MQE-1919: MFTF AWS Secrets Manager - CI Use

Author: jilu1

docs/credentials.md

@@ -147,31 +147,33 @@ AWS Secrets Manager offers secret management that supports:
 
 #### Use AWS Secrets Manager from your own AWS account
 
-- AWS account with Secrets Manager service available
-- IAM User or Role is created with appropriate AWS Secrets Manger access permission
+- An AWS account with Secrets Manager service
+- An IAM user with AWS Secrets Manager access permission
 
-#### Use AWS Secrets Manager from other AWS account
+#### Use AWS Secrets Manager in CI/CD
 
 - AWS account ID where the AWS Secrets Manager service is hosted
-- IAM User or Role with appropriate access permission
+- Authorized CI/CD EC2 instances with AWS Secrets Manager service access IAM role attached
 
 ### Store secrets in AWS Secrets Manager
 
-
 #### Secrets format
 
 `Secret Name` and `Secret Value` are two key pieces of information for creating a secret. 
 
 `Secret Value` can be either plaintext or key/value pairs in JSON format.  
 
-`Secrets Name` must use the following format:
+`Secret Name` must use the following format:
 
 ```conf
 mftf/<VENDOR>/<YOUR/SECRET/KEY>
 ```
 
-`Secrets Value` in plaintext format can be any content you want to secure. `Secrets Value` in key/value pairs format, however, the `key` must be same as the `Secret Name` with `mftf/<VENDOR>/` part removed. 
-e.g. in above example, `key` should be `<YOUR/SECRET/KEY>`
+`Secret Value` can be stored in two different formats: plaintext or key/value pairs.
+
+For plaintext format, `Secret Value` can be any string you want to secure.
+
+For key/value pairs format, `Secret Value` is a key/value pair with `key` the same as `Secret Name` without `mftf/<VENDOR>/` prefix,  which is `<YOUR/SECRET/KEY>`, and value can be any string you want to secure.
 
 ##### Create Secrets using AWS CLI
 
@@ -181,8 +183,11 @@ aws secretsmanager create-secret --name "mftf/magento/shipping/carriers_usps_use
 
 ##### Create Secrets using AWS Console
 
-To save the same secret in key/value JSON format, you should use
-
+- Sign in to the AWS Secrets Manager console
+- Choose Store a new secret
+- In the Select secret type section, specify "Other type of secret"
+- For `Secret Name`, `Secret Key` and `Secret Value` field, for example, to save the same secret in key/value JSON format, you should use
+ 
 ```conf
 # Secret Name
 mftf/magento/shipping/carriers_usps_userid
@@ -210,9 +215,8 @@ CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default
 
 ### Optionally set CREDENTIAL_AWS_ACCOUNT_ID environment variable
 
-Full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required when accessing secrets stored in other AWS account.
-If this is the case, you will also need to set `CREDENTIAL_AWS_ACCOUNT_ID` environment variable so that MFTF can construct the full ARN. 
-This is also commonly used in CI system.
+In case AWS credentials cannot resolve to a valid AWS account, full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required.
+You will also need to set `CREDENTIAL_AWS_ACCOUNT_ID` environment variable so that MFTF can construct the full ARN. This is mostly used for CI/CD.
 
 ```bash
 export CREDENTIAL_AWS_ACCOUNT_ID=<Your_12_Digits_AWS_Account_ID>
@@ -236,7 +240,7 @@ Define the value as a reference to the corresponding key in the credentials file
 
 -  `_CREDS` is an environment constant pointing to the `.credentials` file
 -  `my_data_key` is a key in the the `.credentials` file or vault that contains the value to be used in a test step
-   - for File Storage, ensure your key contains the vendor prefix, i.e. `vendor/my_data_key`
+   - for File Storage, ensure your key contains the vendor prefix, which is `vendor/my_data_key`
 
 For example, to reference secret data in the [`fillField`][] action, use the `userInput` attribute using a typical File Storage:
 

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/CredentialStore.php

@@ -6,7 +6,9 @@
 
 namespace Magento\FunctionalTestingFramework\DataGenerator\Handlers;
 
+use Magento\FunctionalTestingFramework\Exceptions\Collector\ExceptionCollector;
 use Magento\FunctionalTestingFramework\Exceptions\TestFrameworkException;
+use Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage\BaseStorage;
 use Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage\FileStorage;
 use Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage\VaultStorage;
 use Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage\AwsSecretsManagerStorage;
@@ -24,22 +26,35 @@ class CredentialStore
     /**
      * Credential storage array
      *
-     * @var array
+     * @var BaseStorage[]
      */
     private $credStorage = [];
 
+    /**
+     * Boolean to indicate if credential storage have been initialized
+     *
+     * @var boolean
+     */
+    private $initialized;
+
     /**
      * Singleton instance
      *
      * @var CredentialStore
      */
     private static $INSTANCE = null;
 
+    /**
+     * Exception contexts
+     *
+     * @var ExceptionCollector
+     */
+    private $exceptionContexts;
+
     /**
      * Static singleton getter for CredentialStore Instance
      *
      * @return CredentialStore
-     * @throws TestFrameworkException
      */
     public static function getInstance()
     {
@@ -52,21 +67,11 @@ public static function getInstance()
 
     /**
      * CredentialStore constructor
-     *
-     * @throws TestFrameworkException
      */
     private function __construct()
     {
-        // Initialize credential storage by defined order of precedence as the following
-        $this->initializeFileStorage();
-        $this->initializeVaultStorage();
-        $this->initializeAwsSecretsManagerStorage();
-
-        if (empty($this->credStorage)) {
-            throw new TestFrameworkException(
-                'Invalid Credential Storage. ' . self::CREDENTIAL_STORAGE_INFO . '.'
-            );
-        }
+        $this->initialized = false;
+        $this->exceptionContexts = new ExceptionCollector();
     }
 
     /**
@@ -78,6 +83,9 @@ private function __construct()
      */
     public function getSecret($key)
     {
+        // Initialize credential storage if it's not been done
+        $this->initializeCredentialStorage();
+
         // Get secret data from storage according to the order they are stored which follows this precedence:
         // FileStorage > VaultStorage > AwsSecretsManagerStorage
         foreach ($this->credStorage as $storage) {
@@ -87,38 +95,125 @@ public function getSecret($key)
             }
         }
 
+        $exceptionContexts = $this->getExceptionContexts();
+        $this->resetExceptionContext();
         throw new TestFrameworkException(
             "{$key} not found. " . self::CREDENTIAL_STORAGE_INFO
-            . ' and ensure key, value exists to use _CREDS in tests.'
+            . " and ensure key, value exists to use _CREDS in tests."
+            . $exceptionContexts
         );
     }
 
     /**
      * Return decrypted input value
      *
      * @param string $value
-     * @return string
+     * @return string|false The decrypted string on success or false on failure
+     * @throws TestFrameworkException
      */
     public function decryptSecretValue($value)
     {
-        // Loop through storage to decrypt value
-        foreach ($this->credStorage as $storage) {
-            return $storage->getDecryptedValue($value);
-        }
+        // Initialize credential storage if it's not been done
+        $this->initializeCredentialStorage();
+
+        // Decrypt secret value
+        return BaseStorage::getDecryptedValue($value);
     }
 
     /**
      * Return decrypted values for all occurrences from input string
      *
      * @param string $string
-     * @return mixed
+     * @return string|false The decrypted string on success or false on failure
+     * @throws TestFrameworkException
      */
     public function decryptAllSecretsInString($string)
     {
-        // Loop through storage to decrypt all occurrences from input string
-        foreach ($this->credStorage as $storage) {
-            return $storage->getAllDecryptedValuesInString($string);
+        // Initialize credential storage if it's not been done
+        $this->initializeCredentialStorage();
+
+        // Decrypt all secret values in string
+        return BaseStorage::getAllDecryptedValuesInString($string);
+    }
+
+    /**
+     * Setter for exception contexts
+     *
+     * @param string $type
+     * @param string $context
+     * @return void
+     */
+    public function setExceptionContexts($type, $context)
+    {
+        $typeArray = [self::ARRAY_KEY_FOR_FILE, self::ARRAY_KEY_FOR_VAULT, self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER];
+        if (in_array($type, $typeArray) && !empty($context)) {
+            $this->exceptionContexts->addError($type, $context);
+        }
+    }
+
+    /**
+     * Return collected exception contexts
+     *
+     * @return string
+     */
+    private function getExceptionContexts()
+    {
+        // Gather all exceptions collected
+        $exceptionMessage = "\n";
+        foreach ($this->exceptionContexts->getErrors() as $type => $exceptions) {
+            $exceptionMessage .= "\nException from ";
+            if ($type == self::ARRAY_KEY_FOR_FILE) {
+                $exceptionMessage .= "File Storage: \n";
+            }
+            if ($type == self::ARRAY_KEY_FOR_VAULT) {
+                $exceptionMessage .= "Vault Storage: \n";
+            }
+            if ($type == self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER) {
+                $exceptionMessage .= "AWS Secrets Manager Storage: \n";
+            }
+
+            if (is_array($exceptions)) {
+                $exceptionMessage .= implode("\n", $exceptions) . "\n";
+            } else {
+                $exceptionMessage .= $exceptions . "\n";
+            }
+        }
+        return $exceptionMessage;
+    }
+
+    /**
+     * Reset exception contexts to empty array
+     *
+     * @return void
+     */
+    private function resetExceptionContext()
+    {
+        $this->exceptionContexts->reset();
+    }
+
+    /**
+     * Initialize all available credential storage
+     *
+     * @return void
+     * @throws TestFrameworkException
+     */
+    private function initializeCredentialStorage()
+    {
+        if (!$this->initialized) {
+            // Initialize credential storage by defined order of precedence as the following
+            $this->initializeFileStorage();
+            $this->initializeVaultStorage();
+            $this->initializeAwsSecretsManagerStorage();
+            $this->initialized = true;
+        }
+
+        if (empty($this->credStorage)) {
+            throw new TestFrameworkException(
+                'Invalid Credential Storage. ' . self::CREDENTIAL_STORAGE_INFO
+                . '.' . $this->getExceptionContexts()
+            );
         }
+        $this->resetExceptionContext();
     }
 
     /**
@@ -132,6 +227,10 @@ private function initializeFileStorage()
         try {
             $this->credStorage[self::ARRAY_KEY_FOR_FILE]  = new FileStorage();
         } catch (TestFrameworkException $e) {
+            // Print error message in console
+            print_r($e->getMessage());
+            // Save to exception context for Allure report
+            $this->setExceptionContexts(self::ARRAY_KEY_FOR_FILE, $e->getMessage());
         }
     }
 
@@ -152,6 +251,10 @@ private function initializeVaultStorage()
                     '/' . trim($cvSecretPath, '/')
                 );
             } catch (TestFrameworkException $e) {
+                // Print error message in console
+                print_r($e->getMessage());
+                // Save to exception context for Allure report
+                $this->setExceptionContexts(self::ARRAY_KEY_FOR_VAULT, $e->getMessage());
             }
         }
     }
@@ -181,6 +284,10 @@ private function initializeAwsSecretsManagerStorage()
                     $awsId
                 );
             } catch (TestFrameworkException $e) {
+                // Print error message in console
+                print_r($e->getMessage());
+                // Save to exception context for Allure report
+                $this->setExceptionContexts(self::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER, $e->getMessage());
             }
         }
     }

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/PersistedObjectHandler.php

@@ -89,10 +89,12 @@ public function createEntity(
 
         foreach ($overrideFields as $index => $field) {
             try {
-                $overrideFields[$index] = CredentialStore::getInstance()->decryptAllSecretsInString($field);
+                $decrptedField = CredentialStore::getInstance()->decryptAllSecretsInString($field);
+                if ($decrptedField !== false) {
+                    $overrideFields[$index] = $decrptedField;
+                }
             } catch (TestFrameworkException $e) {
-                //do not rethrow if Credentials are not defined
-                $overrideFields[$index] = $field;
+                //catch exception if Credentials are not defined
             }
         }
 

src/Magento/FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php

@@ -7,6 +7,7 @@
 namespace Magento\FunctionalTestingFramework\DataGenerator\Handlers\SecretStorage;
 
 use Magento\FunctionalTestingFramework\Config\MftfApplicationConfig;
+use Magento\FunctionalTestingFramework\DataGenerator\Handlers\CredentialStore;
 use Magento\FunctionalTestingFramework\Exceptions\TestFrameworkException;
 use Magento\FunctionalTestingFramework\Util\Logger\LoggingUtil;
 use Aws\SecretsManager\SecretsManagerClient;
@@ -117,17 +118,31 @@ public function getEncryptedValue($key)
         } catch (AwsException $e) {
             $errMessage = "\nAWS Exception:\n" . $e->getAwsErrorMessage()
                 . "\nUnable to read value for key {$key} from AWS Secrets Manager\n";
+            // Print error message in console
             print_r($errMessage);
+            // Add error message in mftf log if verbose is enable
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
                 LoggingUtil::getInstance()->getLogger(AwsSecretsManagerStorage::class)->debug($errMessage);
             }
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts(
+                CredentialStore::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER,
+                $errMessage
+            );
         } catch (\Exception $e) {
             $errMessage = "\nException:\n" . $e->getMessage()
                 . "\nUnable to read value for key {$key} from AWS Secrets Manager\n";
+            // Print error message in console
             print_r($errMessage);
+            // Add error message in mftf log if verbose is enable
             if (MftfApplicationConfig::getConfig()->verboseEnabled()) {
                 LoggingUtil::getInstance()->getLogger(AwsSecretsManagerStorage::class)->debug($errMessage);
             }
+            // Save to exception context for Allure report
+            CredentialStore::getInstance()->setExceptionContexts(
+                CredentialStore::ARRAY_KEY_FOR_AWS_SECRETS_MANAGER,
+                $errMessage
+            );
         }
         return $reValue;
     }