From 8c1c99dfc4a42ff8e438a13858c95340a0f677c7 Mon Sep 17 00:00:00 2001 From: Marco Platania Date: Wed, 5 Sep 2018 14:26:34 -0400 Subject: [PATCH] Remove plain OpenStack pwd from Heat - Replace plain OpenStack password with its encrypted version - Update SO install/init script to skip key encryption (will be done by user) - Provide a script that encrypts the plain OpenStack password Change-Id: Ifb7010ab8720ca92119c65484d05f5cfacf023cb Issue-ID: INT-646 Signed-off-by: Marco Platania --- heat/ONAP/cloud-config/so_install.sh | 6 +++--- heat/ONAP/cloud-config/so_vm_init.sh | 3 ++- heat/ONAP/onap_openstack.env | 4 +--- heat/ONAP/onap_openstack.yaml | 8 ++------ heat/ONAP/onap_openstack_template.env | 4 +--- heat/ONAP/openstack_encrypted_key.sh | 17 +++++++++++++++++ 6 files changed, 26 insertions(+), 16 deletions(-) create mode 100755 heat/ONAP/openstack_encrypted_key.sh diff --git a/heat/ONAP/cloud-config/so_install.sh b/heat/ONAP/cloud-config/so_install.sh index 3a8f3fc2..36c7c8cb 100644 --- a/heat/ONAP/cloud-config/so_install.sh +++ b/heat/ONAP/cloud-config/so_install.sh @@ -1,7 +1,7 @@ #!/bin/bash # Read configuration files -OPENSTACK_API_KEY=$(cat /opt/config/openstack_api_key.txt) +#OPENSTACK_API_KEY=$(cat /opt/config/openstack_api_key.txt) GERRIT_BRANCH=$(cat /opt/config/gerrit_branch.txt) CODE_REPO=$(cat /opt/config/remote_repo.txt) HTTP_PROXY=$(cat /opt/config/http_proxy.txt) @@ -16,7 +16,7 @@ fi # Clone Gerrit repository and run docker containers. cd /opt git clone -b $GERRIT_BRANCH --single-branch $CODE_REPO test_lab -SO_ENCRYPTION_KEY=$(cat /opt/test_lab/encryption.key) -echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p > /opt/config/api_key.txt +#SO_ENCRYPTION_KEY=$(cat /opt/test_lab/encryption.key) +#echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p > /opt/config/api_key.txt ./so_vm_init.sh 
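Review bot: The lines this patch disables in so_install.sh are left behind as commented-out code: `#OPENSTACK_API_KEY=...` in the first hunk, `#SO_ENCRYPTION_KEY=...` and the `#echo -n ... | openssl aes-128-ecb ...` pipeline in the second, and likewise `#OPENSTACK_APIKEY=$(cat /opt/config/api_key.txt)` in so_vm_init.sh. I would delete them outright, since version control keeps the history and a dormant encryption pipeline invites someone to re-enable it against a value that is now already encrypted. If a pointer is wanted, a single comment such as `# openstack_api_key.txt already holds the encrypted value (see heat/ONAP/openstack_encrypted_key.sh)` says more than the dead code. Both scripts continue outside these hunks.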
diff --git a/heat/ONAP/cloud-config/so_vm_init.sh b/heat/ONAP/cloud-config/so_vm_init.sh index fb19d1a3..1acf2eb0 100644 --- a/heat/ONAP/cloud-config/so_vm_init.sh +++ b/heat/ONAP/cloud-config/so_vm_init.sh @@ -5,7 +5,8 @@ NEXUS_PASSWD=$(cat /opt/config/nexus_password.txt) NEXUS_DOCKER_REPO=$(cat /opt/config/nexus_docker_repo.txt) DMAAP_TOPIC=$(cat /opt/config/dmaap_topic.txt) OPENSTACK_USERNAME=$(cat /opt/config/openstack_username.txt) -OPENSTACK_APIKEY=$(cat /opt/config/api_key.txt) +#OPENSTACK_APIKEY=$(cat /opt/config/api_key.txt) +OPENSTACK_APIKEY=$(cat /opt/config/openstack_api_key.txt) export MSO_DOCKER_IMAGE_VERSION=$(cat /opt/config/docker_version.txt) export MTU=$(/sbin/ifconfig | grep MTU | sed 's/.*MTU://' | sed 's/ .*//' | sort -n | head -1) diff --git a/heat/ONAP/onap_openstack.env b/heat/ONAP/onap_openstack.env index b9fc2e6c..c373317d 100644 --- a/heat/ONAP/onap_openstack.env +++ b/heat/ONAP/onap_openstack.env @@ -44,9 +44,7 @@ parameters: openstack_username: PUT YOUR OPENSTACK USERNAME HERE - openstack_api_key: PUT YOUR OPENSTACK PASSWORD HERE - - openstack_auth_method: password + openstack_api_key: PUT YOUR ENCRYPTED OPENSTACK PASSWORD HERE openstack_region: RegionOne diff --git a/heat/ONAP/onap_openstack.yaml b/heat/ONAP/onap_openstack.yaml index 65fe4fdc..d836b78e 100644 --- a/heat/ONAP/onap_openstack.yaml +++ b/heat/ONAP/onap_openstack.yaml @@ -3,7 +3,7 @@ #==================LICENSE_START========================================== # # -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
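Review bot: `OPENSTACK_APIKEY=$(cat /opt/config/openstack_api_key.txt)` now passes through whatever the Heat parameter contained, so a deployer who still supplies the plain password gets no error at this point. Because the helper script emits `xxd -p` output of AES blocks, the value should presumably be lowercase hex in multiples of 32 characters. A guard right after the assignment would catch the mistake early without printing the value, e.g. `[[ "$OPENSTACK_APIKEY" =~ ^([0-9a-f]{32})+$ ]] || { echo "openstack_api_key is not an encrypted value" >&2; exit 1; }`. The rest of the script lies outside the hunk, so how the value is consumed is not visible here.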
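Review bot: The new placeholder `PUT YOUR ENCRYPTED OPENSTACK PASSWORD HERE` does not say how the value is produced or that it remains sensitive. I would add a comment above the parameter, e.g. `# Output of ./openstack_encrypted_key.sh <password>; still a credential, do not share or commit this file`. The same applies to onap_openstack_template.env, which receives the identical change.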
@@ -121,13 +121,9 @@ parameters: type: string description: OpenStack username - openstack_auth_method: - type: string - description: OpenStack authentication method (password VS. api-key) - openstack_api_key: type: string - description: OpenStack password or API Key + description: Encrypted OpenStack password keystone_url: type: string diff --git a/heat/ONAP/onap_openstack_template.env b/heat/ONAP/onap_openstack_template.env index af560124..13ed5071 100644 --- a/heat/ONAP/onap_openstack_template.env +++ b/heat/ONAP/onap_openstack_template.env @@ -44,9 +44,7 @@ parameters: openstack_username: PUT YOUR OPENSTACK USERNAME HERE - openstack_api_key: PUT YOUR OPENSTACK PASSWORD HERE - - openstack_auth_method: password + openstack_api_key: PUT YOUR ENCRYPTED OPENSTACK PASSWORD HERE openstack_region: RegionOne diff --git a/heat/ONAP/openstack_encrypted_key.sh b/heat/ONAP/openstack_encrypted_key.sh new file mode 100755 index 00000000..20910fa3 --- /dev/null +++ b/heat/ONAP/openstack_encrypted_key.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +usage () { + echo "Usage:" + echo " ./$(basename $0) your_openstack_password" + exit 1 +} + +if [ "$#" -ne 1 ]; then + echo "Wrong number of input parameters" + usage +fi + +SO_ENCRYPTION_KEY=aa3871669d893c7fb8abbcda31b88b4f +OPENSTACK_API_KEY=$1 + +echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p -- 2.16.6
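Review bot: The `openstack_api_key` parameter still declares only `type` and `description`, so Heat will display its value to anyone who can list the stack's parameters. The value is ciphertext under a key that ships in this repository, which makes it equivalent to the password for such a reader; adding `hidden: true` to the parameter keeps it out of that output. Separately, dropping `openstack_auth_method` is only safe if no `get_param: openstack_auth_method` remains further down the template, which this hunk does not show.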
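Review bot: Taking the password from `$1` puts it into the shell history and the process list of the machine where openstack_encrypted_key.sh is run. The AES key is also hard-coded in `SO_ENCRYPTION_KEY=` inside a published repository, so the hex output is reversible by any reader and should be described as obfuscation, not protection. I would prompt for the password without echo instead of reading argv, quote the expansions, and add a header comment saying the output must be handled like the password itself. That comment should also note that the key has to match the one SO decrypts with; the removed code read it from `/opt/test_lab/encryption.key`, and whether the two are identical is not visible here. The text printed by `usage` would need adjusting to match.

```shell
# … unchanged: shebang and usage() …

# The password is read from the terminal, not from argv, so it does not end up
# in shell history or in the process list.
if [ "$#" -ne 0 ]; then
  echo "Wrong number of input parameters" >&2
  usage
fi

IFS= read -r -s -p "OpenStack password: " OPENSTACK_API_KEY
echo >&2

# … unchanged: SO_ENCRYPTION_KEY assignment …

# NOTE: the key above is public; treat the hex string printed below as a secret.
printf '%s' "$OPENSTACK_API_KEY" \
  | openssl aes-128-ecb -e -K "$SO_ENCRYPTION_KEY" -nosalt \
  | xxd -c 256 -p
```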