pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove creds from payloads and passthroughs.

Browse Source
This commit is contained in:
tomdds 2020-01-28 14:12:04 -05:00
parent 475ceaed7c
commit 7bf6b9addc
5 changed files with 35 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
atst/domain/csp/cloud/azure_cloud_provider.py
View File

@ -86,7 +86,7 @@ class AzureCloudProvider(CloudProviderInterface):
def set_secret(self, secret_key, secret_value): def set_secret(self, secret_key, secret_value):
credential = self._get_client_secret_credential_obj({}) credential = self._get_client_secret_credential_obj({})
secret_client = self.secrets.SecretClient( secret_client = self.sdk.secrets.SecretClient(
vault_url=self.vault_url, credential=credential, vault_url=self.vault_url, credential=credential,
) )
try: try:
@ -99,7 +99,7 @@ class AzureCloudProvider(CloudProviderInterface):
def get_secret(self, secret_key): def get_secret(self, secret_key):
credential = self._get_client_secret_credential_obj({}) credential = self._get_client_secret_credential_obj({})
secret_client = self.secrets.SecretClient( secret_client = self.sdk.secrets.SecretClient(
vault_url=self.vault_url, credential=credential, vault_url=self.vault_url, credential=credential,
) )
try: try:
@ -288,7 +288,7 @@ class AzureCloudProvider(CloudProviderInterface):
) )
def create_tenant(self, payload: TenantCSPPayload): def create_tenant(self, payload: TenantCSPPayload):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
if sp_token is None: if sp_token is None:
raise AuthenticationException("Could not resolve token for tenant creation") raise AuthenticationException("Could not resolve token for tenant creation")
payload.password = token_urlsafe(16) payload.password = token_urlsafe(16)
@ -318,7 +318,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_billing_profile_creation( def create_billing_profile_creation(
self, payload: BillingProfileCreationCSPPayload self, payload: BillingProfileCreationCSPPayload
): ):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
if sp_token is None: if sp_token is None:
raise AuthenticationException( raise AuthenticationException(
"Could not resolve token for billing profile creation" "Could not resolve token for billing profile creation"
@ -350,7 +350,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_billing_profile_verification( def create_billing_profile_verification(
self, payload: BillingProfileVerificationCSPPayload self, payload: BillingProfileVerificationCSPPayload
): ):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
if sp_token is None: if sp_token is None:
raise AuthenticationException( raise AuthenticationException(
"Could not resolve token for billing profile validation" "Could not resolve token for billing profile validation"
@ -375,7 +375,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_billing_profile_tenant_access( def create_billing_profile_tenant_access(
self, payload: BillingProfileTenantAccessCSPPayload self, payload: BillingProfileTenantAccessCSPPayload
): ):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
request_body = { request_body = {
"properties": { "properties": {
"principalTenantId": payload.tenant_id, # from tenant creation "principalTenantId": payload.tenant_id, # from tenant creation
@ -399,7 +399,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_task_order_billing_creation( def create_task_order_billing_creation(
self, payload: TaskOrderBillingCreationCSPPayload self, payload: TaskOrderBillingCreationCSPPayload
): ):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
request_body = [ request_body = [
{ {
"op": "replace", "op": "replace",
@ -429,7 +429,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_task_order_billing_verification( def create_task_order_billing_verification(
self, payload: TaskOrderBillingVerificationCSPPayload self, payload: TaskOrderBillingVerificationCSPPayload
): ):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
if sp_token is None: if sp_token is None:
raise AuthenticationException( raise AuthenticationException(
"Could not resolve token for task order billing validation" "Could not resolve token for task order billing validation"
@ -452,7 +452,7 @@ class AzureCloudProvider(CloudProviderInterface):
return self._error(result.json()) return self._error(result.json())
def create_billing_instruction(self, payload: BillingInstructionCSPPayload): def create_billing_instruction(self, payload: BillingInstructionCSPPayload):
sp_token = self._get_sp_token(payload.creds) sp_token = self.get_root_provisioning_token()
if sp_token is None: if sp_token is None:
raise AuthenticationException( raise AuthenticationException(
"Could not resolve token for task order billing validation" "Could not resolve token for task order billing validation"
@ -563,13 +563,20 @@ class AzureCloudProvider(CloudProviderInterface):
if sub_id_match: if sub_id_match:
return sub_id_match.group(1) return sub_id_match.group(1)
def get_tenant_principal_token(self, tenant_id):
creds = self.get_secret(tenant_id)
return self._get_sp_token(creds)
def get_root_provisioning_token(self):
return self._get_sp_token(self._root_creds)
def _get_sp_token(self, creds): def _get_sp_token(self, creds):
home_tenant_id = creds.get("home_tenant_id") tenant_id = creds.get("tenant_id")
client_id = creds.get("client_id") client_id = creds.get("client_id")
secret_key = creds.get("secret_key") secret_key = creds.get("secret_key")
context = self.sdk.adal.AuthenticationContext( context = self.sdk.adal.AuthenticationContext(
f"{self.sdk.cloud.endpoints.active_directory}/{home_tenant_id}" f"{self.sdk.cloud.endpoints.active_directory}/{tenant_id}"
) )
# TODO: handle failure states here # TODO: handle failure states here

15
atst/domain/csp/cloud/models.py
View File

@ -20,20 +20,10 @@ class AliasModel(BaseModel):
class BaseCSPPayload(AliasModel): class BaseCSPPayload(AliasModel):
# {"username": "mock-cloud", "pass": "shh"} tenant_id: str
creds: Dict
def dict(self, *args, **kwargs):
exclude = {"creds"}
if "exclude" not in kwargs:
kwargs["exclude"] = exclude
else:
kwargs["exclude"].update(exclude)
return super().dict(*args, **kwargs)
class TenantCSPPayload(BaseCSPPayload): class TenantCSPPayload(AliasModel):
user_id: str user_id: str
password: Optional[str] password: Optional[str]
domain_name: str domain_name: str
@ -232,3 +222,4 @@ class BillingInstructionCSPResult(AliasModel):
fields = { fields = {
"reported_clin_name": "name", "reported_clin_name": "name",
} }

18
tests/domain/cloud/test_azure_csp.py
View File

@ -22,11 +22,6 @@ from atst.domain.csp.cloud.models import (
TenantCSPResult, TenantCSPResult,
) )
creds = {
"home_tenant_id": "tenant_id",
"client_id": "client_id",
"secret_key": "secret_key",
}
BILLING_ACCOUNT_NAME = "52865e4c-52e8-5a6c-da6b-c58f0814f06f:7ea5de9d-b8ce-4901-b1c5-d864320c7b03_2019-05-31" BILLING_ACCOUNT_NAME = "52865e4c-52e8-5a6c-da6b-c58f0814f06f:7ea5de9d-b8ce-4901-b1c5-d864320c7b03_2019-05-31"
@ -146,7 +141,7 @@ def test_create_tenant(mock_azure: AzureCloudProvider):
mock_azure.sdk.requests.post.return_value = mock_result mock_azure.sdk.requests.post.return_value = mock_result
payload = TenantCSPPayload( payload = TenantCSPPayload(
**dict( **dict(
creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
user_id="admin", user_id="admin",
password="JediJan13$coot", # pragma: allowlist secret password="JediJan13$coot", # pragma: allowlist secret
domain_name="jediccpospawnedtenant2", domain_name="jediccpospawnedtenant2",
@ -183,7 +178,6 @@ def test_create_billing_profile_creation(mock_azure: AzureCloudProvider):
country="US", country="US",
postal_code="19109", postal_code="19109",
), ),
creds=creds,
tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
billing_profile_display_name="Test Billing Profile", billing_profile_display_name="Test Billing Profile",
billing_account_name=BILLING_ACCOUNT_NAME, billing_account_name=BILLING_ACCOUNT_NAME,
@ -234,7 +228,7 @@ def test_validate_billing_profile_creation(mock_azure: AzureCloudProvider):
payload = BillingProfileVerificationCSPPayload( payload = BillingProfileVerificationCSPPayload(
**dict( **dict(
creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
billing_profile_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", billing_profile_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview",
) )
) )
@ -273,7 +267,6 @@ def test_create_billing_profile_tenant_access(mock_azure: AzureCloudProvider):
payload = BillingProfileTenantAccessCSPPayload( payload = BillingProfileTenantAccessCSPPayload(
**dict( **dict(
creds=creds,
tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
user_object_id="0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", user_object_id="0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d",
billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31",
@ -305,7 +298,7 @@ def test_create_task_order_billing_creation(mock_azure: AzureCloudProvider):
payload = TaskOrderBillingCreationCSPPayload( payload = TaskOrderBillingCreationCSPPayload(
**dict( **dict(
creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31",
billing_profile_name="KQWI-W2SU-BG7-TGB", billing_profile_name="KQWI-W2SU-BG7-TGB",
) )
@ -365,7 +358,7 @@ def test_create_task_order_billing_verification(mock_azure):
payload = TaskOrderBillingVerificationCSPPayload( payload = TaskOrderBillingVerificationCSPPayload(
**dict( **dict(
creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
task_order_billing_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", task_order_billing_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview",
) )
) )
@ -400,7 +393,7 @@ def test_create_billing_instruction(mock_azure: AzureCloudProvider):
payload = BillingInstructionCSPPayload( payload = BillingInstructionCSPPayload(
**dict( **dict(
creds=creds, tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435",
initial_clin_amount=1000.00, initial_clin_amount=1000.00,
initial_clin_start_date="2020/1/1", initial_clin_start_date="2020/1/1",
initial_clin_end_date="2020/3/1", initial_clin_end_date="2020/3/1",
@ -413,3 +406,4 @@ def test_create_billing_instruction(mock_azure: AzureCloudProvider):
result = mock_azure.create_billing_instruction(payload) result = mock_azure.create_billing_instruction(payload)
body: BillingInstructionCSPResult = result.get("body") body: BillingInstructionCSPResult = result.get("body")
assert body.reported_clin_name == "TO1:CLIN001" assert body.reported_clin_name == "TO1:CLIN001"

4
tests/domain/test_portfolio_state_machine.py
View File

@ -106,8 +106,6 @@ def test_fsm_transition_start(mock_cloud_provider, portfolio: Portfolio):
FSMStates.BILLING_INSTRUCTION_CREATED, FSMStates.BILLING_INSTRUCTION_CREATED,
] ]
# Should source all creds for portfolio? might be easier to manage than per-step specific ones
creds = {"username": "mock-cloud", "password": "shh"} # pragma: allowlist secret
if portfolio.csp_data is not None: if portfolio.csp_data is not None:
csp_data = portfolio.csp_data csp_data = portfolio.csp_data
else: else:
@ -150,7 +148,7 @@ def test_fsm_transition_start(mock_cloud_provider, portfolio: Portfolio):
collected_data = dict( collected_data = dict(
list(csp_data.items()) + list(portfolio_data.items()) + list(config.items()) list(csp_data.items()) + list(portfolio_data.items()) + list(config.items())
) )
sm.trigger_next_transition(creds=creds, csp_data=collected_data) sm.trigger_next_transition(csp_data=collected_data)
assert sm.state == expected_state assert sm.state == expected_state
if portfolio.csp_data is not None: if portfolio.csp_data is not None:
csp_data = portfolio.csp_data csp_data = portfolio.csp_data

7
tests/mock_azure.py
View File

@ -48,6 +48,12 @@ def mock_credentials():
return Mock(spec=credentials) return Mock(spec=credentials)
def mock_identity():
import azure.identity as identity
return Mock(spec=identity)
def mock_policy(): def mock_policy():
from azure.mgmt.resource import policy from azure.mgmt.resource import policy
@ -88,6 +94,7 @@ class MockAzureSDK(object):
self.managementgroups = mock_managementgroups() self.managementgroups = mock_managementgroups()
self.graphrbac = mock_graphrbac() self.graphrbac = mock_graphrbac()
self.credentials = mock_credentials() self.credentials = mock_credentials()
self.identity = mock_identity()
self.policy = mock_policy() self.policy = mock_policy()
self.secrets = mock_secrets() self.secrets = mock_secrets()
self.requests = mock_requests() self.requests = mock_requests()