adding new discover passwords feature

Author: robertpatrick

README.md

@@ -65,7 +65,7 @@ vulnerability disclosure process.
 
 ## License
 
-Copyright (c) 2017, 2023, Oracle and/or its affiliates.
+Copyright (c) 2017, 2024, Oracle and/or its affiliates.
 
 Released under the Universal Permissive License v1.0 as shown at
 <https://oss.oracle.com/licenses/upl/>.

core/src/main/python/discover.py

@@ -88,6 +88,10 @@
     CommandLineArgUtil.ADMIN_PASS_ENV_SWITCH,
     CommandLineArgUtil.TARGET_MODE_SWITCH,
     CommandLineArgUtil.OUTPUT_DIR_SWITCH,
+    CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH,
+    CommandLineArgUtil.PASSPHRASE_SWITCH,
+    CommandLineArgUtil.PASSPHRASE_ENV_SWITCH,
+    CommandLineArgUtil.PASSPHRASE_FILE_SWITCH,
     CommandLineArgUtil.TARGET_SWITCH,
     CommandLineArgUtil.REMOTE_SWITCH,
     CommandLineArgUtil.SSH_HOST_SWITCH,
@@ -125,7 +129,9 @@ def __process_args(args):
     __process_java_home(argument_map)
     __process_domain_home(argument_map, __wlst_mode)
 
-    return model_context_helper.create_context(_program_name, argument_map)
+    model_context = model_context_helper.create_context(_program_name, argument_map)
+    __validate_discover_passwords_args(model_context, argument_map)
+    return model_context
 
 
 def __process_model_arg(argument_map):
@@ -252,6 +258,50 @@ def __process_domain_home(arg_map, wlst_mode):
         full_path = cla_utils.validate_domain_home_arg(domain_home)
         arg_map[CommandLineArgUtil.DOMAIN_HOME_SWITCH] = full_path
 
+
+def __validate_discover_passwords_args(model_context, argument_map):
+    _method_name = '__validate_discover_passwords_args'
+    if model_context.is_discover_passwords():
+        if model_context.is_remote():
+            ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06050',
+                                                       _program_name, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH,
+                                                       CommandLineArgUtil.REMOTE_SWITCH)
+            __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+            raise ex
+        if model_context.is_encrypt_discovered_passwords():
+            if model_context.get_encryption_passphrase() is None:
+                ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06051',
+                    _program_name, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH,
+                    CommandLineArgUtil.PASSPHRASE_ENV_SWITCH, CommandLineArgUtil.PASSPHRASE_FILE_SWITCH)
+                __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+                raise ex
+        else:
+            if model_context.get_encryption_passphrase() is not None:
+                if CommandLineArgUtil.PASSPHRASE_ENV_SWITCH in argument_map:
+                    bad_arg = CommandLineArgUtil.PASSPHRASE_ENV_SWITCH
+                elif CommandLineArgUtil.PASSPHRASE_FILE_SWITCH in argument_map:
+                    bad_arg = CommandLineArgUtil.PASSPHRASE_FILE_SWITCH
+                else:
+                    bad_arg = CommandLineArgUtil.PASSPHRASE_SWITCH
+
+                ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06052',
+                    _program_name, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH, bad_arg)
+                __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+                raise ex
+    else:
+        if model_context.get_encryption_passphrase() is not None:
+            if CommandLineArgUtil.PASSPHRASE_ENV_SWITCH in argument_map:
+                bad_arg = CommandLineArgUtil.PASSPHRASE_ENV_SWITCH
+            elif CommandLineArgUtil.PASSPHRASE_FILE_SWITCH in argument_map:
+                bad_arg = CommandLineArgUtil.PASSPHRASE_FILE_SWITCH
+            else:
+                bad_arg = CommandLineArgUtil.PASSPHRASE_SWITCH
+
+            ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06056',
+                _program_name, bad_arg, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH)
+            __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+            raise ex
+
 def __discover(model_context, aliases, credential_injector, helper, extra_tokens):
     """
     Populate the model from the domain.
@@ -636,12 +686,19 @@ def main(model_context):
     if _exit_code == ExitCode.OK:
         aliases = Aliases(model_context, wlst_mode=__wlst_mode, exception_type=ExceptionType.DISCOVER)
         credential_injector = None
+
         if model_context.get_variable_file() is not None or model_context.get_target() is not None:
             credential_injector = CredentialInjector(_program_name, model_context, aliases)
-
-            __logger.info('WLSDPLY-06025', class_name=_class_name, method_name=_method_name)
+            if model_context.is_discover_passwords():
+                password_key = 'WLSDPLY-06055'
+            else:
+                password_key = 'WLSDPLY-06025'
         else:
-            __logger.info('WLSDPLY-06024', class_name=_class_name, method_name=_method_name)
+            if model_context.is_discover_passwords():
+                password_key = 'WLSDPLY-06054'
+            else:
+                password_key = 'WLSDPLY-06024'
+        __logger.info(password_key, class_name=_class_name, method_name=_method_name)
 
         extra_tokens = {}
         try:

core/src/main/python/wlsdeploy/aliases/aliases.py

@@ -2,6 +2,8 @@
 Copyright (c) 2017, 2024, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
+import array
+
 from java.lang import String
 from oracle.weblogic.deploy.aliases import AliasException
 from oracle.weblogic.deploy.aliases import TypeUtils
@@ -31,7 +33,6 @@
 from wlsdeploy.aliases.alias_constants import MERGE
 from wlsdeploy.aliases.alias_constants import MODEL_NAME
 from wlsdeploy.aliases.alias_constants import PASSWORD
-from wlsdeploy.aliases.alias_constants import PASSWORD_TOKEN
 from wlsdeploy.aliases.alias_constants import PREFERRED_MODEL_TYPE
 from wlsdeploy.aliases.alias_constants import PRODUCTION_DEFAULT
 from wlsdeploy.aliases.alias_constants import PROPERTIES
@@ -706,6 +707,51 @@ def get_wlst_access_ro_attribute_names(self, location):
             self._raise_exception(ae, _method_name, 'WLSDPLY-19046', location.get_current_model_folder(),
                                   location.get_folder_path(), ae.getLocalizedMessage())
 
+    def get_wlst_attribute_type(self, location, wlst_attribute_name):
+        """
+        Get the wlst_type from the alias for the specified WLST attribute.
+        :param location:            model folder location
+        :param wlst_attribute_name: WLST attribute name
+        :return: the wlst_type from the alias entry or None if the attribute is not in the aliases
+        """
+        _method_name = 'get_wlst_attribute_type'
+        self._logger.entering(str_helper.to_string(location), wlst_attribute_name,
+                              class_name=self._class_name, method_name=_method_name)
+
+        result = None
+        if wlst_attribute_name not in AliasEntries.IGNORE_FOR_MODEL_LIST:
+            # WLST online has dual attributes for passwords of the form Foo and FooEncrypted.
+            # Since the aliases don't include the Foo form, allow this method to return None
+            # for the type, which indicates that the attribute was not found in the aliases.
+            #
+            module_folder = dict()
+            try:
+                module_folder = self._alias_entries.get_dictionary_for_location(location)
+            except AliasException, ae:
+                self._raise_exception(ae, _method_name, 'WLSDPLY-19046',
+                                      location.get_current_model_folder(), location.get_folder_path(),
+                                      ae.getLocalizedMessage())
+
+            if ATTRIBUTES not in module_folder:
+                ex = exception_helper.create_alias_exception('WLSDPLY-08418', wlst_attribute_name,
+                                                             location.get_folder_path())
+                self._logger.throwing(ex, class_name=self._class_name, method_name=_method_name)
+                raise ex
+
+            for key, value in module_folder[ATTRIBUTES].iteritems():
+                if WLST_NAME in value and value[WLST_NAME] == wlst_attribute_name:
+                    if WLST_TYPE in value:
+                        result = value[WLST_TYPE]
+                    else:
+                        ex = exception_helper.create_alias_exception('WLSDPLY-08419',location.get_folder_path(),
+                                                                     wlst_attribute_name, WLST_TYPE)
+                        self._logger.throwing(ex, class_name=self._class_name, method_name=_method_name)
+                        raise ex
+                    break
+
+        self._logger.exiting(class_name=self._class_name, method_name=_method_name, result=result)
+        return result
+
     ###########################################################################
     #                    Model folder-related methods                         #
     ###########################################################################
@@ -1064,6 +1110,9 @@ def get_model_uses_path_tokens_attribute_names(self, location, only_readable=Fal
             self._raise_exception(ae, _method_name, 'WLSDPLY-19030', location.get_current_model_folder(),
                                   location.get_folder_path(), ae.getLocalizedMessage())
 
+    # Although the wlst_attribute_value may be a password field, logging it is probably OK since the password is
+    # encrypted, just like it is in config.xml.
+    #
     def get_model_attribute_name_and_value(self, location, wlst_attribute_name, wlst_attribute_value):
         """
         Returns the model attribute name and value for the specified WLST attribute name and value.
@@ -1114,10 +1163,14 @@ def get_model_attribute_name_and_value(self, location, wlst_attribute_name, wlst
                     default_value = alias_utils.replace_tokens_in_path(location, default_value)
 
                 if model_type == 'password':
+                    # WDT doesn't really understand PyArray so convert it to a string before proceeding.
+                    if isinstance(wlst_attribute_value, array.array):
+                        wlst_attribute_value = wlst_attribute_value.tostring()
+
                     if string_utils.is_empty(wlst_attribute_value) or converted_value == default_value:
                         model_attribute_value = None
                     else:
-                        model_attribute_value = PASSWORD_TOKEN
+                        model_attribute_value = wlst_attribute_value
 
                 elif model_type == 'boolean':
                     # some boolean attributes have WLST value of null until they are set

core/src/main/python/wlsdeploy/tool/discover/common_resources_discoverer.py

@@ -300,7 +300,7 @@ def get_mail_sessions(self):
                     mail_session_result = result[mail_session]
                     location.add_name_token(name_token, mail_session)
                     self._populate_model_parameters(mail_session_result, location)
-                    _fix_passwords_in_mail_session_properties(mail_session_result)
+                    self._fix_passwords_in_mail_session_properties(mail_session_result)
                     location.remove_name_token(name_token)
 
         _logger.exiting(class_name=_class_name, method_name=_method_name, result=model_top_folder_name)
@@ -605,18 +605,18 @@ def _get_named_resources(self, folder_name):
         _logger.exiting(class_name=_class_name, method_name=_method_name, result=model_top_folder_name)
         return model_top_folder_name, result
 
-
-def _fix_passwords_in_mail_session_properties(mail_session_dict):
-    """
-    Look for password properties in the mail session properties string, and replace the password with a fix me token.
-    :param mail_session_dict: containing the discovered mail session attributes
-    """
-    match_pattern = r'mail\.\w*\.?password'
-    if model_constants.MAIL_SESSION_PROPERTIES in mail_session_dict:
-        # alias framework has converted properties to a dictionary by this point
-        properties_dict = mail_session_dict[model_constants.MAIL_SESSION_PROPERTIES]
-        for property_name in properties_dict:
-            property_value = properties_dict[property_name]
-            is_tokenized = property_value.startswith('@@')
-            if StringUtils.matches(match_pattern, property_name) and not is_tokenized:
-                properties_dict[property_name] = PASSWORD_TOKEN
+    def _fix_passwords_in_mail_session_properties(self, mail_session_dict):
+        """
+        Look for password properties in the mail session properties string, and replace the password with a fix me token.
+        :param mail_session_dict: containing the discovered mail session attributes
+        """
+        match_pattern = r'mail\.\w*\.?password'
+        if model_constants.MAIL_SESSION_PROPERTIES in mail_session_dict and \
+                not self._model_context.is_discover_passwords():
+            # alias framework has converted properties to a dictionary by this point
+            properties_dict = mail_session_dict[model_constants.MAIL_SESSION_PROPERTIES]
+            for property_name in properties_dict:
+                property_value = properties_dict[property_name]
+                is_tokenized = property_value.startswith('@@')
+                if StringUtils.matches(match_pattern, property_name) and not is_tokenized:
+                    properties_dict[property_name] = PASSWORD_TOKEN