Encrypt and decrypt password elements in RCU DB info (#357)

* JIRA WDT-262 - Expose decrypt method in alias_helper

* JIRA WDT-262 - Encrypt model and variables using aliases instead of static list

* JIRA WDT-262 - Encrypt model and variables using aliases instead of static list

* JIRA WDT-262 - Encrypt model and variables using aliases instead of static list

* JIRA WDT-262 - Encrypt model and variables using aliases instead of static list

* JIRA WDT-262 - Use RCU DB info object to decrypt password fields as needed

* JIRA WDT-262 - Allow boolean and default values for useATP field; move model checks into RCU DB helper

Author: rakillen

core/src/main/python/create.py

@@ -30,11 +30,14 @@
 from wlsdeploy.aliases import model_constants
 from wlsdeploy.aliases.wlst_modes import WlstModes
 from wlsdeploy.exception import exception_helper
+from wlsdeploy.exception.expection_types import ExceptionType
 from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.tool.create.rcudbinfo_helper import RcuDbInfo
 from wlsdeploy.tool.create.domain_creator import DomainCreator
 from wlsdeploy.tool.create.domain_typedef import DomainTypedef
 from wlsdeploy.tool.create.domain_typedef import CREATE_DOMAIN
 from wlsdeploy.tool.util import filter_helper
+from wlsdeploy.tool.util.alias_helper import AliasHelper
 from wlsdeploy.tool.validate.validator import Validator
 from wlsdeploy.util import getcreds
 from wlsdeploy.util import tool_exit
@@ -332,15 +335,15 @@ def validate_model(model_dictionary, model_context, aliases):
         tool_exit.end(model_context, CommandLineArgUtil.PROG_ERROR_EXIT_CODE)
 
 
-def validateRCUArgsAndModel(model_context, model):
+def validateRCUArgsAndModel(model_context, model, alias_helper):
     has_atpdbinfo = 0
     domain_info = model[model_constants.DOMAIN_INFO]
     if domain_info is not None:
         if model_constants.RCU_DB_INFO in domain_info:
-            rcu_db_info = domain_info[model_constants.RCU_DB_INFO]
-            has_tns_admin = atp_helper.has_tns_admin(rcu_db_info)
-            has_regular_db = atp_helper.is_regular_db(rcu_db_info)
-            has_atpdbinfo = atp_helper.has_atpdbinfo(rcu_db_info)
+            rcu_db_info = RcuDbInfo(alias_helper, domain_info[model_constants.RCU_DB_INFO])
+            has_tns_admin = rcu_db_info.has_tns_admin()
+            has_regular_db = rcu_db_info.is_regular_db()
+            has_atpdbinfo = rcu_db_info.has_atpdbinfo()
 
             if model_context.get_archive_file_name() and not has_regular_db:
                 System.setProperty('oracle.jdbc.fanEnabled', 'false')
@@ -424,14 +427,15 @@ def main(args):
         tool_exit.end(model_context, CommandLineArgUtil.PROG_ERROR_EXIT_CODE)
 
     aliases = Aliases(model_context, wlst_mode=__wlst_mode)
+    alias_helper = AliasHelper(aliases, __logger, ExceptionType.CREATE)
     validate_model(model, model_context, aliases)
 
     if filter_helper.apply_filters(model, "create"):
         # if any filters were applied, re-validate the model
         validate_model(model, model_context, aliases)
     try:
 
-        has_atp = validateRCUArgsAndModel(model_context, model)
+        has_atp = validateRCUArgsAndModel(model_context, model, alias_helper)
         # check if there is an atpwallet and extract in the domain dir
         # it is to support non JRF domain but user wants to use ATP database
         archive_file_name = model_context.get_archive_file_name()
@@ -446,7 +450,10 @@ def main(args):
         creator.create()
 
         if has_atp:
-            atp_helper.fix_jps_config(model, model_context)
+            rcu_properties_map = model[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO]
+            rcu_db_info = RcuDbInfo(alias_helper, rcu_properties_map)
+            atp_helper.fix_jps_config(rcu_db_info, model_context)
+
     except WLSDeployArchiveIOException, ex:
         __logger.severe('WLSDPLY-12409', _program_name, ex.getLocalizedMessage(), error=ex,
                         class_name=_class_name, method_name=_method_name)

core/src/main/python/encrypt.py

@@ -1,5 +1,5 @@
 """
-Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
 The Universal Permissive License (UPL), Version 1.0
 
 The main module for the WLSDeploy tool to encrypt passwords.
@@ -21,9 +21,13 @@
 sys.path.append(os.path.dirname(os.path.realpath(sys.argv[0])))
 
 # imports from local packages start here
+from wlsdeploy.aliases.aliases import Aliases
+from wlsdeploy.aliases.wlst_modes import WlstModes
 from wlsdeploy.exception import exception_helper
+from wlsdeploy.exception.expection_types import ExceptionType
 from wlsdeploy.logging.platform_logger import PlatformLogger
 from wlsdeploy.tool.encrypt import encryption_utils
+from wlsdeploy.tool.util.alias_helper import AliasHelper
 from wlsdeploy.util import getcreds
 from wlsdeploy.util import variables as variable_helper
 from wlsdeploy.util import wlst_helper
@@ -70,7 +74,7 @@ def __process_args(args):
     # Prompt for the password to encrypt if the -manual switch was specified
     #
     if CommandLineArgUtil.ENCRYPT_MANUAL_SWITCH in optional_arg_map and \
-                    CommandLineArgUtil.ONE_PASS_SWITCH not in optional_arg_map:
+            CommandLineArgUtil.ONE_PASS_SWITCH not in optional_arg_map:
         try:
             pwd = getcreds.getpass('WLSDPLY-04200')
         except IOException, ioe:
@@ -101,6 +105,7 @@ def __verify_required_args_present(required_arg_map):
             raise ex
     return
 
+
 def __validate_mode_args(optional_arg_map):
     """
     Verify that either the model_file or the manual switch was specified.
@@ -179,10 +184,13 @@ def __encrypt_model_and_variables(model_context):
                             class_name=_class_name, method_name=_method_name)
             return CommandLineArgUtil.PROG_ERROR_EXIT_CODE
 
+    aliases = Aliases(model_context, wlst_mode=WlstModes.OFFLINE)
+    alias_helper = AliasHelper(aliases, __logger, ExceptionType.ENCRYPTION)
+
     try:
         passphrase = model_context.get_encryption_passphrase()
         model_change_count, variable_change_count = \
-            encryption_utils.encrypt_model_dictionary(passphrase, model, variables)
+            encryption_utils.encrypt_model_dictionary(passphrase, model, alias_helper, variables)
     except EncryptionException, ee:
         __logger.severe('WLSDPLY-04208', _program_name, ee.getLocalizedMessage(), error=ee,
                         class_name=_class_name, method_name=_method_name)
@@ -268,6 +276,7 @@ def main(args):
     __logger.exiting(class_name=_class_name, method_name=_method_name, result=exit_code)
     sys.exit(exit_code)
 
+
 if __name__ == "main":
     WebLogicDeployToolingVersion.logVersionInfo(_program_name)
     main(sys.argv)

core/src/main/python/wlsdeploy/aliases/aliases.py

@@ -401,7 +401,7 @@ def get_wlst_attribute_name_and_value(self, location, model_attribute_name, mode
             data_type = attribute_info[WLST_TYPE]
             if data_type == 'password':
                 try:
-                    wlst_attribute_value = self.__decrypt_password(model_attribute_value)
+                    wlst_attribute_value = self.decrypt_password(model_attribute_value)
                 except EncryptionException, ee:
                     ex = exception_helper.create_alias_exception('WLSDPLY-08402', model_attribute_name,
                                                                  location.get_folder_path(),
@@ -1130,21 +1130,15 @@ def get_ignore_attribute_names(self):
         """
         return self._alias_entries.IGNORE_FOR_MODEL_LIST
 
-    ####################################################################################
-    #
-    # Private methods, private inner classes and static methods only, beyond here please
-    #
-    ####################################################################################
-
-    def __decrypt_password(self, text):
+    def decrypt_password(self, text):
         """
-        Internal method to determine if the provided password text needs to be decrypted
+        Encrypt the specified password if encryption is used and the password is encrypted.
         :param text: the text to check and decrypt, if needed
         :return: the clear text
         :raises EncryptionException: if an error occurs while decrypting the password
         """
         if text is None or len(str(text)) == 0 or \
-                (self._model_context and not self._model_context.is_using_encryption()) or\
+                (self._model_context and not self._model_context.is_using_encryption()) or \
                 not EncryptionUtils.isEncryptedString(text):
 
             rtnval = text
@@ -1156,6 +1150,12 @@ def __decrypt_password(self, text):
 
         return rtnval
 
+    ####################################################################################
+    #
+    # Private methods, private inner classes and static methods only, beyond here please
+    #
+    ####################################################################################
+
     def __is_model_attribute_read_only(self, location, attribute_info):
         """
         Is the model attribute read-only?

core/src/main/python/wlsdeploy/tool/create/atp_helper.py

@@ -88,15 +88,11 @@ def unzip_atp_wallet(wallet_file, location):
     zis.close()
     fis.close()
 
-def fix_jps_config(model, model_context):
-    #print model[model_constants.DOMAIN_INFO][model_constants.ATP_DB_INFO]
-    tns_admin = model[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO][
-        model_constants.DRIVER_PARAMS_NET_TNS_ADMIN]
-    keystore_password = model[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO][
-        model_constants.DRIVER_PARAMS_KEYSTOREPWD_PROPERTY]
 
-    truststore_password = model[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO][
-        model_constants.DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY]
+def fix_jps_config(rcu_db_info, model_context):
+    tns_admin = rcu_db_info.get_atp_tns_admin()
+    keystore_password = rcu_db_info.get_keystore_password()
+    truststore_password = rcu_db_info.get_truststore_password()
 
     jsp_config = model_context.get_domain_home() + '/config/fmwconfig/jps-config.xml'
     jsp_config_jse = model_context.get_domain_home() + '/config/fmwconfig/jps-config-jse.xml'
@@ -155,33 +151,6 @@ def format_connect_string(connect_string):
 
     return connect_string
 
-# has_tns_admin is used to find the extract location if it is already extracted by the user
-# its an optional field, so insufficient to determine whether it has atp
-
-
-def has_tns_admin(rcu_db_info):
-    return model_constants.DRIVER_PARAMS_NET_TNS_ADMIN in rcu_db_info
-
-
-def has_atpdbinfo(rcu_db_info):
-    is_atp = 0
-    if model_constants.USE_ATP in rcu_db_info:
-        if rcu_db_info[model_constants.USE_ATP] == 'true' or rcu_db_info[model_constants.USE_ATP] == 1:
-            is_atp = 1
-    return is_atp
-    # return model_constants.USE_ATP in rcu_db_info
-    # return model_constants.ATP_TNS_ENTRY in rcu_db_info
-
-
-def is_regular_db(rcu_db_info):
-    is_regular = 0
-    if model_constants.USE_ATP in rcu_db_info:
-        if rcu_db_info[model_constants.USE_ATP] is 'false' or rcu_db_info[model_constants.USE_ATP] is 0:
-            is_regular = 1
-    if model_constants.RCU_DB_CONN in rcu_db_info:
-        is_regular = 1
-    return is_regular
-
 
 def extract_walletzip(model, model_context, archive_file, atp_zipentry):
     domain_parent = model_context.get_domain_parent_dir()