Make onboarder working on the cloud (hopefully)

imperva · Oct 27, 2022 · 0e92de8 · 0e92de8
1 parent 3c6d87b
commit 0e92de8
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 27 deletions.
diff --git a/deploy/examples/se_demo/main.tf b/deploy/examples/se_demo/main.tf
@@ -155,15 +155,15 @@ module "gw_attachments" {
   ]
 }
 
-# module "db_onboarding" {
-#   count = 1
-#   source = "../../modules/db_onboarding"
-#   hub_address = module.hub.public_address
-#   hub_ssh_key_path = resource.local_sensitive_file.dsf_ssh_key_file.filename
-#   assignee_gw = module.hub_install.jsonar_uid
-# }
+module "db_onboarding" {
+  count = 1
+  source = "../../modules/db_onboarding"
+  hub_address = module.hub.public_address
+  hub_ssh_key_path = resource.local_sensitive_file.dsf_ssh_key_file.filename
+  assignee_gw = module.hub_install.jsonar_uid
+}
 
-# output "db_details" {
-#   value = module.db_onboarding
-#   sensitive = true
-# }
+output "db_details" {
+  value = module.db_onboarding
+  sensitive = true
+}
diff --git a/deploy/modules/db_onboarding/artifacts/generate_token.sh b/deploy/modules/db_onboarding/artifacts/generate_token.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+client_id="terraform-automation"
+reason="Token autogenerated by terraform"
+
+# Generate access token to hub
+sudo curl -w '\n' \
+    --cacert $JSONAR_LOCALDIR/ssl/ca/ca.cert.pem \
+    --cert $JSONAR_LOCALDIR/ssl/client/admin/cert.pem \
+    --key $JSONAR_LOCALDIR/ssl/client/admin/key.pem \
+    -X POST 'https://localhost:27920/tokens' \
+    -H 'Content-type: application/json' \
+    -d '{"client_id":"'$client_id'","user":"admin","reason":"'"$reason"'","grants":["usc:access"]}' | cut -d\" -f4
diff --git a/deploy/modules/db_onboarding/artifacts/s3get.sh b/deploy/modules/db_onboarding/artifacts/s3get.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+function s3get {
+	#helper functions
+	function fail {	echo "$1" > /dev/stderr; exit 1; }
+	#dependency check
+	if ! hash openssl 2>/dev/null; then fail "openssl not installed"; fi
+	if ! hash curl 2>/dev/null; then fail "curl not installed"; fi
+	#params
+	path="${1}"
+	bucket=$(cut -d '/' -f 1 <<< "$path")
+	key=$(cut -d '/' -f 2- <<< "$path")
+	#load creds
+	access="$AWS_ACCESS_KEY_ID"
+	secret="$AWS_SECRET_ACCESS_KEY"
+	#validate
+	if [[ "$bucket" = "" ]]; then fail "missing bucket (arg 1)"; fi;
+	if [[ "$key" = ""    ]]; then fail "missing key (arg 1)"; fi;
+	if [[ "$access" = "" ]]; then fail "missing AWS_ACCESS_KEY (env var)"; fi;
+	if [[ "$secret" = "" ]]; then fail "missing AWS_SECRET_KEY (env var)"; fi;
+	#compute signature
+	contentType="text/html; charset=UTF-8" 
+	date="`date -u +'%a, %d %b %Y %H:%M:%S GMT'`"
+	resource="/${bucket}/${key}"
+	string="GET\n\n${contentType}\n\nx-amz-date:${date}\n${resource}"
+	signature=`echo -en $string | openssl sha1 -hmac "${secret}" -binary | base64` 
+	#get!
+	curl -H "x-amz-date: ${date}" \
+		-H "Content-Type: ${contentType}" \
+		-H "Authorization: AWS ${access}:${signature}" \
+		"https://s3.amazonaws.com${resource}"
+}
+
+#example usage
+#s3get bucket/path/to/file > /tmp/file
diff --git a/...acts/sonar_onboarder-1.4-SNAPSHOT-all.jar → ...ts/sonar_onboarder-1.4.1-SNAPSHOT-all.jar b/...acts/sonar_onboarder-1.4-SNAPSHOT-all.jar → ...ts/sonar_onboarder-1.4.1-SNAPSHOT-all.jar
diff --git a/deploy/modules/db_onboarding/onboarder.tpl b/deploy/modules/db_onboarding/onboarder.tpl
@@ -1,24 +1,28 @@
 #!/bin/bash -x
 set -e
 
-client_id=terraform-automation
-reason="Token autogenerated by terraform"
-
-# Generate access token to hub
-cat << EOF > generate_token.sh
-sudo curl -w '\n' \
-    --cacert \$JSONAR_LOCALDIR/ssl/ca/ca.cert.pem \
-    --cert \$JSONAR_LOCALDIR/ssl/client/admin/cert.pem \
-    --key \$JSONAR_LOCALDIR/ssl/client/admin/key.pem \
-    -X POST 'https://localhost:27920/tokens' \
-    -H 'Content-type: application/json' \
-    -d '{"client_id":"'$client_id'","user":"admin","reason":"'"$reason"'","grants":["usc:access"]}' | cut -d\" -f4
-EOF
-
-scp -o StrictHostKeyChecking="no" -i ${ssh_key_path} generate_token.sh ec2-user@${dsf_hub_address}:generate_token.sh
+scp -o StrictHostKeyChecking="no" -i ${ssh_key_path} ${module_path}/artifacts/generate_token.sh ec2-user@${dsf_hub_address}:generate_token.sh
 ssh -o StrictHostKeyChecking="no" -i ${ssh_key_path} ec2-user@${dsf_hub_address} -C "chmod +x ./generate_token.sh && ./generate_token.sh" > hub_token
 hub_token=$(cat hub_token)
 echo token: $hub_token
 
 # Run oboarder jar
-java -jar ${module_path}/artifacts/sonar_onboarder-1.4-SNAPSHOT-all.jar ${db_arn} ${dsf_hub_address} $hub_token ${assignee_gw} ${db_user} ${db_password}
+JAR=${module_path}/artifacts/sonar_onboarder-1.4.1-SNAPSHOT-all.jar
+JDK=jdk-16.0.2_linux-x64_bin.tar.gz
+JDK_BUCKET=1ef8de27-ed95-40ff-8c08-7969fc1b7901
+
+if command -v java &> /dev/null; then
+    java -jar $JAR ${db_arn} ${dsf_hub_address} $hub_token ${assignee_gw} ${db_user} ${db_password}
+else
+    echo "jave is not installed on the workstation. Copying jar to hub and run it from there"
+    if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+        echo "For overcming the lack of java problem, we need the have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY defined"
+        exit 1
+    else
+        set -x
+        . ${module_path}/artifacts/s3get.sh
+        s3get $JDK_BUCKET/$JDK > $JDK
+        tar zxvf $JAR
+        ./jdk-16.0.2/bin/java -jar $JAR ${db_arn} ${dsf_hub_address} $hub_token ${assignee_gw} ${db_user} ${db_password}
+    fi
+fi