From d804eef02f338d0af1254b2190e0719f7dae0a8c Mon Sep 17 00:00:00 2001 From: aaa5kameric Date: Wed, 25 Sep 2024 13:58:37 +0200 Subject: [PATCH 1/3] OCM AuthType replaced with static token and E2E tests Deleted --- e2e/e2e_auth_test.go | 20 ----- e2e/e2e_suite_test.go | 6 -- .../pkg/cmd/fleetmanagerclient/client.go | 28 +++---- pkg/client/fleetmanager/impl/auth.go | 13 --- pkg/client/fleetmanager/impl/auth_ocm.go | 82 ------------------- 5 files changed, 14 insertions(+), 135 deletions(-) delete mode 100644 pkg/client/fleetmanager/impl/auth_ocm.go diff --git a/e2e/e2e_auth_test.go b/e2e/e2e_auth_test.go index ff1fcc8641..1ef7cf72cc 100644 --- a/e2e/e2e_auth_test.go +++ b/e2e/e2e_auth_test.go @@ -66,26 +66,6 @@ var _ = Describe("AuthN/Z Fleet* components", Ordered, func() { } } - Describe("OCM auth type", func() { - BeforeEach(func() { - auth, err := fmImpl.NewOCMAuth(context.Background(), authOption.Ocm) - Expect(err).ToNot(HaveOccurred()) - fmClient, err := fmImpl.NewClient(fleetManagerEndpoint, auth) - Expect(err).ToNot(HaveOccurred()) - client = fmClient - }) - - DescribeTable("AuthN/Z tests", - testCase, - Entry("should allow access to fleet manager's public API endpoints", - publicAPI, false, 0, false), - Entry("should not allow access to fleet manager's internal API endpoints", - internalAPI, true, http.StatusNotFound, false), - Entry("should not allow access to fleet manager's admin API endpoints", - adminAPI, true, http.StatusNotFound, false), - ) - }) - Describe("Static token auth type", func() { BeforeEach(func() { auth, err := fmImpl.NewStaticAuth(context.Background(), authOption.Static) diff --git a/e2e/e2e_suite_test.go b/e2e/e2e_suite_test.go index 7e956b5410..ed3372c8d5 100644 --- a/e2e/e2e_suite_test.go +++ b/e2e/e2e_suite_test.go 
@@ -36,7 +36,6 @@ var ( extendedWaitTimeout = getWaitTimeout() * 3 dpCloudProvider = getEnvDefault("DP_CLOUD_PROVIDER", "standalone") dpRegion = getEnvDefault("DP_REGION", "standalone") - authType = "OCM" fleetManagerEndpoint = "http://localhost:8000" runAuthTests bool runCentralTests bool @@ -103,11 +102,6 @@ var _ = BeforeSuite(func() { route53Client = route53.New(sess) } - if val := os.Getenv("AUTH_TYPE"); val != "" { - authType = val - } - GinkgoWriter.Printf("AUTH_TYPE: %q\n", authType) - if val := os.Getenv("FLEET_MANAGER_ENDPOINT"); val != "" { fleetManagerEndpoint = val } diff --git a/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go b/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go index 21c3188eeb..ea500163dc 100644 --- a/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go +++ b/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go @@ -14,8 +14,8 @@ import ( ) var ( - singletonOCMRefreshTokenInstance sync.Once - fmClientAuthWithOCMRefreshToken *fleetmanager.Client + singletonStaticTokenInstance sync.Once + fmAuthenticatedClientWithStaticToken *fleetmanager.Client fmClientAuthWithRHOASToken *fleetmanager.Client singletonRHOASTokenInstance sync.Once @@ -24,7 +24,7 @@ var ( const ( defaultFleetManagerEndpoint = "http://localhost:8000" fleetManagerEndpointEnvVar = "FMCLI_FLEET_MANAGER_ENDPOINT" - ocmRefreshTokenEnvVar = "OCM_TOKEN" + StaticTokenEnvVar = "STATIC_TOKEN" rhoasTokenEnvVar = "RHOAS_TOKEN" ) 
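Review bot: In the `const` block of client.go (hunk `@@ -24,7 +24,7 @@`), `StaticTokenEnvVar` is exported, while its siblings `fleetManagerEndpointEnvVar` and `rhoasTokenEnvVar`, and the `ocmRefreshTokenEnvVar` it replaces, are unexported. It also has no doc comment. Unless another package is meant to read it, keep the package surface unchanged with `staticTokenEnvVar = "STATIC_TOKEN"`. If the export is intended, add `// StaticTokenEnvVar names the environment variable the CLI reads the static token from.` above it. The uses in `AuthenticatedClientWithStaticToken` in the later hunks would need the same spelling.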
@@ -67,12 +67,12 @@ func AuthenticatedClientWithRHOASToken(ctx context.Context) *fleetmanager.Client return fmClientAuthWithRHOASToken } -// AuthenticatedClientWithOCM returns a rest client to the fleet-manager and receives the OCM refresh token. +// AuthenticatedClientWithStaticToken returns a rest client to the fleet-manager and receives the static refresh token. // This function will panic on an error, designed to be used by the fleet-manager CLI. -func AuthenticatedClientWithOCM(ctx context.Context) *fleetmanager.Client { - ocmRefreshToken := os.Getenv(ocmRefreshTokenEnvVar) - if ocmRefreshToken == "" { - panic(fmt.Sprintf("%s not set. Please set OCM token with 'export %s=$(ocm token --refresh)'", ocmRefreshTokenEnvVar, ocmRefreshTokenEnvVar)) +func AuthenticatedClientWithStaticToken(ctx context.Context) *fleetmanager.Client { + staticToken := os.Getenv(StaticTokenEnvVar) + if staticToken == "" { + panic(fmt.Sprintf("%s not set. Please set OCM token with 'export %s=$(ocm token --refresh)'", StaticTokenEnvVar, StaticTokenEnvVar)) } fleetManagerEndpoint := os.Getenv(fleetManagerEndpointEnvVar) @@ -80,10 +80,10 @@ func AuthenticatedClientWithOCM(ctx context.Context) *fleetmanager.Client { fleetManagerEndpoint = defaultFleetManagerEndpoint } - singletonOCMRefreshTokenInstance.Do(func() { - auth, err := impl.NewAuth(ctx, impl.OCMAuthName, impl.Option{ - Ocm: impl.OCMOption{ - RefreshToken: ocmRefreshToken, + singletonStaticTokenInstance.Do(func() { + auth, err := impl.NewAuth(ctx, impl.StaticTokenAuthName, impl.Option{ + Static: impl.StaticOption{ + StaticToken: staticToken, }, }) if err != nil { @@ -91,7 +91,7 @@ func AuthenticatedClientWithOCM(ctx context.Context) *fleetmanager.Client { return } - fmClientAuthWithOCMRefreshToken, err = impl.NewClient(fleetManagerEndpoint, auth) + fmAuthenticatedClientWithStaticToken, err = impl.NewClient(fleetManagerEndpoint, auth) if err != nil { glog.Fatalf("Failed to create connection: %s", err) return 
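Review bot: Nothing between reading `FMCLI_FLEET_MANAGER_ENDPOINT` and the `impl.NewAuth(ctx, impl.StaticTokenAuthName, ...)` call in the `@@ -80,10 +80,10 @@` hunk checks the endpoint's scheme, and the fallback is `http://localhost:8000`. The removed OCM path exchanged a refresh token for access tokens through the SDK. The static token has no such refresh cycle and is presumably attached as the bearer on every request, so an `http://` endpoint set by mistake would send a reusable credential in clear text. I would reject endpoints that are not HTTPS, other than the local default, before the `Once` runs, unless `impl.NewClient` already enforces this (not visible here). The sketch below needs `net/url` imported; the function starts in the previous hunk and continues past this one.

```go
// … unchanged: staticToken and fleetManagerEndpoint read from the environment, default applied …
endpointURL, err := url.Parse(fleetManagerEndpoint)
if err != nil {
	panic(fmt.Sprintf("invalid %s %q: %v", fleetManagerEndpointEnvVar, fleetManagerEndpoint, err))
}
if endpointURL.Scheme != "https" && fleetManagerEndpoint != defaultFleetManagerEndpoint {
	panic(fmt.Sprintf("%s must use https when a static token is sent", fleetManagerEndpointEnvVar))
}

singletonStaticTokenInstance.Do(func() {
	// … unchanged: impl.NewAuth and impl.NewClient calls …
```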
@@ -103,5 +103,5 @@ func AuthenticatedClientWithOCM(ctx context.Context) *fleetmanager.Client { if fleetManagerEndpoint == defaultFleetManagerEndpoint { time.Sleep(5 * time.Second) } - return fmClientAuthWithOCMRefreshToken + return fmAuthenticatedClientWithStaticToken } diff --git a/pkg/client/fleetmanager/impl/auth.go b/pkg/client/fleetmanager/impl/auth.go index c8c616b221..a80d7222ea 100644 --- a/pkg/client/fleetmanager/impl/auth.go +++ b/pkg/client/fleetmanager/impl/auth.go @@ -27,7 +27,6 @@ type authFactory interface { // Option for the different Auth types. type Option struct { Sso RHSSOOption - Ocm OCMOption Static StaticOption ServiceAccount ServiceAccountOption } @@ -40,12 +39,6 @@ type RHSSOOption struct { Endpoint string `env:"RHSSO_ENDPOINT" envDefault:"https://sso.redhat.com"` } -// OCMOption for the OCM Auth type. -type OCMOption struct { - RefreshToken string `env:"OCM_TOKEN"` - EnableLogger bool `env:"OCM_ENABLE_LOGGER"` -} - // StaticOption for the Static Auth type. type StaticOption struct { StaticToken string `env:"STATIC_TOKEN"` @@ -60,7 +53,6 @@ var authFactoryRegistry map[string]authFactory func init() { authFactoryRegistry = map[string]authFactory{ - ocmFactory.GetName(): ocmFactory, rhSSOFactory.GetName(): rhSSOFactory, staticTokenFactory.GetName(): staticTokenFactory, serviceAccountTokenFactory.GetName(): serviceAccountTokenFactory, 
@@ -91,11 +83,6 @@ func NewRHSSOAuth(ctx context.Context, opt RHSSOOption) (Auth, error) { return newAuth(ctx, rhSSOFactory.GetName(), Option{Sso: opt}) } -// NewOCMAuth will return Auth that uses OCM to provide authentication for HTTP requests. -func NewOCMAuth(ctx context.Context, opt OCMOption) (Auth, error) { - return newAuth(ctx, ocmFactory.GetName(), Option{Ocm: opt}) -} - // NewStaticAuth will return Auth that uses a static token to provide authentication for HTTP requests. func NewStaticAuth(ctx context.Context, opt StaticOption) (Auth, error) { return newAuth(ctx, staticTokenFactory.GetName(), Option{Static: opt}) diff --git a/pkg/client/fleetmanager/impl/auth_ocm.go b/pkg/client/fleetmanager/impl/auth_ocm.go deleted file mode 100644 index 17b238c8c7..0000000000 --- a/pkg/client/fleetmanager/impl/auth_ocm.go +++ /dev/null 
@@ -1,82 +0,0 @@ -package impl - -import ( - "context" - "fmt" - "net/http" - "time" - - sdk "github.com/openshift-online/ocm-sdk-go" - "github.com/pkg/errors" -) - -const ( - ocmTokenExpirationMargin = 5 * time.Minute - ocmClientID = "cloud-services" - // OCMAuthName is the name of the OCM auth authentication method - OCMAuthName = "OCM" -) - -var ( - _ authFactory = (*ocmAuthFactory)(nil) - _ Auth = (*ocmAuth)(nil) - ocmFactory = &ocmAuthFactory{} -) - -type ocmAuth struct { - conn *sdk.Connection -} - -type ocmAuthFactory struct{} - -// GetName gets the name of the factory. -func (f *ocmAuthFactory) GetName() string { - return OCMAuthName -} - -// CreateAuth ... -func (f *ocmAuthFactory) CreateAuth(ctx context.Context, o Option) (Auth, error) { - initialToken := o.Ocm.RefreshToken - if initialToken == "" { - return nil, errors.New("empty ocm token") - } - - builder := sdk.NewConnectionBuilder(). - Client(ocmClientID, ""). - Tokens(initialToken) - - if o.Ocm.EnableLogger { - l, err := sdk.NewGlogLoggerBuilder().Build() - if err != nil { - return nil, fmt.Errorf("creating Glog logger: %w", err) - } - builder.Logger(l) - } - - // Check if the connection can be established and tokens can be retrieved. - conn, err := builder.BuildContext(ctx) - if err != nil { - return nil, fmt.Errorf("creating connection: %w", err) - } - _, _, err = conn.TokensContext(ctx) - if err != nil { - return nil, fmt.Errorf("retrieving tokens: %w", err) - } - - return &ocmAuth{ - conn: conn, - }, nil -} - -// AddAuth add auth token to the request retrieved from OCM. -func (o *ocmAuth) AddAuth(req *http.Request) error { - // This will only do an external request iff the current access token of the connection has an expiration time - // lower than 5 minutes. - access, _, err := o.conn.TokensContext(req.Context(), ocmTokenExpirationMargin) - if err != nil { - return errors.Wrap(err, "retrieving access token via OCM auth type") - } - - setBearer(req, access) - return nil -} 
From 4ba5788176fa4d5b53084a39d287f1f3a868420b Mon Sep 17 00:00:00 2001 From: aaa5kameric Date: Wed, 25 Sep 2024 15:03:02 +0200 Subject: [PATCH 2/3] AuthenticatedClientWithOCM removed instances and authOpt.Ocm --- internal/dinosaur/pkg/cmd/centrals/create.go | 2 +- internal/dinosaur/pkg/cmd/centrals/delete.go | 2 +- internal/dinosaur/pkg/cmd/centrals/get.go | 2 +- internal/dinosaur/pkg/cmd/centrals/list.go | 2 +- pkg/client/fleetmanager/impl/auth_test.go | 1 - 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/internal/dinosaur/pkg/cmd/centrals/create.go b/internal/dinosaur/pkg/cmd/centrals/create.go index 21dc707066..dd7f8b5589 100644 --- a/internal/dinosaur/pkg/cmd/centrals/create.go +++ b/internal/dinosaur/pkg/cmd/centrals/create.go @@ -19,7 +19,7 @@ func NewCreateCommand() *cobra.Command { Short: "Create a new central request", Long: "Create a new central request.", Run: func(cmd *cobra.Command, args []string) { - runCreate(fleetmanagerclient.AuthenticatedClientWithOCM(cmd.Context()), cmd, args) + runCreate(fleetmanagerclient.AuthenticatedClientWithStaticToken(cmd.Context()), cmd, args) }, } diff --git a/internal/dinosaur/pkg/cmd/centrals/delete.go b/internal/dinosaur/pkg/cmd/centrals/delete.go index 390171ed6d..6b3f57cf1f 100644 --- a/internal/dinosaur/pkg/cmd/centrals/delete.go +++ b/internal/dinosaur/pkg/cmd/centrals/delete.go @@ -17,7 +17,7 @@ func NewDeleteCommand() *cobra.Command { Short: "Delete a central request", Long: "Delete a central request.", Run: func(cmd *cobra.Command, args []string) { - runDelete(fleetmanagerclient.AuthenticatedClientWithOCM(cmd.Context()), cmd, args) + runDelete(fleetmanagerclient.AuthenticatedClientWithStaticToken(cmd.Context()), cmd, args) }, } diff --git a/internal/dinosaur/pkg/cmd/centrals/get.go b/internal/dinosaur/pkg/cmd/centrals/get.go index b91f6c2ce1..f3f6983dbb 100644 --- a/internal/dinosaur/pkg/cmd/centrals/get.go +++ b/internal/dinosaur/pkg/cmd/centrals/get.go 
@@ -18,7 +18,7 @@ func NewGetCommand() *cobra.Command { Short: "Get a central request", Long: "Get a central request.", Run: func(cmd *cobra.Command, args []string) { - runGet(fleetmanagerclient.AuthenticatedClientWithOCM(cmd.Context()), cmd, args) + runGet(fleetmanagerclient.AuthenticatedClientWithStaticToken(cmd.Context()), cmd, args) }, } cmd.Flags().String(FlagID, "", "Central ID (required)") diff --git a/internal/dinosaur/pkg/cmd/centrals/list.go b/internal/dinosaur/pkg/cmd/centrals/list.go index 7a9c9b9ca2..5e7be58eeb 100644 --- a/internal/dinosaur/pkg/cmd/centrals/list.go +++ b/internal/dinosaur/pkg/cmd/centrals/list.go @@ -24,7 +24,7 @@ func NewListCommand() *cobra.Command { Short: "lists all managed central requests", Long: "lists all managed central requests", Run: func(cmd *cobra.Command, args []string) { - runList(fleetmanagerclient.AuthenticatedClientWithOCM(cmd.Context()), cmd, args) + runList(fleetmanagerclient.AuthenticatedClientWithStaticToken(cmd.Context()), cmd, args) }, } cmd.Flags().String(FlagOwner, "test-user", "Username") diff --git a/pkg/client/fleetmanager/impl/auth_test.go b/pkg/client/fleetmanager/impl/auth_test.go index f1298bc95f..55169a0cb4 100644 --- a/pkg/client/fleetmanager/impl/auth_test.go +++ b/pkg/client/fleetmanager/impl/auth_test.go @@ -18,6 +18,5 @@ func TestAuthOptions(t *testing.T) { assert.Equal(t, "https://sso.redhat.com", authOpt.Sso.Endpoint) assert.Equal(t, "redhat-external", authOpt.Sso.Realm) assert.Equal(t, tokenValue, authOpt.Static.StaticToken) - assert.Equal(t, tokenValue, authOpt.Ocm.RefreshToken) assert.Equal(t, tokenFile, authOpt.ServiceAccount.TokenFile) } From 18000311a9b4dd80b2f4c0828383de5effda2eaa Mon Sep 17 00:00:00 2001 From: aaa5kameric Date: Thu, 26 Sep 2024 13:14:08 +0200 Subject: [PATCH 3/3] OCM Comment changed --- internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go b/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go index ea500163dc..780346a712 100644 --- a/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go +++ b/internal/dinosaur/pkg/cmd/fleetmanagerclient/client.go @@ -1,4 +1,4 @@ -// Package fleetmanagerclient is a fmClientAuthWithOCMRefreshToken for the CLI to connect to the fleetmanager. +// Package fleetmanagerclient is a fmAuthenticatedClientWithStaticToken for the CLI to connect to the fleetmanager. package fleetmanagerclient import ( @@ -67,12 +67,12 @@ func AuthenticatedClientWithRHOASToken(ctx context.Context) *fleetmanager.Client return fmClientAuthWithRHOASToken } -// AuthenticatedClientWithStaticToken returns a rest client to the fleet-manager and receives the static refresh token. +// AuthenticatedClientWithStaticToken returns a rest client to the fleet-manager and receives the static token. // This function will panic on an error, designed to be used by the fleet-manager CLI. func AuthenticatedClientWithStaticToken(ctx context.Context) *fleetmanager.Client { staticToken := os.Getenv(StaticTokenEnvVar) if staticToken == "" { - panic(fmt.Sprintf("%s not set. Please set OCM token with 'export %s=$(ocm token --refresh)'", StaticTokenEnvVar, StaticTokenEnvVar)) + panic(fmt.Sprintf("%s not set. Please set static token with 'export %s='", StaticTokenEnvVar, StaticTokenEnvVar)) } fleetManagerEndpoint := os.Getenv(fleetManagerEndpointEnvVar)
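Review bot: The new package comment in hunk `@@ -1,4 +1,4 @@`, `// Package fleetmanagerclient is a fmAuthenticatedClientWithStaticToken for the CLI ...`, names an unexported variable instead of describing the package. It looks like a search-and-replace carry-over from the old identifier. Something like `// Package fleetmanagerclient provides authenticated fleet-manager clients for the CLI.` would read correctly in godoc.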
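Review bot: The new panic text in `AuthenticatedClientWithStaticToken` ends in `'export %s='`, which as written sets the variable to an empty string and brings the user straight back to this panic. The value is now a bearer token that is presumably long-lived, so typing it inline would also leave it in shell history. Pointing at a file is clearer and safer, e.g. `panic(fmt.Sprintf("%s not set. Set it to a valid static token, e.g. 'export %s=$(cat <token-file>)'", StaticTokenEnvVar, StaticTokenEnvVar))`. The function body continues beyond this hunk.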