read MSFT Sync credentials from Vault

why
* they are currently stored in Consul, and there is an effort being
made to move secrets from Consul to Vault

closes INTEROP-8000
flag=microsoft_group_enrollments_syncing

test plan:
* enable the MSFT sync flag
* get the MSFT dev tenant creds from the INTEROP team
* copy the MSFT dev creds from your config/dynamic_settings.yml
to your config/vault_contents.yml
NOTE: the format changed so make sure to reference
config/vault_contents.yml.example for the new correct format
* restart your containers/server
* in a rails console,
* `DynamicSettings.find('microsoft-sync')` should return nil (old way)
* `Rails.application.credentials.microsoft_sync` should return the creds
* `MicrosoftSync::LoginService.token("canvastest2.onmicrosoft.com")`
should return a token

Change-Id: Iab0e00f8360494858c2c3518274a1a375752374e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/335681
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Evan Battaglia <ebattaglia@instructure.com>
QA-Review: Evan Battaglia <ebattaglia@instructure.com>
Build-Review: James Butters <jbutters@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>

config/dynamic_settings.yml.example

@@ -53,9 +53,6 @@ development:
         base_url: 'http://mathman.docker'
         use_for_svg: 'false'
         use_for_mml: 'false'
-      microsoft-sync:
-        client-id: some_client_id
-        client-secret: some_client_secret
       pandata/events:
         enabled_for_canvas: false
         url: 'https://cbbsk4vb5k.execute-api.us-east-1.amazonaws.com/prod/pandata-event' # dev PandataEvents environment

config/vault_contents.yml.example

@@ -44,6 +44,9 @@ development:
 #      linked_in_creds:
 #        api_key: <api_key>
 #        secret_key: <secret_key>
+#      microsoft_sync:
+#        client_id: some_client_id
+#        client_secret: some_client_secret
 #      notification_service_creds:
 #        access_key_id: <access_key_id>
 #        secret_access_key: <secret_access_key>

docker-compose/config/dynamic_settings.yml

@@ -11,8 +11,8 @@ development:
     canvas:
       # prefix
       address-book:
-        app-host: "http://address-book.docker"
-        secret: "opensesame"
+        app-host: 'http://address-book.docker'
+        secret: 'opensesame'
       live_events.yml: |-
         aws_endpoint: http://kinesis.canvaslms.docker
         kinesis_stream_name: live-events
@@ -20,17 +20,14 @@ development:
         aws_secret_access_key_dec: secret
         # stub_credentials: true # can be used in dev to print creds to stdout
       live-events-subscription-service:
-        app-host: "http://les.docker"
+        app-host: 'http://les.docker'
         sad-panda: null
       math-man:
-        base_url: "http://mathman.docker"
-        use_for_svg: "false"
-        use_for_mml: "false"
-      microsoft-sync:
-        client-id: some_client_id
-        client-secret: some_client_secret
+        base_url: 'http://mathman.docker'
+        use_for_svg: 'false'
+        use_for_mml: 'false'
       rich-content-service:
-        app-host: "http://rce.canvas.docker:3000"
+        app-host: 'http://rce.canvas.docker:3000'
     # another service
     pandata:
       ios-pandata-key: IOS_pandata_key

lib/microsoft_sync/login_service.rb

@@ -50,6 +50,8 @@ module MicrosoftSync
 
       # Returns JSON returned from endpoint, including 'access_token' and 'expires_in'
       def new_token(tenant)
+        raise ArgumentError, "MicrosoftSync not configured" unless client_id && client_secret
+
         headers = { "Content-Type" => "application/x-www-form-urlencoded" }
         body = {
           scope: "https://graph.microsoft.com/.default",
@@ -113,18 +115,17 @@ module MicrosoftSync
       end
 
       def client_id
-        settings["client-id"]
+        settings[:client_id]
       end
 
       private
 
       def settings
-        DynamicSettings.find("microsoft-sync") or
-          raise ArgumentError, "MicrosoftSync not configured"
+        Rails.application.credentials&.microsoft_sync&.with_indifferent_access || {}
       end
 
       def client_secret
-        settings["client-secret"]
+        settings[:client_secret]
       end
     end
   end

spec/lib/microsoft_sync/login_service_spec.rb

@@ -29,8 +29,7 @@ describe MicrosoftSync::LoginService do
 
     context "when not configured" do
       before do
-        allow(DynamicSettings).to receive(:find).with(any_args).and_call_original
-        allow(DynamicSettings).to receive(:find).with("microsoft-sync").and_return(nil)
+        allow(Rails.application.credentials).to receive(:microsoft_sync).and_return(nil)
       end
 
       it 'returns an error "MicrosoftSync not configured"' do
@@ -45,16 +44,14 @@ describe MicrosoftSync::LoginService do
 
       before do
         allow(InstStatsd::Statsd).to receive(:increment)
+        allow(Rails.application.credentials).to receive(:microsoft_sync).and_return({
+                                                                                      client_id: "theclientid",
+                                                                                      client_secret: "thesecret"
+                                                                                    })
       end
 
       context "when Microsoft returns a response" do
         before do
-          allow(DynamicSettings).to receive(:find).with(any_args).and_call_original
-          allow(DynamicSettings).to receive(:find).with("microsoft-sync").and_return({
-                                                                                       "client-id" => "theclientid",
-                                                                                       "client-secret" => "thesecret"
-                                                                                     })
-
           WebMock.stub_request(
             :post, "https://login.microsoftonline.com/mytenant/oauth2/v2.0/token"
           ).with(