NSX|P: Fix certificate secret to use the correct password

DbCertificateStorageDriver should use the pk_password from the
nsx_p config section and not from the nsx_v3 one

Change-Id: Ibe843e9e994bb679bdae68b0683aa36e2c78d891

vmware_nsx/plugins/common_v3/utils.py

@@ -41,13 +41,16 @@ PORT_SG_SCOPE = 'os-security-group'
 NSX_NEUTRON_PLUGIN = 'NSX Neutron plugin'
 
 
+def get_DbCertProvider(conf_path):
     class DbCertProvider(client_cert.ClientCertProvider):
         """Write cert data from DB to file and delete after use
 
-       New provider object with random filename is created for each request.
+           New provider object with random filename is created for each
-       This is not most efficient, but the safest way to avoid race conditions,
+           request.
-       since backend connections can occur both before and after neutron
+           This is not most efficient, but the safest way to avoid race
-       fork, and several concurrent requests can occupy the same thread.
+           conditions, since backend connections can occur both before and
+           after neutron fork, and several concurrent requests can occupy the
+           same thread.
            Note that new cert filename for each request does not result in new
            connection for each request (at least for now..)
         """
@@ -57,6 +60,7 @@ class DbCertProvider(client_cert.ClientCertProvider):
             super(DbCertProvider, self).__init__(None)
             random.seed()
             self._filename = '/tmp/.' + str(random.randint(1, 10000000))
+            self.conf_path = conf_path
 
         def _check_expiration(self, expires_in_days):
             if expires_in_days > self.EXPIRATION_ALERT_DAYS:
@@ -74,7 +78,7 @@ class DbCertProvider(client_cert.ClientCertProvider):
             try:
                 context = q_context.get_admin_context()
                 db_storage_driver = cert_utils.DbCertificateStorageDriver(
-                context)
+                    context, self.conf_path.nsx_client_cert_pk_password)
                 with client_cert.ClientCertificateManager(
                     cert_utils.NSX_OPENSTACK_IDENTITY,
                     None,
@@ -109,6 +113,8 @@ class DbCertProvider(client_cert.ClientCertProvider):
         def filename(self):
             return self._filename
 
+    return DbCertProvider
+
 
 def get_client_cert_provider(conf_path=cfg.CONF.nsx_v3):
     if not conf_path.nsx_use_client_auth:
@@ -123,18 +129,19 @@ def get_client_cert_provider(conf_path=cfg.CONF.nsx_v3):
     if conf_path.nsx_client_cert_storage.lower() == 'nsx-db':
         # Cert data is stored in DB, and written to file system only
         # when new connection is opened, and deleted immediately after.
-        return DbCertProvider
+        return get_DbCertProvider(conf_path)
 
 
 def get_nsxlib_wrapper(nsx_username=None, nsx_password=None, basic_auth=False,
                        plugin_conf=None, allow_overwrite_header=False):
+    if not plugin_conf:
+        plugin_conf = cfg.CONF.nsx_v3
+
     client_cert_provider = None
     if not basic_auth:
         # if basic auth requested, dont use cert file even if provided
-        client_cert_provider = get_client_cert_provider()
+        client_cert_provider = get_client_cert_provider(conf_path=plugin_conf)
 
-    if not plugin_conf:
-        plugin_conf = cfg.CONF.nsx_v3
     nsxlib_config = config.NsxLibConfig(
         username=nsx_username or plugin_conf.nsx_api_user,
         password=nsx_password or plugin_conf.nsx_api_password,

vmware_nsx/plugins/nsx_v3/cert_utils.py

@@ -17,7 +17,6 @@ import base64
 import hashlib
 
 from cryptography import fernet
-from oslo_config import cfg
 from oslo_log import log as logging
 
 from vmware_nsx.db import db as nsx_db
@@ -55,12 +54,11 @@ def symmetric_decrypt(secret, ciphertext):
 
 class DbCertificateStorageDriver(object):
     """Storage for certificate and private key in neutron DB"""
-    def __init__(self, context):
+    def __init__(self, context, cert_pk_password=None):
         global _SECRET
         self._context = context
-        if cfg.CONF.nsx_v3.nsx_client_cert_pk_password and not _SECRET:
+        if cert_pk_password and not _SECRET:
-            _SECRET = generate_secret_from_password(
+            _SECRET = generate_secret_from_password(cert_pk_password)
-                    cfg.CONF.nsx_v3.nsx_client_cert_pk_password)
 
     def store_cert(self, purpose, certificate, private_key):
         # encrypt private key

vmware_nsx/shell/admin/plugins/common/v3_common_cert.py

@@ -56,7 +56,8 @@ def get_certificate_manager(plugin_conf, **kwargs):
     LOG.info("Certificate storage is %s", storage_driver_type)
     if storage_driver_type == 'nsx-db':
         storage_driver = cert_utils.DbCertificateStorageDriver(
-            context.get_admin_context())
+            context.get_admin_context(),
+            plugin_conf.nsx_client_cert_pk_password)
     elif storage_driver_type == 'none':
         storage_driver = cert_utils.DummyCertificateStorageDriver()
     # TODO(annak) - add support for barbican storage driver