From d2fad3b280ef56f8da34bd5f82786e1344a1028d Mon Sep 17 00:00:00 2001
From: Jason Collins <47123298+jcollins-axway@users.noreply.github.com>
Date: Tue, 24 Oct 2023 10:00:01 -0700
Subject: [PATCH] APIGOV-26527 - add client_credentials auth flow for agent (#175)

* add client_credentials auth flow for agent
* docs
---
 README_discovery.md | 152 +++++++++++++-------------
 README_traceability.md | 104 +++++++++---------
 build/mulesoft_discovery_agent.yml | 2 +
 build/mulesoft_traceability_agent.yml | 2 +
 pkg/anypoint/client.go | 31 ++++--
 pkg/config/config.go | 22 +++-
 6 files changed, 175 insertions(+), 138 deletions(-)

diff --git a/README_discovery.md b/README_discovery.md
index 3c84d02..816aa47 100644
--- a/README_discovery.md
+++ b/README_discovery.md
@@ -30,82 +30,84 @@ The agents read their configuration from a YAML files or optionally from an envi ## Configuration Variables -| Variable Name | YAML Path | Description | **Location** / _Default_ | -| ------------------------------------------------------------------ | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | -| CENTRAL_AGENTNAME | central.agentname | Agent name to visualize the agent status in Amplify | | -| CENTRAL_ADDITIONALTAGS | central.additionalTags | Additional tag names to publish separated by a comma | | -| CENTRAL_APISERVERVERSION | central.apiServerVersion | Version of the API Server that the agent will communicate with | _v1alpha1_ | -| CENTRAL_APPENDDATAPLANETOTITLE | central.appenddataplanetotitle | When true appends the data plane title to the Consumer Instance description and title. 
When false, nothing is changed | true | -| CENTRAL_AUTH_CLIENTID | central.auth.clientId | The DOSA ID of the AMPLIFY Central Service Account created | **AMPLIFY Central -> Access -> Service Accounts** | -| CENTRAL_AUTH_KEYPASSWORD | central.auth.keyPassword | The password for the private key, if applicable | | -| CENTRAL_AUTH_PRIVATEKEY | central.auth.privateKey | The private key file path from the commands above | _./private_key.pem_ | -| CENTRAL_AUTH_PUBLICKEY | central.auth.publicKey | The public key file path from the commands above | _./public_key.pem_ | -| CENTRAL_AUTH_REALM | central.auth.realm | The Realm used to authenticate for AMPLIFY Central | _Broker_ | -| CENTRAL_AUTH_TIMEOUT | central.auth.timeout | The timeout to wait for the authentication server to respond (ns - default, us, ms, s, m, h) | _10s_ | -| CENTRAL_AUTH_URL | central.auth.url | The URL used to authenticate for AMPLIFY Central | __ | -| CENTRAL_ENVIRONMENT | central.environment | Environment eventually set by download kit in AMPLIFY Central | **Name of the AMPLIFY Central environment** | -| CENTRAL_MODE | central.mode | How to send endpoints back to Central. (publishToEnvironment = API Server, publishToEnvironmentAndCatalog = API Server and Catalog) | _publishToEnvironmentAndCatalog_ | -| CENTRAL_ORGANIZATIONID | central.organizationID | The Organization ID from AMPLIFY Central | **Platform -> Click User -> Organization** | -| CENTRAL_PLATFORMURL | central.platformURL | The URL to the platform instance being used to get user information such as email address used for smtp notifications | __ | -| CENTRAL_POLLINTERVAL | central.pollInterval | The frequency in which Central is polled for subscriptions (ns - default, us, ms, s, m, h) | _60s_ | -| CENTRAL_PROXYURL | central.proxyUrl | The url for the proxy for Amplify Central (e.g. ). If empty, no proxy is defined. | Internally, this value defaults to empty | -| CENTRAL_SSL_CIPHERSUITES | central.ssl.cipherSuites | An array of strings. 
It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | -| CENTRAL_SSL_INSECURESKIPVERIFY | central.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | -| CENTRAL_SSL_MAXVERSION | central.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | -| CENTRAL_SSL_MINVERSION | central.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | -| CENTRAL_SSL_NEXTPROTOS | central.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. 
| -| CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE | central.subscriptions.approval.mode | The mode for approving subscriptions on AMPLIFY Central (manual, auto, webhook) | _manual_ | -| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_AUTHSECRET | central.subscriptions.approval.webhook.authSecret | The authentication secret to pass to the subscription approval webhook (if any) | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_HEADERS | central.subscriptions.approval.webhook.headers | The headers to pass to the subscription approval webhook (if any). | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_URL | central.subscriptions.approval.webhook.url | The url for a subscription approval webhook (if any). CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE must be set to "webhook" for webhooks to be invoked | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_AUTHTYPE | central.subscriptions.approval.notifications.smtp.authtype | The authentication type based on the email server. 
You may have to refer to the email server properties and specifications | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_FROMADDRESS | central.subscriptions.notifications.smtp.fromaddress | Email address which will represent the sender | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_HOST | central.subscriptions.notifications.smtp.host | SMTP server where the email notifications will originate from | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PASSWORD | central.subscriptions.approval.notifications.smtp.password | Login password for the SMTP server | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PORT | central.subscriptions.notifications.smtp.port | Port of the SMTP server | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_APIKEYS | central.subscriptions.notifications.smtp.subscribe.apikeys | Body of the email notification for action subscribe on APIKey authorization if your API is secured using an APIKey credential:header:{keyHeaderName}/value:${key} | Internally, this value defaults to "Your API is secured using an APIKey credential: header: ${keyHeaderName} / value: ${key}" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_BODY | central.subscriptions.approval.notifications.smtp.subscribe.body | Body of the email notification for action subscribe. | Internally, this value defaults to "Subscription created for Catalog Item: ${catalogItemName}
${authtemplate}
" | +| Variable Name | YAML Path | Description | **Location** / _Default_ | +|--------------------------------------------------------------------|---------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CENTRAL_AGENTNAME | central.agentname | Agent name to visualize the agent status in Amplify | | +| CENTRAL_ADDITIONALTAGS | central.additionalTags | Additional tag names to publish separated by a comma | | +| CENTRAL_APISERVERVERSION | central.apiServerVersion | Version of the API Server that the agent will communicate with | _v1alpha1_ | +| CENTRAL_APPENDDATAPLANETOTITLE | central.appenddataplanetotitle | When true appends the data plane title to the Consumer Instance description and title. 
When false, nothing is changed | true | +| CENTRAL_AUTH_CLIENTID | central.auth.clientId | The DOSA ID of the AMPLIFY Central Service Account created | **AMPLIFY Central -> Access -> Service Accounts** | +| CENTRAL_AUTH_KEYPASSWORD | central.auth.keyPassword | The password for the private key, if applicable | | +| CENTRAL_AUTH_PRIVATEKEY | central.auth.privateKey | The private key file path from the commands above | _./private_key.pem_ | +| CENTRAL_AUTH_PUBLICKEY | central.auth.publicKey | The public key file path from the commands above | _./public_key.pem_ | +| CENTRAL_AUTH_REALM | central.auth.realm | The Realm used to authenticate for AMPLIFY Central | _Broker_ | +| CENTRAL_AUTH_TIMEOUT | central.auth.timeout | The timeout to wait for the authentication server to respond (ns - default, us, ms, s, m, h) | _10s_ | +| CENTRAL_AUTH_URL | central.auth.url | The URL used to authenticate for AMPLIFY Central | __ | +| CENTRAL_ENVIRONMENT | central.environment | Environment eventually set by download kit in AMPLIFY Central | **Name of the AMPLIFY Central environment** | +| CENTRAL_MODE | central.mode | How to send endpoints back to Central. (publishToEnvironment = API Server, publishToEnvironmentAndCatalog = API Server and Catalog) | _publishToEnvironmentAndCatalog_ | +| CENTRAL_ORGANIZATIONID | central.organizationID | The Organization ID from AMPLIFY Central | **Platform -> Click User -> Organization** | +| CENTRAL_PLATFORMURL | central.platformURL | The URL to the platform instance being used to get user information such as email address used for smtp notifications | __ | +| CENTRAL_POLLINTERVAL | central.pollInterval | The frequency in which Central is polled for subscriptions (ns - default, us, ms, s, m, h) | _60s_ | +| CENTRAL_PROXYURL | central.proxyUrl | The url for the proxy for Amplify Central (e.g. ). If empty, no proxy is defined. | Internally, this value defaults to empty | +| CENTRAL_SSL_CIPHERSUITES | central.ssl.cipherSuites | An array of strings. 
It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | +| CENTRAL_SSL_INSECURESKIPVERIFY | central.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | +| CENTRAL_SSL_MAXVERSION | central.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | +| CENTRAL_SSL_MINVERSION | central.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | +| CENTRAL_SSL_NEXTPROTOS | central.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. 
| +| CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE | central.subscriptions.approval.mode | The mode for approving subscriptions on AMPLIFY Central (manual, auto, webhook) | _manual_ | +| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_AUTHSECRET | central.subscriptions.approval.webhook.authSecret | The authentication secret to pass to the subscription approval webhook (if any) | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_HEADERS | central.subscriptions.approval.webhook.headers | The headers to pass to the subscription approval webhook (if any). | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_URL | central.subscriptions.approval.webhook.url | The url for a subscription approval webhook (if any). CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE must be set to "webhook" for webhooks to be invoked | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_AUTHTYPE | central.subscriptions.approval.notifications.smtp.authtype | The authentication type based on the email server. 
You may have to refer to the email server properties and specifications | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_FROMADDRESS | central.subscriptions.notifications.smtp.fromaddress | Email address which will represent the sender | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_HOST | central.subscriptions.notifications.smtp.host | SMTP server where the email notifications will originate from | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PASSWORD | central.subscriptions.approval.notifications.smtp.password | Login password for the SMTP server | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PORT | central.subscriptions.notifications.smtp.port | Port of the SMTP server | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_APIKEYS | central.subscriptions.notifications.smtp.subscribe.apikeys | Body of the email notification for action subscribe on APIKey authorization if your API is secured using an APIKey credential:header:{keyHeaderName}/value:${key} | Internally, this value defaults to "Your API is secured using an APIKey credential: header: ${keyHeaderName} / value: ${key}" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_BODY | central.subscriptions.approval.notifications.smtp.subscribe.body | Body of the email notification for action subscribe. | Internally, this value defaults to "Subscription created for Catalog Item: ${catalogItemName}
${authtemplate}
" | | CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_OAUTH | central.subscriptions.notifications.smtp.subscribe.oauth | Body of the email notification for action subscribe on OAuth authorization if your API is secured using OAuth token. You can obtain your token using grant_type=client_credentials with the following client_id=${clientID} and client_secret=${clientSecret} | Internally, this value defaults to "Your API is secured using OAuth token. You can obtain your token using grant_type=client_credentials with the following client_id=${clientID} and client_secret=${clientSecret}" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_SUBJECT | central.subscriptions.approval.notifications.smtp.subscribe.subject | Subject of the email notification for action subscribe. | Internally, this value defaults to "Subscription Notification" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.subscribedfailed.body | Body of the email notification for action subscribe failed. | Internally, this value defaults to "Could not subscribe to CatalogItem: ${catalogItemName}" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.subscribefailed.subject | Subject of the email notification for action subscribe failed. | Internally, this value defaults to "Subscription Failed Notification" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_BODY | central.subscriptions.notifications.smtp.unsubscribe.body | Body of the email notification for action unsubscribe. | Internally, this value defaults to "Subscription for Catalog Item: ${catalogItemName} has been unsubscribed" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_SUBJECT | central.subscriptions.notifications.smtp.unsbuscribe.subject | Subject of the email notification for action unsubscribe. 
| Internally, this value defaults to "Subscription Removal Notification" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.unsbuscribedfailed.body | Body of the email notification for action unsubscribe failed. | Internally, this value defaults to "Could not unsubscribe to Catalog Item: ${catalogItemName}" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.unsubscribefailed.subject | Subject of the email notification for action unsubscribe failed. | Internally, this value defaults to "Subscription Removal Failed" | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_USERNAME | central.subscriptions.notifications.smtp.username | Login user for the SMTP server | Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_HEADERS | central.subscriptions.notifications.webhook.headers | Information used to verify the webhook. Provided by the customer, and may include such information as contentType and Authorization. 
| Internally, this value defaults to empty | -| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_URL | central.subscriptions.notifications.webhook.url | URL where the webhook server is defined | Internally, this value defaults to empty | -| CENTRAL_TEAM | central.team | The Team name in AMPLIFY Central that all published APIs will be linked to | **AMPLIFY Central -> Access -> Teams** | -| CENTRAL_URL | central.url | The URL to the AMPLIFY Central instance being used for this discovery agent | __ | -| LOG_FILE_CLEANBACKUPS | log.file.cleanbackups | The max age of a backup file, in days | _0_ | -| LOG_FILE_KEEPFILES | log.file.keepfiles | The max number of log file backups to keep | _7_ | -| LOG_FILE_NAME | log.file.name | The name of the log files | [[Agent executable name]].log | -| LOG_FILE_PATH | log.file.path | The path (relative or absolute) to save logs files, if output type file or both | _logs_ | -| LOG_FILE_ROTATEEVERYMEGABYTES | log.file.rotateeverymegabytes | The max size, in megabytes that a log file can grow to | _100_ | -| LOG_FORMAT | log.format | The format to print log messages (json, line, package) | _json_ | -| LOG_LEVEL | log.level | The log level for output messages (debug, info, warn, error) | _info_ | -| LOG_MASKEDVALUES | log.maskedValues | Comma-separated list of key words to identify within the agent config and used to mask its corresponding sensitive data. Key words are matched by whole words and are case sensitive | (empty value list) | -| LOG_OUTPUT | log.output | The output for the log lines (stdout, file, both) | _stdout_ | -| MULESOFT_ANYPOINTEXCHANGEURL | mulesoft.anypointExchangeUrl | Mulesoft Anypoint Exchange URL | | -| MULESOFT_AUTH_LIFETIME | mulesoft.auth.lifetime | The session lifetime. 
The agent will automatically refresh the access token as it approaches the end of its lifetime | 60m | -| MULESOFT_AUTH_PASSWORD | mulesoft.auth.password | The password for the Mulesoft Anypoint username created for this agent | | -| MULESOFT_AUTH_USERNAME | mulesoft.auth.username | The Mulesoft Anypoint username created for this agent | | -| MULESOFT_CACHEPATH | mulesoft.cachePath | Path entry to store stateful cache between agent invocations | _/tmp_ | -| MULESOFT_DISCOVERYIGNORETAGS | mulesoft.discoveryIgnoreTags | Comma-separated black list of tags that, if any are present, will prevent an API being publised to Amplify Central. Take precedence over MULESOFT_DISCOVERYTAGS | (empty tag list) | -| MULESOFT_DISCOVERYTAGS | mulesoft.discoveryTags | Comma-separated list of tags that, if any are present, will allow an API to be publised to Amplify Central. All APIs are discovered if not tags are specified | (empty tag list) | -| MULESOFT_ENVIRONMENT | mulesoft.environment | The Mulesoft Anypoint Exchange the agent connects to, e.g. Sandbox. | | -| MULESOFT_ORGNAME | mulesoft.orgName | The Mulesoft Anypoint Business Unit the agent connects to | | -| MULESOFT_POLLINTERVAL | mulesoft.pollInterval | The frequency in which Mulesoft API Manager is polled for new endpoints. | _30s_ | -| MULESOFT_PROXYURL | mulesoft.proxyUrl | The url for the proxy for API Manager (e.g. ). If empty, no proxy is defined. | Internally, this value defaults to empty | -| MULESOFT_SSL_CIPHERSUITES | mulesoft.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. 
| [See below](#default-cipher-suites) for default cipher suite setting | -| MULESOFT_SSL_INSECURESKIPVERIFY | mulesoft.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | -| MULESOFT_SSL_MAXVERSION | mulesoft.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | -| MULESOFT_SSL_MINVERSION | mulesoft.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | -| MULESOFT_SSL_NEXTPROTOS | mulesoft.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. | -| STATUS_HEALTHCHECKINTERVAL | status.healthCheckInterval | Time in seconds between running periodic health checker (binary agents only). Allowed values are from 30 to 300 seconds. | _30s_ | -| STATUS_HEALTHCHECKPERIOD | status.healthCheckPeriod | Time in minutes allotted for services to be ready before exiting the agent. Allowed values are from 1 to 5 minutes. | _3m_ | -| STATUS_PORT | status.port | The port that the healthcheck endpoint will listen on | _8989_ | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_SUBJECT | central.subscriptions.approval.notifications.smtp.subscribe.subject | Subject of the email notification for action subscribe. 
| Internally, this value defaults to "Subscription Notification" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.subscribedfailed.body | Body of the email notification for action subscribe failed. | Internally, this value defaults to "Could not subscribe to CatalogItem: ${catalogItemName}" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.subscribefailed.subject | Subject of the email notification for action subscribe failed. | Internally, this value defaults to "Subscription Failed Notification" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_BODY | central.subscriptions.notifications.smtp.unsubscribe.body | Body of the email notification for action unsubscribe. | Internally, this value defaults to "Subscription for Catalog Item: ${catalogItemName} has been unsubscribed" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_SUBJECT | central.subscriptions.notifications.smtp.unsbuscribe.subject | Subject of the email notification for action unsubscribe. | Internally, this value defaults to "Subscription Removal Notification" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.unsbuscribedfailed.body | Body of the email notification for action unsubscribe failed. | Internally, this value defaults to "Could not unsubscribe to Catalog Item: ${catalogItemName}" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.unsubscribefailed.subject | Subject of the email notification for action unsubscribe failed. 
| Internally, this value defaults to "Subscription Removal Failed" | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_USERNAME | central.subscriptions.notifications.smtp.username | Login user for the SMTP server | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_HEADERS | central.subscriptions.notifications.webhook.headers | Information used to verify the webhook. Provided by the customer, and may include such information as contentType and Authorization. | Internally, this value defaults to empty | +| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_URL | central.subscriptions.notifications.webhook.url | URL where the webhook server is defined | Internally, this value defaults to empty | +| CENTRAL_TEAM | central.team | The Team name in AMPLIFY Central that all published APIs will be linked to | **AMPLIFY Central -> Access -> Teams** | +| CENTRAL_URL | central.url | The URL to the AMPLIFY Central instance being used for this discovery agent | __ | +| LOG_FILE_CLEANBACKUPS | log.file.cleanbackups | The max age of a backup file, in days | _0_ | +| LOG_FILE_KEEPFILES | log.file.keepfiles | The max number of log file backups to keep | _7_ | +| LOG_FILE_NAME | log.file.name | The name of the log files | [[Agent executable name]].log | +| LOG_FILE_PATH | log.file.path | The path (relative or absolute) to save logs files, if output type file or both | _logs_ | +| LOG_FILE_ROTATEEVERYMEGABYTES | log.file.rotateeverymegabytes | The max size, in megabytes that a log file can grow to | _100_ | +| LOG_FORMAT | log.format | The format to print log messages (json, line, package) | _json_ | +| LOG_LEVEL | log.level | The log level for output messages (debug, info, warn, error) | _info_ | +| LOG_MASKEDVALUES | log.maskedValues | Comma-separated list of key words to identify within the agent config and used to mask its corresponding sensitive data. 
Key words are matched by whole words and are case sensitive | (empty value list) | +| LOG_OUTPUT | log.output | The output for the log lines (stdout, file, both) | _stdout_ | +| MULESOFT_ANYPOINTEXCHANGEURL | mulesoft.anypointExchangeUrl | Mulesoft Anypoint Exchange URL | | +| MULESOFT_AUTH_LIFETIME | mulesoft.auth.lifetime | The session lifetime. The agent will automatically refresh the access token as it approaches the end of its lifetime | 60m | +| MULESOFT_AUTH_PASSWORD | mulesoft.auth.password | The password for the Mulesoft Anypoint username created for this agent | | +| MULESOFT_AUTH_USERNAME | mulesoft.auth.username | The Mulesoft Anypoint username created for this agent | | +| MULESOFT_AUTH_CLIENTID | mulesoft.auth.clientID | The client id for the environment the agent will connect to | | +| MULESOFT_AUTH_CLIENTSECRET | mulesoft.auth.clientSecret | The client secret for the environment the agent will connect to | | +| MULESOFT_CACHEPATH | mulesoft.cachePath | Path entry to store stateful cache between agent invocations | _/tmp_ | +| MULESOFT_DISCOVERYIGNORETAGS | mulesoft.discoveryIgnoreTags | Comma-separated black list of tags that, if any are present, will prevent an API being publised to Amplify Central. Take precedence over MULESOFT_DISCOVERYTAGS | (empty tag list) | +| MULESOFT_DISCOVERYTAGS | mulesoft.discoveryTags | Comma-separated list of tags that, if any are present, will allow an API to be publised to Amplify Central. All APIs are discovered if not tags are specified | (empty tag list) | +| MULESOFT_ENVIRONMENT | mulesoft.environment | The Mulesoft Anypoint Exchange the agent connects to, e.g. Sandbox. | | +| MULESOFT_ORGNAME | mulesoft.orgName | The Mulesoft Anypoint Business Unit the agent connects to | | +| MULESOFT_POLLINTERVAL | mulesoft.pollInterval | The frequency in which Mulesoft API Manager is polled for new endpoints. | _30s_ | +| MULESOFT_PROXYURL | mulesoft.proxyUrl | The url for the proxy for API Manager (e.g. ). 
If empty, no proxy is defined. | Internally, this value defaults to empty | +| MULESOFT_SSL_CIPHERSUITES | mulesoft.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | +| MULESOFT_SSL_INSECURESKIPVERIFY | mulesoft.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | +| MULESOFT_SSL_MAXVERSION | mulesoft.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | +| MULESOFT_SSL_MINVERSION | mulesoft.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | +| MULESOFT_SSL_NEXTPROTOS | mulesoft.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. | +| STATUS_HEALTHCHECKINTERVAL | status.healthCheckInterval | Time in seconds between running periodic health checker (binary agents only). Allowed values are from 30 to 300 seconds. 
| _30s_ | +| STATUS_HEALTHCHECKPERIOD | status.healthCheckPeriod | Time in minutes allotted for services to be ready before exiting the agent. Allowed values are from 1 to 5 minutes. | _3m_ | +| STATUS_PORT | status.port | The port that the healthcheck endpoint will listen on | _8989_ | ### Supported Cipher Suites diff --git a/README_traceability.md b/README_traceability.md index 6310b37..5ec64f3 100644 --- a/README_traceability.md +++ b/README_traceability.md 
@@ -32,57 +32,59 @@ The agents read their configuration from a YAML files or optionally from an envi - The following are all of the Environment variables that can be set, they will override the defaults -| Variable Name | YAML Path |Description | **Location** / _Default_ | -| ------------------------------ | ---------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | -| CENTRAL_AGENTNAME | central.agentname | Agent name to visualize the agent status in Amplify | | -| CENTRAL_AUTH_CLIENTID | central.auth.clientId |The DOSA ID of the AMPLIFY Central Service Account created | **AMPLIFY Central -> Access -> Service Accounts** | -| CENTRAL_AUTH_KEYPASSWORD | central.auth.keyPassword |The password for the private key, if applicable | | -| CENTRAL_AUTH_PRIVATEKEY | central.auth.privateKey |The private key file path from the commands above | _/keys/private_key.pem_ | -| CENTRAL_AUTH_PUBLICKEY | central.auth.publicKey |The public key file path from the commands above | _/keys/public_key.pem_ | -| CENTRAL_AUTH_REALM | central.auth.realm |The Realm used to authenticate for AMPLIFY Central | _Broker_ | -| CENTRAL_AUTH_URL | central.auth.url |The URL used to authenticate for AMPLIFY Central | __ | -| CENTRAL_DEPLOYMENT | central.deployment |The AMPLIFY Central deployment environment (beano, dev, prod, preprod) | _prod_ | -| CENTRAL_ENVIRONMENT | central.environment |The Environment Name for the AMPLIFY Central Environment | **See Instructions below** | -| CENTRAL_ORGANIZATIONID | central.platformURL |The Organization ID from AMPLIFY Central | **Platform -> Click User -> Organization** | -| CENTRAL_SSL_CIPHERSUITES | 
central.ssl.cipherSuites |An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | -| CENTRAL_SSL_INSECURESKIPVERIFY | central.ssl.insecureSkipVerify |InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | -| CENTRAL_SSL_MAXVERSION | central.ssl.maxVersion |String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | -| CENTRAL_SSL_MINVERSION | central.ssl.minVersion |String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | -| CENTRAL_SSL_NEXTPROTOS | central.ssl.nextProtos |An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. 
| -| CENTRAL_URL | central.URL |The URL to the AMPLIFY Central instance being used for this traceability agent | __ | -| LOG_FORMAT | log.format |The format to print log messages (json, line, package) | _json_ | -| LOG_LEVEL | log.level |The log level for output messages (debug, info, warn, error) | _info_ | -| LOG_OUTPUT | log.output |The output for the log lines (stdout, file, both) | _stdout_ | -| LOG_PATH | log.path |The path (relative or absolute) to save logs files, if output type file or both | _logs_ | -| MULESOFT_ANYPOINTEXCHANGEURL | mulesoft.anypointExchangeUrl | MuleSoft Anypoint Exchange URL | | -| MULESOFT_AUTH_LIFETIME | mulesoft.auth.lifetime | The session lifetime. The agent will automatically refresh the access token as it approaches the end of its lifetime | 60m | -| MULESOFT_AUTH_PASSWORD | mulesoft.auth.password | The password for the MuleSoft Anypoint username created for this agent | | -| MULESOFT_AUTH_USERNAME | mulesoft.auth.username | The MuleSoft Anypoint username created for this agent | | -| MULESOFT_CACHEPATH | mulesoft.cachePath | Path entry to store stateful cache between agent invocations | _/tmp_ | -| MULESOFT_ENVIRONMENT | mulesoft.environment | The MuleSoft Anypoint Exchange the agent connects to, e.g. Sandbox. | | -| MULESOFT_ORGNAME | mulesoft.orgName | The MuleSoft Anypoint Business Unit the agent connects to | | -| MULESOFT_POLLINTERVAL | mulesoft.pollInterval | The frequency in which MuleSoft API Manager is polled for new endpoints. | _30s_ | -| MULESOFT_PROXYURL | mulesoft.proxyUrl | The url for the proxy for API Manager (e.g. ). If empty, no proxy is defined. | Internally, this value defaults to empty | -| MULESOFT_SSL_CIPHERSUITES | mulesoft.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. 
[See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | -| MULESOFT_SSL_INSECURESKIPVERIFY | mulesoft.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | -| MULESOFT_SSL_MAXVERSION | mulesoft.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | -| MULESOFT_SSL_MINVERSION | mulesoft.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | -| MULESOFT_SSL_NEXTPROTOS | mulesoft.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. | -| STATUS_HEALTHCHECKINTERVAL | sstatus.healthCheckInterval |Time in seconds between running periodic health checker (binary agents only). Allowed values are from 30 to 300 seconds. | _30s_ | -| STATUS_HEALTHCHECKPERIOD | status.healthCheckPeriod |Time in minutes allotted for services to be ready before exiting the agent. Allowed values are from 1 to 5 minutes. | _3m_ | -| STATUS_PORT | status.port |The port that the healthcheck endpoint will listen on | _8989_ | -| TRACEABILITY_COMPRESSIONLEVEL | output.traceability.compression_level |The gzip compression level for the output event. 
Setting this to 0 will disable the compression | Defaults to _3_ | -| TRACEABILITY_HOST | output.traceability.host |Host name and port of the ingestion service to forward the transaction log entries, | _ingestion-lumberjack.datasearch.axway.com:453_ | -| TRACEABILITY_PROTOCOL | output.traceability.protocol |Protocol(https or tcp) to be used for communicating with ingestion service | tcp | -| TRACEABILITY_PROXYURL | output.traceability.proxy_url |The url for the proxy for ingestion service (e.g. socks5://hostname:port). If empty, no proxy is defined. | Internally, this value defaults to empty | -| TRACEABILITY_PROXYURL | output.traceability.proxy_url |The url for the proxy for ingestion service (e.g. socks5://hostname:port). If empty, no proxy is defined. | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_PATH_SHOW| output.traceability.redaction.path.show |The redaction environment variable to set a Regex expression to show Paths | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_QUERYARGUMENT_SHOW| output.traceability.redaction.queryargument.show |The redaction environment variable to set a Regex expression to show Query Params | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_QUERYARGUMENT_SANITIZE| output.traceability.redaction.queryargument.sanitize |The redaction environment variable to set a Regex expression to sanitize Query Params | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_REQUESTHEADER_SHOW| output.traceability.redaction.requestheader.show |The redaction environment variable to set a Regex expression to show Request headers | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_REQUESTHEADER_SANITIZE| output.traceability.redaction.requestheader.sanitize |The redaction environment variable to set a Regex expression to sanitize Request headers | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_RESPONSEHEADER_SHOW| 
output.traceability.redaction.response.show |The redaction environment variable to set a Regex expression to show Response headers | Internally, this value defaults to empty | -| TRACEABILITY_REDACTION_RESPONSEHEADER_SANITIZE| output.traceability.redaction.responseheader.sanitize |The redaction environment variable to set a Regex expression to sanitize Response headers | Internally, this value defaults to empty | +| Variable Name | YAML Path | Description | **Location** / _Default_ | +|------------------------------------------------|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------| +| CENTRAL_AGENTNAME | central.agentname | Agent name to visualize the agent status in Amplify | | +| CENTRAL_AUTH_CLIENTID | central.auth.clientId | The DOSA ID of the AMPLIFY Central Service Account created | **AMPLIFY Central -> Access -> Service Accounts** | +| CENTRAL_AUTH_KEYPASSWORD | central.auth.keyPassword | The password for the private key, if applicable | | +| CENTRAL_AUTH_PRIVATEKEY | central.auth.privateKey | The private key file path from the commands above | _/keys/private_key.pem_ | +| CENTRAL_AUTH_PUBLICKEY | central.auth.publicKey | The public key file path from the commands above | _/keys/public_key.pem_ | +| CENTRAL_AUTH_REALM | central.auth.realm | The Realm used to authenticate for AMPLIFY Central | _Broker_ | +| CENTRAL_AUTH_URL | central.auth.url | The URL used to authenticate for AMPLIFY Central | __ | +| CENTRAL_DEPLOYMENT | central.deployment | The AMPLIFY Central deployment environment (beano, dev, prod, preprod) | _prod_ | +| CENTRAL_ENVIRONMENT | central.environment | The Environment 
Name for the AMPLIFY Central Environment | **See Instructions below** | +| CENTRAL_ORGANIZATIONID | central.platformURL | The Organization ID from AMPLIFY Central | **Platform -> Click User -> Organization** | +| CENTRAL_SSL_CIPHERSUITES | central.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | +| CENTRAL_SSL_INSECURESKIPVERIFY | central.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | +| CENTRAL_SSL_MAXVERSION | central.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | +| CENTRAL_SSL_MINVERSION | central.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | +| CENTRAL_SSL_NEXTPROTOS | central.ssl.nextProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. 
| +| CENTRAL_URL | central.URL | The URL to the AMPLIFY Central instance being used for this traceability agent | __ | +| LOG_FORMAT | log.format | The format to print log messages (json, line, package) | _json_ | +| LOG_LEVEL | log.level | The log level for output messages (debug, info, warn, error) | _info_ | +| LOG_OUTPUT | log.output | The output for the log lines (stdout, file, both) | _stdout_ | +| LOG_PATH | log.path | The path (relative or absolute) to save logs files, if output type file or both | _logs_ | +| MULESOFT_ANYPOINTEXCHANGEURL | mulesoft.anypointExchangeUrl | MuleSoft Anypoint Exchange URL | | +| MULESOFT_AUTH_LIFETIME | mulesoft.auth.lifetime | The session lifetime. The agent will automatically refresh the access token as it approaches the end of its lifetime | 60m | +| MULESOFT_AUTH_PASSWORD | mulesoft.auth.password | The password for the MuleSoft Anypoint username created for this agent | | +| MULESOFT_AUTH_USERNAME | mulesoft.auth.username | The MuleSoft Anypoint username created for this agent | | +| MULESOFT_AUTH_CLIENTID | mulesoft.auth.clientID | The client id for the environment the agent will connect to | | +| MULESOFT_AUTH_CLIENTSECRET | mulesoft.auth.clientSecret | The client secret for the environment the agent will connect to | | +| MULESOFT_CACHEPATH | mulesoft.cachePath | Path entry to store stateful cache between agent invocations | _/tmp_ | +| MULESOFT_ENVIRONMENT | mulesoft.environment | The MuleSoft Anypoint Exchange the agent connects to, e.g. Sandbox. | | +| MULESOFT_ORGNAME | mulesoft.orgName | The MuleSoft Anypoint Business Unit the agent connects to | | +| MULESOFT_POLLINTERVAL | mulesoft.pollInterval | The frequency in which MuleSoft API Manager is polled for new endpoints. | _30s_ | +| MULESOFT_PROXYURL | mulesoft.proxyUrl | The url for the proxy for API Manager (e.g. ). If empty, no proxy is defined. 
| Internally, this value defaults to empty | +| MULESOFT_SSL_CIPHERSUITES | mulesoft.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. [See below](#supported-cipher-suites) for currently supported cipher suites. | [See below](#default-cipher-suites) for default cipher suite setting | +| MULESOFT_SSL_INSECURESKIPVERIFY | mulesoft.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false | +| MULESOFT_SSL_MAXVERSION | mulesoft.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty | +| MULESOFT_SSL_MINVERSION | mulesoft.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 | +| MULESOFT_SSL_NEXTPROTOS | mulesoft.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. | +| STATUS_HEALTHCHECKINTERVAL | sstatus.healthCheckInterval | Time in seconds between running periodic health checker (binary agents only). Allowed values are from 30 to 300 seconds. 
| _30s_ | +| STATUS_HEALTHCHECKPERIOD | status.healthCheckPeriod | Time in minutes allotted for services to be ready before exiting the agent. Allowed values are from 1 to 5 minutes. | _3m_ | +| STATUS_PORT | status.port | The port that the healthcheck endpoint will listen on | _8989_ | +| TRACEABILITY_COMPRESSIONLEVEL | output.traceability.compression_level | The gzip compression level for the output event. Setting this to 0 will disable the compression | Defaults to _3_ | +| TRACEABILITY_HOST | output.traceability.host | Host name and port of the ingestion service to forward the transaction log entries, | _ingestion-lumberjack.datasearch.axway.com:453_ | +| TRACEABILITY_PROTOCOL | output.traceability.protocol | Protocol(https or tcp) to be used for communicating with ingestion service | tcp | +| TRACEABILITY_PROXYURL | output.traceability.proxy_url | The url for the proxy for ingestion service (e.g. socks5://hostname:port). If empty, no proxy is defined. | Internally, this value defaults to empty | +| TRACEABILITY_PROXYURL | output.traceability.proxy_url | The url for the proxy for ingestion service (e.g. socks5://hostname:port). If empty, no proxy is defined. 
| Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_PATH_SHOW | output.traceability.redaction.path.show | The redaction environment variable to set a Regex expression to show Paths | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_QUERYARGUMENT_SHOW | output.traceability.redaction.queryargument.show | The redaction environment variable to set a Regex expression to show Query Params | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_QUERYARGUMENT_SANITIZE | output.traceability.redaction.queryargument.sanitize | The redaction environment variable to set a Regex expression to sanitize Query Params | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_REQUESTHEADER_SHOW | output.traceability.redaction.requestheader.show | The redaction environment variable to set a Regex expression to show Request headers | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_REQUESTHEADER_SANITIZE | output.traceability.redaction.requestheader.sanitize | The redaction environment variable to set a Regex expression to sanitize Request headers | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_RESPONSEHEADER_SHOW | output.traceability.redaction.response.show | The redaction environment variable to set a Regex expression to show Response headers | Internally, this value defaults to empty | +| TRACEABILITY_REDACTION_RESPONSEHEADER_SANITIZE | output.traceability.redaction.responseheader.sanitize | The redaction environment variable to set a Regex expression to sanitize Response headers | Internally, this value defaults to empty | For the redaction based environment variables, please refer to [Setting up Redaction](https://axway-open-docs.netlify.app/docs/central/connected_agent_common_reference/trace_redaction/) diff --git a/build/mulesoft_discovery_agent.yml b/build/mulesoft_discovery_agent.yml index 6f01f21..fe7403c 100644 --- a/build/mulesoft_discovery_agent.yml 
+++ b/build/mulesoft_discovery_agent.yml
@@ -40,4 +40,6 @@ mulesoft:
   auth:
     username:
     password:
+    clientID:
+    clientSecret:
diff --git a/build/mulesoft_traceability_agent.yml b/build/mulesoft_traceability_agent.yml
index ee2d702..703add8 100644
--- a/build/mulesoft_traceability_agent.yml
+++ b/build/mulesoft_traceability_agent.yml
@@ -47,6 +47,8 @@ mulesoft_traceability_agent:
   auth:
     username: "${MULESOFT_AUTH_USERNAME}"
     password: "${MULESOFT_AUTH_PASSWORD}"
+    clientID: "${MULESOFT_AUTH_CLIENTID}"
+    clientSecret: "${MULESOFT_AUTH_CLIENTSECRET}"
   agentFeatures:
     persistCache: ${AGENTFEATURES_PERSISTCACHE}
     marketplaceProvisioning: ${AGENTFEATURES_MARKETPLACEPROVISIONING}
diff --git a/pkg/anypoint/client.go b/pkg/anypoint/client.go
index a1b3a59..efc3d1a 100644
--- a/pkg/anypoint/client.go
+++ b/pkg/anypoint/client.go
@@ -65,14 +65,16 @@ type ListAssetClient interface {
 // AnypointClient is the client for interacting with Mulesoft Anypoint.
 type AnypointClient struct {
-	baseURL     string
-	username    string
-	password    string
-	lifetime    time.Duration
-	apiClient   coreapi.Client
-	auth        Auth
-	environment *Environment
-	orgName     string
+	baseURL      string
+	username     string
+	password     string
+	clientID     string
+	clientSecret string
+	lifetime     time.Duration
+	apiClient    coreapi.Client
+	auth         Auth
+	environment  *Environment
+	orgName      string
 }
 
 type ClientOptions func(*AnypointClient)
@@ -101,6 +103,8 @@ func (c *AnypointClient) OnConfigChange(mulesoftConfig *config.MulesoftConfig) {
 	c.baseURL = mulesoftConfig.AnypointExchangeURL
 	c.username = mulesoftConfig.Username
 	c.password = mulesoftConfig.Password
+	c.clientID = mulesoftConfig.ClientID
+	c.clientSecret = mulesoftConfig.ClientSecret
 	c.orgName = mulesoftConfig.OrgName
 	c.lifetime = mulesoftConfig.SessionLifetime
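Review bot: The new `clientSecret:` key in the discovery template is left as a literal value to be filled in on disk, whereas the traceability template in the next hunk reads the same setting from `${MULESOFT_AUTH_CLIENTSECRET}`; a connected-app secret typed into the YAML file sits there with whatever permissions the config file has, so the env-substitution form is the safer default here as well, e.g. `clientSecret: "${MULESOFT_AUTH_CLIENTSECRET}"`. This does follow the file's existing style for `password:`, so if the discovery build file is intentionally a bare skeleton, a comment noting that the value can instead be supplied through `MULESOFT_AUTH_CLIENTSECRET` would at least point operators to that option.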
@@ -143,10 +147,19 @@ func (c *AnypointClient) healthcheck(name string) (status *hc.Status) {
 // GetAccessToken retrieves a token
 func (c *AnypointClient) GetAccessToken() (string, *User, time.Duration, error) {
+	url := c.baseURL + "/accounts/login"
 	body := map[string]string{
 		"username": c.username,
 		"password": c.password,
 	}
+	if c.clientID != "" {
+		url = c.baseURL + "/accounts/oauth2/token"
+		body = map[string]string{
+			"grant_type":    "client_credentials",
+			"client_id":     c.clientID,
+			"client_secret": c.clientSecret,
+		}
+	}
 	buffer, err := json.Marshal(body)
 	if err != nil {
 		return "", nil, 0, agenterrors.Wrap(ErrMarshallingBody, err.Error())
@@ -158,7 +171,7 @@ func (c *AnypointClient) GetAccessToken() (string, *User, time.Duration, error)
 	request := coreapi.Request{
 		Method:  coreapi.POST,
-		URL:     c.baseURL + "/accounts/login",
+		URL:     url,
 		Headers: headers,
 		Body:    buffer,
 	}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index a8b3ca7..f688762 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -21,6 +21,8 @@ const (
 	pathDiscoveryIgnoreTags   = "mulesoft.discoveryIgnoreTags"
 	pathAuthUsername          = "mulesoft.auth.username"
 	pathAuthPassword          = "mulesoft.auth.password"
+	pathAuthClientID          = "mulesoft.auth.clientID"
+	pathAuthClientSecret      = "mulesoft.auth.clientSecret"
 	pathAuthLifetime          = "mulesoft.auth.lifetime"
 	pathSSLNextProtos         = "mulesoft.ssl.nextProtos"
 	pathSSLInsecureSkipVerify = "mulesoft.ssl.insecureSkipVerify"
@@ -63,6 +65,8 @@ type MulesoftConfig struct {
 	SessionLifetime time.Duration     `config:"auth.lifetime"`
 	TLS             corecfg.TLSConfig `config:"ssl"`
 	Username        string            `config:"auth.username"`
+	ClientID        string            `config:"auth.clientID"`
+	ClientSecret    string            `config:"auth.clientSecret"`
 }
 
 // ValidateCfg - Validates the gateway config
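Review bot: The client-credentials branch only swaps the URL and the request body, but the rest of GetAccessToken (its tail lies outside this hunk) still has to turn the response into the `(token, *User, lifetime)` triple, and an OAuth2 token response from `/accounts/oauth2/token` is shaped differently from the `/accounts/login` session response (it carries `expires_in` and no user record), so the parsing below the hunk should be checked for the connected-app case rather than assumed to work for both flows. The flow is chosen on `c.clientID != ""` alone, which silently relies on ValidateCfg having rejected a username/clientID mix; a comment making that explicit would help, e.g. `// Use the OAuth2 client_credentials grant when a connected app is configured; ValidateCfg guarantees username and clientID are mutually exclusive.` Naming the local `loginURL` rather than `url` avoids shadowing the `net/url` package if this file imports it now or later. Whichever flow runs, `buffer` now carries either the password or the client secret, so it must not reach debug or trace logging of the request.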
@@ -71,14 +75,22 @@ func (c *MulesoftConfig) ValidateCfg() (err error) {
 		return errors.New("invalid mulesoft configuration: anypointExchangeUrl is not configured")
 	}
 
-	if c.Username == "" {
-		return errors.New("invalid mulesoft configuration: username is not configured")
+	if c.Username == "" && c.ClientID == "" {
+		return errors.New("invalid mulesoft configuration: username or client id must be configured")
 	}
 
-	if c.Password == "" {
+	if c.Username != "" && c.ClientID != "" {
+		return errors.New("invalid mulesoft configuration: both username or client id can not be configured")
+	}
+
+	if c.Username != "" && c.Password == "" {
 		return errors.New("invalid mulesoft configuration: password is not configured")
 	}
 
+	if c.ClientID != "" && c.ClientSecret == "" {
+		return errors.New("invalid mulesoft configuration: client secret is not configured")
+	}
+
 	if c.Environment == "" {
 		return errors.New("invalid mulesoft configuration: environment is not configured")
 	}
@@ -105,6 +117,8 @@ func AddConfigProperties(props properties.Properties) {
 	props.AddStringProperty(pathOrgName, "", "Mulesoft Anypoint Business Group.")
 	props.AddStringProperty(pathAuthUsername, "", "Mulesoft username.")
 	props.AddStringProperty(pathAuthPassword, "", "Mulesoft password.")
+	props.AddStringProperty(pathAuthClientID, "", "Mulesoft client id.")
+	props.AddStringProperty(pathAuthClientSecret, "", "Mulesoft client secret.")
 	props.AddDurationProperty(pathAuthLifetime, 60*time.Minute, "Mulesoft session lifetime.")
 	props.AddStringProperty(pathDiscoveryTags, "", "APIs containing any of these tags are selected for discovery.")
 	props.AddStringProperty(pathDiscoveryIgnoreTags, "", "APIs containing any of these tags are ignored. Takes precedence over "+pathDiscoveryIgnoreTags+".")
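Review bot: The new mutual-exclusion error text `both username or client id can not be configured` is ungrammatical and ambiguous to the operator reading it at startup; change that line to `return errors.New("invalid mulesoft configuration: username and client id cannot both be configured")`. The added checks line up with GetAccessToken choosing the flow on ClientID alone, but a `clientSecret` supplied next to a username, or a `password` supplied next to a client ID, is silently ignored, which can mask a mis-pasted configuration; rejecting those leftover credentials with the same error style would make the two flows genuinely exclusive. ValidateCfg begins before this hunk and continues after it.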
@@ -134,6 +148,8 @@ func NewMulesoftConfig(props properties.Properties) *MulesoftConfig {
 		ProxyURL:        props.StringPropertyValue(pathProxyURL),
 		SessionLifetime: props.DurationPropertyValue(pathAuthLifetime),
 		Username:        props.StringPropertyValue(pathAuthUsername),
+		ClientID:        props.StringPropertyValue(pathAuthClientID),
+		ClientSecret:    props.StringPropertyValue(pathAuthClientSecret),
 		TLS: &corecfg.TLSConfiguration{
 			NextProtos:         props.StringSlicePropertyValue(pathSSLNextProtos),
 			InsecureSkipVerify: props.BoolPropertyValue(pathSSLInsecureSkipVerify),