feat: Decrypt passwords for topology objects (Switch, PowerMng, OSD)#11

Open
a-gorczew wants to merge 2 commits into intel:main from a-gorczew:MFD-7917_switch_pwr_mng

@a-gorczew (Contributor)

This pull request adds support for automatic decryption of password fields stored in encrypted (Fernet) form for multiple model types, improving security and simplifying usage. It introduces utility functions to handle decryption for SwitchModel, PowerMngModel, OSDControllerModel, and HostModel, and updates relevant object creation routines to transparently decrypt passwords when needed. Documentation and example files are updated to reflect and demonstrate the new behavior.

Decryption support for model password fields:

  • Added automatic decryption of mng_password and enable_password fields in SwitchModel during switch object creation, using the AMBER_ENCRYPTION_KEY environment variable. If decryption is needed but the key is missing, a PyTestMFDConfigException is raised.
  • Implemented decryption for the password field in PowerMngModel and OSDControllerModel when creating respective objects.
  • Improved decryption logic for HostModel, supporting both host-level and per-connection password fields, and refactored the code for clarity and robustness.

Documentation and examples:

  • Updated README.md to document the new password decryption behavior for SwitchModel, PowerMngModel, and OSDControllerModel, including usage notes and error handling.
  • Enhanced the example topology YAML file to show usage of encrypted secrets for host, switch, and power management passwords.

Fixture API improvements:

  • Added a new fixture function create_osd_controller_from_model for consistent OSD controller object creation with decryption support.

These changes make it easier and safer to manage secrets in test configurations by supporting encrypted password fields throughout the configuration models.

Copilot AI review requested due to automatic review settings May 21, 2026 12:24

Copilot AI left a comment

Pull request overview

Adds transparent Fernet decryption for password-like fields across topology-related models (switches, power management, OSD controller, and host management/connection passwords) to allow storing encrypted secrets in config while keeping runtime behavior unchanged.

Changes:

  • Added shared decryption helpers and integrated them into switch/host/power management/OSD controller object creation.
  • Introduced create_osd_controller_from_model and refactored MAC-based connection establishment to use it.
  • Updated unit tests, README docs, and the example topology YAML to reflect decryption support.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| pytest_mfd_config/fixtures.py | Adds decryption helpers, hooks them into object creation, and introduces an OSD controller factory used by MAC-based connections. |
| tests/unit/test_pytest_mfd_config/test_fixtures.py | Expands coverage for new fixtures/decryption logic and adds tests for OSD controller/power management/switch flows. |
| README.md | Documents new decryption behavior for PowerMng/OSD/Switch and adds the new OSD factory function to the API list. |
| examples/topology_host_config_with_secrets.yaml | Demonstrates encrypted secrets usage for host/switch/power management (and attempts to show OSD usage). |

Comments suppressed due to low confidence (3)

pytest_mfd_config/fixtures.py:404

  • _decrypt_switch_password swallows PyTestMFDConfigException from _get_encryption_obj and returns the original model. This means truly encrypted passwords will silently remain encrypted when AMBER_ENCRYPTION_KEY is missing, contradicting the README text that an exception is raised when decryption is needed. Consider either (a) detecting whether a value looks like a Fernet token and raising if the key is missing, or (b) updating the documentation/tests to match the intended non-raising behavior.
    if not _has_secret_switch_password_fields(switch_model):
        return switch_model

    try:
        cipher = _get_encryption_obj()
    except PyTestMFDConfigException as info:
        logger.log(level=log_levels.MODULE_DEBUG, msg=info)
        return switch_model

pytest_mfd_config/fixtures.py:372

  • _try_decrypt_secret treats InvalidToken the same as "not encrypted" and returns the original SecretStr without any logging. With a wrong AMBER_ENCRYPTION_KEY (or a corrupted token), this will silently pass the encrypted token downstream and failures will occur later during authentication. Consider logging (or raising) when the input looks like a Fernet token but decryption fails, so configuration mistakes are easier to diagnose.
    try:
        decrypted = cipher.decrypt(value.get_secret_value().encode("utf-8")).decode()
        return SecretStr(decrypted)
    except (InvalidToken, AttributeError):
        return value

pytest_mfd_config/fixtures.py:505

  • _decrypt_model_password catches PyTestMFDConfigException (missing AMBER_ENCRYPTION_KEY) and returns the model unchanged. If the field actually contains an encrypted Fernet token, this silently propagates the encrypted value into constructors (PowerMng/OSD), which is hard to debug and conflicts with the documented behavior for password decryption. Consider raising when decryption is required (e.g., token-like value) or updating docs/tests to reflect the non-raising behavior.
    try:
        cipher = _get_encryption_obj()
    except PyTestMFDConfigException as info:
        logger.log(level=log_levels.MODULE_DEBUG, msg=info)
        return model

    decrypted = _try_decrypt_secret(password, cipher)
    if decrypted is password:
        return model
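
One way to implement the check the review comments above suggest (recognise a value that has the shape of a Fernet token, and raise when the key is missing or decryption fails), as an added example that is not code from this pull request. `SecretConfigError`, `looks_like_fernet_token`, `resolve_secret` and the injected `decrypt` callable are hypothetical names, and the sample token is constructed with the token layout only.

```python
import base64
import binascii
import struct

FERNET_VERSION = 0x80
FERNET_OVERHEAD = 1 + 8 + 16 + 32  # version + timestamp + IV + HMAC
AES_BLOCK = 16  # ciphertext is PKCS7-padded, so at least one full block


class SecretConfigError(Exception):
    """Hypothetical stand-in for the project's PyTestMFDConfigException."""


def looks_like_fernet_token(value: str) -> bool:
    """Structural check only: needs no key and decrypts nothing."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError):  # bad padding or non-ASCII input
        return False
    if len(raw) < FERNET_OVERHEAD + AES_BLOCK or raw[0] != FERNET_VERSION:
        return False
    return (len(raw) - FERNET_OVERHEAD) % AES_BLOCK == 0


def resolve_secret(value: str, decrypt=None, field: str = "password") -> str:
    """Return plaintext; raise instead of passing a token downstream.

    decrypt: callable taking token bytes and returning plaintext bytes,
    e.g. Fernet(key).decrypt; None models a missing AMBER_ENCRYPTION_KEY.
    """
    if not looks_like_fernet_token(value):
        return value  # plain password: use as-is
    if decrypt is None:
        raise SecretConfigError(f"{field} looks encrypted but no key is set")
    try:
        return decrypt(value.encode("ascii")).decode("utf-8")
    except Exception as exc:  # cryptography raises InvalidToken here
        raise SecretConfigError(
            f"{field} looks encrypted but failed to decrypt "
            "(wrong key or corrupted token)"
        ) from exc


# Constructed sample with the token layout only (zeroed IV, body and HMAC).
SAMPLE_TOKEN = base64.urlsafe_b64encode(
    bytes([FERNET_VERSION]) + struct.pack(">Q", 1_700_000_000)
    + bytes(16) + bytes(AES_BLOCK) + bytes(32)
).decode("ascii")
```

The shape check is a heuristic: a plaintext password that happens to decode to this layout would be treated as encrypted. The error messages name the field but never include the value.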

@a-gorczew a-gorczew force-pushed the MFD-7917_switch_pwr_mng branch from 9fcdc95 to e5c443b Compare May 21, 2026 12:29
Signed-off-by: Agnieszka Flizikowska <agnieszka.flizikowska@intel.com>
@a-gorczew a-gorczew force-pushed the MFD-7917_switch_pwr_mng branch from e5c443b to ec5cf95 Compare May 21, 2026 13:15