Merge "Make parameter decryption more robust"

heat/objects/raw_template.py

@@ -18,15 +18,19 @@
 import copy
 
 from oslo_config import cfg
+from oslo_log import log as logging
 from oslo_versionedobjects import base
 from oslo_versionedobjects import fields
 
 from heat.common import crypt
 from heat.common import environment_format as env_fmt
+from heat.common.i18n import _LW
 from heat.db import api as db_api
 from heat.objects import base as heat_base
 from heat.objects import fields as heat_fields
 
+LOG = logging.getLogger(__name__)
+
 
 class RawTemplate(
     heat_base.HeatObject,
@@ -54,9 +58,17 @@ class RawTemplate(
                 env_fmt.ENCRYPTED_PARAM_NAMES]
 
             for param_name in encrypted_param_names:
-                method, value = parameters[param_name]
-                decrypted_val = crypt.decrypt(method, value)
-                parameters[param_name] = decrypted_val
+                if (isinstance(parameters[param_name], (list, tuple)) and
+                        len(parameters[param_name]) == 2):
+                    method, enc_value = parameters[param_name]
+                    value = crypt.decrypt(method, enc_value)
+                else:
+                    value = parameters[param_name]
+                    LOG.warning(_LW(
+                        'Encountered already-decrypted data while attempting '
+                        'to decrypt parameter %s.  Please file a Heat bug so '
+                        'this can be fixed.'), param_name)
+                parameters[param_name] = value
             tpl.environment[env_fmt.PARAMETERS] = parameters
 
         tpl._context = context

heat/tests/test_stack.py

@@ -15,7 +15,9 @@ import collections
 import copy
 import datetime
 import eventlet
+import fixtures
 import json
+import logging
 import time
 
 import mock
@@ -2406,6 +2408,48 @@ class StackTest(common.HeatTestCase):
 
         self.assertEqual([], loaded_stack.env.encrypted_param_names)
 
+    def test_parameters_inconsistent_encrypted_param_names(self):
+        tmpl = template_format.parse('''
+        heat_template_version: 2013-05-23
+        parameters:
+            param1:
+                type: string
+                description: value1.
+            param2:
+                type: string
+                description: value2.
+                hidden: true
+        resources:
+            a_resource:
+                type: GenericResourceType
+        ''')
+        warning_logger = self.useFixture(
+            fixtures.FakeLogger(level=logging.WARNING,
+                                format="%(levelname)8s [%(name)s] %("
+                                "message)s"))
+
+        cfg.CONF.set_override('encrypt_parameters_and_properties', False,
+                              enforce_type=True)
+
+        env1 = environment.Environment({'param1': 'foo', 'param2': 'bar'})
+        self.stack = stack.Stack(self.ctx, 'test',
+                                 template.Template(tmpl, env=env1))
+        self.stack.store()
+
+        loaded_stack = stack.Stack.load(self.ctx, stack_id=self.stack.id)
+        loaded_stack.state_set(self.stack.CREATE, self.stack.COMPLETE,
+                               'for_update')
+
+        env2 = environment.Environment({'param1': 'foo', 'param2': 'new_bar'})
+
+        # Put inconsistent encrypted_param_names data in the environment
+        env2.encrypted_param_names = ['param1']
+        new_stack = stack.Stack(self.ctx, 'test_update',
+                                template.Template(tmpl, env=env2))
+        self.assertIsNone(loaded_stack.update(new_stack))
+        self.assertIn('Encountered already-decrypted data',
+                      warning_logger.output)
+
     def test_parameters_stored_decrypted_successful_load(self):
         """Test stack loading with disabled parameter value validation."""
         tmpl = template_format.parse('''