diff --git a/.version b/.version index 0eed1a2..feaae22 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -1.12.0 +1.13.0 diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ef77c6..50bdd41 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).\ +## [1.13.0] - 2022-06-23 + +### Changed + +- Updated CT and integration tests to hms-test:3.1.0 image as part of Helm test coordination. +- Replaced fake Vault with real Vault in the integration test environment. + ## [1.12.0] - 2022-06-03 ### Changed diff --git a/Dockerfile.test.integration b/Dockerfile.test.integration index b26248c..4b029dd 100644 --- a/Dockerfile.test.integration +++ b/Dockerfile.test.integration @@ -1,6 +1,6 @@ # MIT License # -# (C) Copyright [2020-2021] Hewlett Packard Enterprise Development LP +# (C) Copyright [2020-2022] Hewlett Packard Enterprise Development LP # # Permission is hereby granted, free of charge, to any person obtaining a # copy of this software and associated documentation files (the "Software"), 
@@ -60,22 +60,6 @@ RUN set -ex \ # Setup environment variables. ENV VAULT_SKIP_VERIFY="true" -ARG IN_CRAY_VAULT_JWT_FILE -ARG IN_CRAY_VAULT_ROLE_FILE -ARG IN_SCSD_TEST_K8S_AUTH_URL -ARG IN_SCSD_TEST_VAULT_PKI_URL -ARG IN_SCSD_TEST_VAULT_CA_URL - -ENV CRAY_VAULT_JWT_FILE=${IN_CRAY_VAULT_JWT_FILE} -ENV CRAY_VAULT_ROLE_FILE=${IN_CRAY_VAULT_ROLE_FILE} -ENV SCSD_TEST_K8S_AUTH_URL=${IN_SCSD_TEST_K8S_AUTH_URL} -ENV SCSD_TEST_VAULT_PKI_URL=${IN_SCSD_TEST_VAULT_PKI_URL} -ENV SCSD_TEST_VAULT_CA_URL=${IN_SCSD_TEST_VAULT_CA_URL} - -RUN if [ ! -z ${IN_CRAY_VAULT_JWT_FILE} ]; then mkdir -p `dirname ${IN_CRAY_VAULT_JWT_FILE}` ; echo jwt_xyzzy > ${IN_CRAY_VAULT_JWT_FILE} ; fi - -RUN if [ ! -z $CRAY_VAULT_ROLE_FILE ]; then mkdir -p `dirname ${CRAY_VAULT_ROLE_FILE}` ; echo role_xyzzy > ${CRAY_VAULT_ROLE_FILE} ; fi - RUN set -ex \ && apk -U upgrade \ && apk add --no-cache curl diff --git a/cmd/scsd/scsd.go b/cmd/scsd/scsd.go index 42a0021..273a146 100644 --- a/cmd/scsd/scsd.go +++ b/cmd/scsd/scsd.go @@ -83,18 +83,10 @@ var VaultKeypath string var Running = true var dfltHTTP = false // for testing var caURI string -var vaultCAURL string -var vaultPKIURL string var dfltProtocol = "https" var serviceName = "scsd" var logger *logrus.Logger -//Test stuff -var test_k8sAuthUrl string -var test_vaultJWTFile string -var test_vaultPKIUrl string -var test_vaultCAUrl string - var compCredStore *compcreds.CompCredStore var rfClientLock sync.Mutex @@ -181,8 +173,6 @@ func parseEnvVars() { __env_parse_string("SCSD_SMD_URL", &appParams.SmdURL) __env_parse_bool("SCSD_DEFAULT_HTTP", &dfltHTTP) __env_parse_string("SCSD_CA_URI", &caURI) - __env_parse_string("SCSD_VAULT_CA_URL", &vaultCAURL) - __env_parse_string("SCSD_VAULT_PKI_URL", &vaultPKIURL) //These env vars are for vault and need to be named without SCSD_ //since libraries use them too. 
@@ -198,12 +188,6 @@ func parseEnvVars() { // CRAY_VAULT_JWT_FILE # e.g. /tmp/k8stoken // CRAY_VAULT_ROLE_FILE # e.g. also /tmp/k8stoken - //The following are used only for testing - - __env_parse_string("SCSD_TEST_K8S_AUTH_URL", &test_k8sAuthUrl) - __env_parse_string("SCSD_TEST_VAULT_JWT_FILE", &test_vaultJWTFile) - __env_parse_string("SCSD_TEST_VAULT_PKI_URL", &test_vaultPKIUrl) - __env_parse_string("SCSD_TEST_VAULT_CA_URL", &test_vaultCAUrl) } func setupVault() { 
@@ -328,47 +312,12 @@ func main() { } // For testing. ENV VARS relevant: - // SCSD_TEST_K8S_AUTH_URL - // SCSD_TEST_VAULT_PKI_URL - // SCSD_TEST_VAULT_CA_URL - // SCSD_TEST_VAULT_JWT_FILE - // See also: CRAY_VAULT_JWT_FILE and CRAY_VAULT_ROLE_FILE - - if test_k8sAuthUrl != "" { - logger.Infof("Overriding k8s auth url with: '%s'", test_k8sAuthUrl) - hms_certs.ConfigParams.K8SAuthUrl = test_k8sAuthUrl - } - if test_vaultPKIUrl != "" { - logger.Infof("Overriding PKI url with: '%s'", test_vaultPKIUrl) - hms_certs.ConfigParams.VaultPKIUrl = test_vaultPKIUrl - } - if test_vaultCAUrl != "" { - logger.Infof("Overriding CA url with: '%s'", test_vaultCAUrl) - hms_certs.ConfigParams.VaultCAUrl = test_vaultCAUrl - } - if test_vaultJWTFile != "" { - logger.Infof("Overriding Vault JWT file with: '%s'", test_vaultJWTFile) - hms_certs.ConfigParams.VaultJWTFile = test_vaultJWTFile - } - estr := os.Getenv("CRAY_VAULT_JWT_FILE") - if estr != "" { - logger.Infof("Overriding JWT file with: '%s'", estr) - } - estr = os.Getenv("CRAY_VAULT_ROLE_FILE") - if estr != "" { - logger.Infof("Overriding ROLE file with: '%s'", estr) - } + // CRAY_VAULT_JWT_FILE + // CRAY_VAULT_ROLE_FILE + hms_certs.InitInstance(logger, serviceName) if appParams.LocalMode && (caURI != "") { - if vaultCAURL != "" { - logger.Infof("Setting Vault CA URL to: '%s'", vaultCAURL) - hms_certs.ConfigParams.VaultCAUrl = vaultCAURL - } - if vaultPKIURL != "" { - logger.Infof("Setting Vault PKI URL to: '%s'", vaultPKIURL) - hms_certs.ConfigParams.VaultPKIUrl = vaultPKIURL - } //Set up TRS cert security stuff and register CA chain update callback diff --git a/docker-compose.test.integration.yaml b/docker-compose.test.integration.yaml index 77301af..82ca7cc 100644 --- a/docker-compose.test.integration.yaml +++ b/docker-compose.test.integration.yaml @@ -26,7 +26,6 @@ services: - X_S5_HOST=x0c0s5b0 - X_S5_PORT=80 depends_on: - - cray-scsd - x0c0s0b0 - x0c0s1b0 - x0c0s2b0 
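Review bot: The surviving heading `// For testing. ENV VARS relevant:` now lists `CRAY_VAULT_JWT_FILE` and `CRAY_VAULT_ROLE_FILE`, but after this change those are no longer test-only knobs; they are the production inputs read by hms-securestorage and hms-certs (the comment left in parseEnvVars says exactly that), so the heading is misleading and should read something like `// Vault auth inputs, consumed by hms-securestorage / hms-certs rather than SCSD itself:`. The removed block also logged which JWT and role file were in effect; with it gone the service log no longer records which credential files Vault login used, which makes an environment misconfiguration harder to diagnose. One line before `hms_certs.InitInstance(logger, serviceName)` such as `logger.Infof("Vault JWT file: '%s', role file: '%s'", os.Getenv("CRAY_VAULT_JWT_FILE"), os.Getenv("CRAY_VAULT_ROLE_FILE"))` would preserve that without logging any secret material. The enclosing main() starts and ends outside this hunk.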
@@ -138,37 +137,26 @@ services: build: context: . dockerfile: Dockerfile.test.integration - args: - IN_SCSD_TEST_K8S_AUTH_URL: ${SCSD_TEST_K8S_AUTH_URL} - IN_SCSD_TEST_VAULT_PKI_URL: ${SCSD_TEST_VAULT_PKI_URL} - IN_SCSD_TEST_VAULT_CA_URL: ${SCSD_TEST_VAULT_CA_URL} - IN_CRAY_VAULT_JWT_FILE: ${CRAY_VAULT_JWT_FILE} - IN_CRAY_VAULT_ROLE_FILE: ${CRAY_VAULT_ROLE_FILE} environment: - SCSD_SMD_URL=http://cray-smd:27779/hsm/v2 - SCSD_HTTP_LISTEN_PORT=25309 - SCSD_LOCAL_MODE=true - SCSD_DEFAULT_HTTP=true - SCSD_LOG_LEVEL=TRACE - - VAULT_ENABLE=0 - - IN_SCSD_TEST_K8S_AUTH_URL=:${SCSD_TEST_K8S_AUTH_URL} - - IN_SCSD_TEST_VAULT_PKI_URL=:${SCSD_TEST_VAULT_PKI_URL} - - IN_SCSD_TEST_VAULT_CA_URL=:${SCSD_TEST_VAULT_CA_URL} - - IN_CRAY_VAULT_JWT_FILE=:${CRAY_VAULT_JWT_FILE} - - IN_CRAY_VAULT_ROLE_FILE=:${CRAY_VAULT_ROLE_FILE} + - VAULT_ENABLE=1 + - VAULT_ADDR=http://vault:8200 + - VAULT_TOKEN=hms + - VAULT_KEYPATH=hms-creds + # CRAY_VAULT_* used by hms-securestorage and hms-certs + - CRAY_VAULT_AUTH_PATH=auth/token/create + - CRAY_VAULT_ROLE_FILE=configs/namespace + - CRAY_VAULT_JWT_FILE=configs/token networks: - scsd depends_on: - cray-smd - - fake-vault - - fake-vault: - build: - context: test/integration - dockerfile: Dockerfile.fake-vault - hostname: fake-vault - networks: - - scsd + - vault + - vault-kv-enabler vault: hostname: vault @@ -183,11 +171,12 @@ services: - scsd vault-kv-enabler: - image: artifactory.algol60.net/csm-docker/stable/vault-kv-enabler:1.13.4 + image: artifactory.algol60.net/csm-docker/stable/vault-kv-enabler:1.18.0 environment: - - VAULT_ADDR=http://${COMPOSE_PROJECT_NAME}_vault_1:8200 + - VAULT_ADDR=http://vault:8200 - VAULT_TOKEN=hms - - KV_STORES=hms-creds + - VAULT_PKI_ENABLE=true + - KV_STORES=hms-creds,secret/certs depends_on: - vault networks: 
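Review bot: `depends_on: - vault-kv-enabler` only waits for the enabler container to start, not for it to finish creating the `hms-creds,secret/certs` stores and enabling PKI (`VAULT_PKI_ENABLE=true` in the next hunk), so cray-scsd can start and talk to Vault before the `pki_common` paths hms-certs now uses exist. If the compose version driven by runIntegration.sh supports the long form, `vault-kv-enabler: { condition: service_completed_successfully }` makes that ordering explicit; otherwise the test is relying on retry behaviour inside hms_certs, and that dependence deserves a comment in the file. `VAULT_TOKEN=hms` is the dev-server root token already shared with cray-smd, which is fine for a throwaway compose network, but a `# dev Vault root token, integration test only` comment beside it keeps the value from being copied into other environments.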
@@ -202,7 +191,7 @@ services: - CRAY_VAULT_AUTH_PATH=auth/token/create - CRAY_VAULT_ROLE_FILE=configs/namespace - CRAY_VAULT_JWT_FILE=configs/token - - VAULT_ADDR=http://${COMPOSE_PROJECT_NAME}_vault_1:8200 + - VAULT_ADDR=http://vault:8200 - VAULT_TOKEN=hms - VAULT_KEYPATH=hms-creds - SMD_WVAULT=true diff --git a/go.mod b/go.mod index b165904..a14a054 100644 --- a/go.mod +++ b/go.mod @@ -4,9 +4,9 @@ go 1.16 require ( github.com/Cray-HPE/hms-base v1.15.1 - github.com/Cray-HPE/hms-certs v1.3.2 - github.com/Cray-HPE/hms-compcredentials v1.11.2 - github.com/Cray-HPE/hms-securestorage v1.12.2 + github.com/Cray-HPE/hms-certs v1.4.0 + github.com/Cray-HPE/hms-compcredentials v1.11.3 + github.com/Cray-HPE/hms-securestorage v1.13.0 github.com/Cray-HPE/hms-trs-app-api v1.6.2 github.com/gorilla/mux v1.8.0 github.com/sirupsen/logrus v1.8.1 diff --git a/go.sum b/go.sum index 3762374..587f6ed 100644 --- a/go.sum +++ b/go.sum 
@@ -5,10 +5,16 @@ github.com/Cray-HPE/hms-base v1.15.1 h1:+f9cl9BsDWvewvGBPzinmBSU//I7yhwaSUTaNUwx github.com/Cray-HPE/hms-base v1.15.1/go.mod h1:+G8KFLPtanLC5lQ602hrf3MDfLTmIXedTavVCOdz5XA= github.com/Cray-HPE/hms-certs v1.3.2 h1:Prd7PTwiSMULYuL8bhsvw7LSICx+pSvpWlA9fQKvW9s= github.com/Cray-HPE/hms-certs v1.3.2/go.mod h1:6DymilWScLtbQkaQRMuf55K1MzEi0kYCoXfT212yLjY= +github.com/Cray-HPE/hms-certs v1.4.0 h1:ZyQ50B1e2P81Y7PCbfSFW6O1F0Behi0spScwR6GAM04= +github.com/Cray-HPE/hms-certs v1.4.0/go.mod h1:4/NBEi9SWhWxWkZwhk2WDFxQDyXU6PCN5BAr7ejuWLE= github.com/Cray-HPE/hms-compcredentials v1.11.2 h1:Ug7e7vMSx1STHKkniWY27ddD1X49pQAEljQmTcVkng4= github.com/Cray-HPE/hms-compcredentials v1.11.2/go.mod h1:tmurR+zsOtB61n6j3GlEfsl7wmNIAGJqErFymOUb0Hw= +github.com/Cray-HPE/hms-compcredentials v1.11.3 h1:y3VwLBby2b+pVUxVjiZUpsvPK5pspXr3w4pxeh/D35s= +github.com/Cray-HPE/hms-compcredentials v1.11.3/go.mod h1:tmurR+zsOtB61n6j3GlEfsl7wmNIAGJqErFymOUb0Hw= github.com/Cray-HPE/hms-securestorage v1.12.2 h1:H5n0i6ldzewd5p7PI2Hktr/+9cYfSCui+0367p2L6n8= github.com/Cray-HPE/hms-securestorage v1.12.2/go.mod h1:P4CMKqQVlx/lv+AdyEjNQubZw2FKNyo/IAtFNgQ3VuI= +github.com/Cray-HPE/hms-securestorage v1.13.0 h1:ut6z9TMtCzL902f9NPxcbtkkDuk9zbX6E30pP8j3k6Q= +github.com/Cray-HPE/hms-securestorage v1.13.0/go.mod h1:P4CMKqQVlx/lv+AdyEjNQubZw2FKNyo/IAtFNgQ3VuI= github.com/Cray-HPE/hms-trs-app-api v1.6.2 h1:yzf2E+8QM0+S7AFc47JIyu4yTLM/HKvY1BHtdGSEXFY= github.com/Cray-HPE/hms-trs-app-api v1.6.2/go.mod h1:RbB2pYCrZ5N3d0ho4nzTAz9ifI2GYpAdf4Qeco748KQ= github.com/Cray-HPE/hms-trs-kafkalib v1.5.2 h1:MhV6SE0HmEcMnuAb/dVclfXd+49udbVCYr2ze0CDXoI= diff --git a/runCT.sh b/runCT.sh index d5285c4..2ddab3e 100755 --- a/runCT.sh +++ b/runCT.sh @@ -25,6 +25,11 @@ # set -x +# Add .exe if running in a WSL environment +if $(uname -r | grep -q "Microsoft"); then + shopt -s expand_aliases + alias docker-compose=docker-compose.exe +fi # Configure docker compose export COMPOSE_PROJECT_NAME=$RANDOM 
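Review bot: `if $(uname -r | grep -q "Microsoft"); then` runs the (empty) output of the pipeline as a command and only works because bash falls back to the last command substitution's exit status when no command name results from expansion; the intended form is `if uname -r | grep -qi microsoft; then`. The `-i` matters as well: WSL2 kernels typically report a lowercase `microsoft-standard-WSL2` string, so as far as I can tell the case-sensitive match would only detect WSL1 hosts. The same construct is added to runIntegration.sh in the next hunk and should receive the same fix.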
@@ -33,9 +38,10 @@ export COMPOSE_FILE=docker-compose.test.ct.yaml echo "COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}" echo "COMPOSE_FILE: $COMPOSE_FILE" +args="-f $COMPOSE_FILE -p $COMPOSE_PROJECT_NAME" function cleanup() { - docker-compose down + docker-compose $args down if ! [[ $? -eq 0 ]]; then echo "Failed to decompose environment!" exit 1 @@ -46,12 +52,12 @@ function cleanup() { # Get the base containers running echo "Starting containers..." -docker-compose build --no-cache -docker-compose up -d cray-scsd -docker-compose up -d ct-tests-functional-wait-for-smd +docker-compose $args build --no-cache +docker-compose $args up -d cray-scsd +docker-compose $args up -d ct-tests-functional-wait-for-smd docker wait ${COMPOSE_PROJECT_NAME}_ct-tests-functional-wait-for-smd_1 docker logs ${COMPOSE_PROJECT_NAME}_ct-tests-functional-wait-for-smd_1 -docker-compose up --exit-code-from ct-tests-smoke ct-tests-smoke +docker-compose $args up --exit-code-from ct-tests-smoke ct-tests-smoke test_result=$? echo "Cleaning up containers..." if [[ $test_result -ne 0 ]]; then diff --git a/runIntegration.sh b/runIntegration.sh index 920d5d9..78dd8df 100755 --- a/runIntegration.sh +++ b/runIntegration.sh @@ -24,6 +24,12 @@ set -x +# Add .exe if running in a WSL environment +if $(uname -r | grep -q "Microsoft"); then + shopt -s expand_aliases + alias docker-compose=docker-compose.exe +fi + # Configure docker compose export COMPOSE_PROJECT_NAME=${RANDOM} export COMPOSE_FILE="docker-compose.test.integration.yaml" 
@@ -33,16 +39,10 @@ export LOG_FILE="scsd-integration-test-${COMPOSE_PROJECT_NAME}.logs" echo "COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}" echo "COMPOSE_FILE: ${COMPOSE_FILE}" -# Configure SCSD for docker compose test environment -export SCSD_TEST_K8S_AUTH_URL="http://${COMPOSE_PROJECT_NAME}_fake-vault_1:8200/v1/auth/kubernetes/login" -export SCSD_TEST_VAULT_PKI_URL="http://${COMPOSE_PROJECT_NAME}_fake-vault_1:8200/v1/pki_common/issue/pki-common" -export SCSD_TEST_VAULT_CA_URL="http://${COMPOSE_PROJECT_NAME}_fake-vault_1:8200/v1/pki_common/ca_chain" -export CRAY_VAULT_JWT_FILE="/tmp/k8stoken" -export CRAY_VAULT_ROLE_FILE="/tmp/k8stoken" - +args="-f $COMPOSE_FILE -p $COMPOSE_PROJECT_NAME" function cleanup() { - docker-compose down + docker-compose $args down if [[ $? -ne 0 ]]; then echo "Failed to decompose environment!" exit 1 @@ -53,16 +53,16 @@ function cleanup() { # Get the base containers running echo "Starting containers..." -docker-compose build --build-arg SCSD_VERSION=${SCSD_VERSION} -docker-compose up -d cray-scsd -docker-compose up --exit-code-from integration-tests integration-tests +docker-compose $args build --build-arg SCSD_VERSION=${SCSD_VERSION} +docker-compose $args up -d cray-scsd +docker-compose $args up --exit-code-from integration-tests integration-tests test_result=$? # Clean up echo "Cleaning up containers..." if [[ $test_result -ne 0 ]]; then - docker-compose logs > ${LOG_FILE} 2>&1 + docker-compose $args logs > ${LOG_FILE} 2>&1 echo "=================================================" echo "LOGS:" cat ${LOG_FILE} diff --git a/test/ct/Dockerfile b/test/ct/Dockerfile index fe5eed0..a23a9e4 100644 --- a/test/ct/Dockerfile +++ b/test/ct/Dockerfile @@ -20,7 +20,7 @@ # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR # OTHER DEALINGS IN THE SOFTWARE. -FROM artifactory.algol60.net/csm-docker/stable/hms-test:3.0.0 +FROM artifactory.algol60.net/csm-docker/stable/hms-test:3.1.0 COPY smoke/ /src/app #COPY functional/ /src/app 
diff --git a/test/integration/Dockerfile b/test/integration/Dockerfile index b5a9721..d7e7de1 100644 --- a/test/integration/Dockerfile +++ b/test/integration/Dockerfile @@ -64,4 +64,6 @@ ENV X_S3_PORT=${IN_X_S3_PORT} ENV X_S4_PORT=${IN_X_S4_PORT} ENV X_S5_PORT=${IN_X_S5_PORT} +WORKDIR /usr/local/bin + CMD ["sh", "-c", "runit.sh"] diff --git a/test/integration/Dockerfile.fake-vault b/test/integration/Dockerfile.fake-vault deleted file mode 100644 index 481e46b..0000000 --- a/test/integration/Dockerfile.fake-vault +++ /dev/null 
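Review bot: `WORKDIR /usr/local/bin` makes the program directory the working directory for the whole test run, so any relative-path scratch files the scripts write (hsmLoad.sh in this diff does `curl -D hout` and `cat hout`) end up inside /usr/local/bin. If the intent is only to make `runit.sh` resolvable, it is already found via PATH from that directory; if the scripts need their siblings in the working directory, a dedicated location such as `WORKDIR /src/app` with the scripts copied there keeps scratch data out of the binary directory. Presumably runit.sh invokes the other scripts by bare name, but it is not visible here, so treat this as a question rather than a defect.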
@@ -1,49 +0,0 @@ -# MIT License -# -# (C) Copyright [2020-2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Dockerfile for building HMS fake Vault daemon for testing. -# Author: mpkelly -# Date: 11-August 2020 - -# Base image contains everything needed for Go building, just build. - -FROM artifactory.algol60.net/docker.io/library/golang:1.16-alpine AS builder - -RUN go env -w GO111MODULE=auto - -COPY fake-vault.go ${GOPATH}/src/fake-vault/ - -RUN set -ex && go build -v -i -o /usr/local/bin/fake-vault fake-vault - -### Final Stage ### - -FROM artifactory.algol60.net/csm-docker/stable/docker.io/library/alpine:3.15 -LABEL maintainer="Hewlett Packard Enterprise" -STOPSIGNAL SIGTERM - -# Copy the final binary. - -COPY --from=builder /usr/local/bin/fake-vault /usr/local/bin - -# Run the fake Vault daemon - -CMD ["sh", "-c", "fake-vault"] 
diff --git a/test/integration/fake-vault.go b/test/integration/fake-vault.go deleted file mode 100644 index a3cfa9d..0000000 --- a/test/integration/fake-vault.go +++ /dev/null 
@@ -1,217 +0,0 @@ -// MIT License -// -// (C) Copyright [2020-2021] Hewlett Packard Enterprise Development LP -// -// Permission is hereby granted, free of charge, to any person obtaining a -// copy of this software and associated documentation files (the "Software"), -// to deal in the Software without restriction, including without limitation -// the rights to use, copy, modify, merge, publish, distribute, sublicense, -// and/or sell copies of the Software, and to permit persons to whom the -// Software is furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included -// in all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -// THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -// OTHER DEALINGS IN THE SOFTWARE. 
- -package main - -import ( - "encoding/json" - "net/http" - "log" - "io/ioutil" - "os" - "strings" -) - - -type vaultTokStuff struct { - Auth vtsAuth `json:"auth"` -} - -type vtsAuth struct { - ClientToken string `json:"client_token"` -} - -type vaultCertReq struct { - CommonName string `json:"common_name"` - TTL string `json:"ttl"` - AltNames string `json:"alt_names"` -} - -type VaultCertData struct { - RequestID string `json:"request_id"` - LeaseID string `json:"lease_id"` - Renewable bool `json:"renewable"` - LeaseDuration int `json:"lease_duration"` - Data CertInfo `json:"data"` -} - -type CertInfo struct { - CAChain []string `json:"ca_chain"` - Certificate string `json:"certificate"` - Expiration int `json:"expiration"` - IssuingCA string `json:"issuing_ca"` - PrivateKey string `json:"private_key"` - PrivateKeyType string `json:"private_key_type"` - SerialNumber string `json:"serial_number"` -} - - -func k8sLogin(w http.ResponseWriter, r *http.Request) { - if (r.Method != "POST") { - log.Printf("ERROR: request is not a POST.\n") - w.WriteHeader(http.StatusMethodNotAllowed) - return - } - - _,err := ioutil.ReadAll(r.Body) - if (err != nil) { - log.Printf("ERROR reading req body: %v",err) - w.WriteHeader(http.StatusInternalServerError) - return - } - - //Don't care about the request data. Just gin up the response. 
- - jdata := vaultTokStuff{Auth: vtsAuth{ClientToken: "CLIENT_TOKEN",},} - ba,baerr := json.Marshal(&jdata) - if (baerr != nil) { - log.Printf("ERROR marshalling rsp data: %v",baerr) - w.WriteHeader(http.StatusInternalServerError) - return - } - w.Header().Set("Content-Type","application/json") - w.WriteHeader(http.StatusOK) - w.Write(ba) -} - -func pkiCerts(w http.ResponseWriter, r *http.Request) { - var jdata vaultCertReq - var pkiDataStr = ` -{ - "request_id": "dead1562-4a3c-6828-9951-d85d1997e0ce", - "lease_id": "", - "renewable": false, - "lease_duration": 0, - "data": { - "ca_chain": [ - "-----BEGIN CERTIFICATE-----\naaa\n-----END CERTIFICATE-----", - "-----BEGIN CERTIFICATE-----\nbbb\n-----END CERTIFICATE-----" - ], - "certificate": "-----BEGIN CERTIFICATE-----\nccc\n-----END CERTIFICATE-----", - "expiration": 1627423464, - "issuing_ca": "-----BEGIN CERTIFICATE-----\nddd\n-----END CERTIFICATE-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\neee\n-----END RSA PRIVATE KEY-----", - "private_key_type": "rsa", - "serial_number": "4f:fe:98:c2:0d:d4:1e:bb:50:75:8b:94:fe:b9:48:89:b6:d4:7f:86" - }, - "wrap_info": null, - "warnings": null, - "auth": null -}` - - - if (r.Method != "POST") { - log.Printf("ERROR: request is not a POST.\n") - w.WriteHeader(http.StatusMethodNotAllowed) - return - } - - body,err := ioutil.ReadAll(r.Body) - if (err != nil) { - log.Printf("ERROR reading req body: %v",err) - w.WriteHeader(http.StatusInternalServerError) - return - } - - err = json.Unmarshal(body,&jdata) - if (err != nil) { - log.Printf("ERROR un-marshalling req data: %v",err) - w.WriteHeader(http.StatusInternalServerError) - return - } - - if (jdata.CommonName == "") { - log.Printf("ERROR: Cert request has no common name.") - w.WriteHeader(http.StatusBadRequest) - return - } - if (jdata.TTL == "") { - log.Printf("ERROR: Cert request has no TTL.") - w.WriteHeader(http.StatusBadRequest) - return - } - if (jdata.AltNames == "") { - log.Printf("ERROR: Cert request has no 
SANs.") - w.WriteHeader(http.StatusBadRequest) - return - } - - log.Printf("Cert Req: CommonName: '%s'",jdata.CommonName) - log.Printf("Cert Req: TTL: '%s'",jdata.TTL) - log.Printf("Cert Req: AltNames: '%s'",jdata.AltNames) - - //Send back the fake cert data - - rstr := strings.Replace(pkiDataStr,"aaa",(jdata.CommonName+"aaa"),-1) - rstr = strings.Replace(rstr,"bbb",(jdata.CommonName+"bbb"),-1) - rstr = strings.Replace(rstr,"ccc",(jdata.CommonName+"ccc"),-1) - rstr = strings.Replace(rstr,"ddd",(jdata.CommonName+"ddd"),-1) - rstr = strings.Replace(rstr,"eee",(jdata.CommonName+"eee"),-1) - - w.Header().Set("Content-Type","application/json") - w.WriteHeader(http.StatusOK) - w.Write([]byte(rstr)) -} - -func pkiCAChain(w http.ResponseWriter, r *http.Request) { - if (r.Method != "GET") { - log.Printf("ERROR: request is not a GET.\n") - w.WriteHeader(http.StatusMethodNotAllowed) - return - } - - caChainStr := `-----BEGIN CERTIFICATE-----\n11223344\n55667788\n-----END CERTIFICATE-----\n` - - //w.Header().Set("Content-Type","application/json") - w.WriteHeader(http.StatusOK) - w.Write([]byte(caChainStr)) -} - -func main() { - port := ":8200" - envstr := os.Getenv("PORT") - if (envstr != "") { - port = envstr - if (!strings.Contains(port,":")) { - port = ":" + port - } - } - - urlFront := "http://10.0.2.15"+port - - klogURL := "/v1/auth/kubernetes/login" - pkiCertURL := "/v1/pki_common/issue/pki-common" - caChainURL := "/v1/pki_common/ca_chain" - http.HandleFunc(klogURL,k8sLogin) - http.HandleFunc(pkiCertURL,pkiCerts) - http.HandleFunc(caChainURL,pkiCAChain) - - log.Printf("Listening on: %s",urlFront) - log.Printf("URLs: %s",klogURL) - log.Printf(" %s",pkiCertURL) - log.Printf(" %s",caChainURL) - - srv := &http.Server{Addr: port,} - srv.ListenAndServe() -} - - diff --git a/test/integration/hsmLoad.sh b/test/integration/hsmLoad.sh index 6f501ef..a44b0e8 100755 --- a/test/integration/hsmLoad.sh +++ b/test/integration/hsmLoad.sh 
@@ -58,5 +58,22 @@ if (( scode != 201 )); then exit 1 fi +echo "RedfishEndpoints:" +cat hout + +for i in $(seq 0 5); do + pldx='{"ID":"X_S'${i}'_HOST", "Type":"NodeBMC", "Hostname":"10.10.255.'${i}'", "Domain":"local", "FQDN":"10.10.255.'${i}'", "Enabled":true, "UUID":"d4c6d22f-6983-42d8-8e6e-e1fd6d675c1'${i}'", "User":"root", "Password":"********", "RediscoverOnUpdate":true, "DiscoveryInfo":{"LastDiscoveryStatus":"DiscoverOK"}}' + pld=`portFix "$pldx"` + + curl -D hout -X POST -d "$pld" http://${HSM}/hsm/v2/Inventory/RedfishEndpoints + echo " " + + scode=`cat hout | grep HTTP | awk '{print $2}'` + if (( scode != 201 )); then + echo "Bad status code from HSM redfish endpoint load: ${scode}" + exit 1 + fi +done + exit 0 diff --git a/vendor/github.com/Cray-HPE/hms-certs/LICENSE b/vendor/github.com/Cray-HPE/hms-certs/LICENSE index e49c916..3b3a173 100644 --- a/vendor/github.com/Cray-HPE/hms-certs/LICENSE +++ b/vendor/github.com/Cray-HPE/hms-certs/LICENSE @@ -1,4 +1,6 @@ -(C) Copyright [2020-2021] Hewlett Packard Enterprise Development LP +MIT License + +(C) Copyright [2021] Hewlett Packard Enterprise Development LP Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), @@ -17,3 +19,4 @@ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + diff --git a/vendor/github.com/Cray-HPE/hms-certs/pkg/hms_certs/certs.go b/vendor/github.com/Cray-HPE/hms-certs/pkg/hms_certs/certs.go index ad7c9e1..04abff4 100644 --- a/vendor/github.com/Cray-HPE/hms-certs/pkg/hms_certs/certs.go +++ b/vendor/github.com/Cray-HPE/hms-certs/pkg/hms_certs/certs.go 
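Review bot: The status check in the new loop recovers the code by parsing the `-D hout` header dump with `cat hout | grep HTTP | awk '{print $2}'`, which breaks if the dump contains more than one line matching HTTP (`scode` becomes two words and `(( scode != 201 ))` aborts with a syntax error instead of a verdict) and depends on `hout` being rewritten on every iteration. Asking curl for the code directly is simpler and degrades cleanly, since a transport failure yields `000` and fails the 201 check: `scode=$(curl -s -o /dev/null -w '%{http_code}' -X POST -d "$pld" "http://${HSM}/hsm/v2/Inventory/RedfishEndpoints")`. The context lines above the hunk use the same header-dump pattern, so changing both keeps the script consistent; `portFix` is defined outside this hunk.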
@@ -1,6 +1,6 @@ // MIT License // -// (C) Copyright [2020-2021] Hewlett Packard Enterprise Development LP +// (C) Copyright [2020-2022] Hewlett Packard Enterprise Development LP // // Permission is hereby granted, free of charge, to any person obtaining a // copy of this software and associated documentation files (the "Software"), @@ -29,7 +29,6 @@ import ( "fmt" "net/http" "net/url" - "encoding/json" "io" "io/ioutil" "os" @@ -63,11 +62,12 @@ type vtsAuth struct { } // Used to create certs - +// hms-securestorage uses the mapstructure pkg for decoding structs into the map[string]interface{} +// type needed for the Vault API. The 'mapstructure' tag ensures that the field names are correct. type vaultCertReq struct { - CommonName string `json:"common_name"` - TTL string `json:"ttl"` - AltNames string `json:"alt_names"` + CommonName string `json:"common_name" mapstructure:"common_name"` + TTL string `json:"ttl" mapstructure:"ttl"` + AltNames string `json:"alt_names" mapstructure:"alt_names"` } type VaultCertData struct { @@ -135,12 +135,11 @@ type HTTPClientPair struct { // change them unless you know what you're doing!! type Config struct { - K8SAuthUrl string //Defaults to k8sAuthURL - VaultPKIUrl string //Defaults to vaultPKIURL - VaultCAUrl string //Defaults to vaultCAURL VaultKeyBase string //Defaults to vaultKeyBase - VaultJWTFile string //Defaults to k8sJWTFile CertKeyBasePath string //Defaults to certKeyBasePath + VaultPKIBase string //Defaults to vaultPKIBase + PKIPath string //Defaults to pkiPath + CAChainPath string //Defaults to caPath LogInsecureFailover bool //Defaults to true } 
@@ -158,14 +157,14 @@ const ( // Constants used within this package const ( - k8sJWTFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" - k8sAuthURL = "http://cray-vault.vault:8200/v1/auth/kubernetes/login" - vaultPKIURL = "http://cray-vault.vault:8200/v1/pki_common/issue/pki-common" - vaultCAURL = "http://cray-vault.vault:8200/v1/pki_common/ca_chain" vaultKeyBase = "secret" certKeyBasePath = "certs" + vaultPKIBase = "pki_common" + pkiPath = "issue/pki-common" + caChainPath = "ca_chain" + maxCabChassis = 8 maxChassisSlot = 8 maxRVChassisSlot = 64 @@ -178,19 +177,17 @@ const ( // variables which affect the way Vault works, and they are global to the // application: // -// CRAY_VAULT_JWT_FILE # The file containing the access token. Defaults -// # to the constant k8sJWTfile. +// CRAY_VAULT_JWT_FILE # The file containing the access token. // CRAY_VAULT_ROLE_FILE # Namespace file. Default is /var/run/secrets/kubernetes.io/serviceaccount/namespace // CRAY_VAULT_AUTH_PATH # Vault URL tail for k8s logins. Default is // # /auth/kubernetes/login // VAULT_ADDR # URL of Vault, default is http://cray-vault.vault:8200 -var ConfigParams = Config{K8SAuthUrl: k8sAuthURL, - VaultPKIUrl: vaultPKIURL, - VaultCAUrl: vaultCAURL, - VaultKeyBase: vaultKeyBase, - VaultJWTFile: k8sJWTFile, +var ConfigParams = Config{VaultKeyBase: vaultKeyBase, CertKeyBasePath: certKeyBasePath, + VaultPKIBase: vaultPKIBase, + PKIPath: pkiPath, + CAChainPath: caChainPath, LogInsecureFailover: true, } 
@@ -332,77 +329,12 @@ func CAUpdateUnregister(uri string) error { return nil } -//Convenience function to fetch HTTP client for internal use. - -func getHTTPClient() *http.Client { - if (__httpClient == nil) { - __httpTransport = &http.Transport{TLSClientConfig: - &tls.Config{InsecureSkipVerify: true}, - } - __httpClient = &http.Client{Transport: __httpTransport, - Timeout: (3 * time.Second), - } - } - return __httpClient -} - // Given a raw key, massage it into a proper vault key (prepend path). func vaultKey(raw string) string { return path.Join(ConfigParams.CertKeyBasePath,raw) } -// Fetch the vault access token. - -func getVaultToken() (string,error) { - //Get access to vault. Start by reading the svc acct token file. - - jwtFile := os.Getenv(sstorage.EnvVaultJWTFile) - if (jwtFile == "") { - jwtFile = ConfigParams.VaultJWTFile - } - ktoken,kerr := ioutil.ReadFile(jwtFile) - if (kerr != nil) { - return "",fmt.Errorf("ERROR reading k8s token file '%s': %v", - jwtFile,kerr) - } - - client := getHTTPClient() - pld := `{"jwt":"` + string(ktoken) + `","role":"pki-common-direct"}` - req,reqerr := http.NewRequest("POST",ConfigParams.K8SAuthUrl,bytes.NewBuffer([]byte(pld))) - if (reqerr != nil) { - return "", fmt.Errorf("ERROR creating a new request for kubernetes/login: %v", - reqerr) - } - base.SetHTTPUserAgent(req,instName) - defer req.Body.Close() - rsp,rsperr := client.Do(req) - if (rsperr != nil) { - return "",fmt.Errorf("ERROR executing req for kubernetes/login: %v", - rsperr) - } - body,berr := ioutil.ReadAll(rsp.Body) - defer rsp.Body.Close() - - if (rsp.StatusCode != http.StatusOK) { - return "",fmt.Errorf("ERROR bad rsp code from req for kubernetes/login: %d", - rsp.StatusCode) - } - if (berr != nil) { - return "",fmt.Errorf("ERROR can't read rsp body from kubernetes/login: %v", - berr) - } - - var jdata vaultTokStuff - berr = json.Unmarshal(body,&jdata) - if (berr != nil) { - return "",fmt.Errorf("ERROR can't unmarshal rsp body from kubernetes/login: %v", - 
berr) - } - - return jdata.Auth.ClientToken,nil -} - // Given an endpoint and a domain type, generate all possible SANs for a cert. // // endpoint(in): XName of an endpoint in a cert domain, e.g., "x1000" for a @@ -489,56 +421,6 @@ func genAllDomainAltNames(endpoint,domain string) (string,error) { return strings.Join(eps,","),nil } -// Create a cert using the Vault PKI. -// -// reqData(in): Ptr to a certificate creation request. -// vaultToken(in): Token to use for Vault access. -// retData(out): Returned cert from PKI. -// Return: nil on success, error info on error. - -func createTargCerts(reqData *vaultCertReq, vaultToken string, - retData *VaultCertData) error { - client := getHTTPClient() - ba,berr := json.Marshal(reqData) - if (berr != nil) { - return fmt.Errorf("Problem marshalling vault cert request data: %v", - berr) - } - req,reqerr := http.NewRequest("POST",ConfigParams.VaultPKIUrl,bytes.NewBuffer(ba)) - if (reqerr != nil) { - return fmt.Errorf("ERROR creating req for vault cert data: %v", - reqerr) - } - base.SetHTTPUserAgent(req,instName) - req.Header.Set("X-Vault-Token",vaultToken) - rsp,rsperr := client.Do(req) - if (rsperr != nil) { - return fmt.Errorf("ERROR executing req for vault cert data: %v", - rsperr) - } - - body,berr := ioutil.ReadAll(rsp.Body) - defer rsp.Body.Close() - - if (rsp.StatusCode != http.StatusOK) { - return fmt.Errorf("ERROR bad rsp code from req for vault cert data: %d", - rsp.StatusCode) - } - - if (berr != nil) { - return fmt.Errorf("ERROR can't read rsp body from fault cert req: %v", - berr) - } - - berr = json.Unmarshal(body,retData) - if (berr != nil) { - return fmt.Errorf("ERROR can't read rsp body from vault cert req: %v", - berr) - } - - return nil -} - // Given an XName and a separator, get the front part of an XName // // xname(in): Full xname e.g. x1000c1s2b0 
@@ -669,14 +551,14 @@ func CreateCert(endpoints []string, domain string, fqdn string, retData *VaultCertData) error { var vreq vaultCertReq - domName,err := CheckDomain(endpoints,domain) + domName, err := CheckDomain(endpoints, domain) if (err != nil) { return err } - vaultToken,verr := getVaultToken() - if (verr != nil) { - return verr + ss, err := sstorage.NewVaultAdapterAs(ConfigParams.VaultPKIBase, "pki-common-direct") + if (err != nil) { + return fmt.Errorf("ERROR creating secure storage adapter: %v", err) } //Create the request for vault certs @@ -685,29 +567,28 @@ func CreateCert(endpoints []string, domain string, fqdn string, vreq.TTL = "8760h" //1 year TODO: this may change. if (len(endpoints) == 1) { - vreq.AltNames,err = genAllDomainAltNames(domName,domain) + vreq.AltNames, err = genAllDomainAltNames(domName, domain) if (err != nil) { return err } } else { - vreq.AltNames = strings.Join(endpoints,",") + vreq.AltNames = strings.Join(endpoints, ",") } //Append FQDN to each AltName if (fqdn != "") { - npfqdn := strings.TrimLeft(fqdn,".") + npfqdn := strings.TrimLeft(fqdn, ".") fqdn = "." + npfqdn - anames := strings.Split(vreq.AltNames,",") + anames := strings.Split(vreq.AltNames, ",") for ix := 0; ix < len(anames); ix ++ { anames[ix] = anames[ix] + fqdn } - vreq.AltNames = strings.Join(anames,",") + vreq.AltNames = strings.Join(anames, ",") } //Make the call to Vault - - err = createTargCerts(&vreq, vaultToken, retData) + err = ss.StoreWithData(ConfigParams.PKIPath, vreq, retData) if (err != nil) { return err } 
@@ -725,48 +606,27 @@ func CreateCert(endpoints []string, domain string, fqdn string,
 // nil on success, error string on error
 func FetchCAChain(uri string) (string,error) {
+ caChain := ""
 if (uri == VaultCAChainURI) {
- vaultToken,err := getVaultToken()
+ ss, err := sstorage.NewVaultAdapterAs(ConfigParams.VaultPKIBase, "pki-common-direct")
 if (err != nil) {
- return "",err
- }
-
- client := getHTTPClient()
- req,reqerr := http.NewRequest("GET",ConfigParams.VaultCAUrl,nil)
- if (reqerr != nil) {
- return "",fmt.Errorf("ERROR creating req for vault ca chain: %v",
- reqerr)
- }
- base.SetHTTPUserAgent(req,instName)
- req.Header.Set("X-Vault-Token",vaultToken)
- rsp,rsperr := client.Do(req)
- if (rsperr != nil) {
- return "",fmt.Errorf("ERROR executing req for vault ca chain: %v",
- rsperr)
+ return caChain, fmt.Errorf("ERROR creating secure storage adapter: %v", err)
 }
- body,berr := ioutil.ReadAll(rsp.Body)
- defer rsp.Body.Close()
-
- if (rsp.StatusCode != http.StatusOK) {
- return "",fmt.Errorf("ERROR bad rsp code from req for vault ca chain: %d",
- rsp.StatusCode)
- }
-
- if (berr != nil) {
- return "",fmt.Errorf("ERROR can't read rsp body from vault ca chain req: %v",
- berr)
+
+ err = ss.Lookup(ConfigParams.CAChainPath, &caChain)
+ if (err != nil) {
+ return caChain, fmt.Errorf("ERROR fetching CA Chain: %v", err)
 }
-
- return string(body),nil
+ return caChain, nil
 }
 
 //Nope, must be a file (from configmap)
 data,err := ioutil.ReadFile(uri)
 if (err != nil) {
- return "",fmt.Errorf("ERROR reading file '%s': %v",uri,err)
+ return "", fmt.Errorf("ERROR reading file '%s': %v", uri, err)
 }
- return string(data),nil
+ return string(data), nil
 }
 
 // Take a cert/key pair and store it in Vault.
diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/.version b/vendor/github.com/Cray-HPE/hms-compcredentials/.version
index ca71766..0a5af26 100644
--- a/vendor/github.com/Cray-HPE/hms-compcredentials/.version
+++ b/vendor/github.com/Cray-HPE/hms-compcredentials/.version
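Review bot: `return caChain, fmt.Errorf("ERROR creating secure storage adapter: %v", err)` and `return caChain, fmt.Errorf("ERROR fetching CA Chain: %v", err)` return whatever Lookup left in caChain together with the error, unlike the file branch below which returns `""`; returning the empty string on both error paths keeps the (string, error) contract consistent. More importantly, nothing inspects what Lookup decoded: `return caChain, nil` hands an empty string to the caller when the key at ConfigParams.CAChainPath exists but holds nothing usable, whereas the removed HTTP path at least required a 200 response. A guard such as `if caChain == "" { return "", fmt.Errorf("ERROR empty CA chain at %s", ConfigParams.CAChainPath) }` before the success return would make that fail loudly instead of propagating an empty chain. Callers of FetchCAChain are outside this hunk, so whether they validate the chain themselves cannot be confirmed here.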
@@ -1 +1 @@ -1.11.2 +1.11.3 diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/CHANGELOG.md b/vendor/github.com/Cray-HPE/hms-compcredentials/CHANGELOG.md index 6ea55cd..19e988f 100644 --- a/vendor/github.com/Cray-HPE/hms-compcredentials/CHANGELOG.md +++ b/vendor/github.com/Cray-HPE/hms-compcredentials/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.11.3] - 2021-08-09 + +### Changed + +- Added GitHub configuration files + ## [1.11.2] - 2021-07-26 ### Changed diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile b/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile index a79d6b9..5185c91 100644 --- a/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile +++ b/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile @@ -27,7 +27,7 @@ FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base RUN set -ex \ - && apk update \ + && apk -U upgrade \ && apk add build-base # Copy the files in for the next stages to use. diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile.build-base b/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile.build-base index 4a87622..cacaa4a 100644 --- a/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile.build-base +++ b/vendor/github.com/Cray-HPE/hms-compcredentials/Dockerfile.build-base @@ -27,7 +27,7 @@ FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base RUN set -ex \ - && apk update \ + && apk -U upgrade \ && apk add build-base # Copy the files in for the next stages to use. diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/Jenkinsfile b/vendor/github.com/Cray-HPE/hms-compcredentials/Jenkinsfile deleted file mode 100644 index c7fc0e0..0000000 
--- a/vendor/github.com/Cray-HPE/hms-compcredentials/Jenkinsfile +++ /dev/null @@ -1,13 +0,0 @@ -@Library('dst-shared@master') _ - -dockerBuildPipeline { - githubPushRepo = "Cray-HPE/hms-compcredentials" - repository = "cray" - imagePrefix = "hms" - app = "compcredentials" - name = "hms-compcredentials" - description = "Cray HMS compcredentials code." - dockerfile = "Dockerfile" - slackNotification = ["", "", false, false, true, true] - product = "internal" -} diff --git a/vendor/github.com/Cray-HPE/hms-compcredentials/Makefile b/vendor/github.com/Cray-HPE/hms-compcredentials/Makefile index 3f8813b..dbe385b 100644 --- a/vendor/github.com/Cray-HPE/hms-compcredentials/Makefile +++ b/vendor/github.com/Cray-HPE/hms-compcredentials/Makefile @@ -1,11 +1,11 @@ -NAME ?= hms-compcredentials +NAME ?= hms-compcredentials VERSION ?= $(shell cat .version) all : unittest coverage unittest: - docker build --pull ${DOCKER_ARGS} --tag '${NAME}:${VERSION}' . - ./runUnitTest.sh + docker build --pull ${DOCKER_ARGS} --tag '${NAME}:${VERSION}' . + ./runUnitTest.sh coverage: - ./runCoverage.sh + ./runCoverage.sh diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/.version b/vendor/github.com/Cray-HPE/hms-securestorage/.version index 6b89d58..feaae22 100644 --- a/vendor/github.com/Cray-HPE/hms-securestorage/.version +++ b/vendor/github.com/Cray-HPE/hms-securestorage/.version @@ -1 +1 @@ -1.12.2 +1.13.0 diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/CHANGELOG.md b/vendor/github.com/Cray-HPE/hms-securestorage/CHANGELOG.md index 899fd55..3d729a9 100644 --- a/vendor/github.com/Cray-HPE/hms-securestorage/CHANGELOG.md +++ b/vendor/github.com/Cray-HPE/hms-securestorage/CHANGELOG.md 
@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.13.0] - 2022-06-01 + +### Added + +- NewVaultAdapterAs() function to override the login role +- StoreWithData() function to return the response from Vault when doing a store/PUT action. + +## [1.12.3] - 2021-08-10 + +### Changed + +- Updated dockerfile and .github + ## [1.12.2] - 2021-07-21 ### Changed diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile b/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile deleted file mode 100644 index 4516708..0000000 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile +++ /dev/null 
@@ -1,45 +0,0 @@ -# MIT License -# -# (C) Copyright [2019-2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Dockerfile for building HMS securestorage code. Note that this -# image can't be run as these are just packages in this repo. - -# Build base just has the packages installed we need. -FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base - -RUN set -ex \ - && apk update \ - && apk add build-base - -# Copy the files in for the next stages to use. -FROM build-base AS base - -RUN go env -w GO111MODULE=auto - -COPY *.go $GOPATH/src/github.com/Cray-HPE/hms-securestorage/ -COPY vendor $GOPATH/src/github.com/Cray-HPE/hms-securestorage/vendor - -# Now we can build. -FROM base - -RUN set -ex \ - && go build -v github.com/Cray-HPE/hms-securestorage/... 
diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.build-base b/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.build-base deleted file mode 100644 index 005739b..0000000 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.build-base +++ /dev/null 
@@ -1,39 +0,0 @@ -# MIT License -# -# (C) Copyright [2019-2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Dockerfile for creating a base image that can be used -# for other images to do testing, coverage, and building. - -# Build base just has the packages installed we need. -FROM arti.dev.cray.com/baseos-docker-master-local/golang:1.16-alpine3.13 AS build-base - -RUN set -ex \ - && apk update \ - && apk add build-base - -# Copy the files in for the next stages to use. -FROM build-base - -RUN go env -w GO111MODULE=auto - -COPY *.go namespace token $GOPATH/src/github.com/Cray-HPE/hms-securestorage/ -COPY vendor $GOPATH/src/github.com/Cray-HPE/hms-securestorage/vendor diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.coverage b/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.coverage deleted file mode 100644 index 84350c4..0000000 
--- a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.coverage +++ /dev/null @@ -1,29 +0,0 @@ -# MIT License -# -# (C) Copyright [2019-2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Dockerfile for running testing coverage on securestorage HMS code. - -FROM cray/hms-securestorage-build-base - -# Run coverage. -RUN set -ex \ - && go test -cover -v github.com/Cray-HPE/hms-securestorage/... diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.testing b/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.testing deleted file mode 100644 index e1545c0..0000000 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Dockerfile.testing +++ /dev/null 
@@ -1,29 +0,0 @@ -# MIT License -# -# (C) Copyright [2019-2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Dockerfile for testing HMS securestorage code. - -FROM cray/hms-securestorage-build-base - -# Run any tests that might be present. -RUN set -ex \ - && go test -v github.com/Cray-HPE/hms-securestorage/... diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile b/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile deleted file mode 100644 index 9ca01d4..0000000 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile +++ /dev/null 
@@ -1,13 +0,0 @@ -@Library('dst-shared@master') _ - -dockerBuildPipeline { - githubPushRepo = "Cray-HPE/hms-securestorage" - repository = "cray" - imagePrefix = "hms" - app = "securestorage" - name = "hms-securestorage" - description = "Cray HMS securestorage code." - dockerfile = "Dockerfile" - slackNotification = ["", "", false, false, true, true] - product = "internal" -} diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile.github b/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile.github deleted file mode 100644 index d58a021..0000000 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Jenkinsfile.github +++ /dev/null @@ -1,34 +0,0 @@ -@Library('csm-shared-library') _ - -pipeline { - agent { - label "metal-gcp-builder" - } - - options { - buildDiscarder(logRotator(numToKeepStr: "10")) - timestamps() - } - - environment { - NAME = "hms-securestorage" - DESCRIPTION = "Cray Hardware Management System Secure Storage library" - IS_STABLE = getBuildIsStable() - VERSION = getDockerBuildVersion(isStable: env.IS_STABLE) - DOCKER_ARGS = getDockerBuildArgs(name: env.NAME, description: env.DESCRIPTION) - } - - stages { - stage("Run Unit Tests") { - steps { - sh "make unittest" - } - } - - stage("Run Coverage Tests") { - steps { - sh "make coverage" - } - } - } -} diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/Makefile b/vendor/github.com/Cray-HPE/hms-securestorage/Makefile index 32b198b..86b5b14 100644 --- a/vendor/github.com/Cray-HPE/hms-securestorage/Makefile +++ b/vendor/github.com/Cray-HPE/hms-securestorage/Makefile 
@@ -1,11 +1,29 @@ -NAME ?= hms-securestorage -VERSION ?= $(shell cat .version) +# +# MIT License +# +# (C) Copyright 2022 Hewlett Packard Enterprise Development LP +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included +# in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR +# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +# OTHER DEALINGS IN THE SOFTWARE. +# -all : unittest coverage +all: unittest +.PHONY: unittest -unittest: - docker build --pull ${DOCKER_ARGS} --tag '${NAME}:${VERSION}' . - ./runUnitTest.sh - -coverage: - ./runCoverage.sh +unittest: + go test ./... -cover \ No newline at end of file diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/README.md b/vendor/github.com/Cray-HPE/hms-securestorage/README.md new file mode 100644 index 0000000..51fe459 --- /dev/null +++ b/vendor/github.com/Cray-HPE/hms-securestorage/README.md 
@@ -0,0 +1,266 @@ +# Secure Storage Package + +## Overview + +The *hms-securestorage* package is an adapter for access to +Hashicorp Vault. It provides methods for: + +* Adapter initialization, +* Key/value store, fetch, and delete +* K8s and Vault authorization setup +* Methods for more direct interaction with the Vault K/V store (typically not directly used by applications) + +This package is used by the higher-level *hms-compcredentials* package to +further abstract away the details of Vault interactions. + + +## Environment Variables + +This package depends heavily on environment variables to provide various +pieces of configuration information needed by the Hashicorp Vault API. +Fortunately, the defaults suffice for nearly all of them. The variables +are listed below, with explanations of the few that are needed by most +applications: + + +* **VAULT_ADDR** - URL of Hashicorp Vault service, e.g. http://cray-vault.vault:8200 +* **VAULT_SKIP_VERIFY** -- Typically set to 'true' +* **VAULT_TOKEN** -- Specify key space. HMS services set this to 'hms' + +The following are typically set according to defaults generated by a system's +configuration mechanism, including k8s sealed secrets, and are thus available +to and already set in a microservice's environment. + +* **CRAY_VAULT_JWT_FILE** -- Specifies the path of a file containing an access token used for k8s authN/authZ. The default is */var/run/secrets/kubernetes.io/serviceaccount/token*. +* **CRAY_VAULT_ROLE_FILE** -- Specifies the path of a file containing a name space used by k8s. Default is */var/run/secrets/kubernetes.io/serviceaccount/namespace*. +* **CRAY_VAULT_AUTH_PATH** -- Used for k8s access. Default will suffice for production deployments. Default is *auth/kubernetes/login*. In testing environments it can be set to *auth/token/create*. 
+ + +The following are typically not set in HMS services; default values are safe: + +* VAULT_AGENT_ADDR +* VAULT_CACERT +* VAULT_CAPATH +* VAULT_CLIENT_CERT +* VAULT_CLIENT_KEY +* VAULT_CLIENT_TIMEOUT +* VAULT_NAMESPACE +* VAULT_TLS_SERVER_NAME +* VAULT_WRAP_TTL +* VAULT_MAX_RETRIES +* VAULT_MFA +* VAULT_RATE_LIMIT + + +## Adapter Initialization + +Typical usage by applications begins by creating and initializing a Vault +adapter, assuming the environment variables specified above have been set: + +``` +... + ss,err := securestorage.NewVaultAdapter("secret") + if (err != nil) { + log.Printf("Unable to create Vault adapter: %v",err) + } +... +``` + +The string "secret" is a path within the overall key space used by the +application, and is the typical value used by HMS microservices. + +The returned handle can then be used for storing/fetching/deleting key/value +entries. + +## Most-Used Methods + +The following methods are the ones most used by applications. + +``` +// Create a new SecureStorage interface that uses Vault. This connects an +// application to Vault. +func NewVaultAdapter(basePath string) (SecureStorage, error) + + +// Write a value to Vault at the location specified by 'key'. This function +// prepends the basePath. Retries are implemented for token renewal. The +// specified value should not be marshalled or encoded in any way. +func (ss *VaultAdapter) Store(key string, value interface{}) error + + +// Read a value from Vault at the location specified by key. This function +// prepends the basePath. Retries are automatically done for token renewal. +// Note that the resulting value is unmarshalled and returned in the +// 'output' argument. +func (ss *VaultAdapter) Lookup(key string, output interface{}) error { + + +// Get a list of keys that exsist in Vault at the path specified by keyPath. +// This function prepends the basePath. Retries are automatically done for +// token renewal. 
+func (ss *VaultAdapter) LookupKeys(keyPath string) ([]string, error) + + +// Remove a value from Vault at the location specified by key. This function +// prepends the basePath. Retries are implemented for token renewal. +func (ss *VaultAdapter) Delete(key string) error +``` + + +## Lower Level Mechanisms + +In addition to the above typically-used methods there are also lower-level +methods that can be directly used by applications. **Note that these lower-level +mechanisms are used by the higher-level ones outlined above so there is +typically no need to use them.** + + +### K8s Authentication Support + +The following are used for authN support for Kubernetes. + +``` +// AuthConfig struct for vault k8s authentication +type AuthConfig struct { + JWTFile string + RoleFile string + Path string + jwt string + role string +} + + +// ReadEnvironment Update an AuthConfig object with environment variables +// CRAY_VAULT_JWT_FILE +// CRAY_VAULT_ROLE_FILE +// CRAY_VAULT_AUTH_PATH +func (authConfig *AuthConfig) ReadEnvironment() error + + +// LoadJWT save contents of JWT file to the AuthConfig jwt field. This is +// used for manual JWT token refresh. +func (authConfig *AuthConfig) LoadJWT() error + + +// Manually load contents of RoleFile into the role field +func (authConfig *AuthConfig) LoadRole() error + + +// Getter method for auth path key +func (authConfig *AuthConfig) GetAuthPath() string + + +// Generates the args required for generating an auth token +func (authConfig *AuthConfig) GetAuthArgs() map[string]interface{} +``` + +### Low-Level Vault Access + +This package provides a mechanism for a more direct access to the Vault API. +This is generally not used by applications; using it will require code changes +if Vault is ever swapped out for another secure storage system. + +These methods and data structures use the Vault 'api' object directly. 
+ +``` +/////////////////////////////////////////////////////////////////////////////// +// Vault API interface - This interface wraps only a subset of functions for +// api.Client so as to reduce the amount of functions that need to be mocked +// for unit testing. +/////////////////////////////////////////////////////////////////////////////// +type VaultApi interface { + Read(path string) (*api.Secret, error) + Write(path string, data map[string]interface{}) (*api.Secret, error) + Delete(path string) (*api.Secret, error) + List(path string) (*api.Secret, error) + SetToken(t string) +} + +type RealVaultApi struct { + Client *api.Client +} + + +// Create a low-level Vault API object +func NewRealVaultApi(client *api.Client) VaultApi + + +// Apply a JWT token to the low-level Vault +func (v *RealVaultApi) SetToken(t string) + + +// Read a K/V from low-level Vault. Returns a secret record containing the +// key's value. +func (v *RealVaultApi) Read(path string) (*api.Secret, error) + + +// Write a K/V to low-level Vault. Returns the secret record modified by +// the write operation. +func (v *RealVaultApi) Write(path string, data map[string]interface{}) (*api.Secret, error) + + +// Delete a key in low-level Vault. +func (v *RealVaultApi) Delete(path string) (*api.Secret, error) + + +// List all keys in the specified key space. Returns secret record +// containing all keys in the space. +func (v *RealVaultApi) List(path string) (*api.Secret, error) +``` + +## Typical Usage + +Following is an example of the *hms-securestorage* package. Note that this +example is mostly centered around the *hms-compcredentials* package, as that +package is the one predominantly used in HMS services. + +``` +... +import ( + sstorage "github.com/Cray-HPE/hms-securestorage" + compcreds "github.com/Cray-HPE/hms-compcredentials" +) +... 
+
+ // Create the Vault adapter and connect to Vault
+
+ ss, err := sstorage.NewVaultAdapter("secret")
+ if err != nil {
+ return fmt.Errorf("Error: %v", err)
+ }
+
+ // Initialize the CompCredStore struct with the Vault adapter.
+ // Use the 'hms-creds' key space
+
+ ccs := compcreds.NewCompCredStore("hms-creds", ss)
+
+ // Create a new set of credentials for a component.
+
+ compCred := compcreds.CompCredentials{
+ Xname: "x0c0s21b0"
+ URL: "10.4.0.8/redfish/v1/UpdateService"
+ Username: "test"
+ Password: "123"
+ }
+
+ // Store the credentials in the CompCredStore (backed by Vault).
+
+ err = ccs.StoreCompCred(compCred)
+ if err != nil {
+ return fmt.Errorf("Error: %v", err)
+
+ }
+
+ // Read the credentials for a component from the CompCredStore
+ // (backed by Vault).
+
+ var ccred CompCredentials
+ ccred, err = ccs.GetCompCred(compCred.Xname)
+ if err != nil {
+ return fmt.Errorf("Error: %v", err)
+ }
+
+ log.Printf("%v", ccred)
+...
+```
+
diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/mockAdapter.go b/vendor/github.com/Cray-HPE/hms-securestorage/mockAdapter.go
index 3fc765e..a154ccf 100644
--- a/vendor/github.com/Cray-HPE/hms-securestorage/mockAdapter.go
+++ b/vendor/github.com/Cray-HPE/hms-securestorage/mockAdapter.go
@@ -1,6 +1,6 @@
 // MIT License
 //
-// (C) Copyright [2019, 2021] Hewlett Packard Enterprise Development LP
+// (C) Copyright [2019-2022] Hewlett Packard Enterprise Development LP
 //
 // Permission is hereby granted, free of charge, to any person obtaining a
 // copy of this software and associated documentation files (the "Software"),
@@ -41,6 +41,11 @@ type MockStore struct {
 Output OutputStore
 }
 
+type MockStoreWithData struct {
+ Input InputStore
+ Output OutputLookup
+}
+
 type InputLookup struct {
 Key string
 }
@@ -85,6 +90,8 @@ type MockLookupKeys struct {
 type MockAdapter struct {
 StoreNum int
 StoreData []MockStore
+ StoreWDataNum int
+ StoreWData []MockStoreWithData
 LookupNum int
 LookupData []MockLookup
 DeleteNum int
@@ -109,6 +116,21 @@ func (ss *MockAdapter) Store(key string, value interface{}) error {
 return ss.StoreData[i].Output.Err
 }
 
+func (ss *MockAdapter) StoreWithData(key string, value interface{}, output interface{}) error {
+ i := ss.StoreWDataNum
+ if len(ss.StoreWData) <= i {
+ return fmt.Errorf("Unexpected call to MockStoreWithData")
+ }
+ ss.StoreWDataNum++
+ ss.StoreWData[i].Input.Key = key
+ ss.StoreWData[i].Input.Value = value
+ err := mapstructure.Decode(ss.StoreWData[i].Output.Output, output)
+ if err != nil {
+ return err
+ }
+ return ss.StoreWData[i].Output.Err
+}
+
 func (ss *MockAdapter) Lookup(key string, output interface{}) error {
 if len(ss.LookupData) == 0 {
 return fmt.Errorf("Unexpected call to MockLookup: no data")
diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/runCoverage.sh b/vendor/github.com/Cray-HPE/hms-securestorage/runCoverage.sh
deleted file mode 100644
index 621ba10..0000000
--- a/vendor/github.com/Cray-HPE/hms-securestorage/runCoverage.sh
+++ /dev/null
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash -# MIT License -# -# (C) Copyright [2021] Hewlett Packard Enterprise Development LP -# -# Permission is hereby granted, free of charge, to any person obtaining a -# copy of this software and associated documentation files (the "Software"), -# to deal in the Software without restriction, including without limitation -# the rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Software, and to permit persons to whom the -# Software is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included -# in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -# OTHER DEALINGS IN THE SOFTWARE. - -# Build the build base image -docker build -t cray/hms-securestorage-build-base -f Dockerfile.build-base . - -docker build -t cray/hms-securestorage-coverage -f Dockerfile.coverage . diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/runUnitTest.sh b/vendor/github.com/Cray-HPE/hms-securestorage/runSnyk.sh similarity index 59% rename from vendor/github.com/Cray-HPE/hms-securestorage/runUnitTest.sh rename to vendor/github.com/Cray-HPE/hms-securestorage/runSnyk.sh index 607285c..b3f2f27 100644 --- a/vendor/github.com/Cray-HPE/hms-securestorage/runUnitTest.sh +++ b/vendor/github.com/Cray-HPE/hms-securestorage/runSnyk.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#! /bin/bash # MIT License # # (C) Copyright [2021] Hewlett Packard Enterprise Development LP 
@@ -20,8 +20,28 @@ # OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR # OTHER DEALINGS IN THE SOFTWARE. +set -ex +SNYK_OPTS="--dev --show-vulnerable-paths=all --fail-on=all --severity-threshold=${SEVERITY:-high} --skip-unresolved=true --json" -# Build the build base image -docker build -t cray/hms-securestorage-build-base -f Dockerfile.build-base . +OUT=$(set -x; snyk test --all-projects --detection-depth=999 $SNYK_OPTS) -docker build -t cray/hms-securestorage-testing -f Dockerfile.testing . +PROJ_CHECK=OK +jq .[].ok <<<"$OUT" | grep -q false && PROJ_CHECK=FAIL + +echo Snyk project check: $PROJ_CHECK + +DOCKER_CHECK= +if [ -f Dockerfile ]; then + DOCKER_IMAGE=${PWD/*\//}:$(cat .version) + docker build --tag $DOCKER_IMAGE . + OUT=$(set -x; snyk test --docker $DOCKER_IMAGE --file=${PWD}/Dockerfile $SNYK_OPTS) + DOCKER_CHECK=OK + jq .ok <<<"$OUT" | grep -q false && DOCKER_CHECK=FAIL +fi + +echo +echo Snyk project check: $PROJ_CHECK +echo Snyk docker check: $DOCKER_CHECK + +test "$PROJ_CHECK" == OK -a "$DOCKER_CHECK" == OK +exit $? diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/secureStorage.go b/vendor/github.com/Cray-HPE/hms-securestorage/secureStorage.go index 2bee7ca..9c561b6 100644 --- a/vendor/github.com/Cray-HPE/hms-securestorage/secureStorage.go +++ b/vendor/github.com/Cray-HPE/hms-securestorage/secureStorage.go @@ -1,6 +1,6 @@ // MIT License // -// (C) Copyright [2019, 2021] Hewlett Packard Enterprise Development LP +// (C) Copyright [2019-2022] Hewlett Packard Enterprise Development LP // // Permission is hereby granted, free of charge, to any person obtaining a // copy of this software and associated documentation files (the "Software"), 
@@ -24,6 +24,7 @@ package securestorage
 
 type SecureStorage interface {
 Store(key string, value interface{}) error
+ StoreWithData(key string, value interface{}, output interface{}) error
 Lookup(key string, output interface{}) error
 Delete(key string) error
 LookupKeys(keyPath string) ([]string, error)
diff --git a/vendor/github.com/Cray-HPE/hms-securestorage/vaultAdapter.go b/vendor/github.com/Cray-HPE/hms-securestorage/vaultAdapter.go
index 0bb3093..39740e5 100644
--- a/vendor/github.com/Cray-HPE/hms-securestorage/vaultAdapter.go
+++ b/vendor/github.com/Cray-HPE/hms-securestorage/vaultAdapter.go
@@ -1,6 +1,6 @@
 // MIT License
 //
-// (C) Copyright [2019, 2021] Hewlett Packard Enterprise Development LP
+// (C) Copyright [2019-2022] Hewlett Packard Enterprise Development LP
 //
 // Permission is hereby granted, free of charge, to any person obtaining a
 // copy of this software and associated documentation files (the "Software"),
@@ -68,14 +68,14 @@ type VaultAdapter struct {
 AuthConfig *AuthConfig
 BasePath string
 VaultRetry int
+ Role string
 }
 
-// Create a new SecureStorage interface that uses Vault. This connects to
-// vault.
-func NewVaultAdapter(basePath string) (SecureStorage, error) {
+func NewVaultAdapterAs(basePath string, role string) (SecureStorage, error) {
 ss := &VaultAdapter{
 BasePath: basePath,
 VaultRetry: 1,
+ Role: role,
 }
 
 // Get k8s authentication configuration values.
@@ -113,6 +113,12 @@ func NewVaultAdapter(basePath string) (SecureStorage, error) {
 return ss, nil
 }
 
+// Create a new SecureStorage interface that uses Vault. This connects to
+// vault.
+func NewVaultAdapter(basePath string) (SecureStorage, error) {
+ return NewVaultAdapterAs(basePath, "")
+}
+
 // Parse an error into the vault api's ErrorResponse struct.
 func getError(err error) *api.ErrorResponse {
 parsedErr := &api.ErrorResponse{}
@@ -128,6 +134,7 @@ func (ss *VaultAdapter) loadToken() error {
 if err != nil {
 return err
 }
+
 err = ss.AuthConfig.LoadJWT()
 if err != nil {
 return err
@@ -137,6 +144,11 @@ func (ss *VaultAdapter) loadToken() error {
 k8AuthPath := ss.AuthConfig.GetAuthPath()
 k8AuthArgs := ss.AuthConfig.GetAuthArgs()
+ // Apply role override if any
+ if ss.Role != "" {
+ k8AuthArgs["role"] = ss.Role
+ }
+
 secret, err := ss.Client.Write(k8AuthPath, k8AuthArgs)
 if err != nil {
 return err
@@ -191,6 +203,48 @@ func (ss *VaultAdapter) Store(key string, value interface{}) error {
 }
 break
 }
+ return err
+}
+
+// Write a struct to Vault at the location specified by key and return the response.
+// This function prepends the basePath. Retries are implemented for token renewal.
+// Note: Unlike Lookup(), this returns the entire response body. Not just secretValues.Data.
+func (ss *VaultAdapter) StoreWithData(key string, value interface{}, output interface{}) error {
+ var (
+ err error
+ data map[string]interface{}
+ )
+
+ err = mapstructure.Decode(value, &data)
+ if err != nil {
+ return err
+ }
+ path := ss.BasePath + "/" + key
+ for i := 0; i <= ss.VaultRetry; i++ {
+ // Write the data to Vault
+ secretValues, err := ss.Client.Write(path, data)
+ if err != nil {
+ if ss.checkErrForTokenRefresh(err) {
+ // We need to renew the token and then retry
+ if err = ss.loadToken(); err != nil {
+ return err
+ } else {
+ continue
+ }
+ } else {
+
+ return err
+ }
+ }
+
+ if secretValues == nil {
+ // No data returned.
+ break
+ }
+
+ err = mapstructure.Decode(secretValues, output)
+ break
+ }
 return err
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fd01e70..7981dcc 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,13 +1,13 @@
 # github.com/Cray-HPE/hms-base v1.15.1
 ## explicit
 github.com/Cray-HPE/hms-base
-# github.com/Cray-HPE/hms-certs v1.3.2
+# github.com/Cray-HPE/hms-certs v1.4.0
 ## explicit
 github.com/Cray-HPE/hms-certs/pkg/hms_certs
-# github.com/Cray-HPE/hms-compcredentials v1.11.2
+# github.com/Cray-HPE/hms-compcredentials v1.11.3
 ## explicit
 github.com/Cray-HPE/hms-compcredentials
-# github.com/Cray-HPE/hms-securestorage v1.12.2
+# github.com/Cray-HPE/hms-securestorage v1.13.0
 ## explicit
 github.com/Cray-HPE/hms-securestorage
 # github.com/Cray-HPE/hms-trs-app-api v1.6.2
