SAP · Googlom · Jan 7, 2025 · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024
@@ -41,7 +41,7 @@ type GeneralConfigOptions struct {
 	VaultServerURL       string
 	VaultNamespace       string
 	VaultPath            string
-	TrustEngineToken     string
+	SystemTrustToken     string
 	HookConfig           HookConfiguration
 	MetaDataResolver     func() map[string]config.StepData
 	GCPJsonKeyFilePath   string
@@ -57,7 +57,7 @@ type HookConfiguration struct {
 	SplunkConfig      SplunkConfiguration      `json:"splunk,omitempty"`
 	PendoConfig       PendoConfiguration       `json:"pendo,omitempty"`
 	OIDCConfig        OIDCConfiguration        `json:"oidc,omitempty"`
-	TrustEngineConfig TrustEngineConfiguration `json:"trustengine,omitempty"`
+	SystemTrustConfig SystemTrustConfiguration `json:"systemtrust,omitempty"`
 }
 
 type GCPPubSubConfiguration struct {
@@ -93,7 +93,7 @@ type OIDCConfiguration struct {
 	RoleID string `json:",roleID,omitempty"`
 }
 
-type TrustEngineConfiguration struct {
+type SystemTrustConfiguration struct {
 	ServerURL           string `json:"baseURL,omitempty"`
 	TokenEndPoint       string `json:"tokenEndPoint,omitempty"`
 	TokenQueryParamName string `json:"tokenQueryParamName,omitempty"`
@@ -385,8 +385,8 @@ func PrepareConfig(cmd *cobra.Command, metadata *config.StepData, stepName strin
 	}
 	myConfig.SetVaultCredentials(GeneralConfig.VaultRoleID, GeneralConfig.VaultRoleSecretID, GeneralConfig.VaultToken)
 
-	GeneralConfig.TrustEngineToken = os.Getenv("PIPER_trustEngineToken")
-	myConfig.SetTrustEngineToken(GeneralConfig.TrustEngineToken)
+	GeneralConfig.SystemTrustToken = os.Getenv("PIPER_systemTrustToken")
+	myConfig.SetSystemTrustToken(GeneralConfig.SystemTrustToken)
 
 	if len(GeneralConfig.StepConfigJSON) != 0 {
 		// ignore config & defaults in favor of passed stepConfigJSON

diff --git a/cmd/sonarExecuteScan_generated.go b/cmd/sonarExecuteScan_generated.go
@@ -11,7 +11,7 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/SAP/jenkins-library/pkg/trustengine"
+	"github.com/SAP/jenkins-library/pkg/systemtrust"
 
 	piperhttp "github.com/SAP/jenkins-library/pkg/http"
 	"github.com/SAP/jenkins-library/pkg/log"
@@ -33,7 +33,7 @@ type Config struct {
 	accessTokens             map[string]string
 	openFile                 func(s string, t map[string]string) (io.ReadCloser, error)
 	vaultCredentials         VaultCredentials
-	trustEngineConfiguration trustengine.Configuration
+	systemTrustConfiguration systemtrust.Configuration
 }
 
 // StepConfig defines the structure for merged step configuration
@@ -295,12 +295,12 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri
 	}
 
 	// hooks need to have been loaded from the defaults before the server URL is known
-	err = c.setTrustEngineConfiguration(stepConfig.HookConfig)
+	err = c.setSystemTrustConfiguration(stepConfig.HookConfig)
 	if err != nil {
 		log.Entry().WithError(err).Debug("System Trust lookup skipped due to missing or incorrect configuration")
 	} else {
-		trustengineClient := trustengine.PrepareClient(&piperhttp.Client{}, c.trustEngineConfiguration)
-		resolveAllTrustEngineReferences(&stepConfig, append(parameters, ReportingParameters.Parameters...), c.trustEngineConfiguration, trustengineClient)
+		systemTrustClient := systemtrust.PrepareClient(&piperhttp.Client{}, c.systemTrustConfiguration)
+		resolveAllSystemTrustReferences(&stepConfig, append(parameters, ReportingParameters.Parameters...), c.systemTrustConfiguration, systemTrustClient)
 	}
 
 	// finally do the condition evaluation post processing

@@ -0,0 +1,66 @@
+package config
+
+import (
+	"errors"
+
+	piperhttp "github.com/SAP/jenkins-library/pkg/http"
+	"github.com/SAP/jenkins-library/pkg/log"
+	"github.com/SAP/jenkins-library/pkg/systemtrust"
+)
+
+const RefTypeSystemTrustSecret = "systemTrustSecret"
+
+// resolveAllSystemTrustReferences retrieves all the step's secrets from the System Trust
+func resolveAllSystemTrustReferences(config *StepConfig, params []StepParameters, systemTrustConfiguration systemtrust.Configuration, client *piperhttp.Client) {
+	for _, param := range params {
+		if ref := param.GetReference(RefTypeSystemTrustSecret); ref != nil {
+			if config.Config[param.Name] == "" {
+				log.Entry().Infof("Getting '%s' from System Trust", param.Name)
+				token, err := systemtrust.GetToken(ref.Default, client, systemTrustConfiguration)
+				if err != nil {
+					log.Entry().Info(" failed")
+					log.Entry().WithError(err).Debugf("Couldn't get '%s' token from System Trust", ref.Default)
+					continue
+				}
+				log.RegisterSecret(token)
+				config.Config[param.Name] = token
+				log.Entry().Info(" succeeded")
+			} else {
+				log.Entry().Debugf("Skipping retrieval of '%s' from System Trust: parameter already set", param.Name)
+			}
+		}
+	}
+}
+
+// setSystemTrustConfiguration sets the server URL for the System Trust by taking it from the hooks
+func (c *Config) setSystemTrustConfiguration(hookConfig map[string]interface{}) error {
+	systemTrustHook, ok := hookConfig["systemtrust"].(map[string]interface{})
+	if !ok {
+		return errors.New("no System Trust hook configuration found")
+	}
+	if serverURL, ok := systemTrustHook["serverURL"].(string); ok {
+		c.systemTrustConfiguration.ServerURL = serverURL
+	} else {
+		return errors.New("no System Trust server URL found")
+	}
+	if tokenEndPoint, ok := systemTrustHook["tokenEndPoint"].(string); ok {
+		c.systemTrustConfiguration.TokenEndPoint = tokenEndPoint
+	} else {
+		return errors.New("no System Trust service endpoint found")
+	}
+	if tokenQueryParamName, ok := systemTrustHook["tokenQueryParamName"].(string); ok {
+		c.systemTrustConfiguration.TokenQueryParamName = tokenQueryParamName
+	} else {
+		return errors.New("no System Trust query parameter name found")
+	}
+
+	if len(c.systemTrustConfiguration.Token) == 0 {
+		return errors.New("no System Trust token found and envvar is empty")
+	}
+	return nil
+}
+
+// SetSystemTrustToken sets the token for the System Trust
+func (c *Config) SetSystemTrustToken(token string) {
+	c.systemTrustConfiguration.Token = token
+}
@@ -9,14 +9,14 @@ import (
 	"testing"
 
 	piperhttp "github.com/SAP/jenkins-library/pkg/http"
-	"github.com/SAP/jenkins-library/pkg/trustengine"
+	"github.com/SAP/jenkins-library/pkg/systemtrust"
 	"github.com/jarcoal/httpmock"
 
 	"github.com/stretchr/testify/assert"
 )
 
 const secretName = "sonar"
-const secretNameInTrustEngine = "sonarTrustengineSecretName"
+const secretNameInSystemTrust = "sonarSystemtrustSecretName"
 const testServerURL = "https://www.project-piper.io"
 const testTokenEndPoint = "tokens"
 const testTokenQueryParamName = "systems"
@@ -25,14 +25,14 @@ const mockSonarToken = "mockSonarToken"
 var testFullURL = fmt.Sprintf("%s/%s?%s=", testServerURL, testTokenEndPoint, testTokenQueryParamName)
 var mockSingleTokenResponse = fmt.Sprintf("{\"sonar\": \"%s\"}", mockSonarToken)
 
-func TestTrustEngineConfig(t *testing.T) {
+func TestSystemTrustConfig(t *testing.T) {
 	httpmock.Activate()
 	defer httpmock.DeactivateAndReset()
 	httpmock.RegisterResponder(http.MethodGet, testFullURL+"sonar", httpmock.NewStringResponder(200, mockSingleTokenResponse))
 
-	stepParams := []StepParameters{createStepParam(secretName, RefTypeTrustengineSecret, secretNameInTrustEngine, secretName)}
+	stepParams := []StepParameters{createStepParam(secretName, RefTypeSystemTrustSecret, secretNameInSystemTrust, secretName)}
 
-	var trustEngineConfiguration = trustengine.Configuration{
+	var systemTrustConfiguration = systemtrust.Configuration{
 		Token:               "testToken",
 		ServerURL:           testServerURL,
 		TokenEndPoint:       testTokenEndPoint,
@@ -46,7 +46,7 @@ func TestTrustEngineConfig(t *testing.T) {
 			secretName: "",
 		}}
 
-		resolveAllTrustEngineReferences(stepConfig, stepParams, trustEngineConfiguration, client)
+		resolveAllSystemTrustReferences(stepConfig, stepParams, systemTrustConfiguration, client)
 		assert.Equal(t, mockSonarToken, stepConfig.Config[secretName])
 	})
 
@@ -55,19 +55,19 @@ func TestTrustEngineConfig(t *testing.T) {
 			secretName: "aMockTokenFromVault",
 		}}
 
-		resolveAllTrustEngineReferences(stepConfig, stepParams, trustEngineConfiguration, client)
+		resolveAllSystemTrustReferences(stepConfig, stepParams, systemTrustConfiguration, client)
 		assert.NotEqual(t, mockSonarToken, stepConfig.Config[secretName])
 	})
 }
 
-func createStepParam(name, refType, trustengineSecretNameProperty, defaultSecretNameName string) StepParameters {
+func createStepParam(name, refType, systemTrustSecretNameProperty, defaultSecretNameName string) StepParameters {
 	return StepParameters{
 		Name:    name,
 		Aliases: []Alias{},
 		ResourceRef: []ResourceReference{
 			{
 				Type:    refType,
-				Name:    trustengineSecretNameProperty,
+				Name:    systemTrustSecretNameProperty,
 				Default: defaultSecretNameName,
 			},
 		},

@@ -13,7 +13,7 @@ const (
 	vaultBadge       = "![Vault](https://img.shields.io/badge/-Vault-lightgrey)"
 	jenkinsOnlyBadge = "![Jenkins only](https://img.shields.io/badge/-Jenkins%20only-yellowgreen)"
 	secretBadge      = "![Secret](https://img.shields.io/badge/-Secret-yellowgreen)"
-	trustengineBadge = "![System Trust](https://img.shields.io/badge/-System%20Trust-lightblue)"
+	systemTrustBadge = "![System Trust](https://img.shields.io/badge/-System%20Trust-lightblue)"
 	deprecatedBadge  = "![deprecated](https://img.shields.io/badge/-deprecated-red)"
 )
 
@@ -122,9 +122,9 @@ func parameterFurtherInfo(paramName string, stepData *config.StepData, execution
 				secretInfo := fmt.Sprintf("%s pass via ENV or Jenkins credentials", secretBadge)
 
 				isVaultSecret := param.GetReference("vaultSecret") != nil || param.GetReference("vaultSecretFile") != nil
-				isTrustengineSecret := param.GetReference(config.RefTypeTrustengineSecret) != nil
-				if isVaultSecret && isTrustengineSecret {
-					secretInfo = fmt.Sprintf(" %s %s %s pass via ENV, Vault, System Trust or Jenkins credentials", vaultBadge, trustengineBadge, secretBadge)
+				isSystemTrustSecret := param.GetReference(config.RefTypeSystemTrustSecret) != nil
+				if isVaultSecret && isSystemTrustSecret {
+					secretInfo = fmt.Sprintf(" %s %s %s pass via ENV, Vault, System Trust or Jenkins credentials", vaultBadge, systemTrustBadge, secretBadge)
 				} else if isVaultSecret {
 					secretInfo = fmt.Sprintf(" %s %s pass via ENV, Vault or Jenkins credentials", vaultBadge, secretBadge)
 				}
@@ -347,8 +347,8 @@ func resourceReferenceDetails(resourceRef []config.ResourceReference) string {
 			resourceDetails = addVaultResourceDetails(resource, resourceDetails)
 			continue
 		}
-		if resource.Type == config.RefTypeTrustengineSecret {
-			resourceDetails = addTrustEngineResourceDetails(resource, resourceDetails)
+		if resource.Type == config.RefTypeSystemTrustSecret {
+			resourceDetails = addSystemTrustResourceDetails(resource, resourceDetails)
 		}
 	}
 
@@ -369,7 +369,7 @@ func addVaultResourceDetails(resource config.ResourceReference, resourceDetails
 	return resourceDetails
 }
 
-func addTrustEngineResourceDetails(resource config.ResourceReference, resourceDetails string) string {
+func addSystemTrustResourceDetails(resource config.ResourceReference, resourceDetails string) string {
 	resourceDetails += "<br/>System Trust resource:<br />"
 	resourceDetails += fmt.Sprintf("&nbsp;&nbsp;name: `%v`<br />", resource.Name)
 	resourceDetails += fmt.Sprintf("&nbsp;&nbsp;value: `%v`<br />", resource.Default)

@@ -1,4 +1,4 @@
-package trustengine
+package systemtrust
 
 import (
 	"encoding/json"
@@ -32,8 +32,8 @@ type Configuration struct {
 }
 
 // GetToken requests a single token
-func GetToken(refName string, client *piperhttp.Client, trustEngineConfiguration Configuration) (string, error) {
-	secrets, err := GetSecrets([]string{refName}, client, trustEngineConfiguration)
+func GetToken(refName string, client *piperhttp.Client, systemTrustConfiguration Configuration) (string, error) {
+	secrets, err := getSecrets([]string{refName}, client, systemTrustConfiguration)
 	if err != nil {
 		return "", errors.Wrap(err, "couldn't get token from System Trust")
 	}
@@ -45,15 +45,15 @@ func GetToken(refName string, client *piperhttp.Client, trustEngineConfiguration
 	return "", errors.New("could not find token in System Trust response")
 }
 
-// GetSecrets transforms the System Trust JSON response into System Trust secrets, and can be used to request multiple tokens
-func GetSecrets(refNames []string, client *piperhttp.Client, trustEngineConfiguration Configuration) ([]Secret, error) {
+// getSecrets transforms the System Trust JSON response into System Trust secrets, and can be used to request multiple tokens
+func getSecrets(refNames []string, client *piperhttp.Client, systemTrustConfiguration Configuration) ([]Secret, error) {
 	var secrets []Secret
 	query := url.Values{
-		trustEngineConfiguration.TokenQueryParamName: {
+		systemTrustConfiguration.TokenQueryParamName: {
 			strings.Join(refNames, ","),
 		},
 	}
-	response, err := getResponse(trustEngineConfiguration.ServerURL, trustEngineConfiguration.TokenEndPoint, query, client)
+	response, err := getResponse(systemTrustConfiguration.ServerURL, systemTrustConfiguration.TokenEndPoint, query, client)
 	if err != nil {
 		return secrets, errors.Wrap(err, "getting secrets from System Trust failed")
 	}
@@ -120,15 +120,15 @@ func parseURL(serverURL, endpoint string, query url.Values) (string, error) {
 }
 
 // PrepareClient adds the System Trust authentication token to the client
-func PrepareClient(client *piperhttp.Client, trustEngineConfiguration Configuration) *piperhttp.Client {
+func PrepareClient(client *piperhttp.Client, systemTrustConfiguration Configuration) *piperhttp.Client {
 	var logEntry *logrus.Entry
 	if logrus.GetLevel() < logrus.DebugLevel {
 		logger := logrus.New()
 		logger.SetOutput(io.Discard)
 		logEntry = logrus.NewEntry(logger)
 	}
 	client.SetOptions(piperhttp.ClientOptions{
-		Token:  fmt.Sprintf("Bearer %s", trustEngineConfiguration.Token),
+		Token:  fmt.Sprintf("Bearer %s", systemTrustConfiguration.Token),
 		Logger: logEntry,
 	})
 	return client