4.5.0
This commit is contained in:
Nikita Sorokin
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
Copyright (c) 2019-2022 Digital Energy Cloud Solutions LLC. All Rights Reserved.
|
||||
Copyright (c) 2019-2023 Digital Energy Cloud Solutions LLC. All Rights Reserved.
|
||||
Authors:
|
||||
Petr Krutov, <petr.krutov@digitalenergy.online>
|
||||
Stanislav Solovev, <spsolovev@digitalenergy.online>
|
||||
@@ -24,15 +24,15 @@ import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"io"
|
||||
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
// "time"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"golang.org/x/oauth2"
|
||||
decort "repository.basistech.ru/BASIS/decort-golang-sdk"
|
||||
"repository.basistech.ru/BASIS/decort-golang-sdk/config"
|
||||
"repository.basistech.ru/BASIS/decort-golang-sdk/interfaces"
|
||||
@@ -46,24 +46,29 @@ import (
|
||||
|
||||
// enumerated constants that define authentication modes
|
||||
const (
|
||||
MODE_UNDEF = iota // this is the invalid mode - it should never be seen
|
||||
MODE_LEGACY = iota
|
||||
MODE_OAUTH2 = iota
|
||||
MODE_JWT = iota
|
||||
MODE_UNDEF = iota // this is the invalid mode - it should never be seen
|
||||
MODE_LEGACY
|
||||
MODE_DECS3O
|
||||
MODE_JWT
|
||||
MODE_BVS
|
||||
)
|
||||
|
||||
type ControllerCfg struct {
|
||||
controller_url string // always required
|
||||
auth_mode_code int // always required
|
||||
auth_mode_txt string // always required, it is a text representation of auth mode
|
||||
bvs_user string // required for bvs mode
|
||||
bvs_password string // required for bvs mode
|
||||
domain string // required for bvs mode
|
||||
token oauth2.Token // obtained from BVS provider on successful login in bvs mode
|
||||
legacy_user string // required for legacy mode
|
||||
legacy_password string // required for legacy mode
|
||||
legacy_sid string // obtained from DECORT controller on successful login in legacy mode
|
||||
jwt string // obtained from Outh2 provider on successful login in oauth2 mode, required in jwt mode
|
||||
app_id string // required for oauth2 mode
|
||||
app_secret string // required for oauth2 mode
|
||||
oauth2_url string // always required
|
||||
decort_username string // assigned to either legacy_user (legacy mode) or Oauth2 user (oauth2 mode) upon successful verification
|
||||
jwt string // obtained from Outh2 provider on successful login in decs3o mode, required in jwt mode
|
||||
app_id string // required for decs3o and bvs mode
|
||||
app_secret string // required for decs3o and bvs mode
|
||||
oauth2_url string // required for decs3o and bvs mode
|
||||
decort_username string // assigned to either legacy_user (legacy mode) or Oauth2 user (decs3o mode) upon successful verification
|
||||
cc_client *http.Client // assigned when all initial checks successfully passed
|
||||
caller interfaces.Caller
|
||||
}
|
||||
@@ -86,17 +91,21 @@ func ControllerConfigure(d *schema.ResourceData) (*ControllerCfg, error) {
|
||||
legacy_user: d.Get("user").(string),
|
||||
legacy_password: d.Get("password").(string),
|
||||
legacy_sid: "",
|
||||
bvs_user: d.Get("bvs_user").(string),
|
||||
bvs_password: d.Get("bvs_password").(string),
|
||||
domain: d.Get("domain").(string),
|
||||
jwt: d.Get("jwt").(string),
|
||||
app_id: d.Get("app_id").(string),
|
||||
app_secret: d.Get("app_secret").(string),
|
||||
oauth2_url: d.Get("oauth2_url").(string),
|
||||
decort_username: "",
|
||||
token: oauth2.Token{},
|
||||
}
|
||||
|
||||
allow_unverified_ssl := d.Get("allow_unverified_ssl").(bool)
|
||||
|
||||
if ret_config.controller_url == "" {
|
||||
return nil, fmt.Errorf("Empty DECORT cloud controller URL provided.")
|
||||
return nil, fmt.Errorf("empty DECORT cloud controller URL provided")
|
||||
}
|
||||
|
||||
// this should have already been done by StateFunc defined in Schema, but we want to be sure
|
||||
@@ -105,33 +114,53 @@ func ControllerConfigure(d *schema.ResourceData) (*ControllerCfg, error) {
|
||||
switch ret_config.auth_mode_txt {
|
||||
case "jwt":
|
||||
if ret_config.jwt == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'jwt' specified but no JWT provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'jwt' specified but no JWT provided")
|
||||
}
|
||||
ret_config.auth_mode_code = MODE_JWT
|
||||
case "oauth2":
|
||||
case "decs3o":
|
||||
if ret_config.oauth2_url == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'oauth2' specified but no OAuth2 URL provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'decs3o' specified but no OAuth2 URL provided")
|
||||
}
|
||||
if ret_config.app_id == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'oauth2' specified but no Application ID provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'decs3o' specified but no Application ID provided")
|
||||
}
|
||||
if ret_config.app_secret == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'oauth2' specified but no Secret ID provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'decs3o' specified but no Secret ID provided")
|
||||
}
|
||||
ret_config.auth_mode_code = MODE_OAUTH2
|
||||
ret_config.auth_mode_code = MODE_DECS3O
|
||||
case "legacy":
|
||||
//
|
||||
ret_config.legacy_user = d.Get("user").(string)
|
||||
if ret_config.legacy_user == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'legacy' specified but no user provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'legacy' specified but no user provided")
|
||||
}
|
||||
ret_config.legacy_password = d.Get("password").(string)
|
||||
if ret_config.legacy_password == "" {
|
||||
return nil, fmt.Errorf("Authenticator mode 'legacy' specified but no password provided.")
|
||||
return nil, fmt.Errorf("authenticator mode 'legacy' specified but no password provided")
|
||||
}
|
||||
ret_config.auth_mode_code = MODE_LEGACY
|
||||
case "bvs":
|
||||
if ret_config.bvs_user == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no user provided")
|
||||
}
|
||||
if ret_config.bvs_password == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no password provided")
|
||||
}
|
||||
if ret_config.oauth2_url == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no bvs URL provided")
|
||||
}
|
||||
if ret_config.app_id == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no Application ID provided")
|
||||
}
|
||||
if ret_config.app_secret == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no Secret ID provided")
|
||||
}
|
||||
if ret_config.domain == "" {
|
||||
return nil, fmt.Errorf("authenticator mode 'bvs' specified but no Domain provided")
|
||||
}
|
||||
ret_config.auth_mode_code = MODE_BVS
|
||||
default:
|
||||
return nil, fmt.Errorf("Unknown authenticator mode %q provided.", ret_config.auth_mode_txt)
|
||||
return nil, fmt.Errorf("unknown authenticator mode %q provided", ret_config.auth_mode_txt)
|
||||
}
|
||||
|
||||
if allow_unverified_ssl {
|
||||
@@ -167,10 +196,10 @@ func ControllerConfigure(d *schema.ResourceData) (*ControllerCfg, error) {
|
||||
if !ok {
|
||||
return nil, err
|
||||
}
|
||||
case MODE_OAUTH2:
|
||||
// on success getOAuth2JWT will set config.jwt to the obtained JWT, so there is no
|
||||
case MODE_DECS3O:
|
||||
// on success getDECS3OJWT will set config.jwt to the obtained JWT, so there is no
|
||||
// need to set it once again here
|
||||
_, err := ret_config.getOAuth2JWT()
|
||||
_, err := ret_config.getDECS3OJWT()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -189,7 +218,7 @@ func ControllerConfigure(d *schema.ResourceData) (*ControllerCfg, error) {
|
||||
tbuf.WriteString(claims["iss"].(string))
|
||||
ret_config.decort_username = tbuf.String()
|
||||
} else {
|
||||
return nil, fmt.Errorf("Failed to extract user and iss fields from JWT token in oauth2 mode.")
|
||||
return nil, fmt.Errorf("failed to extract user and iss fields from JWT token in oauth2 mode")
|
||||
}
|
||||
|
||||
sdkConf := config.Config{
|
||||
@@ -201,10 +230,24 @@ func ControllerConfigure(d *schema.ResourceData) (*ControllerCfg, error) {
|
||||
}
|
||||
|
||||
ret_config.caller = decort.New(sdkConf)
|
||||
case MODE_BVS:
|
||||
|
||||
sdkConf := config.BVSConfig{
|
||||
AppID: ret_config.app_id,
|
||||
AppSecret: ret_config.app_secret,
|
||||
SSOURL: ret_config.oauth2_url,
|
||||
DecortURL: ret_config.controller_url,
|
||||
SSLSkipVerify: allow_unverified_ssl,
|
||||
Username: ret_config.bvs_user,
|
||||
Password: ret_config.bvs_password,
|
||||
Domain: ret_config.domain,
|
||||
Token: ret_config.token,
|
||||
}
|
||||
|
||||
ret_config.caller = decort.NewBVS(sdkConf)
|
||||
default:
|
||||
// FYI, this should never happen due to all above checks, but we want to be fool proof
|
||||
return nil, fmt.Errorf("Unknown authenticator mode code %d provided.", ret_config.auth_mode_code)
|
||||
return nil, fmt.Errorf("unknown authenticator mode code %d provided", ret_config.auth_mode_code)
|
||||
}
|
||||
|
||||
// All checks passed successfully, credentials corresponding to the selected authenticator mode
|
||||
@@ -216,13 +259,13 @@ func (config *ControllerCfg) GetDecortUsername() string {
|
||||
return config.decort_username
|
||||
}
|
||||
|
||||
func (config *ControllerCfg) getOAuth2JWT() (string, error) {
|
||||
func (config *ControllerCfg) getDECS3OJWT() (string, error) {
|
||||
// Obtain JWT from the Oauth2 provider using application ID and application secret provided in config.
|
||||
if config.auth_mode_code == MODE_UNDEF {
|
||||
return "", fmt.Errorf("getOAuth2JWT method called for undefined authorization mode.")
|
||||
return "", fmt.Errorf("getOAuth2JWT method called for undefined authorization mode")
|
||||
}
|
||||
if config.auth_mode_code != MODE_OAUTH2 {
|
||||
return "", fmt.Errorf("getOAuth2JWT method called for incompatible authorization mode %q.", config.auth_mode_txt)
|
||||
if config.auth_mode_code != MODE_DECS3O {
|
||||
return "", fmt.Errorf("getOAuth2JWT method called for incompatible authorization mode %q", config.auth_mode_txt)
|
||||
}
|
||||
|
||||
params := url.Values{}
|
||||
@@ -253,7 +296,7 @@ func (config *ControllerCfg) getOAuth2JWT() (string, error) {
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
responseData, err := ioutil.ReadAll(resp.Body)
|
||||
responseData, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
@@ -273,13 +316,13 @@ func (config *ControllerCfg) validateJWT(jwt string) (bool, error) {
|
||||
*/
|
||||
if jwt == "" {
|
||||
if config.jwt == "" {
|
||||
return false, fmt.Errorf("validateJWT method called, but no meaningful JWT provided.")
|
||||
return false, fmt.Errorf("validateJWT method called, but no meaningful JWT provided")
|
||||
}
|
||||
jwt = config.jwt
|
||||
}
|
||||
|
||||
if config.oauth2_url == "" {
|
||||
return false, fmt.Errorf("validateJWT method called, but no OAuth2 URL provided.")
|
||||
return false, fmt.Errorf("validateJWT method called, but no OAuth2 URL provided")
|
||||
}
|
||||
|
||||
req, err := http.NewRequest("POST", config.controller_url+"/restmachine/cloudapi/account/list", nil)
|
||||
@@ -296,7 +339,7 @@ func (config *ControllerCfg) validateJWT(jwt string) (bool, error) {
|
||||
return false, err
|
||||
}
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return false, fmt.Errorf("validateJWT: unexpected status code %d when validating JWT against %q.",
|
||||
return false, fmt.Errorf("validateJWT: unexpected status code %d when validating JWT against %q",
|
||||
resp.StatusCode, req.URL)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
@@ -312,10 +355,10 @@ func (config *ControllerCfg) validateLegacyUser() (bool, error) {
|
||||
reason, the method will return false and error.
|
||||
*/
|
||||
if config.auth_mode_code == MODE_UNDEF {
|
||||
return false, fmt.Errorf("validateLegacyUser method called for undefined authorization mode.")
|
||||
return false, fmt.Errorf("validateLegacyUser method called for undefined authorization mode")
|
||||
}
|
||||
if config.auth_mode_code != MODE_LEGACY {
|
||||
return false, fmt.Errorf("validateLegacyUser method called for incompatible authorization mode %q.", config.auth_mode_txt)
|
||||
return false, fmt.Errorf("validateLegacyUser method called for incompatible authorization mode %q", config.auth_mode_txt)
|
||||
}
|
||||
|
||||
params := url.Values{}
|
||||
@@ -336,12 +379,12 @@ func (config *ControllerCfg) validateLegacyUser() (bool, error) {
|
||||
return false, err
|
||||
}
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return false, fmt.Errorf("validateLegacyUser: unexpected status code %d when validating legacy user %q against %q.",
|
||||
return false, fmt.Errorf("validateLegacyUser: unexpected status code %d when validating legacy user %q against %q",
|
||||
resp.StatusCode, config.legacy_user, config.controller_url)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
responseData, err := ioutil.ReadAll(resp.Body)
|
||||
responseData, err := io.ReadAll(req.Body)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
@@ -353,21 +396,32 @@ func (config *ControllerCfg) validateLegacyUser() (bool, error) {
|
||||
}
|
||||
|
||||
func (config *ControllerCfg) CloudAPI() *cloudapi.CloudAPI {
|
||||
if config.auth_mode_code == MODE_LEGACY {
|
||||
switch config.auth_mode_code {
|
||||
case MODE_LEGACY:
|
||||
client, _ := config.caller.(*decort.LegacyDecortClient)
|
||||
return client.CloudAPI()
|
||||
case MODE_DECS3O:
|
||||
client, _ := config.caller.(*decort.DecortClient)
|
||||
return client.CloudAPI()
|
||||
case MODE_BVS:
|
||||
client, _ := config.caller.(*decort.BVSDecortClient)
|
||||
return client.CloudAPI()
|
||||
default:
|
||||
return &cloudapi.CloudAPI{}
|
||||
}
|
||||
|
||||
client, _ := config.caller.(*decort.DecortClient)
|
||||
return client.CloudAPI()
|
||||
}
|
||||
|
||||
func (config *ControllerCfg) CloudBroker() *cloudbroker.CloudBroker {
|
||||
if config.auth_mode_code == MODE_LEGACY {
|
||||
switch config.auth_mode_code {
|
||||
case MODE_LEGACY:
|
||||
client, _ := config.caller.(*decort.LegacyDecortClient)
|
||||
return client.CloudBroker()
|
||||
case MODE_DECS3O:
|
||||
client, _ := config.caller.(*decort.DecortClient)
|
||||
return client.CloudBroker()
|
||||
case MODE_BVS:
|
||||
client, _ := config.caller.(*decort.BVSDecortClient)
|
||||
return client.CloudBroker()
|
||||
default:
|
||||
return &cloudbroker.CloudBroker{}
|
||||
}
|
||||
|
||||
client, _ := config.caller.(*decort.DecortClient)
|
||||
return client.CloudBroker()
|
||||
}
|
||||
|
||||
@@ -40,8 +40,8 @@ func Provider() *schema.Provider {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
StateFunc: statefuncs.StateFuncToLower,
|
||||
ValidateFunc: validation.StringInSlice([]string{"oauth2", "legacy", "jwt"}, true), // ignore case while validating
|
||||
Description: "Authentication mode to use when connecting to DECORT cloud API. Should be one of 'oauth2', 'legacy' or 'jwt'.",
|
||||
ValidateFunc: validation.StringInSlice([]string{"decs3o", "legacy", "jwt", "bvs"}, true), // ignore case while validating
|
||||
Description: "Authentication mode to use when connecting to DECORT cloud API. Should be one of 'decs3o', 'legacy', 'jwt' or 'bvs'.",
|
||||
},
|
||||
|
||||
"oauth2_url": {
|
||||
@@ -49,7 +49,7 @@ func Provider() *schema.Provider {
|
||||
Optional: true,
|
||||
StateFunc: statefuncs.StateFuncToLower,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_OAUTH2_URL", nil),
|
||||
Description: "OAuth2 application URL in 'oauth2' authentication mode.",
|
||||
Description: "OAuth2 application URL in 'decs3o' and 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"controller_url": {
|
||||
@@ -74,18 +74,39 @@ func Provider() *schema.Provider {
|
||||
Description: "User password for DECORT cloud API operations in 'legacy' authentication mode.",
|
||||
},
|
||||
|
||||
"bvs_user": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_BVS_USER", nil),
|
||||
Description: "User name for DECORT cloud API operations in 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"bvs_password": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_BVS_PASSWORD", nil),
|
||||
Description: "User password for DECORT cloud API operations in 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"domain": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_DOMAIN", nil),
|
||||
Description: "User password for DECORT cloud API operations in 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"app_id": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_APP_ID", nil),
|
||||
Description: "Application ID to access DECORT cloud API in 'oauth2' authentication mode.",
|
||||
Description: "Application ID to access DECORT cloud API in 'decs3o' and 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"app_secret": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
DefaultFunc: schema.EnvDefaultFunc("DECORT_APP_SECRET", nil),
|
||||
Description: "Application secret to access DECORT cloud API in 'oauth2' authentication mode.",
|
||||
Description: "Application secret to access DECORT cloud API in 'decs3o' and 'bvs' authentication mode.",
|
||||
},
|
||||
|
||||
"jwt": {
|
||||
|
||||
Reference in New Issue
Block a user