From 051649eed57fb7718c2fab9c14234ed3e83cb94f Mon Sep 17 00:00:00 2001
From: Roey Chen
Date: Tue, 21 Jun 2016 06:17:42 -0700
Subject: [PATCH] NSXAdmin: Update metadata shared secret
Change-Id: Ia8b236f3ddc751a8c317308fbac40818f35b3db7
---
 .../admin/plugins/nsxv/resources/metadata.py | 42 +++++++++++++++++++
 vmware_nsx/shell/nsxadmin.py | 4 +-
 2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py
index 6dc44709a6..3e26562151 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py
@@ -13,6 +13,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import hashlib
+import hmac
 import logging
 from neutron.callbacks import registry
@@ -106,6 +108,46 @@ def nsx_redo_metadata_cfg(resource, event, trigger, **kwargs):
 lb.submit_to_backend(nsxv, edge_id, False)
+def update_shared_secret():
+ edgeapi = utils.NeutronDbClient()
+ edge_list = nsxv_db.get_nsxv_internal_edges_by_purpose(
+ edgeapi.context.session,
+ vcns_constants.InternalEdgePurposes.INTER_EDGE_PURPOSE)
+ md_rtr_ids = [edge['router_id'] for edge in edge_list]
+ router_bindings = nsxv_db.get_nsxv_router_bindings(
+ edgeapi.context.session,
+ filters={'edge_type': [nsxv_constants.SERVICE_EDGE]})
+ edge_ids = list(set([binding['edge_id'] for binding in router_bindings
+ if (binding['router_id'] not in set(md_rtr_ids)
+ and not binding['router_id'].startswith(
+ vcns_constants.BACKUP_ROUTER_PREFIX)
+ and not binding['router_id'].startswith(
+ vcns_constants.PLR_EDGE_PREFIX))]))
+
+ for edge_id in edge_ids:
+ with locking.LockManager.get_lock(edge_id):
+ lb = nsxv_lb.NsxvLoadbalancer.get_loadbalancer(nsxv, edge_id)
+ virt = lb.virtual_servers.get(md_proxy.METADATA_VSE_NAME)
+ if not virt:
+ return
+
+ virt.del_app_rule('insert-auth')
+ if cfg.CONF.nsxv.metadata_shared_secret:
+ signature = hmac.new(cfg.CONF.nsxv.metadata_shared_secret,
+ edge_id,
+ hashlib.sha256).hexdigest()
+ sign = 'reqadd X-Metadata-Provider-Signature:' + signature
+ sign_app_rule = nsxv_lb.NsxvLBAppRule('insert-auth', sign)
+ virt.add_app_rule('insert-auth', sign_app_rule)
+
+ lb.submit_to_backend(nsxv, edge_id, False)
+
+
 registry.subscribe(nsx_redo_metadata_cfg,
 constants.METADATA,
 shell.Operations.NSX_UPDATE.value)
+
+
+registry.subscribe(update_shared_secret,
+ constants.METADATA,
+ shell.Operations.NSX_UPDATE_SECRET.value)
diff --git a/vmware_nsx/shell/nsxadmin.py b/vmware_nsx/shell/nsxadmin.py
index 00bba8551d..8674a4d272 100644
--- a/vmware_nsx/shell/nsxadmin.py
+++ b/vmware_nsx/shell/nsxadmin.py
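Review bot: The `return` under `if not virt:` inside the `for edge_id in edge_ids:` loop of update_shared_secret exits the whole function on the first service edge whose load balancer has no metadata virtual server, so every edge later in edge_ids keeps the `insert-auth` rule derived from the previous secret and the rotation is only partially applied; it should be `continue`. The rollout is also silent: nothing records which edges were updated, skipped, or left without a rule when metadata_shared_secret is unset, so an operator cannot confirm the rotation completed — a per-edge log line after `lb.submit_to_backend(nsxv, edge_id, False)` would help (the file imports logging; the logger name is outside the hunk). The key and message handed to hmac.new are plain str, which is fine under Python 2 (nsxadmin.py still uses itervalues()) but would have to be bytes under Python 3, worth a comment if a port is planned. Minor: `set(md_rtr_ids)` is rebuilt for every binding inside the comprehension; bind it to a local once before the comprehension.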
@@ -63,6 +63,7 @@ class Operations(enum.Enum):
 NSX_LIST = 'nsx-list'
 NSX_CLEAN = 'nsx-clean'
 NSX_UPDATE = 'nsx-update'
+ NSX_UPDATE_SECRET = 'nsx-update-secret'
 ops = [op.value for op in Operations]
@@ -126,7 +127,8 @@ nsxv_resources = {
 constants.FIREWALL_NSX_GROUPS,
 [Operations.LIST.value, Operations.LIST_MISMATCHES.value]),
 constants.METADATA: Resource(
- constants.METADATA, [Operations.NSX_UPDATE.value]),
+ constants.METADATA, [Operations.NSX_UPDATE.value,
+ Operations.NSX_UPDATE_SECRET]),
 }
 nsxv3_resources_names = map(lambda res: res.name, nsxv3_resources.itervalues())
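Review bot: `Operations.NSX_UPDATE_SECRET` in the new Resource operations list for constants.METADATA is missing `.value`, unlike `Operations.NSX_UPDATE.value` beside it and the `ops = [op.value for op in Operations]` list in the hunk above, so the list holds the enum member rather than the string 'nsx-update-secret'; the intended line is `Operations.NSX_UPDATE_SECRET.value]),`. Whether this makes the new nsx-update-secret command be rejected or silently not matched depends on how Resource's operation list is checked, which is outside the hunk, but either way it should be fixed before the secret-rotation command is relied on.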