def _was_persisted_value_encrypted(self, property_name, file_name):
secure_property_name = '%s__is_secure' % property_name
state_persistor = StatePersistor(self._models,
self._controllers,
persistence_file=file_name)
value = state_persistor.recall_info([secure_property_name])
if value is None:
return False
return value is not None
def _encrypt_validator(self, secret):
state_persistor = StatePersistor(
self._models,
self._controllers,
persistence_file='private_data_encryption_validator.yml')
property_name = 'encryption_key_checker'
property_value = 'encryption_key_checker'
property_value = CPSecurity.encrypt(secret, property_value)
info = {property_name: property_value}
state_persistor.persist_info(info)
def _get_encrypted_validator(self):
if 'private_data' in self._models['persistent_state']:
state_persistor = StatePersistor(
self._models,
self._controllers,
persistence_file='private_data.yml')
else:
state_persistor = StatePersistor(
self._models,
self._controllers,
persistence_file='private_data_encryption_validator.yml')
property_name = 'encryption_key_checker'
value = state_persistor.recall_info([property_name])
return value
def is_deleted(models, controllers, elem_s):
state_persistor = StatePersistor(
models, controllers, persistence_file='server_allocations.yml')
info = state_persistor.recall_info()
for k, v in six.iteritems(info):
if (v['pxe-mac-addr'] != elem_s['pxe-mac-addr']
or v['pxe-ip-addr'] != elem_s['pxe-ip-addr']):
continue
if 'state' not in v:
return False
if not CPState.is_active(v['state']):
return True
return False
return False
def _migrate_keys(self, prev_encryption_key, encryption_key, file_name):
state_persistor = StatePersistor(self._models,
self._controllers,
persistence_file=file_name)
all_private_data = state_persistor.recall_info()
for k, v in six.iteritems(all_private_data):
if k == 'encryption_key_checker':
continue
if not self._was_persisted_value_encrypted(k, file_name):
continue
v = CPSecurity.decrypt(prev_encryption_key, v)
v = CPSecurity.encrypt(encryption_key, v)
info = {k: v}
state_persistor.persist_info(info)
def generate_value(instructions,
models,
controllers,
name,
value,
warnings,
errors,
payload=None):
if not isinstance(value, str):
return value
if value.count('%') != 2:
return value
cp = payload['context'].get('cp')
sp = StatePersistor(models, controllers, 'private_data_%s.yml' % cp)
sp_old = StatePersistor(models, controllers,
'private_data_old_working_%s.yml' % cp)
sp_non_scoped = StatePersistor(models, controllers, 'private_data.yml')
#
# Set-up a work-space in persistent state to hold the values of all variables with
# scope cloud. This is a temporary workspace that is not written out to disk. The
# cloud scoped variables are persisted in the private_data spaces of the control
# planes on which the variables are defined. We use this temporary workspace in a
# couple of ways:
# We use it to populate cloud-scoped variables when we regenerate their values -
# we don't know which control-plane will get to regenerate their value so the first
# time we regenerate the value we store it in this temporary workspace
# We use it to determine which variables are cloud-scoped, and write the names of
# these variables out to private_data_cloud_variables.yml in PersistentStateBuilder.
# We also write the metadata for cloud scoped variables to their own informational
# file.
#
sp_cloud = StatePersistor(models, controllers,
'private_data_cloud.yml')
try:
key_name = payload['key-name']
except (TypeError, KeyError):
key_name = name
ArdanaVariable.process_immutability(instructions, models, controllers,
payload, value)
ri, user_supplied = ArdanaVariable._check_for_existing_process_creds_change(
instructions, models, key_name, payload, sp, sp_old, sp_non_scoped)
if (ri is not None and ri != {}) and not user_supplied:
if payload['scope'] == 'cloud':
sp_cloud.persist_info({key_name: ri})
return ri
elif (ri is None or ri == {} and ri != '0') and not user_supplied:
ri, success = ArdanaVariable._generate_new_value(
instructions, models, controllers, key_name, value, payload,
warnings)
if ri is None:
return None
elif not success:
return ri
if payload['scope'] == 'cloud':
sp_cloud.persist_info({key_name: ri})
value = ri
context = payload.get('context')
meta_data = sp.recall_info(["%s__metadata" % key_name])
if meta_data:
meta_data = ArdanaVariable._add_context_to_meta(meta_data,
context=context)
else:
meta_data = [context]
if 'encryption_key' in instructions:
key = instructions['encryption_key']
secure_value = CPSecurity.encrypt(key, value)
is_secure_val = True
else:
secure_value = value
is_secure_val = False
ArdanaVariable.persist_value(sp,
key_name,
secure_value,
is_secure_val,
meta_data=meta_data)
return value
def _generate_new_value(instructions, models, controllers, name, value,
payload, warnings):
#
# Set-up a work-space in persistent state to hold the values of all variables with
# scope cloud. This is a temporary workspace that is not written out to disk. The
# cloud scoped variables are persisted in the private_data spaces of the control
# planes on which the variables are defined. We use this temporary workspace in a
# couple of ways:
# We use it to populate cloud-scoped variables when we regenerate their values -
# we don't know which control-plane will get to regenerate their value so the first
# time we regenerate the value we store it in this temporary workspace
# We use it to determine which variables are cloud-scoped, and write the names of
# these variables out to private_data_cloud_variables.yml in PersistentStateBuilder.
# We also write the metadata for cloud scoped variables to their own informational
# file.
#
sp_cloud = StatePersistor(models, controllers,
'private_data_cloud.yml')
p1 = value.find('%') + 1
p2 = value.rfind('%')
variable_type = value[p1:p2]
version = instructions['model_version']
version = Version.normalize(version)
if float(version) > 1.0:
variable_type += '-%s' % version
#
# Search for existing values in all instances of private_data_<control-plane>
# To do this we exclude all instances of private_data_old,
# private_data_old_<control-plane>, private_data_encryption_validator
# and private_data_cloud
#
values = []
pattern = re.compile(
'^private_data_((?!old.*)(?!encryption.)(?!cloud.*))')
for key, v in models['persistent_state'].iteritems():
if re.search(pattern, key):
if name in v:
values.append(v.get(name))
if payload['scope'] == 'cloud':
regen, ri_u = ArdanaVariable._check_for_user_supplied_secret(
models, payload, name)
if regen:
val = sp_cloud.recall_info([name])
if val or val == 0:
return val, True
elif not regen and values:
sp_cloud.persist_info({name: values[0]})
return values[0], True
value, success = ArdanaVariable._generate(instructions, models,
controllers, name,
variable_type, value,
payload, warnings)
if not success or not values:
if payload['scope'] == 'cloud' and success:
sp_cloud.persist_info({name: value})
return value, success
while value in values:
value, success = ArdanaVariable._generate(instructions, models,
controllers, name,
variable_type, value,
payload, warnings)
return value, success
def get_old_value(instructions,
models,
controllers,
name,
value,
warnings,
errors,
payload=None):
if not isinstance(value, str):
return None
if value.count('%') != 2:
return None
try:
key_name = payload['key-name']
except (TypeError, KeyError):
key_name = name
cp = payload['context'].get('cp')
sp_old = StatePersistor(models, controllers,
'private_data_old_working_%s.yml' % cp)
sp_old_disk = StatePersistor(models, controllers,
'private_data_old_%s.yml' % cp)
sp_old_disk_non_scoped = StatePersistor(models, controllers,
'private_data_old.yml')
ri = sp_old.recall_info([key_name])
ri_e = sp_old.recall_info(['%s__is_secure' % key_name])
if ri is None or ri == {}:
ri_d = sp_old_disk.recall_info([key_name])
ri_d_e = sp_old_disk.recall_info(['%s__is_secure' % key_name])
if ri_d is None or ri_d == {}:
ri_d = sp_old_disk_non_scoped.recall_info([key_name])
ri_d_e = sp_old_disk_non_scoped.recall_info(
['%s__is_secure' % key_name])
if (ri_d is not None and ri_d != {}) and not ri_d_e:
ArdanaVariable._encrypt(sp_old_disk, instructions, key_name,
ri_d)
return ri_d
elif (ri_d is not None and ri_d != {}) and ri_d_e:
return ArdanaVariable.decrypt_value(ri_d, instructions)
else:
return None
if not ri_e:
ArdanaVariable._encrypt(sp_old, instructions, key_name, ri)
return ri
elif ri_e:
return ArdanaVariable.decrypt_value(ri, instructions)