Update nozzle with client-id and client-secret for authentication (#205)

* Update nozzle with client-id and client-secret for token refresh mechanism. * CI update * Readme update
cloudfoundry-community · Aug 5, 2019 · 531fc26 · 531fc26
1 parent c8493db
commit 531fc26
Show file tree

Hide file tree

Showing 456 changed files with 343 additions and 92,624 deletions.
diff --git a/.circleci/ci_nozzle_manifest.yml b/.circleci/ci_nozzle_manifest.yml
@@ -10,6 +10,8 @@ applications:
       API_ENDPOINT:
       API_USER:
       API_PASSWORD:
+      CLIENT_ID:
+      CLIENT_SECRET:
       SPLUNK_HOST:
       SPLUNK_TOKEN:
       SPLUNK_INDEX:

diff --git a/.circleci/update_manifest.sh b/.circleci/update_manifest.sh
@@ -6,6 +6,8 @@ set -e
 sed -i 's@API_ENDPOINT:.*@'"API_ENDPOINT: $API_ENDPOINT"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@API_USER:.*@'"API_USER: $API_USER"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@API_PASSWORD:.*@'"API_PASSWORD: $API_PASSWORD"'@' .circleci/ci_nozzle_manifest.yml
+sed -i 's@CLIENT_ID:.*@'"CLIENT_ID: $CLIENT_ID"'@' .circleci/ci_nozzle_manifest.yml
+sed -i 's@CLIENT_SECRET:.*@'"CLIENT_SECRET: $CLIENT_SECRET"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_HOST:.*@'"SPLUNK_HOST: $SPLUNK_HOST"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_TOKEN:.*@'"SPLUNK_TOKEN: $SPLUNK_TOKEN"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_INDEX:.*@'"SPLUNK_INDEX: $SPLUNK_INDEX"'@' .circleci/ci_nozzle_manifest.yml

diff --git a/README.md b/README.md
@@ -19,30 +19,36 @@ In addition, logs from the nozzle itself are of sourcetype `cf:splunknozzle`.
 
 ### Setup
 
-The Nozzle requires a user with the scope `doppler.firehose` and
-`cloud_controller.admin_read_only` (the latter is only required if `ADD_APP_INFO` is true). If `cloud_controller.admin_read_only` is not
+The Nozzle requires a client with the authorities `doppler.firehose` and `cloud_controller.admin_read_only` (the latter is only required if `ADD_APP_INFO` is true) and grant-types `client_credentials` and `refresh_token`. If `cloud_controller.admin_read_only` is not
 available in the system, switch to use `cloud_controller.admin`.
 
 You can either
-* Add the user manually using [uaac](https://github.com/cloudfoundry/cf-uaac)
-* Add a new user to the deployment manifest; see [uaa.scim.users](https://github.com/cloudfoundry/uaa-release/blob/master/jobs/uaa/spec)
+* Add the client manually using [uaac](https://github.com/cloudfoundry/cf-uaac)
+* Add the client to the deployment manifest; see [uaa.scim.users](https://github.com/cloudfoundry/uaa-release/blob/master/jobs/uaa/spec)
 
 Manifest example:
 
 ```yaml
-uaa:
-  scim:
-    users:
-      - splunk-firehose|password123|cloud_controller.admin_read_only,doppler.firehose
+
+# Clients
+uaa.clients:
+    splunk-firehose:
+      id: splunk-firehose
+      override: true
+      secret: splunk-firehose-secret
+      authorized-grant-types: client_credentials,refresh_token
+      authorities: doppler.firehose,cloud_controller.admin_read_only
 ```
 
 `uaac` example:
 ```shell
 uaac target https://uaa.[system domain url]
 uaac token client get admin -s [admin client credentials secret]
-uaac -t user add splunk-nozzle --password password123 --emails na
-uaac -t member add cloud_controller.admin_read_only splunk-nozzle
-uaac -t member add doppler.firehose splunk-nozzle
+uaac client add splunk-firehose --name splunk-firehose
+uaac client add splunk-firehose --secret [your_client_secret]
+uaac client add splunk-firehose --authorized_grant_types client_credentials,refresh_token
+uaac client add splunk-firehose --authorities doppler.firehose,cloud_controller.admin_read_only
+
 ```
 
 `cloud_controller.admin_read_only` will work for cf v241
@@ -55,8 +61,8 @@ You can declare parameters by making a copy of the scripts/nozzle.sh.template.
 
 __Cloud Foundry configuration parameters:__
 * `API_ENDPOINT`: Cloud Foundry API endpoint address.
-* `API_USER`: Cloud Foundry user name. (Must have scope described above)
-* `API_PASSWORD`: Cloud Foundry user password.
+* `CLIENT_ID`: UAA Client ID (Must have authorities and grant_types described above).
+* `CLIENT_SECRET`: Secret for Client ID.
 
 __Splunk configuration parameters:__
 * `SPLUNK_TOKEN`: [Splunk HTTP event collector token](http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector/).

diff --git a/cache/boltdb.go b/cache/boltdb.go
@@ -359,6 +359,7 @@ func (c *Boltdb) fromPCFApp(app *cfclient.App) *App {
 		Guid:       app.Guid,
 		SpaceGuid:  app.SpaceGuid,
 		IgnoredApp: c.isOptOut(app.Environment),
+		CfAppEnv:   app.Environment,
 	}
 
 	c.fillOrgAndSpace(cachedApp)

diff --git a/ci/nozzle_manifest.yml b/ci/nozzle_manifest.yml
@@ -8,8 +8,8 @@ applications:
     env:
       GOPACKAGENAME: main
       API_ENDPOINT:
-      API_USER:
-      API_PASSWORD:
+      CLIENT_ID:
+      CLIENT_SECRET:
       SPLUNK_HOST:
       SPLUNK_TOKEN:
       SPLUNK_INDEX:

diff --git a/glide.lock b/glide.lock
diff --git a/splunknozzle/config.go b/splunknozzle/config.go
@@ -11,9 +11,11 @@ import (
 )
 
 type Config struct {
-	ApiEndpoint string `json:"api-endpoint"`
-	User        string `json:"-"`
-	Password    string `json:"-"`
+	ApiEndpoint  string `json:"api-endpoint"`
+	User         string `json:"-"`
+	Password     string `json:"-"`
+	ClientID     string `json:"-"`
+	ClientSecret string `json:"-"`
 
 	SplunkToken string `json:"-"`
 	SplunkHost  string `json:"splunk-host"`
@@ -67,9 +69,13 @@ func NewConfigFromCmdFlags(version, branch, commit, buildos string) *Config {
 	kingpin.Flag("api-endpoint", "API endpoint address").
 		OverrideDefaultFromEnvar("API_ENDPOINT").Required().StringVar(&c.ApiEndpoint)
 	kingpin.Flag("user", "Admin user.").
-		OverrideDefaultFromEnvar("API_USER").Required().StringVar(&c.User)
+		OverrideDefaultFromEnvar("API_USER").StringVar(&c.User)
 	kingpin.Flag("password", "Admin password.").
-		OverrideDefaultFromEnvar("API_PASSWORD").Required().StringVar(&c.Password)
+		OverrideDefaultFromEnvar("API_PASSWORD").StringVar(&c.Password)
+	kingpin.Flag("client-id", "Client ID.").
+		OverrideDefaultFromEnvar("CLIENT_ID").Required().StringVar(&c.ClientID)
+	kingpin.Flag("client-secret", "Client secret.").
+		OverrideDefaultFromEnvar("CLIENT_SECRET").Required().StringVar(&c.ClientSecret)
 
 	kingpin.Flag("splunk-host", "Splunk HTTP event collector host").
 		OverrideDefaultFromEnvar("SPLUNK_HOST").Required().StringVar(&c.SplunkHost)

diff --git a/splunknozzle/config_test.go b/splunknozzle/config_test.go
@@ -28,6 +28,8 @@ var _ = Describe("Config", func() {
 			os.Setenv("API_ENDPOINT", "api.bosh-lite.com")
 			os.Setenv("API_USER", "admin")
 			os.Setenv("API_PASSWORD", "abc123")
+			os.Setenv("CLIENT_ID", "client123")
+			os.Setenv("CLIENT_SECRET", "secret123")
 
 			os.Setenv("SPLUNK_TOKEN", "sometoken")
 			os.Setenv("SPLUNK_HOST", "splunk.example.com")
@@ -69,6 +71,8 @@ var _ = Describe("Config", func() {
 			Expect(c.ApiEndpoint).To(Equal("api.bosh-lite.com"))
 			Expect(c.User).To(Equal("admin"))
 			Expect(c.Password).To(Equal("abc123"))
+			Expect(c.ClientID).To(Equal("client123"))
+			Expect(c.ClientSecret).To(Equal("secret123"))
 
 			Expect(c.SplunkHost).To(Equal("splunk.example.com"))
 			Expect(c.SplunkToken).To(Equal("sometoken"))
@@ -160,6 +164,8 @@ var _ = Describe("Config", func() {
 				"--api-endpoint=api.bosh-lite.comc",
 				"--user=adminc",
 				"--password=abc123c",
+				"--client-id=client123",
+				"--client-secret=secret123",
 				"--splunk-host=splunk.example.comc",
 				"--splunk-token=sometokenc",
 				"--splunk-index=splunk_indexc",
@@ -196,6 +202,8 @@ var _ = Describe("Config", func() {
 			Expect(c.ApiEndpoint).To(Equal("api.bosh-lite.comc"))
 			Expect(c.User).To(Equal("adminc"))
 			Expect(c.Password).To(Equal("abc123c"))
+			Expect(c.ClientID).To(Equal("client123"))
+			Expect(c.ClientSecret).To(Equal("secret123"))
 
 			Expect(c.SplunkHost).To(Equal("splunk.example.comc"))
 			Expect(c.SplunkToken).To(Equal("sometokenc"))

diff --git a/splunknozzle/nozzle.go b/splunknozzle/nozzle.go
@@ -43,6 +43,8 @@ func (s *SplunkFirehoseNozzle) PCFClient() (*cfclient.Client, error) {
 		Username:          s.config.User,
 		Password:          s.config.Password,
 		SkipSslValidation: s.config.SkipSSLCF,
+		ClientID:          s.config.ClientID,
+		ClientSecret:      s.config.ClientSecret,
 	}
 
 	return cfclient.NewClient(cfConfig)
@@ -80,7 +82,6 @@ func (s *SplunkFirehoseNozzle) EventSink(logger lager.Logger) (eventsink.Sink, e
 		Logger:  logger,
 	}
 
-
 	var writers []eventwriter.Writer
 	for i := 0; i < s.config.HecWorkers+1; i++ {
 		splunkWriter := eventwriter.NewSplunk(writerConfig)

diff --git a/splunknozzle/nozzle_test.go b/splunknozzle/nozzle_test.go
@@ -16,9 +16,11 @@ import (
 
 func newConfig() *Config {
 	return &Config{
-		ApiEndpoint: "http://localhost:9911",
-		User:        "admin",
-		Password:    "admin",
+		ApiEndpoint:  "http://localhost:9911",
+		User:         "admin",
+		Password:     "admin",
+		ClientID:     "admin",
+		ClientSecret: "admin",
 
 		SplunkToken: "token",
 		SplunkHost:  "localhost:8088",

diff --git a/tile/tile-history.yml b/tile/tile-history.yml
@@ -5,4 +5,5 @@ history:
 - 1.0.1
 - 1.0.2
 - 1.1.0
-version: 1.1.1
+- 1.1.1
+version: 1.1.2
diff --git a/tile/tile.yml b/tile/tile.yml
@@ -52,14 +52,14 @@ forms:
     type: string
     label: API Endpoint
     description: Cloud Foundry API endpoint.
-  - name: api_user
+  - name: client_id
     type: string
-    label: API User
-    description: API username
-  - name: api_password
+    label: Client ID
+    description: CF UAA client ID
+  - name: client_secret
     type: secret
-    label: API Password
-    description: Password for API user
+    label: Client Secret
+    description: CF UAA client secret
   - name: skip_ssl_validation_cf
     type: boolean
     label: Skip SSL Validation

diff --git a/vendor/github.com/cloudfoundry-incubator/uaago/.travis.yml b/vendor/github.com/cloudfoundry-incubator/uaago/.travis.yml