Commit 38bfec39 authored by Rucha Deshpande's avatar Rucha Deshpande
Browse files

Merge branch 'feat/aws-impl' into 'master'

Entitlements V2 AWS impl

See merge request !71
parents c85ef178 4c339222
Pipeline #37862 passed with stages
in 19 minutes and 35 seconds
......@@ -6,3 +6,4 @@
**/*.iml
**/dependency-reduced-pom.xml
**/*.pyc
/dist/
......@@ -3,6 +3,14 @@ variables:
AZURE_BUILD_SUBDIR: provider/entitlements-v2-azure
AZURE_TEST_SUBDIR: testing/entitlements-v2-test-azure
AWS_BUILD_SUBDIR: provider/entitlements-v2-aws/build-aws
AWS_TEST_SUBDIR: testing/entitlements-v2-test-aws
AWS_SERVICE: entitlements-v2
AWS_ENVIRONMENT: dev
include:
- project: "osdu/platform/ci-cd-pipelines"
file: "standard-setup.yml"
......@@ -19,5 +27,8 @@ include:
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/azure.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "cloud-providers/aws.yml"
- project: "osdu/platform/ci-cd-pipelines"
file: "publishing/pages.yml"
\ No newline at end of file
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os;
import boto3;
import jwt;
import requests;
import base64;
import json;
class AwsToken(object):
def get_aws_id_token(self):
if os.getenv("AWS_COGNITO_REGION") is not None:
region = os.environ["AWS_COGNITO_REGION"]
else:
region = os.environ["AWS_REGION"]
client = boto3.client('cognito-idp', region_name=region)
environment = os.environ["RESOURCE_PREFIX"]
ssm = boto3.client('ssm')
secretsmanagerclient = boto3.client('secretsmanager')
tokenUrl = ssm.get_parameter(Name='/osdu/' + environment +'/oauth-token-uri', WithDecryption=True)['Parameter']['Value']
awsOauthCustomScope = ssm.get_parameter(Name='/osdu/' + environment +'/oauth-custom-scope', WithDecryption=True)['Parameter']['Value']
client_credentials_clientid = ssm.get_parameter(Name='/osdu/' + environment +'/client-credentials-client-id', WithDecryption=True)['Parameter']['Value']
client_secret_key = 'client_credentials_client_secret'
client_secret_secretName = '/osdu/' + environment +'/client_credentials_secret'
client_credentials_secret=''
get_secret_value_response = secretsmanagerclient.get_secret_value(SecretId=client_secret_secretName)
if 'SecretString' in get_secret_value_response:
secret = json.loads(get_secret_value_response['SecretString'])
client_credentials_secret=secret['client_credentials_client_secret']
encodeThisString = client_credentials_clientid+':'+client_credentials_secret
encodeThisStringBytes=encodeThisString.encode('UTF-8')
authorizationHeaderContents=base64.b64encode(encodeThisStringBytes)
a= authorizationHeaderContents.decode("UTF-8")
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic '+a
}
method = 'POST'
url = tokenUrl+'?grant_type=client_credentials&client_id='+client_credentials_clientid+'&scope='+awsOauthCustomScope;
response = requests.request(method,url, headers=headers)
jsonResponse = response.json()
for key, value in jsonResponse.items():
if(key == 'access_token'):
token = 'Bearer ' + value
print(token)
return token
if __name__ == '__main__':
AwsToken().get_aws_id_token()
\ No newline at end of file
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#Required Env Variables
#AWS_BASE_URL
#AWS_DEPLOYMENTS_SUBDIR
#AWS_REGION
pip3 install -r $AWS_DEPLOYMENTS_SUBDIR/requirements.txt
echo $AWS_BASE_URL
export AWS_ENTITLEMENTSV2_SERVICE_URL=$AWS_BASE_URL/api/entitlements/v2/
if [ -z "$BEARER_TOKEN" ];
then BEARER_TOKEN=`python $AWS_DEPLOYMENTS_SUBDIR/Token.py`;
export BEARER_TOKEN=$BEARER_TOKEN
fi
export APP_KEY=""
export DATA_PARTITION=opendes
python $AWS_DEPLOYMENTS_SUBDIR/initTenant.py -u $AWS_ENTITLEMENTSV2_SERVICE_URL -t $DATA_PARTITION
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
import os
import requests
parser = argparse.ArgumentParser()
parser.add_argument('-u', help='The complete URL to the Entitlements V2 Service.', default=None)
parser.add_argument('-t', help='The tenant for which groups are being provisioned.', default=None)
arguments = parser.parse_args()
if arguments.u is not None:
url = arguments.u
if arguments.t is not None:
tenant = arguments.t
token = os.environ.get('BEARER_TOKEN')
initTenantUrl=url+'tenant-provisioning'
#call init API to provision groups for Service Principal
headers = {
'data-partition-id': tenant,
'Content-Type': 'application/json',
'Authorization': token
}
method = 'POST'
response = requests.request(method,initTenantUrl, headers=headers)
print(response.status_code)
if response.status_code==200:
print('The Entitlements V2 bootstrapping successful for tenant:'+tenant)
else:
print('The Entitlements V2 bootstrapping failed for tenant:'+tenant)
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# THIS SCRIPT MUST BE RUN FROM THE ROOT FOLDER OF THE ENTITLEMENTS V2 SERVICE
set -e
OUTPUT_DIR="${OUTPUT_DIR:-dist}"
echo "--Copying Entitlements V2 Boostrap Scripts to ${OUTPUT_DIR}--"
rm -rf "${OUTPUT_DIR}/devops"
mkdir -p "${OUTPUT_DIR}/devops/aws"
cp -r devops/aws/ "${OUTPUT_DIR}/devops/"
boto3==1.17.1
botocore==1.20.1
PyJWT==1.7.1
requests
argparse
\ No newline at end of file
......@@ -22,6 +22,7 @@
<module>entitlements-v2-core</module>
<module>provider/entitlements-v2-azure</module>
<module>provider/entitlements-v2-gcp</module>
<module>provider/entitlements-v2-aws</module>
</modules>
<licenses>
......
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# https://docs.spring.io/spring-boot/docs/current/reference/html/deployment.html
FROM amazoncorretto:8
ARG JAR_FILE=provider/entitlements-v2-aws/target/*spring-boot.jar
#Default to using self signed generated TLS cert
ENV USE_SELF_SIGNED_SSL_CERT true
WORKDIR /
COPY ${JAR_FILE} app.jar
COPY /provider/entitlements-v2-aws/build-aws/ssl.sh /ssl.sh
COPY /provider/entitlements-v2-aws/build-aws/entrypoint.sh /entrypoint.sh
EXPOSE 8080
ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import boto3
import json
import os
import argparse
# Create the build-info.json
parser = argparse.ArgumentParser(description="")
# env - CODEBUILD_SOURCE_VERSION
parser.add_argument("--branch", type=str, help="")
# env - CODEBUILD_RESOLVED_SOURCE_VERSION
parser.add_argument("--commit", type=str, help="")
# env - CODEBUILD_BUILD_ID
parser.add_argument("--buildid", type=str, help="")
# env - CODEBUILD_BUILD_NUMBER
parser.add_argument("--buildnumber", type=str, help="")
# Get from directory name
parser.add_argument("--reponame", type=str, help="")
# env OUTPUT_DIR
parser.add_argument("--outdir", type=str, help="")
# full ecr image and tag, and any other artifacts
parser.add_argument("--artifact", type=str, action="append", help="")
args = parser.parse_args()
branch = args.branch
commitId = args.commit
buildId = args.buildid
buildNumber = args.buildnumber
repoName = args.reponame
outputDir = args.outdir
artifacts = args.artifact
buildInfoFilePath = os.path.join(".", outputDir, "build-info.json")
print(buildInfoFilePath)
commitArgs = {
"repositoryName": repoName,
"commitId": commitId
}
commitDetail = {
"commit": ""
}
# get the commit detail
try:
codecommit = boto3.client("codecommit")
commitDetail = codecommit.get_commit(**commitArgs)
except Exception as e:
print("Getting commit information from codecommit failed")
buildInfo = {
"branch": branch,
"build-id": buildId,
"build-number": buildNumber,
"repo": repoName,
"artifacts": artifacts,
"commit": commitDetail["commit"]
}
print(json.dumps(buildInfo, sort_keys=True, indent=4))
# write the build.json file to dist
f = open(buildInfoFilePath, "w")
f.write(json.dumps(buildInfo, sort_keys=True, indent=4))
f.close()
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
# https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html
version: 0.2
env:
secrets-manager:
DOCKER_USERNAME: /osdu/devops/docker_credentials:username
DOCKER_PASSWORD: /osdu/devops/docker_credentials:password
phases:
install:
runtime-versions:
java: corretto8
commands:
# fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
- curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
- if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
- apt-get update -y -qq
- apt-get install -y maven
- java -version
- mvn -version
- mkdir -p /root/.m2
- cp ./provider/entitlements-v2-aws/maven/settings.xml /root/.m2/settings.xml # copy the AWS-specific settings.xml to the CodeBuild instance's .m2 folder
- export AWS_ACCOUNT_ID=`aws sts get-caller-identity | grep Account | cut -d':' -f 2 | cut -d'"' -f 2`
- export AWS_OSDU_DEV_MAVEN_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain $AWS_OSDU_DEV_MAVEN_DOMAIN --domain-owner $AWS_ACCOUNT_ID --query authorizationToken --output text`
pre_build:
commands:
- echo "Logging in to Amazon ECR..."
- $(aws ecr get-login --no-include-email --region $AWS_REGION) # authenticate with ECR via the AWS CLI
build:
commands:
- export REPO_NAME=${PWD##*/}
- export OUTPUT_DIR="dist"
- export BRANCH_NAME=`echo ${CODEBUILD_SOURCE_VERSION} | awk '{gsub("refs/heads/","");gsub("\\.","-");gsub("[[:space:]]","-")}1' | sed 's/\//-/g' | awk '{print tolower($0)}'`
- export ECR_TAG=`echo build.${BRANCH_NAME}.${CODEBUILD_BUILD_NUMBER}.${CODEBUILD_RESOLVED_SOURCE_VERSION} | cut -c 1-120`
- export ECR_IMAGE=${ECR_REGISTRY}:${ECR_TAG}
- export ECR_IMAGE_BRANCH_LATEST=${ECR_REGISTRY}:${BRANCH_NAME}
- export INTEGRATION_TEST_OUTPUT=${OUTPUT_DIR}/testing/integration
- export INTEGRATION_TEST_OUTPUT_BIN=${INTEGRATION_TEST_OUTPUT}/bin
- mkdir -p ${OUTPUT_DIR}/bin
- mkdir -p ${OUTPUT_DIR}/testing && mkdir -p ${INTEGRATION_TEST_OUTPUT} && mkdir -p ${INTEGRATION_TEST_OUTPUT}/bin
- echo "Placeholder" >> ${OUTPUT_DIR}/build-info.json # touched so that the output directory has some content incase the build fails so that testing reports are uploaded
- printenv
- echo "Building primary service assemblies..."
- mvn -ntp -B test install -pl entitlements-v2-core,provider/entitlements-v2-aws -Ddeployment.environment=prod
- echo "Building integration testing assemblies and gathering artifacts..."
- ./testing/entitlements-v2-test-aws/build-aws/prepare-dist.sh
#Copy ENTITLEMENTS V2 bootstrap scripts to dist
- ./devops/aws/prepare-dist.sh
- echo "Logging into Docker Hub..."
- docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
- echo "Building docker image..."
- docker build -f provider/entitlements-v2-aws/build-aws/Dockerfile -t ${ECR_IMAGE} .
- docker tag ${ECR_IMAGE} ${ECR_IMAGE_BRANCH_LATEST}
- echo "Pushing docker image..."
- docker push ${ECR_IMAGE}
- docker push ${ECR_IMAGE_BRANCH_LATEST}
- echo "Generate build-info.json"
- |
python provider/entitlements-v2-aws/build-aws/build-info.py --branch ${CODEBUILD_SOURCE_VERSION} --commit ${CODEBUILD_RESOLVED_SOURCE_VERSION} \
--buildid ${CODEBUILD_BUILD_ID} --buildnumber ${CODEBUILD_BUILD_NUMBER} --reponame ${REPO_NAME} --outdir ${OUTPUT_DIR} \
--artifact ${ECR_IMAGE}
reports:
SurefireReports: # CodeBuild will create a report group called "SurefireReports".
files: #Store all of the files
- "entitlements-v2-core/target/surefire-reports/**/*"
- "provider/entitlements-v2-aws/target/surefire-reports/**/*"
base-directory: "." # Location of the reports
artifacts:
files:
- "**/*"
base-directory: "dist"
name: ${REPO_NAME}_${BRANCH_NAME}_$(date +%F)_${CODEBUILD_BUILD_NUMBER}.zip
cache:
paths:
- "/root/.m2/**/*"
\ No newline at end of file
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
export SSL_KEY_STORE_DIR=/tmp/certs;
export SSL_KEY_STORE_NAME=osduonaws.p12;
export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
export SSL_KEY_ALIAS=osduonaws;
./ssl.sh;
fi
java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#!/usr/bin/env bash
#Future: Support for using Amazon Cert Manager
# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
# then
# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
# fi
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
mkdir -p $SSL_KEY_STORE_DIR
pushd $SSL_KEY_STORE_DIR
keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
popd
fi
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<profiles>
<profile>
<id>aws-osdu-dev-maven</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>aws-osdu-dev-maven</id>
<url>${env.AWS_OSDU_DEV_MAVEN_URL}</url>
</repository>
<repository>
<id>gitlab-os-core-common-maven</id>
<url>https://community.opengroup.org/api/v4/projects/67/packages/maven</url>
</repository>
<repository>
<id>gitlab-os-core-lib-aws-maven</id>
<url>https://community.opengroup.org/api/v4/projects/68/packages/maven</url>
</repository>
</repositories>
</profile>
<profile>
<id>credentialsConfiguration</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<deployment.environment>dev</deployment.environment>
<aws.accessKeyId>no-default</aws.accessKeyId>
<aws.secretKey>no-default</aws.secretKey>
<azure.devops.username>Another-Access-Token-2021</azure.devops.username>
<azure.devops.token>no-default</azure.devops.token>
</properties>
</profile>
</profiles>
<servers>
<server>
<id>aws-osdu-dev-maven</id>
<username>aws</username>
<password>${env.AWS_OSDU_DEV_MAVEN_AUTH_TOKEN}</password>
</server>
</servers>
<!-- CodeArtifact doesn't support external repos yet that aren't Maven Central. ETA Q4 2020. -->
<!-- <mirrors> -->
<!-- <mirror> -->
<!-- <id>aws-osdu-dev-maven</id> -->
<!-- <name>aws-osdu-dev-maven</name> -->
<!-- <url>https://osdu-dev-888733619319.d.codeartifact.us-east-1.amazonaws.com/maven/osdu-maven/</url> -->
<!-- <mirrorOf>*,!gitlab-os-core-common-maven</mirrorOf> -->
<!-- </mirror> -->
<!-- </mirrors> -->
<activeProfiles>
<activeProfile>credentialsConfiguration</activeProfile>
</activeProfiles>
</settings>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<artifactId>entitlements-v2-service</artifactId>
<groupId>org.opengroup.osdu.entitlements.v2</groupId>
<version>0.9.0-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
<artifactId>entitlements-v2-aws</artifactId>