Merge branch 'prepare-model-fix' into 'main'

fixing password validation so that it does not run with Prepare Model

See merge request weblogic-cloud/weblogic-deploy-tooling!1542

Author: robertpatrick

core/src/main/python/create.py

@@ -346,7 +346,7 @@ def _precheck_rcu_connectivity(model_context, creator, rcu_db_info):
                                                           e.getLocalizedMessage(), error=e)
             __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
             raise ex
-        except ee:
+        except ee:  # FIXME - WLSDPLY-12506 only has one placeholder so ee gets dropped on the floor.
             ex = exception_helper.create_create_exception('WLSDPLY-12506', domain_typename, ee)
             __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
             raise ex
@@ -372,6 +372,7 @@ def main(model_context):
         # check for any content problems in the merged, substituted model
         content_validator = ContentValidator(model_context, aliases)
         content_validator.validate_model(model_dictionary)
+        content_validator.validate_user_passwords(model_dictionary)
 
         archive_helper = None
         archive_file_name = model_context.get_archive_file_name()

core/src/main/python/wlsdeploy/tool/validate/content_validator.py

@@ -54,7 +54,10 @@ def validate_model(self, model_dict):
         """
         _method_name = 'validate_model'
         self._logger.entering(class_name=self._class_name, method_name=_method_name)
-        self.validate_user_passwords(model_dict)
+        #
+        # This code is called by both Create Domain and Prepare Model.  Since passwords may still
+        # be tokenized in Prepare Model, do not call validate_user_passwords() from here.
+        #
         self.validate_dynamic_clusters(model_dict)
         self._logger.exiting(class_name=self._class_name, method_name=_method_name)
 
@@ -108,8 +111,12 @@ def validate_user_passwords(self, model_dict):
 
         found_errors = False
         try:
-            if not password_validator.validate(admin_username, admin_password):
-                found_errors = True
+            if not self._model_context.password_is_tokenized(admin_password):
+                if not password_validator.validate(admin_username, admin_password):
+                    found_errors = True
+            else:
+                self._logger.notification('WLSDPLY-05208', admin_username,
+                                          class_name=self._class_name, method_name=_method_name)
         except ValidateException, ex:
             self._logger.severe('WLSDPLY-05203', ex.getLocalizedMessage(),
                                 error=ex, class_name=self._class_name, method_name=_method_name)
@@ -122,8 +129,12 @@ def validate_user_passwords(self, model_dict):
                 password = dictionary_utils.get_element(user_dict, PASSWORD)
                 password = self._aliases.decrypt_password(password)
                 try:
-                    if not password_validator.validate(user_name, password):
-                        found_errors = True
+                    if not self._model_context.password_is_tokenized(password):
+                        if not password_validator.validate(user_name, password):
+                            found_errors = True
+                    else:
+                        self._logger.notification('WLSDPLY-05208', user_name,
+                                                  class_name=self._class_name, method_name=_method_name)
                 except ValidateException, ex:
                     self._logger.severe('WLSDPLY-05204', user_name, ex.getLocalizedMessage(),
                                         error=ex, class_name=self._class_name, method_name=_method_name)

core/src/main/python/wlsdeploy/util/model_config.py

@@ -50,7 +50,7 @@
 DISABLE_RCU_DROP_SCHEMA_PROP='disable.rcu.drop.schema'
 DISABLE_RCU_DROP_SCHEMA_DEFAULT='false'
 ENABLE_CREATE_DOMAIN_PASSWORD_VALIDATION_PROP = 'enable.create.domain.password.validation'
-ENABLE_CREATE_DOMAIN_PASSWORD_VALIDATION_DEFAULT = 'false'
+ENABLE_CREATE_DOMAIN_PASSWORD_VALIDATION_DEFAULT = 'true'
 
 # System Property overrides for WLST timeout properties
 SYS_PROP_PREFIX = 'wdt.config.'

core/src/main/python/wlsdeploy/util/model_context.py

@@ -33,6 +33,8 @@ class ModelContext(object):
     """
     _class_name = "ModelContext"
 
+    SECRET_REGEX = re.compile('@@SECRET:[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+@@')
+    ENV_REGEX = re.compile('@@ENV:[a-zA-Z0-9_-]+@@')
     ORACLE_HOME_TOKEN = '@@ORACLE_HOME@@'
     WL_HOME_TOKEN = '@@WL_HOME@@'
     DOMAIN_HOME_TOKEN = '@@DOMAIN_HOME@@'
@@ -957,6 +959,18 @@ def tokenize_classpath(self, classpath):
 
         return MODEL_LIST_DELIMITER.join(cp_elements)
 
+    def password_is_tokenized(self, password):
+        """
+        Does the password contain a secret or environment variable token?
+        :param password: the password to test
+        :return: True if a secret or environment variable token is found; False otherwise
+        """
+        result = False
+        if password is not None:
+            result = self.SECRET_REGEX.search(password) is not None or self.ENV_REGEX.search(password) is not None
+        return result
+
+
     def copy(self, arg_map):
         model_context_copy = copy.copy(self)
         model_context_copy.__copy_from_args(arg_map)

core/src/main/resources/oracle/weblogic/deploy/messages/wlsdeploy_rb.properties

@@ -565,6 +565,7 @@ WLSDPLY-05204=Password validation failed for the {0} credentials: {1}
 WLSDPLY-05205=Password validation encountered validation errors
 WLSDPLY-05206=Found model attribute {0} of type {1} with value {2}
 WLSDPLY-05207=Found alias attribute {0} of type {1} with default value {2}
+WLSDPLY-05208=Skipping password validation for user {0} because the password appears to be tokenized
 
 # wlsdeploy/tools/validate/validation_utils.py
 WLSDPLY-05300=NOT USED

core/src/test/python/wlsdeploy/util/model_context_test.py

@@ -1,5 +1,5 @@
 """
-Copyright (c) 2020, Oracle and/or its affiliates.
+Copyright (c) 2020, 2023, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 """
 import unittest
@@ -10,7 +10,7 @@
 
 class ClaHelperTest(unittest.TestCase):
 
-    def testCopyModelContext(self):
+    def test_copy_model_context(self):
         __program_name = 'model_context_test'
         __oracle_home = '/my/oracle/home'
         __model_file = 'my_model_file.yaml'
@@ -28,3 +28,22 @@ def testCopyModelContext(self):
         self.assertEquals(model_context_copy.get_program_name(), __program_name)
         self.assertEquals(model_context_copy.get_oracle_home(), __oracle_home)
         self.assertEquals(model_context_copy.get_model_file(), __model_file)
+
+    def test_password_is_tokenized(self):
+        __program_name = 'model_context_test'
+
+        __no_token_value = 'Welcome1'
+        __complex_no_token_value = 'Abc@@def@@ghi'
+        __secret_value = '@@SECRET:foo:username@@'
+        __env_value = '@@ENV:FOO@@'
+        __complex_token_value = '@@SECRET:foo:@@ENV:BAR@@@@'
+
+        model_context = ModelContext(__program_name)
+        self.assertEquals(model_context.password_is_tokenized(None), False)
+        self.assertEquals(model_context.password_is_tokenized(__no_token_value), False)
+        self.assertEquals(model_context.password_is_tokenized(__complex_no_token_value), False)
+
+        self.assertEquals(model_context.password_is_tokenized(__secret_value), True)
+        self.assertEquals(model_context.password_is_tokenized(__env_value), True)
+        self.assertEquals(model_context.password_is_tokenized(__secret_value), True)
+        self.assertEquals(model_context.password_is_tokenized(__complex_token_value), True)