Merge branch 'jira-wdt-881-tokenize-security' into 'main'

Tokenize credentials discovered from security providers

See merge request weblogic-cloud/weblogic-deploy-tooling!1688

Author: robertpatrick

core/src/main/python/wlsdeploy/tool/discover/security_provider_data_discoverer.py

@@ -20,6 +20,7 @@
 from wlsdeploy.aliases.model_constants import DEFAULT_AUTHENTICATOR
 from wlsdeploy.aliases.model_constants import DEFAULT_CREDENTIAL_MAPPER
 from wlsdeploy.aliases.model_constants import DEFAULT_REALM
+from wlsdeploy.aliases.model_constants import DOMAIN_INFO
 from wlsdeploy.aliases.model_constants import GROUP
 from wlsdeploy.aliases.model_constants import REALM
 from wlsdeploy.aliases.model_constants import REMOTE_RESOURCE
@@ -157,7 +158,8 @@ def _discover_default_authenticator_instance_data(self, location, provider_name,
             local_file = export_file
 
         default_authenticator = \
-            DefaultAuthenticatorLdift(local_file, self._model_context, exception_type=ExceptionType.DISCOVER,
+            DefaultAuthenticatorLdift(local_file, self._model_context, self._aliases, self._credential_injector,
+                                      exception_type=ExceptionType.DISCOVER,
                                       download_temporary_dir=self._local_tmp_directory)
 
         users = default_authenticator.get_users_dictionary()
@@ -337,7 +339,8 @@ def _discover_default_credential_mapper_instance_data(self, location, provider_n
             local_file = export_file
 
         credential_mapper = \
-            DefaultCredentialMapperLdift(local_file, self._model_context, exception_type=ExceptionType.DISCOVER,
+            DefaultCredentialMapperLdift(local_file, self._model_context, self._aliases, self._credential_injector,
+                                         exception_type=ExceptionType.DISCOVER,
                                          download_temporary_dir=self._local_tmp_directory)
         cross_domain_credential_mappings_dict = credential_mapper.get_cross_domain_dictionary()
         remote_resource_credential_mapping_dict = credential_mapper.get_remote_resource_dictionary()
@@ -374,6 +377,11 @@ def _populate_admin_user_and_password(self):
             else:
                 self._domain_info_dictionary[ADMIN_PASSWORD] = self._model_context.get_admin_password()
 
+            if self._credential_injector is not None:
+                location = self._aliases.get_model_section_attribute_location(DOMAIN_INFO)
+                self._credential_injector.check_and_tokenize(self._domain_info_dictionary, ADMIN_USERNAME, location)
+                self._credential_injector.check_and_tokenize(self._domain_info_dictionary, ADMIN_PASSWORD, location)
+
         _logger.exiting(class_name=_class_name, method_name=_method_name)
 
     ###########################################################################

core/src/main/python/wlsdeploy/tool/util/wlst_helper.py

@@ -1762,7 +1762,7 @@ def __ls(self, method_name, ls_type, path=None, log_throwing=True):
             current_path = self.get_pwd()
             self.cd(path)
             try:
-                result = load_ls(returnMap='true', returnType=ls_type)
+                result = load_ls(ls_type, returnMap='true', returnType=ls_type)
             except (self.__load_global('WLSTException'), offlineWLSTException), e:
                 pwe = exception_helper.create_exception(self.__exception_type, 'WLSDPLY-00029', path, ls_type,
                                                         self.__get_exception_mode(e), _format_exception(e), error=e)

core/src/main/python/wlsdeploy/util/default_authenticator_ldift_helper.py

@@ -8,11 +8,14 @@
 from oracle.weblogic.deploy.util import PyOrderedDict as OrderedDict
 
 from wlsdeploy.aliases.alias_constants import PASSWORD_TOKEN
+from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.aliases.model_constants import DEFAULT_AUTHENTICATOR
 from wlsdeploy.aliases.model_constants import DEFAULT_AUTHENTICATOR_USER_ATTRIBUTE_KEYS
 from wlsdeploy.aliases.model_constants import DESCRIPTION
 from wlsdeploy.aliases.model_constants import GROUP_MEMBER_OF
 from wlsdeploy.aliases.model_constants import PASSWORD
+from wlsdeploy.aliases.model_constants import SECURITY
+from wlsdeploy.aliases.model_constants import USER
 from wlsdeploy.aliases.model_constants import USER_ATTRIBUTES
 from wlsdeploy.exception.exception_types import ExceptionType
 from wlsdeploy.logging.platform_logger import PlatformLogger
@@ -191,10 +194,14 @@ class DefaultAuthenticatorLdift(LdiftBase):
     __DEFAULT_GROUPS_DICT = None
     __DEFAULT_USER_LIST = [ 'weblogic', 'OracleSystemUser', 'LCMUser' ]
 
-    def __init__(self, ldift_file_name, model_context, exception_type=ExceptionType.DISCOVER, download_temporary_dir=None):
+    def __init__(self, ldift_file_name, model_context, aliases, credential_injector,
+                 exception_type=ExceptionType.DISCOVER, download_temporary_dir=None):
+
         LdiftBase.__init__(self, model_context, exception_type, download_temporary_dir=download_temporary_dir)
 
         self._ldift_file_name = ldift_file_name
+        self._aliases = aliases
+        self._credential_injector = credential_injector
         self._ldift_entries = self.read_ldift_file(ldift_file_name)
 
 
@@ -229,6 +236,13 @@ def get_users_dictionary(self, filter_defaults=False):
 
                 user_entry = OrderedDict()
                 user_entry[PASSWORD] = user_password
+
+                if self._credential_injector is not None:
+                    location = LocationContext().append_location(SECURITY).append_location(USER)
+                    name_token = self._aliases.get_name_token(location)
+                    location.add_name_token(name_token, user_name)
+                    self._credential_injector.check_and_tokenize(user_entry, PASSWORD, location)
+
                 if not string_utils.is_empty(user_description):
                     user_entry[DESCRIPTION] = user_description
                 if len(user_groups_names) > 0:

core/src/main/python/wlsdeploy/util/default_credential_mapper_ldift_helper.py

@@ -9,6 +9,7 @@
 from oracle.weblogic.deploy.util import PyOrderedDict as OrderedDict
 
 from wlsdeploy.aliases.alias_constants import PASSWORD_TOKEN
+from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.aliases.model_constants import CROSS_DOMAIN
 from wlsdeploy.aliases.model_constants import METHOD
 from wlsdeploy.aliases.model_constants import PATH
@@ -20,6 +21,7 @@
 from wlsdeploy.aliases.model_constants import REMOTE_RESOURCE
 from wlsdeploy.aliases.model_constants import REMOTE_USER
 from wlsdeploy.aliases.model_constants import USER
+from wlsdeploy.aliases.model_constants import WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS
 from wlsdeploy.exception.exception_types import ExceptionType
 from wlsdeploy.logging.platform_logger import PlatformLogger
 from wlsdeploy.util import string_utils
@@ -190,10 +192,14 @@ def _get_resource_name_dict(self, resource_name):
 class DefaultCredentialMapperLdift(LdiftBase):
     __class_name = 'DefaultCredentialMapperLdift'
 
-    def __init__(self, ldift_file_name, model_context, exception_type=ExceptionType.DISCOVER, download_temporary_dir=None):
+    def __init__(self, ldift_file_name, model_context, aliases, credential_injector,
+                 exception_type=ExceptionType.DISCOVER, download_temporary_dir=None):
+
         LdiftBase.__init__(self, model_context, exception_type, download_temporary_dir=download_temporary_dir)
 
         self._ldift_file_name = ldift_file_name
+        self._aliases = aliases
+        self._credential_injector = credential_injector
         self._credential_map_ldift_entries, self._resource_map_ldift_entries = self.read_ldift_file(ldift_file_name)
 
     # Override
@@ -229,8 +235,8 @@ def get_cross_domain_dictionary(self):
                 continue
 
             resource_map_entries = self._find_resource_map_entries_for_credential_map_entry(credential_map_entry)
-            entry_name = 'CrossDomainCredentialMap-%s' % count
-            entry_payload = self._get_cross_domain_model_entry(credential_map_entry, resource_map_entries)
+            entry_name = 'Map-%s' % count
+            entry_payload = self._get_cross_domain_model_entry(credential_map_entry, resource_map_entries, entry_name)
             result[entry_name] = entry_payload
             count += 1
 
@@ -248,8 +254,8 @@ def get_remote_resource_dictionary(self):
                 continue
 
             resource_map_entries = self._find_resource_map_entries_for_credential_map_entry(credential_map_entry)
-            entry_name = 'RemoteResourceCredentialMap-%s' % count
-            entry_payload = self._get_remote_resource_model_entry(credential_map_entry, resource_map_entries)
+            entry_name = 'Map-%s' % count
+            entry_payload = self._get_remote_resource_model_entry(credential_map_entry, resource_map_entries, entry_name)
             result[entry_name] = entry_payload
             count += 1
 
@@ -270,7 +276,7 @@ def _find_resource_map_entries_for_credential_map_entry(self, credential_map_ldi
         _logger.exiting(class_name=self.__class_name, method_name=_method_name, result=resource_map_ldift_entries)
         return resource_map_ldift_entries
 
-    def _get_cross_domain_model_entry(self, credential_map_ldift_entry, resource_map_ldift_entries):
+    def _get_cross_domain_model_entry(self, credential_map_ldift_entry, resource_map_ldift_entries, entry_name):
         _method_name = '_get_cross_domain_model_entry'
         _logger.entering(credential_map_ldift_entry, resource_map_ldift_entries,
                          class_name=self.__class_name, method_name=_method_name)
@@ -291,10 +297,18 @@ def _get_cross_domain_model_entry(self, credential_map_ldift_entry, resource_map
         result[REMOTE_USER] = remote_user
         result[REMOTE_PASSWORD] = remote_password
 
+        if self._credential_injector is not None:
+            location = LocationContext().append_location(WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS) \
+                .append_location(CROSS_DOMAIN)
+            name_token = self._aliases.get_name_token(location)
+            location.add_name_token(name_token, entry_name)
+            self._credential_injector.check_and_tokenize(result, REMOTE_USER, location)
+            self._credential_injector.check_and_tokenize(result, REMOTE_PASSWORD, location)
+
         _logger.exiting(class_name=self.__class_name, method_name=_method_name)
         return result
 
-    def _get_remote_resource_model_entry(self, credential_map_ldift_entry, resource_map_ldift_entries):
+    def _get_remote_resource_model_entry(self, credential_map_ldift_entry, resource_map_ldift_entries, entry_name):
         _method_name = '_get_remote_resource_model_entry'
         _logger.entering(credential_map_ldift_entry, resource_map_ldift_entries,
                          class_name=self.__class_name, method_name=_method_name)
@@ -327,6 +341,14 @@ def _get_remote_resource_model_entry(self, credential_map_ldift_entry, resource_
         result[REMOTE_USER] = remote_user
         result[REMOTE_PASSWORD] = remote_password
 
+        if self._credential_injector is not None:
+            location = LocationContext().append_location(WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS) \
+                .append_location(REMOTE_RESOURCE)
+            name_token = self._aliases.get_name_token(location)
+            location.add_name_token(name_token, entry_name)
+            self._credential_injector.check_and_tokenize(result, REMOTE_USER, location)
+            self._credential_injector.check_and_tokenize(result, REMOTE_PASSWORD, location)
+
         _logger.exiting(class_name=self.__class_name, method_name=_method_name, result=result)
         return result
 

core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/Security.json

@@ -9,9 +9,9 @@
             "child_folders_type": "multiple",
             "folders": { },
             "attributes": {
-                "Description":    [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Description",    "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
-                "GroupMemberOf":  [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "GroupMemberOf",  "wlst_path": "WP001", "default_value": null,    "wlst_type": "delimited_string", "get_method": "NONE" } ],
-                "Name":           [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Name",           "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ]
+                "Description":    [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Description",    "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
+                "GroupMemberOf":  [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "GroupMemberOf",  "wlst_path": "WP001", "default_value": null,    "wlst_type": "delimited_string", "get_method": "NONE" } ],
+                "Name":           [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Name",           "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ]
             },
             "wlst_attributes_path": "WP001",
             "wlst_paths": {
@@ -57,11 +57,11 @@
                 }
             },
             "attributes": {
-                "Description":               [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Description",              "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
-                "GroupMemberOf":             [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "GroupMemberOf",            "wlst_path": "WP001", "default_value": null,    "wlst_type": "delimited_string", "get_method": "NONE" } ],
-                "IsDefaultAdmin":            [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "IsDefaultAdmin",           "wlst_path": "WP001", "default_value": false,   "wlst_type": "boolean",          "get_method": "NONE" } ],
-                "Name":                      [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Name",                     "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
-                "Password":                  [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Password",                 "wlst_path": "WP001", "default_value": null,    "wlst_type": "password",         "get_method": "NONE" } ]
+                "Description":               [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Description",              "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
+                "GroupMemberOf":             [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "GroupMemberOf",            "wlst_path": "WP001", "default_value": null,    "wlst_type": "delimited_string", "get_method": "NONE" } ],
+                "IsDefaultAdmin":            [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "IsDefaultAdmin",           "wlst_path": "WP001", "default_value": false,   "wlst_type": "boolean",          "get_method": "NONE" } ],
+                "Name":                      [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Name",                     "wlst_path": "WP001", "default_value": null,    "wlst_type": "string",           "get_method": "NONE" } ],
+                "Password":                  [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Password",                 "wlst_path": "WP001", "default_value": null,    "wlst_type": "password",         "get_method": "NONE" } ]
             },
             "wlst_attributes_path": "WP001",
             "wlst_paths": {

core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/WLSUserPasswordCredentialMappings.json

@@ -1,16 +1,18 @@
 {
-    "copyright": "Copyright (c) 2020, 2022, Oracle Corporation and/or its affiliates.",
+    "copyright": "Copyright (c) 2020, 2024, Oracle and/or its affiliates.",
     "license": "Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl",
     "wlst_type": "WLSUserPasswordCredentialMappings",
+    "short_name": "CredentialMap",
     "folders": {
         "CrossDomain": {
             "wlst_type": "CrossDomain",
             "child_folders_type": "multiple",
+            "short_name": "CrossDomain",
             "folders": {},
             "attributes": {
                 "RemoteDomain":   [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteDomain",   "wlst_path": "WP001", "default_value": null,   "wlst_type": "string" } ],
                 "RemotePassword": [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemotePassword", "wlst_path": "WP001", "default_value": null,   "wlst_type": "password" } ],
-                "RemoteUser":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteUser",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "string" } ]
+                "RemoteUser":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteUser",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "credential" } ]
             },
             "wlst_attributes_path": "WP001",
             "wlst_paths": {
@@ -20,6 +22,7 @@
         "RemoteResource": {
             "wlst_type": "RemoteResource",
             "child_folders_type": "multiple",
+            "short_name": "RemoteResource",
             "folders": {},
             "attributes": {
                 "Method":         [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "Method",         "wlst_path": "WP001", "default_value": null,   "wlst_type": "string" } ],
@@ -28,7 +31,7 @@
                 "RemoteHost":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteHost",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "string" } ],
                 "RemotePassword": [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemotePassword", "wlst_path": "WP001", "default_value": null,   "wlst_type": "password" } ],
                 "RemotePort":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemotePort",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "integer" } ],
-                "RemoteUser":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteUser",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "string" } ],
+                "RemoteUser":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteUser",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "credential" } ],
                 "User":           [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "User",           "wlst_path": "WP001", "default_value": null,   "wlst_type": "list" } ]
             },
             "wlst_attributes_path": "WP001",