From 34746c0ba46a75c3acf88196d6db76066fff6cc2 Mon Sep 17 00:00:00 2001
From: Dougal Matthews <dougal@redhat.com>
Date: Wed, 02 Nov 2016 12:07:56 +0000
Subject: [PATCH] Fix password handling for users upgrading from Mitaka

In Newton we moved the password generation to a Mistral workflow and the
passwords are stored in the Mistral environment. However, when a user is
upgrading from Mitaka the passwords are stored in a file named
tripleo-overcloud-passwords. We need to use these passwords in preference of
the passwords stored in the Mistral env. If we don't, when the upgrading user
starts a new deployment the passwords will be changed for all services
to hew new passwords generted in the plan. This is only needed to help users
upgrade, once Ocata has been released this workaround should be removed.

We use a flag in the Mistral environment to make sure we only ever
upload these passwords once. Otherwise we would continue to do this on
every deploy if the file isn't removed.

Closes-Bug: #1638003
Change-Id: I3363beeeee50867352a1c54060ff091f31dfbdb4
---

diff --git a/tripleoclient/tests/fakes.py b/tripleoclient/tests/fakes.py
index 5e92f56..8ad5862 100644
--- a/tripleoclient/tests/fakes.py
+++ b/tripleoclient/tests/fakes.py
@@ -46,7 +46,8 @@
 
     def wait_for_message(self, execution_id):
         return {
-            'status': 'SUCCESS'
+            'status': 'SUCCESS',
+            'message': 'Done',
         }
 
     def __enter__(self):
diff --git a/tripleoclient/utils.py b/tripleoclient/utils.py
index e977c7f..f287ba7 100644
--- a/tripleoclient/utils.py
+++ b/tripleoclient/utils.py
@@ -39,6 +39,43 @@
 from tripleoclient import exceptions
 from tripleoclient.workflows import parameters
 
+# NOTE(d0ugal):  This password mapping should be removed before Ocata is
+# released. It is used for upgrade code in generate_overcloud_passwords below.
+__PASSWORD_NAME_MAPPING = {
+    'NEUTRON_METADATA_PROXY_SHARED_SECRET': 'NeutronMetadataProxySharedSecret',
+    'OVERCLOUD_ADMIN_PASSWORD': 'AdminPassword',
+    'OVERCLOUD_ADMIN_TOKEN': 'AdminToken',
+    'OVERCLOUD_AODH_PASSWORD': 'AodhPassword',
+    'OVERCLOUD_BARBICAN_PASSWORD': 'BarbicanPassword',
+    'OVERCLOUD_CEILOMETER_PASSWORD': 'CeilometerPassword',
+    'OVERCLOUD_CEILOMETER_SECRET': 'CeilometerMeteringSecret',
+    'OVERCLOUD_CEPH_ADMIN_KEY': 'CephAdminKey',
+    'OVERCLOUD_CEPH_CLIENT_KEY': 'CephClientKey',
+    'OVERCLOUD_CEPH_MON_KEY': 'CephMonKey',
+    'OVERCLOUD_CEPH_RGW_KEY': 'CephRgwKey',
+    'OVERCLOUD_CINDER_PASSWORD': 'CinderPassword',
+    'OVERCLOUD_GLANCE_PASSWORD': 'GlancePassword',
+    'OVERCLOUD_GNOCCHI_PASSWORD': 'GnocchiPassword',
+    'OVERCLOUD_HAPROXY_STATS_PASSWORD': 'HAProxyStatsPassword',
+    'OVERCLOUD_HEAT_PASSWORD': 'HeatPassword',
+    'OVERCLOUD_HEAT_STACK_DOMAIN_PASSWORD': 'HeatStackDomainAdminPassword',
+    'OVERCLOUD_IRONIC_PASSWORD': 'IronicPassword',
+    'OVERCLOUD_KEYSTONE_CREDENTIALS_0': 'KeystoneCredential0',
+    'OVERCLOUD_KEYSTONE_CREDENTIALS_1': 'KeystoneCredential1',
+    'OVERCLOUD_MANILA_PASSWORD': 'ManilaPassword',
+    'OVERCLOUD_MISTRAL_PASSWORD': 'MistralPassword',
+    'OVERCLOUD_MYSQL_CLUSTERCHECK_PASSWORD': 'MysqlClustercheckPassword',
+    'OVERCLOUD_NEUTRON_PASSWORD': 'NeutronPassword',
+    'OVERCLOUD_NOVA_PASSWORD': 'NovaPassword',
+    'OVERCLOUD_RABBITMQ_PASSWORD': 'RabbitPassword',
+    'OVERCLOUD_REDIS_PASSWORD': 'RedisPassword',
+    'OVERCLOUD_SAHARA_PASSWORD': 'SaharaPassword',
+    'OVERCLOUD_SWIFT_HASH': 'SwiftHashSuffix',
+    'OVERCLOUD_SWIFT_PASSWORD': 'SwiftPassword',
+    'OVERCLOUD_TROVE_PASSWORD': 'TrovePassword',
+    'OVERCLOUD_ZAQAR_PASSWORD': 'ZaqarPassword',
+}
+
 
 def generate_overcloud_passwords(clients, plan_name):
     """Retrieve passwords needed for the overcloud
@@ -46,11 +83,84 @@
     This will retrieve the set of passwords required by the overcloud stored
     in the deployment plan and accessible via a workflow.
     """
+
+    log = logging.getLogger(__name__ + ".generate_overcloud_passwords")
+
     workflow_input = {
         "container": plan_name,
         "queue_name": str(uuid.uuid4()),
     }
-    return parameters.get_overcloud_passwords(clients, **workflow_input)
+    passwords = parameters.get_overcloud_passwords(clients, **workflow_input)
+
+    # NOTE(d0ugal): If the user has a tripleo-overcloud-passwords file, then
+    # they must be upgrading from Mitaka. In Newton we no longer generate this
+    # file, and the passwords are generated and stored within the Mistral
+    # workflows/actions. However, if this file does exist, it will contain the
+    # passwords for the already deployed Heat stack. We then need to prefer
+    # these passwords over the passwords in Mistral. If we don't, when a new
+    # deployment is made the passwords generated in the plan will be used.
+
+    password_file = "tripleo-overcloud-passwords"
+
+    if not os.path.isfile(password_file):
+        # There is no password file, so we can just return the Mistral
+        # passwords. We are not upgrading.
+        return passwords
+
+    # The following steps here are the workaround and should be removed before
+    # Ocata is released.
+
+    with open(password_file) as f:
+        stored_passwords = dict(line.split("=", 1) for line in
+                                f.read().splitlines())
+
+    mistral = clients.workflow_engine
+    mistral_env = mistral.environments.get(plan_name)
+    mistral_passwords = mistral_env.variables.get('passwords', {})
+
+    # This flag is added to the Mistral environment so that we only pass the
+    # passwords from the tripleo-overcloud-passwords file once to Mistral.
+    has_passwords = mistral_env.variables.get('mitaka_password_upgrade', False)
+
+    for k, v in stored_passwords.items():
+        # Unfortunately in previous versions of tripleoclient, the
+        # passwords were stored with a name that was different from the Heat
+        # parameter. This means that we need to manually update the names to
+        # match the parameter.
+        if k not in __PASSWORD_NAME_MAPPING:
+            # The password OVERCLOUD_DEMO_PASSWORD is stored in the
+            # tripleo-overcloud-passwords file. However, it doesn't map to a
+            # Heat parameter. If that, or any others we don't know come up,
+            # ignore them but log a warning.
+            log.info((
+                "Unrecognised password '%s' found in the file "
+                "'tripleo-overcloud-passwords'. This password will not be "
+                "automatically migrated to the deployment plan.") % k)
+            continue
+
+        heat_param_name = __PASSWORD_NAME_MAPPING[k]
+
+        passwords[heat_param_name] = v
+
+        # The passwords generted by Mistral are stored in the Mistral
+        # environment in two places, to avoid them being deleted by mistake.
+        # This means that, unfortunately, we need to both manually patch the
+        # passwords and pass them as normal Heat parameters. Everything will
+        # then be in sync.
+        mistral_passwords[heat_param_name] = v
+
+    # If Mistral already has the passwords from tripleo-overcloud-passwords,
+    # we don't want to send them again.
+    if has_passwords:
+        return passwords
+
+    # Save the manually updated Mistral environment.
+    mistral_env.variables['passwords'] = mistral_passwords
+    mistral_env.variables['mitaka_password_upgrade'] = True
+    mistral.environments.update(
+        name=plan_name, variables=mistral_env.variables)
+
+    return passwords
 
 
 def bracket_ipv6(address):
diff --git a/tripleoclient/v1/overcloud_deploy.py b/tripleoclient/v1/overcloud_deploy.py
index 6389c49..e2bfa9b 100644
--- a/tripleoclient/v1/overcloud_deploy.py
+++ b/tripleoclient/v1/overcloud_deploy.py
@@ -1100,6 +1100,13 @@
         orchestration_client = clients.orchestration
 
         stack = utils.get_stack(orchestration_client, parsed_args.stack)
+        stack_create = stack is None
+
+        if not stack_create:
+            # NOTE(d0ugal): For Mitaka -> Newton upgrades we need to run some
+            # legacy password handling that uploads passwords stored locally to
+            # Mistral. This can be removed before Ocata is released.
+            utils.generate_overcloud_passwords(clients, parsed_args.stack)
 
         parameters = self._update_parameters(
             parsed_args, clients.network, stack)
@@ -1124,7 +1131,6 @@
             self.log.info("SUCCESS: No warnings or errors in deploy "
                           "configuration, proceeding.")
 
-        stack_create = stack is None
         if stack_create:
             self.log.info("No stack found, will be doing a stack create")
         else: