Decrypting Dialog Fields

Is there a standard way to decrypt protected text box fields in service dialogs? MiqPassword doesn’t seem to be available within automate, and dialog_parser doesn’t seem to decrypt these fields. I suppose I could require miq-password using its full path, but I’d rather not do that if it’s possible to avoid it.

Thanks

Hi @01100010011001010110

https://pemcg.gitbooks.io/mastering-automation-in-cloudforms-4-2-and-manage/content/using_schema_variables/chapter.html

password   = $evm.object.decrypt('password')

@01100010011001010110
Looks like there is no way to decrypt protected dialog fields :joy: I want to raise a related BZ. Crazy developers…

@01100010011001010110

$LOAD_PATH.unshift('/var/www/miq/vmdb/gems/pending')
require 'util/miq-password'
MiqPassword::decrypt(enc_local_admin_password) 

Undocumented way to do this.

Still way better than requiring the miq-password gem using the fully qualified path, which is what I had been doing, thank you. Unsure if this is still an issue in Gapri?

There is a BZ hidden from the world, and I currently have a discussion about this with RH Tech Support.

Can’t you use something like:

$evm.root.decrypt('dialog_my_password')

?

@pemcg
Hi Peter

dialog_my_password is present in $evm.root['miq_provision'].get_option('dialog_my_password'), so it looks like I cannot access it directly from root with $evm.root.decrypt('dialog_my_password')?

Why don’t you try saving the password to a variable and calling decrypt on it? Something like

encrypted_password = $evm.root['miq_provision'].get_option('dialog_my_password')
password = $evm.root.decrypt(encrypted_password)

or you can make it a one-liner without using the variable (substituting encrypted_variable).

@xian @pemcg

From @tinaafitz post about this:

The method validates the <attribute_name> is a “password” datatype before any decryption can be done.

Aah, ok, I think the problem is that you’re trying to decrypt the password in the VM provision state machine, and the password value here is a “v2:{O3tPHdsg…” style string. You need MiqPassword::decrypt to be able to decrypt this as you’ve discovered.

If you are able to decrypt the string in the service provision state machine, the password object is copied to $evm.root (along with the ‘_id’ string equivalent), i.e.

 |    $evm.root['dialog_option_0_root_password'] = ********   (type: String)
 |    $evm.root['dialog_option_0_root_password_id'] = v2:{O3tPHdsgSh....   (type: String)

You’d be able to decrypt this using $evm.root.decrypt('dialog_option_0_root_password')

Cheers,
pemcg

I discovered yesterday (thanks @bevans!) that all you need is a require 'miq-password'. For example you can use the following to decrypt a password from the VM provision state machine:

require 'miq-password'
prov = $evm.root['miq_provision']
root_password_decrypted = MiqPassword.decrypt(prov.get_option(:"password::root_password"))

Hope this helps,
pemcg

Hi @pemcg

Thank you for the investigation. Can you please also explain the difference between the get_option("root_password") and get_option(:"password::root_password") notations?

That was how the field appeared in the options hash:

|    $evm.root['miq_provision'].options[:password::dialog_root_password] = v2:{O3tPHdsg...}   (type: String)
|    $evm.root['miq_provision'].options[:password::root_password] = v2:{O3tPHdsg...}   (type: String)

@pemcg Thank you again. So, as a result, I am using a password field to configure Oracle sys through Ansible Tower, and I want to change the launch_ansible_job method to the following:

def ansible_vars_from_options(ext_vars)
  options = @handle.root["miq_provision"].try(:options) || {}
  options.each_with_object(ext_vars) do |(key, value), hash|
    match_data = ANSIBLE_DIALOG_VAR_REGEX.match(key.to_s)
    if match_data
      # Decrypt fields whose name contains 'password'; keep the original value if decryption fails
      if match_data[1].include?('password')
        require 'miq-password'
        value = MiqPassword::decrypt(value) rescue value
      end
      hash[match_data[1]] = value
    end
  end
end

right ?
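
An added example, not part of the original thread and not ManageIQ code: it selects secrets by the `password::` key prefix and the `v2:{...}` value shape shown above instead of by a name substring, raises rather than silently passing ciphertext through, and returns a masked copy for logging. The names `decrypt_password_options` and `STAND_IN_DECRYPTOR` and the sample hash are assumptions made for illustration; inside automate the decryptor would wrap `MiqPassword.decrypt`.

```ruby
# Added example: runs in plain Ruby, no ManageIQ dependency.

# Key and value shapes as they appear in the options dump in this thread.
PASSWORD_KEY    = /\Apassword::(.+)\z/
ENCRYPTED_VALUE = /\Av2:\{.+\}\z/
MASK            = '********'

# options   - hash shaped like miq_provision.options
# decryptor - callable that turns a "v2:{...}" string into plaintext
#             (assumption: in automate, ->(v) { MiqPassword.decrypt(v) })
# Returns [secrets, loggable]:
#   secrets  - plaintext values keyed by field name (prefix removed)
#   loggable - every option, with password values masked
def decrypt_password_options(options, decryptor)
  secrets  = {}
  loggable = {}
  options.each do |key, value|
    match = PASSWORD_KEY.match(key.to_s)
    if match.nil?
      loggable[key.to_s] = value
      next
    end
    # Fail loudly: a password-typed key holding anything other than an
    # encrypted string must not be forwarded as if it were a secret.
    unless value.is_a?(String) && ENCRYPTED_VALUE.match?(value)
      raise ArgumentError, "#{key} is not an encrypted v2 string"
    end
    secrets[match[1]]  = decryptor.call(value)
    loggable[key.to_s] = MASK
  end
  [secrets, loggable]
end

# Stand-in for MiqPassword.decrypt so the example runs offline.
# It only reverses the payload; it is not real cryptography.
STAND_IN_DECRYPTOR = ->(enc) { enc[/\{(.*)\}/, 1].reverse }

# Constructed sample input, not taken from a real appliance.
SAMPLE_OPTIONS = {
  :"password::dialog_root_password" => 'v2:{terc3s}',
  :"password::root_password"        => 'v2:{terc3s}',
  :dialog_vm_name                   => 'db01'
}.freeze

if __FILE__ == $PROGRAM_NAME
  _secrets, loggable = decrypt_password_options(SAMPLE_OPTIONS, STAND_IN_DECRYPTOR)
  puts loggable.inspect # only the masked copy is ever printed
end
```
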

I’m facing the same issue from the VM provision. I have tested your suggested method using require 'miq-password' on CloudForms and it works well, but for some reason when I try the same on MIQ I’m getting the following error:

[----] E, [2019-01-04T10:22:24.953266 #23527:81dbe8] ERROR -- : Q-task_id([miq_provision_482]) The following error occurred during method evaluation:
[----] E, [2019-01-04T10:22:24.954031 #23527:81dbe8] ERROR -- : Q-task_id([miq_provision_482]) LoadError: cannot load such file -- miq-password
[----] E, [2019-01-04T10:22:24.954770 #23527:81dbe8] ERROR -- : Q-task_id([miq_provision_482]) /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
[----] E, [2019-01-04T10:22:24.957331 #23527:81dbe8] ERROR -- : Q-task_id([miq_provision_482]) Method STDERR: /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- miq-password (LoadError)
[----] E, [2019-01-04T10:22:24.957694 #23527:81dbe8] ERROR -- : Q-task_id([miq_provision_482]) Method STDERR: from /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'

Any idea how I can solve this?
Thanks