authorDileep Ranganathan <dileep.ranganathan@intel.com>2018-10-08 15:34:56 -0700
committerDileep Ranganathan <dileep.ranganathan@intel.com>2018-10-08 15:34:56 -0700
commitef59fbb68ef593ae2fe6e351e30e544688637044 (patch)
tree4c5167453b89bec096aa1f4fb798131a91c82e48 /conductor
parentc9cf683edb9fab83698c5e1801df89dd78a3300f (diff)
Retrieve secrets using Secret Management Service
Integrate with HAS by retrieving stored secrets using SMS. Application code remains intact as the secrets are preloaded and stored in config. During startup the conf will be set with the retrieved secrets. The configs in clear text will be deprecated eventually. OOM needs to load aaf-sms and preload secrets before oof deployment. Updated to use domain name instead of domain uuid. Change-Id: I902b18c0cf080316f9a251e61387b67756198cc2 Issue-ID: OPTFRA-343 Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
Diffstat (limited to 'conductor')
-rw-r--r--conductor/conductor/common/sms.py29
-rw-r--r--conductor/conductor/service.py3
-rw-r--r--conductor/conductor/tests/unit/test_sms.py16
-rw-r--r--conductor/requirements.txt2
4 files changed, 32 insertions, 18 deletions
diff --git a/conductor/conductor/common/sms.py b/conductor/conductor/common/sms.py
index 43b9522..ace2e68 100644
--- a/conductor/conductor/common/sms.py
+++ b/conductor/conductor/common/sms.py
@@ -23,6 +23,12 @@ from onapsmsclient import Client
from oslo_config import cfg
from oslo_log import log
+import conductor.data.plugins.inventory_provider.aai
+import conductor.api.controllers.v1.plans
+import conductor.common.music.api
+import conductor.data.plugins.service_controller.sdnc
+
+
LOG = log.getLogger(__name__)
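Review bot: The four added `import conductor...` lines are never referenced by name in the hunks shown, so a reader (or a linter) will take them for dead imports. They presumably exist to register the aai, conductor_api, music_api and sdnc option groups on CONF before load_secrets() assigns to them; if so, say it with a comment such as `# Imported for side effects: registers the option groups that load_secrets() fills in.` and mark each line `# noqa: F401`. Because service.py now imports this module, it is also worth confirming that pulling in conductor.api.controllers.v1.plans from here cannot create an import cycle.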
@@ -43,8 +49,7 @@ AAF_SMS_OPTS = [
'is not verified by the client.'),
cfg.StrOpt('secret_domain',
default='has',
- help='Domain UUID - A unique UUID generated when the domain'
- 'for HAS is created by administrator during deployment')
+ help='Domain Name for HAS')
]
CONF.register_opts(AAF_SMS_OPTS, group='aaf_sms')
@@ -52,8 +57,6 @@ config_spec = {
"preload_secrets": "../preload_secrets.yaml"
}
-secret_cache = {}
-
def preload_secrets():
""" This is intended to load the secrets required for testing Application
@@ -67,8 +70,8 @@ def preload_secrets():
timeout = config.aaf_sms_timeout
cacert = config.aaf_ca_certs
sms_client = Client(url=sms_url, timeout=timeout, cacert=cacert)
- domain = sms_client.createDomain(domain)
- config.secret_domain = domain # uuid
+ domain_uuid = sms_client.createDomain(domain)
+ LOG.debug("Created domain {} with uuid {}".format(domain, domain_uuid))
secrets = preload_config.get("secrets")
for secret in secrets:
sms_client.storeSecret(domain, secret.get('name'),
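Review bot: The new debug line formats eagerly with `str.format`; the logging-style form `LOG.debug("Created domain %s with uuid %s", domain, domain_uuid)` defers the formatting until the record is actually emitted. The return value of createDomain is now used only for this log line, so a failed or empty response would go unnoticed before the storeSecret loop runs; a short check on `domain_uuid` would make that visible. Keep this message limited to the domain name and uuid, and do not extend it to the secret names or values handled in the loop below, which continues outside the hunk.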
@@ -93,6 +96,20 @@ def retrieve_secrets():
return secret_dict
+def load_secrets():
+ config = CONF
+ secret_dict = retrieve_secrets()
+ config.aai.username = secret_dict['aai']['username']
+ config.aai.password = secret_dict['aai']['password']
+ config.conductor_api.username = secret_dict['conductor_api']['username']
+ config.conductor_api.password = secret_dict['conductor_api']['password']
+ config.music_api.aafuser = secret_dict['music_api']['aafuser']
+ config.music_api.aafpass = secret_dict['music_api']['aafpass']
+ config.music_api.aafns = secret_dict['music_api']['aafns']
+ config.sdnc.username = secret_dict['sdnc']['username']
+ config.sdnc.password = secret_dict['sdnc']['password']
+
+
def delete_secrets():
""" This is intended to delete the secrets for a clean initialization for
testing Application. Actual deployment will have a preload script.
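Review bot: load_secrets() indexes secret_dict directly, so a domain that lacks one entry (no 'sdnc' secret, or a missing 'aafns' key) fails service startup with a bare KeyError that does not say which secret is absent; the function also has no docstring. I would drive the copy from a table of group and option names, raise an error that names the missing item (never its value), and go through CONF.set_override rather than attribute assignment on the group, which as far as I can tell is not the documented oslo.config way to change a value and may not survive a config reload, so please confirm. Since the credentials now live in CONF, the options registered in the aai, conductor_api, music_api and sdnc modules (outside this diff) should carry `secret=True` so oslo.config masks them when option values are logged. delete_secrets() continues past the end of the hunk.
```python
def load_secrets():
    """Copy the credentials retrieved from SMS into the matching CONF groups."""
    wanted = {
        'aai': ('username', 'password'),
        'conductor_api': ('username', 'password'),
        'music_api': ('aafuser', 'aafpass', 'aafns'),
        'sdnc': ('username', 'password'),
    }
    secret_dict = retrieve_secrets()
    for group, names in wanted.items():
        for name in names:
            try:
                value = secret_dict[group][name]
            except KeyError:
                # Name the missing item only; never put secret values in errors.
                raise RuntimeError(
                    "SMS returned no '{}' value for '{}'".format(name, group))
            CONF.set_override(name, value, group=group)
```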
diff --git a/conductor/conductor/service.py b/conductor/conductor/service.py
index df5bffc..982123c 100644
--- a/conductor/conductor/service.py
+++ b/conductor/conductor/service.py
@@ -20,6 +20,7 @@
import sys
# from keystoneauth1 import loading as ka_loading
+from conductor.common import sms
from oslo_config import cfg
import oslo_i18n
from oslo_log import log
@@ -107,4 +108,6 @@ def prepare_service(argv=None, config_files=None):
if argv:
gmr.TextGuruMeditation.setup_autorun(version)
messaging.setup()
+ # TODO(Dileep): Uncomment once Helm charts to preload secrets available
+ # sms.load_secrets()
return conf
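Review bot: The commented-out `# sms.load_secrets()` leaves `from conductor.common import sms` in the earlier hunk unused (flake8 F401), while still loading sms.py and the aai, plans, music and sdnc modules it imports at startup. Gating the call on a boolean option in the aaf_sms group, off by default, would keep the code live and testable instead of commented out. Until it is enabled the service still runs on the clear-text credentials in the config file, which the TODO should say explicitly so the gap is not forgotten. prepare_service starts above this hunk.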
diff --git a/conductor/conductor/tests/unit/test_sms.py b/conductor/conductor/tests/unit/test_sms.py
index b04111e..77c06b8 100644
--- a/conductor/conductor/tests/unit/test_sms.py
+++ b/conductor/conductor/tests/unit/test_sms.py
@@ -35,10 +35,7 @@ class TestSMS(unittest.TestCase):
@requests_mock.mock()
def test_sms(self, mock_sms):
- ''' NOTE: preload_secret generate the uuid for the domain
- Create Domain API is called during the deployment using a
- preload script. So the application oly knows the domain_uuid.
- All sub-sequent SMS API calls needs the uuid.
+ ''' NOTE: preload_secret during the deployment using a preload script.
For test purposes we need to do preload ourselves'''
sms_url = self.config.aaf_sms_url
@@ -53,7 +50,8 @@ class TestSMS(unittest.TestCase):
# Mock requests for preload_secret
cd_url = self.base_domain_url.format(sms_url)
domain_uuid1 = str(uuid4())
- s_url = self.secret_url.format(sms_url, domain_uuid1)
+ domain_name = self.config.secret_domain
+ s_url = self.secret_url.format(sms_url, domain_name)
mock_sms.post(cd_url, status_code=200, json={'uuid': domain_uuid1})
mock_sms.post(s_url, status_code=200)
# Initialize Secrets from SMS
@@ -61,13 +59,9 @@ class TestSMS(unittest.TestCase):
# Part 2: Retrieve Secret Test
# Mock requests for retrieve_secrets
- # IMPORTANT: Read the config again as the preload_secrets has
- # updated the config with uuid
- domain_uuid2 = self.config.secret_domain
- self.assertEqual(domain_uuid1, domain_uuid2)
- d_url = self.domain_url.format(sms_url, domain_uuid2)
- s_url = self.secret_url.format(sms_url, domain_uuid2)
+ d_url = self.domain_url.format(sms_url, domain_name)
+ s_url = self.secret_url.format(sms_url, domain_name)
# Retrieve Secrets from SMS and load to secret cache
# Use the secret_cache instead of config files
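Review bot: The context comment `# Use the secret_cache instead of config files` is stale now that this commit removes secret_cache from sms.py; something like `# Retrieve secrets from SMS by domain name` would match the new behaviour. domain_uuid1 is still returned by the mocked create-domain call, but nothing asserts on it any more, so it could be reduced to a fixed constructed value. None of the hunks in this file exercises the new load_secrets(), so the copy into CONF appears to be untested. test_sms continues outside the hunk.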
diff --git a/conductor/requirements.txt b/conductor/requirements.txt
index 52ed4ed..d6d413d 100644
--- a/conductor/requirements.txt
+++ b/conductor/requirements.txt
@@ -23,6 +23,6 @@ requests[security]!=2.9.0,>=2.8.1 # Apache-2.0
six>=1.9.0 # MIT, also required by futurist
stevedore>=1.9.0 # Apache-2.0, also required by oslo.config
WebOb>=1.2.3 # MIT
-onapsmsclient>=0.0.3
+onapsmsclient>=0.0.4
Flask>=0.11.1
prometheus-client>=0.3.1 \ No newline at end of file