From 3b14e77d2acfce681fdf163461eddb347980deeb Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Fri, 26 Apr 2019 11:12:48 -0500
Subject: [PATCH] Skip cred-key setup when keys already exist

This change adds a conditional to the _fernet_setup to avoid overwriting credential-keys when keystone-manage credential-setup is ran and there are already existing credential keys. This will mitigate issues where encrypted credential blobs in keystone were becoming un-decryptable when the credential keys were being overridden or lost upon upgrading.

Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
---
 keystone/templates/bin/_fernet-manage.py.tpl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/keystone/templates/bin/_fernet-manage.py.tpl b/keystone/templates/bin/_fernet-manage.py.tpl
index 3fdc1b40b9..019556bf87 100644
--- a/keystone/templates/bin/_fernet-manage.py.tpl
+++ b/keystone/templates/bin/_fernet-manage.py.tpl
@@ -155,6 +155,11 @@ def main():
 FERNET_DIR)
 write_to_files(secret['data'])
+ if args.command == 'credential_setup':
+ if secret.get('data', False):
+ LOG.info('Credential keys already exist, skipping setup...')
+ sys.exit(0)
+
 execute_command(args.command)
 LOG.info("Updating data for '%s' secret.", SECRET_NAME)
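Review bot: The new guard skips credential_setup whenever `secret['data']` is non-empty, so a partially populated or stale secret is treated as a complete key set and key generation is silently skipped; if the expected key-file names are known at this point it would be safer to test for those specific entries, and at minimum the log line should say what was found, e.g. `LOG.info('Credential keys already exist (%s), skipping setup...', sorted(secret['data']))` (key names only). The nested `if`s can be flattened to `if args.command == 'credential_setup' and secret.get('data'):`, since the `False` default is redundant under a truthiness test. The commit message refers to the command as `credential-setup` while the code compares against `'credential_setup'`; presumably the argparse choice uses the underscore form, but that is worth confirming against the parser defined earlier in the file. `main()` starts and ends outside this hunk.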