Only use EC2 creds from our project. Clean up after use. (#892)

* Only use EC2 creds from our project. Clean up after use.
  When looking for existing EC2 credentials, we only accept those
  created for our own project.
  If we need to create one, remember this and clean it up again.
* Cosmetic: Minor complaints from pylint addressed.
* Remove created bucket before deleting create creds.
* Install a signal handler to clean up ec2 cred.
* Revert "Install a signal handler to clean up ec2 cred."
  Too much complexity for too little gain.
* Use finally: for credential cleanup.
* Add marker to Secret, so we can clean up.
* OK, use a custom field "owner" in the blob to tag cred.
* imports: minor cosmetic improvement
* Remove annoying FIXME (use json.loads)
* Don't quit loop before having deleted all leftover credentials
* make slightly more Pythonic
* Appease flake8

Signed-off-by: Kurt Garloff <[email protected]>
Signed-off-by: Matthias Büchse <[email protected]>
Co-authored-by: Matthias Büchse <[email protected]>

Author: garloff

Tests/iaas/mandatory-services/mandatory-iaas-services.py

@@ -8,18 +8,20 @@
 """
 
 import argparse
-import boto3
 from collections import Counter
+import json
 import logging
 import os
 import re
 import sys
 import uuid
 
+import boto3
 import openstack
 
 
 TESTCONTNAME = "scs-test-container"
+EC2MARKER = "TmpMandSvcTest"
 
 logger = logging.getLogger(__name__)
 mandatory_services = ["compute", "identity", "image", "network",
@@ -114,32 +116,48 @@ def s3_from_env(creds, fieldnm, env, prefix=""):
 
 
 def s3_from_ostack(creds, conn, endpoint):
-    "Set creds from openstack swift/keystone"
+    """Set creds from openstack swift/keystone
+       Returns credential ID *if* an ec2 credential was created,
+       None otherwise."""
     rgx = re.compile(r"^(https*://[^/]*)/")
     match = rgx.match(endpoint)
     if match:
         creds["HOST"] = match.group(1)
-    # Use first ec2 cred if one exists
+    # Use first ec2 cred that matches the project (if one exists)
+    project_id = conn.identity.get_project_id()
     ec2_creds = [cred for cred in conn.identity.credentials()
-                 if cred.type == "ec2"]
-    if len(ec2_creds):
-        # FIXME: Assume cloud is not evil
-        ec2_dict = eval(ec2_creds[0].blob, {"null": None})
-        creds["AK"] = ec2_dict["access"]
-        creds["SK"] = ec2_dict["secret"]
+                 if cred.type == "ec2" and cred.project_id == project_id]
+    found_ec2 = None
+    for cred in ec2_creds:
+        try:
+            ec2_dict = json.loads(cred.blob)
+        except Exception:
+            logger.warning(f"unable to parse credential {cred!r}", exc_info=True)
+            continue
+        # Clean up old EC2 creds and jump over
+        if ec2_dict.get("owner") == EC2MARKER:
+            logger.debug(f"Removing leftover credential {ec2_dict['access']}")
+            conn.identity.delete_credential(cred)
+            continue
+        found_ec2 = ec2_dict
+    if found_ec2:
+        creds["AK"] = found_ec2["access"]
+        creds["SK"] = found_ec2["secret"]
         return
     # Generate keyid and secret
     ak = uuid.uuid4().hex
     sk = uuid.uuid4().hex
-    blob = f'{{"access": "{ak}", "secret": "{sk}"}}'
+    blob = f'{{"access": "{ak}", "secret": "{sk}", "owner": "{EC2MARKER}"}}'
     try:
-        conn.identity.create_credential(type="ec2", blob=blob,
-                                        user_id=conn.current_user_id,
-                                        project_id=conn.current_project_id)
-        creds["AK"] = ak
-        creds["SK"] = sk
-    except BaseException as exc:
-        logger.warning(f"ec2 creds creation failed: {exc!s}")
+        crd = conn.identity.create_credential(type="ec2", blob=blob,
+                                              user_id=conn.current_user_id,
+                                              project_id=conn.current_project_id)
+    except BaseException:
+        logger.warning("ec2 creds creation failed", exc_info=True)
+        return
+    creds["AK"] = ak
+    creds["SK"] = sk
+    return crd.id
 
 
 def check_for_s3_and_swift(conn: openstack.connection.Connection, s3_credentials=None):
@@ -170,38 +188,45 @@ def check_for_s3_and_swift(conn: openstack.connection.Connection, s3_credentials
         )
         return 1
     # Get S3 endpoint (swift) and ec2 creds from OpenStack (keystone)
-    s3_from_ostack(s3_creds, conn, endpoint)
-    # Overrides (var names are from libs3, in case you wonder)
-    s3_from_env(s3_creds, "HOST", "S3_HOSTNAME", "https://")
-    s3_from_env(s3_creds, "AK", "S3_ACCESS_KEY_ID")
-    s3_from_env(s3_creds, "SK", "S3_SECRET_ACCESS_KEY")
-
-    # This is to be used for local debugging purposes ONLY
-    # logger.info(f"using credentials {s3_creds}")
-
-    s3 = s3_conn(s3_creds, conn)
-    s3_buckets = list_s3_buckets(s3) or create_bucket(s3, TESTCONTNAME)
-    if not s3_buckets:
-        raise RuntimeError("failed to create S3 bucket")
-
-    # If we got till here, s3 is working, now swift
-    swift_containers = list_containers(conn)
-    # if not swift_containers:
-    #    swift_containers = create_container(conn, TESTCONTNAME)
-    result = 0
-    if Counter(s3_buckets) != Counter(swift_containers):
-        logger.error("S3 buckets and Swift Containers differ:\n"
-                     f"S3: {sorted(s3_buckets)}\nSW: {sorted(swift_containers)}")
-        result = 1
-    else:
-        logger.info("SUCCESS: S3 and Swift exist and agree")
-    # Clean up
-    # FIXME: Cleanup created EC2 credential
-    # if swift_containers == [TESTCONTNAME]:
-    #    del_container(conn, TESTCONTNAME)
-    # Cleanup created S3 bucket
-    if s3_buckets == [TESTCONTNAME]:
-        del_bucket(s3, TESTCONTNAME)
+    try:
+        ec2_cred = s3_from_ostack(s3_creds, conn, endpoint)
+        # Overrides (var names are from libs3, in case you wonder)
+        s3_from_env(s3_creds, "HOST", "S3_HOSTNAME", "https://")
+        s3_from_env(s3_creds, "AK", "S3_ACCESS_KEY_ID")
+        s3_from_env(s3_creds, "SK", "S3_SECRET_ACCESS_KEY")
+
+        # This is to be used for local debugging purposes ONLY
+        # logger.info(f"using credentials {s3_creds}")
+
+        s3 = s3_conn(s3_creds, conn)
+        s3_buckets = list_s3_buckets(s3) or create_bucket(s3, TESTCONTNAME)
+        if not s3_buckets:
+            raise RuntimeError("failed to create S3 bucket")
+
+        # If we got till here, s3 is working, now swift
+        swift_containers = list_containers(conn)
+        # if not swift_containers:
+        #    swift_containers = create_container(conn, TESTCONTNAME)
+        result = 0
+        # Compare number of buckets/containers
+        # FIXME: Could compare list of sorted names
+        if Counter(s3_buckets) != Counter(swift_containers):
+            logger.error("S3 buckets and Swift Containers differ:\n"
+                         f"S3: {sorted(s3_buckets)}\nSW: {sorted(swift_containers)}")
+            result = 1
+        else:
+            logger.info("SUCCESS: S3 and Swift exist and agree")
+        # No need to clean up swift container, as we did not create one
+        # (If swift and S3 agree, there will be a S3 bucket that we clean up with S3.)
+        # if swift_containers == [TESTCONTNAME]:
+        #    del_container(conn, TESTCONTNAME)
+        # Cleanup created S3 bucket
+        if s3_buckets == [TESTCONTNAME]:
+            del_bucket(s3, TESTCONTNAME)
+        # Clean up ec2 cred IF we created one
+    finally:
+        if ec2_cred:
+            conn.identity.delete_credential(ec2_cred)
     return result