Wdt compare model security providers (#901)

* WDT-561 compare block of security providers

* Custom security providers attributes comparison

* correct comments for new methods and files

Author: CarolynRountree

core/src/main/python/wlsdeploy/tool/compare/model_comparer.py

@@ -2,6 +2,7 @@
 Copyright (c) 2021, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
+from java.util import Properties
 
 from oracle.weblogic.deploy.aliases import AliasException
 from oracle.weblogic.deploy.util import PyOrderedDict
@@ -65,15 +66,76 @@ def _compare_folders(self, current_folder, past_folder, location, attributes_loc
 
         # determine if the specified location has named folders, such as topology/Server
         has_named_folders = False
+        has_security = False
         if (location is not None) and not self._aliases.is_artificial_type_folder(location):
-            has_named_folders = self._aliases.supports_multiple_mbean_instances(location) or \
-                                self._aliases.requires_artificial_type_subfolder_handling(location)
+            if self._aliases.supports_multiple_mbean_instances(location):
+                has_named_folders = True
+            elif self._aliases.requires_artificial_type_subfolder_handling(location):
+                has_security = True
 
         if has_named_folders:
             return self._compare_named_folders(current_folder, past_folder, location, attributes_location)
+        elif has_security:
+            return self._compare_security_folders(current_folder, past_folder, location, attributes_location)
         else:
             return self._compare_folder_contents(current_folder, past_folder, location, attributes_location)
 
+    def _compare_security_folders(self, current_folder, past_folder, location, attributes_location):
+        """
+        Compare current and past security configuration provider section. If a provider section has an entry
+        that is different from the original, the entire provider section will be returned as differences between
+        the two folders.
+        :param current_folder: a folder in the current model
+        :param past_folder: corresponding folder in the past model
+        :param location: the location for the specified folders
+        :param attributes_location: the attribute location for the specified folders
+        :return: a dictionary of differences between these folders
+        """
+        providers = self._aliases.get_model_subfolder_names(location)
+        matches = True
+        custom = True
+        if len(current_folder) == len(past_folder):
+            curr_keys = current_folder.keys()
+            past_keys = past_folder.keys()
+            idx = 0
+            while idx < len(curr_keys):
+                if curr_keys[idx] == past_keys[idx]:
+                    custom = curr_keys[idx] not in providers
+                    next_curr_folder = current_folder[curr_keys[idx]]
+                    next_curr_keys = next_curr_folder.keys()
+                    next_past_folder = past_folder[past_keys[idx]]
+                    next_past_keys = next_past_folder.keys()
+                    next_idx = 0
+                    while next_idx < len(next_curr_keys):
+                        if next_curr_keys[next_idx] == next_past_keys[next_idx]:
+                            if custom:
+                                changes = self._compare_folder_sc_contents(next_curr_folder, next_past_folder,
+                                                                           location, attributes_location)
+                            else:
+                                changes = self._compare_folder_contents(next_curr_folder, next_past_folder,
+                                                                        location, attributes_location)
+                            if changes:
+                                matches = False
+                                break
+                        else:
+                            matches = False
+                            break
+                        next_idx +=1
+                else:
+                    matches = False
+                    break
+                idx +=1
+        else:
+            matches = False
+        if matches is False:
+            self._messages.add(('WLSDPLY-05716', location.get_folder_path()))
+            comment = "Replace entire Security Provider section "
+            new_folder = PyOrderedDict()
+            _add_comment(comment, new_folder)
+            new_folder.update(current_folder)
+            return new_folder
+        return PyOrderedDict()
+
     def _compare_named_folders(self, current_folder, past_folder, location, attributes_location):
         """
         Compare current and past named folders using the specified locations.
@@ -113,6 +175,46 @@ def _compare_named_folders(self, current_folder, past_folder, location, attribut
 
         return change_folder
 
+    def _compare_folder_sc_contents(self, current_folder, past_folder, location, attributes_location):
+        """
+        Compare the contents of current and past folders, looking at attribute changes for a security provider.
+        Return any changes so that calling routine will know changes occurred and the entire section will
+        of the current folder will be marked as changed.
+        :param current_folder: a folder in the current model
+        :param past_folder: corresponding folder in the past model
+        :param location: the location for the specified folders
+        :param attributes_location: the attribute location for the specified folders
+        :return: a dictionary of differences between these folders
+        """
+        change_folder = PyOrderedDict()
+
+        # check if keys in the current folder are present in the past folder
+        for key in current_folder:
+            if not self._check_key(key, location):
+                continue
+
+            if key in past_folder:
+                current_value = current_folder[key]
+                past_value = past_folder[key]
+
+                self._compare_attribute_sc(current_value, past_value, attributes_location, key, change_folder)
+
+            else:
+                # key is present the current folder, not in the past folder.
+                # just add to the change folder, no further recursion needed.
+                change_folder[key] = current_folder[key]
+
+        # check if keys in the past folder are not in the current folder
+        for key in past_folder:
+            if not self._check_key(key, location):
+                continue
+
+            if key not in current_folder:
+                change_folder[key] = past_folder[key]
+
+        self._finalize_folder(current_folder, past_folder, change_folder, location)
+        return change_folder
+
     def _compare_folder_contents(self, current_folder, past_folder, location, attributes_location):
         """
         Compare the contents of current and past folders using the specified locations.
@@ -197,6 +299,38 @@ def _get_next_location(self, location, key):
 
         return next_location, next_attributes_location
 
+    def _compare_attribute_sc(self, current_value, past_value, location, key, change_folder):
+        """
+        Compare values of an attribute from the current and past folders.
+        The changed value will signal the calling method that the entire new
+        :param current_value: the value from the current model
+        :param past_value: the value from the past model
+        :param key: the key of the attribute
+        :param change_folder: the folder in the change model to be updated
+        :param location: the location for attributes in the specified folders
+        """
+        if current_value != past_value:
+            if type(current_value) == list:
+                current_list = list(current_value)
+                previous_list = list(past_value)
+
+                change_list = list(previous_list)
+                for item in current_list:
+                    if item in previous_list:
+                        change_list.remove(item)
+                    else:
+                        change_list.append(item)
+                for item in previous_list:
+                    if item not in current_list:
+                        change_list.remove(item)
+                        change_list.append(model_helper.get_delete_name(item))
+
+            elif isinstance(current_value, Properties):
+                self._compare_properties(current_value, past_value, key, change_folder)
+
+            else:
+                change_folder[key] = current_value
+
     def _compare_attribute(self, current_value, past_value, location, key, change_folder):
         """
         Compare values of an attribute from the current and past folders.
@@ -278,16 +412,6 @@ def _check_key(self, key, location):
         if (location is None) and (key == KUBERNETES):
             self._logger.info('WLSDPLY-05713', KUBERNETES, class_name=self._class_name, method_name=_method_name)
             return False
-        try:
-            if (location is not None) and (not self._aliases.is_artificial_type_folder(location)) and \
-                    (self._aliases.requires_artificial_type_subfolder_handling(location)):
-                providers = self._aliases.get_model_subfolder_names(location)
-                if key not in providers:
-                    self._logger.warning('WLSDPLY-05716', key,
-                                         class_name=self._class_name, method_name=_method_name)
-                    return False
-        except AliasException:
-            return True
         return True
 
     def _finalize_folder(self, current_folder, past_folder, change_folder, location):

core/src/main/resources/oracle/weblogic/deploy/messages/wlsdeploy_rb.properties

@@ -498,8 +498,9 @@ WLSDPLY-05712=Unrecognized token {0} in path {1}
 WLSDPLY-05713=Model section {0} will not be compared
 WLSDPLY-05714={0} is unchanged, but required if other changes are present
 WLSDPLY-05715=There are {0} attributes that only exist in the previous model, see {1}
-WLSDPLY-05716=Model Security Configuration section contains a custom security provider {0}. The compare model cannot compare \
-  a custom security provider and the section will not be included in the diffed model.
+WLSDPLY-05716=The Security Configuration Provider at location {0} has a difference and the current \
+    provider(s) will replace the previous provider(s) 
+
 
 # prepare_model.py
 WLSDPLY-05801=Error in prepare model {0}

core/src/test/python/compare_model_test.py

@@ -122,11 +122,11 @@ def testCompareModelFull(self):
 
         self.assertEqual(return_code, 0)
 
-    def testCompareModelSecurityConfiguration(self):
-        _method_name = 'testCompareModelSecurityConfiguration'
+    def testCompareModelSecurityConfigurationAttribute(self):
+        _method_name = 'testCompareModelSecurityConfigurationAttribute'
 
-        _new_model_file = self._resources_dir + '/compare/model-a-old.yaml'
-        _old_model_file = self._resources_dir + '/compare/model-a-new.yaml'
+        _new_model_file = self._resources_dir + '/compare/model-sc1-new.yaml'
+        _old_model_file = self._resources_dir + '/compare/model-sc1-old.yaml'
         _temp_dir = os.path.join(tempfile.gettempdir(), _method_name)
 
         if os.path.exists(_temp_dir):
@@ -158,6 +158,7 @@ def testCompareModelSecurityConfiguration(self):
             self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm'].has_key('myrealm'), True)
             self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('Auditor'), False)
             self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('AuthenticationProvider'), True)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('PasswordValidator'), False)
 
         except (CompareException, PyWLSTException), te:
             return_code = 2
@@ -170,6 +171,54 @@ def testCompareModelSecurityConfiguration(self):
 
         self.assertEqual(return_code, 0)
 
+    def testCompareModelSecurityConfigurationCustomList(self):
+        _method_name = 'testCompareModelSecurityConfigurationCustomList'
+
+        _new_model_file = self._resources_dir + '/compare/model-sc2-new.yaml'
+        _old_model_file = self._resources_dir + '/compare/model-sc2-old.yaml'
+        _temp_dir = os.path.join(tempfile.gettempdir(), _method_name)
+
+        if os.path.exists(_temp_dir):
+            shutil.rmtree(_temp_dir)
+
+        os.mkdir(_temp_dir)
+
+        mw_home = os.environ['MW_HOME']
+        args_map = {
+            '-oracle_home': mw_home,
+            '-output_dir' : _temp_dir,
+            '-domain_type' : 'WLS',
+            '-trailing_arguments': [ _new_model_file, _old_model_file ]
+        }
+
+        try:
+            model_context = ModelContext('CompareModelTestCase', args_map)
+            obj = ModelFileDiffer(_new_model_file, _old_model_file, model_context, _temp_dir)
+            return_code = obj.compare()
+            self.assertEqual(return_code, 0)
+
+            yaml_result = _temp_dir + os.sep + 'diffed_model.yaml'
+            json_result = _temp_dir + os.sep + 'diffed_model.json'
+            stdout_result = obj.get_compare_msgs()
+            model_dictionary = FileToPython(yaml_result).parse()
+            self.assertEqual(model_dictionary.has_key('topology'), True)
+            self.assertEqual(model_dictionary['topology'].has_key('SecurityConfiguration'), True)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration'].has_key('Realm'), True)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm'].has_key('myrealm'), True)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('Auditor'), False)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('AuthenticationProvider'), True)
+            self.assertEqual(model_dictionary['topology']['SecurityConfiguration']['Realm']['myrealm'].has_key('PasswordValidator'), True)
+        except (CompareException, PyWLSTException), te:
+            return_code = 2
+            self._logger.severe('WLSDPLY-05709',
+                                te.getLocalizedMessage(), error=te,
+                                class_name=self._program_name, method_name=_method_name)
+
+        if os.path.exists(_temp_dir):
+            shutil.rmtree(_temp_dir)
+
+        self.assertEqual(return_code, 0)
+
     def testCompareModelInvalidModel(self):
         _method_name = 'testCompareModelInvalidModel'
 

core/src/test/resources/compare/model-a-new.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) 2021, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# Changing the value of ControlFlag should cause this entire
+# AuthenticationProvider section to be included in the compare result.
+# PasswordValidator providers are identical, this section should not be in the result.
+topology:
+  SecurityConfiguration:
+    Realm:
+      myrealm:
+        # Version 1.9 should be used fixing NPE
+        AuthenticationProvider:
+          DefaultAuthenticator:
+            DefaultAuthenticator:
+              ControlFlag: REQUIRED
+          DefaultIdentityAsserter:
+            DefaultIdentityAsserter:
+              DefaultUserNameMapperAttributeType: CN
+              ActiveType: [ 'AuthenticatedUser', 'X.509' ]
+              DefaultUserNameMapperAttributeDelimiter: ','
+              UseDefaultUserNameMapper: true
+        PasswordValidator:
+          SystemPasswordValidator:
+            SystemPasswordValidator:
+              MinAlphabeticCharacters: 1
+              MinLowercaseCharacters: 1
+              MinNumericCharacters: 1
+              MaxConsecutiveCharacters: 2
+              MinNonAlphanumericCharacters: 1
+              MinUppercaseCharacters: 1
+              RejectEqualOrContainUsername: true
+              MinPasswordLength: 10
+              RejectEqualOrContainReverseUsername: true

core/src/test/resources/compare/model-a-old.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) 2021, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# Test to check default provider attribute changed in the new yaml causing the entire AuthenticationProvider
+# to be included in the diff
+# PasswordValidator providers are identical, this section should not be in the result.
+topology:
+  SecurityConfiguration:
+    Realm:
+      myrealm:
+        # Version 1.9 should be used fixing NPE
+        AuthenticationProvider:
+          DefaultAuthenticator:
+            DefaultAuthenticator:
+              ControlFlag: OPTIONAL
+          DefaultIdentityAsserter:
+            DefaultIdentityAsserter:
+              DefaultUserNameMapperAttributeType: CN
+              ActiveType: [ 'AuthenticatedUser', 'X.509' ]
+              DefaultUserNameMapperAttributeDelimiter: ','
+              UseDefaultUserNameMapper: true
+        PasswordValidator:
+          SystemPasswordValidator:
+            SystemPasswordValidator:
+              MinAlphabeticCharacters: 1
+              MinLowercaseCharacters: 1
+              MinNumericCharacters: 1
+              MaxConsecutiveCharacters: 2
+              MinNonAlphanumericCharacters: 1
+              MinUppercaseCharacters: 1
+              RejectEqualOrContainUsername: true
+              MinPasswordLength: 10
+              RejectEqualOrContainReverseUsername: true