Store and pull tenant creds from Key Vault.

The tenant ID should be hashed and used as the key for the JSON blob of
relevant creds for any given tenant. Azure CSP interface methods that
need to source creds should call the internal `_source_creds` method,
either with a `tenant_id` or no parameters. That method will source the
creds. If a tenant ID is provided, it will source them from the Key
Vault. If not provided, it will return the default creds for the app
registration in the home tenant.

tests/domain/cloud/test_azure_csp.py

@@ -1,5 +1,7 @@
+import pytest
+import json
 from uuid import uuid4
-from unittest.mock import Mock
+from unittest.mock import Mock, patch
 
 from tests.factories import ApplicationFactory, EnvironmentFactory
 from tests.mock_azure import AUTH_CREDENTIALS, mock_azure
@@ -84,13 +86,28 @@ def test_create_environment_succeeds(mock_azure: AzureCloudProvider):
     assert result.id == "Test Id"
 
 
+# mock the get_secret so it returns a JSON string
+MOCK_CREDS = {
+    "tenant_id": str(uuid4()),
+    "tenant_sp_client_id": str(uuid4()),
+    "tenant_sp_key": "1234",
+}
+
+
+def mock_get_secret(azure, func):
+    azure.get_secret = func
+
+    return azure
+
+
 def test_create_application_succeeds(mock_azure: AzureCloudProvider):
     application = ApplicationFactory.create()
-
     mock_management_group_create(mock_azure, {"id": "Test Id"})
 
+    mock_azure = mock_get_secret(mock_azure, lambda *a, **k: json.dumps(MOCK_CREDS))
+
     payload = ApplicationCSPPayload(
-        creds={}, display_name=application.name, parent_id=str(uuid4())
+        tenant_id="1234", display_name=application.name, parent_id=str(uuid4())
     )
     result = mock_azure.create_application(payload)
 

tests/domain/cloud/test_models.py

@@ -4,6 +4,7 @@ from pydantic import ValidationError
 
 from atst.domain.csp.cloud.models import (
     AZURE_MGMNT_PATH,
+    KeyVaultCredentials,
     ManagementGroupCSPPayload,
     ManagementGroupCSPResponse,
 )
@@ -12,25 +13,25 @@ from atst.domain.csp.cloud.models import (
 def test_ManagementGroupCSPPayload_management_group_name():
     # supplies management_group_name when absent
     payload = ManagementGroupCSPPayload(
-        creds={}, display_name="Council of Naboo", parent_id="Galactic_Senate"
+        tenant_id="any-old-id",
+        display_name="Council of Naboo",
+        parent_id="Galactic_Senate",
     )
     assert payload.management_group_name
     # validates management_group_name
     with pytest.raises(ValidationError):
         payload = ManagementGroupCSPPayload(
-            creds={},
+            tenant_id="any-old-id",
             management_group_name="council of Naboo 1%^&",
             display_name="Council of Naboo",
             parent_id="Galactic_Senate",
         )
     # shortens management_group_name to fit
-    name = "council_of_naboo"
-    for _ in range(90):
-        name = f"{name}1"
+    name = "council_of_naboo".ljust(95, "1")
 
     assert len(name) > 90
     payload = ManagementGroupCSPPayload(
-        creds={},
+        tenant_id="any-old-id",
         management_group_name=name,
         display_name="Council of Naboo",
         parent_id="Galactic_Senate",
@@ -40,12 +41,10 @@ def test_ManagementGroupCSPPayload_management_group_name():
 
 def test_ManagementGroupCSPPayload_display_name():
     # shortens display_name to fit
-    name = "Council of Naboo"
-    for _ in range(90):
-        name = f"{name}1"
+    name = "Council of Naboo".ljust(95, "1")
     assert len(name) > 90
     payload = ManagementGroupCSPPayload(
-        creds={}, display_name=name, parent_id="Galactic_Senate"
+        tenant_id="any-old-id", display_name=name, parent_id="Galactic_Senate"
     )
     assert len(payload.display_name) == 90
 
@@ -54,12 +53,14 @@ def test_ManagementGroupCSPPayload_parent_id():
     full_path = f"{AZURE_MGMNT_PATH}Galactic_Senate"
     # adds full path
     payload = ManagementGroupCSPPayload(
-        creds={}, display_name="Council of Naboo", parent_id="Galactic_Senate"
+        tenant_id="any-old-id",
+        display_name="Council of Naboo",
+        parent_id="Galactic_Senate",
     )
     assert payload.parent_id == full_path
     # keeps full path
     payload = ManagementGroupCSPPayload(
-        creds={}, display_name="Council of Naboo", parent_id=full_path
+        tenant_id="any-old-id", display_name="Council of Naboo", parent_id=full_path
     )
     assert payload.parent_id == full_path
 
@@ -70,3 +71,29 @@ def test_ManagementGroupCSPResponse_id():
         **{"id": "/path/to/naboo-123", "other": "stuff"}
     )
     assert response.id == full_id
+
+
+def test_KeyVaultCredentials_enforce_admin_creds():
+    with pytest.raises(ValidationError):
+        KeyVaultCredentials(tenant_id="an id", tenant_admin_username="C3PO")
+    assert KeyVaultCredentials(
+        tenant_id="an id",
+        tenant_admin_username="C3PO",
+        tenant_admin_password="beep boop",
+    )
+
+
+def test_KeyVaultCredentials_enforce_sp_creds():
+    with pytest.raises(ValidationError):
+        KeyVaultCredentials(tenant_id="an id", tenant_sp_client_id="C3PO")
+    assert KeyVaultCredentials(
+        tenant_id="an id", tenant_sp_client_id="C3PO", tenant_sp_key="beep boop"
+    )
+
+
+def test_KeyVaultCredentials_enforce_root_creds():
+    with pytest.raises(ValidationError):
+        KeyVaultCredentials(root_tenant_id="an id", root_sp_client_id="C3PO")
+    assert KeyVaultCredentials(
+        root_tenant_id="an id", root_sp_client_id="C3PO", root_sp_key="beep boop"
+    )

tests/mock_azure.py

@@ -72,6 +72,12 @@ def mock_secrets():
     return Mock(spec=secrets)
 
 
+def mock_identity():
+    import azure.identity as identity
+
+    return Mock(spec=identity)
+
+
 class MockAzureSDK(object):
     def __init__(self):
         from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD
@@ -88,6 +94,7 @@ class MockAzureSDK(object):
         self.requests = mock_requests()
         # may change to a JEDI cloud
         self.cloud = AZURE_PUBLIC_CLOUD
+        self.identity = mock_identity()
 
 
 @pytest.fixture(scope="function")

tests/utils/test_hash.py

@@ -0,0 +1,16 @@
+import random
+import re
+import string
+
+from atst.utils import sha256_hex
+
+
+def test_sha256_hex():
+    sample = "".join(
+        random.choices(string.ascii_uppercase + string.digits, k=random.randrange(200))
+    )
+    hashed = sha256_hex(sample)
+    assert re.match("^[a-zA-Z0-9]+$", hashed)
+    assert len(hashed) == 64
+    hashed_again = sha256_hex(sample)
+    assert hashed == hashed_again