def user_creds_get(user_creds_id):
db_result = model_query(None, models.UserCreds).get(user_creds_id)
# Return a dict copy of db results, do not decrypt details into db_result
# or it can be committed back to the DB in decrypted form
result = dict(db_result)
result['password'] = crypt.decrypt(result['password'])
result['aws_creds'] = crypt.decrypt(result['aws_creds'])
return result
def user_creds_get(user_creds_id):
db_result = model_query(None, models.UserCreds).get(user_creds_id)
# Return a dict copy of db results, do not decrypt details into db_result
# or it can be committed back to the DB in decrypted form
result = dict(db_result)
result['password'] = crypt.decrypt(result['password'])
result['aws_creds'] = crypt.decrypt(result['aws_creds'])
return result
def user_creds_get(user_creds_id):
db_result = model_query(None, models.UserCreds).get(user_creds_id)
if db_result is None:
return None
# Return a dict copy of db results, do not decrypt details into db_result
# or it can be committed back to the DB in decrypted form
result = dict(db_result)
del result["decrypt_method"]
result["password"] = crypt.decrypt(db_result.decrypt_method, result["password"])
result["trust_id"] = crypt.decrypt(db_result.decrypt_method, result["trust_id"])
return result
def user_creds_get(user_creds_id):
db_result = model_query(None, models.UserCreds).get(user_creds_id)
if db_result is None:
return None
# Return a dict copy of db results, do not decrypt details into db_result
# or it can be committed back to the DB in decrypted form
result = dict(db_result)
del result['decrypt_method']
result['password'] = crypt.decrypt(db_result.decrypt_method,
result['password'])
result['trust_id'] = crypt.decrypt(db_result.decrypt_method,
result['trust_id'])
return result
def db_decrypt_parameters_and_properties(ctxt, encryption_key, batch_size=50):
"""Decrypt parameters and properties for all templates in db.
:param ctxt: RPC context
:param encryption_key: key that will be used for parameter and property
decryption
:param batch_size: number of templates requested from db in each iteration.
50 means that heat requests 50 templates, encrypt them
and proceed with next 50 items.
"""
session = get_session()
with session.begin():
query = session.query(models.RawTemplate)
for raw_template in _get_batch(session=session,
ctxt=ctxt,
query=query,
model=models.RawTemplate,
batch_size=batch_size):
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
query = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
models.Resource.properties_data_encrypted.is_(True))
for resource in _get_batch(session=session,
ctxt=ctxt,
query=query,
model=models.Resource,
batch_size=batch_size):
result = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value, encryption_key)
prop_string = jsonutils.loads(decrypted_value)
result[prop_name] = prop_string
resource.properties_data = result
resource.properties_data_encrypted = False
resource_update(ctxt, resource.id, {
'properties_data': result,
'properties_data_encrypted': False
}, resource.atomic_key)
def db_decrypt_parameters_and_properties(ctxt, encryption_key, batch_size=50):
"""Decrypt parameters and properties for all templates in db.
:param ctxt: RPC context
:param encryption_key: key that will be used for parameter and property
decryption
:param batch_size: number of templates requested from db in each iteration.
50 means that heat requests 50 templates, encrypt them
and proceed with next 50 items.
"""
session = get_session()
with session.begin():
query = session.query(models.RawTemplate)
for raw_template in _get_batch(
session=session, ctxt=ctxt, query=query,
model=models.RawTemplate, batch_size=batch_size):
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
query = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
models.Resource.properties_data_encrypted.is_(True))
for resource in _get_batch(
session=session, ctxt=ctxt, query=query, model=models.Resource,
batch_size=batch_size):
result = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value,
encryption_key)
prop_string = jsonutils.loads(decrypted_value)
result[prop_name] = prop_string
resource.properties_data = result
resource.properties_data_encrypted = False
resource_update(ctxt, resource.id,
{'properties_data': result,
'properties_data_encrypted': False},
resource.atomic_key)
def _from_db_object(resource, context, db_resource):
if db_resource is None:
return None
for field in resource.fields:
if field == 'data':
resource['data'] = [
resource_data.ResourceData._from_db_object(
resource_data.ResourceData(context), resd)
for resd in db_resource.data
]
else:
resource[field] = db_resource[field]
if resource.properties_data_encrypted and resource.properties_data:
properties_data = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value)
prop_string = jsonutils.loads(decrypted_value)
properties_data[prop_name] = prop_string
resource.properties_data = properties_data
resource._context = context
resource.obj_reset_changes()
return resource
def from_db_object(context, tpl, db_tpl):
for field in tpl.fields:
tpl[field] = db_tpl[field]
tpl.environment = copy.deepcopy(tpl.environment)
# If any of the parameters were encrypted, then decrypt them
if (tpl.environment is not None and
env_fmt.ENCRYPTED_PARAM_NAMES in tpl.environment):
parameters = tpl.environment[env_fmt.PARAMETERS]
encrypted_param_names = tpl.environment[
env_fmt.ENCRYPTED_PARAM_NAMES]
for param_name in encrypted_param_names:
if (isinstance(parameters[param_name], (list, tuple)) and
len(parameters[param_name]) == 2):
method, enc_value = parameters[param_name]
value = crypt.decrypt(method, enc_value)
else:
value = parameters[param_name]
LOG.warning(_LW(
'Encountered already-decrypted data while attempting '
'to decrypt parameter %s. Please file a Heat bug so '
'this can be fixed.'), param_name)
parameters[param_name] = value
tpl.environment[env_fmt.PARAMETERS] = parameters
tpl._context = context
tpl.obj_reset_changes()
return tpl
def _from_db_object(resource, context, db_resource):
if db_resource is None:
return None
for field in resource.fields:
if field == 'data':
resource['data'] = map(
lambda resd: resource_data.ResourceData._from_db_object(
resource_data.ResourceData(context), resd
),
db_resource.data
)
else:
resource[field] = db_resource[field]
if resource.properties_data_encrypted and resource.properties_data:
properties_data = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value)
prop_string = jsonutils.loads(decrypted_value)
properties_data[prop_name] = prop_string
resource.properties_data = properties_data
resource._context = context
resource.obj_reset_changes()
return resource
def resource_data_get(resource, key):
"""Lookup value of resource's data by key. Decrypts resource data if
necessary.
"""
result = resource_data_get_by_key(resource.context, resource.id, key)
if result.redact:
return crypt.decrypt(result.decrypt_method, result.value)
return result.value
def resource_data_get_by_key(context, resource_id, key):
result = (model_query(context, models.ResourceData).filter_by(
resource_id=resource_id).filter_by(key=key).first())
if not result:
raise exception.NotFound('No resource data found')
if result.redact and result.value:
result.value = crypt.decrypt(result.value)
return result
def resource_data_get(resource, key):
"""Lookup value of resource's data by key.
Decrypts resource data if necessary.
"""
result = resource_data_get_by_key(resource.context, resource.id, key)
if result.redact:
return crypt.decrypt(result.decrypt_method, result.value)
return result.value
def _get_user_token(self, cnxt, rs, project):
user = password = None
for rd in rs.data:
if rd.key == "password":
password = crypt.decrypt(rd.decrypt_method, rd.value)
if rd.key == "user_id":
user = rd.value
keystone = cnxt.clients.client("keystone")
return keystone.stack_domain_user_token(user_id=user, project_id=project, password=password)
def resource_data_get_by_key(context, resource_id, key):
result = (model_query(context, models.ResourceData)
.filter_by(resource_id=resource_id)
.filter_by(key=key)
.first())
if not result:
raise exception.NotFound('No resource data found')
if result.redact and result.value:
result.value = crypt.decrypt(result.value)
return result
def _get_user_token(self, cnxt, rs, project):
user = password = None
for rd in rs.data:
if rd.key == 'password':
password = crypt.decrypt(rd.decrypt_method, rd.value)
if rd.key == 'user_id':
user = rd.value
keystone = cnxt.clients.client('keystone')
return keystone.stack_domain_user_token(
user_id=user, project_id=project, password=password)
def test_encrypt_hidden_parameters_template_env(self):
env = environment.Environment({'blarg': 'bar'})
cfg.CONF.set_override('encrypt_parameters_and_properties', True)
tmpl = template.Template(parameter_template, env=env)
raw_template.RawTemplate.encrypt_hidden_parameters(tmpl)
self.assertEqual(['blarg'], tmpl.env.encrypted_param_names)
self.assertEqual('cryptography_decrypt_v1',
tmpl.env.params['blarg'][0])
name, value = tmpl.env.params['blarg']
decrypted_val = crypt.decrypt(name, value)
self.assertEqual('bar', decrypted_val)
def db_decrypt_parameters_and_properties(ctxt, encryption_key):
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
resources = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
models.Resource.properties_data_encrypted.is_(True)).all()
for resource in resources:
result = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value,
encryption_key)
prop_string = jsonutils.loads(decrypted_value)
result[prop_name] = prop_string
resource.properties_data = result
resource.properties_data_encrypted = False
resource_update(ctxt, resource.id,
{'properties_data': result,
'properties_data_encrypted': False},
resource.atomic_key)
def db_decrypt_parameters_and_properties(ctxt, encryption_key):
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
resources = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
models.Resource.properties_data_encrypted.is_(True)).all()
for resource in resources:
result = {}
for prop_name, prop_value in resource.properties_data.items():
method, value = prop_value
decrypted_value = crypt.decrypt(method, value, encryption_key)
prop_string = jsonutils.loads(decrypted_value)
result[prop_name] = prop_string
resource.properties_data = result
resource.properties_data_encrypted = False
resource_update(ctxt, resource.id, {
'properties_data': result,
'properties_data_encrypted': False
}, resource.atomic_key)
def db_decrypt_parameters_and_properties(ctxt, encryption_key):
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
def resource_data_get_all(context, resource_id, data=None):
"""Looks up resource_data by resource.id.
If data is encrypted, this method will decrypt the results.
"""
if data is None:
data = (model_query(context, models.ResourceData).filter_by(resource_id=resource_id)).all()
if not data:
raise exception.NotFound(_("no resource data found"))
ret = {}
for res in data:
if res.redact:
ret[res.key] = crypt.decrypt(res.decrypt_method, res.value)
else:
ret[res.key] = res.value
return ret
def db_decrypt_parameters_and_properties(ctxt, encryption_key):
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
parameters = raw_template.environment['parameters']
encrypted_params = raw_template.environment[
'encrypted_param_names']
for param_name in encrypted_params:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value, encryption_key)
parameters[param_name] = decrypted_val
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = []
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
def resource_data_get_all(context, resource_id, data=None):
"""Looks up resource_data by resource.id.
If data is encrypted, this method will decrypt the results.
"""
if data is None:
data = (model_query(context, models.ResourceData)
.filter_by(resource_id=resource_id)).all()
if not data:
raise exception.NotFound(_('no resource data found'))
ret = {}
for res in data:
if res.redact:
ret[res.key] = crypt.decrypt(res.decrypt_method, res.value)
else:
ret[res.key] = res.value
return ret
def _get_zaqar_queue(self, cnxt, rs, project, queue_name):
user = password = signed_url_data = None
for rd in rs.data:
if rd.key == 'password':
password = crypt.decrypt(rd.decrypt_method, rd.value)
if rd.key == 'user_id':
user = rd.value
if rd.key == 'zaqar_queue_signed_url_data':
signed_url_data = jsonutils.loads(rd.value)
zaqar_plugin = cnxt.clients.client_plugin('zaqar')
if signed_url_data is None:
keystone = cnxt.clients.client('keystone')
token = keystone.stack_domain_user_token(
user_id=user, project_id=project, password=password)
zaqar = zaqar_plugin.create_for_tenant(project, token)
else:
signed_url_data.pop('project')
zaqar = zaqar_plugin.create_from_signed_url(project,
**signed_url_data)
return zaqar.queue(queue_name)
def _from_db_object(context, tpl, db_tpl):
for field in tpl.fields:
tpl[field] = db_tpl[field]
tpl.environment = copy.deepcopy(tpl.environment)
# If any of the parameters were encrypted, then decrypt them
if (tpl.environment is not None and
env_fmt.ENCRYPTED_PARAM_NAMES in tpl.environment):
parameters = tpl.environment[env_fmt.PARAMETERS]
encrypted_param_names = tpl.environment[
env_fmt.ENCRYPTED_PARAM_NAMES]
for param_name in encrypted_param_names:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value)
parameters[param_name] = decrypted_val
tpl.environment[env_fmt.PARAMETERS] = parameters
tpl._context = context
tpl.obj_reset_changes()
return tpl
def _get_zaqar_queue(self, cnxt, rs, project, queue_name):
user = password = signed_url_data = None
for rd in rs.data:
if rd.key == 'password':
password = crypt.decrypt(rd.decrypt_method, rd.value)
if rd.key == 'user_id':
user = rd.value
if rd.key == 'zaqar_queue_signed_url_data':
signed_url_data = jsonutils.loads(rd.value)
zaqar_plugin = cnxt.clients.client_plugin('zaqar')
if signed_url_data is None:
keystone = cnxt.clients.client('keystone')
token = keystone.stack_domain_user_token(
user_id=user, project_id=project, password=password)
zaqar = zaqar_plugin.create_for_tenant(project, token)
else:
signed_url_data.pop('project')
zaqar = zaqar_plugin.create_from_signed_url(project,
**signed_url_data)
return zaqar.queue(queue_name)
def _from_db_object(context, tpl, db_tpl):
for field in tpl.fields:
tpl[field] = db_tpl[field]
tpl.environment = copy.deepcopy(tpl.environment)
# If any of the parameters were encrypted, then decrypt them
if (tpl.environment is not None
and env_fmt.ENCRYPTED_PARAM_NAMES in tpl.environment):
parameters = tpl.environment[env_fmt.PARAMETERS]
encrypted_param_names = tpl.environment[
env_fmt.ENCRYPTED_PARAM_NAMES]
for param_name in encrypted_param_names:
method, value = parameters[param_name]
decrypted_val = crypt.decrypt(method, value)
parameters[param_name] = decrypted_val
tpl.environment[env_fmt.PARAMETERS] = parameters
tpl._context = context
tpl.obj_reset_changes()
return tpl
def _decrypt(enc_value):
value = crypt.decrypt(enc_value)
if value is not None:
return unicode(value, 'utf-8')
def _decrypt(enc_value):
value = crypt.decrypt(enc_value)
if value is not None:
return unicode(value, 'utf-8')
