Retrieve secrets using Secret Management Service 03/70003/2
authorDileep Ranganathan <dileep.ranganathan@intel.com>
Thu, 27 Sep 2018 15:06:26 +0000 (08:06 -0700)
committerDileep Ranganathan <dileep.ranganathan@intel.com>
Mon, 8 Oct 2018 10:21:43 +0000 (03:21 -0700)
Integrate with OSDF by retrieving stored secrets using SMS
Application code remains intact as the secrets are preloaded
and stored in config. The configs in clear text will be deprecated
eventually. OOM needs to load aaf-sms and preload secrets
before oof deployment.

Updated to use domain name instead of domain uuid.

Change-Id: I88a3c3dd2ad87753cc056fb63c8bbabd546707ab
Issue-ID: OPTFRA-343
Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
assembly.xml
config/osdf_config.yaml
config/preload_secrets.yaml
osdf/adapters/aaf/sms.py
osdfapp.py
requirements.txt
test/adapters/test_sms.py

index d19bdcf..24379d4 100644 (file)
@@ -31,6 +31,7 @@
             </includes>
             <excludes>
                 <exclude>**/*.pyc</exclude>
+                <exclude>config/preload_secrets.yaml</exclude>
             </excludes>
         </fileSet>
     </fileSets>
index c484fb4..b522919 100755 (executable)
@@ -68,7 +68,7 @@ aaf_user_roles:
 # Secret Management Service from AAF
 aaf_sms_url: https://aaf-sms.onap:10443
 aaf_sms_timeout: 30
-secret_domain: osdf #Replace with the UUID
+secret_domain: osdf
 aaf_ca_certs: ssl_certs/aaf_root_ca.cer
 
 # config db api
index 6e877e7..1d2ea01 100755 (executable)
@@ -9,11 +9,11 @@ secrets:
   values:
     UserName: admin1
     Password: plan.15
-- name: policy_platform
+- name: policyPlatform
   values:
     UserName: testpdp
     Password: alpha123
-- name: policy_client
+- name: policyClient
   values:
     UserName: python
     Password: test
@@ -40,4 +40,16 @@ secrets:
 - name: osdfCMScheduler
   values:
     UserName: test1
-    Password: test_pwd1
+    Password: testpwd1
+- name: configDb
+  values:
+    UserName: osdf
+    Password: passwd
+- name: pciHMS
+  values:
+    UserName: ''
+    Password: ''
+- name: osdfPCIOpt
+  values:
+    UserName: pci_test
+    Password: pci_testpwd
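Review bot: The `pciHMS` entry on lines 69-72 stores empty strings for both `UserName` and `Password`, and `load_secrets` in sms.py copies them into the config unchanged, so a deployment that never replaces them starts up cleanly and only fails on the first pciHMS request with an empty credential; a comment on that entry such as `# placeholder - must be set before deployment`, or a startup check that rejects empty values, would surface this earlier. The secret names in this file are hardcoded in `load_secrets`, which is presumably why `policy_platform`/`policy_client` are renamed here; a line above the list, `# names must match the keys read by osdf/adapters/aaf/sms.py load_secrets()`, would keep the two in step when the next secret is added. The assembly.xml change keeps this file out of the packaged artifact, but the clear-text sample values remain in source control, which the commit message already describes as an interim state.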
index 976eb61..9c7af51 100644 (file)
@@ -29,8 +29,6 @@ config_spec = {
     "preload_secrets": "config/preload_secrets.yaml"
 }
 
-secret_cache = {}
-
 
 def preload_secrets():
     """ This is intended to load the secrets required for testing Application
@@ -44,8 +42,9 @@ def preload_secrets():
     timeout = config["aaf_sms_timeout"]
     cacert = config["aaf_ca_certs"]
     sms_client = Client(url=sms_url, timeout=timeout, cacert=cacert)
-    domain = sms_client.createDomain(domain)
-    config["secret_domain"] = domain  # uuid
+    domain_uuid = sms_client.createDomain(domain)
+    debug_log.debug(
+        "Created domain {} with uuid {}".format(domain, domain_uuid))
     secrets = preload_config.get("secrets")
     for secret in secrets:
         sms_client.storeSecret(domain, secret.get('name'),
@@ -70,6 +69,37 @@ def retrieve_secrets():
     return secret_dict
 
 
+def load_secrets():
+    config = osdf_config.deployment
+    secret_dict = retrieve_secrets()
+    config['soUsername'] = secret_dict['so']['UserName']
+    config['soPassword'] = secret_dict['so']['Password']
+    config['conductorUsername'] = secret_dict['conductor']['UserName']
+    config['conductorPassword'] = secret_dict['conductor']['Password']
+    config['policyPlatformUsername'] = secret_dict['policyPlatform']['UserName']
+    config['policyPlatformPassword'] = secret_dict['policyPlatform']['Password']
+    config['policyClientUsername'] = secret_dict['policyClient']['UserName']
+    config['policyClientPassword'] = secret_dict['policyClient']['Password']
+    config['messageReaderAafUserId'] = secret_dict['dmaap']['UserName']
+    config['messageReaderAafPassword'] = secret_dict['dmaap']['Password']
+    config['sdcUsername'] = secret_dict['sdc']['UserName']
+    config['sdcPassword'] = secret_dict['sdc']['Password']
+    config['osdfPlacementUsername'] = secret_dict['osdfPlacement']['UserName']
+    config['osdfPlacementPassword'] = secret_dict['osdfPlacement']['Password']
+    config['osdfPlacementSOUsername'] = secret_dict['osdfPlacementSO']['UserName']
+    config['osdfPlacementSOPassword'] = secret_dict['osdfPlacementSO']['Password']
+    config['osdfPlacementVFCUsername'] = secret_dict['osdfPlacementVFC']['UserName']
+    config['osdfPlacementVFCPassword'] = secret_dict['osdfPlacementVFC']['Password']
+    config['osdfCMSchedulerUsername'] = secret_dict['osdfCMScheduler']['UserName']
+    config['osdfCMSchedulerPassword'] = secret_dict['osdfCMScheduler']['Password']
+    config['configDbUserName'] = secret_dict['configDb']['UserName']
+    config['configDbPassword'] = secret_dict['configDb']['Password']
+    config['pciHMSUsername'] = secret_dict['pciHMS']['UserName']
+    config['pciHMSPassword'] = secret_dict['pciHMS']['Password']
+    config['osdfPCIOptUsername'] = secret_dict['osdfPCIOpt']['UserName']
+    config['osdfPCIOptPassword'] = secret_dict['osdfPCIOpt']['Password']
+
+
 def delete_secrets():
     """ This is intended to delete the secrets for a clean initialization for
         testing Application. Actual deployment will have a preload script.
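Review bot: `load_secrets` (lines 103-131) has no docstring and reads every secret by bare subscripting, so one missing SMS entry aborts startup with a `KeyError` carrying only the key name and nothing saying it came from the SMS preload; a table of secret name to config keys with one loop would make that failure self-describing and replace the 26 near-identical assignments. `configDbUserName` on line 126 breaks the `Username` suffix every other key uses (and `messageReaderAafUserId` on line 114 is a third spelling) — if those are the spellings the consuming clients read, a comment next to the table should say so, otherwise they look like typos. The values are copied into `osdf_config.deployment`, the same mapping the rest of the application reads, so any code path that logs or dumps the deployment config would now include the credentials; the docstring should note that. In the second hunk, `domain_uuid` (line 93) is now used only for the debug message, which is fine provided nothing downstream still expects `config['secret_domain']` to hold the uuid rather than the name.
```python
# SMS secret name -> (config key for UserName, config key for Password).
# Listed explicitly because the existing config keys are not uniform
# ("messageReaderAafUserId", "configDbUserName"); keep the spellings the
# consuming clients already read.
_SECRET_KEYS = {
    'so': ('soUsername', 'soPassword'),
    'conductor': ('conductorUsername', 'conductorPassword'),
    'policyPlatform': ('policyPlatformUsername', 'policyPlatformPassword'),
    'policyClient': ('policyClientUsername', 'policyClientPassword'),
    'dmaap': ('messageReaderAafUserId', 'messageReaderAafPassword'),
    'sdc': ('sdcUsername', 'sdcPassword'),
    'osdfPlacement': ('osdfPlacementUsername', 'osdfPlacementPassword'),
    'osdfPlacementSO': ('osdfPlacementSOUsername', 'osdfPlacementSOPassword'),
    'osdfPlacementVFC': ('osdfPlacementVFCUsername', 'osdfPlacementVFCPassword'),
    'osdfCMScheduler': ('osdfCMSchedulerUsername', 'osdfCMSchedulerPassword'),
    'configDb': ('configDbUserName', 'configDbPassword'),
    'pciHMS': ('pciHMSUsername', 'pciHMSPassword'),
    'osdfPCIOpt': ('osdfPCIOptUsername', 'osdfPCIOptPassword'),
}


def load_secrets():
    """Copy the credentials stored in SMS into the deployment config.

    Every secret named in _SECRET_KEYS must exist in the SMS domain; a
    missing one raises KeyError naming the secret so startup fails fast.
    The values land in osdf_config.deployment, so anything that logs or
    dumps that mapping afterwards will include credentials.
    """
    config = osdf_config.deployment
    secret_dict = retrieve_secrets()
    for name, (user_key, pass_key) in _SECRET_KEYS.items():
        try:
            values = secret_dict[name]
        except KeyError:
            raise KeyError("secret '{}' not found in SMS domain".format(name))
        config[user_key] = values['UserName']
        config[pass_key] = values['Password']
```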
index c28e14c..f43c215 100755 (executable)
@@ -207,6 +207,8 @@ if __name__ == "__main__":
         common_app_opts.update({'ssl_context': tuple(ssl_opts)})
 
     opts = get_options(sys.argv)
+    # TODO(Dileep): Uncomment once Helm charts to preload secrets available
+    # sms.load_secrets()
     if not opts.local and not opts.devtest:  # normal deployment
         app.run(port=internal_port, debug=False, **common_app_opts)
     else:
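Review bot: The stubbed call on line 143 sits before the `opts.local`/`opts.devtest` branch, so once uncommented `sms.load_secrets()` would also run for local and devtest runs, where no SMS may be reachable and `retrieve_secrets` would fail before the app starts; placing it inside the `if not opts.local and not opts.devtest:` branch (or guarding it the same way) matches the commit description, which says OOM preloads the secrets for the real deployment. The TODO should also name the issue that tracks the Helm work so the commented-out call is not forgotten, e.g. `# TODO(Dileep): Uncomment once Helm charts to preload secrets are available (tracked under the Issue-ID of this change)`. As committed, nothing in the service calls `load_secrets`, so the behavior in the title is not yet active. The `__main__` block continues outside the hunk.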
index 2cf5358..0275ab7 100644 (file)
@@ -11,5 +11,5 @@ requests>=2.14.2
 schematics>=2.0.0
 docopt>=0.6.2
 pydevd>=1.0.0
-onapsmsclient>=0.0.3
+onapsmsclient>=0.0.4
 pymzn>=0.17.0
index ed6c9c9..ae9346d 100644 (file)
@@ -35,10 +35,7 @@ class TestSMS(unittest.TestCase):
 
     @requests_mock.mock()
     def test_sms(self, mock_sms):
-        ''' NOTE: preload_secret generate the uuid for the domain
-                  Create Domain API is called during the deployment using a
-                  preload script. So the application oly knows the domain_uuid.
-                  All sub-sequent SMS API calls needs the uuid.
+        ''' NOTE: preload_secret during the deployment using a preload script.
                   For test purposes we need to do preload ourselves'''
         sms_url = self.config["aaf_sms_url"]
 
@@ -53,7 +50,8 @@ class TestSMS(unittest.TestCase):
         # Mock requests for preload_secret
         cd_url = self.base_domain_url.format(sms_url)
         domain_uuid1 = str(uuid4())
-        s_url = self.secret_url.format(sms_url, domain_uuid1)
+        domain_name = self.config['secret_domain']
+        s_url = self.secret_url.format(sms_url, domain_name)
         mock_sms.post(cd_url, status_code=200, json={'uuid': domain_uuid1})
         mock_sms.post(s_url, status_code=200)
         # Initialize Secrets from SMS
@@ -61,13 +59,9 @@ class TestSMS(unittest.TestCase):
 
         # Part 2: Retrieve Secret Test
         # Mock requests for retrieve_secrets
-        # IMPORTANT: Read the config again as the preload_secrets has
-        # updated the config with uuid
-        domain_uuid2 = self.config["secret_domain"]
-        self.assertEqual(domain_uuid1, domain_uuid2)
 
-        d_url = self.domain_url.format(sms_url, domain_uuid2)
-        s_url = self.secret_url.format(sms_url, domain_uuid2)
+        d_url = self.domain_url.format(sms_url, domain_name)
+        s_url = self.secret_url.format(sms_url, domain_name)
 
         # Retrieve Secrets from SMS and load to secret cache
         # Use the secret_cache instead of config files
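Review bot: The comments on lines 192-193 still say the secrets are loaded into `secret_cache` and that the cache is used instead of config files, but this commit deletes `secret_cache` from sms.py; reword them to describe what the assertions below actually check (they are outside the hunk), e.g. `# Retrieve Secrets from SMS and compare with the preloaded values`. The rewritten docstring on line 164 reads as a fragment; `''' NOTE: In a deployment the secrets are preloaded by a script; for test purposes we do the preload ourselves'''` says the same thing grammatically. With the `assertEqual(domain_uuid1, domain_uuid2)` check removed, `domain_uuid1` now only feeds the mocked createDomain response, which is fine, but the new `load_secrets` gets no coverage here even though the renamed `policyPlatform`/`policyClient` and the added `configDb`/`pciHMS`/`osdfPCIOpt` entries exist to satisfy its hardcoded keys; a test that runs it against the mocked retrieve and checks a couple of `config[...]` values would pin that coupling. `test_sms` continues past the hunk.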