openshift · openshift-merge-bot · Nov 27, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
diff --git a/cmd/ocm-backplane/cloud/common.go b/cmd/ocm-backplane/cloud/common.go
@@ -12,18 +12,198 @@ import (
  "github.com/aws/aws-sdk-go-v2/aws/arn"
  "github.com/aws/aws-sdk-go-v2/credentials"
  "github.com/aws/aws-sdk-go-v2/service/sts"
+ ocmsdk "github.com/openshift-online/ocm-sdk-go"
  cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+ BackplaneApi "github.com/openshift/backplane-api/pkg/client"
  "github.com/openshift/backplane-cli/pkg/awsutil"
+ "github.com/openshift/backplane-cli/pkg/cli/config"
+ bpCredentials "github.com/openshift/backplane-cli/pkg/credentials"
  "github.com/openshift/backplane-cli/pkg/utils"
+ logger "github.com/sirupsen/logrus"
 )
 
 const OldFlowSupportRole = "role/RH-Technical-Support-Access"
 
-var StsClientWithProxy = awsutil.StsClientWithProxy
+var StsClient = awsutil.StsClient
 var AssumeRoleWithJWT = awsutil.AssumeRoleWithJWT
 var NewStaticCredentialsProvider = credentials.NewStaticCredentialsProvider
 var AssumeRoleSequence = awsutil.AssumeRoleSequence
 
+// Wrapper for the configuration needed for cloud requests
+type QueryConfig struct {
+ config.BackplaneConfiguration
+ OcmConnection *ocmsdk.Connection
+ Cluster *cmv1.Cluster
+}
+
+// GetAWSV2Config allows consumers to get an aws-sdk-go-v2 Config to programmatically access the AWS API
+func (cfg *QueryConfig) GetAWSV2Config() (aws.Config, error) {
+ if cfg.Cluster.CloudProvider().ID() != "aws" {
+ return aws.Config{}, fmt.Errorf("only supported for the aws cloud provider, this cluster has: %s", cfg.Cluster.CloudProvider().ID())
+ }
+ creds, err := cfg.GetCloudCredentials()
+ if err != nil {
+ return aws.Config{}, err
+ }
+
+ awsCreds, ok := creds.(*bpCredentials.AWSCredentialsResponse)
+ if !ok {
+ return aws.Config{}, errors.New("unexpected error: failed to convert backplane creds to AWSCredentialsResponse")
+ }
+
+ return awsCreds.AWSV2Config()
+}
+
+// GetCloudCredentials returns Cloud Credentials Response
+func (cfg *QueryConfig) GetCloudConsole() (*ConsoleResponse, error) {
+ ocmToken, _, err := cfg.OcmConnection.Tokens()
+ if err != nil {
+ return nil, fmt.Errorf("unable to get token for ocm connection")
+ }
+
+ isolatedBackplane, err := isIsolatedBackplaneAccess(cfg.Cluster, cfg.OcmConnection)
+ if err != nil {
+ logger.Infof("failed to determine if the cluster is using isolated backplane access: %v", err)
+ logger.Infof("for more information, try ocm get /api/clusters_mgmt/v1/clusters/%s/sts_support_jump_role", cfg.Cluster.ID())
+ logger.Infof("attempting to fallback to %s", OldFlowSupportRole)
+ }
+
+ if isolatedBackplane {
+ logger.Debugf("cluster is using isolated backplane")
+ targetCredentials, err := cfg.getIsolatedCredentials(ocmToken)
+ if err != nil {
+ // TODO: This fallback should be removed in the future
+ // TODO: when we are more confident in our ability to access clusters using the isolated flow
+ logger.Infof("failed to assume role with isolated backplane flow: %v", err)
+ logger.Infof("attempting to fallback to %s", OldFlowSupportRole)
+ return cfg.getCloudConsoleFromPublicAPI(ocmToken)
+ }
+
+ resp, err := awsutil.GetSigninToken(targetCredentials, cfg.Cluster.Region().ID())
+ if err != nil {
+ return nil, fmt.Errorf("failed to get signin token: %w", err)
+ }
+
+ signinFederationURL, err := awsutil.GetConsoleURL(resp.SigninToken, cfg.Cluster.Region().ID())
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate console url: %w", err)
+ }
+ return &ConsoleResponse{ConsoleLink: signinFederationURL.String()}, nil
+ }
+
+ return cfg.getCloudConsoleFromPublicAPI(ocmToken)
+}
+
+// GetCloudConsole returns console response calling to public Backplane API
+func (cfg *QueryConfig) getCloudConsoleFromPublicAPI(ocmToken string) (*ConsoleResponse, error) {
+ logger.Debugln("Getting Cloud Console")
+
+ client, err := utils.DefaultClientUtils.GetBackplaneClient(cfg.BackplaneConfiguration.URL, ocmToken, cfg.BackplaneConfiguration.ProxyURL)
+ if err != nil {
+ return nil, err
+ }
+ resp, err := client.GetCloudConsole(context.TODO(), cfg.Cluster.ID())
+ if err != nil {
+ return nil, err
+ }
+
+ if resp.StatusCode != http.StatusOK {
+ return nil, utils.TryPrintAPIError(resp, false)
+ }
+
+ credsResp, err := BackplaneApi.ParseGetCloudConsoleResponse(resp)
+ if err != nil {
+ return nil, fmt.Errorf("unable to parse response body from backplane:\n Status Code: %d", resp.StatusCode)
+ }
+
+ if len(credsResp.Body) == 0 {
+ return nil, fmt.Errorf("empty response from backplane")
+ }
+
+ cliResp := &ConsoleResponse{}
+ cliResp.ConsoleLink = *credsResp.JSON200.ConsoleLink
+
+ return cliResp, nil
+}
+
+// GetCloudCredentials returns Cloud Credentials Response
+func (cfg *QueryConfig) GetCloudCredentials() (bpCredentials.Response, error) {
+ ocmToken, _, err := cfg.OcmConnection.Tokens()
+ if err != nil {
+ return nil, fmt.Errorf("unable to get token for ocm connection")
+ }
+
+ isolatedBackplane, err := isIsolatedBackplaneAccess(cfg.Cluster, cfg.OcmConnection)
+ if err != nil {
+ logger.Infof("failed to determine if the cluster is using isolated backplane access: %v", err)
+ logger.Infof("for more information, try ocm get /api/clusters_mgmt/v1/clusters/%s/sts_support_jump_role", cfg.Cluster.ID())
+ logger.Infof("attempting to fallback to %s", OldFlowSupportRole)
+ }
+
+ if isolatedBackplane {
+ logger.Debugf("cluster is using isolated backplane")
+ targetCredentials, err := cfg.getIsolatedCredentials(ocmToken)
+ if err != nil {
+ // TODO: This fallback should be removed in the future
+ // TODO: when we are more confident in our ability to access clusters using the isolated flow
+ logger.Infof("failed to assume role with isolated backplane flow: %v", err)
+ logger.Infof("attempting to fallback to %s", OldFlowSupportRole)
+ return cfg.getCloudCredentialsFromBackplaneAPI(ocmToken)
+ }
+
+ return &bpCredentials.AWSCredentialsResponse{
+ AccessKeyID: targetCredentials.AccessKeyID,
+ SecretAccessKey: targetCredentials.SecretAccessKey,
+ SessionToken: targetCredentials.SessionToken,
+ Expiration: targetCredentials.Expires.String(),
+ Region: cfg.Cluster.Region().ID(),
+ }, nil
+ }
+
+ return cfg.getCloudCredentialsFromBackplaneAPI(ocmToken)
+}
+
+func (cfg *QueryConfig) getCloudCredentialsFromBackplaneAPI(ocmToken string) (bpCredentials.Response, error) {
+ client, err := utils.DefaultClientUtils.GetBackplaneClient(cfg.BackplaneConfiguration.URL, ocmToken, cfg.BackplaneConfiguration.ProxyURL)
+ if err != nil {
+ return nil, err
+ }
+
+ resp, err := client.GetCloudCredentials(context.TODO(), cfg.Cluster.ID())
+ if err != nil {
+ return nil, err
+ }
+
+ if resp.StatusCode != http.StatusOK {
+ return nil, utils.TryPrintAPIError(resp, false)
+ }
+
+ logger.Debugln("Parsing response")
+
+ credsResp, err := BackplaneApi.ParseGetCloudCredentialsResponse(resp)
+ if err != nil {
+ return nil, fmt.Errorf("unable to parse response body from backplane:\n Status Code: %d : err: %v", resp.StatusCode, err)
+ }
+
+ switch cfg.Cluster.CloudProvider().ID() {
+ case "aws":
+ cliResp := &bpCredentials.AWSCredentialsResponse{}
+ if err := json.Unmarshal([]byte(*credsResp.JSON200.Credentials), cliResp); err != nil {
+ return nil, fmt.Errorf("unable to unmarshal AWS credentials response from backplane %s: %w", *credsResp.JSON200.Credentials, err)
+ }
+ cliResp.Region = cfg.Cluster.Region().ID()
+ return cliResp, nil
+ case "gcp":
+ cliResp := &bpCredentials.GCPCredentialsResponse{}
+ if err := json.Unmarshal([]byte(*credsResp.JSON200.Credentials), cliResp); err != nil {
+ return nil, fmt.Errorf("unable to unmarshal GCP credentials response from backplane %s: %w", *credsResp.JSON200.Credentials, err)
+ }
+ return cliResp, nil
+ default:
+ return nil, fmt.Errorf("unsupported cloud provider: %s", cfg.Cluster.CloudProvider().ID())
+ }
+}
+
 type assumeChainResponse struct {
  AssumptionSequence []namedRoleArn `json:"assumptionSequence"`
 }
@@ -33,41 +213,36 @@ type namedRoleArn struct {
  Arn string `json:"arn"`
 }
 
-func getIsolatedCredentials(clusterID string, ocmToken *string) (aws.Credentials, error) {
- if clusterID == "" {
+func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials, error) {
+ if cfg.Cluster.ID() == "" {
  return aws.Credentials{}, errors.New("must provide non-empty cluster ID")
  }
 
- email, err := utils.GetStringFieldFromJWT(*ocmToken, "email")
+ email, err := utils.GetStringFieldFromJWT(ocmToken, "email")
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("unable to extract email from given token: %w", err)
  }
 
- bpConfig, err := GetBackplaneConfiguration()
- if err != nil {
- return aws.Credentials{}, fmt.Errorf("error retrieving backplane configuration: %w", err)
- }
-
- if bpConfig.AssumeInitialArn == "" {
+ if cfg.BackplaneConfiguration.AssumeInitialArn == "" {
  return aws.Credentials{}, errors.New("backplane config is missing required `assume-initial-arn` property")
  }
 
- initialClient, err := StsClientWithProxy(bpConfig.ProxyURL)
+ initialClient, err := StsClient(cfg.BackplaneConfiguration.ProxyURL)
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("failed to create sts client: %w", err)
  }
 
- seedCredentials, err := AssumeRoleWithJWT(*ocmToken, bpConfig.AssumeInitialArn, initialClient)
+ seedCredentials, err := AssumeRoleWithJWT(ocmToken, cfg.BackplaneConfiguration.AssumeInitialArn, initialClient)
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("failed to assume role using JWT: %w", err)
  }
 
- backplaneClient, err := utils.DefaultClientUtils.MakeRawBackplaneAPIClientWithAccessToken(bpConfig.URL, *ocmToken)
+ backplaneClient, err := utils.DefaultClientUtils.GetBackplaneClient(cfg.BackplaneConfiguration.URL, ocmToken, cfg.BackplaneConfiguration.ProxyURL)
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("failed to create backplane client with access token: %w", err)
  }
 
- response, err := backplaneClient.GetAssumeRoleSequence(context.TODO(), clusterID)
+ response, err := backplaneClient.GetAssumeRoleSequence(context.TODO(), cfg.Cluster.ID())
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("failed to fetch arn sequence: %w", err)
  }
@@ -96,16 +271,16 @@ func getIsolatedCredentials(clusterID string, ocmToken *string) (aws.Credentials
  Credentials: NewStaticCredentialsProvider(seedCredentials.AccessKeyID, seedCredentials.SecretAccessKey, seedCredentials.SessionToken),
  })
 
- targetCredentials, err := AssumeRoleSequence(email, seedClient, roleAssumeSequence, bpConfig.ProxyURL, awsutil.DefaultSTSClientProviderFunc)
+ targetCredentials, err := AssumeRoleSequence(email, seedClient, roleAssumeSequence, cfg.BackplaneConfiguration.ProxyURL, awsutil.DefaultSTSClientProviderFunc)
  if err != nil {
  return aws.Credentials{}, fmt.Errorf("failed to assume role sequence: %w", err)
  }
  return targetCredentials, nil
 }
 
-func isIsolatedBackplaneAccess(cluster *cmv1.Cluster) (bool, error) {
+func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Connection) (bool, error) {
-func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Connection) (bool, error) {
+func (cfg *QueryConfig) isIsolatedBackplaneAccess(cluster *cmv1.Cluster) (bool, error) {
-func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Connection) (bool, error) {
+func (cfg *QueryConfig) isIsolatedBackplaneAccess(cluster *cmv1.Cluster) (bool, error) {
  if cluster.AWS().STS().Enabled() {
- stsSupportJumpRole, err := utils.DefaultOCMInterface.GetStsSupportJumpRoleARN(cluster.ID())
+ stsSupportJumpRole, err := utils.DefaultOCMInterface.GetStsSupportJumpRoleARN(ocmConnection, cluster.ID())
  if err != nil {
  return false, fmt.Errorf("failed to get sts support jump role ARN for cluster %v: %w", cluster.ID(), err)
  }