chef · kalroy · Jul 21, 2023 · May 10, 2023 · May 10, 2023 · May 15, 2023
diff --git a/.bldr.toml b/.bldr.toml
@@ -194,6 +194,7 @@ paths = [
  "api/config/minio/*",
  "api/config/nodemanager/*",
  "api/config/notifications/*",
+ "api/config/ocid/*",
  "api/config/opensearch/*",
  "api/config/pg_gateway/*",
  "api/config/pg_sidecar/*",
@@ -408,6 +409,7 @@ paths = [
  "api/config/minio/*",
  "api/config/nodemanager/*",
  "api/config/notifications/*",
+ "api/config/ocid/*",
  "api/config/opensearch/*",
  "api/config/pg_gateway/*",
  "api/config/pg_sidecar/*",
@@ -511,6 +513,7 @@ paths = [
  "api/config/minio/*",
  "api/config/nodemanager/*",
  "api/config/notifications/*",
+ "api/config/ocid/*",
  "api/config/opensearch/*",
  "api/config/pg_gateway/*",
  "api/config/pg_sidecar/*",
@@ -943,6 +946,12 @@ paths = [
  "components/automate-cs-oc-erchef/*"
 ]
 
+[automate-cs-ocid]
+plan_path = "components/automate-cs-ocid"
+paths = [
+ "components/automate-cs-ocid/*"
+]
+
 [automate-cs-nginx]
 plan_path = "components/automate-cs-nginx"
 paths = [

diff --git a/.expeditor/update_chef_server.sh b/.expeditor/update_chef_server.sh
@@ -42,6 +42,7 @@ file_for_pkg=(
  [bookshelf]="components/automate-cs-bookshelf/habitat/plan.sh"
  [oc_bifrost]="components/automate-cs-oc-bifrost/habitat/plan.sh"
  [oc_erchef]="components/automate-cs-oc-erchef/habitat/plan.sh"
+ [oc_id]="components/automate-cs-ocid/habitat/plan.sh"
  [openresty-noroot]="components/automate-workflow-nginx/habitat/plan.sh"
 )
 

diff --git a/.expeditor/verify_private.pipeline.yml b/.expeditor/verify_private.pipeline.yml
@@ -929,3 +929,29 @@ steps:
  executor:
  linux:
  privileged: true
+
+ - label: "ocid"
+ command:
+ - integration/run_test integration/tests/testing_ocid.sh
+ timeout_in_minutes: 15
+ expeditor:
+ secrets:
+ A2_LICENSE:
+ path: secret/a2/license
+ field: license
+ executor:
+ linux:
+ privileged: true
+
+ - label: "ocid config patch"
+ command:
+ - integration/run_test integration/tests/testing_ocid_config_patch.sh
+ timeout_in_minutes: 15
+ expeditor:
+ secrets:
+ A2_LICENSE:
+ path: secret/a2/license
+ field: license
+ executor:
+ linux:
+ privileged: true
diff --git a/.license_scout.yml b/.license_scout.yml
@@ -11,6 +11,7 @@ directories:
  - ./components/automate-cs-nginx
  - ./components/automate-cs-oc-bifrost
  - ./components/automate-cs-oc-erchef
+ - ./components/automate-cs-ocid
  - ./components/automate-debug
  - ./components/automate-deployment
  - ./components/automate-dex

diff --git a/.studio/chef-server-collection b/.studio/chef-server-collection
@@ -392,6 +392,141 @@ function test_knife() {
  done
 }
 
+hab_curl() {
+ hab pkg exec core/curl curl "$@";
+}
+
+document "test_if_login_working_with_correct_credentials" <<DOC
+ login call returns 200 if creds are correct
+DOC
+test_if_login_working_with_correct_credentials() {
+ bootstrap_chef_user_data || return 1
+ local url="https://${chef_server_hostname}/id/auth/chef/callback"
+
+ res_code=$(hab_curl --insecure -H -s -o /dev/null -w "%{http_code}" "$url" \
+ --header 'x-requested-with: XMLHttpRequest' \
+ --header 'Content-Type: application/x-www-form-urlencoded' \
+ --data-urlencode 'utf8=✓' \
+ --data-urlencode "username=$chef_server_test_admin_user_email" \
+ --data-urlencode "password=$chef_server_test_user_password" \
+ --data-urlencode 'commit=Sign+In')
+
+ if [ "$res_code" == 200 ]; then
+ echo "User Logged In"
+ else
+ echo "Error Logging in with test admin user"
+ return 1
+ fi
+}
+
+document "test_if_login_failing_with_incorrect_credentials" <<DOC
+ login call returns 302 if creds are incorrect
+DOC
+test_if_login_failing_with_incorrect_credentials() {
+ bootstrap_chef_user_data || return 1
+ local url="https://${chef_server_hostname}/id/auth/chef/callback"
+ local incorrect_password='incorrect-password'
+
+ res_code=$(hab_curl --insecure -H -s -o /dev/null -w "%{http_code}" "$url" \
+ --header 'x-requested-with: XMLHttpRequest' \
+ --header 'Content-Type: application/x-www-form-urlencoded' \
+ --data-urlencode 'utf8=✓' \
+ --data-urlencode "username=$chef_server_test_admin_user_email" \
+ --data-urlencode "password=$incorrect_password" \
+ --data-urlencode 'commit=Sign+In')
+
+ if [ "$res_code" == 302 ]; then
+ echo "Login call returns HTTP STATUS 302 as expected for invalid credentials"
+ else
+ echo "Login call did not return HTTP STATUS 302 for invalid credentials"
+ return 1
+ fi
+}
+
+document "test_if_env_vars_are_configured" <<DOC
+ test if default ENV variables are configured for OCID
+DOC
+test_if_env_vars_are_configured() {
+ ocid_config_file_path="$(hab pkg path chef/oc_id)/oc_id/config/settings/production.yml"
+
+ # Get values from in settings/production.yml
+ endpoint=$(awk '/endpoint:/ {print $2}' "$ocid_config_file_path")
+ superuser=$(awk '/superuser:/ {print $2}' "$ocid_config_file_path")
+ ssl_verify_mode=$(awk '/ssl_verify_mode:/ {print $2}' "$ocid_config_file_path")
+
+ errors=()
+
+ if [ "$endpoint" != "https://127.0.0.1:443" ]; then
+ errors+=("Chef-Server endpoint is not configured properly.")
+ fi
+
+ if [ "$superuser" != "pivotal" ]; then
+ errors+=("Chef-Server superuser is not configured properly.")
+ fi
+
+ if [ "$ssl_verify_mode" != "verify_none" ]; then
+ errors+=("Chef-Server SSL certificate verification mode is not configured properly.")
+ fi
+
+ if [ ${#errors} -gt 0 ]; then
+ for (( i=0; i<${#errors[@]}; i++ )); do echo "${errors[$i]}" ; done
+ return 1
+ else
+ echo "ENV Vars configured correctly"
+ fi
+}
+
+# We are keeping a local copy of this method as the original from 01_base.sh is not accessible here
+install_if_missing() {
+ if [ "$#" -ne 2 ]; then
+ error "Wrong number of arguments to ${FUNCNAME[0]}"
+ describe "${FUNCNAME[0]}"
+ return 1
+ fi
+
+ # Install the package if it is not installed
+ if [[ ! -d "/hab/pkgs/$1" ]]; then
+ hab pkg install "$1" > /dev/null
+ fi
+
+ # Ensure we are binlinking to the same version `hab pkg exec` would run
+ hab pkg binlink --force "$1" "$2" > /dev/null
+}
+
+document "test_if_webui_key_is_patched" <<DOC
+ test if WEB UI key is patched for OCID
+DOC
+test_if_webui_key_is_patched() {
+ install_if_missing core/jq-static jq
+
+ # Extract webui_key from private-chef-secrets.json
+ ocid_secrets_file_path="$(hab pkg path chef/oc_id)/oc_id/config/private-chef-secrets.json"
+
+ # elem variable hold the value 'chef-server', we opted for this syntax becz chef-server needs to be
+ # to be treated as string as it contains `-`, which is not a valid JSON character
+ ocid_webui_key="$(jq --arg elem "chef-server" -r '.[$elem]."webui_key"' < "$ocid_secrets_file_path")"
+
+ # Create a temporary file with the ocid_webui_key content
+ echo "$ocid_webui_key" > temp_ocid_webui_key.pem
+
+ # Path for erchef webui_priv.pem file
+ erchef_webui_key_path="/hab/svc/automate-cs-oc-erchef/data/webui_priv.pem"
+
+ # Compare the temporary file with the erchef PEM file
+ output=$(diff "$erchef_webui_key_path" temp_ocid_webui_key.pem)
+
+ # Remove the temporary file
+ rm temp_ocid_webui_key.pem
+
+ # Check if the output is empty, indicating a match
+ if [ -z "$output" ]; then
+ echo "The content of the PEM file matches."
+ else
+ echo "The content of the PEM file does not match."
+ return 1
+ fi
+}
+
 document "ohai_time" <<DOC
  Gets ohai_time for a converged node. Assumes converge_chef_client has already run.
 DOC
@@ -406,3 +541,66 @@ function ohai_time() {
  -a ohai_time \
  | grep ohai_time | cut -f2 -d":" | xargs
 }
+
+document "test_if_env_vars_are_configured_after_patch" <<DOC
+ test if OCID ENV variables are configured after patch
+DOC
+test_if_env_vars_are_configured_after_patch() {
+ ocid_config_file_path="$(hab pkg path chef/oc_id)/oc_id/config/settings/production.yml"
+
+ # Get values from in settings/production.yml
+ endpoint=$(awk '/endpoint:/ {print $2}' "$ocid_config_file_path")
+ superuser=$(awk '/superuser:/ {print $2}' "$ocid_config_file_path")
+ ssl_verify_mode=$(awk '/ssl_verify_mode:/ {print $2}' "$ocid_config_file_path")
+
+ errors=()
+
+ if [ "$endpoint" != "https://test-url.com:443" ]; then
+ errors+=("Chef-Server endpoint is not configured properly.")
+ fi
+
+ if [ "$superuser" != "testuser" ]; then
+ errors+=("Chef-Server superuser is not configured properly.")
+ fi
+
+ if [ "$ssl_verify_mode" != "verify_peer" ]; then
+ errors+=("Chef-Server SSL certificate verification mode is not configured properly.")
+ fi
+
+ if [ ${#errors} -gt 0 ]; then
+ for (( i=0; i<${#errors[@]}; i++ )); do echo "${errors[$i]}" ; done
+ return 1
+ else
+ echo "ENV Vars configured correctly"
+ fi
+}
+
+document "test_if_oauthapps_are_patched_correctly" <<DOC
+ test if OAuth App values are patched correctly
+DOC
+test_if_oauthapps_are_patched_correctly() {
+ chef-automate config oc-id-show-app > registered_oauth_apps.yml
+
+ yaml_file="registered_oauth_apps.yml"
+
+ # Extract values of attributes
+ name=$(grep -oP "(?<=name: ).*" "$yaml_file")
+ redirect_uri=$(grep -oP "(?<=redirect_uri: ).*" "$yaml_file")
+
+ errors=()
+
+ if [ "$name" != "test-supermarket" ]; then
+ errors+=("Registered OAuth application's name is not patched correctly.")
+ fi
+
+ if [ "$redirect_uri" != "https://sampleurl.com/auth/chef_oauth2/callback" ]; then
+ errors+=("Registered OAuth application's redirect URI is not configured correctly.")
+ fi
+
+ if [ ${#errors} -gt 0 ]; then
+ for (( i=0; i<${#errors[@]}; i++ )); do echo "${errors[$i]}" ; done
+ return 1
+ else
+ echo "OAuth App values are patched correctly"
+ fi
+}
diff --git a/HABITAT_PACKAGES b/HABITAT_PACKAGES
@@ -58,6 +58,7 @@ trial-license-service components/trial-license-service
 automate-cs-bookshelf components/automate-cs-bookshelf
 automate-cs-oc-bifrost components/automate-cs-oc-bifrost
 automate-cs-oc-erchef components/automate-cs-oc-erchef
+automate-cs-ocid components/automate-cs-ocid
 automate-cs-nginx components/automate-cs-nginx
 automate-workflow-nginx components/automate-workflow-nginx
 automate-workflow-web components/automate-workflow-web

diff --git a/api/config/deployment/automate_config.pb.a2svc.go b/api/config/deployment/automate_config.pb.a2svc.go