--- /dev/null
+# Conductor API WSGI Pipeline
+# Define the filters that make up the pipeline for processing WSGI requests
+# Note: This pipeline is PasteDeploy's term rather than Conductor's pipeline
+# used for processing samples
+
+# Remove authtoken from the pipeline if you don't want to use keystone authentication
+[pipeline:main]
+pipeline = cors http_proxy_to_wsgi api-server
+#pipeline = cors http_proxy_to_wsgi request_id authtoken api-server
+
+[app:api-server]
+paste.app_factory = conductor.api.app:app_factory
+
+#[filter:authtoken]
+#paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+#[filter:request_id]
+#paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = conductor
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+oslo_config_project = conductor
#fatal_deprecations = false
+[auth]
+aapkey = h@ss3crtky400fdntc#001
+
[aaf_api]
#
from conductor.common import rest
from conductor.i18n import _LE, _LI
-from conductor import __file__ as conductor_root
+from conductor.common.utils import cipherUtils
from oslo_log import log
LOG = log.getLogger(__name__)
def authenticate(uid, passwd):
aafUser = None
username = CONF.conductor_api.username
- password = CONF.conductor_api.password
+ password = cipherUtils.AESCipher.get_instance().decrypt(CONF.conductor_api.password)
if username == uid and password == passwd:
aafUser = CONF.aaf_api.aaf_conductor_user
else:
"server_url": server_url,
"retries": CONF.aaf_api.aaf_retries,
"username": CONF.aaf_api.username,
- "password": CONF.aaf_api.password,
+ "password": cipherUtils.AESCipher.get_instance().decrypt(CONF.aaf_api.password),
"log_debug": LOG.debug,
"read_timeout": CONF.aaf_api.aaf_timeout,
"cert_file": CONF.aaf_api.aaf_cert_file,
--- /dev/null
+#
+# -------------------------------------------------------------------------
+# Copyright (c) 2015-2018 AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# -------------------------------------------------------------------------
+#
+
+import sys
+from conductor.common.utils import cipherUtils
+
+
+def main():
+
+ if len(sys.argv) != 4:
+ print("Invalid input - usage --> (options(encrypt/decrypt) input-value with-key)")
+ return
+
+ enc_dec = sys.argv[1]
+ valid_option_values = ['encrypt', 'decrypt']
+ if enc_dec not in valid_option_values:
+ print("Invalid input - usage --> (options(encrypt/decrypt) input-value with-key)")
+ print("Option value can only be one of {}".format(valid_option_values))
+ print("You entered '{}'".format(enc_dec))
+ return
+
+ input_string = sys.argv[2]
+ with_key = sys.argv[3]
+
+ print("You've requested '{}' to be '{}ed' using key '{}'".format(input_string, enc_dec, with_key))
+ print("You can always perform the reverse operation (encrypt/decrypt) using the same key"
+ "to be certain you get the same results back'")
+
+ util = cipherUtils.AESCipher.get_instance(with_key)
+ #util = CipherUtil.AESCipher(with_key)
+
+ if enc_dec.lower() == 'encrypt':
+ result = util.encrypt(input_string)
+ else:
+ result = util.decrypt(input_string)
+
+ print("Your result: {}".format(result))
+
from conductor.common import rest
from conductor.common.utils import basic_auth_util
from conductor.i18n import _LE, _LI # pylint: disable=W0212
+from conductor.common.utils import cipherUtils
LOG = log.getLogger(__name__)
}
self.rest = rest.REST(**kwargs)
+ music_pwd = cipherUtils.AESCipher.get_instance().decrypt(CONF.music_api.aafpass)
# Set one parameter for connection mode
# Currently depend on music version
- if (CONF.music_api.enable_https_mode):
+ if CONF.music_api.enable_https_mode:
self.rest.server_url = 'https://{}:{}/{}'.format(
host, port, version, path.rstrip('/').lstrip('/'))
self.rest.session.verify = CONF.music_api.certificate_authority_bundle_file
- if(CONF.music_api.music_new_version):
- MUSIC_version = CONF.music_api.music_version.split(".")
+ if CONF.music_api.music_new_version:
+ music_version = CONF.music_api.music_version.split(".")
self.rest.session.headers['content-type'] = 'application/json'
- self.rest.session.headers['X-minorVersion'] = MUSIC_version[1]
- self.rest.session.headers['X-patchVersion'] = MUSIC_version[2]
+ self.rest.session.headers['X-minorVersion'] = music_version[1]
+ self.rest.session.headers['X-patchVersion'] = music_version[2]
self.rest.session.headers['ns'] = CONF.music_api.aafns
self.rest.session.headers['userId'] = CONF.music_api.aafuser
- self.rest.session.headers['password'] = CONF.music_api.aafpass
+ self.rest.session.headers['password'] = music_pwd
self.rest.session.headers['Authorization'] = basic_auth_util.encode(CONF.music_api.aafuser,
CONF.music_api.aafpass)
def encode(user_id, password):
""" Provide the basic authencation encoded value in an 'Authorization' Header """
- user_pass = user_id + ':' + password
+ user_pass = str(user_id) + ":" + str(password)
base64_val = base64.b64encode(user_pass)
authorization_val = _LE("Basic {}".format(base64_val))
--- /dev/null
+#
+# -------------------------------------------------------------------------
+# Copyright (c) 2015-2017 AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# -------------------------------------------------------------------------
+#
+
+import base64
+import hashlib
+from Crypto import Random
+from Crypto.Cipher import AES
+from oslo_config import cfg
+
+CONF = cfg.CONF
+
+cipher_opts = [
+ cfg.StrOpt('appkey',
+ default='ch00se@g003ntropy',
+ help='Master key to secure other secrets')
+]
+
+CONF.register_opts(cipher_opts, group='auth')
+
+
+class AESCipher(object):
+ __instance = None
+
+ @staticmethod
+ def get_instance(key = None):
+ if AESCipher.__instance is None:
+ print ('Creating the singleton instance')
+ AESCipher(key)
+ return AESCipher.__instance
+
+ def __init__(self, key=None):
+ if AESCipher.__instance is not None:
+ raise Exception("This class is a singleton!")
+ else:
+ AESCipher.__instance = self
+
+ self.bs = 32
+ if key is None:
+ key = CONF.auth.appkey.encode()
+
+ self.key = hashlib.sha256(key.encode()).digest()
+
+ def encrypt(self, raw):
+ raw = self._pad(raw)
+ iv = Random.new().read(AES.block_size)
+ cipher = AES.new(self.key, AES.MODE_CBC, iv)
+ return base64.b64encode(iv + cipher.encrypt(raw))
+
+ def decrypt(self, enc):
+ enc = base64.b64decode(enc)
+ iv = enc[:AES.block_size]
+ cipher = AES.new(self.key, AES.MODE_CBC, iv)
+ return self._unpad(cipher.decrypt(enc[AES.block_size:])).decode('utf-8')
+
+ def _pad(self, s):
+ return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+
+ @staticmethod
+ def _unpad(s):
+ return s[:-ord(s[len(s)-1:])]
+
import copy
import json
-from oslo_config import cfg
-from oslo_log import log
from conductor.common import rest
from conductor.data.plugins import constants
+from conductor.common.utils import cipherUtils
from conductor.data.plugins.inventory_provider import base
from conductor.data.plugins.inventory_provider import hpa_utils
from conductor.data.plugins.triage_translator.triage_translator import TraigeTranslator
self.timeout = self.conf.aai.aai_rest_timeout
self.retries = self.conf.aai.aai_retries
self.username = self.conf.aai.username
- self.password = self.conf.aai.password
+ self.password = cipherUtils.AESCipher.get_instance().decrypt(self.conf.aai.password)
self.triage_translator=TraigeTranslator()
# Cache is initially empty
from oslo_log import log
from conductor.common import rest
+from conductor.common.utils import cipherUtils
from conductor.data.plugins.service_controller import base
from conductor.i18n import _LE
self.conf = CONF
self.base = self.conf.sdnc.server_url.rstrip('/')
- self.password = self.conf.sdnc.password
+ self.password = cipherUtils.AESCipher.get_instance().decrypt(self.conf.sdnc.password)
self.timeout = self.conf.sdnc.sdnc_rest_timeout
self.verify = False
self.retries = self.conf.sdnc.sdnc_retries
"read_timeout": self.timeout,
}
self.rest = rest.REST(**kwargs)
- if(self.conf.multicloud.enable_https_mode):
+ if self.conf.multicloud.enable_https_mode:
self.rest.server_url = self.base[:4]+'s'+self.base[4:]
self.rest.session.verify =self.conf.multicloud.certificate_authority_bundle_file
class TestAAI(unittest.TestCase):
def setUp(self):
-
+ cfg.CONF.set_override('password', '4HyU6sI+Tw0YMXgSHr5sJ5C0UTkeBaxXoxQqWuSVFugls7sQnaAXp4zMfJ8FKFrH', 'aai')
CONF = cfg.CONF
CONF.register_opts(aai.AAI_OPTS, group='aai')
self.conf = CONF
from conductor.common.music.api import MusicAPI
from oslo_config import cfg
-
class TestMusicApi(unittest.TestCase):
def setUp(self):
cfg.CONF.set_override('debug', True, 'music_api')
cfg.CONF.set_override('certificate_authority_bundle_file', '../AAF_RootCA.cer', 'music_api')
+ cfg.CONF.set_override('aafpass', 'U5AudaTTC/DYQ29Q7qiXx/iwsgwV+dV7v7/Q5TDBh1URPwqAGECnbVmUkOynLjTY', 'music_api')
self.mock_lock_id = mock.patch.object(MusicAPI, '_lock_id_create',
return_value='12345678')
self.mock_lock_acquire = mock.patch.object(MusicAPI,
WebOb>=1.2.3 # MIT
onapsmsclient>=0.0.4
Flask>=0.11.1
-prometheus-client>=0.3.1
\ No newline at end of file
+prometheus-client>=0.3.1
+pycrypto==2.6.1
conductor-data = conductor.cmd.data:main
conductor-solver = conductor.cmd.solver:main
conductor-reservation = conductor.cmd.reservation:main
+ cipher-util = conductor.cmd.encryptionUtil:main
conductor.inventory_provider.plugin =
aai = conductor.data.plugins.inventory_provider.aai:AAI
- name: aai
values:
username: oof@oof.onap.org
- password: demo123456!
+ password: 4HyU6sI+Tw0YMXgSHr5sJ5C0UTkeBaxXoxQqWuSVFugls7sQnaAXp4zMfJ8FKFrH
- name: conductor_api
values:
username: admin1
- password: plan.15
+ password: /90ON7wZM2SfItrVXix57TpCyMMR/EUxrhE9Vbo62yJyNfcrpEfsYEZKqTOXHmkn
- name: sdnc
values:
username: admin
- password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+ password: jI4D86X3lZIZILHLpHIWVsJeYODWpcEHlkfswE3pHF0UKjwp36euiwILMyV1jmyNjFF37we3n9VKZFc2UYO6Xsrfe2wBfwhod9Ft4rZEqFo
- name: music_api
values:
aafuser: conductor
- aafpass: c0nduct0r
+ aafpass: U5AudaTTC/DYQ29Q7qiXx/iwsgwV+dV7v7/Q5TDBh1URPwqAGECnbVmUkOynLjTY
aafns: conductor
- name: aaf_api
values:
username: aaf_admin@people.osaaf.org
- password: demo123456!
+ password: IE4lBg4NmcIikB7RLjnXbyVeU2jxuKUWqX1ZfEzCcBAe0wDV87xFGTYTNoTzptXn
aaf_conductor_user: oof@oof.onap.org
Code Review / optf / has.git / commitdiff