def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
if values.get('trust_id'):
method, trust_id = crypt.encrypt(values.get('trust_id'))
user_creds_ref.trust_id = trust_id
user_creds_ref.decrypt_method = method
user_creds_ref.trustor_user_id = values.get('trustor_user_id')
user_creds_ref.username = None
user_creds_ref.password = None
user_creds_ref.tenant = values.get('tenant')
user_creds_ref.tenant_id = values.get('tenant_id')
user_creds_ref.auth_url = values.get('auth_url')
user_creds_ref.region_name = values.get('region_name')
else:
user_creds_ref.update(values)
method, password = crypt.encrypt(values['password'])
if len(six.text_type(password)) > 255:
raise exception.Error(_("Length of OS_PASSWORD after encryption"
" exceeds Heat limit (255 chars)"))
user_creds_ref.password = password
user_creds_ref.decrypt_method = method
user_creds_ref.save(_session(context))
result = dict(user_creds_ref)
if values.get('trust_id'):
result['trust_id'] = values.get('trust_id')
else:
result['password'] = values.get('password')
return result
def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
if values.get('trust_id'):
method, trust_id = crypt.encrypt(values.get('trust_id'))
user_creds_ref.trust_id = trust_id
user_creds_ref.decrypt_method = method
user_creds_ref.trustor_user_id = values.get('trustor_user_id')
user_creds_ref.username = None
user_creds_ref.password = None
user_creds_ref.tenant = values.get('tenant')
user_creds_ref.tenant_id = values.get('tenant_id')
user_creds_ref.auth_url = values.get('auth_url')
user_creds_ref.region_name = values.get('region_name')
else:
user_creds_ref.update(values)
method, password = crypt.encrypt(values['password'])
if len(six.text_type(password)) > 255:
raise exception.Error(
_("Length of OS_PASSWORD after encryption"
" exceeds Heat limit (255 chars)"))
user_creds_ref.password = password
user_creds_ref.decrypt_method = method
user_creds_ref.save(_session(context))
result = dict(user_creds_ref)
if values.get('trust_id'):
result['trust_id'] = values.get('trust_id')
else:
result['password'] = values.get('password')
return result
def db_encrypt_parameters_and_properties(ctxt, encryption_key, batch_size=50):
"""Encrypt parameters and properties for all templates in db.
:param ctxt: RPC context
:param encryption_key: key that will be used for parameter and property
encryption
:param batch_size: number of templates requested from db in each iteration.
50 means that heat requests 50 templates, encrypt them
and proceed with next 50 items.
"""
from heat.engine import template
session = get_session()
with session.begin():
query = session.query(models.RawTemplate)
for raw_template in _get_batch(
session=session, ctxt=ctxt, query=query, model=models.RawTemplate, batch_size=batch_size
):
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
env = raw_template.environment
if "encrypted_param_names" in env:
encrypted_params = env["encrypted_param_names"]
else:
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = env["parameters"][param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
env["parameters"][param_name] = encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = env.copy()
environment["encrypted_param_names"] = encrypted_params
raw_template_update(ctxt, raw_template.id, {"environment": environment})
query = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None), ~models.Resource.properties_data_encrypted.is_(True)
)
for resource in _get_batch(
session=session, ctxt=ctxt, query=query, model=models.Resource, batch_size=batch_size
):
result = {}
for prop_name, prop_value in resource.properties_data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string, encryption_key)
result[prop_name] = encrypted_value
resource.properties_data = result
resource.properties_data_encrypted = True
resource_update(
ctxt, resource.id, {"properties_data": result, "properties_data_encrypted": True}, resource.atomic_key
)
def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
user_creds_ref.update(values)
user_creds_ref.password = crypt.encrypt(values['password'])
user_creds_ref.aws_creds = crypt.encrypt(values['aws_creds'])
user_creds_ref.save(_session(context))
return user_creds_ref
def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
user_creds_ref.update(values)
user_creds_ref.password = crypt.encrypt(values['password'])
user_creds_ref.aws_creds = crypt.encrypt(values['aws_creds'])
user_creds_ref.save(_session(context))
return user_creds_ref
def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
if values.get('trust_id'):
user_creds_ref.trust_id = crypt.encrypt(values.get('trust_id'))
user_creds_ref.trustor_user_id = values.get('trustor_user_id')
user_creds_ref.username = None
user_creds_ref.password = None
else:
user_creds_ref.update(values)
user_creds_ref.password = crypt.encrypt(values['password'])
user_creds_ref.save(_session(context))
return user_creds_ref
def user_creds_create(context):
values = context.to_dict()
user_creds_ref = models.UserCreds()
if values.get('trust_id'):
user_creds_ref.trust_id = crypt.encrypt(values.get('trust_id'))
user_creds_ref.trustor_user_id = values.get('trustor_user_id')
user_creds_ref.username = None
user_creds_ref.password = None
else:
user_creds_ref.update(values)
user_creds_ref.password = crypt.encrypt(values['password'])
user_creds_ref.save(_session(context))
return user_creds_ref
def db_encrypt_parameters_and_properties(ctxt, encryption_key):
from heat.engine import template
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
env = raw_template.environment
if 'encrypted_param_names' in env:
encrypted_params = env['encrypted_param_names']
else:
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = env['parameters'][param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
env['parameters'][param_name] = encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = env.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
resources = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
~models.Resource.properties_data_encrypted.is_(True)).all()
for resource in resources:
result = {}
for prop_name, prop_value in resource.properties_data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string,
encryption_key)
result[prop_name] = encrypted_value
resource.properties_data = result
resource.properties_data_encrypted = True
resource_update(ctxt, resource.id,
{'properties_data': result,
'properties_data_encrypted': True},
resource.atomic_key)
def db_encrypt_parameters_and_properties(ctxt, encryption_key):
from heat.engine import template
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
env = raw_template.environment
if 'encrypted_param_names' in env:
encrypted_params = env['encrypted_param_names']
else:
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = env['parameters'][param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
env['parameters'][param_name] = encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = env.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
resources = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
~models.Resource.properties_data_encrypted.is_(True)).all()
for resource in resources:
result = {}
for prop_name, prop_value in resource.properties_data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string, encryption_key)
result[prop_name] = encrypted_value
resource.properties_data = result
resource.properties_data_encrypted = True
resource_update(ctxt, resource.id, {
'properties_data': result,
'properties_data_encrypted': True
}, resource.atomic_key)
def db_encrypt_parameters_and_properties(ctxt, encryption_key):
from heat.engine import template
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = raw_template.environment['parameters'][
param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
raw_template.environment['parameters'][param_name] = \
encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
def db_encrypt_parameters_and_properties(ctxt, encryption_key):
from heat.engine import template
session = get_session()
with session.begin():
raw_templates = session.query(models.RawTemplate).all()
for raw_template in raw_templates:
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = raw_template.environment['parameters'][
param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
raw_template.environment['parameters'][param_name] = \
encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = raw_template.environment.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
def encrypt_hidden_parameters(cls, tmpl):
if cfg.CONF.encrypt_parameters_and_properties:
for param_name, param in tmpl.env.params.items():
if not tmpl.param_schemata()[param_name].hidden:
continue
clear_text_val = tmpl.env.params.get(param_name)
tmpl.env.params[param_name] = crypt.encrypt(clear_text_val)
tmpl.env.encrypted_param_names.append(param_name)
def encrypt_hidden_parameters(cls, tmpl):
if cfg.CONF.encrypt_parameters_and_properties:
for param_name, param in tmpl.env.params.items():
if not tmpl.param_schemata()[param_name].hidden:
continue
clear_text_val = tmpl.env.params.get(param_name)
tmpl.env.params[param_name] = crypt.encrypt(clear_text_val)
tmpl.env.encrypted_param_names.append(param_name)
def encrypt_properties_data(data):
if cfg.CONF.encrypt_parameters_and_properties and data:
result = {}
for prop_name, prop_value in data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string)
result[prop_name] = encrypted_value
return (True, result)
return (False, data)
def encrypt_properties_data(data):
if cfg.CONF.encrypt_parameters_and_properties and data:
result = {}
for prop_name, prop_value in data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string)
result[prop_name] = encrypted_value
return (True, result)
return (False, data)
def resource_data_set(resource, key, value, redact=False):
"""Save resource's key/value pair to database."""
if redact:
value = crypt.encrypt(value)
try:
current = resource_data_get_by_key(resource.context, resource.id, key)
except exception.NotFound:
current = models.ResourceData()
current.key = key
current.resource_id = resource.id
current.redact = redact
current.value = value
current.save()
return current
def resource_data_set(resource, key, value, redact=False):
"""Save resource's key/value pair to database."""
if redact:
value = crypt.encrypt(value)
try:
current = resource_data_get_by_key(resource.context, resource.id, key)
except exception.NotFound:
current = models.ResourceData()
current.key = key
current.resource_id = resource.id
current.redact = redact
current.value = value
current.save()
return current
def test_refresh_zaqar_software_deployment(self, plugin, res_get, res_upd,
md_sd, ssd):
rs = mock.Mock()
rs.rsrc_metadata = {}
rs.id = '1234'
rs.atomic_key = 1
rd1 = mock.Mock()
rd1.key = 'user'
rd1.value = 'user1'
rd2 = mock.Mock()
rd2.key = 'password'
rd2.decrypt_method, rd2.value = crypt.encrypt('pass1')
rs.data = [rd1, rd2]
res_get.return_value = rs
res_upd.return_value = 1
deployments = {'deploy': 'this'}
md_sd.return_value = deployments
config = self._create_software_config(inputs=[
{
'name': 'deploy_signal_transport',
'type': 'String',
'value': 'ZAQAR_SIGNAL'
}, {
'name': 'deploy_queue_id',
'type': 'String',
'value': '6789'
}
])
queue = mock.Mock()
zaqar_client = mock.Mock()
plugin.return_value = zaqar_client
zaqar_client.queue.return_value = queue
queue.pop.return_value = [mock.Mock(body='ok')]
with mock.patch.object(self.ctx.session, 'refresh'):
deployment = self._create_software_deployment(
status='IN_PROGRESS', config_id=config['id'])
deployment_id = deployment['id']
self.assertEqual(
deployment,
self.engine.show_software_deployment(self.ctx, deployment_id))
zaqar_client.queue.assert_called_once_with('6789')
queue.pop.assert_called_once_with()
ssd.assert_called_once_with(self.ctx, deployment_id, 'ok', None)
def test_refresh_zaqar_software_deployment(self, plugin, res_get, res_upd,
md_sd, ssd):
rs = mock.Mock()
rs.rsrc_metadata = {}
rs.id = '1234'
rs.atomic_key = 1
rd1 = mock.Mock()
rd1.key = 'user'
rd1.value = 'user1'
rd2 = mock.Mock()
rd2.key = 'password'
rd2.decrypt_method, rd2.value = crypt.encrypt('pass1')
rs.data = [rd1, rd2]
res_get.return_value = rs
res_upd.return_value = 1
deployments = {'deploy': 'this'}
md_sd.return_value = deployments
config = self._create_software_config(inputs=[
{
'name': 'deploy_signal_transport',
'type': 'String',
'value': 'ZAQAR_SIGNAL'
}, {
'name': 'deploy_queue_id',
'type': 'String',
'value': '6789'
}
])
queue = mock.Mock()
zaqar_client = mock.Mock()
plugin.return_value = zaqar_client
zaqar_client.queue.return_value = queue
queue.pop.return_value = [mock.Mock(body='ok')]
with mock.patch.object(self.ctx.session, 'refresh'):
deployment = self._create_software_deployment(
status='IN_PROGRESS', config_id=config['id'])
deployment_id = deployment['id']
self.assertEqual(
deployment,
self.engine.show_software_deployment(self.ctx, deployment_id))
zaqar_client.queue.assert_called_once_with('6789')
queue.pop.assert_called_once_with()
ssd.assert_called_once_with(self.ctx, deployment_id, 'ok', None)
def test_refresh_zaqar_software_deployment(self, plugin, res_get, res_upd, md_sd, ssd):
rs = mock.Mock()
rs.rsrc_metadata = {}
rs.id = "1234"
rs.atomic_key = 1
rd1 = mock.Mock()
rd1.key = "user"
rd1.value = "user1"
rd2 = mock.Mock()
rd2.key = "password"
rd2.decrypt_method, rd2.value = crypt.encrypt("pass1")
rs.data = [rd1, rd2]
res_get.return_value = rs
res_upd.return_value = 1
deployments = {"deploy": "this"}
md_sd.return_value = deployments
config = self._create_software_config(
inputs=[
{"name": "deploy_signal_transport", "type": "String", "value": "ZAQAR_SIGNAL"},
{"name": "deploy_queue_id", "type": "String", "value": "6789"},
]
)
queue = mock.Mock()
zaqar_client = mock.Mock()
plugin.return_value = zaqar_client
zaqar_client.queue.return_value = queue
queue.pop.return_value = [mock.Mock(body="ok")]
deployment = self._create_software_deployment(status="IN_PROGRESS", config_id=config["id"])
deployment_id = deployment["id"]
self.assertEqual(deployment, self.engine.show_software_deployment(self.ctx, deployment_id))
zaqar_client.queue.assert_called_once_with("6789")
queue.pop.assert_called_once_with()
ssd.assert_called_once_with(self.ctx, deployment_id, "ok", None)
def test_fernet_key(self):
key = 'x' * 16
method, result = crypt.encrypt('foo', key)
self.assertEqual('cryptography_decrypt_v1', method)
self.assertIsNotNone(result)
def _encrypt(value):
if value is not None:
return crypt.encrypt(value.encode('utf-8'))
else:
return None, None
def db_encrypt_parameters_and_properties(ctxt, encryption_key, batch_size=50):
"""Encrypt parameters and properties for all templates in db.
:param ctxt: RPC context
:param encryption_key: key that will be used for parameter and property
encryption
:param batch_size: number of templates requested from db in each iteration.
50 means that heat requests 50 templates, encrypt them
and proceed with next 50 items.
:return: list of exceptions encountered during encryption
"""
from heat.engine import template
session = get_session()
with session.begin():
query = session.query(models.RawTemplate)
excs = []
for raw_template in _get_batch(
session=session, ctxt=ctxt, query=query,
model=models.RawTemplate, batch_size=batch_size):
try:
tmpl = template.Template.load(
ctxt, raw_template.id, raw_template)
param_schemata = tmpl.param_schemata()
env = raw_template.environment
if (not env or
'parameters' not in env or
not tmpl.param_schemata()):
continue
if 'encrypted_param_names' in env:
encrypted_params = env['encrypted_param_names']
else:
encrypted_params = []
for param_name, param_val in env['parameters'].items():
if ((param_name in encrypted_params) or
(not param_schemata[param_name].hidden)):
continue
encrypted_val = crypt.encrypt(six.text_type(param_val),
encryption_key)
env['parameters'][param_name] = encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = env.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
except Exception as exc:
LOG.exception(_LE('Failed to encrypt parameters of raw '
'template %(id)d'), {'id': raw_template.id})
excs.append(exc)
continue
query = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
~models.Resource.properties_data_encrypted.is_(True))
for resource in _get_batch(
session=session, ctxt=ctxt, query=query, model=models.Resource,
batch_size=batch_size):
try:
result = {}
if not resource.properties_data:
continue
for prop_name, prop_value in resource.properties_data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string,
encryption_key)
result[prop_name] = encrypted_value
resource.properties_data = result
resource.properties_data_encrypted = True
resource_update(ctxt, resource.id,
{'properties_data': result,
'properties_data_encrypted': True},
resource.atomic_key)
except Exception as exc:
LOG.exception(_LE('Failed to encrypt properties_data of '
'resource %(id)d'), {'id': resource.id})
excs.append(exc)
continue
return excs
def _encrypt(value):
return crypt.encrypt(value.encode('utf-8'))
def test_fernet_key(self):
key = 'x' * 16
method, result = crypt.encrypt('foo', key)
self.assertEqual('cryptography_decrypt_v1', method)
self.assertIsNotNone(result)
def db_encrypt_parameters_and_properties(ctxt, encryption_key, batch_size=50):
"""Encrypt parameters and properties for all templates in db.
:param ctxt: RPC context
:param encryption_key: key that will be used for parameter and property
encryption
:param batch_size: number of templates requested from db in each iteration.
50 means that heat requests 50 templates, encrypt them
and proceed with next 50 items.
"""
from heat.engine import template
session = get_session()
with session.begin():
query = session.query(models.RawTemplate)
for raw_template in _get_batch(
session=session, ctxt=ctxt, query=query,
model=models.RawTemplate, batch_size=batch_size):
tmpl = template.Template.load(ctxt, raw_template.id, raw_template)
env = raw_template.environment
if 'encrypted_param_names' in env:
encrypted_params = env['encrypted_param_names']
else:
encrypted_params = []
for param_name, param in tmpl.param_schemata().items():
if (param_name in encrypted_params) or (not param.hidden):
continue
try:
param_val = env['parameters'][param_name]
except KeyError:
param_val = param.default
encrypted_val = crypt.encrypt(param_val, encryption_key)
env['parameters'][param_name] = encrypted_val
encrypted_params.append(param_name)
if encrypted_params:
environment = env.copy()
environment['encrypted_param_names'] = encrypted_params
raw_template_update(ctxt, raw_template.id,
{'environment': environment})
query = session.query(models.Resource).filter(
~models.Resource.properties_data.is_(None),
~models.Resource.properties_data_encrypted.is_(True))
for resource in _get_batch(
session=session, ctxt=ctxt, query=query, model=models.Resource,
batch_size=batch_size):
result = {}
for prop_name, prop_value in resource.properties_data.items():
prop_string = jsonutils.dumps(prop_value)
encrypted_value = crypt.encrypt(prop_string,
encryption_key)
result[prop_name] = encrypted_value
resource.properties_data = result
resource.properties_data_encrypted = True
resource_update(ctxt, resource.id,
{'properties_data': result,
'properties_data_encrypted': True},
resource.atomic_key)
def test_fernet_key(self):
key = "x" * 16
method, result = crypt.encrypt("foo", key)
self.assertEqual("cryptography_decrypt_v1", method)
self.assertIsNotNone(result)
def _encrypt(value):
if value is not None:
return crypt.encrypt(value.encode('utf-8'))
def _encrypt(value):
return crypt.encrypt(value.encode("utf-8"))
