diff --git a/go.mod b/go.mod index 9326766..50235b8 100644 --- a/go.mod +++ b/go.mod @@ -3,10 +3,12 @@ module opendev.org/airship/armada-go go 1.20 require ( + github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb github.com/gin-gonic/gin v1.9.1 github.com/spf13/cobra v1.7.0 github.com/spf13/viper v1.18.2 golang.org/x/sync v0.5.0 + gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.28.4 k8s.io/apiextensions-apiserver v0.28.3 k8s.io/apimachinery v0.28.4 @@ -80,7 +82,6 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index 842a0b3..65b48a7 100644 --- a/go.sum +++ b/go.sum @@ -8,6 +8,8 @@ github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 h1:qSGYFH7+jGhD github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb h1:8JB2G8t3o1iCL8vCzssUj2Nn2qjqSab2/G3xXhvkpPQ= +github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb/go.mod h1:tRj172JgwQmUmEqZZJBWzYWFStitMFTtb95NtUnmpkw= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= diff --git a/pkg/apply/apply.go b/pkg/apply/apply.go index 2f63b57..506f37e 100644 --- a/pkg/apply/apply.go +++ b/pkg/apply/apply.go @@ -21,7 +21,11 @@ import ( "flag" "fmt" "io" + "net/http" + "net/url" + "opendev.org/airship/armada-go/pkg/auth" "os" + "regexp" "strings" "time" @@ -326,10 +330,39 @@ func (c *RunCommand) ValidateManifests() error { func (c *RunCommand) ParseManifests() error { klog.V(5).Infof("parsing manifests started, path: %s", c.Manifests) - f, err := os.Open(c.Manifests) + + var f io.ReadCloser + u, err := url.Parse(c.Manifests) if err != nil { return err } + if u.Scheme == "" { + f, err = os.Open(c.Manifests) + if err != nil { + return err + } + } else if u.Scheme == "deckhand+http" { + reg, err := regexp.Compile("^[^+]+\\+") + if err != nil { + return err + } + deckhandUrl := reg.ReplaceAllString(c.Manifests, "") + req, err := http.NewRequest("GET", deckhandUrl, nil) + if err != nil { + return err + } + token, err := auth.Authenticate() + if err != nil { + return err + } + req.Header.Set("X-Auth-Token", token) + client := &http.Client{} + resp, err := client.Do(req) + if err != nil { + return err + } + f = resp.Body + } defer f.Close() c.airCharts = map[string]*AirshipChart{} diff --git a/pkg/server/auth.go b/pkg/auth/auth.go similarity index 82% rename from pkg/server/auth.go rename to pkg/auth/auth.go index 8ea43e7..e0ee729 100644 --- a/pkg/server/auth.go +++ b/pkg/auth/auth.go @@ -1,9 +1,11 @@ -package server +package auth import ( + "bytes" "encoding/json" "errors" "fmt" + "github.com/spf13/viper" "net/http" "strings" "time" @@ -13,7 +15,7 @@ import ( "opendev.org/airship/armada-go/pkg/log" ) -var Log func(string, ...interface{}) = func(format string, a ...interface{}) { +var Log = func(format string, a ...interface{}) { log.Printf(format, a...) } @@ -287,3 +289,56 @@ func filterIncomingHeaders(req *http.Request) { req.Header.Del("X-User") req.Header.Del("X-Role") } + +func Authenticate() (string, error) { + authUrl := viper.Sub("keystone_authtoken").GetString("auth_url") + username := viper.Sub("keystone_authtoken").GetString("username") + password := viper.Sub("keystone_authtoken").GetString("password") + projectDomainName := viper.Sub("keystone_authtoken").GetString("project_domain_name") + projectName := viper.Sub("keystone_authtoken").GetString("project_name") + userDomainName := viper.Sub("keystone_authtoken").GetString("user_domain_name") + + jsonData := []byte(fmt.Sprintf(`{ + "auth": { + "identity": { + "methods": ["password"], + "password": { + "user": { + "name": "%s", + "domain": { "id": "%s" }, + "password": "%s" + } + } + }, + "scope": { + "project": { + "name": "%s", + "domain": { "id": "%s" } + } + } + } + }`, username, userDomainName, password, projectName, projectDomainName)) + + req, err := http.NewRequest("POST", authUrl+"/auth/tokens", bytes.NewBuffer(jsonData)) + if err != nil { + return "", err + } + req.Header.Set("Content-Type", "application/json") + + client := &http.Client{} + resp, err := client.Do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + if resp.StatusCode != 201 { + return "", errors.New("http: not authorized") + } + + token := resp.Header.Get("X-Subject-Token") + if token == "" { + return "", errors.New("http: keystone token is empty") + } + + return token, nil +} diff --git a/pkg/server/server.go b/pkg/server/server.go index 652905a..ed28180 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -15,13 +15,18 @@ package server import ( - "net/http" - + "fmt" + policy "github.com/databus23/goslo.policy" "github.com/gin-gonic/gin" "github.com/spf13/viper" - + "gopkg.in/yaml.v3" + "net/http" + "opendev.org/airship/armada-go/pkg/apply" + auth2 "opendev.org/airship/armada-go/pkg/auth" "opendev.org/airship/armada-go/pkg/config" "opendev.org/airship/armada-go/pkg/log" + "os" + "strings" ) // RunCommand phase run command @@ -29,17 +34,53 @@ type RunCommand struct { Factory config.Factory } +type JsonDataRequest struct { + Href string `json:"hrefs" binding:"required"` + Overrides []any `json:"overrides"` +} + +func PolicyEnforcer(enforcer *policy.Enforcer, rule string) gin.HandlerFunc { + return func(context *gin.Context) { + ctx := policy.Context{ + Roles: strings.Split(context.GetHeader("X-Roles"), ","), + Logger: log.Printf, + } + if enforcer.Enforce(rule, ctx) { + context.Next() + } else { + context.String(401, "oslo policy error") + } + } +} + func Apply(c *gin.Context) { if c.GetHeader("X-Identity-Status") == "Confirmed" { - c.JSON(200, gin.H{ - "message": gin.H{ - "install": []any{}, - "upgrade": []any{}, - "diff": []any{}, - "purge": []any{}, - "protected": []any{}, - }, - }) + if c.ContentType() == "application/json" { + targetManifest := c.Query("target_manifest") + var dataReq JsonDataRequest + if err := c.BindJSON(&dataReq); err != nil { + c.String(500, "internal error", err.Error()) + return + } + + runOpts := apply.RunCommand{Manifests: dataReq.Href, TargetManifest: targetManifest, Out: os.Stdout} + if err := runOpts.RunE(); err != nil { + c.String(500, "apply error", err.Error()) + return + } + + c.JSON(200, gin.H{ + "message": gin.H{ + "install": []any{}, + "upgrade": []any{}, + "diff": []any{}, + "purge": []any{}, + "protected": []any{}, + }, + }) + } else { + c.Status(500) + } } else { c.Status(401) } @@ -66,7 +107,7 @@ func Releases(c *gin.Context) { if c.GetHeader("X-Identity-Status") == "Confirmed" { c.JSON(200, gin.H{ "releases": gin.H{ - "ucp": []string{"clcp-ucp-armada"}, + "ucp": []string{}, }, }) } else { @@ -88,11 +129,27 @@ func (c *RunCommand) RunE() error { log.Printf("armada-go server has been started") r := gin.Default() r.Use(gin.Logger()) - auth := New(viper.Sub("keystone_authtoken").GetString("auth_url")) + auth := auth2.New(viper.Sub("keystone_authtoken").GetString("auth_url")) - r.POST("/api/v1.0/apply", auth.Handler(r.Handler()), Apply) - r.POST("/api/v1.0/validatedesign", auth.Handler(r.Handler()), Validate) - r.GET("/api/v1.0/releases", auth.Handler(r.Handler()), Releases) + buf, err := os.ReadFile("/etc/armada/policy.yaml") + if err != nil { + return err + } + + var pol map[string]string + err = yaml.Unmarshal(buf, &pol) + if err != nil { + return fmt.Errorf("in file %q: %w", "policy", err) + } + + enf, err := policy.NewEnforcer(pol) + if err != nil { + return err + } + + r.POST("/api/v1.0/apply", auth.Handler(r.Handler()), PolicyEnforcer(enf, "armada:create_endpoints"), Apply) + r.POST("/api/v1.0/validatedesign", auth.Handler(r.Handler()), PolicyEnforcer(enf, "armada:validate_manifest"), Validate) + r.GET("/api/v1.0/releases", auth.Handler(r.Handler()), PolicyEnforcer(enf, "armada:get_release"), Releases) r.GET("/api/v1.0/health", Health) return r.Run(":8000") }