feat: add monitor and update (#41)

* feat: add monitor and update * docs: update readme * feat: add image build and tag
bcgov-nr · Aug 19, 2024 · fe7c057 · fe7c057
1 parent 828cfa4
commit fe7c057
Show file tree

Hide file tree

Showing 42 changed files with 2,923 additions and 1,975 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,19 @@
+# git things
+.git
+.github
+
+# Configs
+.editorconfig
+
+# No docs
+*.md
+
+/coverage
+/e2e
+/dist
+/node_modules
+/setenv*
+/setenv/*
+/config*
+/config/*
+/env.hcl
diff --git a/.eslintignore b/.eslintignore
diff --git a/.eslintrc.json b/.eslintrc.json
diff --git a/.github/workflows/auth-sync-app-ci.yml b/.github/workflows/auth-sync-app-ci.yml
@@ -4,7 +4,7 @@ name: Auth Sync App Continuous Intergation
 on:
   push:
     branches:
-      -main
+      - main
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:

diff --git a/.github/workflows/auth-sync-app-runner.yml b/.github/workflows/auth-sync-app-runner.yml
@@ -43,13 +43,20 @@ jobs:
         env:
           BROKER_API_URL: ${{ secrets.BROKER_API_URL }}
           BROKER_TOKEN: ${{ secrets.BROKER_TOKEN }}
+          CSS_TOKEN_URL: ${{ secrets.CSS_TOKEN_URL }}
+          CSS_CLIENT_ID: ${{ secrets.CSS_CLIENT_ID }}
+          CSS_CLIENT_SECRET: ${{ secrets.CSS_CLIENT_SECRET }}
+          SOURCE_BROKER_DOMAIN: 'azureidir'
 
       - name: Role Sync
         run: ./bin/dev role-sync
         env:
+          BROKER_API_URL: ${{ secrets.BROKER_API_URL }}
+          BROKER_TOKEN: ${{ secrets.BROKER_TOKEN }}
           CSS_TOKEN_URL: ${{ secrets.CSS_TOKEN_URL }}
           CSS_CLIENT_ID: ${{ secrets.CSS_CLIENT_ID }}
           CSS_CLIENT_SECRET: ${{ secrets.CSS_CLIENT_SECRET }}
+          SOURCE_BROKER_DOMAIN: 'azureidir'
 
       - name: Member Sync
         run: ./bin/dev member-sync
@@ -59,3 +66,4 @@ jobs:
           CSS_TOKEN_URL: ${{ secrets.CSS_TOKEN_URL }}
           CSS_CLIENT_ID: ${{ secrets.CSS_CLIENT_ID }}
           CSS_CLIENT_SECRET: ${{ secrets.CSS_CLIENT_SECRET }}
+          SOURCE_BROKER_DOMAIN: 'azureidir'
diff --git a/.github/workflows/knox-pipeline.yml b/.github/workflows/knox-pipeline.yml
@@ -5,7 +5,7 @@ on:
   - cron: "0 23 * * *"
   push:
     branches:
-      -main
+      - main
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/opensearch-pipeline.yml b/.github/workflows/opensearch-pipeline.yml
@@ -5,7 +5,7 @@ on:
   - cron: "0 23 * * *"
   push:
     branches:
-      -main
+      - main
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/polaris-pipeline.yml b/.github/workflows/polaris-pipeline.yml
@@ -5,7 +5,7 @@ on:
   - cron: "0 23 * * *"
   push:
     branches:
-      -main
+      - main
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/tag-main.yml b/.github/workflows/tag-main.yml
@@ -0,0 +1,71 @@
+name: Tag Main
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+    paths-ignore:
+      - ".**"
+      - "**.md"
+      - "**.yml"
+      - "**.yaml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  # # Uncomment to view GitHub context object
+  # view-context:
+  #   # https://docs.github.com/en/actions/learn-github-actions/contexts
+  #   name: View GitHub Context
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Echo GitHub context
+  #       uses: satackey/[email protected]
+  #       with:
+  #         script: |
+  #           const github = require('@actions/github');
+  #           console.log(JSON.stringify(github, null, 2));
+
+  build-image:
+    name: Build Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Backend Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          build-args: |
+            REPO_LOCATION=
diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,6 @@ npm-debug.log
 VAULT_ROOT_TOKEN
 VAULT_UNSEAL_KEY
 /setenv*
-!/setenv.sh.tmp
+!/setenv-local.sh
 .DS_STORE
 /config*
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,21 @@
+FROM node:20-alpine
+ARG ENVCONSUL_VERSION=0.13.2
+
+ADD https://releases.hashicorp.com/envconsul/${ENVCONSUL_VERSION}/envconsul_${ENVCONSUL_VERSION}_linux_amd64.zip /tmp/envconsul.zip
+RUN unzip /tmp/envconsul.zip && \
+    rm /tmp/envconsul.zip && \
+    mv envconsul /usr/local/bin/
+
+# Create app directory
+WORKDIR /app
+COPY . ./
+
+RUN npm ci && \
+    npm run build
+
+VOLUME /app/config
+
+ENV NODE_ENV production
+ENV AUTH_SYNC_CONFIG_PATH /app/config
+
+ENTRYPOINT ["envconsul", "-config", "/app/config/env.hcl", "./bin/run", "monitor"]
diff --git a/README-dev.md b/README-dev.md
@@ -0,0 +1,27 @@
+# Auth Sync Tool - Development
+
+Back: [README.md](README.md)
+
+This document is aimed at developers looking to setup the Auth Sync Tool to run or make modifications to it.
+
+See: [Oclif CLI](https://oclif.io)
+
+## Requirements
+
+* Podman
+* Node.js
+
+## Supported NPM commands
+
+* npm run lint - lint source code
+* npm run test - Run unit tests
+* npm run prepack - Build and update CLI README
+
+## Build with Podman
+
+```
+podman build . -t auth-sync-app
+```
+
+The built container can be substituted for the released container.
+
diff --git a/README.md b/README.md
@@ -1,30 +1,51 @@
 # Auth Sync Tool
 
 The auth sync tool takes user group and "privilege information" from federated systems to generate client roles and group membership (and what roles those groups have) in CSS (KeyCloak).
-The auth sync runs everyday at 3PM.
-
-See: [Confluence Documentation](https://apps.nrs.gov.bc.ca/int/confluence/x/LpZvBQ)
-
 
 <!-- toc -->
 * [Auth Sync Tool](#auth-sync-tool)
 * [Usage](#usage)
 * [Commands](#commands)
 <!-- tocstop -->
 
-## Supported npm commands
+## Running
+
+The tool can be run from the source using Node.js or a container image by using Podman or Docker.
+
+```
+./bin/dev generate
+```
+
+```
+podman run --rm ghcr.io/bcgov-nr/auth-sync-app:v1.0.0 generate
+```
+
+The sample command runs the generate command. All the commands will require some arguments set up to work.
+
+## Environment Variables
+
+The tool can utilize environment variables instead of most command arguments. It is recommended to set all confidential parameters (such as tokens and secrets) using environment variables. As an example, the argument 'broker-token' should always be configured with the environment variable 'BROKER_TOKEN'.
+
+These can be found by looking in the [src/flags.ts](src/flags.ts) file.
+
+A sample env file is provided. To setup for running the tool using a local dev environment, run the following command:
+
+`source setenv-local.sh`
+
+## Development
+
+This document is aimed at developers looking to setup the Auth Sync Tool to run or make modifications to it.
+
+See: [Development](README-dev.md)
 
-* npm start - deploy configuration to provided vault instance
-* npm run lint - lint source code
-* npm run test - Run unit tests
 # Usage
 <!-- usage -->
 ```sh-session
 $ npm install -g authtool
 $ authtool COMMAND
 running command...
 $ authtool (--version)
-authtool/1.0.0 darwin-arm64 node-v22.1.0
+authtool/1.0.0 darwin-x64 node-v20.11.1
 $ authtool --help [COMMAND]
 USAGE
   $ authtool COMMAND
@@ -46,6 +67,7 @@ $ ./bin/run (-v|--version|version)
 * [`authtool generate`](#authtool-generate)
 * [`authtool help [COMMAND]`](#authtool-help-command)
 * [`authtool member-sync`](#authtool-member-sync)
+* [`authtool monitor`](#authtool-monitor)
 * [`authtool role-sync`](#authtool-role-sync)
 
 ## `authtool generate`
@@ -55,12 +77,17 @@ Generates configuration file from template.
 ```
 USAGE
   $ authtool generate [-h] [--broker-api-url <value>] [--broker-token <value>] [--config-path <value>]
+    [--css-token-url <value>] [--css-client-id <value>] [--css-client-secret <value>] [--source-broker-idp <value>]
 
 FLAGS
-  -h, --help                    Show CLI help.
-      --broker-api-url=<value>  [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
-      --broker-token=<value>    The broker JWT
-      --config-path=<value>     [default: ./config] The path to the config directory
+  -h, --help                       Show CLI help.
+      --broker-api-url=<value>     [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
+      --broker-token=<value>       The broker JWT
+      --config-path=<value>        [default: ./config] The path to the config directory
+      --css-client-id=<value>      [default: id] The css keycloak client id
+      --css-client-secret=<value>  [default: password] The css keycloak client secret
+      --css-token-url=<value>      [default: url] The css token url
+      --source-broker-idp=<value>  The idp to filter users to
 
 DESCRIPTION
   Generates configuration file from template.
@@ -87,7 +114,7 @@ DESCRIPTION
   Display help for authtool.
 ```
 
-_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.1/src/commands/help.ts)_
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.8/src/commands/help.ts)_
 
 ## `authtool member-sync`
 
@@ -114,21 +141,47 @@ EXAMPLES
   $ authtool member-sync
 ```
 
+## `authtool monitor`
+
+Monitor for auth changes to sync
+
+```
+USAGE
+  $ authtool monitor [-h] [--broker-api-url <value>] [--broker-token <value>] [--config-path <value>]
+    [--css-token-url <value>] [--css-client-id <value>] [--css-client-secret <value>] [--source-broker-idp <value>]
+
+FLAGS
+  -h, --help                       Show CLI help.
+      --broker-api-url=<value>     [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
+      --broker-token=<value>       The broker JWT
+      --config-path=<value>        [default: ./config] The path to the config directory
+      --css-client-id=<value>      [default: id] The css keycloak client id
+      --css-client-secret=<value>  [default: password] The css keycloak client secret
+      --css-token-url=<value>      [default: url] The css token url
+      --source-broker-idp=<value>  The idp to filter users to
+
+DESCRIPTION
+  Monitor for auth changes to sync
+```
+
 ## `authtool role-sync`
 
 Syncs roles to CSS
 
 ```
 USAGE
-  $ authtool role-sync [-h] [--config-path <value>] [--css-token-url <value>] [--css-client-id <value>]
-    [--css-client-secret <value>]
+  $ authtool role-sync [-h] [--broker-api-url <value>] [--broker-token <value>] [--config-path <value>]
+    [--css-token-url <value>] [--css-client-id <value>] [--css-client-secret <value>] [--source-broker-idp <value>]
 
 FLAGS
   -h, --help                       Show CLI help.
+      --broker-api-url=<value>     [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
+      --broker-token=<value>       The broker JWT
       --config-path=<value>        [default: ./config] The path to the config directory
       --css-client-id=<value>      [default: id] The css keycloak client id
       --css-client-secret=<value>  [default: password] The css keycloak client secret
       --css-token-url=<value>      [default: url] The css token url
+      --source-broker-idp=<value>  The idp to filter users to
 
 DESCRIPTION
   Syncs roles to CSS