Ensure that secret names follow established rules (#718)

* Ensure that secret names follow established rules; avoid chmod on Windows

* Remove ServerStart from Server and ServerTemplate in filters

Author: rakillen

core/src/main/java/oracle/weblogic/deploy/util/FileUtils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2019, Oracle Corporation and/or its affiliates.  All rights reserved.
+ * Copyright (c) 2017, 2020, Oracle Corporation and/or its affiliates.  All rights reserved.
  * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
  */
 package oracle.weblogic.deploy.util;
@@ -831,6 +831,8 @@ static Set<PosixFilePermission> getPermissions(int octals) {
      * @throws IOException if permissions update fails
      */
     public static void chmod(String path, int octals) throws IOException {
-        Files.setPosixFilePermissions(Paths.get(path), getPermissions(octals));
+        if(!WINDOWS) {
+            Files.setPosixFilePermissions(Paths.get(path), getPermissions(octals));
+        }
     }
 }

core/src/main/python/wlsdeploy/util/target_configuration_helper.py

@@ -136,8 +136,7 @@ def generate_k8s_script(model_context, token_dictionary, model_dictionary):
             continue
 
         user_name = find_user_name(property_name, model_dictionary)
-        secret_names = property_name.lower().split('.')
-        secret_name = '-'.join(secret_names[:-1])
+        secret_name = _create_secret_name(property_name)
 
         if user_name is None:
             message = exception_helper.get_message("WLSDPLY-01663", PASSWORD_TAG, secret_name)
@@ -155,6 +154,7 @@ def generate_k8s_script(model_context, token_dictionary, model_dictionary):
     k8s_script.close()
     FileUtils.chmod(k8s_file, 0750)
 
+
 def format_as_secret_token(variable_name, target_config):
     """
     Format the variable as a secret name token for use in a model.
@@ -176,8 +176,9 @@ def format_as_secret_token(variable_name, target_config):
                 return '@@SECRET:%s:%s@@' % (secret_name, admin_token)
 
     # for paired and single secrets, password key is always named "password"
-    secret_name = "password"
-    return normal_secret_format % ('-'.join(name_lower_tokens[:-1]), secret_name)
+    secret_key = "password"
+    secret_name = _create_secret_name(variable_name)
+    return normal_secret_format % (secret_name, secret_key)
 
 
 def get_secret_name_for_location(location, domain_uid, aliases):
@@ -190,8 +191,8 @@ def get_secret_name_for_location(location, domain_uid, aliases):
     :return: the secret name
     """
     variable_name = variable_injector_functions.format_variable_name(location, '(none)', aliases)
-    name_lower_tokens = variable_name.lower().split('.')
-    return domain_uid + '-' + '-'.join(name_lower_tokens[:-1])
+    secret_name = _create_secret_name(variable_name)
+    return domain_uid + '-' + secret_name
 
 
 def create_additional_output(model, model_context, aliases, exception_type):
@@ -243,6 +244,27 @@ def find_user_name(property_name, model_dictionary):
     return None
 
 
+def _create_secret_name(variable_name):
+    """
+    Return the secret name derived from the specified property variable name.
+    Skip the last element of the variable name, which corresponds to the attribute.
+    Follow limitations for secret names: only alphanumeric and "-", must start and end with alphanumeric.
+    For example, "JDBC.Generic1.PasswordEncrypted" becomes "jdbc-generic1".
+    :param variable_name: the variable name to be converted
+    :return: the derived secret name
+    """
+    variable_keys = variable_name.lower().split('.')
+    secret_keys = []
+    for variable_key in variable_keys[:-1]:
+        secret_key = re.sub('[^a-z0-9-]', '-', variable_key)
+        secret_keys.append(secret_key)
+
+    # rejoin with hyphens, remove leading and trailing hyphens from final name.
+    # if empty, just return "x".
+    secret = '-'.join(secret_keys).strip('-')
+    return secret or 'x'
+
+
 def _is_paired_secret(property_name):
     """
     Determine if the property name is part of a paired secret with .username and .password .

core/src/main/targetconfigs/k8s/k8s_operator_filter.py

@@ -38,7 +38,7 @@ def __cleanup_topology(model):
         if topology.has_key('Server'):
             servers = topology['Server']
             for server in servers:
-                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled']:
+                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled', 'ServerStart']:
                     if servers[server].has_key(delthis):
                         del servers[server][delthis]
 
@@ -53,6 +53,9 @@ def __cleanup_topology(model):
             server_templates = topology['ServerTemplate']
             for server_template in server_templates:
                 server_templates[server_template]['AutoMigrationEnabled'] = False
+                for delthis in ['ServerStart']:
+                    if server_templates[server_template].has_key(delthis):
+                        del server_templates[server_template][delthis]
         else:
             topology['ServerTemplate'] = {}
             server_templates = topology['ServerTemplate']

core/src/main/targetconfigs/vz/vz_filter.py

@@ -42,7 +42,7 @@ def __cleanup_topology(model):
         if topology.has_key('Server'):
             servers = topology['Server']
             for server in servers:
-                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled']:
+                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled', 'ServerStart']:
                     if servers[server].has_key(delthis):
                         del servers[server][delthis]
 
@@ -57,6 +57,9 @@ def __cleanup_topology(model):
             server_templates = topology['ServerTemplate']
             for server_template in server_templates:
                 server_templates[server_template]['AutoMigrationEnabled'] = False
+                for delthis in ['ServerStart']:
+                    if server_templates[server_template].has_key(delthis):
+                        del server_templates[server_template][delthis]
         else:
             topology['ServerTemplate'] = {}
             server_templates = topology['ServerTemplate']

core/src/main/targetconfigs/wko/wko_operator_filter.py

@@ -38,7 +38,7 @@ def __cleanup_topology(model):
         if topology.has_key('Server'):
             servers = topology['Server']
             for server in servers:
-                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled']:
+                for delthis in ['Machine', 'CandidateMachine', 'AutoMigrationEnabled', 'ServerStart']:
                     if servers[server].has_key(delthis):
                         del servers[server][delthis]
 
@@ -53,6 +53,9 @@ def __cleanup_topology(model):
             server_templates = topology['ServerTemplate']
             for server_template in server_templates:
                 server_templates[server_template]['AutoMigrationEnabled'] = False
+                for delthis in ['ServerStart']:
+                    if server_templates[server_template].has_key(delthis):
+                        del server_templates[server_template][delthis]
         else:
             topology['ServerTemplate'] = {}
             server_templates = topology['ServerTemplate']

core/src/test/python/target_configuration_helper_test.py

@@ -52,5 +52,19 @@ def testSecretWithoutWlsCredName(self):
         self.assertEqual('@@SECRET:@@ENV:DOMAIN_UID@@-something:password@@',
                          HELPER.format_as_secret_token('something.else', self.target_with_cred_name))
 
+
+    def testCreateSecretName(self):
+        self.assertEqual('jdbc-generic1', HELPER._create_secret_name('JDBC.Generic1.PasswordEncrypted'))
+
+        self.assertEqual('jdbc--weblogic--credentials',
+                         HELPER._create_secret_name('JDBC.(WebLogic)-credentials.PasswordEncrypted'))
+
+        self.assertEqual('jdbc--why', HELPER._create_secret_name('JDBC.-why?-.PasswordEncrypted'))
+
+        self.assertEqual('jdbc-abc', HELPER._create_secret_name('-JDBC.abc-.PasswordEncrypted'))
+
+        self.assertEqual('x', HELPER._create_secret_name('--??!!'))
+
+
 if __name__ == '__main__':
     unittest.main()