Feat/risk assessment (#26)

* feat: add hardcoded user role environment var
* feat: add role finder script
* feat: update packages
* feat: basic validation of intention actions
* feat: action auth auditing

helm/broker-app/Chart.yaml

@@ -20,4 +20,4 @@ version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.3.0"
+appVersion: "1.4.0"

helm/broker-app/templates/deploymentconfig.yaml

@@ -87,6 +87,21 @@ spec:{{- if .Values.vault.agent.enabled }}
                 secretKeyRef:
                   name: nr-broker-basic-creds
                   key: password
+            - name: USER_ADMIN
+              valueFrom:
+                secretKeyRef:
+                  name: nr-broker-user-roles
+                  key: admin
+            - name: USER_DBA
+              valueFrom:
+                secretKeyRef:
+                  name: nr-broker-user-roles
+                  key: dba
+            - name: USER_DEVELOPER
+              valueFrom:
+                secretKeyRef:
+                  name: nr-broker-user-roles
+                  key: developer
             - name: NO_COLOR
               value: "true"
           ports:

nest-cli.json

@@ -1,5 +1,15 @@
 {
   "$schema": "https://json.schemastore.org/nest-cli",
   "collection": "@nestjs/schematics",
-  "sourceRoot": "src"
+  "sourceRoot": "src",
+  "compilerOptions": {
+    "plugins": [
+      {
+        "name": "@nestjs/swagger",
+        "options": {
+          "introspectComments": true
+        }
+      }
+    ]
+  }
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nr-broker",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "",
   "author": "",
   "private": true,
@@ -21,14 +21,14 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
-    "@aws-sdk/client-kinesis": "^3.179.0",
+    "@aws-sdk/client-kinesis": "^3.186.0",
     "@nestjs/axios": "^0.1.0",
-    "@nestjs/common": "^9.1.2",
+    "@nestjs/common": "^9.1.4",
     "@nestjs/config": "^2.2.0",
-    "@nestjs/core": "^9.1.2",
+    "@nestjs/core": "^9.1.4",
     "@nestjs/jwt": "^9.0.0",
     "@nestjs/passport": "^9.0.0",
-    "@nestjs/platform-express": "^9.1.2",
+    "@nestjs/platform-express": "^9.1.4",
     "@nestjs/schedule": "^2.1.0",
     "@nestjs/swagger": "^6.1.2",
     "@nestjs/terminus": "^9.1.2",
@@ -46,32 +46,32 @@
     "uuid": "^9.0.0"
   },
   "devDependencies": {
-    "@nestjs/cli": "^9.1.3",
+    "@nestjs/cli": "^9.1.4",
     "@nestjs/schematics": "^9.0.3",
-    "@nestjs/testing": "^9.1.2",
+    "@nestjs/testing": "^9.1.4",
     "@types/cron": "^2.0.0",
     "@types/express": "^4.17.14",
-    "@types/jest": "^29.0.3",
+    "@types/jest": "^29.1.2",
     "@types/lodash.merge": "^4.6.7",
-    "@types/node": "^16.11.62",
+    "@types/node": "^16.11.65",
     "@types/passport": "^1.0.11",
     "@types/passport-http": "^0.3.9",
     "@types/supertest": "^2.0.11",
     "@types/uuid": "^8.3.4",
-    "@typescript-eslint/eslint-plugin": "^5.38.1",
-    "@typescript-eslint/parser": "^5.38.1",
-    "eslint": "^8.24.0",
+    "@typescript-eslint/eslint-plugin": "^5.40.0",
+    "@typescript-eslint/parser": "^5.40.0",
+    "eslint": "^8.25.0",
     "eslint-config-prettier": "^8.3.0",
     "eslint-plugin-prettier": "^4.0.0",
-    "jest": "^29.0.3",
+    "jest": "^29.1.2",
     "prettier": "^2.3.2",
     "source-map-support": "^0.5.20",
-    "supertest": "^6.1.3",
-    "ts-jest": "^29.0.2",
+    "supertest": "^6.3.0",
+    "ts-jest": "^29.0.3",
     "ts-loader": "^9.4.1",
     "ts-node": "^10.0.0",
     "tsconfig-paths": "^4.1.0",
-    "typescript": "^4.3.5"
+    "typescript": "^4.8.4"
   },
   "jest": {
     "moduleFileExtensions": [

scripts/provision-db-demo.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+cd "${0%/*}"
+
+INSTALL_VERSION="12.0.3"
+
+echo "===> Intention open"
+# Open intention
+RESPONSE=$(curl -s -X POST $BROKER_URL/v1/intention/open \
+    -H 'Content-Type: application/json' \
+    -u "$BASIC_HTTP_USER:$BASIC_HTTP_PASSWORD" \
+    -d @<(cat provision-db-intention.json | \
+        jq ".event.url=\"http://sample.com/job\" \
+        " \
+    ))
+echo "$BROKER_URL/v1/intention/open:"
+echo $RESPONSE | jq '.'
+if [ "$(echo $RESPONSE | jq '.error')" != "null" ]; then
+    echo "Exit: Error detected"
+    exit 0
+fi
+
+# Save intention token for later
+INTENTION_TOKEN=$(echo $RESPONSE | jq -r '.token')
+# echo "Hashed transaction.id: $(echo -n $INTENTION_TOKEN | shasum -a 256)"
+
+echo "===> DB provision"
+
+# Get token for provisioning a db access
+DB_INTENTION_TOKEN=$(echo $RESPONSE | jq -r '.actions.database.token')
+echo "DB_INTENTION_TOKEN: $DB_INTENTION_TOKEN"
+
+# Get secret id for db access
+JENKINS_VAULT_TOKEN=$(curl -s -X POST $BROKER_URL/v1/provision/token/self -H 'X-Broker-Token: '"$DB_INTENTION_TOKEN"'' -H 'X-Vault-Role-Id: '"$PROVISION_ROLE_ID"'')
+echo "$BROKER_URL/v1/provision/token/self:"
+echo $JENKINS_VAULT_TOKEN | jq '.'
+
+# Not shown: Use Vault Token to access database
+
+echo "===> Intention close"
+
+# Use saved intention token to close intention
+curl -s -X POST $BROKER_URL/v1/intention/close -H 'X-Broker-Token: '"$INTENTION_TOKEN"''

scripts/provision-db-intention.json

@@ -0,0 +1,22 @@
+{
+  "event": {
+    "provider": "db-demo",
+    "reason": "Job triggered",
+    "url": "JOB_URL"
+  },
+  "actions": [
+    {
+      "action": "database-access",
+      "id": "database",
+      "provision": ["token/self"],
+      "service": {
+        "name": "fluent-bit",
+        "project": "fluent",
+        "environment": "production"
+      }
+    }
+  ],
+  "user": {
+    "id": "mbystedt@idir"
+  }
+}

scripts/provision-fluentbit-demo.sh

@@ -17,6 +17,10 @@ RESPONSE=$(curl -s -X POST $BROKER_URL/v1/intention/open \
     ))
 echo "$BROKER_URL/v1/intention/open:"
 echo $RESPONSE | jq '.'
+if [ "$(echo $RESPONSE | jq '.error')" != "null" ]; then
+    echo "Exit: Error detected"
+    exit 0
+fi
 
 # Save intention token for later
 INTENTION_TOKEN=$(echo $RESPONSE | jq -r '.token')

scripts/role-finder.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# ./role-finder.sh prod fluent fluent-bit
+#  $1: vault environment
+#  $2: project name
+#  $3: service name
+
+if [ -z "$1" ]
+  then
+    echo "No environment supplied"
+fi
+
+if [ -n "$1" ]
+  then
+  VAULT_ADDR="https://vault-iit-$1.apps.silver.devops.gov.bc.ca"
+  if [ "prod" = $1 ]
+  then
+    VAULT_ADDR="https://vault-iit.apps.silver.devops.gov.bc.ca"
+  fi
+  VAULT_TOKEN=$(VAULT_ADDR=$VAULT_ADDR vault login -method=oidc -format json -no-store | jq -r '.auth.client_token')
+  DEV_ROLE_ID= $(VAULT_ADDR=$VAULT_ADDR VAULT_TOKEN=$VAULT_TOKEN vault read -format json auth/vs_apps_approle/role/$2_$3_dev/role-id 2> /dev/null | jq -r '.data.role_id')
+  TEST_ROLE_ID=$(VAULT_ADDR=$VAULT_ADDR VAULT_TOKEN=$VAULT_TOKEN vault read -format json auth/vs_apps_approle/role/$2_$3_test/role-id 2> /dev/null | jq -r '.data.role_id')
+  PROD_ROLE_ID=$(VAULT_ADDR=$VAULT_ADDR VAULT_TOKEN=$VAULT_TOKEN vault read -format json auth/vs_apps_approle/role/$2_$3_prod/role-id 2> /dev/null | jq -r '.data.role_id')
+
+  echo "$2 : $3 - Role Id"
+  echo "dev: $DEV_ROLE_ID"
+  echo "test: $TEST_ROLE_ID"
+  echo "prod: $PROD_ROLE_ID"
+  VAULT_WRAP_JSON=$(echo "{\"app\": \"$2 : $3\", \"dev\": \"$DEV_ROLE_ID\", \"test\": \"$TEST_ROLE_ID\", \"prod\": \"$PROD_ROLE_ID\"}" | \
+    VAULT_ADDR=$VAULT_ADDR VAULT_TOKEN=$VAULT_TOKEN vault write -format json /sys/wrapping/wrap -)
+  echo $VAULT_WRAP_JSON | jq '.'
+fi

scripts/setenv-backend-dev.sh

@@ -28,3 +28,7 @@ fi
 
 export HTTP_BASIC_USER=myusername
 export HTTP_BASIC_PASS=password123
+
+export USER_ADMIN=mbystedt@idir
+export USER_DBA=dba@idir
+export USER_DEVELOPER=dev1@idir,dev2@idir