fix(jans-pycloudlib): specify decoder to load password from file (#7300)

Signed-off-by: iromli <isman.firmansyah@gmail.com>
JanssenProject · Jan 9, 2024 · 6b0a450 · 6b0a450
1 parent a1a2e10
commit 6b0a450
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 19 deletions.
diff --git a/jans-pycloudlib/jans/pycloudlib/utils.py b/jans-pycloudlib/jans/pycloudlib/utils.py
@@ -622,13 +622,18 @@ def get_password_from_file(password_file: str) -> str:
     with open(password_file) as f:
         raw_passwd = f.read().strip()
 
-    salt_file = os.environ.get("CN_OCI_LOCK_SALT_FILE", "/etc/jans/conf/oci_lock_salt")
+    decoder = os.environ.get("CN_OCI_LOCK_DECODER", "")
+
+    # sprig-aes format
+    if decoder == "sprig-aes":
+        salt_file = os.environ.get("CN_OCI_LOCK_SALT_FILE", "/etc/jans/conf/oci_lock_salt")
+
+        if not os.path.isfile(salt_file):
+            raise RuntimeError(f"Unable to find salt file {salt_file} to decode password file {password_file}")
 
-    # probably sprig-aes format
-    if os.path.isfile(salt_file):
-        logger.info(f"Found salt file {salt_file} to decode password file {password_file}")
         with open(salt_file) as f:
             salt = f.read().strip()
+
         try:
             passwd = sprig_decrypt_aes(raw_passwd, salt).decode()
             logger.info(f"Using sprig-aes to load password from {password_file}")
@@ -638,19 +643,19 @@ def get_password_from_file(password_file: str) -> str:
                 f"(either {salt_file} or {password_file} is incompatible with sprig-aes); error={exc}"
             )
 
-    # non sprig-aes format
-    else:
+    # base64 format
+    elif decoder == "base64":
         try:
             # maybe vanilla base64
             passwd = base64.b64decode(raw_passwd).decode()
             logger.warning(f"Using base64 to load password from {password_file}")
-        except UnicodeDecodeError as exc:
-            # tried to decode from sprig-aes format
-            raise ValueError(f"Unable to load password from {password_file}; error={exc}")
-        except binascii.Error:
-            # fallback to plain text
-            passwd = raw_passwd
-            logger.warning(f"Using insecure method to load password from {password_file}")
+        except (UnicodeDecodeError, binascii.Error) as exc:
+            raise ValueError(f"Unable to load password from {password_file} using base64; error={exc}")
+
+    # other formats
+    else:
+        passwd = raw_passwd
+        logger.warning(f"Using insecure method to load password from {password_file}")
 
     # returns plain text
     return passwd.strip()
diff --git a/jans-pycloudlib/tests/test_utils.py b/jans-pycloudlib/tests/test_utils.py
@@ -255,18 +255,20 @@ def test_generate_signed_ssl_certkey(tmpdir):
     assert os.path.isfile(str(base_dir.join("my-suffix.key")))
 
 
-@pytest.mark.parametrize("key, text, decrypted_text, sprig_enabled", [
+@pytest.mark.parametrize("key, text, decrypted_text, password_fmt", [
     # sprig-aes encoded
-    ("6Jsv61H7fbkeIkRvUpnZ98fu", "ow1Ty1OZWcOm8NRF49J07F1J1+fEQNLT5BKnCGqauvU=", "S3cr3t+pass", True),
+    ("6Jsv61H7fbkeIkRvUpnZ98fu", "ow1Ty1OZWcOm8NRF49J07F1J1+fEQNLT5BKnCGqauvU=", "S3cr3t+pass", "sprig-aes"),
     # vanilla base64
-    ("6Jsv61H7fbkeIkRvUpnZ98fu", "UzNjcjN0K3Bhc3MK", "S3cr3t+pass", False),
+    ("6Jsv61H7fbkeIkRvUpnZ98fu", "UzNjcjN0K3Bhc3MK", "S3cr3t+pass", "base64"),
     # plain text
-    ("6Jsv61H7fbkeIkRvUpnZ98fu", "S3cr3t+pass", "S3cr3t+pass", False),
+    ("6Jsv61H7fbkeIkRvUpnZ98fu", "S3cr3t+pass", "S3cr3t+pass", ""),
 ])
-def test_get_password_from_file(monkeypatch, tmpdir, key, text, decrypted_text, sprig_enabled):
+def test_get_password_from_file(monkeypatch, tmpdir, key, text, decrypted_text, password_fmt):
     from jans.pycloudlib.utils import get_password_from_file
 
-    if sprig_enabled:
+    monkeypatch.setenv("CN_OCI_LOCK_DECODER", password_fmt)
+
+    if password_fmt == "sprig-aes":
         salt_file = tmpdir.join("oci_lock_salt")
         salt_file.write(key)
         monkeypatch.setenv("CN_OCI_LOCK_SALT_FILE", str(salt_file))
@@ -284,6 +286,7 @@ def test_get_password_from_file_invalid_aes(monkeypatch, tmpdir):
     salt_file = tmpdir.join("oci_lock_salt")
     salt_file.write("6Jsv61H7fbkeIkRvUpnZ98fu")
     monkeypatch.setenv("CN_OCI_LOCK_SALT_FILE", str(salt_file))
+    monkeypatch.setenv("CN_OCI_LOCK_DECODER", "sprig-aes")
 
     passwd_file = tmpdir.join("oci_lock_password")
     passwd_file.write("S3cr3t+pass")
@@ -298,6 +301,7 @@ def test_get_password_from_file_invalid_b64(monkeypatch, tmpdir):
 
     passwd_file = tmpdir.join("oci_lock_password")
     passwd_file.write("ow1Ty1OZWcOm8NRF49J07F1J1+fEQNLT5BKnCGqauvU=")
+    monkeypatch.setenv("CN_OCI_LOCK_DECODER", "base64")
 
     # ensure exception is thrown
     with pytest.raises(ValueError):