Merge branch 'JIRA-WDT-760-secrets-overlap' into 'main'

Fix overlapping secret names; allow secret key walletPassword for OPSSSecrets

See merge request weblogic-cloud/weblogic-deploy-tooling!1482

Author: robertpatrick

core/src/main/python/wlsdeploy/aliases/alias_constants.py

@@ -29,6 +29,8 @@
 PREFERRED_MODEL_TYPE = 'preferred_model_type'
 PRODUCTION_DEFAULT = 'production_default'
 RESTART_REQUIRED = 'restart_required'
+SECRET_KEY = 'secret_key'
+SECRET_SUFFIX = 'secret_suffix'
 SECURE_DEFAULT = 'secure_default'
 SET_MBEAN_TYPE = 'set_mbean_type'
 SET_METHOD = 'set_method'
@@ -103,6 +105,10 @@
 STRING = 'string'
 MASKED = '<masked>'
 
+# alias owns these, they are derived from secret_key, wlst_type
+SECRET_USERNAME_KEY = "username"
+SECRET_PASSWORD_KEY = "password"
+
 ALIAS_DELIMITED_TYPES = [
     COMMA_DELIMITED_STRING,
     DELIMITED_STRING,

core/src/main/python/wlsdeploy/aliases/aliases.py

@@ -15,6 +15,7 @@
 from wlsdeploy.aliases.alias_constants import ALIAS_LIST_TYPES
 from wlsdeploy.aliases.alias_constants import ALIAS_MAP_TYPES
 from wlsdeploy.aliases.alias_constants import ATTRIBUTES
+from wlsdeploy.aliases.alias_constants import CREDENTIAL
 from wlsdeploy.aliases.alias_constants import ChildFoldersTypes
 from wlsdeploy.aliases.alias_constants import DEFAULT_VALUE
 from wlsdeploy.aliases.alias_constants import DERIVED_DEFAULT
@@ -36,6 +37,10 @@
 from wlsdeploy.aliases.alias_constants import PROPERTIES
 from wlsdeploy.aliases.alias_constants import RESTART_REQUIRED
 from wlsdeploy.aliases.alias_constants import RO
+from wlsdeploy.aliases.alias_constants import SECRET_KEY
+from wlsdeploy.aliases.alias_constants import SECRET_PASSWORD_KEY
+from wlsdeploy.aliases.alias_constants import SECRET_SUFFIX
+from wlsdeploy.aliases.alias_constants import SECRET_USERNAME_KEY
 from wlsdeploy.aliases.alias_constants import SECURE_DEFAULT
 from wlsdeploy.aliases.alias_constants import SET_MBEAN_TYPE
 from wlsdeploy.aliases.alias_constants import SET_METHOD
@@ -1414,6 +1419,57 @@ def is_derived_default(self, location, model_attribute):
         self._logger.exiting(class_name=self._class_name, method_name=_method_name, result=result)
         return result
 
+    def get_secret_suffix(self, location, model_attribute):
+        """
+        Get the secret suffix for the specified location and attribute.
+        :param location: location of the attribute
+        :param model_attribute: model name of attribute to check
+        :return: the secret suffix, or None
+        """
+        _method_name = "get_secret_suffix"
+        self._logger.entering(model_attribute, class_name=self._class_name, method_name=_method_name)
+
+        result = None
+        try:
+            attribute_info = self._alias_entries.get_alias_attribute_entry_by_model_name(location, model_attribute)
+            if attribute_info is not None:
+                result = dictionary_utils.get_element(attribute_info, SECRET_SUFFIX)
+        except AliasException, ae:
+            self._raise_exception(ae, _method_name, 'WLSDPLY-19049', model_attribute, location.get_folder_path(),
+                                  ae.getLocalizedMessage())
+
+        self._logger.exiting(class_name=self._class_name, method_name=_method_name, result=result)
+        return result
+
+    def get_secret_key(self, location, model_attribute):
+        """
+        Get the secret key for the specified location and attribute.
+        Return the secret_key value, or derive the value from the WLST type.
+        :param location: location of the attribute
+        :param model_attribute: model name of attribute to check
+        :return: the secret key, or None
+        """
+        _method_name = "get_secret_key"
+        self._logger.entering(model_attribute, class_name=self._class_name, method_name=_method_name)
+
+        result = None
+        try:
+            attribute_info = self._alias_entries.get_alias_attribute_entry_by_model_name(location, model_attribute)
+            if attribute_info is not None:
+                result = dictionary_utils.get_element(attribute_info, SECRET_KEY)
+                if not result:
+                    attribute_type = self.get_model_attribute_type(location, model_attribute)
+                    if attribute_type == PASSWORD:
+                        result = SECRET_PASSWORD_KEY
+                    elif attribute_type == CREDENTIAL:
+                        result = SECRET_USERNAME_KEY
+        except AliasException, ae:
+            self._raise_exception(ae, _method_name, 'WLSDPLY-19050', model_attribute, location.get_folder_path(),
+                                  ae.getLocalizedMessage())
+
+        self._logger.exiting(class_name=self._class_name, method_name=_method_name, result=result)
+        return result
+
     ###########################################################################
     #                          Convenience Methods                            #
     ###########################################################################

core/src/main/python/wlsdeploy/tool/util/credential_injector.py

@@ -1,11 +1,13 @@
 """
-Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
 
 import oracle.weblogic.deploy.util.PyOrderedDict as OrderedDict
 from wlsdeploy.aliases.alias_constants import CREDENTIAL
 from wlsdeploy.aliases.alias_constants import PASSWORD
+from wlsdeploy.aliases.alias_constants import SECRET_PASSWORD_KEY
+from wlsdeploy.aliases.alias_constants import SECRET_USERNAME_KEY
 from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.aliases.model_constants import DOMAIN_INFO_ALIAS
 from wlsdeploy.aliases.model_constants import DRIVER_PARAMS_PROPERTY_VALUE
@@ -27,8 +29,6 @@
 from wlsdeploy.util import variables
 from wlsdeploy.util.target_configuration import CONFIG_OVERRIDES_SECRETS_METHOD
 from wlsdeploy.util.target_configuration import SECRETS_METHOD
-from wlsdeploy.util.target_configuration_helper import SECRET_PASSWORD_KEY
-from wlsdeploy.util.target_configuration_helper import SECRET_USERNAME_KEY
 from wlsdeploy.util.target_configuration_helper import WEBLOGIC_CREDENTIALS_SECRET_NAME
 
 _class_name = 'CredentialInjector'
@@ -168,28 +168,16 @@ def get_variable_name(self, attribute_location, attribute, suffix=None):
         aliases = self.get_aliases()
         target_config = self._model_context.get_target_configuration()
 
-        # domainInfo attributes have separate model and attribute locations
+        # the attribute location passed may differ from the model location (rare).
+        # for example, DomainInfo/... attribute location is a top-level model location.
         model_location = attribute_location
         if model_location.get_current_model_folder() == DOMAIN_INFO_ALIAS:
             model_location = LocationContext()
 
         if target_config.uses_credential_secrets():
-            # use the secret token name as variable name in the cache, such as jdbc-generic1.password .
-            # secret name is the adjusted variable name, with the last element replaced with "username" or "password".
-
-            attribute_type = aliases.get_model_attribute_type(attribute_location, attribute)
-            variable_name = VariableInjector.get_variable_name(self, model_location, attribute)
-            secret_name = target_configuration_helper.create_secret_name(variable_name, suffix)
-
-            secret_key = SECRET_USERNAME_KEY
-            if attribute_type == PASSWORD:
-                secret_key = SECRET_PASSWORD_KEY
-
-            # suffix such as map3.password in MailSession properties
-            if suffix and suffix.endswith(".password"):
-                secret_key = SECRET_PASSWORD_KEY
-
-            return '%s:%s' % (secret_name, secret_key)
+            # use the secret token name as variable name in the cache, such as jdbc-generic1:password
+            return target_configuration_helper.get_secret_path(model_location, attribute_location,
+                                                               attribute, aliases, suffix)
 
         return VariableInjector.get_variable_name(self, model_location, attribute, suffix=suffix)
 

core/src/main/python/wlsdeploy/tool/util/variable_injector.py

@@ -1,5 +1,5 @@
 """
-Copyright (c) 2018, 2022, Oracle Corporation and/or its affiliates.
+Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
 import copy
@@ -72,7 +72,6 @@
 
 # global variables for functions in VariableInjector
 _find_special_names_pattern = re.compile('[\[\]]')
-_fake_name_marker = 'fakename'
 _split_around_special_names = re.compile('([\w]+\[[\w\.,]+\])|\.')
 
 _class_name = 'variable_injector'
@@ -333,7 +332,7 @@ def inject_variables(self, injector_dictionary):
         if injector_dictionary:
             location = LocationContext()
             domain_token = self.__aliases.get_name_token(location)
-            location.add_name_token(domain_token, _fake_name_marker)
+            location.add_name_token(domain_token, variable_injector_functions.FAKE_NAME_MARKER)
             for injector, injector_values in injector_dictionary.iteritems():
                 entries_dict = self.__inject_variable(location, injector, injector_values)
                 if len(entries_dict) > 0:
@@ -639,7 +638,7 @@ def _process_pattern_dictionary(self, attribute_name, attribute_dict, location,
 
     def _check_name_token(self, location, name_token):
         if self.__aliases.requires_unpredictable_single_name_handling(location):
-            location.add_name_token(name_token, _fake_name_marker)
+            location.add_name_token(name_token, variable_injector_functions.FAKE_NAME_MARKER)
 
     def _replace_tokens(self, path_string):
         result = path_string

core/src/main/python/wlsdeploy/tool/util/variable_injector_functions.py

@@ -1,21 +1,22 @@
 """
-Copyright (c) 2018, 2022, Oracle Corporation and/or its affiliates.
+Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
 import re
 
+from oracle.weblogic.deploy.aliases import AliasException
+
 import wlsdeploy.aliases.model_constants as model_constants
 import wlsdeploy.util.model as model_sections
-from oracle.weblogic.deploy.aliases import AliasException
+import wlsdeploy.util.unicode_helper as str_helper
 from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.logging.platform_logger import PlatformLogger
-import wlsdeploy.util.unicode_helper as str_helper
 
 _class_name = 'variable_injector'
 _logger = PlatformLogger('wlsdeploy.tool.util')
 
-_fake_name_marker = 'fakename'
-_fake_name_replacement = re.compile('.' + _fake_name_marker)
+FAKE_NAME_MARKER = 'fakename'
+_fake_name_replacement = re.compile('.' + FAKE_NAME_MARKER)
 _white_space_replacement = re.compile('\\s')
 
 # bad characters for a property name - anything that isn't a good character
@@ -73,6 +74,25 @@ def format_variable_name(location, attribute, aliases):
     """
     _method_name = 'format_variable_name'
 
+    short_name = get_short_name(location, attribute, aliases)
+
+    # remove or replace invalid characters in the variable name for use as a property name.
+    short_name = short_name.replace('/', '.')
+    short_name = _white_space_replacement.sub('-', short_name)
+    short_name = _bad_chars_replacement.sub('-', short_name)
+    return short_name
+
+
+def get_short_name(location, attribute, aliases):
+    """
+    Return a dot-delimited string representation of the location and attribute.
+    There are adjustments to use shorter element names and skip some redundant elements
+    This is used to make variable property names and secret names.
+    :param location: the location of the attribute
+    :param attribute: the attribute to be evaluated
+    :param aliases: for information about the location and attribute
+    :return: the short name
+    """
     short_list = __traverse_location(LocationContext(location), attribute, list(), aliases)
 
     short_name = ''
@@ -81,10 +101,6 @@ def format_variable_name(location, attribute, aliases):
             short_name += node + '.'
     short_name += attribute
 
-    # remove or replace invalid characters in the variable name for use as a property name.
-    short_name = short_name.replace('/', '.')
-    short_name = _white_space_replacement.sub('-', short_name)
-    short_name = _bad_chars_replacement.sub('-', short_name)
     short_name = _fake_name_replacement.sub('', short_name)
     return short_name