fabric8-services · dipak-pawar · Dec 5, 2018 · Dec 3, 2018 · Dec 3, 2018 · Dec 4, 2018
diff --git a/cluster/repository/cluster.go b/cluster/repository/cluster.go
@@ -34,10 +34,12 @@ type Cluster struct {
 	LoggingURL string
 	// Application host name used by the cluster
 	AppDNS string
-	// Encrypted Service Account token
+	// Service Account token
 	SaToken string
 	// Service Account name
 	SaUsername string
+	// SA Token encrypted
+	SaTokenEncrypted bool
 	// Token Provider ID
 	TokenProviderID string
 	// OAuthClient ID used to link users account

diff --git a/cluster/service/cluster.go b/cluster/service/cluster.go
@@ -47,6 +47,7 @@ func (c clusterService) CreateOrSaveClusterFromConfig(ctx context.Context) error
 
 			SaToken:          configCluster.ServiceAccountToken,
 			SaUsername:       configCluster.ServiceAccountUsername,
+			SaTokenEncrypted: configCluster.ServiceAccountTokenEncrypted,
 			TokenProviderID:  configCluster.TokenProviderID,
 			AuthClientID:     configCluster.AuthClientID,
 			AuthClientSecret: configCluster.AuthClientSecret,

diff --git a/configuration/conf-files/oso-clusters.conf b/configuration/conf-files/oso-clusters.conf
@@ -6,6 +6,7 @@
             "app-dns":"8a09.starter-us-east-2.openshiftapps.com",
             "service-account-token":"fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"f867ac10-5e05-4359-a0c6-b855ece59090",
             "auth-client-id":"autheast2",
             "auth-client-secret":"autheast2secret",
@@ -17,6 +18,7 @@
             "app-dns":"b542.starter-us-east-2a.openshiftapps.com",
             "service-account-token":"ak61T6RSAacWFruh1vZP8cyUOBtQ3Chv1rdOBddSuc9nZ2wEcs81DHXRO55NpIpVQ8uiH",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"886c7ea3-ef97-443d-b345-de94b94bb65d",
             "auth-client-id":"autheast2a",
             "auth-client-secret":"autheast2asecret",
@@ -29,6 +31,7 @@
             "app-dns":"b542.starter-us-east-1a.openshiftapps.com",
             "service-account-token":"sdfjdlfjdfkjdlfjd12324434543085djdfjd084508gfdkjdofkjg43854085dlkjdlk",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"886c7ea3-ef97-443d-b345-de94b94bb65d",
             "auth-client-id":"autheast1a",
             "auth-client-secret":"autheast1asecret",
@@ -41,6 +44,7 @@
             "app-dns":"b542.starter-us-east-3a.openshiftapps.com",
             "service-account-token":"fkdjhfdsjfgfdjlsflhjgsafgskfdsagrwgwerwshbdjasbdjbsahdbsagbdyhsbdesbh",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"1c09073a-13ad-4add-b0ff-197eaf18fc37",
             "auth-client-id":"autheast3a",
             "auth-client-secret":"autheast3asecret",

diff --git a/configuration/conf-files/tests/oso-clusters-capacity-updated.conf b/configuration/conf-files/tests/oso-clusters-capacity-updated.conf
@@ -6,6 +6,7 @@
             "app-dns":"8a09.starter-us-east-2.openshiftapps.com",
             "service-account-token":"fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"f867ac10-5e05-4359-a0c6-b855ece59090",
             "auth-client-id":"autheast2",
             "auth-client-secret":"autheast2secret",
@@ -17,6 +18,7 @@
             "app-dns":"b542.starter-us-east-2a.openshiftapps.com",
             "service-account-token":"ak61T6RSAacWFruh1vZP8cyUOBtQ3Chv1rdOBddSuc9nZ2wEcs81DHXRO55NpIpVQ8uiH",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"886c7ea3-ef97-443d-b345-de94b94bb65d",
             "auth-client-id":"autheast2a",
             "auth-client-secret":"autheast2asecret",
@@ -29,6 +31,7 @@
             "app-dns":"b542.starter-us-east-1a.openshiftapps.com",
             "service-account-token":"sdfjdlfjdfkjdlfjd12324434543085djdfjd084508gfdkjdofkjg43854085dlkjdlk",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"886c7ea3-ef97-443d-b345-de94b94bb65d",
             "auth-client-id":"autheast1a",
             "auth-client-secret":"autheast1asecret",
@@ -41,6 +44,7 @@
             "app-dns":"b542.starter-us-east-3a.openshiftapps.com",
             "service-account-token":"fkdjhfdsjfgfdjlsflhjgsafgskfdsagrwgwerwshbdjasbdjbsahdbsagbdyhsbdesbh",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"1c09073a-13ad-4add-b0ff-197eaf18fc37",
             "auth-client-id":"autheast3a",
             "auth-client-secret":"autheast3asecret",

diff --git a/configuration/conf-files/tests/oso-clusters-custom-urls.conf b/configuration/conf-files/tests/oso-clusters-custom-urls.conf
@@ -9,6 +9,7 @@
             "app-dns":"8a09.starter-us-east-2.openshiftapps.com",
             "service-account-token":"fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
             "service-account-username":"dsaas",
+            "service-account-token-encrypted": true,
             "token-provider-id":"f867ac10-5e05-4359-a0c6-b855ece59090",
             "auth-client-id":"autheast2",
             "auth-client-secret":"autheast2secret",

diff --git a/configuration/configuration.go b/configuration/configuration.go
@@ -77,20 +77,21 @@ type clusterConfig struct {
 
 // Cluster represents a cluster from configuration
 type Cluster struct {
-	Name                   string `mapstructure:"name"`
-	APIURL                 string `mapstructure:"api-url"`
-	ConsoleURL             string `mapstructure:"console-url"` // Optional in oso-clusters.conf
-	MetricsURL             string `mapstructure:"metrics-url"` // Optional in oso-clusters.conf
-	LoggingURL             string `mapstructure:"logging-url"` // Optional in oso-clusters.conf
-	AppDNS                 string `mapstructure:"app-dns"`
-	ServiceAccountToken    string `mapstructure:"service-account-token"`
-	ServiceAccountUsername string `mapstructure:"service-account-username"`
-	TokenProviderID        string `mapstructure:"token-provider-id"`
-	AuthClientID           string `mapstructure:"auth-client-id"`
-	AuthClientSecret       string `mapstructure:"auth-client-secret"`
-	AuthClientDefaultScope string `mapstructure:"auth-client-default-scope"`
-	Type                   string `mapstructure:"type"`               // Optional in oso-clusters.conf ('OSO' by default)
-	CapacityExhausted      bool   `mapstructure:"capacity-exhausted"` // Optional in oso-clusters.conf ('false' by default)
+	Name                         string `mapstructure:"name"`
+	APIURL                       string `mapstructure:"api-url"`
+	ConsoleURL                   string `mapstructure:"console-url"` // Optional in oso-clusters.conf
+	MetricsURL                   string `mapstructure:"metrics-url"` // Optional in oso-clusters.conf
+	LoggingURL                   string `mapstructure:"logging-url"` // Optional in oso-clusters.conf
+	AppDNS                       string `mapstructure:"app-dns"`
+	ServiceAccountToken          string `mapstructure:"service-account-token"`
+	ServiceAccountUsername       string `mapstructure:"service-account-username"`
+	ServiceAccountTokenEncrypted bool   `mapstructure:"service-account-token-encrypted"`
+	TokenProviderID              string `mapstructure:"token-provider-id"`
+	AuthClientID                 string `mapstructure:"auth-client-id"`
+	AuthClientSecret             string `mapstructure:"auth-client-secret"`
+	AuthClientDefaultScope       string `mapstructure:"auth-client-default-scope"`
+	Type                         string `mapstructure:"type"`               // Optional in oso-clusters.conf ('OSO' by default)
+	CapacityExhausted            bool   `mapstructure:"capacity-exhausted"` // Optional in oso-clusters.conf ('false' by default)
 }
 
 // ConfigurationData encapsulates the Viper configuration object which stores the configuration data in-memory.

diff --git a/configuration/configuration_blackbox_test.go b/configuration/configuration_blackbox_test.go
@@ -192,18 +192,19 @@ func TestClusterConfigurationWithGeneratedURLs(t *testing.T) {
 	clusterConfig, err := configuration.NewConfigurationData("", "./conf-files/tests/oso-clusters-custom-urls.conf")
 	require.Nil(t, err)
 	checkCluster(t, clusterConfig.GetClusters(), configuration.Cluster{
-		Name:                   "us-east-2",
-		APIURL:                 "https://api.starter-us-east-2.openshift.com",
-		ConsoleURL:             "custom.console.url",
-		MetricsURL:             "custom.metrics.url",
-		LoggingURL:             "custom.logging.url",
-		AppDNS:                 "8a09.starter-us-east-2.openshiftapps.com",
-		ServiceAccountToken:    "fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
-		ServiceAccountUsername: "dsaas",
-		TokenProviderID:        "f867ac10-5e05-4359-a0c6-b855ece59090",
-		AuthClientID:           "autheast2",
-		AuthClientSecret:       "autheast2secret",
-		AuthClientDefaultScope: "user:full",
+		Name:                         "us-east-2",
+		APIURL:                       "https://api.starter-us-east-2.openshift.com",
+		ConsoleURL:                   "custom.console.url",
+		MetricsURL:                   "custom.metrics.url",
+		LoggingURL:                   "custom.logging.url",
+		AppDNS:                       "8a09.starter-us-east-2.openshiftapps.com",
+		ServiceAccountToken:          "fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
+		ServiceAccountUsername:       "dsaas",
+		ServiceAccountTokenEncrypted: true,
+		TokenProviderID:              "f867ac10-5e05-4359-a0c6-b855ece59090",
+		AuthClientID:                 "autheast2",
+		AuthClientSecret:             "autheast2secret",
+		AuthClientDefaultScope:       "user:full",
 		Type: cluster.OSO,
 	})
 }
@@ -230,66 +231,70 @@ func TestClusterConfigurationFromInvalidFile(t *testing.T) {
 
 func checkClusterConfiguration(t *testing.T, clusters map[string]configuration.Cluster) {
 	checkCluster(t, clusters, configuration.Cluster{
-		Name:                   "us-east-2",
-		APIURL:                 "https://api.starter-us-east-2.openshift.com",
-		ConsoleURL:             "https://console.starter-us-east-2.openshift.com/console",
-		MetricsURL:             "https://metrics.starter-us-east-2.openshift.com",
-		LoggingURL:             "https://console.starter-us-east-2.openshift.com/console",
-		AppDNS:                 "8a09.starter-us-east-2.openshiftapps.com",
-		ServiceAccountToken:    "fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
-		ServiceAccountUsername: "dsaas",
-		TokenProviderID:        "f867ac10-5e05-4359-a0c6-b855ece59090",
-		AuthClientID:           "autheast2",
-		AuthClientSecret:       "autheast2secret",
-		AuthClientDefaultScope: "user:full",
+		Name:                         "us-east-2",
+		APIURL:                       "https://api.starter-us-east-2.openshift.com",
+		ConsoleURL:                   "https://console.starter-us-east-2.openshift.com/console",
+		MetricsURL:                   "https://metrics.starter-us-east-2.openshift.com",
+		LoggingURL:                   "https://console.starter-us-east-2.openshift.com/console",
+		AppDNS:                       "8a09.starter-us-east-2.openshiftapps.com",
+		ServiceAccountToken:          "fX0nH3d68LQ6SK5wBE6QeKJ6X8AZGVQO3dGQZZETakhmgmWAqr2KDFXE65KUwBO69aWoq",
+		ServiceAccountUsername:       "dsaas",
+		ServiceAccountTokenEncrypted: true,
+		TokenProviderID:              "f867ac10-5e05-4359-a0c6-b855ece59090",
+		AuthClientID:                 "autheast2",
+		AuthClientSecret:             "autheast2secret",
+		AuthClientDefaultScope:       "user:full",
 		Type:              "OSO",
 		CapacityExhausted: false,
 	})
 	checkCluster(t, clusters, configuration.Cluster{
-		Name:                   "us-east-2a",
-		APIURL:                 "https://api.starter-us-east-2a.openshift.com",
-		ConsoleURL:             "https://console.starter-us-east-2a.openshift.com/console",
-		MetricsURL:             "https://metrics.starter-us-east-2a.openshift.com",
-		LoggingURL:             "https://console.starter-us-east-2a.openshift.com/console",
-		AppDNS:                 "b542.starter-us-east-2a.openshiftapps.com",
-		ServiceAccountToken:    "ak61T6RSAacWFruh1vZP8cyUOBtQ3Chv1rdOBddSuc9nZ2wEcs81DHXRO55NpIpVQ8uiH",
-		ServiceAccountUsername: "dsaas",
-		TokenProviderID:        "886c7ea3-ef97-443d-b345-de94b94bb65d",
-		AuthClientID:           "autheast2a",
-		AuthClientSecret:       "autheast2asecret",
-		AuthClientDefaultScope: "user:full",
+		Name:                         "us-east-2a",
+		APIURL:                       "https://api.starter-us-east-2a.openshift.com",
+		ConsoleURL:                   "https://console.starter-us-east-2a.openshift.com/console",
+		MetricsURL:                   "https://metrics.starter-us-east-2a.openshift.com",
+		LoggingURL:                   "https://console.starter-us-east-2a.openshift.com/console",
+		AppDNS:                       "b542.starter-us-east-2a.openshiftapps.com",
+		ServiceAccountToken:          "ak61T6RSAacWFruh1vZP8cyUOBtQ3Chv1rdOBddSuc9nZ2wEcs81DHXRO55NpIpVQ8uiH",
+		ServiceAccountUsername:       "dsaas",
+		ServiceAccountTokenEncrypted: true,
+		TokenProviderID:              "886c7ea3-ef97-443d-b345-de94b94bb65d",
+		AuthClientID:                 "autheast2a",
+		AuthClientSecret:             "autheast2asecret",
+		AuthClientDefaultScope:       "user:full",
 		Type:              "OSO",
 		CapacityExhausted: false,
 	})
 	checkCluster(t, clusters, configuration.Cluster{
-		Name:                   "us-east-1a",
-		APIURL:                 "https://api.starter-us-east-1a.openshift.com",
-		ConsoleURL:             "https://console.starter-us-east-1a.openshift.com/console",
-		MetricsURL:             "https://metrics.starter-us-east-1a.openshift.com",
-		LoggingURL:             "https://console.starter-us-east-1a.openshift.com/console",
-		AppDNS:                 "b542.starter-us-east-1a.openshiftapps.com",
-		ServiceAccountToken:    "sdfjdlfjdfkjdlfjd12324434543085djdfjd084508gfdkjdofkjg43854085dlkjdlk",
-		ServiceAccountUsername: "dsaas",
-		TokenProviderID:        "886c7ea3-ef97-443d-b345-de94b94bb65d",
-		AuthClientID:           "autheast1a",
-		AuthClientSecret:       "autheast1asecret",
-		AuthClientDefaultScope: "user:full",
+		Name:                         "us-east-1a",
+		APIURL:                       "https://api.starter-us-east-1a.openshift.com",
+		ConsoleURL:                   "https://console.starter-us-east-1a.openshift.com/console",
+		MetricsURL:                   "https://metrics.starter-us-east-1a.openshift.com",
+		LoggingURL:                   "https://console.starter-us-east-1a.openshift.com/console",
+		AppDNS:                       "b542.starter-us-east-1a.openshiftapps.com",
+		ServiceAccountToken:          "sdfjdlfjdfkjdlfjd12324434543085djdfjd084508gfdkjdofkjg43854085dlkjdlk",
+		ServiceAccountUsername:       "dsaas",
+		ServiceAccountTokenEncrypted: true,
+		TokenProviderID:              "886c7ea3-ef97-443d-b345-de94b94bb65d",
+		AuthClientID:                 "autheast1a",
+		AuthClientSecret:             "autheast1asecret",
+		AuthClientDefaultScope:       "user:full",
 		Type:              "OSO",
 		CapacityExhausted: true,
 	})
 	checkCluster(t, clusters, configuration.Cluster{
-		Name:                   "us-east-3a",
-		APIURL:                 "https://api.starter-us-east-3a.openshift.com",
-		ConsoleURL:             "https://console.starter-us-east-3a.openshift.com/console",
-		MetricsURL:             "https://metrics.starter-us-east-3a.openshift.com",
-		LoggingURL:             "https://console.starter-us-east-3a.openshift.com/console",
-		AppDNS:                 "b542.starter-us-east-3a.openshiftapps.com",
-		ServiceAccountToken:    "fkdjhfdsjfgfdjlsflhjgsafgskfdsagrwgwerwshbdjasbdjbsahdbsagbdyhsbdesbh",
-		ServiceAccountUsername: "dsaas",
-		TokenProviderID:        "1c09073a-13ad-4add-b0ff-197eaf18fc37",
-		AuthClientID:           "autheast3a",
-		AuthClientSecret:       "autheast3asecret",
-		AuthClientDefaultScope: "user:full",
+		Name:                         "us-east-3a",
+		APIURL:                       "https://api.starter-us-east-3a.openshift.com",
+		ConsoleURL:                   "https://console.starter-us-east-3a.openshift.com/console",
+		MetricsURL:                   "https://metrics.starter-us-east-3a.openshift.com",
+		LoggingURL:                   "https://console.starter-us-east-3a.openshift.com/console",
+		AppDNS:                       "b542.starter-us-east-3a.openshiftapps.com",
+		ServiceAccountToken:          "fkdjhfdsjfgfdjlsflhjgsafgskfdsagrwgwerwshbdjasbdjbsahdbsagbdyhsbdesbh",
+		ServiceAccountUsername:       "dsaas",
+		ServiceAccountTokenEncrypted: true,
+		TokenProviderID:              "1c09073a-13ad-4add-b0ff-197eaf18fc37",
+		AuthClientID:                 "autheast3a",
+		AuthClientSecret:             "autheast3asecret",
+		AuthClientDefaultScope:       "user:full",
 		Type:              "OSD",
 		CapacityExhausted: false,
 	})

diff --git a/design/clusters.go b/design/clusters.go
@@ -44,6 +44,7 @@ var fullClusterData = a.Type("FullClusterData", func() {
 
 	a.Attribute("service-account-token", d.String, "Decrypted cluster wide token")
 	a.Attribute("service-account-username", d.String, "Username of the cluster wide user")
+	a.Attribute("sa-token-encrypted", d.Boolean, "encrypted Service Account Token set to 'true'")
 	a.Attribute("token-provider-id", d.String, "Token provider ID")
 	a.Attribute("auth-client-id", d.String, "OAuth client ID")
 	a.Attribute("auth-client-secret", d.String, "OAuth client secret")

diff --git a/migration/migration.go b/migration/migration.go
@@ -20,6 +20,7 @@ func Steps() Scripts {
 		{"003-unique-index-on-cluster-api-url.sql"},
 		{"004-add-capacity-exhausted-to-cluster.sql"},
 		{"005-alter-cluster-api-url-index-to-unique.sql"},
+		{"006-add-sa-token-encrypted-to-cluster.sql"},
 	}
 }
 

diff --git a/migration/migration_blackbox_test.go b/migration/migration_blackbox_test.go
@@ -84,6 +84,7 @@ func (s *MigrationTestSuite) TestMigrate() {
 	s.T().Run("testMigration003UniqueIndexOnClusterApiUrl", testMigration003UniqueIndexOnClusterApiUrl)
 	s.T().Run("testMigration004AddCapacityExhaustedToCluster", testMigration004AddCapacityExhaustedToCluster)
 	s.T().Run("testMigration005AlterClusterAPIURLIndexToUnique", testMigration005AlterClusterAPIURLIndexToUnique)
+	s.T().Run("testMigration006AddSaTokenEncryptedToCluster", testMigration006AddSaTokenEncryptedToCluster)
 }
 
 func testMigration001Cluster(t *testing.T) {
@@ -210,3 +211,31 @@ func testMigration005AlterClusterAPIURLIndexToUnique(t *testing.T) {
 
 	require.Error(t, err)
 }
+
+func testMigration006AddSaTokenEncryptedToCluster(t *testing.T) {
+	err := migrationsupport.Migrate(sqlDB, databaseName, migration.Steps()[:7])
+	require.NoError(t, err)
+
+	assert.True(t, dialect.HasColumn("cluster", "sa_token_encrypted"))
+
+	_, err = sqlDB.Exec(`INSERT INTO cluster (cluster_id, created_at, updated_at, name, url, console_url,
+                     metrics_url, logging_url, app_dns, sa_token, sa_username, sa_token_encrypted, token_provider_id,
+                     auth_client_id, auth_client_secret, auth_default_scope, type)
+			VALUES ('3eb0fb9a-b7d3-479f-9ec0-e5f93c7b1e53', now(), now(), 'exhausted', 'https://token-encrypted.api.cluster.com', 'https://console.cluster.com',
+			        'https://metrics.cluster.com', 'https://login.cluster.com', 'https://app.cluster.com', 'sometoken', 'dssas-sre', false, 'pr-id',
+			        'client-id', 'cleint-scr', 'somescope', 'OSD')`)
+	require.NoError(t, err)
+
+	// check if ALL the existing rows & new rows have the default value
+	rows, err := sqlDB.Query("SELECT sa_token_encrypted FROM cluster")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var sa_token_encrypted bool
+		err = rows.Scan(&sa_token_encrypted)
+		require.NoError(t, err)
+		assert.False(t, sa_token_encrypted)
+	}
+}
diff --git a/migration/sql-files/006-add-sa-token-encrypted-to-cluster.sql b/migration/sql-files/006-add-sa-token-encrypted-to-cluster.sql
@@ -0,0 +1,2 @@
+-- Store sa_token_encrypted for cluster
+ALTER TABLE cluster ADD COLUMN sa_token_encrypted boolean NOT NULL DEFAULT FALSE;