From dafd569775d02fcd827045ca7cbdbc7ead613233 Mon Sep 17 00:00:00 2001
From: Stan Lagun
Date: Fri, 4 Mar 2016 13:24:09 +0300
Subject: [PATCH] Makes config() function be available to Core Library only

config() function returns information from murano.conf. But since it contains sensitive information like passwords it creates a security issue for Murano because any app can get access to that information. However the function is used by the core library to get RabbitMQ credentials. This commit makes the function available to Core Library only which currently identified by the name (io.murano) but in the future will be identified by the package signature.

Change-Id: I3fe5c153f931decc59bc8bf9eb87c78d459a64fa
Closes-Bug: #1506807
---
 murano/common/engine.py | 8 ++++++++
 murano/engine/system/yaql_functions.py | 10 ++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/murano/common/engine.py b/murano/common/engine.py
index 20d856411..9ea73dfda 100755
--- a/murano/common/engine.py
+++ b/murano/common/engine.py
@@ -94,6 +94,14 @@ class ContextManager(context_manager.ContextManager):
 return helpers.link_contexts(
 root_context, yaql_functions.get_context(runtime_version))
+ def create_package_context(self, package):
+ context = super(ContextManager, self).create_package_context(
+ package)
+ if package.name == 'io.murano':
+ context = helpers.link_contexts(
+ context, yaql_functions.get_restricted_context())
+ return context
+
 class TaskProcessingEndpoint(object):
 @classmethod
diff --git a/murano/engine/system/yaql_functions.py b/murano/engine/system/yaql_functions.py
index 33c7fb41e..bfddf5aef 100644
--- a/murano/engine/system/yaql_functions.py
+++ b/murano/engine/system/yaql_functions.py
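Review bot: The `package.name == 'io.murano'` test in `create_package_context` is the only gate between an application package and the murano.conf secrets that `config()` returns, and nothing in the method marks it as a security boundary. Whether package import rejects a tenant-supplied package that declares the name `io.murano` is not visible in this hunk; if it does not, the name check alone does not protect the credentials. I would add a comment above the check, such as `# SECURITY: gates config()/config_default() (murano.conf secrets); name match stands in for signature verification, so 'io.murano' must be reserved at package import`. I would also lift the literal into a named constant so this check and the import-side check cannot drift apart. The enclosing `ContextManager` class starts outside the hunk.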
@@ -202,8 +202,6 @@ def get_context(runtime_version):
 context.register_function(bind)
 context.register_function(random_name)
 context.register_function(patch_)
- context.register_function(config)
- context.register_function(config_default)
 context.register_function(logger)
 if runtime_version <= constants.RUNTIME_VERSION_1_1:
@@ -217,3 +215,11 @@ def get_context(runtime_version):
 for spec in utils.to_extension_method(t, root_context):
 context.register_function(spec)
 return context
+
+
+@helpers.memoize
+def get_restricted_context():
+ context = yaql_integration.create_empty_context()
+ context.register_function(config)
+ context.register_function(config_default)
+ return context
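Review bot: `get_restricted_context()` reads like a reduced-capability context, but it is the one holding the sensitive functions `config` and `config_default`, so the name invites a later caller to link it where it should not go. A docstring would make the intent explicit, for example `"""Return the context whose functions expose murano.conf; link it only into the Core Library package context."""`. Because the function is decorated with `@helpers.memoize`, every caller presumably receives the same context object (the memoize semantics are not visible here), so the docstring should also say the returned context must not have further functions registered on it.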