Partition params into locked and unlocked sets.

common/scala/src/main/scala/org/apache/openwhisk/core/connector/Message.scala

@@ -57,6 +57,7 @@ case class ActivationMessage(override val transid: TransactionId,
                              blocking: Boolean,
                              content: Option[JsObject],
                              initArgs: Set[String] = Set.empty,
+                             lockedArgs: Map[String, String] = Map.empty,
                              cause: Option[ActivationId] = None,
                              traceContext: Option[Map[String, String]] = None)
     extends Message {
@@ -171,7 +172,7 @@ object ActivationMessage extends DefaultJsonProtocol {
   def parse(msg: String) = Try(serdes.read(msg.parseJson))
 
   private implicit val fqnSerdes = FullyQualifiedEntityName.serdes
-  implicit val serdes = jsonFormat11(ActivationMessage.apply)
+  implicit val serdes = jsonFormat12(ActivationMessage.apply)
 }
 
 object CombinedCompletionAndResultMessage extends DefaultJsonProtocol {

common/scala/src/main/scala/org/apache/openwhisk/core/entity/Parameter.scala

@@ -21,7 +21,6 @@ import org.apache.openwhisk.core.entity.size.{SizeInt, SizeString}
 import spray.json.DefaultJsonProtocol._
 import spray.json._
 
-import scala.collection.immutable.ListMap
 import scala.language.postfixOps
 import scala.util.{Failure, Success, Try}
 
@@ -74,9 +73,17 @@ protected[core] class Parameters protected[entity] (private val params: Map[Para
     params.keySet filter (params(_).init) map (_.name)
   }
 
+  /** Gets list all locked (encrypted) parameters. */
+  protected[core] def lockedParameters: Map[String, String] = {
+    params.collect {
+      case p if p._2.encryption.isDefined => (p._1.name -> p._2.encryption.get)
+    }
+  }
+
   protected[core] def getMap = {
     params
   }
+
   protected[core] def toJsArray = {
     JsArray(params map { p =>
       val init = if (p._2.init) Some("init" -> JsTrue) else None
@@ -86,14 +93,7 @@ protected[core] class Parameters protected[entity] (private val params: Map[Para
     } toSeq: _*)
   }
 
-  protected[core] def toJsObject =
-    JsObject(params.map(p => {
-      val newValue =
-        p._2.encryption
-          .map(e => JsObject("value" -> p._2.value, "init" -> p._2.init.toJson, "encryption" -> e.toJson))
-          .getOrElse(p._2.value)
-      (p._1.name, newValue)
-    }))
+  protected[core] def toJsObject = JsObject(params.map(p => (p._1.name -> p._2.value.toJson)))
 
   override def toString = toJsArray.compactPrint
 
@@ -134,28 +134,27 @@ protected[core] class Parameters protected[entity] (private val params: Map[Para
   /**
    * Encrypts any parameters that are not yet encoded.
    *
+   * @param encoder the encoder to transform parameter values with
    * @return parameters with all values encrypted
    */
-  def lock(encoder: Option[Encrypter] = None): Parameters = {
+  def lock(encoder: Encrypter): Parameters = {
     new Parameters(params.map {
       case (paramName, paramValue) if paramValue.encryption.isEmpty =>
-        paramName -> encoder.getOrElse(ParameterEncryption.singleton.default).encrypt(paramValue)
+        paramName -> encoder.encrypt(paramValue)
       case p => p
     })
   }
 
   /**
    * Decodes parameters. If the encryption scheme for a parameter is not recognized, it is not modified.
    *
+   * @param decoder the decoder to use to transform locked values
    * @return parameters will all values decoded (where scheme is known)
    */
-  def unlock(decoder: Option[ParameterEncryption] = None): Parameters = {
+  def unlock(decoder: ParameterEncryption): Parameters = {
     new Parameters(params.map {
-      case (paramName, paramValue) if paramValue.encryption.nonEmpty =>
-        paramName -> decoder
-          .getOrElse(ParameterEncryption.singleton)
-          .encryptor(paramValue.encryption)
-          .decrypt(paramValue)
+      case (paramName, paramValue) if paramValue.encryption.isDefined =>
+        paramName -> decoder.encryptor(paramValue.encryption).decrypt(paramValue)
       case p => p
     })
   }
@@ -265,29 +264,6 @@ protected[core] object Parameters extends ArgNormalizer[Parameters] {
     ParameterValue(Option(v).getOrElse(JsNull), false, None))
   }
 
-  def readMergedList(value: JsValue): Parameters =
-    Try {
-
-      val JsObject(obj) = value
-      new Parameters(
-        obj
-          .map((tuple: (String, JsValue)) => {
-            val key = new ParameterName(tuple._1)
-            val paramVal: ParameterValue = tuple._2 match {
-              case o: JsObject =>
-                o.getFields("value", "init", "encryption") match {
-                  case Seq(v: JsValue, JsBoolean(i), JsString(e)) =>
-                    ParameterValue(v, i, Some(e))
-                  case _ => ParameterValue(o, false, None)
-                }
-              case v: JsValue => ParameterValue(v, false, None)
-            }
-            (key, paramVal)
-          })
-          .toMap)
-    } getOrElse deserializationError(
-      "parameters malformed, could not get a JsObject from: " + (if (value != null) value.toString() else ""))
-
   override protected[core] implicit val serdes = new RootJsonFormat[Parameters] {
     def write(p: Parameters) = p.toJsArray
 
@@ -298,39 +274,12 @@ protected[core] object Parameters extends ArgNormalizer[Parameters] {
      * @param parameters the JSON representation of an parameter array
      * @return Parameters instance if parameters conforms to schema
      */
-    def read(value: JsValue) =
-      Try {
-        val JsArray(params) = value
-        params
-      } flatMap {
-        read(_)
-      } getOrElse {
-        Try {
-          var converted = new ListMap[ParameterName, ParameterValue]()
-          val JsObject(o) = value
-          o.foreach(i =>
-            i._2.asJsObject.getFields("value", "init", "encryption") match {
-              case Seq(v: JsValue, JsBoolean(init), JsString(e)) =>
-                val key = new ParameterName(i._1)
-                val value = ParameterValue(v, init, Some(e))
-                converted = converted + (key -> value)
-              case Seq(v: JsValue, JsBoolean(init)) =>
-                val key = new ParameterName(i._1)
-                val value = ParameterValue(v, init)
-                converted = converted + (key -> value)
-              case Seq(v: JsValue, JsBoolean(init), JsNull) =>
-                val key = new ParameterName(i._1)
-                val value = ParameterValue(v, init)
-                converted = converted + (key -> value)
-          })
-          if (converted.size == 0) {
-            deserializationError("parameters malformed no parameters available: " + value.toString)
-          } else {
-            new Parameters(converted)
-          }
-        } getOrElse deserializationError(
-          "parameters malformed could not read directly: " + (if (value != null) value.toString else ""))
+    def read(value: JsValue): Parameters = {
+      value match {
+        case JsArray(params) => read(params).getOrElse(deserializationError("parameters malformed!"))
+        case _               => deserializationError("parameters malformed!")
       }
+    }
 
     /**
      * Gets parameters as a Parameters instances.
@@ -348,15 +297,19 @@ protected[core] object Parameters extends ArgNormalizer[Parameters] {
                 val key = new ParameterName(k)
                 val value = ParameterValue(v, false)
                 (key, value)
+              case Seq(JsString(k), v: JsValue, JsBoolean(i)) =>
+                val key = new ParameterName(k)
+                val value = ParameterValue(v, i)
+                (key, value)
               case Seq(JsString(k), v: JsValue, JsBoolean(i), JsString(e)) =>
                 val key = new ParameterName(k)
                 val value = ParameterValue(v, i, Some(e))
                 (key, value)
-              case Seq(JsString(k), v: JsValue, JsBoolean(i)) =>
+              case Seq(JsString(k), v: JsValue, JsBoolean(i), JsNull) =>
                 val key = new ParameterName(k)
-                val value = ParameterValue(v, i)
+                val value = ParameterValue(v, i, None)
                 (key, value)
-              case Seq(JsString(k), v: JsValue, JsString(e)) if (i.asJsObject.fields.contains("encryption")) =>
+              case Seq(JsString(k), v: JsValue, JsString(e)) =>
                 val key = new ParameterName(k)
                 val value = ParameterValue(v, false, Some(e))
                 (key, value)

common/scala/src/main/scala/org/apache/openwhisk/core/entity/ParameterEncryption.scala

@@ -46,6 +46,10 @@ protected[core] case class ParameterEncryption(default: Encrypter, encryptors: M
     encryptors.get(name.getOrElse(default.name)).getOrElse(ParameterEncryption.noop)
   }
 
+  def encryptor(name: String): Encrypter = {
+    encryptors.get(name).getOrElse(ParameterEncryption.noop)
+  }
+
 }
 
 protected[core] object ParameterEncryption {
@@ -79,6 +83,7 @@ protected[core] trait Encrypter {
   val name: String
   def encrypt(p: ParameterValue): ParameterValue = p
   def decrypt(p: ParameterValue): ParameterValue = p
+  def decrypt(v: JsString): JsValue = v
 }
 
 protected[core] object Encrypter {
@@ -116,8 +121,15 @@ protected[core] trait AesEncryption extends Encrypter {
     ParameterValue(JsString(Base64.getEncoder.encodeToString(cipherMessage)), value.init, Some(name))
   }
 
-  override def decrypt(value: ParameterValue): ParameterValue = {
-    val cipherMessage = value.value.convertTo[String].getBytes(StandardCharsets.UTF_8)
+  override def decrypt(p: ParameterValue): ParameterValue = {
+    p.value match {
+      case s: JsString => p.copy(v = decrypt(s), encryption = None)
+      case _           => p
+    }
+  }
+
+  override def decrypt(value: JsString): JsValue = {
+    val cipherMessage = value.convertTo[String].getBytes(StandardCharsets.UTF_8)
     val byteBuffer = ByteBuffer.wrap(Base64.getDecoder.decode(cipherMessage))
     val ivLength = byteBuffer.getInt
     if (ivLength != ivLen) {
@@ -133,7 +145,7 @@ protected[core] trait AesEncryption extends Encrypter {
     cipher.init(Cipher.DECRYPT_MODE, secretKey, gcmSpec)
     val plainTextBytes = cipher.doFinal(cipherText)
     val plainText = new String(plainTextBytes, StandardCharsets.UTF_8)
-    ParameterValue(plainText.parseJson, value.init)
+    plainText.parseJson
   }
 
 }

common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala

@@ -384,7 +384,9 @@ object WhiskAction extends DocumentFactory[WhiskAction] with WhiskEntityQueries[
       val stream = new ByteArrayInputStream(bytes)
       super.putAndAttach(
         db,
-        doc.copy(parameters = doc.parameters.lock()).revision[WhiskAction](doc.rev),
+        doc
+          .copy(parameters = doc.parameters.lock(ParameterEncryption.singleton.default))
+          .revision[WhiskAction](doc.rev),
         attachmentUpdater,
         attachmentType,
         stream,
@@ -404,7 +406,12 @@ object WhiskAction extends DocumentFactory[WhiskAction] with WhiskEntityQueries[
         case exec @ BlackBoxExec(_, Some(Inline(code)), _, _, binary) =>
           putWithAttachment(code, binary, exec)
         case _ =>
-          super.put(db, doc.copy(parameters = doc.parameters.lock()).revision[WhiskAction](doc.rev), old)
+          super.put(
+            db,
+            doc
+              .copy(parameters = doc.parameters.lock(ParameterEncryption.singleton.default))
+              .revision[WhiskAction](doc.rev),
+            old)
       }
     } match {
       case Success(f) => f

common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskPackage.scala

@@ -205,7 +205,10 @@ object WhiskPackage
   override def put[A >: WhiskPackage](db: ArtifactStore[A], doc: WhiskPackage, old: Option[WhiskPackage])(
     implicit transid: TransactionId,
     notifier: Option[CacheChangeNotification]): Future[DocInfo] = {
-    super.put(db, doc.copy(parameters = doc.parameters.lock()).revision[WhiskPackage](doc.rev), old)
+    super.put(
+      db,
+      doc.copy(parameters = doc.parameters.lock(ParameterEncryption.singleton.default)).revision[WhiskPackage](doc.rev),
+      old)
   }
 }
 

core/controller/src/main/scala/org/apache/openwhisk/core/controller/actions/PrimitiveActions.scala

@@ -179,6 +179,7 @@ protected[actions] trait PrimitiveActions {
       waitForResponse.isDefined,
       args,
       action.parameters.initParameters,
+      action.parameters.lockedParameters,
       cause = cause,
       WhiskTracerProvider.tracer.getTraceContext(transid))
 

core/controller/src/main/scala/org/apache/openwhisk/core/loadBalancer/InvokerSupervision.scala

@@ -416,7 +416,8 @@ class InvokerActor(invokerInstance: InvokerInstanceId, controllerInstance: Contr
         rootControllerIndex = controllerInstance,
         blocking = false,
         content = None,
-        initArgs = Set.empty)
+        initArgs = Set.empty,
+        lockedArgs = Map.empty)
 
       context.parent ! ActivationRequest(activationMessage, invokerInstance)
     }

core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala

@@ -774,9 +774,10 @@ class ContainerProxy(factory: (TransactionId,
   def initializeAndRun(container: Container, job: Run, reschedule: Boolean = false)(
     implicit tid: TransactionId): Future[WhiskActivation] = {
     val actionTimeout = job.action.limits.timeout.duration
-    val unlockedContent = job.msg.content.map(Parameters.readMergedList(_).unlock().toJsObject)
+    val unlockedArgs =
+      ContainerProxy.unlockArguments(job.msg.content, job.msg.lockedArgs, ParameterEncryption.singleton)
 
-    val (env, parameters) = ContainerProxy.partitionArguments(unlockedContent, job.msg.initArgs)
+    val (env, parameters) = ContainerProxy.partitionArguments(unlockedArgs, job.msg.initArgs)
 
     val environment = Map(
       "namespace" -> job.msg.user.namespace.name.toJson,
@@ -1089,6 +1090,23 @@ object ContainerProxy {
         (env, JsObject(args))
     }
   }
+
+  def unlockArguments(content: Option[JsObject],
+                      lockedArgs: Map[String, String],
+                      decoder: ParameterEncryption): Option[JsObject] = {
+    content.map {
+      case JsObject(fields) =>
+        JsObject(fields.map {
+          case (k, o: JsObject) =>
+            o.getFields("value", "encryption") match {
+              case Seq(s: JsString, JsString(e)) => (k -> decoder.encryptor(e).decrypt(s))
+              case Seq(v: JsValue, JsNull)       => (k -> v)
+            }
+
+          case p => p
+        })
+    }
+  }
 }
 
 object TCPPingClient {

tests/src/test/scala/org/apache/openwhisk/core/containerpool/test/ContainerPoolTests.scala

@@ -87,7 +87,8 @@ class ContainerPoolTests
       ControllerInstanceId("0"),
       blocking = false,
       content = None,
-      initArgs = Set.empty)
+      initArgs = Set.empty,
+      lockedArgs = Map.empty)
     Run(action, message)
   }
 

tests/src/test/scala/org/apache/openwhisk/core/containerpool/test/ContainerProxyTests.scala

@@ -125,7 +125,8 @@ class ContainerProxyTests
     ControllerInstanceId("0"),
     blocking = false,
     content = Some(activationArguments),
-    initArgs = Set("ENV_VAR"))
+    initArgs = Set("ENV_VAR"),
+    lockedArgs = Map.empty)
 
   /*
    * Helpers for assertions and actor lifecycles