Merge "Make parameter decryption more robust"
commit
c9bca1883b
|
@ -18,15 +18,19 @@
|
|||
import copy
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_versionedobjects import base
|
||||
from oslo_versionedobjects import fields
|
||||
|
||||
from heat.common import crypt
|
||||
from heat.common import environment_format as env_fmt
|
||||
from heat.common.i18n import _LW
|
||||
from heat.db import api as db_api
|
||||
from heat.objects import base as heat_base
|
||||
from heat.objects import fields as heat_fields
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class RawTemplate(
|
||||
heat_base.HeatObject,
|
||||
|
@ -54,9 +58,17 @@ class RawTemplate(
|
|||
env_fmt.ENCRYPTED_PARAM_NAMES]
|
||||
|
||||
for param_name in encrypted_param_names:
|
||||
method, value = parameters[param_name]
|
||||
decrypted_val = crypt.decrypt(method, value)
|
||||
parameters[param_name] = decrypted_val
|
||||
if (isinstance(parameters[param_name], (list, tuple)) and
|
||||
len(parameters[param_name]) == 2):
|
||||
method, enc_value = parameters[param_name]
|
||||
value = crypt.decrypt(method, enc_value)
|
||||
else:
|
||||
value = parameters[param_name]
|
||||
LOG.warning(_LW(
|
||||
'Encountered already-decrypted data while attempting '
|
||||
'to decrypt parameter %s. Please file a Heat bug so '
|
||||
'this can be fixed.'), param_name)
|
||||
parameters[param_name] = value
|
||||
tpl.environment[env_fmt.PARAMETERS] = parameters
|
||||
|
||||
tpl._context = context
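Review bot: The `isinstance(parameters[param_name], (list, tuple)) and len(parameters[param_name]) == 2` check treats any two-element sequence as a `(method, ciphertext)` pair, so a plaintext value that is itself a two-item list would reach `crypt.decrypt` with its first element used as the method. If list-valued parameters can appear here (not visible in the hunk), the guard should also require both elements to be strings and the method to be one the crypt module recognises. The `else` branch also means that a name listed under `ENCRYPTED_PARAM_NAMES` no longer guarantees the value was encrypted at rest, which deserves a comment such as `# plaintext under an encrypted name: the value was stored unencrypted; warn so it can be traced and re-stored`. The warning correctly logs only `param_name` and never the value. The enclosing method starts above the hunk.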
|
||||
|
|
|
@ -15,7 +15,9 @@ import collections
|
|||
import copy
|
||||
import datetime
|
||||
import eventlet
|
||||
import fixtures
|
||||
import json
|
||||
import logging
|
||||
import time
|
||||
|
||||
import mock
|
||||
|
@ -2406,6 +2408,48 @@ class StackTest(common.HeatTestCase):
|
|||
|
||||
self.assertEqual([], loaded_stack.env.encrypted_param_names)
|
||||
|
||||
def test_parameters_inconsistent_encrypted_param_names(self):
|
||||
tmpl = template_format.parse('''
|
||||
heat_template_version: 2013-05-23
|
||||
parameters:
|
||||
param1:
|
||||
type: string
|
||||
description: value1.
|
||||
param2:
|
||||
type: string
|
||||
description: value2.
|
||||
hidden: true
|
||||
resources:
|
||||
a_resource:
|
||||
type: GenericResourceType
|
||||
''')
|
||||
warning_logger = self.useFixture(
|
||||
fixtures.FakeLogger(level=logging.WARNING,
|
||||
format="%(levelname)8s [%(name)s] %("
|
||||
"message)s"))
|
||||
|
||||
cfg.CONF.set_override('encrypt_parameters_and_properties', False,
|
||||
enforce_type=True)
|
||||
|
||||
env1 = environment.Environment({'param1': 'foo', 'param2': 'bar'})
|
||||
self.stack = stack.Stack(self.ctx, 'test',
|
||||
template.Template(tmpl, env=env1))
|
||||
self.stack.store()
|
||||
|
||||
loaded_stack = stack.Stack.load(self.ctx, stack_id=self.stack.id)
|
||||
loaded_stack.state_set(self.stack.CREATE, self.stack.COMPLETE,
|
||||
'for_update')
|
||||
|
||||
env2 = environment.Environment({'param1': 'foo', 'param2': 'new_bar'})
|
||||
|
||||
# Put inconsistent encrypted_param_names data in the environment
|
||||
env2.encrypted_param_names = ['param1']
|
||||
new_stack = stack.Stack(self.ctx, 'test_update',
|
||||
template.Template(tmpl, env=env2))
|
||||
self.assertIsNone(loaded_stack.update(new_stack))
|
||||
self.assertIn('Encountered already-decrypted data',
|
||||
warning_logger.output)
|
||||
|
||||
def test_parameters_stored_decrypted_successful_load(self):
|
||||
"""Test stack loading with disabled parameter value validation."""
|
||||
tmpl = template_format.parse('''
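Review bot: `test_parameters_inconsistent_encrypted_param_names` asserts only that some "already-decrypted" warning was logged, not which parameter triggered it; `self.assertIn('to decrypt parameter param1', warning_logger.output)` would pin the name. The test runs with `encrypt_parameters_and_properties` set to False, so it does not cover the mixed case where encryption is enabled and one value is genuinely encrypted while another sits in plaintext under an encrypted name. A plaintext value that is a two-element list is not covered either. The `cfg.CONF.set_override(...)` call has no cleanup visible in the hunk, so if the base test case does not reset overrides, the setting would leak into later tests.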
|
||||
|
|