From ab9ccdb63f39b6fec28614e7d1c97f0031bc46f5 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Thu, 4 Mar 2021 13:54:41 +0100 Subject: [PATCH 01/54] RBAC Adding get all api calls for users, groups and roles; --- modules/rbac/api_groups.sh | 50 ++++++++++++++++++++++++++ modules/rbac/api_roles.sh | 72 ++++++++++++++++++++++++++++++++++++++ modules/rbac/api_users.sh | 21 +++++++++++ 3 files changed, 143 insertions(+) create mode 100644 modules/rbac/api_groups.sh create mode 100644 modules/rbac/api_roles.sh create mode 100644 modules/rbac/api_users.sh diff --git a/modules/rbac/api_groups.sh b/modules/rbac/api_groups.sh new file mode 100644 index 0000000..2052837 --- /dev/null +++ b/modules/rbac/api_groups.sh 
@@ -0,0 +1,50 @@ +#!/bin/bash + +source ./modules/common/http_check.sh # func_check_http_status +source ./modules/common/application.sh # func_get_application_id + +_endpoint_url="/api/rbac/v1/groups" + +function func_get_all_groups() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + _method="GET" + if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + + # Get all groups + groups=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + echo "${groups}" + +} + +function func_group_id_by_name() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + local _group_name=${7} + + _method="GET" + _endpoint_url="${_endpoint_url}/name/${_group_name}" + if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + + # Get group by name + group=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + group_id=$(jq '.[] | select(.id)' <<<$group) + + if [ "$group_id" = "" ]; then + func_check_http_status 404 "Group name ${_group_name} not found." + fi + + echo "${group_id}" + +} + diff --git a/modules/rbac/api_roles.sh b/modules/rbac/api_roles.sh new file mode 100644 index 0000000..c0ce5b5 --- /dev/null +++ b/modules/rbac/api_roles.sh 
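Review bot: Both curl calls in this hunk build the URL as `${_controller_url}{$_endpoint_url}`, which expands to a literal `{` and `}` around the path, so each request targets a resource that does not exist; it should be `${_controller_url}${_endpoint_url}`. The same misplaced brace is in the api_roles.sh and api_users.sh hunks of this patch and is still present on the func_get_all_roles and func_get_all_users curl lines in patches 02–04. `local _debug=${6}` skips `$5` although only four parameters precede it, and `jq '.[] | select(.id)'` emits each matching element whole rather than its `id` field, so `group_id` holds an object, not an id; `jq -r '.[].id'` would return the id, assuming the by-name endpoint returns an array, which the hunk does not show. Passing `--user ${_user_credentials}` on the command line also exposes the password to any local process listing; reading it from a restricted file via curl's `-K`/`--config` or `--netrc-file` keeps it out of argv.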
@@ -0,0 +1,72 @@ +#!/bin/bash + +source ./modules/common/http_check.sh # func_check_http_status +source ./modules/common/application.sh # func_get_application_id + +_endpoint_url="/api/rbac/v1/roles" + +function func_get_all_roles() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + # Get all roles + allRoles=$(curl -s --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + echo "${allRoles}" + +} + +function func_create_role() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + local _role_name=${7} + local _role_description=${8} + + if [ ! -z "${_role_name// }" ]; then + + _method="POST" + _header="Content-Type: application/vnd.appd.cntrl+json;v=1" + _payload="{\"name\": \"${_role_name}\",\"description\": \"${_role_description}\"}" + if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + + httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "${_header}" -d "${_payload}" --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + func_check_http_status $httpCode "Error occured creating a role '${_role_name}'." + else + func_check_http_status 404 "Role name must be provided." 
+ fi + + echo "Role created '${_role_name}'" + +} + +function func_add_role_to_group() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + local _role_id=${7} + local _group_id=${8} + + _method="PUT" + _header="Content-Type: application/vnd.appd.cntrl+json;v=1" + _endpoint_url="${_endpoint_url0}/${_role_id}/groups/${_group_id}" + if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + + # Add role to a group + httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "${_header}" --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + func_check_http_status $httpCode "Error occured adding role '${_role_id}' to a group '${_group_id}'." + + echo "Role '${_role_id}' added to a group '${_group_id}'." + +} + + diff --git a/modules/rbac/api_users.sh b/modules/rbac/api_users.sh new file mode 100644 index 0000000..dfe358b --- /dev/null +++ b/modules/rbac/api_users.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +source ./modules/common/http_check.sh # func_check_http_status +source ./modules/common/application.sh # func_get_application_id + +_endpoint_url="/api/rbac/v1/users" + +function func_get_all_users() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${6} + + # Get all applications + allUsers=$(curl -s --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + echo "${allUsers}" + +} + From 523342c8fe3e972d5bb999cd53f859f034234414 Mon Sep 17 00:00:00 2001 
From: alex_jov Date: Wed, 10 Mar 2021 13:50:34 +0100 Subject: [PATCH 02/54] RBAC get roles standardize curl; --- modules/rbac/api_roles.sh | 5 ++++- modules/rbac/permissions_allow_app_to_role.sh | 0 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 modules/rbac/permissions_allow_app_to_role.sh diff --git a/modules/rbac/api_roles.sh b/modules/rbac/api_roles.sh index c0ce5b5..7692094 100644 --- a/modules/rbac/api_roles.sh +++ b/modules/rbac/api_roles.sh @@ -12,8 +12,11 @@ function func_get_all_roles() { local _proxy_details=${4} local _debug=${6} + _method="GET" + if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + # Get all roles - allRoles=$(curl -s --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + allRoles=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) echo "${allRoles}" diff --git a/modules/rbac/permissions_allow_app_to_role.sh b/modules/rbac/permissions_allow_app_to_role.sh new file mode 100644 index 0000000..e69de29 From 795d8d48e1e5bf6ffa03901c6e5f25d57cd2db4d Mon Sep 17 00:00:00 2001 From: alex_jov Date: Thu, 11 Mar 2021 16:30:16 +0100 Subject: [PATCH 03/54] RBAC add get user by id; --- modules/rbac/api_users.sh | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) mode change 100644 => 100755 modules/rbac/api_users.sh diff --git a/modules/rbac/api_users.sh b/modules/rbac/api_users.sh old mode 100644 new mode 100755 index dfe358b..e0a91e0 --- a/modules/rbac/api_users.sh +++ b/modules/rbac/api_users.sh 
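Review bot: The added `if [ $_debug = true ]` leaves `$_debug` unquoted inside a single-bracket test, so when the value is empty the test degenerates to `[ = true ]` and bash reports a syntax error rather than falling back to `-s`; `if [[ "${_debug}" == true ]]; then _output="-v"; else _output="-s"; fi` handles the empty case. Empty is the likely case, since this function reads `_debug` from `${6}` while the caller script added in patch 04 passes five arguments. The unchanged curl line still carries the `{$_endpoint_url}` brace misplacement noted on patch 01.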
@@ -3,14 +3,18 @@ source ./modules/common/http_check.sh # func_check_http_status source ./modules/common/application.sh # func_get_application_id -_endpoint_url="/api/rbac/v1/users" + function func_get_all_users() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} local _application_name=${3} local _proxy_details=${4} - local _debug=${6} + local _debug=${5} + + _endpoint_url="/api/rbac/v1/users" + + if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi # Get all applications allUsers=$(curl -s --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) @@ -19,3 +23,28 @@ function func_get_all_users() { } +function func_get_user_by_id() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${5} + + local _user_id=${6} + + echo "user id is ${_user_id}" + + _endpoint_url="/api/rbac/v1/users" + _method="GET" + _endpoint_url="${_endpoint_url}/${_user_id}" + if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi + + echo "endpoint is ${_endpoint_url}" + + # Get group by name + user=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + echo "${user}" + +} + From 13880b0979ed829be1f4789221626c6a771ee3fb Mon Sep 17 00:00:00 2001 From: alex_jov Date: Thu, 11 Mar 2021 16:54:59 +0100 Subject: [PATCH 04/54] RBAC update enpoint url; add script to call api scripts; --- modules/rbac/api_groups.sh | 46 +++++++++++++++++-- modules/rbac/api_roles.sh | 9 ++-- modules/rbac/permissions_allow_app_to_role.sh | 37 +++++++++++++++ 3 files changed, 85 insertions(+), 7 deletions(-) mode change 100644 => 100755 modules/rbac/api_groups.sh mode change 100644 => 100755 modules/rbac/api_roles.sh mode change 100644 => 100755 modules/rbac/permissions_allow_app_to_role.sh 
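Review bot: The new `if [[ _debug = true ]]` is missing the `$`, so it compares the literal string `_debug` with `true` and is always false; the same typo is added to func_get_all_groups and func_get_all_roles in patch 04. Even once corrected, `_output` is unused here because the curl line below still hard-codes `-s` and still has the `{$_endpoint_url}` brace problem. `_endpoint_url` is now assigned inside the function without `local`, so each call overwrites a shell-wide variable shared across the sourced modules; `local _endpoint_url="/api/rbac/v1/users"` keeps it scoped.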
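Review bot: func_get_user_by_id prints `user id is ...` and `endpoint is ...` to stdout, the same stream it uses to return `${user}`, so a caller that captures the output with `$(...)` receives those lines mixed into the JSON; send them to stderr and gate them on the debug flag, e.g. `[[ "${_debug}" == true ]] && printf 'endpoint is %s\n' "${_endpoint_url}" >&2`. The comment `# Get group by name` is a copy-paste and should say `# Get user by id`, and the curl URL repeats the `{$_endpoint_url}` brace misplacement.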
diff --git a/modules/rbac/api_groups.sh b/modules/rbac/api_groups.sh old mode 100644 new mode 100755 index 2052837..40d4383 --- a/modules/rbac/api_groups.sh +++ b/modules/rbac/api_groups.sh @@ -3,7 +3,7 @@ source ./modules/common/http_check.sh # func_check_http_status source ./modules/common/application.sh # func_get_application_id -_endpoint_url="/api/rbac/v1/groups" + function func_get_all_groups() { local _controller_url=${1} # hostname + /controller @@ -12,17 +12,20 @@ function func_get_all_groups() { local _proxy_details=${4} local _debug=${6} + _endpoint_url="/api/rbac/v1/groups" _method="GET" - if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi + + echo "curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}${_endpoint_url} ${_proxy_details}" # Get all groups - groups=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + groups=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}${_endpoint_url} ${_proxy_details}) echo "${groups}" } -function func_group_id_by_name() { +function func_get_group_id_by_name() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} local _application_name=${3} @@ -31,6 +34,7 @@ function func_group_id_by_name() { local _group_name=${7} + _endpoint_url="/api/rbac/v1/groups" _method="GET" _endpoint_url="${_endpoint_url}/name/${_group_name}" if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi 
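Review bot: The `echo "curl ${_output} ... --user ${_user_credentials} ..."` line added to func_get_all_groups prints the full command, password included, to stdout, which is the function's return channel and usually a CI log; func_create_group in the next hunk adds the same echo. Remove it, or emit a redacted form on stderr only in debug mode, e.g. `[[ "${_debug}" == true ]] && printf 'GET %s%s\n' "${_controller_url}" "${_endpoint_url}" >&2`. This function also keeps `local _debug=${6}` while the caller script added in this patch passes `_debug` as the fifth argument, so `_output` here is computed from an empty value.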
@@ -48,3 +52,37 @@ function func_group_id_by_name() { } + +function func_create_group() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _application_name=${3} + local _proxy_details=${4} + local _debug=${5} + + local _group_name=${6} + local _group_description=${7} + local _group_security_provider_type="INTERNAL" + + if [ ! -z "${_group_name// }" ]; then + + _endpoint_url="/api/rbac/v1/groups" + _method="POST" + _header="Content-Type: application/vnd.appd.cntrl+json;v=1" + + _payload="{\"name\": \"${_group_name}\",\"description\": \"${_group_description}\",\"security_provider_type\": \"${_group_security_provider_type}\"}" + + if [[ $_debug = true ]]; then _output="-v"; else _output="-s"; fi + + echo "curl ${_output} -X ${_method} -H "\"${_header}\"" -d "\'${_payload}\'" --user ${_user_credentials} ${_controller_url}${_endpoint_url} ${_proxy_details}" + + httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "\"${_header}\"" -d "\'${_payload}\'" --user ${_user_credentials} ${_controller_url}${_endpoint_url} ${_proxy_details}) + func_check_http_status $httpCode "Error occured creating group '${_group_name}'." + else + func_check_http_status 404 "Group name must be provided." + fi + + echo "Group created: '${_group_name}'" + +} + diff --git a/modules/rbac/api_roles.sh b/modules/rbac/api_roles.sh old mode 100644 new mode 100755 index 7692094..0c0e370 --- a/modules/rbac/api_roles.sh +++ b/modules/rbac/api_roles.sh @@ -3,7 +3,7 @@ source ./modules/common/http_check.sh # func_check_http_status source ./modules/common/application.sh # func_get_application_id -_endpoint_url="/api/rbac/v1/roles" + function func_get_all_roles() { local _controller_url=${1} # hostname + /controller 
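Review bot: In func_create_group the options `-H "\"${_header}\""` and `-d "\'${_payload}\'"` add literal quote characters to the arguments: inside double quotes `\"` becomes `"` and `\'` stays as the two characters `\'`, so the server receives a header value wrapped in `"` and a body beginning with `\'`, which is not valid JSON; use `-H "${_header}" -d "${_payload}"` as func_create_role does. The body itself is built by interpolating `_group_name` and `_group_description` into a string, so quotes or backslashes in either break the document; `jq -n --arg` is the safe way to build it. The `echo "curl ..."` above the call prints `${_user_credentials}` to stdout, which should not be logged.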
@@ -12,8 +12,9 @@ function func_get_all_roles() { local _proxy_details=${4} local _debug=${6} + _endpoint_url="/api/rbac/v1/roles" _method="GET" - if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi + if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi # Get all roles allRoles=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) @@ -34,12 +35,13 @@ function func_create_role() { if [ ! -z "${_role_name// }" ]; then + _endpoint_url="/api/rbac/v1/roles" _method="POST" _header="Content-Type: application/vnd.appd.cntrl+json;v=1" _payload="{\"name\": \"${_role_name}\",\"description\": \"${_role_description}\"}" if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi - httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "${_header}" -d "${_payload}" --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "${_header}" -d "${_payload}" --user ${_user_credentials} ${_controller_url}${_endpoint_url} ${_proxy_details}) func_check_http_status $httpCode "Error occured creating a role '${_role_name}'." else func_check_http_status 404 "Role name must be provided." @@ -59,6 +61,7 @@ function func_add_role_to_group() { local _role_id=${7} local _group_id=${8} + _endpoint_url="/api/rbac/v1/roles" _method="PUT" _header="Content-Type: application/vnd.appd.cntrl+json;v=1" _endpoint_url="${_endpoint_url0}/${_role_id}/groups/${_group_id}" diff --git a/modules/rbac/permissions_allow_app_to_role.sh b/modules/rbac/permissions_allow_app_to_role.sh old mode 100644 new mode 100755 index e69de29..a8b11b7 --- a/modules/rbac/permissions_allow_app_to_role.sh +++ b/modules/rbac/permissions_allow_app_to_role.sh 
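Review bot: In the `@@ -59,6 +61,7 @@` hunk the new `_endpoint_url="/api/rbac/v1/roles"` is overwritten on the very next, unchanged line by `_endpoint_url="${_endpoint_url0}/${_role_id}/groups/${_group_id}"`, which still references the undefined `_endpoint_url0`, so func_add_role_to_group's PUT path is unchanged and still lacks the prefix; that line needs `${_endpoint_url}`. In the first hunk func_get_all_roles' curl line keeps `{$_endpoint_url}` while the func_create_role hunk corrects the same expression, so the GET still carries literal braces in its URL.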
@@ -0,0 +1,37 @@ +#!/bin/bash + +source ./modules/rbac/api_roles.sh +source ./modules/rbac/api_users.sh +source ./modules/rbac/api_groups.sh + +_controller_url=${1} # hostname + /controller +_user_credentials=${2} # ${username}:${password} +_proxy_details=${3} +_application_name=${4} +_debug=${5} + +echo "_controller_url ${_controller_url}" +echo "_user_credentials ${_user_credentials}" +echo "_proxy_details ${_proxy_details}" +echo "_application_name ${_application_name}" +echo "_debug ${_debug}" + +echo "____________" + +func_get_all_groups "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" + +echo "____________" + +func_get_all_roles "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" + +echo "____________" + +func_get_all_users "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" + +echo "____________" + +#func_get_user_by_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "10" + +#echo "____________" + +#func_create_group "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "API-CREATED-ME-3" "desc" From dbd52fb4e357eb97576e0c70c6c3efa7962786ac Mon Sep 17 00:00:00 2001 
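Review bot: The script prints the credential pair with `echo "_user_credentials ${_user_credentials}"`, so the password lands in stdout and in any log that captures it; that line should go. Taking the credentials as `$2` also exposes them in the process list and shell history of whoever invokes the script; an environment variable or a restricted file read by curl (`-K`/`--config`, `--netrc-file`) is the usual alternative. The three calls pass five arguments, but func_get_all_groups, func_get_all_roles and func_get_all_users read `_debug` from `${6}`, so the flag never reaches them.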
From: alex_jov Date: Mon, 15 Mar 2021 13:57:37 +0100 Subject: [PATCH 05/54] Add restui auth; Add restui authorozed call; Add role permission template json files; --- .gitignore | 1 + modules/rbac/restui_auth.sh | 14 + .../restui_role_files/permissions_base.json | 9 + .../permissions_view_edit_app_template.json | 240 ++++++++++++++++++ .../permissions_view_template.json | 224 ++++++++++++++++ modules/rbac/restui_roles.sh | 59 +++++ 6 files changed, 547 insertions(+) create mode 100755 modules/rbac/restui_auth.sh create mode 100644 modules/rbac/restui_role_files/permissions_base.json create mode 100644 modules/rbac/restui_role_files/permissions_view_edit_app_template.json create mode 100644 modules/rbac/restui_role_files/permissions_view_template.json create mode 100755 modules/rbac/restui_roles.sh diff --git a/.gitignore b/.gitignore index e86176b..fd62c7e 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ api_actions/uploaded/*.json* api_actions/actions/*.json* custom_dashboards/*.json* custom_dashboards/uploaded/*.json* +cookie.appd diff --git a/modules/rbac/restui_auth.sh b/modules/rbac/restui_auth.sh new file mode 100755 index 0000000..19ee57d --- /dev/null +++ b/modules/rbac/restui_auth.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +function func_restui_get_cookie() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + response=$(curl -i -v -s -c cookie.appd --user ${_user_credentials} -X GET ${_controller_url}/auth?action=login ${_proxy_details}) + X_CSRF_TOKEN="$(grep X-CSRF-TOKEN cookie.appd|rev|cut -d$'\t' -f1|rev)" + X_CSRF_TOKEN_HEADER="`if [ -n "$X_CSRF_TOKEN" ]; then echo "X-CSRF-TOKEN:$X_CSRF_TOKEN"; else echo ''; fi`" + + echo "${X_CSRF_TOKEN_HEADER}" +} + diff --git a/modules/rbac/restui_role_files/permissions_base.json b/modules/rbac/restui_role_files/permissions_base.json new file mode 100644 index 0000000..2e23866 --- /dev/null 
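Review bot: func_restui_get_cookie always runs curl with `-v`, which prints the outgoing request headers — including the `Authorization: Basic` header carrying the encoded password — to stderr regardless of any debug flag, and writes the session cookie jar to the fixed relative path `cookie.appd` in the current directory. Gate `-v` on a debug parameter as the other modules do, and create the jar with `mktemp` under `umask 077` and hand its path to the callers, since a fixed name is clobbered by concurrent runs and its permissions depend on the invoking umask. `response` is assigned but never read, and `${_controller_url}/auth?action=login` should be quoted because `?` is a glob character. The backtick-and-`if` construction of the header can be `X_CSRF_TOKEN_HEADER=${X_CSRF_TOKEN:+X-CSRF-TOKEN:$X_CSRF_TOKEN}`.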
+++ b/modules/rbac/restui_role_files/permissions_base.json @@ -0,0 +1,9 @@ +{ + "permissions": [ + + , + + ], + "name": "", + "description": "" +} \ No newline at end of file diff --git a/modules/rbac/restui_role_files/permissions_view_edit_app_template.json b/modules/rbac/restui_role_files/permissions_view_edit_app_template.json new file mode 100644 index 0000000..a652f14 --- /dev/null +++ b/modules/rbac/restui_role_files/permissions_view_edit_app_template.json 
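Review bot: As shown, `"permissions": [ , ]`, `"name": ""` and `"description": ""` carry no placeholder tokens, so the file is not valid JSON and the `sed` substitutions added in patch 08 would have nothing to match (their placeholder variables appear equally empty there); this looks like angle-bracket tokens lost in rendering rather than the committed content, so it is worth confirming the tokens survive in the repository. If they are present, a short README in `restui_role_files` naming each token and the script that replaces it would help, since JSON cannot carry comments.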
@@ -0,0 +1,240 @@ +{ + "action": "VIEW", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "DELETE", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_TRANSACTION_DETECTION", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_BACKEND_DETECTION", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_ERROR_DETECTION", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_DIAGNOSTIC_DATA_COLLECTORS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_CALLGRAPH_SETTINGS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_JMX", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_MEMORY_MONITORING", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_EUM", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_INFO_POINTS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_POLICIES", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_EVENT_REACTOR", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_ACTIONS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_BUSINESS_TRANSACTIONS", + "allowed": false, + "affectedEntity": { + "entityId": 
0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_BASELINES", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_SQL_BIND_VARIABLES", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_AGENT_PROPERTIES", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_SERVICE_ENDPOINTS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "ENABLE_DEVELOPMENT_MODE", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "MANAGE_CUSTOM_DASHBOARD_TEMPLATES", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_SIM", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_AGENT_OPERATIONS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_TRIGGER_DIAGNOSTIC_SESSION", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "ENABLE_JMX_OPERATIONS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "VIEW_SENSITIVE_DATA", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "VIEW_SIM", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "NETVIZ_AGENT_PCAP_TRIGGER", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": "ACI_APIC_TROUBLESHOOTING", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +}, +{ + "action": 
"CREATE_EVENTS", + "allowed": false, + "affectedEntity": { + "entityId": 0, + "entityType": "APPLICATION" + } +} diff --git a/modules/rbac/restui_role_files/permissions_view_template.json b/modules/rbac/restui_role_files/permissions_view_template.json new file mode 100644 index 0000000..b6c7670 --- /dev/null +++ b/modules/rbac/restui_role_files/permissions_view_template.json 
@@ -0,0 +1,224 @@ +{ + "action": "VIEW", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "DELETE", + "allowed": false, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_TRANSACTION_DETECTION", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_BACKEND_DETECTION", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_ERROR_DETECTION", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_DIAGNOSTIC_DATA_COLLECTORS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_CALLGRAPH_SETTINGS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_JMX", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_MEMORY_MONITORING", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_EUM", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_INFO_POINTS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_POLICIES", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_EVENT_REACTOR", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_ACTIONS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_BUSINESS_TRANSACTIONS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": 
"APPLICATION" + } +}, +{ + "action": "CONFIG_BASELINES", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_SQL_BIND_VARIABLES", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_AGENT_PROPERTIES", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_AGENT_OPERATIONS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "ENABLE_JMX_OPERATIONS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_SERVICE_ENDPOINTS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "ENABLE_DEVELOPMENT_MODE", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "MANAGE_CUSTOM_DASHBOARD_TEMPLATES", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CONFIG_TRIGGER_DIAGNOSTIC_SESSION", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "NETVIZ_AGENT_PCAP_TRIGGER", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "ACI_APIC_TROUBLESHOOTING", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "VIEW_SENSITIVE_DATA", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +}, +{ + "action": "CREATE_EVENTS", + "allowed": true, + "affectedEntity": { + "entityId": , + "entityType": "APPLICATION" + } +} diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh new file mode 100755 index 0000000..6b2c2a1 --- /dev/null +++ b/modules/rbac/restui_roles.sh 
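Review bot: This template, named `permissions_view_template.json`, sets `allowed: true` for far more than viewing — `ENABLE_DEVELOPMENT_MODE`, `ENABLE_JMX_OPERATIONS`, `CONFIG_AGENT_OPERATIONS`, `CONFIG_SQL_BIND_VARIABLES`, `VIEW_SENSITIVE_DATA` and `NETVIZ_AGENT_PCAP_TRIGGER` among them — while the sibling `permissions_view_edit_app_template.json` is all `false`, so the two names appear swapped relative to their contents. Patch 06 later renames this file to `permissions_view_edit_app.json`, which resolves the naming, but the set of `true` entries should still be reviewed against what an application editor genuinely needs: development mode, JMX operations, sensitive-data view and packet capture expose data or controls well beyond editing configuration. As in the other template, the `entityId` values are empty as rendered, which suggests a placeholder token was dropped.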
@@ -0,0 +1,59 @@ +#!/bin/bash + +function func_restui_get_roles() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + local _application_name=${4} + local _debug=${5} + + local X_CSRF_TOKEN_HEADER=${6} + + _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoleSummaries" + _method="GET" + + curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" + +} + +function func_restui_create_role_with_default_view_and_view_edit_app_permissions() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + local _application_name=${4} + local _debug=${5} + + local X_CSRF_TOKEN_HEADER=${6} + + _role_name="test-me" + _role_description="test-me-desc" + _application_name_placeholder="" + _files_directory="./modules/rbac/restui_role_files" + + # prepare payload + for _json_file in $_files_directory/*.json; do + + _file_name="$(basename -- $_json_file)" + + echo -e "Processing ${_file_name} json file. Using the '${_application_name}' application. \n" + + if grep -q $_application_name_placeholder ${_json_file}; then + echo "true" + sed -i -e "s/${_application_name_placeholder}/${_application_name}/g" "${_json_file}" + else + echo "false" + echo -e "WARNING Placeholder value '$_application_name_placeholder' not found in json file provided. " + fi + + done + + _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoles/create" + _method="POST" + + curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" + +} + + From 8e86e3cc552552ba5dca595015ae60c11b3cd8da Mon Sep 17 00:00:00 2001 
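Review bot: In func_restui_create_role_with_default_view_and_view_edit_app_permissions the `sed -i` rewrites the template files under `_files_directory` in place, so after the first run the placeholder is gone and every later call logs the WARNING and sends stale content; write to a temporary copy instead, `sed -e "s/${_application_name_placeholder}/${_application_name}/g" "${_json_file}" > "${tmp}"`, as patch 08 later does. `_application_name` is spliced unescaped into the sed script, so a name containing `/`, `&` or `\` changes the sed command rather than the text; `jq --arg` on the JSON, or escaping those characters first, avoids that. The final POST to `accountRoles/create` is sent without a body, and both curl calls run with `-v` unconditionally, printing the cookie and CSRF token to stderr. `_user_credentials` and `_proxy_details` are declared in both functions but never used.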
From: alex_jov Date: Mon, 15 Mar 2021 14:37:08 +0100 Subject: [PATCH 06/54] RBAC move json files to dedicated folder able to be mounted; --- {modules/rbac => rbac}/restui_role_files/permissions_base.json | 0 .../restui_role_files/permissions_view.json | 0 .../restui_role_files/permissions_view_edit_app.json | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {modules/rbac => rbac}/restui_role_files/permissions_base.json (100%) rename modules/rbac/restui_role_files/permissions_view_edit_app_template.json => rbac/restui_role_files/permissions_view.json (100%) rename modules/rbac/restui_role_files/permissions_view_template.json => rbac/restui_role_files/permissions_view_edit_app.json (100%) diff --git a/modules/rbac/restui_role_files/permissions_base.json b/rbac/restui_role_files/permissions_base.json similarity index 100% rename from modules/rbac/restui_role_files/permissions_base.json rename to rbac/restui_role_files/permissions_base.json diff --git a/modules/rbac/restui_role_files/permissions_view_edit_app_template.json b/rbac/restui_role_files/permissions_view.json similarity index 100% rename from modules/rbac/restui_role_files/permissions_view_edit_app_template.json rename to rbac/restui_role_files/permissions_view.json diff --git a/modules/rbac/restui_role_files/permissions_view_template.json b/rbac/restui_role_files/permissions_view_edit_app.json similarity index 100% rename from modules/rbac/restui_role_files/permissions_view_template.json rename to rbac/restui_role_files/permissions_view_edit_app.json From 51913460737bf28a1802e3790309bca48a302e1f Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 14:37:40 +0100 Subject: [PATCH 07/54] RBAC add uploaded folder for restui roles; --- rbac/restui_role_files/uploaded/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 rbac/restui_role_files/uploaded/.gitkeep 
diff --git a/rbac/restui_role_files/uploaded/.gitkeep b/rbac/restui_role_files/uploaded/.gitkeep new file mode 100644 index 0000000..e69de29 From 3cdba2e27f29d34243f477a6265c1ca92bd48e83 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 16:45:40 +0100 Subject: [PATCH 08/54] RBAC creating payload file for role with single app permissions; --- modules/rbac/restui_roles.sh | 79 +++++++++++++++++--- rbac/restui_role_files/permissions_base.json | 4 +- 2 files changed, 71 insertions(+), 12 deletions(-) diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh index 6b2c2a1..28320be 100755 --- a/modules/rbac/restui_roles.sh +++ b/modules/rbac/restui_roles.sh @@ -1,5 +1,7 @@ #!/bin/bash +source ./modules/common/application.sh #func_get_application_id + function func_restui_get_roles() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} 
@@ -29,30 +31,87 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _role_name="test-me" _role_description="test-me-desc" - _application_name_placeholder="" - _files_directory="./modules/rbac/restui_role_files" + dt=$(date '+%Y-%m-%d_%H-%M-%S') + + _application_id_placeholder="" + _overall_permissions_placeholder="" + _application_permissions_placeholder="" + _role_name_placeholder="" + _role_description_placeholder="" + + _files_directory="./rbac/restui_role_files" + + _application_permissions_path="${_files_directory}/permissions_view_edit_app.json" + _overall_permissions_path="${_files_directory}/permissions_view.json" + _permissions_base_path="${_files_directory}/permissions_base.json" + + _uploaded_path="${_files_directory}/uploaded" + + _payload_path="${_uploaded_path}/payload-${dt}.json" + + application_permission_final="${_uploaded_path}/tmp-permissions_view_edit_app.json-${dt}" + + # get application id + _app_id=$(func_get_application_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}") + + # prepare payload - for _json_file in $_files_directory/*.json; do + for _json_file in ${_application_permissions_path}; do _file_name="$(basename -- $_json_file)" - echo -e "Processing ${_file_name} json file. Using the '${_application_name}' application. \n" + echo -e "Processing '${_file_name}' json file, setting permissions for '${_application_name}' application. \n" - if grep -q $_application_name_placeholder ${_json_file}; then - echo "true" - sed -i -e "s/${_application_name_placeholder}/${_application_name}/g" "${_json_file}" + # replacing application id + if grep -q $_application_id_placeholder ${_json_file}; then + sed -e "s/${_application_id_placeholder}/${_app_id}/g" "${_json_file}" > "${application_permission_final}" else - echo "false" - echo -e "WARNING Placeholder value '$_application_name_placeholder' not found in json file provided. 
" + echo -e "WARNING Placeholder value '$_application_id_placeholder' not found in '${_file_name}'. " + fi + done + + echo ">>> replace file values" + + for _json_file in ${_permissions_base_path}; do + + _file_name="$(basename -- $_json_file)" + + _updated_file_path="${_uploaded_path}/${_file_name}-${dt}" + _tmp_updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" + + # set overall permissions + if grep -q $_overall_permissions_placeholder ${_json_file}; then + #echo "$(cat ${_overall_permissions_path})" + value=$(sed -e ':a' -e 'N;$!ba' -e 's/\n/ /g' ${_overall_permissions_path}) + #echo "VALUE IS >>>> ${value}" + sed -e "s/${_overall_permissions_placeholder}/${value}/g" "${_json_file}" > "${_tmp_updated_file_path}" + else + echo -e "WARNING Placeholder value '$_overall_permissions_placeholder' not found in '${_file_name}'. " + fi + + # set application-specific permissions + if grep -q $_application_permissions_placeholder ${_tmp_updated_file_path}; then + value=$(sed -e ':a' -e 'N;$!ba' -e 's/\n/ /g' ${application_permission_final}) + sed -e "s/${_application_permissions_placeholder}/${value}/" "${_tmp_updated_file_path}" > "${_updated_file_path}" + else + echo -e "WARNING Placeholder value '$_application_permissions_placeholder' not found in '${_file_name}'. " fi done + # replace role name and description + sed -e "s/${_role_name_placeholder}/${_role_name}/g" -e "s/${_role_description_placeholder}/${_role_description}/g" "${_updated_file_path}" > "${_payload_path}" + _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoles/create" _method="POST" - curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" + echo ">>>> END !!!" + + #curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}" + + # remove temporaty files + #rm "${_uploaded_path}" -r tmp-*.json } 
diff --git a/rbac/restui_role_files/permissions_base.json b/rbac/restui_role_files/permissions_base.json index 2e23866..b5eeb08 100644 --- a/rbac/restui_role_files/permissions_base.json +++ b/rbac/restui_role_files/permissions_base.json @@ -4,6 +4,6 @@ , ], - "name": "", - "description": "" + "name": "", + "description": "" } \ No newline at end of file From f295b5d38feb1cf273ac91e867dd98f87379a44a Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:21:54 +0100 Subject: [PATCH 09/54] RBAC get cookie silently; --- modules/rbac/restui_auth.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/rbac/restui_auth.sh b/modules/rbac/restui_auth.sh index 19ee57d..6d0b8b0 100755 --- a/modules/rbac/restui_auth.sh +++ b/modules/rbac/restui_auth.sh @@ -5,7 +5,7 @@ function func_restui_get_cookie() { local _user_credentials=${2} # ${username}:${password} local _proxy_details=${3} - response=$(curl -i -v -s -c cookie.appd --user ${_user_credentials} -X GET ${_controller_url}/auth?action=login ${_proxy_details}) + response=$(curl -i -s -c cookie.appd --user ${_user_credentials} -X GET ${_controller_url}/auth?action=login ${_proxy_details}) X_CSRF_TOKEN="$(grep X-CSRF-TOKEN cookie.appd|rev|cut -d$'\t' -f1|rev)" X_CSRF_TOKEN_HEADER="`if [ -n "$X_CSRF_TOKEN" ]; then echo "X-CSRF-TOKEN:$X_CSRF_TOKEN"; else echo ''; fi`" From a5638b9aaae4dfedcda4b7da33d552bf337f1d59 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:22:37 +0100 Subject: [PATCH 10/54] RBAC add post request for restui roles, pass payload, remove temporary files; --- modules/rbac/restui_roles.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh index 28320be..271b3a1 100755 --- a/modules/rbac/restui_roles.sh +++ b/modules/rbac/restui_roles.sh 
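Review bot: The rewritten login line `response=$(curl -i -s -c cookie.appd --user ${_user_credentials} -X GET ${_controller_url}/auth?action=login ${_proxy_details})` still passes `username:password` on the command line, where any local user can read it from the process list; prefer `curl --netrc-file <0600 file>` or `-K`/`--config` with a `user = ...` entry, and quote `"${_user_credentials}"` and `"${_controller_url}"` so values with spaces or shell metacharacters are not word-split. The login's HTTP status is not checked, so a failed login silently produces an empty `X_CSRF_TOKEN_HEADER` on the following context lines and every restui call then runs without a token. `cookie.appd` is created in the working directory with the default umask; wrap the call in `umask 077` or point `-c` at a private temp directory. func_restui_get_cookie's signature is outside the hunk.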
@@ -49,6 +49,7 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _uploaded_path="${_files_directory}/uploaded" _payload_path="${_uploaded_path}/payload-${dt}.json" + _payload_header="Content-Type: application/json; charset=utf8" application_permission_final="${_uploaded_path}/tmp-permissions_view_edit_app.json-${dt}" @@ -77,14 +78,13 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _file_name="$(basename -- $_json_file)" - _updated_file_path="${_uploaded_path}/${_file_name}-${dt}" - _tmp_updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" + _updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" + _tmp_updated_file_path="${_uploaded_path}/tmp-edited-${_file_name}-${dt}" # set overall permissions if grep -q $_overall_permissions_placeholder ${_json_file}; then - #echo "$(cat ${_overall_permissions_path})" + # replace newline with space value=$(sed -e ':a' -e 'N;$!ba' -e 's/\n/ /g' ${_overall_permissions_path}) - #echo "VALUE IS >>>> ${value}" sed -e "s/${_overall_permissions_placeholder}/${value}/g" "${_json_file}" > "${_tmp_updated_file_path}" else echo -e "WARNING Placeholder value '$_overall_permissions_placeholder' not found in '${_file_name}'. " @@ -92,6 +92,7 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions # set application-specific permissions if grep -q $_application_permissions_placeholder ${_tmp_updated_file_path}; then + # replace newline with space value=$(sed -e ':a' -e 'N;$!ba' -e 's/\n/ /g' ${application_permission_final}) sed -e "s/${_application_permissions_placeholder}/${value}/" "${_tmp_updated_file_path}" > "${_updated_file_path}" else 
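Review bot: In the second hunk (`@@ -77,14 +78,13 @@`) the `else` branch below the renamed `_tmp_updated_file_path` only prints a WARNING and the function carries on, so when the overall-permissions placeholder is missing the next step greps a file that was never written and the payload is eventually POSTed without the permissions; the `else` of the third hunk has the same shape. Make those branches fail the call, e.g. `echo "ERROR placeholder not found in '${_file_name}'" >&2; return 1`, or skip the POST when any intermediate file is absent. Both intermediate names now carry the `tmp-` prefix and differ only by a one-second `dt` suffix, so two runs started in the same second write to the same files. The enclosing function starts and ends outside these hunks.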
@@ -106,12 +107,15 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoles/create" _method="POST" - echo ">>>> END !!!" + # echo -e " \n payload >>>>> $_payload_path" + # echo "curl -i -v -s -b cookie.appd -H /"$X_CSRF_TOKEN_HEADER/" -X ${_method} --data /"@${_payload_path}" /"${_controller_url}${_endpoint_url}/"" - #curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}" + curl -i -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}" # remove temporaty files - #rm "${_uploaded_path}" -r tmp-*.json + rm ${_uploaded_path}/tmp-* + + echo ">>>> END !!!" } From 40da339b9a4a8cecc4aa844e22cccededec227e8 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:28:55 +0100 Subject: [PATCH 11/54] RBAC ignore uploaded files; --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index fd62c7e..ea9f862 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ api_actions/actions/*.json* custom_dashboards/*.json* custom_dashboards/uploaded/*.json* cookie.appd +rbac/restui_role_files/uploaded/* From e8da82587cf61c38a8c8455c05f4d47bbec4605c Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:29:22 +0100 Subject: [PATCH 12/54] RBAC enable all application view permission by defult; --- rbac/restui_role_files/permissions_view.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rbac/restui_role_files/permissions_view.json b/rbac/restui_role_files/permissions_view.json index a652f14..d5b14f2 100644 --- a/rbac/restui_role_files/permissions_view.json +++ b/rbac/restui_role_files/permissions_view.json @@ -1,6 +1,6 @@ { "action": "VIEW", - "allowed": false, + "allowed": true, "affectedEntity": { "entityId": 0, "entityType": "APPLICATION" 
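Review bot: The new `curl -i -s -b cookie.appd ... --data "@${_payload_path}" "${_controller_url}${_endpoint_url}"` discards both curl's exit status and the HTTP status, so a rejected role creation (expired cookie, missing CSRF header, malformed payload) still prints `>>>> END !!!` and leaves the caller nothing to check. Capture the status, e.g. `httpCode=$(curl -s -o "${_uploaded_path}/response-${dt}.json" -w '%{http_code}' ...)` and hand it to `func_check_http_status`, as the api_* functions do. `rm ${_uploaded_path}/tmp-*` also removes the intermediate files of any other run sharing the directory; restrict it to this run with `rm -f -- "${_uploaded_path}"/tmp-*-"${dt}"`. The function's start is outside the hunk.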
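Review bot: Flipping `"allowed": true` on this template entry widens every role built from it to VIEW on an APPLICATION entity with `"entityId": 0`, which the commit message describes as all applications, and nothing in the series documents that each generated role now carries that account-wide view right. Since the JSON file cannot hold a comment, state this in the module's README or make the value a placeholder filled from a flag, so the wider default is an explicit operator choice rather than a property of the template.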
From 8e380704f8fb9b5c6c05ae2ce2e5393d9c6c695e Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:29:59 +0100 Subject: [PATCH 13/54] RBAC add intemediate script for api permissions; --- .../rbac/api_permissions_allow_app_to_role.sh | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100755 modules/rbac/api_permissions_allow_app_to_role.sh diff --git a/modules/rbac/api_permissions_allow_app_to_role.sh b/modules/rbac/api_permissions_allow_app_to_role.sh new file mode 100755 index 0000000..36f4162 --- /dev/null +++ b/modules/rbac/api_permissions_allow_app_to_role.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+source ./modules/rbac/api_roles.sh
+source ./modules/rbac/api_users.sh
+source ./modules/rbac/api_groups.sh
+
+source ./modules/rbac/restui_auth.sh
+source ./modules/rbac/restui_roles.sh
+
+
+
+_controller_url=${1} # hostname + /controller
+_user_credentials=${2} # ${username}:${password}
+_proxy_details=${3}
+_application_name=${4}
+_debug=${5}
+
+echo "_controller_url ${_controller_url}"
+echo "_user_credentials ${_user_credentials}"
+echo "_proxy_details ${_proxy_details}"
+echo "_application_name ${_application_name}"
+echo "_debug ${_debug}"
+
+# echo "____________"
+
+# func_get_all_groups "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}"
+
+# echo "____________"
+
+# func_get_all_roles "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}"
+
+# echo "____________"
+
+# func_get_all_users "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}"
+
+# echo "____________"
+
+#func_get_user_by_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "10"
+
+#echo "____________"
+
+#func_create_group "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "API-CREATED-ME-3" "desc"
+
+echo "____________"
+
+#todo always request cookie and get token before restui calls (!)
+_token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials}" "${_proxy_details}")
+
+echo "============"
+
+echo "TOKEN IS: ${_token_header}"
+
+echo "____________"
+
+#func_restui_get_roles "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}"
+
+_role_name="test-me-from-bash"
+_role_description="test-me-desc"
+
+func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}" From 118ba19142b0d92a81134ae4fab79391a1fdc13e Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 15 Mar 2021 17:30:37 +0100 Subject: [PATCH 14/54] RBAC cleanup; Remove echos; Remove unused files; --- modules/rbac/permissions_allow_app_to_role.sh | 37 ------------------- modules/rbac/restui_roles.sh | 8 +--- 2 files changed, 2 insertions(+), 43 deletions(-) delete mode 100755 modules/rbac/permissions_allow_app_to_role.sh
diff --git a/modules/rbac/permissions_allow_app_to_role.sh b/modules/rbac/permissions_allow_app_to_role.sh deleted file mode 100755
index a8b11b7..0000000
--- a/modules/rbac/permissions_allow_app_to_role.sh
+++ /dev/null
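Review bot: `echo "_user_credentials ${_user_credentials}"` near the top of the new script writes the controller username and password to stdout, so they end up in CI output and shell transcripts; drop that line or print only the username, `echo "_user ${_user_credentials%%:*}"`. The `echo "TOKEN IS: ${_token_header}"` line likewise prints the CSRF header value unconditionally rather than behind the debug flag. Most calls are commented out and `_role_name="test-me-from-bash"` is hard-coded, which reads like a scratch file; if this is the intermediate entry point the commit title describes, the role name and description should come from arguments like the other values.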
@@ -1,37 +0,0 @@ -#!/bin/bash - -source ./modules/rbac/api_roles.sh -source ./modules/rbac/api_users.sh -source ./modules/rbac/api_groups.sh - -_controller_url=${1} # hostname + /controller -_user_credentials=${2} # ${username}:${password} -_proxy_details=${3} -_application_name=${4} -_debug=${5} - -echo "_controller_url ${_controller_url}" -echo "_user_credentials ${_user_credentials}" -echo "_proxy_details ${_proxy_details}" -echo "_application_name ${_application_name}" -echo "_debug ${_debug}" - -echo "____________" - -func_get_all_groups "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -echo "____________" - -func_get_all_roles "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -echo "____________" - -func_get_all_users "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -echo "____________" - -#func_get_user_by_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "10" - -#echo "____________" - -#func_create_group "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "API-CREATED-ME-3" "desc" diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh index 271b3a1..c6f7cc7 100755 --- a/modules/rbac/restui_roles.sh +++ b/modules/rbac/restui_roles.sh @@ -29,8 +29,8 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions local X_CSRF_TOKEN_HEADER=${6} - _role_name="test-me" - _role_description="test-me-desc" + local _role_name=${7} + local _role_description=${8} dt=$(date '+%Y-%m-%d_%H-%M-%S') 
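Review bot: `local _role_name=${7}` and `local _role_description=${8}` now come from the caller, but nothing in the function rejects an empty name before it is substituted into the payload and POSTed, so a missing eighth or seventh argument creates a role with a blank `name`. Add a guard right after the declarations, e.g. `[[ -n "${_role_name// }" ]] || { echo "ERROR role name is required" >&2; return 1; }`. The function's body continues outside the hunk.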
@@ -56,7 +56,6 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions # get application id _app_id=$(func_get_application_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}") - # prepare payload for _json_file in ${_application_permissions_path}; do @@ -71,8 +70,6 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions echo -e "WARNING Placeholder value '$_application_id_placeholder' not found in '${_file_name}'. " fi done - - echo ">>> replace file values" for _json_file in ${_permissions_base_path}; do @@ -115,7 +112,6 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions # remove temporaty files rm ${_uploaded_path}/tmp-* - echo ">>>> END !!!" } From 011d0092b358d120e81900abc4f5320e995c089d Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 16 Mar 2021 13:15:00 +0100 Subject: [PATCH 15/54] RBAC remove unnecessary code under comments; --- modules/rbac/restui_roles.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh index c6f7cc7..707a50f 100755 --- a/modules/rbac/restui_roles.sh +++ b/modules/rbac/restui_roles.sh @@ -104,15 +104,11 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoles/create" _method="POST" - # echo -e " \n payload >>>>> $_payload_path" - # echo "curl -i -v -s -b cookie.appd -H /"$X_CSRF_TOKEN_HEADER/" -X ${_method} --data /"@${_payload_path}" /"${_controller_url}${_endpoint_url}/"" - curl -i -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}" # remove temporaty files rm ${_uploaded_path}/tmp-* - } From de98cd4a9603b48fc09d99f901f8ff1cb91e7919 Mon Sep 17 00:00:00 2001 
From: alex_jov Date: Tue, 16 Mar 2021 16:16:21 +0100 Subject: [PATCH 16/54] RBAC saml get/update config; save sent payload to file; --- .gitignore | 1 + modules/rbac/restui_saml.sh | 65 ++++++++++++++++++++++++ rbac/restui_saml_files/uploaded/.gitkeep | 0 3 files changed, 66 insertions(+) create mode 100755 modules/rbac/restui_saml.sh create mode 100644 rbac/restui_saml_files/uploaded/.gitkeep diff --git a/.gitignore b/.gitignore index ea9f862..3e32022 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ custom_dashboards/*.json* custom_dashboards/uploaded/*.json* cookie.appd rbac/restui_role_files/uploaded/* +rbac/restui_saml_files/uploaded/* \ No newline at end of file diff --git a/modules/rbac/restui_saml.sh b/modules/rbac/restui_saml.sh new file mode 100755 index 0000000..acafbe5 --- /dev/null +++ b/modules/rbac/restui_saml.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+source ./modules/common/application.sh #func_get_application_id
+
+function func_get_saml_configuration() {
+ local _controller_url=${1} # hostname + /controller
+ local _user_credentials=${2} # ${username}:${password}
+ local _proxy_details=${3}
+
+ local _debug=${4}
+
+ local X_CSRF_TOKEN_HEADER=${5}
+
+ _endpoint_url="/restui/accountAdmin/getSAMLConfiguration"
+ _method="GET"
+
+ response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" ${_proxy_details})
+
+ echo "${response}"
+
+}
+
+function func_update_saml_configuration() {
+ local _controller_url=${1} # hostname + /controller
+ local _user_credentials=${2} # ${username}:${password}
+ local _proxy_details=${3}
+
+ local _debug=${4}
+
+ local X_CSRF_TOKEN_HEADER=${5}
+
+ local _role_ids=${6}
+ local _saml_group_name=${7}
+
+ _payload_header="Content-Type: application/json; charset=utf8"
+
+ dt=$(date '+%Y-%m-%d_%H-%M-%S')
+
+ _files_directory="./rbac/restui_saml_files"
+ _uploaded_path="${_files_directory}/uploaded"
+ _payload_path="${_uploaded_path}/payload-${dt}.json"
+
+ #todo check if single integer or comma-separated IDs
+
+ # get current configuration
+ _current_saml_config=$(func_get_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${X_CSRF_TOKEN_HEADER}")
+
+ #echo ">>>> current config: $_current_saml_config"
+
+ # add new group
+ with_group=$(jq '.samlRoles += ["'"$_saml_group_name"'"]' <<< $_current_saml_config)
+
+ with_group_and_roles=$(jq --arg new "$_role_ids" '.accountRoles += ['[$_role_ids]']' <<< $with_group)
+
+ # number of roles and groups count control?
+
+ _endpoint_url="/restui/accountAdmin/updateSAMLConfiguration"
+ _method="POST"
+
+ response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} -d "${with_group_and_roles}" "${_controller_url}${_endpoint_url}")
+
+ echo "${response}" > ${_payload_path}
+}
+
+
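Review bot: In func_update_saml_configuration the group name and role ids are pasted into the jq program text (`jq '.samlRoles += ["'"$_saml_group_name"'"]'` and `'.accountRoles += ['[$_role_ids]']'`), so a group name containing a double quote breaks or rewrites the filter, the unquoted `[$_role_ids]` is a shell glob that could expand to a file named `2`, `8` or `,` in the working directory, the declared `--arg new` is never used, and the program that results appends a nested array (`[[28,16]]`), which only works if the endpoint tolerates it. Pass the values as data: `_with_group=$(jq --arg g "$_saml_group_name" '.samlRoles += [$g]' <<< "$_current_saml_config") || return 1` and `jq --argjson ids "[$_role_ids]" '.accountRoles += $ids' <<< "$_with_group" || return 1`, which also validates the id list as JSON. `_current_saml_config` is never checked before the POST, so an expired cookie (HTML or empty body) makes both jq calls fail and the update is sent with `-d ""`, which at best does nothing and at worst replaces the SAML configuration with an empty one; bail out first with `jq -e . >/dev/null <<< "$_current_saml_config" || return 1`. The file named `payload-${dt}.json` receives the server response, not the payload that was sent. The same jq construction survives the rename in patch 19 (`@@ -38,28 +40,30 @@`).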
diff --git a/rbac/restui_saml_files/uploaded/.gitkeep b/rbac/restui_saml_files/uploaded/.gitkeep new file mode 100644 index 0000000..e69de29 From 8e85a77a99be13af6b6d9eb6f306c90ededb8ad3 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 17 Mar 2021 15:19:09 +0100 Subject: [PATCH 17/54] Common - add "error" to echo-ed response for http check; --- modules/common/http_check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/common/http_check.sh b/modules/common/http_check.sh index c386845..df3b950 100644 --- a/modules/common/http_check.sh +++ b/modules/common/http_check.sh @@ -6,7 +6,7 @@ function func_check_http_status() { #echo "HTTP status code: $http_code" if [[ $http_code -lt 200 ]] || [[ $http_code -gt 299 ]]; then echo "${dt} ERROR "{$http_code: $message_on_failure}"" >> ../../error.log - echo "$http_code: $message_on_failure" + echo "ERROR $http_code: $message_on_failure" exit 1 fi } From 01f4a0a2140e895d309d6233a3ac17c528c9a4d0 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 17 Mar 2021 15:20:09 +0100 Subject: [PATCH 18/54] RBAC api - add get role by name function; --- modules/rbac/api_roles.sh | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/modules/rbac/api_roles.sh b/modules/rbac/api_roles.sh index 0c0e370..ddbac44 100755 --- a/modules/rbac/api_roles.sh +++ b/modules/rbac/api_roles.sh @@ -12,6 +12,8 @@ function func_get_all_roles() { local _proxy_details=${4} local _debug=${6} + if [[ _debug = true ]]; then echo ">> func_get_all_roles"; fi + _endpoint_url="/api/rbac/v1/roles" _method="GET" if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi 
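Review bot: `echo "ERROR $http_code: $message_on_failure"` goes to stdout, so a caller that runs the check inside `$(...)` captures the error text as its result instead of showing it; write it to stderr, `echo "ERROR $http_code: $message_on_failure" >&2`. The context line above it appends to `../../error.log`, a path relative to the working directory rather than to the script, which this commit does not address. The function's opening lines are outside the hunk.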
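Review bot: `if [[ _debug = true ]]; then echo ">> func_get_all_roles"; fi` compares the literal string `_debug` with `true`, so the branch can never run; it needs the expansion, `if [[ "$_debug" = true ]]; then`. The same slip is on the pre-existing `_output="-v"` line below it and in every debug guard this series adds: func_get_role_by_name, func_create_role and func_add_role_to_group in the following hunks, func_restui_get_roles and both SAML functions in patch 19, and `if [ _debug = true ]` in the patch 20 script. Once it works, remember that `-v` makes curl print the outgoing `Authorization` and `Cookie` request headers to stderr, so debug runs should not be captured into shared logs.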
@@ -23,6 +25,27 @@ function func_get_all_roles() { } +function func_get_role_by_name() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + local _application_name=${4} + local _debug=${5} + + local _role_name=${6} + + _endpoint_url="/api/rbac/v1/roles/name/${_role_name}" + _method="GET" + if [[ _debug = true ]]; then _output="-v"; else _output="-s"; fi + + # Get all roles + response=$(curl ${_output} -X ${_method} --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + + echo "${response}" + +} + function func_create_role() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} @@ -33,6 +56,8 @@ function func_create_role() { local _role_name=${7} local _role_description=${8} + if [[ _debug = true ]]; then echo ">> func_create_role"; fi + if [ ! -z "${_role_name// }" ]; then _endpoint_url="/api/rbac/v1/roles" @@ -61,6 +86,8 @@ function func_add_role_to_group() { local _role_id=${7} local _group_id=${8} + if [[ _debug = true ]]; then echo ">> func_add_role_to_group"; fi + _endpoint_url="/api/rbac/v1/roles" _method="PUT" _header="Content-Type: application/vnd.appd.cntrl+json;v=1" 
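Review bot: The request URL in func_get_role_by_name, `${_controller_url}{$_endpoint_url}`, has the brace before the `$`, so the shell produces `.../controller{/api/rbac/v1/roles/name/<name>}` and the call only succeeds because curl treats `{...}` as its own URL-globbing syntax; a role name containing `,`, `{`, `}` or `[` is then consumed by the globber instead of being sent. Write `"${_controller_url}${_endpoint_url}"` and URL-encode the name, e.g. `_endpoint_url="/api/rbac/v1/roles/name/$(jq -rn --arg v "$_role_name" '$v|@uri')"`, or add `--globoff` if the braces must stay. The `# Get all roles` comment above the curl line was copied from func_get_all_roles; `# Get a single role by name` describes this function. `${_user_credentials}` is unquoted on the same line.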
@@ -68,10 +95,10 @@ function func_add_role_to_group() { if [ $_debug = true ]; then _output="-v"; else _output="-s"; fi # Add role to a group - httpCode=$(curl ${_output} -o /dev/null -w "%{http_code}" -X ${_method} -H "${_header}" --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) - func_check_http_status $httpCode "Error occured adding role '${_role_id}' to a group '${_group_id}'." + response=$(curl ${_output} -X ${_method} -H "${_header}" --user ${_user_credentials} ${_controller_url}{$_endpoint_url} ${_proxy_details}) + #func_check_http_status $httpCode "Error occured adding role '${_role_id}' to a group '${_group_id}'." - echo "Role '${_role_id}' added to a group '${_group_id}'." + echo "${response}" } From 29dae0bdc3f1867c67d84de2255248147b213448 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 17 Mar 2021 15:22:07 +0100 Subject: [PATCH 19/54] RBAC restui - remove uneccessary echo-s; Add comments; Func renames; --- modules/rbac/restui_auth.sh | 2 +- modules/rbac/restui_roles.sh | 22 +++++++++++++++++----- modules/rbac/restui_saml.sh | 26 +++++++++++++++----------- 3 files changed, 33 insertions(+), 17 deletions(-) diff --git a/modules/rbac/restui_auth.sh b/modules/rbac/restui_auth.sh index 6d0b8b0..0b92017 100755 --- a/modules/rbac/restui_auth.sh +++ b/modules/rbac/restui_auth.sh @@ -9,6 +9,6 @@ function func_restui_get_cookie() { X_CSRF_TOKEN="$(grep X-CSRF-TOKEN cookie.appd|rev|cut -d$'\t' -f1|rev)" X_CSRF_TOKEN_HEADER="`if [ -n "$X_CSRF_TOKEN" ]; then echo "X-CSRF-TOKEN:$X_CSRF_TOKEN"; else echo ''; fi`" - echo "${X_CSRF_TOKEN_HEADER}" + echo "${X_CSRF_TOKEN_HEADER}" # echo header value only (to be used by other functions) } diff --git a/modules/rbac/restui_roles.sh b/modules/rbac/restui_roles.sh index 707a50f..4dd60a0 100755 --- a/modules/rbac/restui_roles.sh +++ b/modules/rbac/restui_roles.sh 
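Review bot: Replacing the `-o /dev/null -w "%{http_code}"` request and the `func_check_http_status` call with a plain `response=$(curl ...)` removes the only failure check func_add_role_to_group had; a 4xx/5xx from the PUT now just echoes the body and the caller continues as if the role were attached. Keep the status with the body, e.g. `response=$(curl ${_output} -w '\n%{http_code}' ...)`, then `httpCode=${response##*$'\n'}; response=${response%$'\n'*}` and call `func_check_http_status "$httpCode" "Error occured adding role '${_role_id}' to a group '${_group_id}'."` as before. The restui functions in patch 19 (func_restui_get_roles and the role-creation function) discard the status the same way. The function's start is outside the hunk.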
@@ -1,5 +1,6 @@ #!/bin/bash +source ./modules/common/http_check.sh # func_check_http_status source ./modules/common/application.sh #func_get_application_id function func_restui_get_roles() { @@ -12,11 +13,14 @@ function func_restui_get_roles() { local X_CSRF_TOKEN_HEADER=${6} + if [[ _debug = true ]]; then echo ">> func_restui_get_roles"; fi + _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoleSummaries" _method="GET" - curl -i -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" - + roleSummaries=$(curl -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}") + + echo "${roleSummaries}" } function func_restui_create_role_with_default_view_and_view_edit_app_permissions() { @@ -32,6 +36,10 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions local _role_name=${7} local _role_description=${8} + echo "||Creating role '${_role_name}'..." + + #if [[ _debug = true ]]; then echo ">> func_restui_create_role_with_default_view_and_view_edit_app_permissions"; fi + dt=$(date '+%Y-%m-%d_%H-%M-%S') _application_id_placeholder="" @@ -61,7 +69,7 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _file_name="$(basename -- $_json_file)" - echo -e "Processing '${_file_name}' json file, setting permissions for '${_application_name}' application. \n" + echo -e "Processing '${_file_name}' json file, setting permissions for '${_application_name}' application." # replacing application id if grep -q $_application_id_placeholder ${_json_file}; then 
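Review bot: `roleSummaries=$(curl -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" ...)` in the second hunk runs verbose unconditionally, and curl's `-v` trace prints the outgoing `Cookie:` and `X-CSRF-TOKEN` headers to stderr, so the session credential lands in whatever log captures the run. Tie verbosity to the debug flag as the api_* functions do, `if [[ "$_debug" = true ]]; then _output="-v"; else _output="-s"; fi` followed by `curl ${_output} ...`, or drop `-v`. The guard added two lines above it compares the literal string `_debug` and therefore never fires. The function's parameter list is outside the hunk.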
@@ -78,6 +86,8 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" _tmp_updated_file_path="${_uploaded_path}/tmp-edited-${_file_name}-${dt}" + echo -e "Processing '${_file_name}' json file, setting global permissions." + # set overall permissions if grep -q $_overall_permissions_placeholder ${_json_file}; then # replace newline with space @@ -104,11 +114,13 @@ function func_restui_create_role_with_default_view_and_view_edit_app_permissions _endpoint_url="/restui/accountRoleAdministrationUiService/accountRoles/create" _method="POST" - curl -i -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}" + response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}") - # remove temporaty files + # remove temporary files, save only final payload backup rm ${_uploaded_path}/tmp-* + echo "${response}" + } diff --git a/modules/rbac/restui_saml.sh b/modules/rbac/restui_saml.sh index acafbe5..ee5b1f7 100755 --- a/modules/rbac/restui_saml.sh +++ b/modules/rbac/restui_saml.sh @@ -2,15 +2,17 @@ source ./modules/common/application.sh #func_get_application_id -function func_get_saml_configuration() { +function func_restui_get_saml_configuration() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} local _proxy_details=${3} - + # no application name needed local _debug=${4} local X_CSRF_TOKEN_HEADER=${5} + if [[ _debug = true ]]; then echo ">> func_restui_get_saml_configuration"; fi + _endpoint_url="/restui/accountAdmin/getSAMLConfiguration" _method="GET" 
@@ -20,11 +22,11 @@ function func_get_saml_configuration() { } -function func_update_saml_configuration() { +function func_restui_update_saml_configuration() { local _controller_url=${1} # hostname + /controller local _user_credentials=${2} # ${username}:${password} local _proxy_details=${3} - + # no application name needed local _debug=${4} local X_CSRF_TOKEN_HEADER=${5} 
@@ -38,28 +40,30 @@ function func_update_saml_configuration() { _files_directory="./rbac/restui_saml_files" _uploaded_path="${_files_directory}/uploaded" - _payload_path="${_uploaded_path}/payload-${dt}.json" + _payload_backup_path="${_uploaded_path}/payload-${dt}.json" #todo check if single integer or comma-separated IDs # get current configuration - _current_saml_config=$(func_get_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${X_CSRF_TOKEN_HEADER}") + _current_saml_config=$(func_restui_get_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${X_CSRF_TOKEN_HEADER}") - #echo ">>>> current config: $_current_saml_config" + if [[ _debug = true ]]; then echo "current saml config is: ${_current_saml_config}"; fi # add new group - with_group=$(jq '.samlRoles += ["'"$_saml_group_name"'"]' <<< $_current_saml_config) + _with_group=$(jq '.samlRoles += ["'"$_saml_group_name"'"]' <<< $_current_saml_config) + + _payload_with_group_and_roles=$(jq --arg new "$_role_ids" '.accountRoles += ['[$_role_ids]']' <<< $_with_group) - with_group_and_roles=$(jq --arg new "$_role_ids" '.accountRoles += ['[$_role_ids]']' <<< $with_group) + if [[ _debug = true ]]; then echo "updated saml config is: ${_payload_with_group_and_roles}"; fi # number of roles and groups count control? _endpoint_url="/restui/accountAdmin/updateSAMLConfiguration" _method="POST" - response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} -d "${with_group_and_roles}" "${_controller_url}${_endpoint_url}") + response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} -d "${_payload_with_group_and_roles}" "${_controller_url}${_endpoint_url}") - echo "${response}" > ${_payload_path} + echo "${response}" > ${_payload_backup_path} } From c82c293a8fb2fb7e36849c581bffc50b1872656c Mon Sep 17 00:00:00 2001 
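Review bot: `echo "${response}" > ${_payload_backup_path}` stores the server's reply in a file named `payload-${dt}.json`, so the "save sent payload" the commit title promises is not what is written; either write `${_payload_with_group_and_roles}` there or name the file `response-${dt}.json`, and quote the path. The two renamed jq lines still interpolate the group name and role ids into the program text instead of passing them with `--arg`/`--argjson`, so quoting and glob characters in those values keep reaching jq unescaped. The function's head is outside the hunk.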
From: alex_jov Date: Wed, 17 Mar 2021 15:23:35 +0100 Subject: [PATCH 20/54] RBAC add script that uses api&restui funcs - create role and attach to SAML group; --- ...e_role_with_app_edit_and_attach_to_saml.sh | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100755 modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh diff --git a/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh b/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh new file mode 100755 index 0000000..43d161b --- /dev/null +++ b/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh 
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+source ./modules/rbac/api_roles.sh
+source ./modules/rbac/api_users.sh
+source ./modules/rbac/api_groups.sh
+
+source ./modules/rbac/restui_auth.sh
+source ./modules/rbac/restui_roles.sh
+source ./modules/rbac/restui_saml.sh
+
+source ./modules/common/http_check.sh # func_check_http_status
+
+_controller_url=${1} # hostname + /controller
+_user_credentials=${2} # ${username}:${password}
+_proxy_details=${3}
+_application_name=${4}
+_debug=${5}
+
+_role_name=${6}
+_role_description=${7}
+
+_saml_group_name=${8}
+
+if [ -z "${_role_name// }" ]; then
+ func_check_http_status 404 "Role name not provided. Unable to create it without this value."
+ exit 1
+fi
+
+echo "| Create auth header and cookie."
+
+_token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials}" "${_proxy_details}")
+
+if [ _debug = true ]; then echo "appd token value is: ${_token_header}"; fi
+
+echo "| Create role with application permissions."
+# create role
+_role_with_permissions_response=$(func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}")
+
+sleep 5 # creating role takes some time, wait before going to fetch it
+
+_expected_response='"id" :' # returns id with space before : on success
+func_check_http_response "\{$_role_with_permissions_response}" "${_expected_response}"
+
+echo "| Get role with application permissions by id."
+# get created role by name
+_get_role_response=$(func_get_role_by_name "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_role_name}")
+
+_expected_response='"id":' # returns id on success
+func_check_http_response "\{$_get_role_response}" "${_expected_response}"
+
+# get role ID from response
+_role_id=$(jq -r '.id' <<< $_get_role_response)
+
+sleep 1
+
+# role ids have to be existing ones for saml update to be successfully performed (although 200 is returned in any case)
+# Note: when multiple: e.g. role_ids="28,16" - no space!
+if [ -z "${_role_id// }" ]; then
+ func_check_http_status 404 "Role '${_role_name}' ID not found. Unable to add its identifier to SAML group."
+ exit 1
+fi
+
+if [ -z "${_saml_group_name// }" ]; then
+ func_check_http_status 404 "SAML group name cannot be empty."
+ exit 1
+fi
+
+echo "| Attach role to SAML Group."
+# create saml group
+_saml_response=$(func_restui_update_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${_token_header}" "${_role_id}" "${_saml_group_name}")
+
+echo "| Role '${_role_name}' added to SAML group '${_saml_group_name}' successfully."
\ No newline at end of file From 7d1002fec42c3988e5b6468cab082dfa54a27804 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 17 Mar 2021 17:52:11 +0100 Subject: [PATCH 21/54] RBAC add config json values; --- config.json | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/config.json b/config.json
index 8c75ef3..6e7ab1d 100644
--- a/config.json
+++ b/config.json
@@ -49,5 +49,14 @@ "suppress_upload_files": false, "suppress_delete": "" }
+ ],
+ "rbac": [
+ {
+ "rbac_only": false,
+ "rbac_action": "role-saml",
+ "rbac_role_name": "",
+ "rbac_role_description": "",
+ "rbac_saml_group_name": ""
+ } ] }  From 5c4d5c45e46f703d97cd7c2af8ee2a5c366162c8 Mon Sep 17 00:00:00 2001 
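Review bot: The closing `echo "| Role '${_role_name}' added to SAML group '${_saml_group_name}' successfully."` is printed whatever `_saml_response` contains, and the comment a few lines above already notes the endpoint returns 200 regardless, so the script reports a success it has not verified; re-read the configuration with func_restui_get_saml_configuration and confirm the group and the role id are present before printing, or at least fail when `_saml_response` is empty. `func_check_http_response "\{$_role_with_permissions_response}" "${_expected_response}"` wraps the body in a literal `\{`...`}` for no visible reason, and the function is not defined in any hunk visible here, so the call may end in "command not found", which at top level without `set -e` does not stop the script. Reporting a missing CLI argument through `func_check_http_status 404 ...` logs it as an HTTP failure; `echo "ERROR role name not provided" >&2; exit 2` is clearer and makes the following `exit 1` unnecessary. `if [ _debug = true ]` compares a literal string and never triggers.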
From: alex_jov Date: Tue, 23 Mar 2021 09:11:18 +0100 Subject: [PATCH 22/54] RBAC adding start.sh flags, env.vars, config and validations; --- start.sh | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/start.sh b/start.sh index 235343f..965506b 100755 --- a/start.sh +++ b/start.sh @@ -67,6 +67,12 @@ _arg_include_database=false _arg_database_name= _arg_include_sim=false +_arg_rbac_only=false +_arg_rbac_action="role-saml" # the only action for now in rbac module is "role-saml" +_arg_rbac_role_name= +_arg_rbac_role_description= +_arg_rbac_saml_group_name= + _arg_debug=false _arg_controller_port_explicitly_set=false @@ -85,6 +91,8 @@ _arg_upload_default_dashboard_explicitly_set=false _arg_upload_custom_dashboard_explicitly_set=false _arg_health_rules_only_explicitly_set=false _arg_health_rules_overwrite_explicitly_set=false +_arg_rbac_only_explicitly_set=false +_arg_rbac_action_explicitly_set=false print_help() @@ -143,6 +151,13 @@ print_help() printf '\t%s\n' "-d, --database-name: mandatory if --include-database set to true (no default)" printf '\t%s\n' "-s, --include-sim, --no-include-sim: include server visibility (${_arg_include_sim} by default)" + printf '%s\n' "Role-Based Access Control (RBAC) options:" + printf '\t%s\n' "--rbac-only, --no-rbac-only: configure RBAC (${_arg_rbac_only} by default)" + printf '\t%s\n' "--rbac-action: RBAC action to be performed ('${_arg_rbac_action}' by default)" + printf '\t%s\n' "--rbac-role-name: RBAC role name (auto-generated by default)" + printf '\t%s\n' "--rbac-role-description: RBAC role description, not mandatory (no default)" + printf '\t%s\n' "--rbac-saml-group-name: RBAC SAML group name (auto-generated by default)" + printf '%s\n' "Help options:" printf '\t%s\n' "-h, --help: Prints help" printf '\t%s\n' "--debug, --no-debug: Run in debug mode (${_arg_debug} by default)" 
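Review bot: The help text in the third hunk says `--rbac-role-name` and `--rbac-saml-group-name` are "auto-generated by default", but their defaults in the first hunk are empty and nothing in this series generates a value; the patch 20 script exits when the role name is empty. Either add the generation or change the two lines to `"--rbac-role-name: RBAC role name, mandatory when --rbac-only is set (no default)"` and the equivalent for the SAML group. The `_arg_rbac_*` defaults sit in a block whose start is outside the hunk.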
@@ -396,6 +411,44 @@ parse_commandline() _arg_upload_default_dashboard_explicitly_set=true test "${1:0:5}" = "--no-" && _arg_upload_default_dashboard=false ;; + --no-rbac-only|_arg_rbac_only) + _arg_rbac_only=true + _arg_rbac_only_explicitly_set=true + test "${1:0:5}" = "--no-" && _arg_rbac_only=false + ;; + --rbac-action) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_rbac_action="$2" + shift + ;; + --rbac-action=*) + _arg_rbac_action_explicitly_set=true + _arg_rbac_action="${_key##--rbac-action=}" + ;; + --rbac-role-name) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_rbac_role_name="$2" + shift + ;; + --rbac-role-name=*) + _arg_rbac_role_name="${_key##--rbac-role-name=}" + ;; + --rbac-role-description) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_rbac_role_description="$2" + shift + ;; + --rbac-role-description=*) + _arg_rbac_role_description="${_key##--rbac-role-description=}" + ;; + --rbac-saml-group-name) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_rbac_saml_group_name="$2" + shift + ;; + --rbac-saml-group-name=*) + _arg_rbac_saml_group_name="${_key##--rbac-saml-group-name=}" + ;; -h|--help) print_help exit 0 @@ -497,6 +550,10 @@ handle_expected_values_for_args() if ([ ! $_arg_upload_default_dashboard = false ] && [ ! $_arg_upload_default_dashboard = true ] ); then _PRINT_HELP=no die "FATAL ERROR: --upload-default-dashboard value \"${_arg_upload_default_dashboard}\" not recognized" 1 fi + + if ([ ! $_arg_rbac_only = false ] && [ ! $_arg_rbac_only = true ] ); then + _PRINT_HELP=no die "FATAL ERROR: _arg_rbac_only value \"${_arg_rbac_only}\" not recognized" 1 + fi } ### 1 SET PARAMETER VALUES ### 
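Review bot: The `--rbac-action)` arm never sets `_arg_rbac_action_explicitly_set=true`, while the `--rbac-action=*` arm does, so a value given as `--rbac-action role-saml` is later overwritten by `CMA_RBAC_ACTION` or the config.json value in the fallback blocks this same commit adds. Add `_arg_rbac_action_explicitly_set=true` next to `_arg_rbac_action="$2"`. In the `handle_expected_values_for_args` hunk on the same line, the new message `FATAL ERROR: _arg_rbac_only value ...` names the internal variable where the neighbouring checks name the flag; `--rbac-only value` would match them. parse_commandline starts and ends outside this hunk.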
@@ -622,6 +679,23 @@ if ([ $_arg_upload_default_dashboard_explicitly_set = false ] && [ ! -z "${CMA_U _arg_upload_default_dashboard=${CMA_UPLOAD_DEFAULT_DASHBOARD} fi +# RBAC +if ([ $_arg_rbac_only_explicitly_set = false ] && [ ! -z "${CMA_RBAC_ONLY// }" ]); then + _arg_rbac_only=${CMA_RBAC_ONLY} +fi +if ([ $_arg_rbac_action_explicitly_set = false ] && [ ! -z "${CMA_RBAC_ACTION// }" ]); then + _arg_rbac_action=${CMA_RBAC_ACTION} +fi +if ([ -z "${_arg_rbac_role_name// }" ] && [ ! -z "${CMA_RBAC_ROLE_NAME// }" ]); then + _arg_rbac_role_name=${CMA_RBAC_ROLE_NAME} +fi +if ([ -z "${_arg_rbac_role_description// }" ] && [ ! -z "${CMA_RBAC_ROLE_DESCRIPTION// }" ]); then + _arg_rbac_role_description=${CMA_RBAC_ROLE_DESCRIPTION} +fi +if ([ -z "${_arg_rbac_saml_group_name// }" ] && [ ! -z "${CMA_RBAC_SAML_GROUP_NAME// }" ]); then + _arg_rbac_saml_group_name=${CMA_RBAC_SAML_GROUP_NAME} +fi + # 1.3 If value not set replace with configuration file values conf_file="config.json" @@ -741,6 +815,23 @@ if ([[ $_arg_upload_default_dashboard_explicitly_set = false ]] && [ -z "${CMA_U _arg_upload_default_dashboard=$(jq -r '.configuration[].upload_default_dashboard' <${conf_file}) fi +# RBAC +if ([[ $_arg_rbac_only_explicitly_set = false ]] && [ -z "${CMA_RBAC_ONLY// }" ]); then + _arg_rbac_only=$(jq -r '.rbac[].rbac_only' <${conf_file}) +fi +if ([[ $_arg_rbac_action_explicitly_set = false ]] && [ -z "${CMA_RBAC_ACTION// }" ]); then + _arg_rbac_action=$(jq -r '.rbac[].rbac_action' <${conf_file}) +fi +if [[ -z "${_arg_rbac_role_name// }" ]]; then + _arg_rbac_role_name=$(jq -r '.rbac[].rbac_role_name' <${conf_file}) +fi +if [[ -z "${_arg_rbac_role_description// }" ]]; then + _arg_rbac_role_description=$(jq -r '.rbac[].rbac_role_description' <${conf_file}) +fi +if [[ -z "${_arg_rbac_saml_group_name// }" ]]; then + _arg_rbac_saml_group_name=$(jq -r '.rbac[].rbac_saml_group_name' <${conf_file}) +fi + ### 2 VALIDATE ### # 2.1 Check if values are in expected ranges 
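Review bot: `jq -r '.rbac[].rbac_role_name' <${conf_file}` prints the literal string `null` when the key is absent or JSON null, and the `-z "${_arg_rbac_role_name// }"` guards do not catch that, so a missing config key would silently become the role name `null`; the same applies to the other four `jq -r` reads in this hunk. Appending `// empty` to each filter, e.g. `jq -r '.rbac[].rbac_role_name // empty' <${conf_file}`, leaves the variable empty so the auto-generation path can run. Values taken from the environment or config.json here are also not range-checked the way the CLI values are; I cannot tell from the hunk whether `handle_expected_values_for_args` runs after this block.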
@@ -795,6 +886,12 @@ if [ $_arg_debug = true ]; then echo "Value of --upload-custom-dashboard: $_arg_upload_custom_dashboard" echo "Value of --upload-default-dashboard: $_arg_upload_default_dashboard" + + echo "Value of --rbac-only: $_arg_rbac_only" + echo "Value of --rbac-action: $_arg_rbac_action" + echo "Value of --rbac-role-name: $_arg_rbac_role_name" + echo "Value of --rbac-role-description: $_arg_rbac_role_description" + echo "Value of --rbac-saml-group-name: $_arg_rbac_saml_group_name" fi @@ -875,6 +972,11 @@ if [ $_arg_suppress_action = true ]; then fi fi +# todo prepare RBAC +# validate action (check if valid option) +# create saml group name (if empty) +# create role name (if empty) + ## VALIDATIONS [prereqs] ## 1. packages @@ -902,6 +1004,24 @@ case $ec in 1) printf '%s\n' "Command exited with non-zero code"; exit 1;; esac +# _arg_rbac=true +# _arg_rbac_action="saml" + +# _arg_rbac_role_name="role-start-script-13" +# _arg_rbac_role_description="desc" # ignore if empty, not mandatory + +# # Note: if you run again with the same group name - new role gets created getting and attached to the existing saml group as well +# _arg_rbac_saml_group_name="Newest coolest" # deafult to name cma-role_name-xyz + + +if ([[ $_arg_rbac = true ]] && [ $_arg_rbac_action = "role-saml" ]); then + echo -e "\n> Running 'RBAC' module" + echo -e ">> Action 'SAML'\n" + ./modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" +fi + +exit 1 #todo testing -> remove + ### 4 ACTION SUPRESSION ### if [ $_arg_suppress_action = true ]; then echo -e "\n> Running 'Action Supression' module" From 77f82801714ae9ad929477f1217bd1a3428580cf Mon Sep 17 00:00:00 2001 
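Review bot: `"$_arg_user_credentials"` is handed to ./modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh as a positional argument, so the username:password pair is visible in the process list and in any `set -x` trace for the child script's lifetime; `$_arg_proxy_details` may carry proxy credentials the same way. The same invocation survives the rework of this hunk in PATCH 24 (the `if ([[ $_arg_rbac_only = true ]] ...` hunk), so the point applies there too. Passing the credentials through an environment variable or a file descriptor the child reads, rather than argv, avoids the exposure; the child script would need a matching change, which is outside this diff.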
From: alex_jov Date: Tue, 23 Mar 2021 09:13:30 +0100 Subject: [PATCH 23/54] RESTUI update test script; --- modules/rbac/api_permissions_allow_app_to_role.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/rbac/api_permissions_allow_app_to_role.sh b/modules/rbac/api_permissions_allow_app_to_role.sh index 36f4162..d2a8de4 100755 --- a/modules/rbac/api_permissions_allow_app_to_role.sh +++ b/modules/rbac/api_permissions_allow_app_to_role.sh @@ -6,7 +6,7 @@ source ./modules/rbac/api_groups.sh source ./modules/rbac/restui_auth.sh source ./modules/rbac/restui_roles.sh - +source ./modules/rbac/restui_saml.sh _controller_url=${1} # hostname + /controller @@ -54,7 +54,14 @@ echo "____________" #func_restui_get_roles "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" -_role_name="test-me-from-bash" -_role_description="test-me-desc" +# _role_name="test-me-from-bash" +# _role_description="test-me-desc" + +# func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}" + +echo "____________" + +_role_ids="28,16" #no space! roles have to be existing ones to be created +_saml_group_name="API-CREATED-ME" -func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}" +func_update_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${_token_header}" "${_role_ids}" "${_saml_group_name}" \ No newline at end of file From f13ec2d9b6b884a9ee0e040fb8f2c96efd5ad334 Mon Sep 17 00:00:00 2001 
From: alex_jov Date: Mon, 29 Mar 2021 13:16:16 +0100 Subject: [PATCH 24/54] RBAC add default role and group names; Check rbac action name; Update info echoed; --- ...e_role_with_app_edit_and_attach_to_saml.sh | 8 +-- start.sh | 51 ++++++++++++------- 2 files changed, 39 insertions(+), 20 deletions(-) diff --git a/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh b/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh index 43d161b..8724912 100755 --- a/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh +++ b/modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh @@ -32,16 +32,17 @@ _token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials if [ _debug = true ]; then echo "appd token value is: ${_token_header}"; fi -echo "| Create role with application permissions." +echo "| Create role '${_role_name}' with application permissions." # create role _role_with_permissions_response=$(func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}") sleep 5 # creating role takes some time, wait before going to fetch it +echo "| Check if role created successfully." _expected_response='"id" :' # returns id with space before : on success func_check_http_response "\{$_role_with_permissions_response}" "${_expected_response}" -echo "| Get role with application permissions by id." +echo "| Get role by id." # get created role by name _get_role_response=$(func_get_role_by_name "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_role_name}") @@ -60,6 +61,7 @@ if [ -z "${_role_id// }" ]; then exit 1 fi +## SAML group if [ -z "${_saml_group_name// }" ]; then func_check_http_status 404 "SAML group name cannot be empty." exit 1 
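Review bot: The context line `if [ _debug = true ]; then echo "appd token value is: ${_token_header}"; fi` compares the literal string `_debug` rather than `$_debug`, so it can never fire, and once corrected it would print the session token to stdout whenever debug mode is on. Prefer `if [ "$_debug" = true ]; then echo "appd token obtained"; fi` and keep the token value out of the output. The assignment of `_debug` and the rest of this script are outside the hunk.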
@@ -69,4 +71,4 @@ echo "| Attach role to SAML Group." # create saml group _saml_response=$(func_restui_update_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${_token_header}" "${_role_id}" "${_saml_group_name}") -echo "| Role '${_role_name}' added to SAML group '${_saml_group_name}' successfully." \ No newline at end of file +echo "|| Role '${_role_name}' added to SAML group '${_saml_group_name}' successfully." \ No newline at end of file diff --git a/start.sh b/start.sh index 965506b..c287047 100755 --- a/start.sh +++ b/start.sh @@ -28,7 +28,6 @@ begins_with_short_option() # THE DEFAULTS INITIALIZATION - OPTIONALS _arg_use_encoded_credentials=false - _arg_controller_host= _arg_controller_port=8090 _arg_use_https=false @@ -67,6 +66,8 @@ _arg_include_database=false _arg_database_name= _arg_include_sim=false +_valid_rbac_actions=("role-saml") # array of valid rbac actions e.g. ("role" "role-saml" "saml") + _arg_rbac_only=false _arg_rbac_action="role-saml" # the only action for now in rbac module is "role-saml" _arg_rbac_role_name= @@ -95,6 +96,8 @@ _arg_rbac_only_explicitly_set=false _arg_rbac_action_explicitly_set=false + + print_help() { printf '%s\n' "ConfigMyApp - Self-service configuration tool." @@ -411,7 +414,7 @@ parse_commandline() _arg_upload_default_dashboard_explicitly_set=true test "${1:0:5}" = "--no-" && _arg_upload_default_dashboard=false ;; - --no-rbac-only|_arg_rbac_only) + --no-rbac-only|--rbac-only) _arg_rbac_only=true _arg_rbac_only_explicitly_set=true test "${1:0:5}" = "--no-" && _arg_rbac_only=false 
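Review bot: `_valid_rbac_actions=("role-saml")` is introduced while the default `_arg_rbac_action="role-saml"` two lines below keeps its own copy of the literal. `_arg_rbac_action="${_valid_rbac_actions[0]}"` keeps the two in sync when further actions are added, and the comment `# the only action for now in rbac module is "role-saml"` could then point at the array instead of repeating the value.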
@@ -965,17 +968,40 @@ if [ $_arg_suppress_action = true ]; then # set to current datetime if empty # UTC / GMT _arg_suppress_start=$(date -u +%FT%T+0000) + echo "DEF|Default action suppression start time created '${_arg_suppress_start}'" fi if [ -z "${_arg_suppress_duration// }" ]; then # set to one hour if empty _arg_suppress_duration=60 + echo "DEF|Default action suppression duration created '${_arg_suppress_duration}'" fi fi -# todo prepare RBAC -# validate action (check if valid option) -# create saml group name (if empty) -# create role name (if empty) +# 3.6 Prepare RBAC +if [ $_arg_rbac_only = true ]; then + # validate action (check if valid option) + if [[ ! " ${_valid_rbac_actions[@]} " =~ " ${_arg_rbac_action} " ]]; then + # whatever you want to do when array doesn't contain value + _PRINT_HELP=no die "FATAL ERROR: --rbac-action value \"${_arg_rbac_action}\" not recognized" 1 + fi + + _rbac_prefix="cma" + _rbac_rnd=$((1 + $RANDOM % 1000)) + + # default saml group name + if [ -z "${_arg_rbac_saml_group_name// }" ]; then + # if empty + _arg_rbac_saml_group_name="${_rbac_prefix}_group_${_arg_application_name}_${_rbac_rnd}" + echo "DEF|Default RBAC SAML group name created '${_arg_rbac_saml_group_name}'" + fi + + # default role name + if [ -z "${_arg_rbac_role_name// }" ]; then + # if empty + _arg_rbac_role_name="${_rbac_prefix}_role_${_arg_application_name}_${_rbac_rnd}" + echo "DEF|Default RBAC role name created '${_arg_rbac_role_name}'" + fi +fi ## VALIDATIONS [prereqs] ## 1. packages 
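Review bot: The comment `# whatever you want to do when array doesn't contain value` in the new validation branch is template boilerplate; replace it with what the branch does, e.g. `# abort: action is not in _valid_rbac_actions`. `_rbac_rnd=$((1 + $RANDOM % 1000))` needs no `$` inside `$(( ))`, and with only 1000 possible suffixes a repeated run against the same application can produce a default role or group name that already exists on the controller; the role lookup by name that follows would then presumably pick up the existing object, which is worth stating in the comment if it is intended. The defaults also embed `_arg_application_name` verbatim, so any whitespace or punctuation in the application name ends up in the role and SAML group names.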
@@ -1004,19 +1030,10 @@ case $ec in 1) printf '%s\n' "Command exited with non-zero code"; exit 1;; esac -# _arg_rbac=true -# _arg_rbac_action="saml" - -# _arg_rbac_role_name="role-start-script-13" -# _arg_rbac_role_description="desc" # ignore if empty, not mandatory - -# # Note: if you run again with the same group name - new role gets created getting and attached to the existing saml group as well -# _arg_rbac_saml_group_name="Newest coolest" # deafult to name cma-role_name-xyz - -if ([[ $_arg_rbac = true ]] && [ $_arg_rbac_action = "role-saml" ]); then +if ([[ $_arg_rbac_only = true ]] && [ $_arg_rbac_action = "role-saml" ]); then echo -e "\n> Running 'RBAC' module" - echo -e ">> Action 'SAML'\n" + echo -e ">> Action 'Role and SAML'\n" ./modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" fi From 89b3c1cfa0998a6b5b833bcb38f7a05447efd350 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 29 Mar 2021 13:17:04 +0100 Subject: [PATCH 25/54] Remove exit with error used in testing; --- start.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/start.sh b/start.sh index c287047..6d7a8b8 100755 --- a/start.sh +++ b/start.sh @@ -1037,8 +1037,6 @@ if ([[ $_arg_rbac_only = true ]] && [ $_arg_rbac_action = "role-saml" ]); then ./modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" fi -exit 1 #todo testing -> remove - ### 4 ACTION SUPRESSION ### if [ $_arg_suppress_action = true ]; then echo -e "\n> Running 'Action Supression' module" From 47403742d856ac2842990b474a610bde5f770b2e Mon Sep 17 00:00:00 2001 
From: alex_jov Date: Tue, 30 Mar 2021 13:29:53 +0100 Subject: [PATCH 26/54] RBAC remove test script; --- .../rbac/api_permissions_allow_app_to_role.sh | 67 ------------------- 1 file changed, 67 deletions(-) delete mode 100755 modules/rbac/api_permissions_allow_app_to_role.sh diff --git a/modules/rbac/api_permissions_allow_app_to_role.sh b/modules/rbac/api_permissions_allow_app_to_role.sh deleted file mode 100755 index d2a8de4..0000000 --- a/modules/rbac/api_permissions_allow_app_to_role.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/bash - -source ./modules/rbac/api_roles.sh -source ./modules/rbac/api_users.sh -source ./modules/rbac/api_groups.sh - -source ./modules/rbac/restui_auth.sh -source ./modules/rbac/restui_roles.sh -source ./modules/rbac/restui_saml.sh - - -_controller_url=${1} # hostname + /controller -_user_credentials=${2} # ${username}:${password} -_proxy_details=${3} -_application_name=${4} -_debug=${5} - -echo "_controller_url ${_controller_url}" -echo "_user_credentials ${_user_credentials}" -echo "_proxy_details ${_proxy_details}" -echo "_application_name ${_application_name}" -echo "_debug ${_debug}" - -# echo "____________" - -# func_get_all_groups "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -# echo "____________" - -# func_get_all_roles "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -# echo "____________" - -# func_get_all_users "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" - -# echo "____________" - -#func_get_user_by_id "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "10" - -#echo "____________" - -#func_create_group "${_controller_url}" "${_user_credentials}" "${_application_name}" "${_proxy_details}" "${_debug}" "API-CREATED-ME-3" "desc" - -echo "____________" - -#todo always request cookie and get token before restui calls (!) 
-_token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials}" "${_proxy_details}") - -echo "============" - -echo "TOKEN IS: ${_token_header}" - -echo "____________" - -#func_restui_get_roles "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" - -# _role_name="test-me-from-bash" -# _role_description="test-me-desc" - -# func_restui_create_role_with_default_view_and_view_edit_app_permissions "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_role_name}" "${_role_description}" - -echo "____________" - -_role_ids="28,16" #no space! roles have to be existing ones to be created -_saml_group_name="API-CREATED-ME" - -func_update_saml_configuration "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_debug}" "${_token_header}" "${_role_ids}" "${_saml_group_name}" \ No newline at end of file From 989f34099c690e7d6abcc2e2ab64ef7615be6c13 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 14:01:26 +0100 Subject: [PATCH 27/54] RBAC update github actions; --- .github/workflows/QAConfigMyApp.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index 4a58e5d..20247e7 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -5,7 +5,7 @@ name: ConfigMyAppCI # Controls when the action will run. Triggers the workflow on push or pull request on: push: - branches: [ master, develop ] + branches: [ master, develop, features/rbac ] pull_request: branches: [ master, develop ] 
@@ -142,3 +142,22 @@ jobs: echo Running SIM and DB, env vars ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + - name: TestCase15- rbac roles and saml groups - runtime + env: + CMA_UPLOAD_DEFAULT_DASHBOARD: false + run: | + echo Running RBAC, runtime parameters + ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" + + - name: TestCase16- Upload default dashboard - env variables + env: + CMA_UPLOAD_DEFAULT_DASHBOARD: false + CMA_RBAC_ONLY: true + CMA_RBAC_ACTION: "role-saml" + CMA_RBAC_ROLE_NAME: "test-role" + CMA_RBAC_ROLE_DESCRIPTION: "test-role-desc" + CMA_RBAC_SAML_GROUP_NAME: "test-saml-group" + run: | + echo Running RBAC, env vars + ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + From 88dca310d11e900e417ce301a5897338f1e41a96 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 14:19:36 +0100 Subject: [PATCH 28/54] RBAC add test case without role and group names provided; --- .github/workflows/QAConfigMyApp.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index 20247e7..c35b3ef 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -149,7 +149,7 @@ jobs: echo Running RBAC, runtime parameters ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" - - name: TestCase16- Upload default dashboard - env variables + - name: TestCase16- rbac roles and saml groups - env variables env: CMA_UPLOAD_DEFAULT_DASHBOARD: false CMA_RBAC_ONLY: true 
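Review bot: TestCase15 and TestCase16 run `./start.sh ... --rbac-only` against the controller in `secrets.CONTROLLER_HOST` on every push to master/develop, which creates an RBAC role and updates the SAML group configuration on that controller each time, with no teardown step; TestCase16 reuses the fixed names `test-role`/`test-saml-group`, and TestCase17 added in PATCH 28 (next hunk) generates fresh names per run, so objects accumulate. Make sure this host is a disposable test controller and add a cleanup step or an idempotency check, or at least note the side effect in the step name. The `CMA_UPLOAD_DEFAULT_DASHBOARD: false` setting is presumably there to skip the dashboard module; a one-line comment saying so would help.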
@@ -160,4 +160,13 @@ jobs: run: | echo Running RBAC, env vars ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + + - name: TestCase17- rbac roles and saml groups - no names provided - env variables + env: + CMA_UPLOAD_DEFAULT_DASHBOARD: false + CMA_RBAC_ONLY: true + CMA_RBAC_ACTION: "role-saml" + run: | + echo Running RBAC, env vars + ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} From f7cd2a53cacb0079d7ae9d93dd567c32f0bfebc7 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 15:35:52 +0100 Subject: [PATCH 29/54] Actions all tests use the same application; --- .github/workflows/QAConfigMyApp.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index c35b3ef..de8e6d9 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml 
@@ -64,14 +64,14 @@ jobs: echo Running Dash upload curl https://gist.githubusercontent.com/iogbole/48e7568454b066132700c4fe039c2cff/raw/4aa417193e7ce9f3cce2410e67d525761cb6d678/gistfile1.txt -o ./custom_dashboards/CustomDashboard_vanilla.json echo Running SIM and DB, - ./start.sh -a IoT_API --upload-custom-dashboard -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API --upload-custom-dashboard -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase6- Upload custom dashboard - env variables run: | echo Running Dash upload curl https://gist.githubusercontent.com/iogbole/48e7568454b066132700c4fe039c2cff/raw/4aa417193e7ce9f3cce2410e67d525761cb6d678/gistfile1.txt -o ./custom_dashboards/CustomDashboard_vanilla.json export CMA_UPLOAD_CUSTOM_DASHBOARD=true - ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase7- Health rules only - no overwrite - parameters env: 
@@ -129,7 +129,7 @@ jobs: - name: TestCase13- Upload default dashboard SIM and DB - runtime run: | echo Running SIM and DB, runtime - ./start.sh -a IoT_API --upload-default-dashboard --include-database --database-name 'ConfigMyApp' --include-sim -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API --upload-default-dashboard --include-database --database-name 'ConfigMyApp' --include-sim -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase14- Upload default dashboard - env variables env: @@ -140,14 +140,14 @@ jobs: CMA_INCLUDE_SIM: true run: | echo Running SIM and DB, env vars - ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase15- rbac roles and saml groups - runtime env: CMA_UPLOAD_DEFAULT_DASHBOARD: false run: | echo Running RBAC, runtime parameters - ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" + ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" - name: TestCase16- rbac roles and saml groups - env variables env: 
@@ -159,7 +159,7 @@ jobs: CMA_RBAC_SAML_GROUP_NAME: "test-saml-group" run: | echo Running RBAC, env vars - ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase17- rbac roles and saml groups - no names provided - env variables env: @@ -168,5 +168,5 @@ jobs: CMA_RBAC_ACTION: "role-saml" run: | echo Running RBAC, env vars - ./start.sh -a IoT_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} From b643129095c0092db92b20410e75a1a3c64b3706 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 16:23:08 +0100 Subject: [PATCH 30/54] GitHub Actions update controller host and app name; --- docker/env.list | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/env.list b/docker/env.list index dbec430..265ce6a 100644 --- a/docker/env.list +++ b/docker/env.list @@ -1,6 +1,6 @@ -CMA_APPLICATION_NAME=IoT_API -CMA_CONTROLLER_HOST=configmyappdemo-2044no-uzyczrm0.appd-cx.com +CMA_APPLICATION_NAME=Jenkins_API +CMA_CONTROLLER_HOST=configmyappdemo-20103n-m3lp0zmi.appd-cx.com CMA_CONTROLLER_PORT=8090 CMA_USE_HTTPS=false CMA_USERNAME=appd From cee8b21ccec93e706312cb36a6986d9acdcab3c7 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 16:59:09 +0100 Subject: [PATCH 31/54] Actins test failed docker run; --- docker/env.list | 2 +- docker/run.sh | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docker/env.list b/docker/env.list index 265ce6a..f20831d 100644 --- a/docker/env.list +++ b/docker/env.list 
@@ -1,6 +1,6 @@ CMA_APPLICATION_NAME=Jenkins_API -CMA_CONTROLLER_HOST=configmyappdemo-20103n-m3lp0zmi.appd-cx.com +CMA_CONTROLLER_HOST=20103n-m3lp0zmi.appd-cx.com CMA_CONTROLLER_PORT=8090 CMA_USE_HTTPS=false CMA_USERNAME=appd diff --git a/docker/run.sh b/docker/run.sh index b1c109a..54dae65 100755 --- a/docker/run.sh +++ b/docker/run.sh @@ -15,6 +15,14 @@ fi #standard run docker run --rm --env-file env.list ${image_name}:${version} +if [ $? -eq 0 ] +then + echo "Successful Docker container run. Proceeding..." +else + echo "Error occurred. Could not run the Docker container." >&2 + exit 1 +fi + docker ps # change directory to the root folder where mounted volumes are located - if you're executing the ./run.sh script From 31ceb70c2b2b19e4ab6ad024d1ba392dee01e2e2 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 30 Mar 2021 17:01:29 +0100 Subject: [PATCH 32/54] GitHub Actions - fix typo and provide latest valid container host name to Docker; --- .github/workflows/DockerBuildPush.yml | 2 +- docker/env.list | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/DockerBuildPush.yml b/.github/workflows/DockerBuildPush.yml index 94286b7..8c13a50 100644 --- a/.github/workflows/DockerBuildPush.yml +++ b/.github/workflows/DockerBuildPush.yml @@ -19,7 +19,7 @@ jobs: tag_with_ref: true dockerfile: docker/Dockerfile - QA-DcokerImage: + QA-DockerImage: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/docker/env.list b/docker/env.list index f20831d..265ce6a 100644 --- a/docker/env.list +++ b/docker/env.list @@ -1,6 +1,6 @@ CMA_APPLICATION_NAME=Jenkins_API -CMA_CONTROLLER_HOST=20103n-m3lp0zmi.appd-cx.com +CMA_CONTROLLER_HOST=configmyappdemo-20103n-m3lp0zmi.appd-cx.com CMA_CONTROLLER_PORT=8090 CMA_USE_HTTPS=false CMA_USERNAME=appd From 78dd0a936e0f076ebf2c13cdc8c604d1d8a3a942 Mon Sep 17 00:00:00 2001 
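Review bot: In docker/run.sh, `if [ $? -eq 0 ]` after the `docker run` line is fragile, since any command inserted between them changes what `$?` refers to; test the command directly: `if docker run --rm --env-file env.list "${image_name}:${version}"; then`. Quoting `"${image_name}:${version}"` also keeps the tag from being word-split if either variable is empty. The success/failure echoes and `exit 1` in the new block can stay as they are.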
From: alex_jov Date: Tue, 30 Mar 2021 17:09:04 +0100 Subject: [PATCH 33/54] GitHub actions - remove rbac feature from watched branches on push; --- .github/workflows/QAConfigMyApp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index de8e6d9..e746844 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -5,7 +5,7 @@ name: ConfigMyAppCI # Controls when the action will run. Triggers the workflow on push or pull request on: push: - branches: [ master, develop, features/rbac ] + branches: [ master, develop ] pull_request: branches: [ master, develop ] From a820936cd7d3d74c402e6f08d942cac035ba59bf Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 7 Apr 2021 11:30:17 +0100 Subject: [PATCH 34/54] Add centralized logging and sensitive log message data masking; --- config.json | 7 ++ modules/business_transactions/configBT.sh | 12 ++-- modules/common/http_check.sh | 26 ++++--- modules/common/logging.sh | 22 ++++++ modules/common/sensitive_data.sh | 84 +++++++++++++++++++++++ 5 files changed, 137 insertions(+), 14 deletions(-) create mode 100644 modules/common/logging.sh create mode 100755 modules/common/sensitive_data.sh diff --git a/config.json b/config.json index 6e7ab1d..ba7c0d4 100644 --- a/config.json +++ b/config.json @@ -58,5 +58,12 @@ "rbac_role_description": "", "rbac_saml_group_name": "" } + ], + "sensitive_data": [ + { + "data_masking": true, + "data_masking_patterns": "configmyapp-prod, https://, -.*8090", + "data_masking_strategy": "exact" + } ] } diff --git a/modules/business_transactions/configBT.sh b/modules/business_transactions/configBT.sh index 26c9c04..7c2fb42 100755 --- a/modules/business_transactions/configBT.sh +++ b/modules/business_transactions/configBT.sh 
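Review bot: The new default `data_masking_patterns` value ends with `-.*8090`, which contains `*`, a character the `func_data_masking` added in modules/common/sensitive_data.sh by this same commit describes as not allowed in patterns (`#todo no characters: comma, # or * allowed`), and with `data_masking_strategy` set to `exact` it is unclear whether that entry is meant as a literal or as a regex. Either drop the entry or document the supported pattern syntax next to the key. The masking implementation is cut off at the end of this patch, so I cannot confirm how such an entry is actually handled.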
@@ -2,6 +2,8 @@ # Match types: MATCHES_REGEX, CONTAINS, EQUALS, STARTS_WITH, ENDS_WITH, IS_IN_LIST, IS_NOT_EMPTY # The format of the JSON must be maintained at all times.. all four sections must be available even if you're not using them, leave them blank. +source ./modules/common/logging.sh # func_log_error_to_file + bt_folder="./bt_api_templates" bt_conf="./bt_config/configBT.json" bt_config_template="bt_config_template.xml" @@ -293,7 +295,7 @@ if [ -f "$bt_file_path" ]; then echo "The file path is $bt_file_path" sleep 1 echo "" - echo "Please wait while we configure BT detection rules in $appName" + echo "Please wait while we configure BT detection rules in $app_name" btendpoint="/transactiondetection/${app_name}/custom" @@ -303,13 +305,13 @@ if [ -f "$bt_file_path" ]; then echo "" echo "*********************************************************************" echo "ConfigMyApp created Business transaction detection rules successfully." - echo "Please check $appName detection rule configuration pages." + echo "Please check $app_name detection rule configuration pages." echo "*********************************************************************" echo "" else - msg="An Error occured whilst creating business transaction detection rules. Please refer to the error.log file for further details" - echo "${dt} An Error occured whilst creating business transaction detection rules." >> error.log - echo "${dt} ERROR $bt_response" >>error.log + msg="An Error occured whilst creating business transaction detection rules. Please refer to the error.log file for further details." + func_log_error_to_file "An Error occured whilst creating business transaction detection rules for application '$app_name'." + func_log_error_to_file "$bt_response" "ERROR" echo "$msg" echo "$bt_response" echo "" diff --git a/modules/common/http_check.sh b/modules/common/http_check.sh index df3b950..55dbb83 100644 --- a/modules/common/http_check.sh +++ b/modules/common/http_check.sh 
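Review bot: In the error branch, `func_log_error_to_file "$bt_response" "ERROR"` and the following `echo "$bt_response"` write the raw controller response to error.log and stdout without passing it through `func_data_masking`, while http_check.sh in the same commit masks before logging. Add `source ./modules/common/sensitive_data.sh # func_data_masking` next to the new logging source and mask once, `bt_response=$(func_data_masking "$bt_response")`, before the log and echo calls. The `$appName` → `$app_name` change looks like a fix for an undefined variable, assuming `app_name` is the one assigned earlier in this script (outside the hunk).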
@@ -1,12 +1,18 @@ #!/bin/bash +source ./modules/common/sensitive_data.sh # func_data_masking +source ./modules/common/logging.sh # func_log_error_to_file + +# external function func_check_http_status() { local http_code=$1 local message_on_failure=$2 #echo "HTTP status code: $http_code" if [[ $http_code -lt 200 ]] || [[ $http_code -gt 299 ]]; then - echo "${dt} ERROR "{$http_code: $message_on_failure}"" >> ../../error.log echo "ERROR $http_code: $message_on_failure" + # mask sensitive info (if needed) + message_on_failure=$(func_data_masking "${message_on_failure}") + logged_to_file=$(func_log_error_to_file "$message_on_failure" "ERROR" "$http_code") exit 1 fi } @@ -15,14 +21,16 @@ function func_check_http_response(){ local http_message_body="$1" local string_success_response_contains="$2" if [[ "$http_message_body" =~ "$string_success_response_contains" ]]; then # contains - echo "*********************************************************************" - echo "Success" - echo "*********************************************************************" - else - echo "${dt} ERROR "{$http_message_body}"" >> ../../error.log - echo "ERROR $http_message_body" - exit 1 - fi + echo "*********************************************************************" + echo "Success" + echo "*********************************************************************" + else + echo "ERROR HTTP response does not contain '$string_success_response_contains'. Check logs for mode detils..." + # mask sensitive info (if needed) + http_message_body=$(func_data_masking ${http_message_body} "" "") + logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR") + exit 1 + fi } function func_cleanup() { diff --git a/modules/common/logging.sh b/modules/common/logging.sh new file mode 100644 index 0000000..12df18b --- /dev/null +++ b/modules/common/logging.sh 
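Review bot: In `func_check_http_status` the unmasked `$message_on_failure` is echoed to stdout before `func_data_masking` runs, so masking only protects error.log and not the console or CI log; move `message_on_failure=$(func_data_masking "${message_on_failure}")` above the `echo`. In `func_check_http_response` the call `func_data_masking ${http_message_body} "" ""` leaves the body unquoted, so a multi-word JSON response is word-split and its second and third words arrive as the `patterns` and `strategy` arguments; quote it: `http_message_body=$(func_data_masking "${http_message_body}" "" "")`. The `logged_to_file=$(...)` captures are unnecessary since the logger only writes a file, and `mode detils` in the new error text should read `more details`.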
@@ -0,0 +1,22 @@ +#!/bin/bash + +source ./modules/common/sensitive_data.sh # func_data_masking + +# intent to be internal +function func_log_error_to_file(){ + local message="$1" + local severity="$2" # optional, error by default + local status_code="$3" # optional + + dt=$(date '+%Y-%m-%d_%H-%M-%S') + + if [[ -z "$severity" ]]; then + severity="ERROR" + fi + + if [[ ! -z "$status_code" ]]; then + status_code="'$status_code' " + fi + + echo "${dt} ${severity} ${status_code}"${message}"" >> error.log +} \ No newline at end of file diff --git a/modules/common/sensitive_data.sh b/modules/common/sensitive_data.sh new file mode 100755 index 0000000..4fe3005 --- /dev/null +++ b/modules/common/sensitive_data.sh 
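Review bot: In func_log_error_to_file the final `echo "${dt} ${severity} ${status_code}"${message}""` leaves `${message}` outside the quotes, so it is word-split (runs of whitespace collapsed) and pathname-expanded; because func_data_masking substitutes `*********` for masked data, a masked message contains a glob that can be replaced by the names of files in the current directory before it reaches error.log. Write the line as `printf '%s %s %s%s\n' "$dt" "$severity" "$status_code" "$message" >> error.log`, which also stops echo from interpreting a message that begins with `-n` or `-e`. `dt` is assigned without `local`, so when the function is called directly rather than inside `$(...)` it overwrites the caller's `dt`, which the action-suppression modules use to build file names; `local dt` keeps it scoped.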
@@ -0,0 +1,84 @@ +#!/bin/bash + +#source ./modules/common/logging.sh # func_log_error_to_file + +# can be called form any part of the program => handle varaibles here +if ([ -z "${_arg_data_masking// }" ] && [ ! -z "${CMA_DATA_MASKING// }" ]); then + _arg_data_masking=${CMA_DATA_MASKING} +fi + +if ([ -z "${_arg_data_masking_patterns// }" ] && [ ! -z "${CMA_DATA_MASKING_PATTERNS// }" ]); then + _arg_data_masking_patterns=${CMA_DATA_MASKING_PATTERNS} +fi + +if ([ -z "${_arg_data_masking_strategy// }" ] && [ ! -z "${CMA_DATA_MASKING_STRATEGY// }" ]); then + _arg_data_masking_strategy=${CMA_DATA_MASKING_STRATEGY} +fi + +conf_file="config.json" + +if [[ -z "${_arg_data_masking// }" ]]; then + _arg_data_masking=$(jq -r '.sensitive_data[].data_masking' <${conf_file}) +fi +if [[ -z "${_arg_data_masking_patterns// }" ]]; then + _arg_data_masking_patterns=$(jq -r '.sensitive_data[].data_masking_patterns' <${conf_file}) +fi +if [[ -z "${_arg_data_masking_strategy// }" ]]; then + _arg_data_masking_strategy=$(jq -r '.sensitive_data[].data_masking_strategy' <${conf_file}) +fi + +## check if values are valid data type +if ([ ! $_arg_data_masking = false ] && [ ! $_arg_data_masking = true ] ); then + echo -n "Data-masking value \"${_arg_data_masking}\" not recognized. Proceeding with data not being masked..." +fi + +# source ./modules/common/sensitive_data.sh; func_data_masking "me.saas.com:443" "saas" "exact" +function func_data_masking(){ + local message="$1" + local patterns="$2" #todo no characters: comma, # or * allowed + local strategy="$3" # valid: exact, before, after + + # argumebts from configuration + if [ $_arg_data_masking = false ]; then + echo "$message" + exit 0 + fi + + if [[ -z "$patterns" ]]; then + patterns=${_arg_data_masking_patterns} + fi + + if [[ -z "$strategy" ]]; then + strategy=${_arg_data_masking_strategy} + fi + + masking_string="*********" + valid_data_masking_strategies=("exact" "before" "after") + + if [[ ! 
" ${valid_data_masking_strategies[@]} " =~ " ${strategy} " ]]; then + # whatever you want to do when array doesn't contain value + echo -e "[Data masking strategy \"${strategy}\" not recognized] " + fi + + for pattern in ${patterns//,/ } + do + # mask sensitive info + case $strategy in + exact) + message=$(echo $message | sed -e "s#${pattern}#${masking_string}#g") + ;; + before) + message=$(echo $message | sed -e "s#.*${pattern}#${masking_string}#g") + ;; + after) + message=$(echo $message | sed -e "s#${pattern}.*'#${masking_string}#g") + ;; + *) + # echo -n "Message not masked..." + ;; + esac + + done + + echo "$message" +} \ No newline at end of file From ef19bbb530fd4ff7c1345c39dc567ef5ce9e1498 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 7 Apr 2021 11:37:25 +0100 Subject: [PATCH 35/54] Set sensitive data masking false by defuat; --- config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.json b/config.json index ba7c0d4..6087c6a 100644 --- a/config.json +++ b/config.json @@ -61,7 +61,7 @@ ], "sensitive_data": [ { - "data_masking": true, + "data_masking": false, "data_masking_patterns": "configmyapp-prod, https://, -.*8090", "data_masking_strategy": "exact" } From 6b1c30ab88cbd40cfdf490e8aa2464d557491781 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 7 Apr 2021 11:38:04 +0100 Subject: [PATCH 36/54] Add data masking test case; Update test app name - append _Demo to match k8s deployment; --- .github/workflows/QAConfigMyApp.yml | 55 ++++++++++++++++++----------- 1 file changed, 34 insertions(+), 21 deletions(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index e746844..051840d 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -10,7 +10,7 @@ on: branches: [ master, develop ] jobs: - DcokerImage-QA: + DockerImage-QA: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 
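Review bot: func_data_masking ends the masking-off branch with `exit 0`, which terminates the calling script whenever the function is invoked as a plain statement rather than inside `$(...)`; `return 0` is the intended control flow. In the loop, `echo $message | sed ...` expands `$message` unquoted, so once the first pattern has been replaced with `*********` the next iteration globs that mask against the current directory and can swap it for file names, and the `after` branch's expression `s#${pattern}.*'#` contains a stray `'` that makes it match only when a quote follows the pattern. The validation block above prints "Proceeding with data not being masked" for an unrecognised `_arg_data_masking` value, but the function tests only `= false`, so any other value still masks; either normalise the value to `false` there or change the message. Patterns are spliced into sed expressions as regular expressions with `#` as the delimiter, which the todo already notes; stating that in the function's header comment would help callers who pass patterns from the environment. The rewritten branch and loop:

```bash
  # arguments from configuration: masking disabled -> pass the message through unchanged
  if [ "$_arg_data_masking" = false ]; then
    printf '%s\n' "$message"
    return 0
  fi

  # … unchanged: default patterns/strategy, masking_string, strategy validation …

  for pattern in ${patterns//,/ }
  do
    # mask sensitive info; $message is quoted so an earlier mask ("*********") is not glob-expanded
    case $strategy in
      exact)
        message=$(printf '%s\n' "$message" | sed -e "s#${pattern}#${masking_string}#g")
        ;;
      before)
        message=$(printf '%s\n' "$message" | sed -e "s#.*${pattern}#${masking_string}#g")
        ;;
      after)
        message=$(printf '%s\n' "$message" | sed -e "s#${pattern}.*#${masking_string}#g")
        ;;
      *)
        ;;
    esac
  done

  printf '%s\n' "$message"
```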
@@ -32,53 +32,53 @@ jobs: echo Running basic CMA pwd ls -ltr - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase1- Basic ConfigMyApp with default dashboard off run: | echo Running basic CMA with default dashboard off pwd ls -ltr - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase2- BT_ONLY env: CMA_USE_HTTPS: false run: | echo Running BT_ONLY, - ./start.sh -a Jenkins_API --bt-only -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --bt-only -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase3- Action suppression. Default. run: | echo Running Action Suppression, - ./start.sh -a Jenkins_API --suppress-action -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --suppress-action -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase4- Action suppression. Date and duration. 
run: | echo Running Action Suppression #--suppress-start=$(date -d " + 20 minutes" -u +%FT%T) - ./start.sh -a Jenkins_API --suppress-action --suppress-duration=120 -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --suppress-action --suppress-duration=120 -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase5- Upload custom dashboard - runtime run: | echo Running Dash upload curl https://gist.githubusercontent.com/iogbole/48e7568454b066132700c4fe039c2cff/raw/4aa417193e7ce9f3cce2410e67d525761cb6d678/gistfile1.txt -o ./custom_dashboards/CustomDashboard_vanilla.json echo Running SIM and DB, - ./start.sh -a Jenkins_API --upload-custom-dashboard -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --upload-custom-dashboard -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase6- Upload custom dashboard - env variables run: | echo Running Dash upload curl https://gist.githubusercontent.com/iogbole/48e7568454b066132700c4fe039c2cff/raw/4aa417193e7ce9f3cce2410e67d525761cb6d678/gistfile1.txt -o ./custom_dashboards/CustomDashboard_vanilla.json export CMA_UPLOAD_CUSTOM_DASHBOARD=true - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase7- Health rules only - no overwrite - parameters env: CMA_USE_HTTPS: false run: | echo Running health 
rules only, get values from runtime parameters, - ./start.sh -a Jenkins_API --health-rules-only --no-health-rules-overwrite -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --health-rules-only --no-health-rules-overwrite -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase8- Health rules only - overwrite - env variables env: @@ -87,7 +87,7 @@ jobs: CMA_HEALTH_RULES_ONLY: true run: | echo Running health rules only, get values from environment variables, - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase9- Health rules only - overwrite default - config env: @@ -96,7 +96,7 @@ jobs: cp config.json config.json.bkp curl https://gist.githubusercontent.com/AlexJov/63ccb17421208679ef63b55afafea712/raw/b8e5ebc5399a8d7df5422ff07c49c892f0c3bd63/config.json -o ./config.json echo Running health rules only, get values from config, - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard cp config.json.bkp config.json - name: TestCase10- Delete health rules, existing 
@@ -107,29 +107,29 @@ jobs: curl https://gist.githubusercontent.com/AlexJov/03317fd4271325fbd6678dded2df6e91/raw/bb33a4b3abcaed762f1a5b262586183c6efd4402/CpuUtilisationTooHighToDelete.json -o ./health_rules/ServerVisibility/CpuUtilisationTooHighToDelete.json echo Running health rules only, import additional health rules, - ./start.sh -a Jenkins_API -u appd --include-sim --health-rules-only -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo -u appd --include-sim --health-rules-only -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard echo Delete health rules: - ./start.sh -a Jenkins_API --health-rules-delete "Agent Availability to Delete, Server Health: CPU Utilisation is too high to Delete" -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --health-rules-delete "Agent Availability to Delete, Server Health: CPU Utilisation is too high to Delete" -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase11- Delete health rules, non existing env: CMA_USE_HTTPS: false run: | echo Delete health rules, delete health rules from TestCase10 - ./start.sh -a Jenkins_API --health-rules-delete "There is no this rule name" -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --health-rules-delete "There is no this rule name" -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase12- Overwrite Health rules - runtime run: | echo Running basic 
CMA pwd ls -ltr - ./start.sh -a Jenkins_API --health-rules-only --overwrite-health-rules -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard + ./start.sh -a Jenkins_API_Demo --health-rules-only --overwrite-health-rules -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --no-upload-default-dashboard - name: TestCase13- Upload default dashboard SIM and DB - runtime run: | echo Running SIM and DB, runtime - ./start.sh -a Jenkins_API --upload-default-dashboard --include-database --database-name 'ConfigMyApp' --include-sim -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo --upload-default-dashboard --include-database --database-name 'ConfigMyApp' --include-sim -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase14- Upload default dashboard - env variables env: 
@@ -140,14 +140,14 @@ jobs: CMA_INCLUDE_SIM: true run: | echo Running SIM and DB, env vars - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase15- rbac roles and saml groups - runtime env: CMA_UPLOAD_DEFAULT_DASHBOARD: false run: | echo Running RBAC, runtime parameters - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} --rbac-only --rbac-action="role-saml" - name: TestCase16- rbac roles and saml groups - env variables env: @@ -159,7 +159,7 @@ jobs: CMA_RBAC_SAML_GROUP_NAME: "test-saml-group" run: | echo Running RBAC, env vars - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - name: TestCase17- rbac roles and saml groups - no names provided - env variables env: 
@@ -168,5 +168,18 @@ jobs: CMA_RBAC_ACTION: "role-saml" run: | echo Running RBAC, env vars - ./start.sh -a Jenkins_API -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} - + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + + - name: TestCase18- sensitive data masking - env variables + env: + CMA_UPLOAD_DEFAULT_DASHBOARD: false + CMA_DATA_MASKING: true + CMA_DATA_MASKING_PATTERNS: "-.*8090" + CMA_DATA_MASKING_STRATEGY: "exact" + run: | + echo Running sensitive data masking, env vars + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + last_log_line=$(tail -n 1 error.log) + echo "Logged: ${last_log_line}" + + From 08ea97d6d7cec0742361fe91d8a73e4f0cb5649a Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 7 Apr 2021 15:31:21 +0100 Subject: [PATCH 37/54] Logging - actions supression update; --- modules/actions/application-action-suppression.sh | 5 ++++- modules/actions/upload-files-action-suppression.sh | 5 ++++- modules/common/http_check.sh | 6 +++--- modules/common/logging.sh | 2 -- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/modules/actions/application-action-suppression.sh b/modules/actions/application-action-suppression.sh index dee3b55..7bad4a6 100755 --- a/modules/actions/application-action-suppression.sh +++ b/modules/actions/application-action-suppression.sh @@ -2,6 +2,8 @@ source ./modules/common/http_check.sh # func_check_http_status, func_check_http_response source ./modules/common/application.sh # func_get_application_id +source ./modules/common/logging.sh # func_log_error_to_file +source ./modules/common/sensitive_data.sh # func_data_masking # 1. INPUT PARAMETERS _controller_url=${1} # hostname + /controller 
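Review bot: TestCase18 only prints `tail -n 1 error.log`, so it cannot fail when masking does not happen, and echoing the last log line into the job output reproduces whatever was logged, masked or not. An assertion that the configured pattern is absent is what the step needs, for example `if grep -q -- '8090' error.log; then echo "unmasked value in error.log" >&2; exit 1; fi`. If the run against the real controller succeeds without logging anything, error.log may not exist and `tail` itself fails the step; the following patches switch to a non-existing controller and then back, which suggests this is what happened, so guarding with `[ -f error.log ]` or forcing one known error would make the step deterministic.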
@@ -27,8 +29,9 @@ function func_check_http_response(){ # override default cp -rf "$filePath" "./api_actions/uploaded/${fileName}.${dt}" echo "Success..." else - echo "${dt} ERROR "{$http_message_body}"" >> error.log echo "ERROR $http_message_body" + http_message_body=$(func_data_masking ${http_message_body}) + logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR") exit 1 fi } diff --git a/modules/actions/upload-files-action-suppression.sh b/modules/actions/upload-files-action-suppression.sh index e666e1b..e4fbec9 100755 --- a/modules/actions/upload-files-action-suppression.sh +++ b/modules/actions/upload-files-action-suppression.sh @@ -2,6 +2,8 @@ source ./modules/common/http_check.sh # func_check_http_status, func_check_http_response source ./modules/common/application.sh # func_get_application_id +source ./modules/common/logging.sh # func_log_error_to_file +source ./modules/common/sensitive_data.sh # func_data_masking # 1. INPUT PARAMETERS _controller_url=${1} # hostname + /controller @@ -31,8 +33,9 @@ function func_check_http_response(){ # function override cp -rf "$filePath" "./api_actions/uploaded/${fileName}.${dt}" echo "Success..." else - echo "${dt} ERROR "{$http_message_body}"" >> error.log echo "ERROR $http_message_body" + http_message_body=$(func_data_masking ${http_message_body}) + logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR") # do not break on failure fi } diff --git a/modules/common/http_check.sh b/modules/common/http_check.sh index 55dbb83..c4ca2f8 100644 --- a/modules/common/http_check.sh +++ b/modules/common/http_check.sh @@ -12,7 +12,7 @@ function func_check_http_status() { echo "ERROR $http_code: $message_on_failure" # mask sensitive info (if needed) message_on_failure=$(func_data_masking "${message_on_failure}") - logged_to_file=$(func_log_error_to_file "$message_on_failure" "ERROR" "$http_code") + logged_to_file=$(func_log_error_to_file ${message_on_failure} "ERROR" "$http_code") exit 1 fi } 
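Review bot: `http_message_body=$(func_data_masking ${http_message_body})` passes the body unquoted, so it is word-split: only the first word becomes the message, the second word is taken as the pattern list and the third as the strategy, and the logged text ends up truncated and effectively unmasked. Quote it, `http_message_body=$(func_data_masking "${http_message_body}" "" "")`, and likewise `logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR")`. The same unquoted calls appear in the upload-files-action-suppression.sh hunk and in both http_check.sh hunks of this patch; patch 40 later restores the quotes in http_check.sh but not in the two action-suppression overrides. The surrounding func_check_http_response override starts outside the hunk.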
@@ -27,8 +27,8 @@ function func_check_http_response(){ else echo "ERROR HTTP response does not contain '$string_success_response_contains'. Check logs for mode detils..." # mask sensitive info (if needed) - http_message_body=$(func_data_masking ${http_message_body} "" "") - logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR") + http_message_body=$(func_data_masking ${http_message_body}) + logged_to_file=$(func_log_error_to_file ${http_message_body} "ERROR") exit 1 fi } diff --git a/modules/common/logging.sh b/modules/common/logging.sh index 12df18b..1836588 100644 --- a/modules/common/logging.sh +++ b/modules/common/logging.sh @@ -1,7 +1,5 @@ #!/bin/bash -source ./modules/common/sensitive_data.sh # func_data_masking - # intent to be internal function func_log_error_to_file(){ local message="$1" From 9c076016df410e93d8315964b42147414972aa2b Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 7 Apr 2021 15:32:09 +0100 Subject: [PATCH 38/54] testCases update data masking test to target non-existing controller; --- .github/workflows/QAConfigMyApp.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index 051840d..9c73964 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -5,7 +5,7 @@ name: ConfigMyAppCI # Controls when the action will run. Triggers the workflow on push or pull request on: push: - branches: [ master, develop ] + branches: [ master, develop, features/rbac ] pull_request: branches: [ master, develop ] 
@@ -178,7 +178,7 @@ jobs: CMA_DATA_MASKING_STRATEGY: "exact" run: | echo Running sensitive data masking, env vars - ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo -c NonExistingControllerSoItLogsError -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} last_log_line=$(tail -n 1 error.log) echo "Logged: ${last_log_line}" From 2cf1fafcc9b01d349b333bba3759bacf2c3b5201 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Thu, 8 Apr 2021 08:50:31 +0100 Subject: [PATCH 39/54] RBAC Add license rule creating, new valid rbac action, and payload template; --- .gitignore | 3 +- modules/rbac/create_license_rules.sh | 28 +++++ modules/rbac/restui_license_rules.sh | 104 ++++++++++++++++++ .../payload_all.json | 37 +++++++ start.sh | 12 +- 5 files changed, 180 insertions(+), 4 deletions(-) create mode 100755 modules/rbac/create_license_rules.sh create mode 100755 modules/rbac/restui_license_rules.sh create mode 100644 rbac/restui_license_rules_files/payload_all.json diff --git a/.gitignore b/.gitignore index 3e32022..a787ad3 100644 --- a/.gitignore +++ b/.gitignore @@ -19,4 +19,5 @@ custom_dashboards/*.json* custom_dashboards/uploaded/*.json* cookie.appd rbac/restui_role_files/uploaded/* -rbac/restui_saml_files/uploaded/* \ No newline at end of file +rbac/restui_saml_files/uploaded/* +rbac/restui_license_rules_files/uploaded/* \ No newline at end of file diff --git a/modules/rbac/create_license_rules.sh b/modules/rbac/create_license_rules.sh new file mode 100755 index 0000000..ba7b4fb --- /dev/null +++ b/modules/rbac/create_license_rules.sh 
@@ -0,0 +1,28 @@ +#!/bin/bash + +source ./modules/rbac/restui_auth.sh +source ./modules/common/http_check.sh # func_check_http_status +source ./modules/rbac/restui_license_rules.sh # func_restui_create_license_rules + +_controller_url=${1} # hostname + /controller +_user_credentials=${2} # ${username}:${password} +_proxy_details=${3} +_application_name=${4} +_debug=${5} + +echo "| Create auth header and cookie." + +_token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials}" "${_proxy_details}") + +# todo debug mode? +#if [ _debug = true ]; then echo "appd token value is: ${_token_header}"; fi + +echo "| Creating license rule." +# create role +_create_license_rule_response=$(func_restui_create_license_rules "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}") + +echo "| Check if rule created successfully." +_expected_response='"id" :' # returns id with space before : on success +func_check_http_response "\{$_create_license_rule_response}" "${_expected_response}" + +echo "Done" diff --git a/modules/rbac/restui_license_rules.sh b/modules/rbac/restui_license_rules.sh new file mode 100755 index 0000000..559219a --- /dev/null +++ b/modules/rbac/restui_license_rules.sh 
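Review bot: `func_check_http_response "\{$_create_license_rule_response}" "${_expected_response}"` passes the response with a literal `\{` prefix (inside double quotes the backslash is kept), and the success marker `'"id" :'` depends on the exact spacing the controller uses when serialising the rule, so a valid response written as `"id":` would be reported as a failure. Passing `"${_create_license_rule_response}"` and checking structure with `jq -e '.id' <<<"${_create_license_rule_response}" >/dev/null` would be more robust. The commented-out debug line would print `${_token_header}`, the CSRF token, to stdout if re-enabled; if it is kept, print only a marker such as "token obtained".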
@@ -0,0 +1,104 @@ +#!/bin/bash + +source ./modules/common/http_check.sh # func_check_http_status +source ./modules/common/logging.sh # func_log_error_to_file + + +function func_restui_get_license_rules() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + local _application_name=${4} + local _debug=${5} + + local X_CSRF_TOKEN_HEADER=${6} + + if [[ _debug = true ]]; then echo ">> func_restui_get_roles"; fi + + _endpoint_url="/restui/licenseRule/getAllRulesSummary" + _method="GET" + + licenseRulesSummary=$(curl -v -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}") + + echo "${licenseRulesSummary}" +} + +function func_restui_create_license_rules() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + + local _application_name=${4} + local _debug=${5} + + local X_CSRF_TOKEN_HEADER=${6} + + #local _rule_name=${7} + + echo "||Creating license key rule '${_rule_name}'..." + + #if [[ _debug = true ]]; then echo ">> func_restui_create_role_with_default_view_and_view_edit_app_permissions"; fi + + dt=$(date '+%Y-%m-%d_%H-%M-%S') + + _rule_name_placeholder="" + _rule_id_placeholder="" + _rule_key_placeholder="" + + _files_directory="./rbac/restui_license_rules_files" + + _uploaded_path="${_files_directory}/uploaded" + _payload_path="${_uploaded_path}/payload-${dt}.json" + + _payload_header="Content-Type: application/json; charset=utf8" + + _name_prefix="cma" + + # prepare payload + for _json_file in $_files_directory/*.json; do + + _file_name="$(basename -- $_json_file)" + + # Check if folder contains files + [ -f "$_json_file" ] || func_check_http_status 404 "No files found in directory: '"$_files_directory"'. Aborting..." 
+ + _tmp_updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" + + # generate for each file found in directory + _rbac_rnd=$((1 + $RANDOM % 1000)) + _rule_name="${_name_prefix}_rule_${_rbac_rnd}" + echo "INFO|License rule name created '${_rule_name}'" + _rule_id=$(uuidgen) + _rule_key=$(uuidgen) + + echo -e "Processing '${_file_name}' file, creating license rule '${_rule_name}'." + + # replacing license rule name + if grep -q $_rule_name_placeholder ${_json_file}; then + sed -e "s/${_rule_name_placeholder}/${_rule_name}/g" "${_json_file}" > "${_tmp_updated_file_path}" + else + echo -e "WARNING Placeholder value '$_rule_name_placeholder' not found in '${_file_name}'. Value not replaced." + copying=$(cp "${_json_file}" "${_tmp_updated_file_path}") + fi + + # replace rule id and key + sed -e "s/${_rule_id_placeholder}/${_rule_id}/g" -e "s/${_rule_key_placeholder}/${_rule_key}/g" "${_tmp_updated_file_path}" > "${_payload_path}" + + _endpoint_url="/restui/licenseRule/create" + _method="POST" + + response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}") + + # remove temporary files, save only final payload backup + rm ${_uploaded_path}/tmp-* + + echo "${response}" + + done + + + +} + + diff --git a/rbac/restui_license_rules_files/payload_all.json b/rbac/restui_license_rules_files/payload_all.json new file mode 100644 index 0000000..b288f22 --- /dev/null +++ b/rbac/restui_license_rules_files/payload_all.json 
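Review bot: In func_restui_create_license_rules the three placeholders `_rule_name_placeholder`, `_rule_id_placeholder` and `_rule_key_placeholder` are empty strings, so `grep -q ""` matches every file and `sed -e "s//${_rule_name}/g"` runs with an empty regex (GNU sed reports "no previous regular expression", other implementations reuse a prior one), meaning the generated name, id and access key are never written into a template whose `name`, `id` and `access_key` fields are themselves empty; setting the fields directly, `jq --arg n "$_rule_name" --arg i "$_rule_id" --arg k "$_rule_key" '.name=$n | .id=$i | .access_key=$k' "$_json_file" > "$_payload_path"`, removes the placeholder dependency. `if [[ _debug = true ]]` in func_restui_get_license_rules compares the literal word `_debug`, so it never fires; it needs `$_debug`. That function also runs `curl -v -s` unconditionally, and verbose mode prints the request headers, i.e. the `cookie.appd` session cookie and the `X_CSRF_TOKEN_HEADER` value, to stderr on every call; tie `-v` to `_debug` as the other modules do. The final payload kept under `uploaded/payload-${dt}.json` contains the generated `access_key`, which presumably acts as a credential for whatever consumes the rule, so the copy should be removed after the request or written with restrictive permissions (gitignoring the directory, as this patch does, does not protect the local file).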
@@ -0,0 +1,37 @@ +{ + "id": "", + "account_id": "", + "name": "", + "access_key": "", + "constraints": [ + { + "entity_type_id": "com.appdynamics.modules.apm.topology.impl.persistenceapi.model.ApplicationEntity", + "constraint_type": "ALLOW_ALL", + "match_conditions": [] + }, + { + "entity_type_id": "com.appdynamics.modules.apm.topology.impl.persistenceapi.model.MachineEntity", + "constraint_type": "ALLOW_ALL", + "match_conditions": [] + } + ], + "entitlements": [ + { + "license_module_type": "APM", + "number_of_licenses": 0 + }, + { + "license_module_type": "MACHINE_AGENT", + "number_of_licenses": 0 + }, + { + "license_module_type": "SIM_MACHINE_AGENT", + "number_of_licenses": 0 + }, + { + "license_module_type": "NETVIZ", + "number_of_licenses": 0 + } + ], + "enabled": true +} \ No newline at end of file diff --git a/start.sh b/start.sh index 6d7a8b8..3dc2801 100755 --- a/start.sh +++ b/start.sh @@ -66,7 +66,7 @@ _arg_include_database=false _arg_database_name= _arg_include_sim=false -_valid_rbac_actions=("role-saml") # array of valid rbac actions e.g. ("role" "role-saml" "saml") +_valid_rbac_actions=("role-saml" "license-rule") # array of valid rbac actions e.g. ("role" "role-saml" "saml") _arg_rbac_only=false _arg_rbac_action="role-saml" # the only action for now in rbac module is "role-saml" 
@@ -1030,13 +1030,19 @@ case $ec in 1) printf '%s\n' "Command exited with non-zero code"; exit 1;; esac - +### RBAC ### if ([[ $_arg_rbac_only = true ]] && [ $_arg_rbac_action = "role-saml" ]); then echo -e "\n> Running 'RBAC' module" - echo -e ">> Action 'Role and SAML'\n" + echo -e ">> Action 'Create Role and SAML Attach'\n" ./modules/rbac/create_role_with_app_edit_and_attach_to_saml.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" fi +if ([[ $_arg_rbac_only = true ]] && [ $_arg_rbac_action = "license-rule" ]); then + echo -e "\n> Running 'RBAC' module" + echo -e ">> Action 'Create License Rule'\n" + ./modules/rbac/create_license_rules.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" +fi + ### 4 ACTION SUPRESSION ### if [ $_arg_suppress_action = true ]; then echo -e "\n> Running 'Action Supression' module" From ae8a60e34bc7aeeb6469e2482ced9a1f80d89080 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 16:06:42 +0100 Subject: [PATCH 40/54] Bugfix - adding quotes for log message not to get trimmed off; --- config.json | 4 ++-- modules/common/http_check.sh | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/config.json b/config.json index 6087c6a..4dda212 100644 --- a/config.json +++ b/config.json @@ -61,8 +61,8 @@ ], "sensitive_data": [ { - "data_masking": false, - "data_masking_patterns": "configmyapp-prod, https://, -.*8090", + "data_masking": true, + "data_masking_patterns": "-.*8090", "data_masking_strategy": "exact" } ] diff --git a/modules/common/http_check.sh b/modules/common/http_check.sh index c4ca2f8..e963845 100644 --- a/modules/common/http_check.sh +++ b/modules/common/http_check.sh 
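Review bot: The new `license-rule` branch invokes create_license_rules.sh with `"$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name"` as positionals 6 to 8, but that script reads only five (`_controller_url` through `_debug`), and patch 43 later makes positional 6 the license rule name, so the role name would arrive as the rule name unless the call is updated in a part of that patch outside this view. `[ $_arg_rbac_action = "license-rule" ]` leaves the variable unquoted, so an empty `_arg_rbac_action` makes `[` fail with a syntax error instead of evaluating to false; `if [[ "$_arg_rbac_only" == true && "$_arg_rbac_action" == "license-rule" ]]; then` also drops the unnecessary subshell parentheses. The comment on `_arg_rbac_action` ("the only action for now in rbac module is role-saml") in the earlier hunk of this file is now stale.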
@@ -11,8 +11,9 @@ function func_check_http_status() { if [[ $http_code -lt 200 ]] || [[ $http_code -gt 299 ]]; then echo "ERROR $http_code: $message_on_failure" # mask sensitive info (if needed) - message_on_failure=$(func_data_masking "${message_on_failure}") - logged_to_file=$(func_log_error_to_file ${message_on_failure} "ERROR" "$http_code") + message_on_failure=$(func_data_masking "${message_on_failure}" "" "") + logged_to_file=$(func_log_error_to_file "${message_on_failure}" "ERROR" "$http_code") + echo " logged_to_file > ${logged_to_file}" exit 1 fi } @@ -27,8 +28,8 @@ function func_check_http_response(){ else echo "ERROR HTTP response does not contain '$string_success_response_contains'. Check logs for mode detils..." # mask sensitive info (if needed) - http_message_body=$(func_data_masking ${http_message_body}) - logged_to_file=$(func_log_error_to_file ${http_message_body} "ERROR") + http_message_body=$(func_data_masking "${http_message_body}" "" "") + logged_to_file=$(func_log_error_to_file "${http_message_body}" "ERROR") exit 1 fi } From 1f26d8d7d099d11b472a660af7b8a8ce0bd74f3f Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 16:13:33 +0100 Subject: [PATCH 41/54] Bugfix - run failed for non-existing controller; --- .github/workflows/QAConfigMyApp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index 9c73964..f7fe607 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml 
@@ -178,7 +178,7 @@ jobs: CMA_DATA_MASKING_STRATEGY: "exact" run: | echo Running sensitive data masking, env vars - ./start.sh -a Jenkins_API_Demo -c NonExistingControllerSoItLogsError -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} + ./start.sh -a Jenkins_API_Demo -c ${{ secrets.CONTROLLER_HOST }} -p ${{ secrets.CONTROLLER_USERNAME }} -u ${{ secrets.CONTROLLER_PASSWORD }} last_log_line=$(tail -n 1 error.log) echo "Logged: ${last_log_line}" From 9d71e9b4a39d948da42ee4f3fbb4b8099453a270 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 18:13:12 +0100 Subject: [PATCH 42/54] Bugfix - remove echo logged to file; --- modules/common/http_check.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/common/http_check.sh b/modules/common/http_check.sh index e963845..02eb2a4 100644 --- a/modules/common/http_check.sh +++ b/modules/common/http_check.sh @@ -13,7 +13,6 @@ function func_check_http_status() { # mask sensitive info (if needed) message_on_failure=$(func_data_masking "${message_on_failure}" "" "") logged_to_file=$(func_log_error_to_file "${message_on_failure}" "ERROR" "$http_code") - echo " logged_to_file > ${logged_to_file}" exit 1 fi } From be57db8bf5e9b65b1a221f832c65f557e3fca1c6 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 18:53:15 +0100 Subject: [PATCH 43/54] RBAC adding license rule application name as a param; --- config.json | 3 ++- modules/rbac/create_license_rules.sh | 8 ++++---- start.sh | 27 ++++++++++++++++++++++++--- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/config.json b/config.json index 4dda212..b0032c8 100644 --- a/config.json +++ b/config.json @@ -56,7 +56,8 @@ "rbac_action": "role-saml", "rbac_role_name": "", "rbac_role_description": "", - "rbac_saml_group_name": "" + "rbac_saml_group_name": "", + "rbac_license_rule_name": "" } ], "sensitive_data": [ 
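Review bot: `${{ secrets.CONTROLLER_HOST }}`, `CONTROLLER_USERNAME` and `CONTROLLER_PASSWORD` are interpolated straight into the `run:` script line, so the credentials become part of `start.sh`'s argv (visible to `ps` and to any `set -x` tracing inside the script) rather than staying in the environment; mapping them under the step's `env:` and referencing `"$CONTROLLER_PASSWORD"` in the script keeps them off the command line. Now that a reachable controller replaces the deliberately non-existent one, the step's `tail -n 1 error.log` may run against a missing or empty file on a successful run — presumably the previous value existed to force an error for the masking check, so the step may need another way to exercise that path.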
diff --git a/modules/rbac/create_license_rules.sh b/modules/rbac/create_license_rules.sh index ba7b4fb..47becaf 100755 --- a/modules/rbac/create_license_rules.sh +++ b/modules/rbac/create_license_rules.sh @@ -10,6 +10,8 @@ _proxy_details=${3} _application_name=${4} _debug=${5} +_arg_rbac_license_rule_name=${6} + echo "| Create auth header and cookie." _token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials}" "${_proxy_details}") @@ -19,10 +21,8 @@ _token_header=$(func_restui_get_cookie "${_controller_url}" "${_user_credentials echo "| Creating license rule." # create role -_create_license_rule_response=$(func_restui_create_license_rules "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}") +_create_license_rule_response=$(func_restui_create_license_rules "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}" "${_arg_rbac_license_rule_name}") -echo "| Check if rule created successfully." -_expected_response='"id" :' # returns id with space before : on success -func_check_http_response "\{$_create_license_rule_response}" "${_expected_response}" +echo "${_create_license_rule_response}" echo "Done" diff --git a/start.sh b/start.sh index 3dc2801..17c18b7 100755 --- a/start.sh +++ b/start.sh @@ -73,6 +73,7 @@ _arg_rbac_action="role-saml" # the only action for now in rbac module is "role-s _arg_rbac_role_name= _arg_rbac_role_description= _arg_rbac_saml_group_name= +_arg_rbac_license_rule_name= _arg_debug=false @@ -96,8 +97,6 @@ _arg_rbac_only_explicitly_set=false _arg_rbac_action_explicitly_set=false - - print_help() { printf '%s\n' "ConfigMyApp - Self-service configuration tool." 
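Review bot: The `# create role` comment above `_create_license_rule_response=$(func_restui_create_license_rules …)` is stale and should read `# create license rule(s)`. With `func_check_http_response` removed here, the script now echoes the raw response and prints `Done` regardless of outcome, so a failed create leaves the caller with exit status 0 and no success signal at this commit (the next patch in the series adds a check inside the called function, not here). The new `_arg_rbac_license_rule_name=${6}` keeps the `_arg_` prefix while the sibling parameters are named `_application_name`, `_debug`; `_license_rule_name=${6}` would match the file's convention.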
@@ -160,6 +159,7 @@ print_help() printf '\t%s\n' "--rbac-role-name: RBAC role name (auto-generated by default)" printf '\t%s\n' "--rbac-role-description: RBAC role description, not mandatory (no default)" printf '\t%s\n' "--rbac-saml-group-name: RBAC SAML group name (auto-generated by default)" + printf '\t%s\n' "--rbac-license-rule-name: License rule name (auto-generated by default)" printf '%s\n' "Help options:" printf '\t%s\n' "-h, --help: Prints help" @@ -452,6 +452,14 @@ parse_commandline() --rbac-saml-group-name=*) _arg_rbac_saml_group_name="${_key##--rbac-saml-group-name=}" ;; + --rbac-license-rule-name) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_rbac_license_rule_name="$2" + shift + ;; + --rbac-license-rule-name=*) + _arg_rbac_license_rule_name="${_key##--rbac-license-rule-name=}" + ;; -h|--help) print_help exit 0 @@ -698,6 +706,9 @@ fi if ([ -z "${_arg_rbac_saml_group_name// }" ] && [ ! -z "${CMA_RBAC_SAML_GROUP_NAME// }" ]); then _arg_rbac_saml_group_name=${CMA_RBAC_SAML_GROUP_NAME} fi +if ([ -z "${_arg_rbac_license_rule_name// }" ] && [ ! -z "${CMA_RBAC_LICENSE_RULE_NAME// }" ]); then + _arg_rbac_saml_group_name=${CMA_RBAC_LICENSE_RULE_NAME} +fi # 1.3 If value not set replace with configuration file values conf_file="config.json" @@ -834,6 +845,9 @@ fi if [[ -z "${_arg_rbac_saml_group_name// }" ]]; then _arg_rbac_saml_group_name=$(jq -r '.rbac[].rbac_saml_group_name' <${conf_file}) fi +if [[ -z "${_arg_rbac_license_rule_name// }" ]]; then + _arg_rbac_license_rule_name=$(jq -r '.rbac[].rbac_license_rule_name' <${conf_file}) +fi ### 2 VALIDATE ### @@ -895,6 +909,7 @@ if [ $_arg_debug = true ]; then echo "Value of --rbac-role-name: $_arg_rbac_role_name" echo "Value of --rbac-role-description: $_arg_rbac_role_description" echo "Value of --rbac-saml-group-name: $_arg_rbac_saml_group_name" + echo "Value of --rbac-license-rule-name: $_arg_rbac_license_rule_name" fi 
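Review bot: The environment-variable fallback assigns `_arg_rbac_saml_group_name=${CMA_RBAC_LICENSE_RULE_NAME}` instead of `_arg_rbac_license_rule_name`, so setting the new env var silently overwrites the SAML group name while the rule name stays empty (patch 50 in this series corrects it). The line should be `_arg_rbac_license_rule_name=${CMA_RBAC_LICENSE_RULE_NAME}`.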
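Review bot: `jq -r '.rbac[].rbac_license_rule_name'` prints the literal string `null` when the key is absent from an older config.json, and `null` is non-empty, so the later `-z` default check never generates a name and `null` would be used as the rule-name prefix. `jq -r '.rbac[].rbac_license_rule_name // ""'` keeps the empty-string behaviour the defaulting code expects; the same applies to the existing `rbac_*` lookups above it, which are outside this hunk.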
@@ -1001,6 +1016,12 @@ if [ $_arg_rbac_only = true ]; then _arg_rbac_role_name="${_rbac_prefix}_role_${_arg_application_name}_${_rbac_rnd}" echo "DEF|Default RBAC role name created '${_arg_rbac_role_name}'" fi + + if [ -z "${_arg_rbac_license_rule_name// }" ]; then + _arg_rbac_license_rule_name="${_rbac_prefix}_rule" # more than one rule can be uploaded during a single run, rand added in module + echo "DEF|License rule name created '${_arg_rbac_license_rule_name}'" + fi + fi ## VALIDATIONS [prereqs] @@ -1040,7 +1061,7 @@ fi if ([[ $_arg_rbac_only = true ]] && [ $_arg_rbac_action = "license-rule" ]); then echo -e "\n> Running 'RBAC' module" echo -e ">> Action 'Create License Rule'\n" - ./modules/rbac/create_license_rules.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_role_name" "$_arg_rbac_role_description" "$_arg_rbac_saml_group_name" + ./modules/rbac/create_license_rules.sh "$_arg_controller_url" "$_arg_user_credentials" "$_arg_proxy_details" "$_arg_application_name" "$_arg_debug" "$_arg_rbac_license_rule_name" fi ### 4 ACTION SUPRESSION ### From dce7236a03044aaea45bf6b5c40d753dc8d2a76b Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 18:54:15 +0100 Subject: [PATCH 44/54] RBAc enable license rule based on application guid passed in payload; --- modules/rbac/restui_applications.sh | 33 +++++++++++++ modules/rbac/restui_license_rules.sh | 49 ++++++++++++++----- .../payload_app_server_constraint.json | 49 +++++++++++++++++++ 3 files changed, 118 insertions(+), 13 deletions(-) create mode 100755 modules/rbac/restui_applications.sh create mode 100644 rbac/restui_license_rules_files/payload_app_server_constraint.json diff --git a/modules/rbac/restui_applications.sh b/modules/rbac/restui_applications.sh new file mode 100755 index 0000000..493e0ba --- /dev/null +++ b/modules/rbac/restui_applications.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash + +source ./modules/common/application.sh #func_get_application_id + +function func_restui_get_application_guid() { + local _controller_url=${1} # hostname + /controller + local _user_credentials=${2} # ${username}:${password} + local _proxy_details=${3} + local _application_name=${4} + # no application name needed + local _debug=${5} + + local X_CSRF_TOKEN_HEADER=${6} + + _endpoint_url="/restui/licenseRule/getAllApplications" + _method="GET" + + allApplications=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -X ${_method} "${_controller_url}${_endpoint_url}" ${_proxy_details}) + + # Select by name + applicationObject=$(jq --arg appName "$_application_name" '.[] | select(.name == $appName)' <<<$allApplications) + + if [ "$applicationObject" = "" ]; then + echo "" + exit 0 + fi + + appGuid=$(jq '.objectReference.id' <<<$applicationObject) + + echo "${appGuid}" + +} + diff --git a/modules/rbac/restui_license_rules.sh b/modules/rbac/restui_license_rules.sh index 559219a..72bc555 100755 --- a/modules/rbac/restui_license_rules.sh +++ b/modules/rbac/restui_license_rules.sh @@ -2,7 +2,7 @@ source ./modules/common/http_check.sh # func_check_http_status source ./modules/common/logging.sh # func_log_error_to_file - +source ./modules/rbac/restui_applications.sh # func_restui_get_application_guid function func_restui_get_license_rules() { local _controller_url=${1} # hostname + /controller @@ -34,9 +34,7 @@ function func_restui_create_license_rules() { local X_CSRF_TOKEN_HEADER=${6} - #local _rule_name=${7} - - echo "||Creating license key rule '${_rule_name}'..." + local _rule_name=${7} #if [[ _debug = true ]]; then echo ">> func_restui_create_role_with_default_view_and_view_edit_app_permissions"; fi @@ -45,6 +43,7 @@ function func_restui_create_license_rules() { _rule_name_placeholder="" _rule_id_placeholder="" _rule_key_placeholder="" + _application_name_placeholder="" _files_directory="./rbac/restui_license_rules_files" 
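Review bot: `exit 0` inside `func_restui_get_application_guid` terminates whatever shell calls the function; it only behaves as "return empty" because the caller happens to invoke it through `$( … )`, and a direct call from a sourcing script would kill that script — `echo ""; return 0` expresses the intent. `_endpoint_url`, `_method`, `allApplications`, `applicationObject` and `appGuid` are not declared `local`, so they leak into the caller's scope, and the `# no application name needed` comment contradicts the `_application_name=${4}` that the `jq --arg appName` filter (correctly parameterised) depends on. `jq -r '.objectReference.id'` would return the id without quotes and remove the `tr -d '"'` the caller performs; `<<<$allApplications` should be `<<<"$allApplications"`.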
@@ -53,8 +52,6 @@ function func_restui_create_license_rules() { _payload_header="Content-Type: application/json; charset=utf8" - _name_prefix="cma" - # prepare payload for _json_file in $_files_directory/*.json; do 
@@ -64,37 +61,63 @@ function func_restui_create_license_rules() { [ -f "$_json_file" ] || func_check_http_status 404 "No files found in directory: '"$_files_directory"'. Aborting..." _tmp_updated_file_path="${_uploaded_path}/tmp-${_file_name}-${dt}" + _tmp_updated_file_path_final="${_uploaded_path}/tmp-fin-${_file_name}-${dt}" # generate for each file found in directory _rbac_rnd=$((1 + $RANDOM % 1000)) - _rule_name="${_name_prefix}_rule_${_rbac_rnd}" - echo "INFO|License rule name created '${_rule_name}'" + _rule_name="${_rule_name}-${_rbac_rnd}" _rule_id=$(uuidgen) _rule_key=$(uuidgen) - echo -e "Processing '${_file_name}' file, creating license rule '${_rule_name}'." + echo -e "|| Processing '${_file_name}' file, creating license rule '${_rule_name}'." # replacing license rule name if grep -q $_rule_name_placeholder ${_json_file}; then sed -e "s/${_rule_name_placeholder}/${_rule_name}/g" "${_json_file}" > "${_tmp_updated_file_path}" else - echo -e "WARNING Placeholder value '$_rule_name_placeholder' not found in '${_file_name}'. Value not replaced." + echo -e "|| WARNING Placeholder value '$_rule_name_placeholder' not found in '${_file_name}'. Value not replaced." copying=$(cp "${_json_file}" "${_tmp_updated_file_path}") fi + # replacing application name (if exists) + if grep -q $_application_name_placeholder ${_json_file}; then + # get application guid + application_guid=$(func_restui_get_application_guid "${_controller_url}" "${_user_credentials}" "${_proxy_details}" "${_application_name}" "${_debug}" "${_token_header}") + + application_guid=$(echo $application_guid | tr -d '"') + + if [[ ! -z "${application_guid// }" ]]; then + sed -e "s/${_application_name_placeholder}/${application_guid}/g" "${_tmp_updated_file_path}" > "${_tmp_updated_file_path_final}" + else + echo -e "|| WARNING GUID value for placeholder '$_application_name_placeholder' not found. Value not replaced." 
+ _tmp_updated_file_path_final="${_tmp_updated_file_path}" + fi + else + echo -e "|| WARNING Placeholder value '$_application_name_placeholder' not found in '${_file_name}'. Value not replaced." + _tmp_updated_file_path_final="${_tmp_updated_file_path}" + fi + # replace rule id and key - sed -e "s/${_rule_id_placeholder}/${_rule_id}/g" -e "s/${_rule_key_placeholder}/${_rule_key}/g" "${_tmp_updated_file_path}" > "${_payload_path}" + sed -e "s/${_rule_id_placeholder}/${_rule_id}/g" -e "s/${_rule_key_placeholder}/${_rule_key}/g" "${_tmp_updated_file_path_final}" > "${_payload_path}" _endpoint_url="/restui/licenseRule/create" _method="POST" response=$(curl -s -b cookie.appd -H "$X_CSRF_TOKEN_HEADER" -H "${_payload_header}" -X ${_method} --data "@${_payload_path}" "${_controller_url}${_endpoint_url}") + #echo "RESPONSE >>>>> $response" + + echo "| Check if rule created successfully." + _expected_response='"id" :' # returns id with space before : on success + func_check_http_response "\{$response}" "${_expected_response}" + + license_name=$(jq '.name' <<<$response) + + echo -e "|License rule '${license_name}' created. \n" + # remove temporary files, save only final payload backup rm ${_uploaded_path}/tmp-* - echo "${response}" - done diff --git a/rbac/restui_license_rules_files/payload_app_server_constraint.json b/rbac/restui_license_rules_files/payload_app_server_constraint.json new file mode 100644 index 0000000..58bde3a --- /dev/null +++ b/rbac/restui_license_rules_files/payload_app_server_constraint.json 
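Review bot: `_rule_name` (derived from the user-supplied `--rbac-license-rule-name`) and `application_guid` are spliced into `sed -e "s/…/${_rule_name}/g"` expressions, so a `/`, `&` or `\` in the rule name breaks or alters the substitution; since the payload is JSON, `jq --arg name "$_rule_name" '.name = $name'` (or at least escaping sed metacharacters) is the safer templating step. `func_check_http_response "\{$response}" "${_expected_response}"` passes the body with a literal `\{` prefix, which looks like a typo for `"${response}"` carried over from the caller this series removed. `grep -q $_application_name_placeholder ${_json_file}` leaves both the pattern and the path unquoted, and an empty placeholder would match every file — the placeholder values appear empty in this view, possibly an extraction artefact, so confirm against the source. The `for _json_file` loop and the enclosing function begin outside this hunk.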
@@ -0,0 +1,49 @@ +{ + "id": "", + "account_id": "", + "name": "", + "access_key": "", + "constraints": [ + { + "entity_type_id": "com.appdynamics.modules.apm.topology.impl.persistenceapi.model.ApplicationEntity", + "constraint_type": "ALLOW_SELECTED", + "match_conditions": [ + { + "match_type": "EQUALS", + "attribute_type": "ID", + "match_string": "" + } + ] + }, + { + "entity_type_id": "com.appdynamics.modules.apm.topology.impl.persistenceapi.model.MachineEntity", + "constraint_type": "ALLOW_SELECTED", + "match_conditions": [ + { + "match_type": "CONTAINS", + "attribute_type": "UNIQUE_HOST_ID", + "match_string": "team-pluto" + } + ] + } + ], + "entitlements": [ + { + "license_module_type": "APM", + "number_of_licenses": 0 + }, + { + "license_module_type": "MACHINE_AGENT", + "number_of_licenses": 0 + }, + { + "license_module_type": "SIM_MACHINE_AGENT", + "number_of_licenses": 0 + }, + { + "license_module_type": "NETVIZ", + "number_of_licenses": 0 + } + ], + "enabled": true +} \ No newline at end of file From 240d4da9b237274d25fdce5a2b50370ff5a0d0b3 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 19:08:01 +0100 Subject: [PATCH 45/54] RBAC license rue name - common prefix and file number; --- modules/rbac/restui_license_rules.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/rbac/restui_license_rules.sh b/modules/rbac/restui_license_rules.sh index 72bc555..5fe222e 100755 --- a/modules/rbac/restui_license_rules.sh +++ b/modules/rbac/restui_license_rules.sh @@ -34,7 +34,7 @@ function func_restui_create_license_rules() { local X_CSRF_TOKEN_HEADER=${6} - local _rule_name=${7} + local _license_rule_name=${7} #if [[ _debug = true ]]; then echo ">> func_restui_create_role_with_default_view_and_view_edit_app_permissions"; fi 
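Review bot: The MachineEntity constraint in this template is pinned to `"match_string": "team-pluto"`, an environment-specific host id hard-coded into what the create loop treats as a generic payload under `rbac/restui_license_rules_files/`, so every run would produce a rule scoped to that host. JSON carries no comments, so the placeholder convention (`id`, `account_id`, `name`, `access_key` and the application `match_string` all appear as empty strings here) and any site-specific values should be documented in the module's README, or the machine constraint templated the same way the application id is.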
@@ -52,6 +52,10 @@ function func_restui_create_license_rules() { _payload_header="Content-Type: application/json; charset=utf8" + _rbac_rnd=$((1 + $RANDOM % 1000)) + + itt=1 + # prepare payload for _json_file in $_files_directory/*.json; do @@ -64,8 +68,7 @@ function func_restui_create_license_rules() { _tmp_updated_file_path_final="${_uploaded_path}/tmp-fin-${_file_name}-${dt}" # generate for each file found in directory - _rbac_rnd=$((1 + $RANDOM % 1000)) - _rule_name="${_rule_name}-${_rbac_rnd}" + _rule_name="${_license_rule_name}-${_rbac_rnd}-${itt}" _rule_id=$(uuidgen) _rule_key=$(uuidgen) @@ -118,6 +121,9 @@ function func_restui_create_license_rules() { # remove temporary files, save only final payload backup rm ${_uploaded_path}/tmp-* + _rule_name="${_license_rule_name}" + itt=$((itt + 1)) + done From 57fbf21e3570e9f3cc30100eb500d0730aba775c Mon Sep 17 00:00:00 2001 From: alex_jov Date: Fri, 9 Apr 2021 19:08:43 +0100 Subject: [PATCH 46/54] RBAC remove feature branch from git ci; --- .github/workflows/QAConfigMyApp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/QAConfigMyApp.yml b/.github/workflows/QAConfigMyApp.yml index f7fe607..051840d 100644 --- a/.github/workflows/QAConfigMyApp.yml +++ b/.github/workflows/QAConfigMyApp.yml @@ -5,7 +5,7 @@ name: ConfigMyAppCI # Controls when the action will run. Triggers the workflow on push or pull request on: push: - branches: [ master, develop, features/rbac ] + branches: [ master, develop ] pull_request: branches: [ master, develop ] From a6ccd420247c9be64dff763f48ec17a26e6971ed Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 13 Apr 2021 10:07:55 +0100 Subject: [PATCH 47/54] retrigger checks From 2586814cecff3c56452ee04a89db79232c7184ba Mon Sep 17 00:00:00 2001 
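Review bot: `itt` is assigned without `local` and leaks out of `func_restui_create_license_rules`, and the name says nothing; `local _file_index=1` would read better. The `_rule_name="${_license_rule_name}"` reset added at the end of the loop body is redundant, because `_rule_name="${_license_rule_name}-${_rbac_rnd}-${itt}"` at the top of the next iteration overwrites it anyway. Uniqueness of the generated names now rests on one `$RANDOM % 1000` draw per run plus the file index, so repeated runs with the same `--rbac-license-rule-name` can collide; if the controller rejects duplicate names that is worth a comment, since the response check is the only thing that would surface it.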
From: alex_jov Date: Tue, 13 Apr 2021 12:52:43 +0100 Subject: [PATCH 48/54] RBAC license - update payload file - allow all machines, limit applications only; rename to payload_app.json; --- ...oad_app_server_constraint.json => payload_app.json} | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) rename rbac/restui_license_rules_files/{payload_app_server_constraint.json => payload_app.json} (82%) diff --git a/rbac/restui_license_rules_files/payload_app_server_constraint.json b/rbac/restui_license_rules_files/payload_app.json similarity index 82% rename from rbac/restui_license_rules_files/payload_app_server_constraint.json rename to rbac/restui_license_rules_files/payload_app.json index 58bde3a..1547047 100644 --- a/rbac/restui_license_rules_files/payload_app_server_constraint.json +++ b/rbac/restui_license_rules_files/payload_app.json @@ -17,14 +17,8 @@ }, { "entity_type_id": "com.appdynamics.modules.apm.topology.impl.persistenceapi.model.MachineEntity", - "constraint_type": "ALLOW_SELECTED", - "match_conditions": [ - { - "match_type": "CONTAINS", - "attribute_type": "UNIQUE_HOST_ID", - "match_string": "team-pluto" - } - ] + "constraint_type": "ALLOW_ALL", + "match_conditions": [] } ], "entitlements": [ From afd4bad6e92f233a8d82734d5698ca08cf0479c4 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Tue, 13 Apr 2021 13:00:03 +0100 Subject: [PATCH 49/54] retrigger checks From b3b62140f508ecc63bc7e45b0f9e0d08dc048be3 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 14 Apr 2021 11:28:07 +0100 Subject: [PATCH 50/54] bugfix license rule name not set from env variable; --- start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/start.sh b/start.sh index 17c18b7..0c5f373 100755 --- a/start.sh +++ b/start.sh 
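Review bot: With `"constraint_type": "ALLOW_ALL"` and empty `match_conditions` for MachineEntity, a rule built from this template presumably entitles every machine agent in the account while still limiting APM to the selected application, and the new file name `payload_app.json` no longer signals that scope. The README for the license-rule module should state what an access key produced from this payload is permitted to do, since the JSON cannot carry that note itself.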
@@ -707,7 +707,7 @@ if ([ -z "${_arg_rbac_saml_group_name// }" ] && [ ! -z "${CMA_RBAC_SAML_GROUP_NA _arg_rbac_saml_group_name=${CMA_RBAC_SAML_GROUP_NAME} fi if ([ -z "${_arg_rbac_license_rule_name// }" ] && [ ! -z "${CMA_RBAC_LICENSE_RULE_NAME// }" ]); then - _arg_rbac_saml_group_name=${CMA_RBAC_LICENSE_RULE_NAME} + _arg_rbac_license_rule_name=${CMA_RBAC_LICENSE_RULE_NAME} fi # 1.3 If value not set replace with configuration file values From d3fc3d53b2870bb01919c915dfafb22295c690ac Mon Sep 17 00:00:00 2001 From: alex_jov Date: Wed, 14 Apr 2021 11:35:47 +0100 Subject: [PATCH 51/54] Add temp files creation; --- modules/rbac/restui_license_rules.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/rbac/restui_license_rules.sh b/modules/rbac/restui_license_rules.sh index 5fe222e..3b8dd3c 100755 --- a/modules/rbac/restui_license_rules.sh +++ b/modules/rbac/restui_license_rules.sh @@ -76,6 +76,7 @@ function func_restui_create_license_rules() { # replacing license rule name if grep -q $_rule_name_placeholder ${_json_file}; then + touch "${_tmp_updated_file_path}" sed -e "s/${_rule_name_placeholder}/${_rule_name}/g" "${_json_file}" > "${_tmp_updated_file_path}" else echo -e "|| WARNING Placeholder value '$_rule_name_placeholder' not found in '${_file_name}'. Value not replaced." @@ -101,6 +102,7 @@ function func_restui_create_license_rules() { fi # replace rule id and key + touch "${_payload_path}" sed -e "s/${_rule_id_placeholder}/${_rule_id}/g" -e "s/${_rule_key_placeholder}/${_rule_key}/g" "${_tmp_updated_file_path_final}" > "${_payload_path}" _endpoint_url="/restui/licenseRule/create" From 32367a9d41697ddd2654b0c72ea09962747a3246 Mon Sep 17 00:00:00 2001 
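Review bot: `touch "${_tmp_updated_file_path}"` (and `touch "${_payload_path}"` in the second hunk) adds nothing: the `>` redirection on the following line already creates the file, and `touch` fails for the same reason `sed … >` would — a missing parent directory. If the failure being fixed is the absent `uploaded/` directory (patch 52 adds a `.gitkeep` there), `mkdir -p "${_uploaded_path}"` once before the `for` loop is the fix; the loop and `_uploaded_path` are defined outside this hunk.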
From: alex_jov Date: Wed, 14 Apr 2021 11:40:53 +0100 Subject: [PATCH 52/54] Update gitignore to ignore uploaded json files; Add licene_rules uploaded dir gitkeep; --- .gitignore | 6 +++--- rbac/restui_license_rules_files/uploaded/.gitkeep | 0 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 rbac/restui_license_rules_files/uploaded/.gitkeep diff --git a/.gitignore b/.gitignore index a787ad3..21d8d12 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,6 @@ api_actions/actions/*.json* custom_dashboards/*.json* custom_dashboards/uploaded/*.json* cookie.appd -rbac/restui_role_files/uploaded/* -rbac/restui_saml_files/uploaded/* -rbac/restui_license_rules_files/uploaded/* \ No newline at end of file +rbac/restui_role_files/uploaded/*.json +rbac/restui_saml_files/uploaded/*.json +rbac/restui_license_rules_files/uploaded/*.json \ No newline at end of file diff --git a/rbac/restui_license_rules_files/uploaded/.gitkeep b/rbac/restui_license_rules_files/uploaded/.gitkeep new file mode 100644 index 0000000..e69de29 From 5a2eda971d6a8ee8da9e0faa0620326462638c50 Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 19 Apr 2021 12:35:36 +0100 Subject: [PATCH 53/54] retrigger checks From 57a28ff384a140c0bd43b23fcc6b8a75ff17b88d Mon Sep 17 00:00:00 2001 From: alex_jov Date: Mon, 19 Apr 2021 13:30:14 +0100 Subject: [PATCH 54/54] retrigger checks
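Review bot: Narrowing the ignore rules from `uploaded/*` to `uploaded/*.json` un-ignores the intermediate files the license-rule module writes there, `tmp-<file>-<dt>` and `tmp-fin-<file>-<dt>`, whose names do not end in `.json`. They are removed by `rm ${_uploaded_path}/tmp-*` only after a successful create, and `func_check_http_status`/`func_check_http_response` call `exit 1` before that point, so an aborted run leaves rendered payloads — containing the generated `access_key` — as untracked files that `git add .` would pick up. Keeping `uploaded/*` and adding a `!rbac/restui_license_rules_files/uploaded/.gitkeep` exception preserves the directory without that exposure.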