Move all functionality for assume command into credentials/console

cmd/ocm-backplane/cloud/cloud.go

@@ -18,8 +18,6 @@ var CloudCmd = &cobra.Command{
 func init() {
 	CloudCmd.AddCommand(CredentialsCmd)
 	CloudCmd.AddCommand(ConsoleCmd)
-	CloudCmd.AddCommand(TokenCmd)
-	CloudCmd.AddCommand(AssumeCmd)
 }
 
 func help(cmd *cobra.Command, _ []string) {

cmd/ocm-backplane/cloud/common.go

@@ -0,0 +1,129 @@
+package cloud
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	v1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+	"github.com/openshift/backplane-cli/pkg/awsutil"
+	"github.com/openshift/backplane-cli/pkg/utils"
+	"io"
+	"net/http"
+)
+
+const OldFlowSupportRole = "role/RH-Technical-Support-Access"
+
+var StsClientWithProxy = awsutil.StsClientWithProxy
+var AssumeRoleWithJWT = awsutil.AssumeRoleWithJWT
+var NewStaticCredentialsProvider = credentials.NewStaticCredentialsProvider
+var AssumeRoleSequence = awsutil.AssumeRoleSequence
+
+type assumeChainResponse struct {
+	AssumptionSequence []namedRoleArn `json:"assumptionSequence"`
+}
+
+type namedRoleArn struct {
+	Name string `json:"name"`
+	Arn  string `json:"arn"`
+}
+
+func getIsolatedCredentials(clusterID string) (aws.Credentials, error) {
+	if clusterID == "" {
+		return aws.Credentials{}, errors.New("must provide non-empty cluster ID")
+	}
+
+	ocmToken, err := utils.DefaultOCMInterface.GetOCMAccessToken()
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to retrieve OCM token: %w", err)
+	}
+
+	email, err := utils.GetStringFieldFromJWT(*ocmToken, "email")
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("unable to extract email from given token: %w", err)
+	}
+
+	bpConfig, err := GetBackplaneConfiguration()
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("error retrieving backplane configuration: %w", err)
+	}
+
+	if bpConfig.AssumeInitialArn == "" {
+		return aws.Credentials{}, errors.New("backplane config is missing required `assume-initial-arn` property")
+	}
+
+	initialClient, err := StsClientWithProxy(bpConfig.ProxyURL)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to create sts client: %w", err)
+	}
+
+	seedCredentials, err := AssumeRoleWithJWT(*ocmToken, bpConfig.AssumeInitialArn, initialClient)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to assume role using JWT: %w", err)
+	}
+
+	backplaneClient, err := utils.DefaultClientUtils.MakeRawBackplaneAPIClientWithAccessToken(bpConfig.URL, *ocmToken)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to create backplane client with access token: %w", err)
+	}
+
+	response, err := backplaneClient.GetAssumeRoleSequence(context.TODO(), clusterID)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to fetch arn sequence: %w", err)
+	}
+	if response.StatusCode != http.StatusOK {
+		return aws.Credentials{}, fmt.Errorf("failed to fetch arn sequence: %v", response.Status)
+	}
+
+	bytes, err := io.ReadAll(response.Body)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to read backplane API response body: %w", err)
+	}
+
+	roleChainResponse := &assumeChainResponse{}
+	err = json.Unmarshal(bytes, roleChainResponse)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to unmarshal response: %w", err)
+	}
+
+	roleAssumeSequence := make([]string, 0, len(roleChainResponse.AssumptionSequence))
+	for _, namedRoleArn := range roleChainResponse.AssumptionSequence {
+		roleAssumeSequence = append(roleAssumeSequence, namedRoleArn.Arn)
+	}
+
+	seedClient := sts.NewFromConfig(aws.Config{
+		Region:      "us-east-1",
+		Credentials: NewStaticCredentialsProvider(seedCredentials.AccessKeyID, seedCredentials.SecretAccessKey, seedCredentials.SessionToken),
+	})
+
+	targetCredentials, err := AssumeRoleSequence(email, seedClient, roleAssumeSequence, bpConfig.ProxyURL, awsutil.DefaultSTSClientProviderFunc)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to assume role sequence: %w", err)
+	}
+	return targetCredentials, nil
+}
+
+func isIsolatedBackplaneAccess(cluster *v1.Cluster) (bool, error) {
+	if clusterAws, ok := cluster.GetAWS(); ok {
+		if clusterAwsSts, ok := clusterAws.GetSTS(); ok {
+			if clusterAwsSts.Enabled() {
+				stsSupportJumpRole, err := utils.DefaultOCMInterface.GetStsSupportJumpRoleARN(cluster.ID())
+				if err != nil {
+					return false, fmt.Errorf("failed to get sts support jump role ARN for cluster %v: %w", cluster.ID(), err)
+				}
+				supportRoleArn, err := arn.Parse(stsSupportJumpRole)
+				if err != nil {
+					return false, fmt.Errorf("failed to parse ARN for jump role %v: %w", stsSupportJumpRole, err)
+				}
+				if supportRoleArn.Resource != OldFlowSupportRole {
+					return true, nil
+				}
+			}
+		}
+	}
+	return false, nil
+}