heat : ensure DB user creds aren't written decrypted
Return the decrypted user_creds record as a dict copy and do not decrypt the credentials direct into the sqlalchemy model object, or we can inadvertently end up committing decrypted credentials to the DB Ref #218 Change-Id: I0df9afcb271804557c94cdf0c913f7a26affdc83 Signed-off-by: Steven Hardy <shardy@redhat.com>
This commit is contained in:
parent
52f5d7c7fe
commit
73a8743367
@ -211,11 +211,13 @@ def user_creds_create(values):
|
||||
|
||||
|
||||
def user_creds_get(user_creds_id):
|
||||
result = model_query(None, models.UserCreds).get(user_creds_id)
|
||||
result.password = auth.decrypt(result.password)
|
||||
result.service_password = auth.decrypt(result.service_password)
|
||||
result.aws_creds = auth.decrypt(result.aws_creds)
|
||||
|
||||
db_result = model_query(None, models.UserCreds).get(user_creds_id)
|
||||
# Return a dict copy of db results, do not decrypt details into db_result
|
||||
# or it can be committed back to the DB in decrypted form
|
||||
result = dict(db_result)
|
||||
result['password'] = auth.decrypt(result['password'])
|
||||
result['service_password'] = auth.decrypt(result['service_password'])
|
||||
result['aws_creds'] = auth.decrypt(result['aws_creds'])
|
||||
return result
|
||||
|
||||
|
||||
|
@ -443,7 +443,7 @@ class EngineManager(manager.Manager):
|
||||
if s and s.status in (parser.Stack.CREATE_COMPLETE,
|
||||
parser.Stack.UPDATE_COMPLETE):
|
||||
user_creds = db_api.user_creds_get(s.user_creds_id)
|
||||
ctxt = ctxtlib.RequestContext.from_dict(dict(user_creds))
|
||||
ctxt = ctxtlib.RequestContext.from_dict(user_creds)
|
||||
stack = parser.Stack.load(ctxt, s.id)
|
||||
for a in wr.rule[watchrule.WatchRule.ACTION_MAP[new_state]]:
|
||||
greenpool.spawn_n(stack[a].alarm)
|
||||
|
Loading…
Reference in New Issue
Block a user