v3(bindings): resolve credhub refs for keys (cloudfoundry#1801)

Derik Evangelista · web-flow · commit 658865427c71 · 2020-08-25T09:54:44.000+01:00
[#173529481](https://www.pivotaltracker.com/story/show/173529481)
diff --git a/app/controllers/v3/service_credential_bindings_controller.rb b/app/controllers/v3/service_credential_bindings_controller.rb
@@ -38,7 +38,18 @@ def details
     ensure_service_credential_binding_is_accessible!
     not_found! unless can_read_secrets_in_the_binding_space?
 
-    render status: :ok, json: credential_binding_details
+    credentials = if service_credential_binding[:type] == 'key' && service_credential_binding.credhub_reference?
+                    fetch_credentials_value(service_credential_binding.credhub_reference)
+                  else
+                    service_credential_binding.credentials
+                  end
+
+    details = Presenters::V3::ServiceCredentialBindingDetailsPresenter.new(
+      binding: service_credential_binding,
+      credentials: credentials
+    ).to_hash
+
+    render status: :ok, json: details
   end
 
   private
@@ -52,6 +63,29 @@ def decorators(message)
     AVAILABLE_DECORATORS.select { |d| d.match?(message.include) }.reduce([]) { |decorators, d| decorators << d }
   end
 
+  def config
+    @config ||= VCAP::CloudController::Config.config
+  end
+
+  def uaa_client
+    @uaa_client ||= UaaClient.new(
+      uaa_target: config.get(:uaa, :internal_url),
+      client_id: config.get(:cc_service_key_client_name),
+      secret: config.get(:cc_service_key_client_secret),
+      ca_file: config.get(:uaa, :ca_file),
+    )
+  end
+
+  def credhub_client
+    @credhub_client ||= Credhub::Client.new(config.get(:credhub_api, :internal_url), uaa_client)
+  end
+
+  def fetch_credentials_value(name)
+    credhub_client.get_credential_by_name(name)
+  rescue => e
+    unprocessable!(e.message)
+  end
+
   def service_credential_binding
     @service_credential_binding ||= fetcher.fetch(hashed_params[:guid], space_guids: space_guids)
   end
@@ -73,10 +107,6 @@ def serialized(message)
     Presenters::V3::ServiceCredentialBindingPresenter.new(service_credential_binding, decorators: decorators(message)).to_hash
   end
 
-  def credential_binding_details
-    Presenters::V3::ServiceCredentialBindingDetailsPresenter.new(service_credential_binding).to_hash
-  end
-
   def ensure_service_credential_binding_is_accessible!
     not_found! unless service_credential_binding_exists?
   end
diff --git a/app/presenters/v3/service_credential_binding_details_presenter.rb b/app/presenters/v3/service_credential_binding_details_presenter.rb
@@ -5,21 +5,18 @@ module CloudController
     module Presenters
       module V3
         class ServiceCredentialBindingDetailsPresenter < BasePresenter
+          def initialize(binding:, credentials:)
+            super(binding)
+            @credentials = credentials
+          end
+
           def to_hash
             {
-              credentials: credentials,
-              syslog_drain_url: @resource.syslog_drain_url,
-              volume_mounts: @resource.volume_mounts || nil
+              credentials: @credentials,
+              syslog_drain_url: @resource.try(:syslog_drain_url) || nil,
+              volume_mounts: @resource.try(:volume_mounts) || nil
             }.compact
           end
-
-          private
-
-          def credentials
-            JSON.parse(@resource.credentials)
-          rescue JSON::ParserError
-            nil
-          end
         end
       end
     end
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -456,12 +456,13 @@ def check_filtered_bindings(*bindings)
         service_instance: instance,
         volume_mounts: ['foo', 'bar'],
         syslog_drain_url: 'some-drain-url',
-        credentials: '{"cred_key": "creds-val-64", "magic": true}'
+        credentials: { 'cred_key' => 'creds-val-64', 'magic' => true }
       }
     }
     let(:app_binding) { VCAP::CloudController::ServiceBinding.make(**details) }
+    let(:guid) { app_binding.guid }
     let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
-    let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}/details", nil, user_headers } }
+    let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{guid}/details", nil, user_headers } }
     let(:binding_credentials) {
       {
         credentials: {
@@ -541,6 +542,94 @@ def check_filtered_bindings(*bindings)
         end
       end
     end
+
+    describe 'credhub interaction' do
+      let(:key_binding) { VCAP::CloudController::ServiceKey.make(:credhub_reference, service_instance: instance) }
+      let(:credhub_url) { VCAP::CloudController::Config.config.get(:credhub_api, :internal_url) }
+      let(:uaa_url) { VCAP::CloudController::Config.config.get(:uaa, :internal_url) }
+      let(:credentials) { { 'username' => 'cinnamon', 'password' => 'roll' } }
+      let(:credhub_response_status) { 200 }
+      let(:credhub_response_body) { { data: [value: credentials] }.to_json }
+      let!(:credhub_server_stub) {
+        stub_request(:get, "#{credhub_url}/api/v1/data?name=#{key_binding.credhub_reference}&current=true").
+          with(headers: {
+            'Authorization' => 'Bearer my-favourite-access-token',
+            'Content-Type'  => 'application/json'
+          }).to_return(status: credhub_response_status, body: credhub_response_body)
+      }
+
+      before do
+        token = { token_type: 'Bearer', access_token: 'my-favourite-access-token' }
+        stub_request(:post, "#{uaa_url}/oauth/token").
+          to_return(status: 200, body: token.to_json, headers: { 'Content-Type' => 'application/json' })
+      end
+
+      context 'for key bindings with a credhub reference' do
+        let(:guid) { key_binding.guid }
+
+        it 'fetches and returns the credentials values from credhub' do
+          api_call.call(admin_headers)
+          expect(last_response).to have_status_code(200)
+          expect(credhub_server_stub).to have_been_requested
+          expect(parsed_response['credentials']).to eq(credentials)
+        end
+      end
+
+      context 'for key bindings without a credhub reference' do
+        let(:key_binding) { VCAP::CloudController::ServiceKey.make(service_instance: instance) }
+        let(:guid) { key_binding.guid }
+
+        it 'returns the credentials as found in the datbase' do
+          api_call.call(admin_headers)
+          expect(last_response).to have_status_code(200)
+          expect(credhub_server_stub).not_to have_been_requested
+          expect(parsed_response['credentials']).to eq(key_binding.credentials)
+        end
+      end
+
+      context 'for app bindings with credhub references' do
+        let(:details) { { service_instance: instance, credentials: { 'credhub-ref' => '/secret/super/morish' } } }
+
+        it 'returns the credentials as found in the database' do
+          api_call.call(admin_headers)
+          expect(last_response).to have_status_code(200)
+          expect(credhub_server_stub).not_to have_been_requested
+          expect(parsed_response['credentials']).to eq({ 'credhub-ref' => '/secret/super/morish' })
+        end
+      end
+
+      context 'when the reference cannot be found on credhub' do
+        let(:guid) { key_binding.guid }
+        let(:credhub_response_status) { 404 }
+        let(:credhub_response_body) { { error: 'cred does not exist' }.to_json }
+
+        it 'returns an error' do
+          api_call.call(admin_headers)
+          expect(last_response).to have_status_code(422)
+          expect(parsed_response['errors']).to include(include({
+            'detail' => 'cred does not exist',
+            'title' => 'CF-UnprocessableEntity',
+            'code' => 10008,
+          }))
+        end
+      end
+
+      context 'when credhub returns an error' do
+        let(:guid) { key_binding.guid }
+        let(:credhub_response_status) { 500 }
+        let(:credhub_response_body) { nil }
+
+        it 'returns an error' do
+          api_call.call(admin_headers)
+          expect(last_response).to have_status_code(422)
+          expect(parsed_response['errors']).to include(include({
+            'detail' => 'Server error, status: 500',
+            'title' => 'CF-UnprocessableEntity',
+            'code' => 10008,
+          }))
+        end
+      end
+    end
   end
 
   def expected_json(binding)
diff --git a/spec/unit/presenters/v3/service_credential_binding_details_presenter_spec.rb b/spec/unit/presenters/v3/service_credential_binding_details_presenter_spec.rb
@@ -6,20 +6,28 @@ module CloudController
     RSpec.describe Presenters::V3::ServiceCredentialBindingDetailsPresenter do
       let(:instance) { ServiceInstance.make(guid: 'instance-guid') }
       let(:app) { AppModel.make(guid: 'app-guid', space: instance.space) }
-      let(:json_creds) { { password: 'super secret avocado toast' }.to_json }
+      let(:credentials) { { password: 'super secret avocado toast' } }
       let(:credential_binding) do
         ServiceBinding.make(
           name: 'some-name',
           app: app,
           service_instance: instance,
-          credentials: json_creds,
+          credentials: credentials,
           volume_mounts: %w{super good},
           syslog_drain_url: 'http://banana.example.com/drain'
         )
       end
 
-      it 'returns the binding details' do
-        presenter = described_class.new(credential_binding)
+      let(:key_binding) {
+        ServiceKey.make(
+          name: 'some-key',
+          service_instance: instance,
+          credentials: credentials
+        )
+      }
+
+      it 'returns the app binding details' do
+        presenter = described_class.new(binding: credential_binding, credentials: credential_binding.credentials)
         expect(presenter.to_hash.deep_symbolize_keys).to match(
           {
             credentials: {
@@ -31,11 +39,22 @@ module CloudController
         )
       end
 
+      it 'returns the key binding detials' do
+        presenter = described_class.new(binding: key_binding, credentials: key_binding.credentials)
+        expect(presenter.to_hash.deep_symbolize_keys).to match(
+          {
+            credentials: {
+              password: 'super secret avocado toast'
+            }
+          }
+        )
+      end
+
       context 'when syslog drain is not set' do
         let(:credential_binding) { ServiceBinding.make }
 
         it 'does not include syslog_drain_url in the response' do
-          presenter = described_class.new(credential_binding)
+          presenter = described_class.new(binding: credential_binding, credentials: credential_binding.credentials)
           expect(presenter.to_hash).to_not have_key(:syslog_drain_url)
         end
       end
@@ -44,19 +63,24 @@ module CloudController
         let(:credential_binding) { ServiceBinding.make }
 
         it 'does not include volume_mounts in the response' do
-          presenter = described_class.new(credential_binding)
+          presenter = described_class.new(binding: credential_binding, credentials: credential_binding.credentials)
           expect(presenter.to_hash).to_not have_key(:volume_mounts)
         end
       end
 
       context 'when credentials are not set' do
-        let(:credential_binding) { ServiceBinding.make }
-
         it 'does not include credentials in the response' do
-          presenter = described_class.new(credential_binding)
+          presenter = described_class.new(binding: credential_binding, credentials: nil)
           expect(presenter.to_hash).to_not have_key(:credentials)
         end
       end
+
+      context 'when some other credentials are passed in' do
+        it 'includes those in the response' do
+          presenter = described_class.new(binding: credential_binding, credentials: { hello: 'my friend' })
+          expect(presenter.to_hash[:credentials]).to eq({ hello: 'my friend' })
+        end
+      end
     end
   end
 end
