[nc] initial pipeline test, dev-pskctl

Signed-off-by: Nic Cheneweth <[email protected]>

Author: ncheneweth

.circleci/config.yml

@@ -1,9 +1,13 @@
 ---
 version: 2.1
 
+orbs:
+  op: twdps/[email protected]
+  do: twdps/[email protected]
+
 globals:
   - &context empc-lab
-  - &shell op run --env-file op.env -- /bin/bash -eo pipefail
+  - &executor-image twdps/circleci-python-builder:3.0.2
 
 on-push-main: &on-push-main
   branches:
@@ -21,89 +25,80 @@ commands:
 
   set-environment:
     parameters:
-      cluster:
-        description: target cluster
-        type: string
-        default: ""
-      tag:
-        description: image to deploy
+      tenant:
+        description: set tenant ENV
         type: string
-        default: dev.${CIRCLE_SHA1:0:7}
     steps:
-      - run:
-          name: set environment
-          command: |
-            op inject -i op.env -o $BASH_ENV
-            echo "export API_VERSION=<< parameters.tag >>" >> $BASH_ENV
-            source $BASH_ENV
-            op inject -i tpl/cosign.key.tpl -o cosign.key
-            op inject -i tpl/cosign.pub.tpl -o cosign.pub
-      - when:
-          condition: << parameters.cluster >>
-          steps:
-            - run:
-                name: set ~/.kube/config
-                command: |
-                  mkdir -p ~/.kube
-                  ENV=<< parameters.cluster >> op inject -i tpl/kubeconfig.tpl -o ~/.kube/config
+      - op/env:
+          env-file: op.<< parameters.tenant >>.env
 
 jobs:
 
-  deploy auth0 configuration:
+  configure-auth0-tenant:
+    description: configure auth0 tenant
+    docker:
+      - image: *executor-image
     parameters:
-      cluster:
-        description: target cluster
+      tenant:
+        description: auth0 tenant to configure
         type: string
-      namespace:
-        description: deploy to this env namespace
-        type: string
-      tag:
-        description: image to deploy
-        type: string
-    docker:
-      - image: twdps/circleci-python-builder:alpine-stable
     steps:
       - checkout
       - setup_remote_docker
       - set-environment:
-          cluster: << parameters.cluster >>
-          tag: << parameters.tag >>
+          tenant: << parameters.tenant >>
+      - run:
+          name: install requirements
+          command: pip install -r requirements.txt
       - run:
-          name: deploy hello-restful
-          command: |
-            helm upgrade hello-restful charts/hello-restful \
-                 --install --atomic --timeout 60s \
-                 --namespace demo-<< parameters.namespace>> \
-                 --values charts/hello-restful/values.yaml \
-                 --values charts/hello-restful/values-<< parameters.namespace >>.yaml \
-                 --set image.tag=<< parameters.tag >>
+          name: lint invoke tasks
+          command: pylint tasks
       - run:
-          name: test healthz endpoint
-          command: |
-            reponse=$(curl https://twdps.io/v1/hello/healthz)
-            if [[ $(echo $reponse | jq -r .status) != "ok" ]]; then
-                echo "error: healthz not ok"
-                exit 1
-            fi
-      # deploy observability
+          name: configure Auth0 tenant
+          command: inv idp.install
+      - run:
+          name: write tenant Application credentials to secrets store
+          command: bash scripts/write_client_credentials.sh
 
 workflows:
-  version: 2
 
-  development-build:
+  development tenant build:
     jobs:
-      - python/static-analysis:
-          name: static code analysis
+      - configure-auth0-tenant:
+          name: configure dev-pskctl tenant
           context: *context
-          shell: *shell
-          package-manager: *package-manager
-          install-dev: true
-          lint-path: api
-          report-coverage: codeclimate
-          after-checkout:
-            - run:
-                name: set API_VERSION
-                command: |
-                  echo "export API_VERSION=dev.${CIRCLE_SHA1:0:7}" >> $BASH_ENV
-                  source $BASH_ENV
+          tenant: dev-pskctl
           filters: *on-push-main
+
+  production tenant configuration:
+    jobs:
+      - configure-auth0-tenant:
+          name: configure pskctl tenant
+          context: *context
+          tenant: pskctl
+          filters: *on-tag-main
+
+      - do/release:
+          name: generate release notes
+          context: *context
+          on-tag: true
+          before-release:
+            - set-environment:
+                tenant: pskctl
+          requires:
+            - configure pskctl tenant
+          filters: *on-tag-main
+
+      - do/slack-bot:
+          name: post lab-events
+          context: *context
+          channel: lab-events
+          message: pskctl Auth0 tenant application release
+          include-link: true
+          include-tag: true
+          before-message:
+            - set-environment:
+                tenant: pskctl
+          requires:
+            - configure pskctl tenant
+          filters: *on-tag-main

.gitignore

@@ -2,4 +2,8 @@ get-token.sh
 .venv
 access_token
 source.env
-client_credentials.json
+client_credentials.json
+request-body/github-social-connection.json
+request-body/set-claims-as-github-teams-trigger-binding.json
+request-body/set-claims-as-github-teams.json
+actions/set-claims-as-github-teams.js

.pre-commit-config.yaml

@@ -0,0 +1,24 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: check-merge-conflict
+      - id: check-added-large-files
+      - id: check-json
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: forbid-new-submodules
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+  - repo: local
+    hooks:
+      - id: git-secrets
+        name: git-secrets
+        entry: git-secrets
+        language: system
+        args: ["--scan"]

.python-version

@@ -1 +1 @@
-3.11.2
+3.11.6

README.md

@@ -6,17 +6,27 @@
 	</p>
   <br />
   <h3>pskctl-auth0-management</h3>
-    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/github/license/ThoughtWorks-DPS/psk-aws-platform-vpc"></a> <a href="https://github.com"><img src="https://img.shields.io/badge/-social-blank.svg?style=social&logo=github"></a>
+    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/github/license/ThoughtWorks-DPS/pskctl-auth0-management"></a> <a href="https://github.com"><img src="https://img.shields.io/badge/-social-blank.svg?style=social&logo=github"></a>
 </div>
 <br />
 
-Configuration of Auth0 applications, social integrations, and actions to support the EMPC labs Platform Starter Kits command line tool (`pskctl`).  
+Configuration of Auth0 applications, social integrations, and actions to support the EMPC labs Platform Starter Kits engineering platform user experience.  
+
+PSK Platform access is based around team membership. If you are part of a team that has been authorized to use the platform, then you will have permission to interact with all of that particular teams resources on the platform.  
+
+The intended integration pattern is that all the SaaS developer tools are integrated into the organization's SSO provider. Generally, corporations have Okta (of which Auth0 is now a part) or another IDP (Azure AD) and this is used to create an authentication workflow with the tool. As the authorization experience is intended to be around team membership and we also want customers of the platform to be able to self-manage those teams, we will use GitHub as the oauth2 integration point for the platform. It is relatively straightforward to configure such an experience within GitHub itself (and most organization have) as far creating and managing teams in an authorized manner.  
+
+A User (customer, developer) has access to the platform by virtue of being added to a GitHub Team that has been onboarded.  
+
+The Auth0 tenant application created by this pipeline is used in two ways:  
+- An the 0auth2/oidc integration with each of the kubernetes cluster to enable bounded access to team resources on the cluster, and
+- to authN/Z calls to the custom platfom product APIs (typically using the platform cli `pskctl`).
 
 The oauth0/oidc flow required by the pskctl tool is available in the free tier of Auth0. Complete these [bootstrap](doc/bootstrap.md) steps as part of signing up for Auth0 and preparing for the pipeline managed Auth0 configuration.  
 
 With a management api token now available, this pipeline will perform the following tasks:
 
-* Create an application client to be used by the pskctl tool. 
+* Create an application client to be used by the pskctl tool.
 
 * Create a custom action that will run after a successful github social-authentication. The action fetches the Users teams for the integrated (above) github organization.  
 
@@ -28,45 +38,16 @@ The above results in the creation of an oauth2/oidc device-auth-flow endpoint th
 
 This endpoint implements the oauth2/oidc device-auth-flow. Using the pskctl cli, when you perform a `login` command, you will be provided a link. From your browser, proceed to the link and enter the provided device code. You must then authenticate to Github. This is performed via Githubs oauth service and no credential information is made available to Auth0.  
 
-In addition to this social-login connection, upon a successful github login, the auth0 application client will fetch the list of github teams the user is a member of the github organization. This list is included as a claim within the resulting id token. 
+In addition to this social-login connection, upon a successful github login, the auth0 application client will fetch the list of organization github teams in which the user is a member. This list is included as a claim within the resulting id token.
 
+The Auth0 tenant application is also integrated with the kubernetes clusters of the PSK engineering platform. The pskctl cli can also generate kubeconfig files that enable users to authenticate to the EKS cluster with permissions based on role bindings tied to the github team claims.  
 
 ### development
 
 The above github oauth app and auth0 management api tokens must be available in th environment for the python scripts to work. See op.*.env  
 
-
-
-
-
+These setting are all configurable in the request-body/TENANT.json file.
 - token expires after 1hr (3600)
 - can be refreshed (refresh token provided)
 - absolute lifetime for refresh for token in active use is 7 days (604800)
 - an idle token cannot be refreshed after 2days (172800)
-
-
-
-
-
-
-
-After completing the bootstrap steps, the github social connection in place and the Management API client endpoint available, now this repo pipeline can manage the Applications and Rules that define the functionality of our oidc endpoint.  
-
-The pipeline has three essential steps:
-
-1. Fetch a management api token to use for creating and updating Auth0 configuration
-2. Deploy the dev or prod tenant dpsctl application definitions
-3. Deploy all rules used by the dpsctl application login process
-
-Since Auth0 is not used to perform any authentication functions, the rules are the steps to take in constructing a jwt to return from a successful authentication.  
-
-In this case that means, if the user is a member of the github org where the github oauth-app is defined (in this case ThoughtWorks-DPS) then they will be able to successfully authenticate, after which:  
-
-* with the users own github access token, fetch all org teams of which the user is a member
-* insert those teams as a list into the returned idToken
-
-See repo pipeline for specific details.  
-
-
-
-