From 7bf6b9addc5a9eac44cea7a3a655f1bc6d9c3773 Mon Sep 17 00:00:00 2001 From: tomdds Date: Tue, 28 Jan 2020 14:12:04 -0500 Subject: [PATCH] Remove creds from payloads and passthroughs. --- atst/domain/csp/cloud/azure_cloud_provider.py | 29 ++++++++++++------- atst/domain/csp/cloud/models.py | 15 ++-------- tests/domain/cloud/test_azure_csp.py | 18 ++++-------- tests/domain/test_portfolio_state_machine.py | 4 +-- tests/mock_azure.py | 7 +++++ 5 files changed, 35 insertions(+), 38 deletions(-) diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py index 4d3fb87e..703b5635 100644 --- a/atst/domain/csp/cloud/azure_cloud_provider.py +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -86,7 +86,7 @@ class AzureCloudProvider(CloudProviderInterface): def set_secret(self, secret_key, secret_value): credential = self._get_client_secret_credential_obj({}) - secret_client = self.secrets.SecretClient( + secret_client = self.sdk.secrets.SecretClient( vault_url=self.vault_url, credential=credential, ) try: @@ -99,7 +99,7 @@ class AzureCloudProvider(CloudProviderInterface): def get_secret(self, secret_key): credential = self._get_client_secret_credential_obj({}) - secret_client = self.secrets.SecretClient( + secret_client = self.sdk.secrets.SecretClient( vault_url=self.vault_url, credential=credential, ) try: @@ -288,7 +288,7 @@ class AzureCloudProvider(CloudProviderInterface): ) def create_tenant(self, payload: TenantCSPPayload): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() if sp_token is None: raise AuthenticationException("Could not resolve token for tenant creation") payload.password = token_urlsafe(16) 
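Review bot: Both `set_secret` and `get_secret` (hunks at lines 86 and 99) still build their credential with `self._get_client_secret_credential_obj({})`, passing an empty dict, while the rest of this commit moves credential sourcing to `get_root_provisioning_token()` and `self._root_creds`; if `_get_client_secret_credential_obj` reads `tenant_id`/`client_id`/`secret_key` from its argument the way `_get_sp_token` does, the empty dict yields a credential built from `None` values. I would expect `credential = self._get_client_secret_credential_obj(self._root_creds)` here, or a comment stating why an empty mapping is intentional. `_get_client_secret_credential_obj` is not in the diff, so this is inferred; the bodies of both methods continue past the `try:` outside their hunks.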
@@ -318,7 +318,7 @@ class AzureCloudProvider(CloudProviderInterface): def create_billing_profile_creation( self, payload: BillingProfileCreationCSPPayload ): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() if sp_token is None: raise AuthenticationException( "Could not resolve token for billing profile creation" @@ -350,7 +350,7 @@ class AzureCloudProvider(CloudProviderInterface): def create_billing_profile_verification( self, payload: BillingProfileVerificationCSPPayload ): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() if sp_token is None: raise AuthenticationException( "Could not resolve token for billing profile validation" @@ -375,7 +375,7 @@ class AzureCloudProvider(CloudProviderInterface): def create_billing_profile_tenant_access( self, payload: BillingProfileTenantAccessCSPPayload ): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() request_body = { "properties": { "principalTenantId": payload.tenant_id, # from tenant creation @@ -399,7 +399,7 @@ class AzureCloudProvider(CloudProviderInterface): def create_task_order_billing_creation( self, payload: TaskOrderBillingCreationCSPPayload ): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() request_body = [ { "op": "replace", @@ -429,7 +429,7 @@ class AzureCloudProvider(CloudProviderInterface): def create_task_order_billing_verification( self, payload: TaskOrderBillingVerificationCSPPayload ): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() if sp_token is None: raise AuthenticationException( "Could not resolve token for task order billing validation" 
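Review bot: In `create_billing_profile_tenant_access` (hunk at line 375) and `create_task_order_billing_creation` (hunk at line 399) the new `sp_token = self.get_root_provisioning_token()` is followed directly by `request_body = ...` with no `if sp_token is None` guard, whereas every other method touched by this commit raises `AuthenticationException` when the token cannot be resolved. Since `_get_sp_token` (later in this diff) still carries `# TODO: handle failure states here`, a `None` token would presumably be formatted into the request's authorization header rather than fail early. I would add the same guard the siblings use, `if sp_token is None:` / `raise AuthenticationException("Could not resolve token for billing profile tenant access")`, with a matching message in the task-order method. Both method bodies continue outside their hunks.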
@@ -452,7 +452,7 @@ class AzureCloudProvider(CloudProviderInterface): return self._error(result.json()) def create_billing_instruction(self, payload: BillingInstructionCSPPayload): - sp_token = self._get_sp_token(payload.creds) + sp_token = self.get_root_provisioning_token() if sp_token is None: raise AuthenticationException( "Could not resolve token for task order billing validation" @@ -563,13 +563,20 @@ class AzureCloudProvider(CloudProviderInterface): if sub_id_match: return sub_id_match.group(1) + def get_tenant_principal_token(self, tenant_id): + creds = self.get_secret(tenant_id) + return self._get_sp_token(creds) + + def get_root_provisioning_token(self): + return self._get_sp_token(self._root_creds) + def _get_sp_token(self, creds): - home_tenant_id = creds.get("home_tenant_id") + tenant_id = creds.get("tenant_id") client_id = creds.get("client_id") secret_key = creds.get("secret_key") context = self.sdk.adal.AuthenticationContext( - f"{self.sdk.cloud.endpoints.active_directory}/{home_tenant_id}" + f"{self.sdk.cloud.endpoints.active_directory}/{tenant_id}" ) # TODO: handle failure states here diff --git a/atst/domain/csp/cloud/models.py b/atst/domain/csp/cloud/models.py index c6bf0ede..f6503445 100644 --- a/atst/domain/csp/cloud/models.py +++ b/atst/domain/csp/cloud/models.py @@ -20,20 +20,10 @@ class AliasModel(BaseModel): class BaseCSPPayload(AliasModel): - # {"username": "mock-cloud", "pass": "shh"} - creds: Dict - - def dict(self, *args, **kwargs): - exclude = {"creds"} - if "exclude" not in kwargs: - kwargs["exclude"] = exclude - else: - kwargs["exclude"].update(exclude) - - return super().dict(*args, **kwargs) + tenant_id: str -class TenantCSPPayload(BaseCSPPayload): +class TenantCSPPayload(AliasModel): user_id: str password: Optional[str] domain_name: str @@ -232,3 +222,4 @@ class BillingInstructionCSPResult(AliasModel): fields = { "reported_clin_name": "name", } + 
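Review bot: `create_billing_instruction` raises with the message `"Could not resolve token for task order billing validation"`, the same string `create_task_order_billing_verification` raises in the hunk at line 429, so a token failure during billing-instruction creation would be reported under the wrong operation. Suggest `raise AuthenticationException("Could not resolve token for billing instruction creation")`. This is pre-existing text the commit leaves next to the line it changes; the method body continues outside the hunk.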
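Review bot: `get_tenant_principal_token` hands the value returned by `get_secret(tenant_id)` straight to `_get_sp_token`, which reads it with `creds.get(...)`; `get_secret` (hunk at line 99, built on `SecretClient`) is not shown returning a mapping, so unless it already deserializes the stored value this will fail on a string or secret object — worth confirming and documenting the expected shape on the new method. The key rename also means any credential blob still stored under `home_tenant_id` now yields `None` silently and the adal authority becomes `.../None`; a strict lookup `tenant_id = creds["tenant_id"]` (or raising `AuthenticationException` when any of the three values is missing) would surface that instead of a confusing auth failure downstream. `get_root_provisioning_token` reads `self._root_creds`, which nothing in this diff sets, so I assume it is populated in `__init__`. The `_get_sp_token` body continues outside the hunk.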
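Review bot: `BaseCSPPayload` is reduced to `tenant_id: str` with no comment on what the field now means, while the provider hunk adding `get_tenant_principal_token(tenant_id)` suggests it is the key under which a tenant's stored credentials are fetched; a docstring such as `"""Base for payloads that act on an existing tenant; tenant_id identifies the tenant whose stored credentials the provider uses."""` would record that (hedged, since no call site of `get_tenant_principal_token` appears in this diff). Rebasing `TenantCSPPayload` onto `AliasModel` means it no longer declares `tenant_id`, which fits a tenant that does not exist yet, but `test_create_tenant` in this same commit passes `tenant_id=...` to it — if `AliasModel`'s config ignores extra fields the value is dropped silently, if it forbids them the test fails, so the two hunks disagree. Dropping the `dict()` override that excluded `creds` is fine as long as no other secret-bearing field is added to `BaseCSPPayload`; `TenantCSPPayload.password` remains in `dict()` output exactly as before.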
diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index 0648ec1e..28a8dcf1 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -22,11 +22,6 @@ from atst.domain.csp.cloud.models import ( TenantCSPResult, ) -creds = { - "home_tenant_id": "tenant_id", - "client_id": "client_id", - "secret_key": "secret_key", -} BILLING_ACCOUNT_NAME = "52865e4c-52e8-5a6c-da6b-c58f0814f06f:7ea5de9d-b8ce-4901-b1c5-d864320c7b03_2019-05-31" @@ -146,7 +141,7 @@ def test_create_tenant(mock_azure: AzureCloudProvider): mock_azure.sdk.requests.post.return_value = mock_result payload = TenantCSPPayload( **dict( - creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", user_id="admin", password="JediJan13$coot", # pragma: allowlist secret domain_name="jediccpospawnedtenant2", @@ -183,7 +178,6 @@ def test_create_billing_profile_creation(mock_azure: AzureCloudProvider): country="US", postal_code="19109", ), - creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", billing_profile_display_name="Test Billing Profile", billing_account_name=BILLING_ACCOUNT_NAME, @@ -234,7 +228,7 @@ def test_validate_billing_profile_creation(mock_azure: AzureCloudProvider): payload = BillingProfileVerificationCSPPayload( **dict( - creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", billing_profile_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", ) ) 
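Review bot: After dropping `creds=creds`, every test in this file (hunks at lines 146 through 400) now exercises `get_root_provisioning_token()`, but none of the visible hunks asserts that the provisioning path actually consumed `self._root_creds` — with the SDK fully mocked, `self.sdk.adal.AuthenticationContext(...)` accepts any authority, so a missing or mis-keyed root credential (for example one still stored under `home_tenant_id`) would pass unnoticed. An assertion on the authority argument, e.g. `mock_azure.sdk.adal.AuthenticationContext.assert_called_with(f"{mock_azure.sdk.cloud.endpoints.active_directory}/<root tenant id from fixture>")`, would pin this down; I am assuming the `mock_azure` fixture sets `_root_creds`, which this diff does not show. Separately, `test_create_tenant` passes `tenant_id=` to `TenantCSPPayload`, which after the models.py change no longer declares that field.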
@@ -273,7 +267,6 @@ def test_create_billing_profile_tenant_access(mock_azure: AzureCloudProvider): payload = BillingProfileTenantAccessCSPPayload( **dict( - creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", user_object_id="0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", @@ -305,7 +298,7 @@ def test_create_task_order_billing_creation(mock_azure: AzureCloudProvider): payload = TaskOrderBillingCreationCSPPayload( **dict( - creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", billing_profile_name="KQWI-W2SU-BG7-TGB", ) @@ -365,7 +358,7 @@ def test_create_task_order_billing_verification(mock_azure): payload = TaskOrderBillingVerificationCSPPayload( **dict( - creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", task_order_billing_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", ) ) @@ -400,7 +393,7 @@ def test_create_billing_instruction(mock_azure: AzureCloudProvider): payload = BillingInstructionCSPPayload( **dict( - creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", initial_clin_amount=1000.00, initial_clin_start_date="2020/1/1", initial_clin_end_date="2020/3/1", @@ -413,3 +406,4 @@ def test_create_billing_instruction(mock_azure: AzureCloudProvider): result = mock_azure.create_billing_instruction(payload) body: BillingInstructionCSPResult = result.get("body") assert body.reported_clin_name == "TO1:CLIN001" + diff --git a/tests/domain/test_portfolio_state_machine.py b/tests/domain/test_portfolio_state_machine.py index 2e412653..44d1382b 100644 
--- a/tests/domain/test_portfolio_state_machine.py +++ b/tests/domain/test_portfolio_state_machine.py @@ -106,8 +106,6 @@ def test_fsm_transition_start(mock_cloud_provider, portfolio: Portfolio): FSMStates.BILLING_INSTRUCTION_CREATED, ] - # Should source all creds for portfolio? might be easier to manage than per-step specific ones - creds = {"username": "mock-cloud", "password": "shh"} # pragma: allowlist secret if portfolio.csp_data is not None: csp_data = portfolio.csp_data else: @@ -150,7 +148,7 @@ def test_fsm_transition_start(mock_cloud_provider, portfolio: Portfolio): collected_data = dict( list(csp_data.items()) + list(portfolio_data.items()) + list(config.items()) ) - sm.trigger_next_transition(creds=creds, csp_data=collected_data) + sm.trigger_next_transition(csp_data=collected_data) assert sm.state == expected_state if portfolio.csp_data is not None: csp_data = portfolio.csp_data diff --git a/tests/mock_azure.py b/tests/mock_azure.py index 9ab1f61d..4a7aace3 100644 --- a/tests/mock_azure.py +++ b/tests/mock_azure.py @@ -48,6 +48,12 @@ def mock_credentials(): return Mock(spec=credentials) +def mock_identity(): + import azure.identity as identity + + return Mock(spec=identity) + + def mock_policy(): from azure.mgmt.resource import policy @@ -88,6 +94,7 @@ class MockAzureSDK(object): self.managementgroups = mock_managementgroups() self.graphrbac = mock_graphrbac() self.credentials = mock_credentials() + self.identity = mock_identity() self.policy = mock_policy() self.secrets = mock_secrets() self.requests = mock_requests()
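Review bot: `mock_identity` returns `Mock(spec=identity)`, which only constrains the top-level attribute names of `azure.identity`; anything the provider constructs through it, such as a credential class, is an unspecced child `Mock` that accepts any constructor arguments, so tests built on `MockAzureSDK.identity` cannot catch a mis-built credential. If `_get_client_secret_credential_obj` goes through `self.sdk.identity` (not shown in this diff), consider `create_autospec` on the specific credential class it uses, or an `assert_called_with` on it in the tests that depend on it. The function-local `import azure.identity as identity` matches the neighbouring helpers, and the wiring in `MockAzureSDK.__init__` (hunk at line 88) is straightforward.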