Using wrong auth encryption key can lead to data loss

Bug #1470709 reported by Sirushti Murugesan
This bug affects 1 person
Affects: OpenStack Heat
Status: Expired
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

While decrypting encrypted parameters from the database, if one uses the wrong auth encryption key, we still go ahead and update the database with the values that were decrypted using the wrong auth_encryption_key. It's non-deterministic, however, to know if the wrong auth encryption key was ever used in the first place.

[1]
def db_decrypt_parameters_and_properties(ctxt, encryption_key):
    session = get_session()

    with session.begin():
        raw_templates = session.query(models.RawTemplate).all()

        for raw_template in raw_templates:
            parameters = raw_template.environment['parameters']
            encrypted_params = raw_template.environment[
                'encrypted_param_names']
            for param_name in encrypted_params:
                decrypt_function_name = parameters[param_name][0]
                decrypt_function = getattr(crypt, decrypt_function_name)
                decrypted_val = decrypt_function(parameters[param_name][1],
                                                 encryption_key)
                try:
                    parameters[param_name] = encodeutils.safe_decode(
                        decrypted_val)
                except UnicodeDecodeError as ex:
                    # if the incorrect encryption_key was used then we can get
                    # total gibberish here and safe_decode() will freak out.
                    LOG.warn(_LW("Couldn't decrypt parameters %s"), ex)
                    parameters[param_name] = ""
            environment = raw_template.environment.copy()
            environment['encrypted_param_names'] = []
            raw_template_update(ctxt, raw_template.id,
                                {'environment': environment})
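
One way to avoid the overwrite described in this report, shown as an added example that is not Heat's code or the reporter's: authenticate each ciphertext so a wrong key is detected deterministically, and decrypt every parameter before anything is written back. The toy encrypt-then-MAC scheme, `WrongKeyError`, `decrypt_environments` and the sample row are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC scheme built from the stdlib so the example runs
# offline; it stands in for a real authenticated cipher and is not Heat's crypt.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(value, key):
    nonce = os.urandom(16)
    data = value.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

class WrongKeyError(Exception):
    """Raised when the tag does not verify, i.e. wrong key or corrupt data."""

def decrypt(token, key):
    nonce, body, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise WrongKeyError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode("utf-8")

def decrypt_environments(environments, key):
    """Return decrypted copies, or raise before any record is changed."""
    staged = []
    for env in environments:  # verify and decrypt everything first
        params = dict(env["parameters"])
        for name in env["encrypted_param_names"]:
            params[name] = decrypt(params[name], key)
        staged.append({"parameters": params, "encrypted_param_names": []})
    return staged  # the caller writes these back only after this returns

# Constructed sample row, shaped like the environment dict in the report.
GOOD_KEY = b"k" * 32
SAMPLE = [{"parameters": {"db_password": encrypt("s3cret", GOOD_KEY), "flavor": "m1.small"},
           "encrypted_param_names": ["db_password"]}]
```

With the wrong key, `decrypt_environments` raises on the first parameter and the stored ciphertext and `encrypted_param_names` list stay exactly as they were, so the operation can be retried with the correct key.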

Angus Salkeld (asalkeld)
Changed in heat:
importance: Undecided → Low
Rico Lin (rico-lin)
Changed in heat:
assignee: nobody → Rico Lin (rico-lin)
Rico Lin (rico-lin)
Changed in heat:
assignee: Rico Lin (rico-lin) → nobody
Changed in heat:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for heat because there has been no activity for 60 days.]

Changed in heat:
status: Incomplete → Expired