Issue #484 - Use of model encryption with online update fails

Author: rakillen

core/src/main/python/wlsdeploy/aliases/aliases.py

@@ -397,13 +397,7 @@ def get_wlst_attribute_name_and_value(self, location, model_attribute_name, mode
         attribute_info = module_folder[ATTRIBUTES][model_attribute_name]
 
         if attribute_info and not self.__is_model_attribute_read_only(location, attribute_info):
-            password_attribute_name = \
-                password_utils.get_wlst_attribute_name(attribute_info, model_attribute_value, self._wlst_mode)
-
-            if password_attribute_name is not None:
-                wlst_attribute_name = password_attribute_name
-            else:
-                wlst_attribute_name = attribute_info[WLST_NAME]
+            wlst_attribute_name = attribute_info[WLST_NAME]
 
             if self._model_context and USES_PATH_TOKENS in attribute_info and \
                     string_utils.to_boolean(attribute_info[USES_PATH_TOKENS]):
@@ -413,6 +407,14 @@ def get_wlst_attribute_name_and_value(self, location, model_attribute_name, mode
             if data_type == 'password':
                 try:
                     wlst_attribute_value = self.decrypt_password(model_attribute_value)
+
+                    # the attribute name may change for special cases, check against decrypted value
+                    password_attribute_name = \
+                        password_utils.get_wlst_attribute_name(attribute_info, wlst_attribute_value, self._wlst_mode)
+
+                    if password_attribute_name is not None:
+                        wlst_attribute_name = password_attribute_name
+
                 except EncryptionException, ee:
                     ex = exception_helper.create_alias_exception('WLSDPLY-08402', model_attribute_name,
                                                                  location.get_folder_path(),
@@ -1200,7 +1202,7 @@ def get_wlst_read_type(self, location, model_attribute_name):
 
     def decrypt_password(self, text):
         """
-        Encrypt the specified password if encryption is used and the password is encrypted.
+        Decrypt the specified password if model encryption is used and the password is encrypted.
         :param text: the text to check and decrypt, if needed
         :return: the clear text
         :raises EncryptionException: if an error occurs while decrypting the password

site/encrypt.md

@@ -4,6 +4,8 @@
 
 Models contain WebLogic Server domain configuration.  Certain types of resources and other configurations require passwords; for example, a JDBC data source requires the password for the user establishing the database connection.  When creating or configuring a resource that requires a password, that password must be specified either in the model directly or in the variable file.  Clear-text passwords are not conducive to storing configurations as source, so the Encrypt Model Tool gives the model author the ability to encrypt the passwords in the model and variable file using passphrase-based, reversible encryption.  When using a tool with a model containing encrypted passwords, the encryption passphrase must be provided, so that the tool can decrypt the password in memory to set the necessary WebLogic Server configuration (which supports its own encryption mechanism based on a domain-specific key).  While there is no requirement to use the Oracle WebLogic Server Deploy Tooling encryption mechanism, it is highly recommended because storing clear text passwords on disk is never a good idea.
 
+**NOTE: WebLogic Server Deploy Tooling also supports the use of domain-encrypted passwords directly in the model. The Encrypt Model Tool should not be used in tandem with this method.**  
+
 Start with the following example model:
 
 ```yaml