MQE-1600: MQE-1600: MFTF Vault integration

- prefer credentials from local file over vault
- address review comments

Author: jilu1

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php

@@ -12,31 +12,35 @@
 
 class CredentialStore
 {
+    const ARRAY_KEY_FOR_VAULT = 'vault';
+    const ARRAY_KEY_FOR_FILE = 'file';
+
     /**
-     * Singleton instance
+     * Numeric indexed array that defines the access precedence of credential storage
      *
-     * @var CredentialStore
+     * @var array
      */
-    private static $INSTANCE = null;
+    private static $credStoragePrecedence = [self::ARRAY_KEY_FOR_FILE, self::ARRAY_KEY_FOR_VAULT];
 
     /**
-     * File storage for credentials
+     * Credential storage array
      *
-     * @var FileStorage
+     * @var array
      */
-    private $credFile = null;
+    private $credStorage = [];
 
     /**
-     * Vault storage for credentials
+     * Singleton instance
      *
-     * @var VaultStorage
+     * @var CredentialStore
      */
-    private $credVault = null;
+    private static $INSTANCE = null;
 
     /**
      * Static singleton getter for CredentialStore Instance
      *
      * @return CredentialStore
+     * @throws TestFrameworkException
      */
     public static function getInstance()
     {
@@ -48,7 +52,9 @@ public static function getInstance()
     }
 
     /**
-     * CredentialStore constructor.
+     * CredentialStore constructor
+     *
+     * @throws TestFrameworkException
      */
     private function __construct()
     {
@@ -57,16 +63,28 @@ private function __construct()
         $csToken = getenv('CREDENTIAL_VAULT_TOKEN');
         if ($csBaseUrl !== false && $csToken !== false) {
             try {
-                $this->credVault = new VaultStorage(rtrim($csBaseUrl, '/'), $csToken);
+                $this->credStorage[self::ARRAY_KEY_FOR_VAULT] = new VaultStorage(
+                    rtrim($csBaseUrl, '/'),
+                    $csToken
+                );
             } catch (TestFrameworkException $e) {
             }
         }
 
         // Initialize file storage
         try {
-            $this->credFile = new FileStorage();
+            $this->credStorage[self::ARRAY_KEY_FOR_FILE]  = new FileStorage();
         } catch (TestFrameworkException $e) {
         }
+
+        foreach ($this->credStorage as $cred) {
+            if (null !== $cred) {
+                return;
+            }
+        }
+        throw new TestFrameworkException(
+            "No credential storage is properly configured. Please configure vault or .credentials file."
+        );
     }
 
     /**
@@ -78,24 +96,20 @@ private function __construct()
      */
     public function getSecret($key)
     {
-        // Get secret data from vault storage first
-        if (null !== $this->credVault) {
-            $value = $this->credVault->getEncryptedValue($key);
-            if (!empty($value)) {
-                return $value;
-            }
-        }
-
-        // Get secret data from file when not found in vault
-        if (null !== $this->credFile) {
-            $value = $this->credFile->getEncryptedValue($key);
-            if (!empty($value)) {
-                return $value;
+        // Get secret data from storage according to defined precedence
+        // File storage is preferred over vault storage to allow local secret value overriding remote secret value
+        foreach (self::$credStoragePrecedence as $credType) {
+            if (null !== $this->credStorage[$credType]) {
+                $value = $this->credStorage[$credType]->getEncryptedValue($key);
+                if (null !== $value) {
+                    return $value;
+                }
             }
         }
 
         throw new TestFrameworkException(
-            "value for key \"$key\" not found in credential storage."
+            "{$key} not defined in vault or .credentials file, "
+            . "please provide a value in order to use this secret in a test.\"."
         );
     }
 
@@ -107,12 +121,11 @@ public function getSecret($key)
      */
     public function decryptSecretValue($value)
     {
-        if (null !== $this->credVault) {
-            return $this->credVault->getDecryptedValue($value);
-        }
-
-        if (null !== $this->credFile) {
-            return $this->credFile->getDecryptedValue($value);
+        // Loop through storage to decrypt value
+        foreach (self::$credStoragePrecedence as $credType) {
+            if (null !== $this->credStorage[$credType]) {
+                return $this->credStorage[$credType]->getDecryptedValue($value);
+            }
         }
     }
 
@@ -124,12 +137,11 @@ public function decryptSecretValue($value)
      */
     public function decryptAllSecretsInString($string)
     {
-        if (null !== $this->credVault) {
-            return $this->credVault->getAllDecryptedValues($string);
-        }
-
-        if (null !== $this->credFile) {
-            return $this->credFile->getAllDecryptedValues($string);
+        // Loop through storage to decrypt all occurrences from input string
+        foreach (self::$credStoragePrecedence as $credType) {
+            if (null !== $this->credStorage[$credType]) {
+                return $this->credStorage[$credType]->getAllDecryptedValues($string);
+            }
         }
     }
 }

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/FileStorage.php

@@ -6,9 +6,9 @@
 
 namespace Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage;
 
-use Magento\FunctionalTestingFramework\Config\MftfApplicationConfig;
 use Magento\FunctionalTestingFramework\Console\BuildProjectCommand;
 use Magento\FunctionalTestingFramework\Exceptions\TestFrameworkException;
+use Magento\FunctionalTestingFramework\Config\MftfApplicationConfig;
 use Magento\FunctionalTestingFramework\Util\Logger\LoggingUtil;
 
 class FileStorage extends BaseStorage
@@ -22,7 +22,6 @@ class FileStorage extends BaseStorage
 
     /**
      * FileStorage constructor
-     *
      * @throws TestFrameworkException
      */
     public function __construct()
@@ -40,27 +39,24 @@ public function __construct()
      */
     public function getEncryptedValue($key)
     {
+        $value = null;
         // Check if secret is in cached array
         if (null !== ($value = parent::getEncryptedValue($key))) {
             return $value;
         }
 
-        try {
-            // log here for verbose config
-            if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
-                LoggingUtil::getInstance()->getLogger(FileStorage::class)->debug(
-                    "retrieving secret for key name {$key} from file"
-                );
-            }
-        } catch (\Exception $e) {
+        // log here for verbose config
+        if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
+            LoggingUtil::getInstance()->getLogger(FileStorage::class)->debug(
+                "retrieving secret for key name {$key} from file"
+            );
         }
 
         // Retrieve from file storage
-        if (!array_key_exists($key, $this->secretData) || empty($value = $this->secretData[$key])) {
-            return null;
+        if (array_key_exists($key, $this->secretData) && (null !== ($value = $this->secretData[$key]))) {
+            parent::$cachedSecretData[$key] = $value;
         }
 
-        parent::$cachedSecretData[$key] = $value;
         return $value;
     }
 
@@ -80,8 +76,7 @@ private function readInCredentialsFile()
 
         if (!file_exists($credsFilePath)) {
             throw new TestFrameworkException(
-                "Cannot find .credentials file, please create in "
-                . TESTS_BP . " in order to reference sensitive information"
+                "Credential file is not used: .credentials file not found in " . TESTS_BP
             );
         }
 

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/VaultStorage.php

@@ -20,19 +20,14 @@ class VaultStorage extends BaseStorage
      * Adobe Vault
      */
     const BASE_PATH = '/dx_magento_qe';
-    const KV_DATA = '/data';
-    /**
-     * Local Vault
-     */
-    //const BASE_PATH = '/secret';
-    //const KV_DATA = '/data';
+    const KV_DATA = 'data';
 
     /**
      * Vault client
      *
      * @var Client
      */
-    private static $client = null;
+    private $client = null;
 
     /**
      * Vault token
@@ -51,13 +46,13 @@ class VaultStorage extends BaseStorage
     public function __construct($baseUrl, $token)
     {
         parent::__construct();
-        if (null === self::$client) {
+        if (null === $this->client) {
             // Creating the client using Guzzle6 Transport and passing a custom url
-            self::$client = new Client(new Guzzle6Transport(['base_uri' => $baseUrl]));
+            $this->client = new Client(new Guzzle6Transport(['base_uri' => $baseUrl]));
         }
         $this->token = $token;
         if (!$this->authenticated()) {
-            throw new TestFrameworkException("Credential Vault: Cannot Authenticate");
+            throw new TestFrameworkException("Credential vault is not used: cannot authenticate");
         }
     }
 
@@ -74,50 +69,48 @@ public function getEncryptedValue($key)
             return $value;
         }
 
+        if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
+            LoggingUtil::getInstance()->getLogger(VaultStorage::class)->debug(
+                "Retrieving secret for key name {$key} from vault"
+            );
+        }
+
+        $reValue = null;
         try {
-            // Log here for verbose config
+            // Split vendor/key to construct secret path
+            list($vendor, $key) = explode('/', trim($key, '/'), 2);
+            $url = self::BASE_PATH
+                . (empty(self::KV_DATA) ? '' : '/' . self::KV_DATA)
+                . self::MFTF_PATH
+                . '/'
+                . $vendor
+                . '/'
+                . $key;
+            // Read value by key from vault
+            $value = $this->client->read($url)->getData()[self::KV_DATA][$key];
+            // Encrypt value for return
+            $reValue = openssl_encrypt($value, parent::ENCRYPTION_ALGO, parent::$encodedKey, 0, parent::$iv);
+            parent::$cachedSecretData[$key] = $reValue;
+        } catch (\Exception $e) {
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
                 LoggingUtil::getInstance()->getLogger(VaultStorage::class)->debug(
-                    "retrieving secret for key name {$key} from vault"
+                    "Unable to read secret for key name {$key} from vault"
                 );
             }
-        } catch (\Exception $e) {
-        }
-
-        // Retrieve from vault storage
-        if (!$this->authenticated()) {
-            return null;
-        }
-
-        // Read value by key from vault
-        list($vendor, $key) = explode('/', trim($key, '/'), 2);
-        $url = self::BASE_PATH
-            . (empty(self::KV_DATA) ? '' : self::KV_DATA)
-            . self::MFTF_PATH
-            . '/'
-            . $vendor
-            . '/'
-            . $key;
-        $value = self::$client->read($url)->getData()['data'][$key];
-
-        if (empty($value)) {
-            return null;
         }
-        $eValue = openssl_encrypt($value, parent::ENCRYPTION_ALGO, parent::$encodedKey, 0, parent::$iv);
-        parent::$cachedSecretData[$key] = $eValue;
-        return $eValue;
+        return $reValue;
     }
 
     /**
-     * Check if vault token is still valid.
+     * Check if vault token is valid
      *
      * @return boolean
      */
     private function authenticated()
     {
         try {
-            // Authenticating using token auth backend.
-            $authenticated = self::$client
+            // Authenticating using token auth backend
+            $authenticated = $this->client
                 ->setAuthenticationStrategy(new TokenAuthenticationStrategy($this->token))
                 ->authenticate();
 

src/Magento/FunctionalTestingFramework/Test/Util/ActionMergeUtil.php

@@ -31,6 +31,7 @@ class ActionMergeUtil
     const DEFAULT_WAIT_ORDER = 'after';
     const APPROVED_ACTIONS = ['fillField', 'magentoCLI', 'field'];
     const SECRET_MAPPING = ['fillField' => 'fillSecretField', 'magentoCLI' => 'magentoCLISecret'];
+    const CREDS_REGEX = "/{{_CREDS\.([\w|\/]+)}}/";
 
     /**
      * Array holding final resulting steps
@@ -149,7 +150,7 @@ private function actionAttributeContainsSecretRef($actionAttributes)
                 return $this->actionAttributeContainsSecretRef($actionAttribute);
             }
 
-            preg_match_all("/{{_CREDS\.([\w|\/]+)}}/", $actionAttribute, $matches);
+            preg_match_all(self::CREDS_REGEX, $actionAttribute, $matches);
 
             if (!empty($matches[0])) {
                 return true;

src/Magento/FunctionalTestingFramework/Util/TestGenerator.php

@@ -24,6 +24,7 @@
 use Magento\FunctionalTestingFramework\Test\Util\ActionObjectExtractor;
 use Magento\FunctionalTestingFramework\Test\Util\TestObjectExtractor;
 use Magento\FunctionalTestingFramework\Util\Filesystem\DirSetupUtil;
+use Magento\FunctionalTestingFramework\Test\Util\ActionMergeUtil;
 
 /**
  * Class TestGenerator
@@ -1901,7 +1902,7 @@ private function resolveAllRuntimeReferences($args)
     {
         $runtimeReferenceRegex = [
             "/{{_ENV\.([\w]+)}}/" => 'getenv',
-            "/{{_CREDS\.([\w|\/]+)}}/" => 'CredentialStore::getInstance()->getSecret'
+            ActionMergeUtil::CREDS_REGEX => 'CredentialStore::getInstance()->getSecret'
         ];
 
         $argResult = $args;