-
Notifications
You must be signed in to change notification settings - Fork 36
/
Copy pathhelpers.sh
executable file
·577 lines (523 loc) · 18.1 KB
/
helpers.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
#!/bin/bash
#
# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
#title helpers.sh
#description This script contains helper functions.
#author Sourav Paul (@psour)
#contributors @psour
#date 2024-04-12
#version 1.0
#usage ./helpers.sh [-a|--admin] [-c|--console] [-g|--generate -u|--user <APP_USER>] [-i|--inspect -t|--token <TOKEN>] [-w|--wait-lb -l|--lb-arn-pattern <LB_ARN_PATTERN>] [--authn] [--authz] [-n|--keycloak-namespace <KEYCLOAK_NAMESPACE>] [-r|--keycloak-realm <KEYCLOAK_REALM>] [-h|--help] [-v|--verbose]
#==============================================================================
#### Resolve command line arguments
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-a|--admin)
PRINT_ADMIN_PASSWORD=YES
shift # past argument
;;
-c|--console)
PRINT_ADMIN_CONSOLE_URL=YES
shift # past argument
;;
-g|--generate)
GENERATE_TOKEN=YES
shift # past argument
;;
-u|--user)
APP_USER="$2"
shift # past argument
shift # past value
;;
-i|--inspect)
INSPECT_TOKEN=YES
shift # past argument
;;
-t|--token)
TOKEN="$2"
shift # past argument
shift # past value
;;
--authn)
APPLY_AUTHN=YES
shift # past argument
;;
--authz)
APPLY_AUTHZ=YES
shift # past argument
;;
-n|--keycloak-namespace)
KEYCLOAK_NAMESPACE="$2"
shift # past argument
shift # past value
;;
-r|--keycloak-realm)
KEYCLOAK_REALM="$2"
shift # past argument
shift # past value
;;
-w|--wait-lb)
WAIT_LB=YES
shift # past argument
;;
-l|--lb-arn-pattern)
LB_ARN_PATTERN="$2"
shift # past argument
shift # past value
;;
-h|--help)
SHOW_HELP=YES
shift # past argument
;;
-v|--verbose)
VERBOSE=YES
shift # past argument
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
#### Functions
function print_usage() {
echo ""
echo "Options:"
echo " -a, --admin Print Keycloak admin password. This is a mutually exclusive option. See below for more details."
echo " -c, --console Print Keycloak console URL. This is a mutually exclusive option. See below for more details."
echo " -g, --generate Generate access token for application user (requires -u|--user). This is a mutually exclusive option. See below for more details."
echo " -u, --user string Application username (required when -g|--generate is set)."
echo " -i, --inspect Inspect access token (requires -t|--token). This is a mutually exclusive option. See below for more details."
echo " -t, --token string Access token (required when -i|--inspect is set)."
echo " -w, --wait-lb Wait for load balancer endpoint to become healthy (requires -l|--lb-arn-pattern). This is a mutually exclusive option. See below for more details."
echo " -l, --lb-arn-pattern string Load balancer ARN pattern (required when -w|--wait-lb is set)."
echo " --authn Apply RequestAuthentication manifest. This is a mutually exclusive option. See below for more details."
echo " --authz Apply AuthorizationPolicy manifest. This is a mutually exclusive option. See below for more details."
echo " -n, --keycloak-namespace string Namespace for keycloak (default keycloak)."
echo " -r, --keycloak-realm string Keycloak realm for workshop (default workshop)."
echo " -h, --help Show this help message."
echo " -v, --verbose Enable verbose output."
echo ""
echo "**Mutually Exclusive Options:** Below options cannot appear together for an invocation of this command."
echo " -a, --admin"
echo " -c, --console"
echo " -g, --generate"
echo " -i, --inspect"
echo " -w, --wait-lb"
echo " --authn"
echo " --authz"
}
function handle_error() {
echo ""
echo "$1"
exit 1
}
function handle_error_with_usage() {
echo ""
echo "$1"
echo ""
echo "Printing help..."
print_usage
exit 1
}
function handle_arg_help() {
if [ "$SHOW_HELP" = "YES" ]; then
print_usage
exit 0
fi
}
function validate_mutually_exclusive_args() {
CNT=0
if [ -n "$VERBOSE" ]; then
echo "Validating if more than one mutually exclusive arguments are specified..."
fi
if [ -n "$PRINT_ADMIN_PASSWORD" ]; then
((CNT++))
fi
if [ -n "$PRINT_ADMIN_CONSOLE_URL" ]; then
((CNT++))
fi
if [ -n "$GENERATE_TOKEN" ]; then
((CNT++))
fi
if [ -n "$INSPECT_TOKEN" ]; then
((CNT++))
fi
if [ -n "$APPLY_AUTHN" ]; then
((CNT++))
fi
if [ -n "$APPLY_AUTHZ" ]; then
((CNT++))
fi
if [ -n "$WAIT_LB" ]; then
((CNT++))
fi
if [ $CNT -eq 0 ]; then
handle_error_with_usage "ERROR: Any one of -a|--admin, -c|--console, -g|--generate, -i|--inspect, --authn, --authz, or -w|--wait-lb is required."
fi
if [ $CNT -gt 1 ]; then
handle_error_with_usage "ERROR: Arguments -a|--admin, -c|--console, -g|--generate, -i|--inspect, --authn, --authz, and -w|--wait-lb are mutually exclusive. Specify any one."
fi
}
function validate_arg_generate() {
if [ -n "$VERBOSE" ]; then
echo "Validating arguments to generate access token..."
fi
if [ -n "$GENERATE_TOKEN" ]; then
if [ -z "$APP_USER" ]; then
handle_error_with_usage "ERROR: Application username is required for token generation. Use -u|--user option to specify application username."
fi
fi
}
function validate_arg_inspect() {
if [ -n "$VERBOSE" ]; then
echo "Validating arguments to inspect access token..."
fi
if [ -n "$INSPECT_TOKEN" ]; then
if [ -z "$TOKEN" ]; then
handle_error_with_usage "ERROR: Token is required for inspection. Use -t|--token option to specify token."
fi
fi
}
function validate_arg_wait_lb() {
if [ -n "$VERBOSE" ]; then
echo "Validating arguments to wait for load balncer healthy status..."
fi
if [ -n "$WAIT_LB" ]; then
if [ -z "$LB_ARN_PATTERN" ]; then
handle_error_with_usage "ERROR: Load balancer name pattern is required for -w|--wait-lb option. Use -l|--lb-arn-pattern option to specify load balancer name pattern."
fi
fi
}
function resolve_arg_keycloak_namespace() {
if [ -n "$VERBOSE" ]; then
echo "Resolving namespace for Keycloak..."
fi
if [ -z "$KEYCLOAK_NAMESPACE" ]; then
KEYCLOAK_NAMESPACE=keycloak
fi
}
function resolve_arg_keycloak_realm() {
if [ -n "$VERBOSE" ]; then
echo "Resolving Keycloak realm for Istio..."
fi
if [ -z "$KEYCLOAK_REALM" ]; then
KEYCLOAK_REALM=workshop
fi
}
function resolve_keycloak_config() {
if [ -n "$VERBOSE" ]; then
echo "Resolving Keycloak OIDC configurations..."
fi
KEYCLOAK_ENDPOINT=$(kubectl get service/keycloak -n "$KEYCLOAK_NAMESPACE" --output go-template --template='http://{{range .status.loadBalancer.ingress}}{{.hostname}}{{end}}')
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to retrieve keycloak endpoint."
fi
OPENID_CONFIG=$(curl -s "${KEYCLOAK_ENDPOINT}/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration")
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to retrieve Open ID configuration."
fi
ISSUER=$(echo "${OPENID_CONFIG}" | jq -r '.issuer')
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to parse 'issuer' field from retrieved Open ID configuration."
fi
JWKS_URI=$(echo "${OPENID_CONFIG}" | jq -r '.jwks_uri')
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to parse 'jwks_uri' field from retrieved Open ID configuration."
fi
TOKEN_ENDPOINT=$(echo "${OPENID_CONFIG}" | jq -r '.token_endpoint')
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to parse 'token_endpoint' field from retrieved Open ID configuration."
fi
}
function print_script_arguments() {
if [ -n "$VERBOSE" ]; then
echo ""
echo "Script arguments:"
echo "---------------------------------------------------------------------------------------------"
echo " KEYCLOAK_NAMESPACE........$KEYCLOAK_NAMESPACE"
echo " KEYCLOAK_REALM............$KEYCLOAK_REALM"
if [ -n "$PRINT_ADMIN_PASSWORD" ]; then
echo " PRINT_ADMIN_PASSWORD......$PRINT_ADMIN_PASSWORD"
fi
if [ -n "$PRINT_ADMIN_CONSOLE_URL" ]; then
echo " PRINT_ADMIN_CONSOLE_URL...$PRINT_ADMIN_CONSOLE_URL"
fi
if [ -n "$GENERATE_TOKEN" ]; then
echo " GENERATE_TOKEN............$GENERATE_TOKEN"
echo " APP_USER..................$APP_USER"
fi
if [ -n "$INSPECT_TOKEN" ]; then
echo " INSPECT_TOKEN.............$INSPECT_TOKEN"
echo " TOKEN.....................$TOKEN"
fi
if [ -n "$APPLY_AUTHN" ]; then
echo " APPLY_AUTHN...............$APPLY_AUTHN"
fi
if [ -n "$APPLY_AUTHZ" ]; then
echo " APPLY_AUTHZ...............$APPLY_AUTHZ"
fi
if [ -n "$WAIT_LB" ]; then
echo " WAIT_LB...................$WAIT_LB"
fi
echo " VERBOSE...................$VERBOSE"
echo "---------------------------------------------------------------------------------------------"
echo ""
fi
}
function print_admin_password() {
if [ -n "$VERBOSE" ]; then
echo "Retrieving Keycloak admin user password from AWS Secrets Manager..."
fi
SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id keycloak --query "SecretString" --output text)
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to retrieve Keycloak admin password from AWS SecretsManager."
fi
PASSWORD=$(echo "$SECRET_VALUE" | jq -r ".[\"admin_password\"]")
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to parse Keycloak admin password from AWS SecretsManager."
fi
if [ -n "$VERBOSE" ]; then
echo "Username: admin"
echo -n "Password: "
fi
echo "$PASSWORD"
}
function print_admin_console_url() {
if [ -n "$VERBOSE" ]; then
echo "Printing Keycloak admin console URL..."
fi
ADMIN_CONSOLE_URL=$(kubectl get service/keycloak -n $KEYCLOAK_NAMESPACE --output go-template --template='http://{{range .status.loadBalancer.ingress}}{{.hostname}}{{end}}/admin')
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to get Keycloak admin console URL."
fi
echo "$ADMIN_CONSOLE_URL"
}
function get_access_token() {
if [ -n "$VERBOSE" ]; then
echo "Retrieving access token from Keycloak..."
fi
resolve_keycloak_config
if [ -n "$VERBOSE" ]; then
echo "Retrieving password for application user ${APP_USER} from AWS Secrets Manager..."
fi
PASSWORD=$(aws secretsmanager get-secret-value --secret-id workshop-realm --query "SecretString" --output text | jq -r ".users[] | select(.username == \"${APP_USER}\") | .credentials[0].value")
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to retrieve user password for user ${APP_USER} from AWS SecretsManager."
fi
if [ -n "$VERBOSE" ]; then
echo "Getting OIDC access token from Keycloak for user ${APP_USER}..."
fi
TOKEN_RESPONSE=$(curl \
-s \
--data-urlencode "client_id=productapp" \
--data-urlencode "grant_type=password" \
--data-urlencode "username=${APP_USER}" \
--data-urlencode "password=${PASSWORD}" \
"$TOKEN_ENDPOINT")
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to get access token response from Keycloak."
fi
TOKEN=$(echo "${TOKEN_RESPONSE}" | jq -r '.access_token')
echo "$TOKEN"
}
# https://www.jvt.me/posts/2019/06/13/pretty-printing-jwt-openssl/
function jwt() {
for part in 1 2; do
b64="$(cut -f$part -d. <<< "$1" | tr '_-' '/+')"
len=${#b64}
n=$((len % 4))
if [[ 2 -eq n ]]; then
b64="${b64}=="
elif [[ 3 -eq n ]]; then
b64="${b64}="
fi
d="$(openssl enc -base64 -d -A <<< "$b64")"
echo "$d"
# don't decode further if this is an encrypted JWT (JWE)
if [[ 1 -eq part ]] && grep '"enc":' <<< "$d" >/dev/null ; then
exit 0
fi
done
}
function inspect_token() {
if [ -n "$VERBOSE" ]; then
echo "Inspecting JWT token..."
fi
INSPECTION_RESPONSE=$(jwt "$TOKEN")
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to inspect access token."
fi
if [ -n "$VERBOSE" ]; then
echo "Decoded JWT"
fi
echo "${INSPECTION_RESPONSE}" | jq -r '.'
}
function apply_requestauthentication() {
if [ -n "$VERBOSE" ]; then
echo "Generating RequestAuthentication manifest from ${MODULE_DIR}/request-authentication/ingress-requestauthentication-template.yaml..."
fi
resolve_keycloak_config
AUTH_DOC=$(sed "s#ISSUER#${ISSUER}#g" "${MODULE_DIR}/request-authentication/ingress-requestauthentication-template.yaml" \
| sed "s#JWKS_URI#${JWKS_URI}#g")
if [ -n "$VERBOSE" ]; then
echo "Generated manifest:"
echo "-------------------"
echo "${AUTH_DOC}"
echo "-------------------"
fi
echo "${AUTH_DOC}" | kubectl apply -f -
}
function apply_authorizationpolicy() {
if [ -n "$VERBOSE" ]; then
echo "Applying AuthorizationPolicy manifest $MODULE_DIR/request-authentication/ingress-authorizationpolicy.yaml..."
echo "Manifest:"
echo "-------------------"
cat "${MODULE_DIR}/request-authentication/ingress-authorizationpolicy.yaml"
echo "-------------------"
fi
kubectl apply -f "${MODULE_DIR}/request-authentication/ingress-authorizationpolicy.yaml"
}
function wait_for_load_balancer() {
if [ -n "$VERBOSE" ]; then
echo "Waiting for load balancer to become healthy..."
fi
if [ -n "$VERBOSE" ]; then
echo "Trying to locate load balancer using ARN pattern '$LB_ARN_PATTERN'..."
fi
LB_ARN=$(aws elbv2 describe-load-balancers --query "LoadBalancers[?contains(LoadBalancerArn, \`$LB_ARN_PATTERN\`)].LoadBalancerArn" --output text)
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to describe load balancer."
fi
if [ -z "$LB_ARN" ]; then
handle_error "ERROR: Could not locate load balancer resource. Is the region set correctly?"
fi
if [ -n "$VERBOSE" ]; then
echo "Trying to locate target group for load balancer ARN '$LB_ARN'..."
fi
TARGET_GRP_ARN=$(aws elbv2 describe-target-groups --load-balancer-arn "$LB_ARN" --query 'TargetGroups[0].TargetGroupArn' --output text)
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to describe target group."
fi
if [ -z "$TARGET_GRP_ARN" ]; then
handle_error "ERROR: Could not locate load balancer target group."
fi
if [ -n "$VERBOSE" ]; then
echo "Query target group health..."
fi
TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn "$TARGET_GRP_ARN" --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text)
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to describe keycloak target health."
fi
while [ "$TARGET_HEALTH" != "healthy" ]
do
if [ -n "$VERBOSE" ]; then
echo "Target health is $TARGET_HEALTH. Waiting 10 seconds."
fi
sleep 10
TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn "$TARGET_GRP_ARN" --query 'TargetHealthDescriptions[0].TargetHealth.State' --output text)
CMD_RESULT=$?
if [ $CMD_RESULT -ne 0 ]; then
handle_error "ERROR: Failed to describe keycloak target health."
fi
done
if [ -n "$VERBOSE" ]; then
echo "Target health is $TARGET_HEALTH."
fi
}
# https://stackoverflow.com/questions/59895/how-do-i-get-the-directory-where-a-bash-script-is-located-from-within-the-script
function resolve_script_dir() {
if [ -n "$VERBOSE" ]; then
echo "Resolving script directory..."
fi
SOURCE=${BASH_SOURCE[0]}
while [ -L "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
SCRIPT_DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
SOURCE=$(readlink "$SOURCE")
[[ $SOURCE != /* ]] && SOURCE=$SCRIPT_DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
SCRIPT_DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
if [ -n "$VERBOSE" ]; then
echo "Resolved script directory: ${SCRIPT_DIR}"
fi
}
function resolve_module_dir() {
if [ -n "$VERBOSE" ]; then
echo "Resolving module directory..."
fi
MODULE_DIR="$SCRIPT_DIR/.."
if [ -n "$VERBOSE" ]; then
echo "Resolved module directory: ${MODULE_DIR}"
fi
}
function dispatch_call() {
if [ -n "$VERBOSE" ]; then
echo "Dispatching call to handler function..."
fi
if [ -n "$PRINT_ADMIN_PASSWORD" ]; then
print_admin_password
fi
if [ -n "$PRINT_ADMIN_CONSOLE_URL" ]; then
print_admin_console_url
fi
if [ -n "$GENERATE_TOKEN" ]; then
get_access_token
fi
if [ -n "$INSPECT_TOKEN" ]; then
inspect_token
fi
if [ -n "$APPLY_AUTHN" ]; then
apply_requestauthentication
fi
if [ -n "$APPLY_AUTHZ" ]; then
apply_authorizationpolicy
fi
if [ -n "$WAIT_LB" ]; then
wait_for_load_balancer
fi
}
#### Main ####
handle_arg_help
validate_mutually_exclusive_args
validate_arg_generate
validate_arg_inspect
validate_arg_wait_lb
resolve_arg_keycloak_namespace
resolve_arg_keycloak_realm
resolve_script_dir
resolve_module_dir
print_script_arguments
dispatch_call