Decrypting Dialog Fields


#1

Is there a standard way to decrypt protected text box fields in service dialogs? MiqPassword doesn’t seem to be available within automate, and dialog_parser doesn’t seem to decrypt these fields. I suppose I could require miq-password using its full path, but I’d rather not do that if it’s possible to avoid it.

Thanks


#2

Hi @01100010011001010110

https://pemcg.gitbooks.io/mastering-automation-in-cloudforms-4-2-and-manage/content/using_schema_variables/chapter.html

password   = $evm.object.decrypt('password')

#3

@01100010011001010110
Looks like there is no way to decrypt protected dialog fields :joy: I want to raise a related BZ. Crazy developers…


#4

@01100010011001010110

$LOAD_PATH.unshift('/var/www/miq/vmdb/gems/pending')
require 'util/miq-password'
MiqPassword::decrypt(enc_local_admin_password) 

Undocumented way to do this.


#5

Still way better than requiring the miq-password gem using the fully qualified path, which is what I had been doing, thank you. Unsure if this is still an issue in Gapri?


#6

There is a BZ hidden from the world, and I am currently discussing this with RH Tech Support.


#7

Can’t you use something like:

$evm.root.decrypt('dialog_my_password')

?


#8

@pemcg
Hi Peter

dialog_my_password is present in $evm.root['miq_provision'].get_option('dialog_my_password'), so it looks like I cannot access it directly from root with $evm.root.decrypt('dialog_my_password')?


#9

Why don’t you try saving the password to a variable and calling decrypt on it? Something like

encrypted_password = $evm.root['miq_provision'].get_option('dialog_my_password')
password = $evm.root.decrypt(encrypted_password)

or you can make it a one-liner without using the variable (substituting encrypted_variable).


#10

@xian @pemcg

From @tinaafitz post about this:

The method validates the <attribute_name> is a “password” datatype before any decryption can be done.

#11

Aah, ok, I think the problem is that you’re trying to decrypt the password in the VM provision state machine, and the password value here is a “v2:{O3tPHdsg…” style string. You need MiqPassword::decrypt to be able to decrypt this as you’ve discovered.

If you are able to decrypt the string in the service provision state machine, the password object is copied to $evm.root (along with the ‘_id’ string equivalent), i.e.

 |    $evm.root['dialog_option_0_root_password'] = ********   (type: String)
 |    $evm.root['dialog_option_0_root_password_id'] = v2:{O3tPHdsgSh....   (type: String)

You’d be able to decrypt this using $evm.root.decrypt('dialog_option_0_root_password')

Cheers,
pemcg


#12

I discovered yesterday (thanks @bevans!) that all you need is a require 'miq-password'. For example you can use the following to decrypt a password from the VM provision state machine:

require 'miq-password'
prov = $evm.root['miq_provision']
root_password_decrypted = MiqPassword.decrypt(prov.get_option(:"password::root_password"))

Hope this helps,
pemcg


#13

Hi @pemcg

Thank you for the investigation. Can you please also explain what the difference is between the get_option("root_password") and get_option(:"password::root_password") notations?


#14

That was how the field appeared in the options hash:

|    $evm.root['miq_provision'].options[:password::dialog_root_password] = v2:{O3tPHdsg...}   (type: String)
|    $evm.root['miq_provision'].options[:password::root_password] = v2:{O3tPHdsg...}   (type: String)

#15

@pemcg Thank you again. As a result, I am using a password field to configure Oracle sys through Ansible Tower, and I want to change the launch_ansible_job method to the following:

def ansible_vars_from_options(ext_vars)
  options = @handle.root["miq_provision"].try(:options) || {}
  options.each_with_object(ext_vars) do |(key, value), hash|
    match_data = ANSIBLE_DIALOG_VAR_REGEX.match(key.to_s)
    if match_data
      # Decrypt only fields whose dialog variable name contains 'password'
      if match_data[1].include? 'password'
        require 'miq-password'
        # Inline rescue: if decryption fails, the original value is passed on
        value = MiqPassword::decrypt(value) rescue value
      end
      hash[match_data[1]] = value
    end
  end
end

right ?
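
Added example (not code from this thread or from ManageIQ): a variant of the method in #15 that selects protected fields by the `password::` key prefix and the `v2:{...}` wrapper shown in #14 instead of a substring match, raises rather than forwarding ciphertext, and builds a masked copy for logging. The `dialog_param_` key layout, both regexes, the sample hash and the stand-in decryptor are assumptions; on an appliance the decryptor would be `MiqPassword.method(:decrypt)` after `require 'miq-password'`.

```ruby
# Hypothetical names throughout; nothing here is ManageIQ API.
DIALOG_VAR = /\A(password::)?dialog_param_(.+)\z/ # assumed option key layout
ENCRYPTED  = /\Av2:\{[^}]+\}\z/                   # "v2:{...}" wrapper seen in the thread

# Build Ansible extra_vars from a provision options hash.
# `decryptor` is any callable that turns a v2 string into plaintext.
def ansible_vars_from_options(options, decryptor)
  options.each_with_object({}) do |(key, value), vars|
    m = DIALOG_VAR.match(key.to_s) or next  # skip non-dialog options
    if m[1]                                 # key carries the password:: prefix
      # Fail closed: never hand ciphertext or an unexpected value to the job.
      unless value.to_s.match?(ENCRYPTED)
        raise ArgumentError, "#{m[2]}: expected a v2:{...} string"
      end
      value = decryptor.call(value)
    end
    vars[m[2]] = value
  end
end

# Copy that is safe to write to the automation log: protected fields masked.
def redacted(options)
  options.to_h { |k, v| [k, k.to_s.start_with?('password::') ? '********' : v] }
end

# Constructed stand-in for MiqPassword.decrypt: Base64 inside the v2 wrapper.
# It only imitates the string shape, not the real encryption.
STAND_IN_DECRYPT = ->(s) { s[4..-2].unpack1('m') }

# Constructed sample input.
SAMPLE_OPTIONS = {
  :vm_name                              => 'db01',
  :dialog_param_sid                     => 'ORCL',
  :"password::dialog_param_sys_password" => "v2:{#{['s3cret'].pack('m0')}}"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts redacted(SAMPLE_OPTIONS).inspect
  puts ansible_vars_from_options(SAMPLE_OPTIONS, STAND_IN_DECRYPT).keys.inspect
end
```

Deciding on the key prefix avoids decrypting an unprotected field that merely has "password" in its name, and raising on a failed check keeps an encrypted string from being set as the Oracle sys password.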