From fa9960690db89b0695c266abdb9009e2331f6f3c Mon Sep 17 00:00:00 2001
From: Dileep Ranganathan
Date: Thu, 27 Sep 2018 08:06:26 -0700
Subject: Retrieve secrets using Secret Management Service
Integrate with OSDF by retrieving stored secrets using SMS Application code remains in tact as the secrets are preloaded and stored in config. The configs in clear text will be deprecated eventually. OOM needs to load aaf-sms and preload secrets before oof deployment. Updated to use domain name instead of domain uuid.
Change-Id: I88a3c3dd2ad87753cc056fb63c8bbabd546707ab
Issue-ID: OPTFRA-343
Signed-off-by: Dileep Ranganathan
---
 assembly.xml | 1 +
 config/osdf_config.yaml | 2 +-
 config/preload_secrets.yaml | 18 +++++++++++++++---
 osdf/adapters/aaf/sms.py | 38 ++++++++++++++++++++++++++++++++++----
 osdfapp.py | 2 ++
 requirements.txt | 2 +-
 test/adapters/test_sms.py | 16 +++++----------
 7 files changed, 59 insertions(+), 20 deletions(-)
diff --git a/assembly.xml b/assembly.xml
index d19bdcf..24379d4 100644
--- a/assembly.xml
+++ b/assembly.xml
@@ -31,6 +31,7 @@
 **/*.pyc
+ config/preload_secrets.yaml
diff --git a/config/osdf_config.yaml b/config/osdf_config.yaml
index c484fb4..b522919 100755
--- a/config/osdf_config.yaml
+++ b/config/osdf_config.yaml
@@ -68,7 +68,7 @@ aaf_user_roles:
 # Secret Management Service from AAF
 aaf_sms_url: https://aaf-sms.onap:10443
 aaf_sms_timeout: 30
-secret_domain: osdf #Replace with the UUID
+secret_domain: osdf
 aaf_ca_certs: ssl_certs/aaf_root_ca.cer
 # config db api
diff --git a/config/preload_secrets.yaml b/config/preload_secrets.yaml
index 6e877e7..1d2ea01 100755
--- a/config/preload_secrets.yaml
+++ b/config/preload_secrets.yaml
@@ -9,11 +9,11 @@ secrets:
 values:
 UserName: admin1
 Password: plan.15
-- name: policy_platform
 values:
 UserName: testpdp
 Password: alpha123
-- name: policy_client
 values:
 UserName: python
 Password: test
@@ -40,4 +40,16 @@ secrets:
 - name: osdfCMScheduler
 values:
 UserName: test1
- Password: test_pwd1
+ Password: testpwd1
+- name: configDb
+ values:
+ UserName: osdf
+ Password: passwd
+- name: pciHMS
+ values:
+ UserName: ''
+ Password: ''
+- name: osdfPCIOpt
+ values:
+ UserName: pci_test
+ Password: pci_testpwd
diff --git a/osdf/adapters/aaf/sms.py b/osdf/adapters/aaf/sms.py
index 976eb61..9c7af51 100644
--- a/osdf/adapters/aaf/sms.py
+++ b/osdf/adapters/aaf/sms.py
@@ -29,8 +29,6 @@ config_spec = {
 "preload_secrets": "config/preload_secrets.yaml"
 }
-secret_cache = {}
-
 def preload_secrets():
 """ This is intended to load the secrets required for testing Application
@@ -44,8 +42,9 @@ def preload_secrets():
 timeout = config["aaf_sms_timeout"]
 cacert = config["aaf_ca_certs"]
 sms_client = Client(url=sms_url, timeout=timeout, cacert=cacert)
- domain = sms_client.createDomain(domain)
- config["secret_domain"] = domain # uuid
+ domain_uuid = sms_client.createDomain(domain)
+ debug_log.debug(
+ "Created domain {} with uuid {}".format(domain, domain_uuid))
 secrets = preload_config.get("secrets")
 for secret in secrets:
 sms_client.storeSecret(domain, secret.get('name'),
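Review bot: The new pciHMS entry stores an empty UserName and Password, and nothing in this change rejects empty values: the new load_secrets in osdf/adapters/aaf/sms.py copies every field straight into the deployment config, so a consumer would attempt authentication with blank credentials rather than failing at startup. If these are placeholders that the deployment preload is expected to overwrite, say so next to the entry, `# pciHMS: intentionally empty, the deployment preload supplies the real values`, so nobody mistakes it for a finished configuration. The configDb and osdfPCIOpt entries add further clear-text credentials to a file the commit message already marks for deprecation; a one-line header comment stating that this file is test/preload data only would make that explicit for readers of the file itself.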
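Review bot: The new debug line formats eagerly with str.format; if debug_log is a standard logging.Logger, the lazy form `debug_log.debug("Created domain %s with uuid %s", domain, domain_uuid)` skips the formatting when debug output is disabled and follows the usual logging convention. The uuid returned by createDomain is now only logged, since storeSecret is called with the domain name, which is worth stating in place: `# uuid is only logged; all subsequent SMS calls use the domain name`. preload_secrets starts before this hunk and continues past it.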
@@ -70,6 +69,37 @@ def retrieve_secrets():
 return secret_dict
+def load_secrets():
+ config = osdf_config.deployment
+ secret_dict = retrieve_secrets()
+ config['soUsername'] = secret_dict['so']['UserName']
+ config['soPassword'] = secret_dict['so']['Password']
+ config['conductorUsername'] = secret_dict['conductor']['UserName']
+ config['conductorPassword'] = secret_dict['conductor']['Password']
+ config['policyPlatformUsername'] = secret_dict['policyPlatform']['UserName']
+ config['policyPlatformPassword'] = secret_dict['policyPlatform']['Password']
+ config['policyClientUsername'] = secret_dict['policyClient']['UserName']
+ config['policyClientPassword'] = secret_dict['policyClient']['Password']
+ config['messageReaderAafUserId'] = secret_dict['dmaap']['UserName']
+ config['messageReaderAafPassword'] = secret_dict['dmaap']['Password']
+ config['sdcUsername'] = secret_dict['sdc']['UserName']
+ config['sdcPassword'] = secret_dict['sdc']['Password']
+ config['osdfPlacementUsername'] = secret_dict['osdfPlacement']['UserName']
+ config['osdfPlacementPassword'] = secret_dict['osdfPlacement']['Password']
+ config['osdfPlacementSOUsername'] = secret_dict['osdfPlacementSO']['UserName']
+ config['osdfPlacementSOPassword'] = secret_dict['osdfPlacementSO']['Password']
+ config['osdfPlacementVFCUsername'] = secret_dict['osdfPlacementVFC']['UserName']
+ config['osdfPlacementVFCPassword'] = secret_dict['osdfPlacementVFC']['Password']
+ config['osdfCMSchedulerUsername'] = secret_dict['osdfCMScheduler']['UserName']
+ config['osdfCMSchedulerPassword'] = secret_dict['osdfCMScheduler']['Password']
+ config['configDbUserName'] = secret_dict['configDb']['UserName']
+ config['configDbPassword'] = secret_dict['configDb']['Password']
+ config['pciHMSUsername'] = secret_dict['pciHMS']['UserName']
+ config['pciHMSPassword'] = secret_dict['pciHMS']['Password']
+ config['osdfPCIOptUsername'] = secret_dict['osdfPCIOpt']['UserName']
+ config['osdfPCIOptPassword'] = secret_dict['osdfPCIOpt']['Password']
+
+
 def delete_secrets():
 """ This is intended to delete the secrets for a clean initialization for testing Application. Actual deployment will have a preload script.
diff --git a/osdfapp.py b/osdfapp.py
index c28e14c..f43c215 100755
--- a/osdfapp.py
+++ b/osdfapp.py
@@ -207,6 +207,8 @@ if __name__ == "__main__":
 common_app_opts.update({'ssl_context': tuple(ssl_opts)})
 opts = get_options(sys.argv)
+ # TODO(Dileep): Uncomment once Helm charts to preload secrets available
+ # sms.load_secrets()
 if not opts.local and not opts.devtest: # normal deployment
 app.run(port=internal_port, debug=False, **common_app_opts)
 else:
diff --git a/requirements.txt b/requirements.txt
index 2cf5358..0275ab7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,5 +11,5 @@ requests>=2.14.2
 schematics>=2.0.0
 docopt>=0.6.2
 pydevd>=1.0.0
-onapsmsclient>=0.0.3
+onapsmsclient>=0.0.4
 pymzn>=0.17.0
diff --git a/test/adapters/test_sms.py b/test/adapters/test_sms.py
index ed6c9c9..ae9346d 100644
--- a/test/adapters/test_sms.py
+++ b/test/adapters/test_sms.py
@@ -35,10 +35,7 @@ class TestSMS(unittest.TestCase):
 @requests_mock.mock()
 def test_sms(self, mock_sms):
- ''' NOTE: preload_secret generate the uuid for the domain
- Create Domain API is called during the deployment using a
- preload script. So the application oly knows the domain_uuid.
- All sub-sequent SMS API calls needs the uuid.
+ ''' NOTE: preload_secret during the deployment using a preload script.
 For test purposes we need to do preload ourselves'''
 sms_url = self.config["aaf_sms_url"]
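Review bot: load_secrets has no docstring, and each of its 26 `secret_dict[name][field]` lookups raises a bare KeyError that names only the missing key, so a secret absent from SMS, or stored without a UserName/Password field, fails at startup with no indication of which secret or which config entry is affected. A table mapping the SMS secret name to the two config keys it fills turns the copy into a short loop, lets the error name the offending secret, and keeps KeyError as the exception type; the config keys written are unchanged. load_secrets lies entirely within this hunk; delete_secrets starts here and continues past it.
```python
# SMS secret name -> (config key for its UserName, config key for its Password).
_SECRET_CONFIG_KEYS = {
    'so': ('soUsername', 'soPassword'),
    'conductor': ('conductorUsername', 'conductorPassword'),
    'policyPlatform': ('policyPlatformUsername', 'policyPlatformPassword'),
    'policyClient': ('policyClientUsername', 'policyClientPassword'),
    'dmaap': ('messageReaderAafUserId', 'messageReaderAafPassword'),
    'sdc': ('sdcUsername', 'sdcPassword'),
    'osdfPlacement': ('osdfPlacementUsername', 'osdfPlacementPassword'),
    'osdfPlacementSO': ('osdfPlacementSOUsername', 'osdfPlacementSOPassword'),
    'osdfPlacementVFC': ('osdfPlacementVFCUsername', 'osdfPlacementVFCPassword'),
    'osdfCMScheduler': ('osdfCMSchedulerUsername', 'osdfCMSchedulerPassword'),
    'configDb': ('configDbUserName', 'configDbPassword'),
    'pciHMS': ('pciHMSUsername', 'pciHMSPassword'),
    'osdfPCIOpt': ('osdfPCIOptUsername', 'osdfPCIOptPassword'),
}


def load_secrets():
    """Copy the credentials held in SMS into osdf_config.deployment.

    Raises:
        KeyError: a secret listed in _SECRET_CONFIG_KEYS is missing from SMS
            or lacks a UserName/Password field; the message names the secret.
    """
    config = osdf_config.deployment
    secret_dict = retrieve_secrets()
    for secret_name, (user_key, password_key) in _SECRET_CONFIG_KEYS.items():
        try:
            values = secret_dict[secret_name]
            config[user_key] = values['UserName']
            config[password_key] = values['Password']
        except KeyError as err:
            # Name the secret so a bad preload is diagnosable without querying SMS.
            raise KeyError("SMS secret '{}' unavailable or incomplete: missing {}"
                           .format(secret_name, err)) from err
```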
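Review bot: The commented-out `sms.load_secrets()` sits before the `if not opts.local and not opts.devtest` branch, so once it is uncommented it will also run in local and devtest mode, where an SMS instance is presumably not reachable and the call would abort startup. Placing it inside the normal-deployment branch keeps the dev paths working: `if not opts.local and not opts.devtest:  # normal deployment` / `    sms.load_secrets()` / `    app.run(port=internal_port, debug=False, **common_app_opts)`. The hunk does not show whether `sms` is imported in osdfapp.py; that needs checking before the line is enabled. The `if __name__ == "__main__":` block starts before this hunk and continues past it.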
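Review bot: The rewritten docstring line `''' NOTE: preload_secret during the deployment using a preload script.` is a sentence fragment now that the uuid explanation was cut, and it names preload_secret while the function under test is preload_secrets. Something like `''' NOTE: In a real deployment preload_secrets is run by a preload script.` keeps the meaning and reads as a sentence, with the existing second line unchanged. test_sms continues past this hunk.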
@@ -53,7 +50,8 @@ class TestSMS(unittest.TestCase):
 # Mock requests for preload_secret
 cd_url = self.base_domain_url.format(sms_url)
 domain_uuid1 = str(uuid4())
- s_url = self.secret_url.format(sms_url, domain_uuid1)
+ domain_name = self.config['secret_domain']
+ s_url = self.secret_url.format(sms_url, domain_name)
 mock_sms.post(cd_url, status_code=200, json={'uuid': domain_uuid1})
 mock_sms.post(s_url, status_code=200)
 # Initialize Secrets from SMS
@@ -61,13 +59,9 @@ class TestSMS(unittest.TestCase):
 # Part 2: Retrieve Secret Test
 # Mock requests for retrieve_secrets
- # IMPORTANT: Read the config again as the preload_secrets has
- # updated the config with uuid
- domain_uuid2 = self.config["secret_domain"]
- self.assertEqual(domain_uuid1, domain_uuid2)
- d_url = self.domain_url.format(sms_url, domain_uuid2)
- s_url = self.secret_url.format(sms_url, domain_uuid2)
+ d_url = self.domain_url.format(sms_url, domain_name)
+ s_url = self.secret_url.format(sms_url, domain_name)
 # Retrieve Secrets from SMS and load to secret cache
 # Use the secret_cache instead of config files
-- 
cgit 1.2.3-korg
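Review bot: The two context comments closing this hunk, `# Retrieve Secrets from SMS and load to secret cache` and `# Use the secret_cache instead of config files`, describe the module-level secret_cache that this same commit removes from osdf/adapters/aaf/sms.py, so they are now stale; the sms.py hunk shows retrieve_secrets returning the dict directly (`return secret_dict`). Replacing them with `# Retrieve secrets from SMS; retrieve_secrets returns them as a dict` would match the new code. With the assertEqual on the domain uuid gone, the only check that the domain name is used in the secret URL is requests_mock matching `s_url`, which is implicit; an explicit assertion on the mocked request history would make the intent of the hunk visible. The retrieve part of test_sms continues past this hunk.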