Check if encoded user credential may get truncated

In some deployments, user passwords are generated by other
authentication infrastructures where the length of the Base64 encoded
credentials is longer than the DB limit.

This patch checks if the encoded credential might be truncated when
it is generated and fail early during stack creation, or else it will
cause troubles later on when operating the stack.

Change-Id: I901b9e39dd0d394991520fea1f527e250c2c9680
Partial-Bug: 1386213

heat/db/sqlalchemy/api.py

@@ -482,6 +482,9 @@ def user_creds_create(context):
     else:
         user_creds_ref.update(values)
         method, password = _encrypt(values['password'])
+        if len(six.text_type(password)) > 255:
+            raise exception.Error(_("Length of OS_PASSWORD after encryption"
+                                    " exceeds Heat limit (255 chars)"))
         user_creds_ref.password = password
         user_creds_ref.decrypt_method = method
     user_creds_ref.save(_session(context))

heat/tests/test_sqlalchemy_api.py

@@ -758,6 +758,15 @@ class SqlAlchemyTest(common.HeatTestCase):
         self.assertIsNone(load_creds.get('trust_id'))
         self.assertIsNone(load_creds.get('trustor_user_id'))
 
+    def test_user_creds_password_too_long(self):
+        self.ctx.trust_id = None
+        self.ctx.password = 'O123456789O1234567' * 20
+        error = self.assertRaises(exception.Error,
+                                  db_api.user_creds_create,
+                                  self.ctx)
+        self.assertIn('Length of OS_PASSWORD after encryption exceeds '
+                      'Heat limit (255 chars)', six.text_type(error))
+
     def test_user_creds_trust(self):
         self.ctx.username = None
         self.ctx.password = None