From 0d9af5c6833e26532bf798ebd0756e93d674b7fc Mon Sep 17 00:00:00 2001
From: tengqm
Date: Fri, 28 Nov 2014 19:37:13 +0800
Subject: [PATCH] Check if encoded user credential may get truncated
In some deployments, user passwords are generated by other authentication infrastructures where the length of the Base64 encoded credentials is longer than the DB limit. This patch checks if the encoded credential might be truncated when it is generated and fail early during stack creation, or else it will cause troubles later on when operating the stack.
Change-Id: I901b9e39dd0d394991520fea1f527e250c2c9680
Partial-Bug: 1386213
---
 heat/db/sqlalchemy/api.py | 3 +++
 heat/tests/test_sqlalchemy_api.py | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index 1d961de27..efeb07623 100644
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -482,6 +482,9 @@ def user_creds_create(context):
 else:
 user_creds_ref.update(values)
 method, password = _encrypt(values['password'])
+ if len(six.text_type(password)) > 255:
+ raise exception.Error(_("Length of OS_PASSWORD after encryption"
+ " exceeds Heat limit (255 chars)"))
 user_creds_ref.password = password
 user_creds_ref.decrypt_method = method
 user_creds_ref.save(_session(context))
diff --git a/heat/tests/test_sqlalchemy_api.py b/heat/tests/test_sqlalchemy_api.py
index ef9bca080..cbe58e4a7 100644
--- a/heat/tests/test_sqlalchemy_api.py
+++ b/heat/tests/test_sqlalchemy_api.py
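Review bot: The new guard in user_creds_create writes the storage limit as the bare literal `255` twice, once in the comparison and once inside the message string, so a later migration that changes the password column width would leave this check stale with nothing failing. Take the bound from a single place, for example a module constant (name constructed here) used as `if len(six.text_type(password)) > MAX_ENCRYPTED_CRED_LEN:`, and format the message from the same value. The branch before `else:` starts above the hunk and is not visible; if it stores another encrypted value, it presumably needs the same bound, since a ciphertext truncated by the database cannot be decrypted later. A dedicated exception type rather than the generic `exception.Error` would also let callers tell this rejection apart from other failures.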
@@ -758,6 +758,15 @@ class SqlAlchemyTest(common.HeatTestCase):
 self.assertIsNone(load_creds.get('trust_id'))
 self.assertIsNone(load_creds.get('trustor_user_id'))
+ def test_user_creds_password_too_long(self):
+ self.ctx.trust_id = None
+ self.ctx.password = 'O123456789O1234567' * 20
+ error = self.assertRaises(exception.Error,
+ db_api.user_creds_create,
+ self.ctx)
+ self.assertIn('Length of OS_PASSWORD after encryption exceeds '
+ 'Heat limit (255 chars)', six.text_type(error))
+
 def test_user_creds_trust(self):
 self.ctx.username = None
 self.ctx.password = None
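Review bot: test_user_creds_password_too_long only exercises an input far past the limit (`'O123456789O1234567' * 20` is 360 characters before encryption), so an off-by-one in the `> 255` comparison or a silent change of the bound would not be caught. A companion case that pins the boundary would help: with the encryption helper stubbed to return exactly 255 characters the create call should succeed, and with 256 it should raise. It is also worth asserting that no credential row was saved after the error, since the point of the check is to fail before anything truncated reaches the database. The enclosing SqlAlchemyTest class starts and ends outside the hunk.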