Retrieve secrets using Secret Management Service 38/70038/1
authorDileep Ranganathan <dileep.ranganathan@intel.com>
Mon, 8 Oct 2018 22:34:56 +0000 (15:34 -0700)
committerDileep Ranganathan <dileep.ranganathan@intel.com>
Mon, 8 Oct 2018 22:34:56 +0000 (15:34 -0700)
Integrate with HAS by retrieving stored secrets using SMS
Application code remains intact as the secrets are preloaded
and stored in config. During startup the conf will be set with
retrieved secrets. The configs in clear text will be deprecated
eventually. OOM needs to load aaf-sms and preload secrets
before oof deployment.

Updated to use domain name instead of domain uuid.

Change-Id: I902b18c0cf080316f9a251e61387b67756198cc2
Issue-ID: OPTFRA-343
Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
conductor.conf
conductor/conductor/common/sms.py
conductor/conductor/service.py
conductor/conductor/tests/unit/test_sms.py
conductor/requirements.txt
preload_secrets.yaml

index d40b7b7..18dad13 100755 (executable)
@@ -173,8 +173,7 @@ aaf_url = http://aaf-service:8100/authz/perms/user/
 # be False and the server certis not verified by the client. (string value)
 #aaf_ca_certs = AAF_RootCA.cer
 
-# Domain UUID - A unique UUID generated when the domainfor HAS is created by
-# administrator during deployment (string value)
+# Domain Name for HAS
 #secret_domain = has
 
 
index 43b9522..ace2e68 100644 (file)
@@ -23,6 +23,12 @@ from onapsmsclient import Client
 
 from oslo_config import cfg
 from oslo_log import log
+import conductor.data.plugins.inventory_provider.aai
+import conductor.api.controllers.v1.plans
+import conductor.common.music.api
+import conductor.data.plugins.service_controller.sdnc
+
+
 
 LOG = log.getLogger(__name__)
 
@@ -43,8 +49,7 @@ AAF_SMS_OPTS = [
                     'is not verified by the client.'),
     cfg.StrOpt('secret_domain',
                default='has',
-               help='Domain UUID - A unique UUID generated when the domain'
-                    'for HAS is created by administrator during deployment')
+               help='Domain Name for HAS')
 ]
 
 CONF.register_opts(AAF_SMS_OPTS, group='aaf_sms')
@@ -52,8 +57,6 @@ config_spec = {
     "preload_secrets": "../preload_secrets.yaml"
 }
 
-secret_cache = {}
-
 
 def preload_secrets():
     """ This is intended to load the secrets required for testing Application
@@ -67,8 +70,8 @@ def preload_secrets():
     timeout = config.aaf_sms_timeout
     cacert = config.aaf_ca_certs
     sms_client = Client(url=sms_url, timeout=timeout, cacert=cacert)
-    domain = sms_client.createDomain(domain)
-    config.secret_domain = domain  # uuid
+    domain_uuid = sms_client.createDomain(domain)
+    LOG.debug("Created domain {} with uuid {}".format(domain, domain_uuid))
     secrets = preload_config.get("secrets")
     for secret in secrets:
         sms_client.storeSecret(domain, secret.get('name'),
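Review bot: The new debug line formats eagerly with `str.format`; the logging idiom the rest of oslo_log users follow is lazy argument passing, `LOG.debug("Created domain %s with uuid %s", domain, domain_uuid)`, so the string is only built when DEBUG is enabled. After this change `domain_uuid` is used for nothing but that log line, because `storeSecret` and the later calls are keyed by the domain name, which is fine but worth stating in a one-line comment so nobody reintroduces the uuid into config. `preload_secrets()` begins above this hunk, so the origin of `domain` and `preload_config` is not visible here.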
@@ -93,6 +96,20 @@ def retrieve_secrets():
     return secret_dict
 
 
+def load_secrets():
+    config = CONF
+    secret_dict = retrieve_secrets()
+    config.aai.username = secret_dict['aai']['username']
+    config.aai.password = secret_dict['aai']['password']
+    config.conductor_api.username = secret_dict['conductor_api']['username']
+    config.conductor_api.password = secret_dict['conductor_api']['password']
+    config.music_api.aafuser = secret_dict['music_api']['aafuser']
+    config.music_api.aafpass = secret_dict['music_api']['aafpass']
+    config.music_api.aafns = secret_dict['music_api']['aafns']
+    config.sdnc.username = secret_dict['sdnc']['username']
+    config.sdnc.password = secret_dict['sdnc']['password']
+
+
 def delete_secrets():
     """ This is intended to delete the secrets for a clean initialization for
         testing Application. Actual deployment will have a preload script.
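Review bot: `load_secrets()` pushes the retrieved values into oslo.config by plain attribute assignment (`config.aai.username = ...`), which is not a supported way to change option values: `CONF.aai` is a `GroupAttr` served from the ConfigOpts internal cache, so the assignment only sticks for as long as that cached object lives and, as far as I can tell, is lost on any cache clear (`set_override`, `reload_config_files`, `clear`). The supported API is `CONF.set_override('username', value, group='aai')`, which also fails fast with `NoSuchOptError` if the group is not registered. The function also has no docstring and indexes `secret_dict['aai']['username']` directly, so a secret missing from SMS surfaces as a bare `KeyError` with no hint that SMS preload is incomplete; the rewrite below keeps the same behaviour for the happy path but uses `set_override` and names the missing secret in the error.
```python
def load_secrets():
    """Overlay credentials fetched from SMS onto the already-registered
    oslo.config option groups, replacing the clear-text values from
    conductor.conf. Requires the aai/conductor_api/music_api/sdnc groups
    to be registered before it runs.

    Raises KeyError naming the missing SMS secret or key.
    """
    secret_dict = retrieve_secrets()
    overlays = {
        'aai': ('username', 'password'),
        'conductor_api': ('username', 'password'),
        'music_api': ('aafuser', 'aafpass', 'aafns'),
        'sdnc': ('username', 'password'),
    }
    for group, keys in overlays.items():
        try:
            values = secret_dict[group]
        except KeyError:
            raise KeyError("SMS secret '{}' not found in domain '{}'".format(
                group, CONF.aaf_sms.secret_domain))
        for key in keys:
            try:
                CONF.set_override(key, values[key], group=group)
            except KeyError:
                raise KeyError("SMS secret '{}' has no key '{}'".format(group, key))
```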
index df5bffc..982123c 100644 (file)
@@ -20,6 +20,7 @@
 import sys
 
 # from keystoneauth1 import loading as ka_loading
+from conductor.common import sms
 from oslo_config import cfg
 import oslo_i18n
 from oslo_log import log
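Review bot: `from conductor.common import sms` is added but its only use, `sms.load_secrets()` in the second hunk of this file, is commented out behind a TODO, so the import is dead code that still runs at `conductor.service` import time and, through the new side-effect imports in `sms.py`, drags the API controllers and data plugins into every process that prepares the service. Either land the import together with the call when the Helm preload is available, or move it next to the call as a local import so the dependency is inert until then; the TODO comment should then also say what is expected to change, e.g. `# TODO(Dileep): enable once OOM preloads secrets into SMS (aaf-sms) before OOF deploys`. It is also placed inside the third-party group, ahead of `oslo_config`, whereas a local `conductor` import belongs in its own group after the third-party imports.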
@@ -107,4 +108,6 @@ def prepare_service(argv=None, config_files=None):
     if argv:
         gmr.TextGuruMeditation.setup_autorun(version)
     messaging.setup()
+    # TODO(Dileep): Uncomment once Helm charts to preload secrets available
+    # sms.load_secrets()
     return conf
index b04111e..77c06b8 100644 (file)
@@ -35,10 +35,7 @@ class TestSMS(unittest.TestCase):
 
     @requests_mock.mock()
     def test_sms(self, mock_sms):
-        ''' NOTE: preload_secret generate the uuid for the domain
-                  Create Domain API is called during the deployment using a
-                  preload script. So the application oly knows the domain_uuid.
-                  All sub-sequent SMS API calls needs the uuid.
+        ''' NOTE: preload_secret during the deployment using a preload script.
                   For test purposes we need to do preload ourselves'''
         sms_url = self.config.aaf_sms_url
 
@@ -53,7 +50,8 @@ class TestSMS(unittest.TestCase):
         # Mock requests for preload_secret
         cd_url = self.base_domain_url.format(sms_url)
         domain_uuid1 = str(uuid4())
-        s_url = self.secret_url.format(sms_url, domain_uuid1)
+        domain_name = self.config.secret_domain
+        s_url = self.secret_url.format(sms_url, domain_name)
         mock_sms.post(cd_url, status_code=200, json={'uuid': domain_uuid1})
         mock_sms.post(s_url, status_code=200)
         # Initialize Secrets from SMS
@@ -61,13 +59,9 @@ class TestSMS(unittest.TestCase):
 
         # Part 2: Retrieve Secret Test
         # Mock requests for retrieve_secrets
-        # IMPORTANT: Read the config again as the preload_secrets has
-        # updated the config with uuid
-        domain_uuid2 = self.config.secret_domain
-        self.assertEqual(domain_uuid1, domain_uuid2)
 
-        d_url = self.domain_url.format(sms_url, domain_uuid2)
-        s_url = self.secret_url.format(sms_url, domain_uuid2)
+        d_url = self.domain_url.format(sms_url, domain_name)
+        s_url = self.secret_url.format(sms_url, domain_name)
 
         # Retrieve Secrets from SMS and load to secret cache
         # Use the secret_cache instead of config files
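Review bot: The comment `# Use the secret_cache instead of config files` at the end of this hunk now describes something that this commit removes: `secret_cache` is deleted from `sms.py`, and the retrieved values are meant to land in CONF via `load_secrets()` instead, so the comment should read along the lines of `# Retrieve Secrets from SMS; load_secrets() overlays them onto CONF`. Dropping the `assertEqual(domain_uuid1, domain_uuid2)` also removes the only check that tied the preload and retrieve paths together; now that both use the fixed `domain_name`, an assertion that the mocked `s_url`/`d_url` were actually requested would restore that coverage. The test method continues beyond this hunk, so I cannot see which assertions remain.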
index 52ed4ed..d6d413d 100644 (file)
@@ -23,6 +23,6 @@ requests[security]!=2.9.0,>=2.8.1 # Apache-2.0
 six>=1.9.0 # MIT, also required by futurist
 stevedore>=1.9.0 # Apache-2.0, also required by oslo.config
 WebOb>=1.2.3 # MIT
-onapsmsclient>=0.0.3
+onapsmsclient>=0.0.4
 Flask>=0.11.1
 prometheus-client>=0.3.1
\ No newline at end of file
index 65a814a..1642308 100755 (executable)
@@ -5,17 +5,18 @@ domain: has
 secrets:
 - name: aai
   values:
-    UserName: OOF
-    Password: OOF
+    username: OOF
+    password: OOF
 - name: conductor_api
   values:
-    UserName: admin1
-    Password: plan.15
+    username: admin1
+    password: plan.15
 - name: sdnc
   values:
-    UserName: admin
-    Password: sdnc.15
+    username: admin
+    password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
 - name: music_api
   values:
-    UserName: conductor
-    Password: c0nduct0r
+    aafuser: conductor
+    aafpass: c0nduct0r
+    aafns: conductor
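Review bot: The new sdnc `password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U` has the shape of a real high-entropy credential, unlike the obvious placeholders used by the neighbouring entries (`OOF`, `plan.15`, `c0nduct0r`); once committed to a public repository history it must be treated as disclosed and rotated wherever it is in use, regardless of whether this file only seeds test or dev deployments. Keep this file to clearly fake values, e.g. `password: sdnc-preload-placeholder`, and inject the real ones at deploy time through the OOM preload path the commit message describes. The key renames (`username`/`password`, and `aafuser`/`aafpass`/`aafns` for music_api) are coupled to the literal keys `load_secrets()` indexes in `sms.py`; a comment above `secrets:` naming that coupling would save the next editor from silently breaking startup.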