2 files changed, 83 insertions, 6 deletions

diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index 9acc4a3e0..67ac6f380 100644
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -96,6 +96,17 @@ def resource_get_all(context):
     return results
 
 
+def _encrypt(value):
+    if value is not None:
+        return crypt.encrypt(value.encode('utf-8'))
+
+
+def _decrypt(enc_value):
+    value = crypt.decrypt(enc_value)
+    if value is not None:
+        return unicode(value, 'utf-8')
+
+
 def resource_create(context, values):
     resource_ref = models.Resource()
     resource_ref.update(values)
@@ -206,9 +217,9 @@ def user_creds_create(context):
     values = context.to_dict()
     user_creds_ref = models.UserCreds()
     user_creds_ref.update(values)
-    user_creds_ref.password = crypt.encrypt(values['password'])
-    user_creds_ref.service_password = crypt.encrypt(values['service_password'])
-    user_creds_ref.aws_creds = crypt.encrypt(values['aws_creds'])
+    user_creds_ref.password = _encrypt(values['password'])
+    user_creds_ref.service_password = _encrypt(values['service_password'])
+    user_creds_ref.aws_creds = _encrypt(values['aws_creds'])
     user_creds_ref.save(_session(context))
     return user_creds_ref
 
@@ -218,9 +229,9 @@ def user_creds_get(user_creds_id):
     # Return a dict copy of db results, do not decrypt details into db_result
     # or it can be committed back to the DB in decrypted form
     result = dict(db_result)
-    result['password'] = crypt.decrypt(result['password'])
-    result['service_password'] = crypt.decrypt(result['service_password'])
-    result['aws_creds'] = crypt.decrypt(result['aws_creds'])
+    result['password'] = _decrypt(result['password'])
+    result['service_password'] = _decrypt(result['service_password'])
+    result['aws_creds'] = _decrypt(result['aws_creds'])
     return result
 
 
diff --git a/heat/tests/test_sqlalchemy_api.py b/heat/tests/test_sqlalchemy_api.py
new file mode 100644
index 000000000..e8c58afce
--- /dev/null
+++ b/heat/tests/test_sqlalchemy_api.py
@@ -0,0 +1,66 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import unittest
+
+import mox
+from nose.plugins.attrib import attr
+
+from heat.common import context
+from heat.db.sqlalchemy import api as db_api
+
+
+@attr(tag=['unit', 'sqlalchemy'])
+@attr(speed='fast')
+class SqlAlchemyTest(unittest.TestCase):
+    def setUp(self):
+        self.m = mox.Mox()
+
+    def tearDown(self):
+        self.m.UnsetStubs()
+
+    def test_user_creds_password(self):
+        ctx = context.RequestContext.from_dict({
+            'tenant_id': 'test_tenant_id',
+            'tenant': 'test_tenant',
+            'username': 'test_username',
+            'password': 'password',
+            'service_password': 'service_password',
+            'aws_creds': 'aws_creds_123',
+            'roles': [],
+            'auth_url': 'http://server.test:5000/v2.0',
+        })
+
+        db_creds = db_api.user_creds_create(ctx)
+        load_creds = db_api.user_creds_get(db_creds.id)
+
+        self.assertEqual(load_creds.get('username'), 'test_username')
+        self.assertEqual(load_creds.get('password'), 'password')
+        self.assertEqual(load_creds.get('service_password'),
+                         'service_password')
+        self.assertEqual(load_creds.get('aws_creds'), 'aws_creds_123')
+        self.assertEqual(load_creds.get('tenant'), 'test_tenant')
+        self.assertEqual(load_creds.get('tenant_id'), 'test_tenant_id')
+        self.assertNotEqual(None, load_creds.get('created_at'))
+        self.assertEqual(None, load_creds.get('updated_at'))
+        self.assertEqual(load_creds.get('auth_url'),
+                         'http://server.test:5000/v2.0')
+
+    def test_user_creds_none(self):
+        ctx = context.RequestContext()
+        db_creds = db_api.user_creds_create(ctx)
+        load_creds = db_api.user_creds_get(db_creds.id)
+
+        self.assertEqual(None, load_creds.get('username'))
+        self.assertEqual(None, load_creds.get('password'))
+        self.assertEqual(None, load_creds.get('service_password'))
+        self.assertEqual(None, load_creds.get('aws_creds'))