Adds support for OSMMON_DATABASE_COMMONKEY to decrypt vim passwords 92/6892/1
authorBenjamin Diaz <bdiaz@whitestack.com>
Thu, 15 Nov 2018 17:17:17 +0000 (14:17 -0300)
committerBenjamin Diaz <bdiaz@whitestack.com>
Thu, 15 Nov 2018 17:17:17 +0000 (14:17 -0300)
When vim_accounts msgs arrive in the Kafka bus, vim password is decrypted
and stored in the SQL database. The ideal scenario would be to store it
encrypted in the SQL DB and decrypt it on demand, but that would require
storing the schema_version, instantiating a DbMongo client everywhere it is
needed and a few other modifications that would severely pollute the codebase.
There needs to be a modification in the future on the osm_common side to make
this more doable.

Signed-off-by: Benjamin Diaz <bdiaz@whitestack.com>
docker/Dockerfile
osm_mon/common/common_db_client.py
osm_mon/core/message_bus/common_consumer.py
osm_mon/core/settings.py

index 2cf98cb..8c342db 100644 (file)
@@ -47,6 +47,7 @@ ENV OSMMON_KAFKA_LOG_LEVEL INFO
 ENV OSMMON_VCA_HOST localhost
 ENV OSMMON_VCA_SECRET secret
 ENV OSMMON_VCA_USER admin
+ENV OSMMON_DATABASE_COMMONKEY changeme
 
 EXPOSE 8662 8000
 
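Review bot: The added `ENV OSMMON_DATABASE_COMMONKEY changeme` bakes a publicly known placeholder key into the image, and the settings.py hunk gives `CfgParam('OSMMON_DATABASE_COMMONKEY', "changeme", six.text_type)` the same default, so a deployment that forgets to override it runs with a value anyone can read from this repository. ENV values are also recorded in the image metadata, so the real key is better injected at deploy time than defaulted here. I would drop the default from the image and have startup refuse to run when the value is unset or still `changeme`. How osm_common uses the key is not visible on this page, so the impact of running with the placeholder should be confirmed against that library.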
index 71d1306..716f170 100644 (file)
@@ -32,7 +32,8 @@ class CommonDbClient:
         self.common_db = dbmongo.DbMongo()
         self.common_db.db_connect({'host': cfg.MONGO_URI.split(':')[0],
                                    'port': int(cfg.MONGO_URI.split(':')[1]),
-                                   'name': 'osm'})
+                                   'name': 'osm',
+                                   'commonkey': cfg.OSMMON_DATABASE_COMMONKEY})
 
     def get_vnfr(self, nsr_id: str, member_index: int):
         vnfr = self.common_db.get_one("vnfrs",
@@ -68,3 +69,6 @@ class CommonDbClient:
                 return vdur
         raise ValueError('vdur not found for nsr-id %s, member_index %s and vdu_name %s', nsr_id, member_index,
                          vdu_name)
+
+    def decrypt_vim_password(self, vim_password: str, schema_version: str, vim_id: str):
+        return self.common_db.decrypt(vim_password, schema_version, vim_id)
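Review bot: `decrypt_vim_password` has no docstring or return annotation, although it is the one place in this class where a stored ciphertext becomes a cleartext credential. I would add `"""Return the cleartext VIM password for vim_id, as decrypted by osm_common."""` and state in it that the result must not be logged. What `common_db.decrypt` does when the key or `schema_version` does not match is not visible here; the docstring should say whether it raises or returns its input unchanged once that is confirmed. The class body starts outside the hunk.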
index e32fa2b..3a95c76 100755 (executable)
@@ -121,6 +121,9 @@ class CommonConsumer:
 
             if message.topic == "vim_account":
                 if message.key == "create" or message.key == "edit":
+                    values['vim_password'] = self.common_db.decrypt_vim_password(values['vim_password'],
+                                                                                 values['schema_version'],
+                                                                                 values['_id'])
                     self.auth_manager.store_auth_credentials(values)
                 if message.key == "delete":
                     self.auth_manager.delete_auth_credentials(values)
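Review bot: The added call indexes `values['vim_password']`, `values['schema_version']` and `values['_id']` directly for both "create" and "edit", so a message lacking any of them raises KeyError before `store_auth_credentials` runs; whether edit messages always carry the password is not visible in this hunk. Guarding the call with `if values.get('vim_password'):` and handling a decrypt failure explicitly would keep one malformed message from propagating an exception out of this branch. After the assignment `values` holds the cleartext password, so any logging of `values` elsewhere in this method should be checked. The enclosing method starts and ends outside the hunk.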
index a7599cc..f8dfaa2 100644 (file)
@@ -71,6 +71,7 @@ class Config(object):
         CfgParam('OSMMON_VCA_HOST', "localhost", six.text_type),
         CfgParam('OSMMON_VCA_SECRET', "secret", six.text_type),
         CfgParam('OSMMON_VCA_USER', "admin", six.text_type),
+        CfgParam('OSMMON_DATABASE_COMMONKEY', "changeme", six.text_type),
     ]
 
     _config_dict = {cfg.key: cfg for cfg in _configuration}