heat : ensure DB user creds aren't written decrypted
authorSteven Hardy <shardy@redhat.com>
Wed, 19 Sep 2012 10:48:29 +0000 (11:48 +0100)
committerSteven Hardy <shardy@redhat.com>
Wed, 19 Sep 2012 10:48:29 +0000 (11:48 +0100)
Return the decrypted user_creds record as a dict copy
and do not decrypt the credentials directly into the
sqlalchemy model object, or we can inadvertently
end up committing decrypted credentials to the DB

Ref #218

Change-Id: I0df9afcb271804557c94cdf0c913f7a26affdc83
Signed-off-by: Steven Hardy <shardy@redhat.com>
heat/db/sqlalchemy/api.py
heat/engine/manager.py

index 9f53a979b05f53490967f5c5e369cb61dc85433d..e6f106a41c07816a6b28396aa08267aca09a8c43 100644 (file)
@@ -211,11 +211,13 @@ def user_creds_create(values):
 
 
 def user_creds_get(user_creds_id):
-    result = model_query(None, models.UserCreds).get(user_creds_id)
-    result.password = auth.decrypt(result.password)
-    result.service_password = auth.decrypt(result.service_password)
-    result.aws_creds = auth.decrypt(result.aws_creds)
-
+    db_result = model_query(None, models.UserCreds).get(user_creds_id)
+    # Return a dict copy of db results, do not decrypt details into db_result
+    # or it can be committed back to the DB in decrypted form
+    result = dict(db_result)
+    result['password'] = auth.decrypt(result['password'])
+    result['service_password'] = auth.decrypt(result['service_password'])
+    result['aws_creds'] = auth.decrypt(result['aws_creds'])
     return result
 
 
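Review bot: `model_query(None, models.UserCreds).get(user_creds_id)` returns None when no row matches, and `dict(db_result)` on the following line then fails with a TypeError rather than a clear not-found error; the removed code failed the same way, but since the body is being reworked a guard before the copy is cheap, e.g. `if db_result is None: raise NOT_FOUND_ERROR  # placeholder: use this module's not-found exception`. The inline comment explains why the copy exists, but a docstring on `user_creds_get` should state the contract callers must honour: the returned dict holds the credential fields in plaintext, is detached from the session, and must never be passed back into a DB write or emitted in a log. It may also be worth noting that `dict(db_result)` copies every column of the row, not only the three decrypted fields, so anything added to the model later will silently flow into the returned mapping.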
index f7da9d9f229ea84c7b26d693f9388fb1865ac8be..6bc31423e6ed32b56d6dda6bc2201777457517b1 100644 (file)
@@ -443,7 +443,7 @@ class EngineManager(manager.Manager):
             if s and s.status in (parser.Stack.CREATE_COMPLETE,
                                   parser.Stack.UPDATE_COMPLETE):
                 user_creds = db_api.user_creds_get(s.user_creds_id)
-                ctxt = ctxtlib.RequestContext.from_dict(dict(user_creds))
+                ctxt = ctxtlib.RequestContext.from_dict(user_creds)
                 stack = parser.Stack.load(ctxt, s.id)
                 for a in wr.rule[watchrule.WatchRule.ACTION_MAP[new_state]]:
                     greenpool.spawn_n(stack[a].alarm)