Update assets api/job notify api configuration (#1703)

Signed-off-by: Doug Lovett <[email protected]>

jobs/permanent/ppr-discharges-for-mhr/src/ppr_discharges_for_mhr/config.py

@@ -65,3 +65,6 @@ class Config(BaseConfig):
         TRACKER_DATABASE_URI = f'postgresql://{TRACKER_DB_USER}:{TRACKER_DB_PASSWORD}@/{TRACKER_DB_NAME}?host={TRACKER_DB_UNIX_SOCKET}'
     else:
         TRACKER_DATABASE_URI = f'postgresql://{TRACKER_DB_USER}:{TRACKER_DB_PASSWORD}@{TRACKER_DB_HOST}:{TRACKER_DB_PORT}/{TRACKER_DB_NAME}'
+    ACCOUNT_SVC_CLIENT_ID = os.getenv('ACCOUNT_SVC_CLIENT_ID')
+    ACCOUNT_SVC_CLIENT_SECRET = os.getenv('ACCOUNT_SVC_CLIENT_SECRET')
+    JWT_OIDC_TOKEN_URL = os.getenv('JWT_OIDC_TOKEN_URL')

jobs/permanent/ppr-discharges-for-mhr/src/ppr_discharges_for_mhr/job.py

@@ -110,7 +110,11 @@ def job(config):
                     }
 
         # Send email
-        notify = Notify(**{'url': config.NOTIFY_URL})
+        # notify = Notify(**{'url': config.NOTIFY_URL})
+        notify = Notify(**{'url': config.NOTIFY_URL,
+                           'oidc_url': config.JWT_OIDC_TOKEN_URL,
+                           'sa_client_id': config.ACCOUNT_SVC_CLIENT_ID,
+                           'sa_secret': config.ACCOUNT_SVC_CLIENT_SECRET})
         ret = notify.send_email(email_data)
         logging.info(f'Email sent, return code: {ret}')
         if ret != HTTPStatus.OK:

jobs/permanent/ppr-discharges-for-mhr/src/ppr_discharges_for_mhr/services/notify/__init__.py

@@ -13,11 +13,15 @@
 # limitations under the License.
 """This module contains the services used by the Delivery Service."""
 from http import HTTPStatus
+import json
 
-import google.auth.transport.requests
-import google.oauth2.id_token
+# Don't need GCP tokens until completetly off of OpenShift
+# import google.auth.transport.requests
+# import google.oauth2.id_token
 import requests
 
+from ppr_discharges_for_mhr.services.logging import logging
+
 
 class Notify:
     """Notify calls the GCNotify service."""
@@ -30,12 +34,16 @@ def __init__(self, **kwargs):
     def setup(self, **kwargs):
         """Setup the attributes needed for notify to work."""
         self.notify_url = kwargs.get('url')
+        self.oidc_url = kwargs.get('oidc_url')
+        self.client_id = kwargs.get('sa_client_id')
+        self.secret = kwargs.get('sa_secret') 
 
     def send_email(self, payload: dict) -> HTTPStatus:
         """Create and send the email payload to the Notify service."""
 
-        auth_req = google.auth.transport.requests.Request()
-        id_token = google.oauth2.id_token.fetch_id_token(auth_req, self.notify_url)
+        # auth_req = google.auth.transport.requests.Request()
+        # id_token = google.oauth2.id_token.fetch_id_token(auth_req, self.notify_url)
+        id_token = self.get_oidc_sa_token()  # Use the PPR/MHR service account to create a JWT.
 
         headers = {'Authorization': 'Bearer ' + id_token,
                     'Content-Type': 'application/json'}
@@ -45,3 +53,27 @@ def send_email(self, payload: dict) -> HTTPStatus:
                             json=payload)
 
         return res.status_code
+
+    def get_oidc_sa_token(self) -> str:
+        """Generate an OIDC PPR service account token (JWT). Request one from the OIDC service."""
+        logging.info(f'Calling OIDC api to get token: URL = {self.oidc_url}, client_id={self.client_id}.')
+        token = ''
+        headers = {
+            'Accept': 'application/json',
+            'Content-Type': 'application/x-www-form-urlencoded'
+        }
+        data = f'grant_type=client_credentials&scope=openid&client_id={self.client_id}&client_secret={self.secret}'
+        response = requests.request('post',
+                                    self.oidc_url,
+                                    data=data,
+                                    params=None,
+                                    headers=headers)
+
+        if not response or not response.ok:
+            logging.error(f'No sa token from OIDC: return status {response.status_code}.')
+            return token
+
+        response_json = json.loads(response.text)
+        token = response_json.get('access_token')
+        logging.info(f'Have new sa token from OIDC: {token}')
+        return token

jobs/permanent/ppr-discharges-for-mhr/src/ppr_discharges_for_mhr/version.py

@@ -1,2 +1,2 @@
 
-__version__ = '0.1.0'  # pylint: disable=invalid-name
+__version__ = '0.1.1'  # pylint: disable=invalid-name

mhr_api/src/mhr_api/services/notify/__init__.py

@@ -14,11 +14,13 @@
 """This module contains the services used by the Delivery Service."""
 from http import HTTPStatus
 
-import google.auth.transport.requests
-import google.oauth2.id_token
+# Don't need GCP tokens until completetly off of OpenShift
+# import google.auth.transport.requests
+# import google.oauth2.id_token
 import requests
 from flask import current_app
 
+from mhr_api.services.payment.client import SBCPaymentClient
 
 class Notify:
     """Notify calls the GCNotify service."""
@@ -34,8 +36,9 @@ def setup(self, **kwargs):
 
     def send_email(self, payload: dict) -> HTTPStatus:
         """Create and send the email payload to the Notify service."""
-        auth_req = google.auth.transport.requests.Request()
-        id_token = google.oauth2.id_token.fetch_id_token(auth_req, self.notify_url)
+        # auth_req = google.auth.transport.requests.Request()
+        # id_token = google.oauth2.id_token.fetch_id_token(auth_req, self.notify_url)
+        id_token = SBCPaymentClient.get_sa_token()  # Use the PPR/MHR service account to create a JWT.
         current_app.logger.debug(id_token)
         headers = {'Authorization': 'Bearer ' + id_token,
                    'Content-Type': 'application/json'}

mhr_api/src/mhr_api/version.py

@@ -22,4 +22,4 @@
 Development release segment: .devN
 """
 
-__version__ = '1.6.8'  # pylint: disable=invalid-name
+__version__ = '1.6.9'  # pylint: disable=invalid-name