Merge pull request #9 from naphelps/issue-1

Issue 1

.github/workflows/build-push.yml

@@ -19,14 +19,14 @@ env:
 jobs:
   # Build and pushes to Dockerhub
   build-push:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     # Environment variables available to all steps
     env:
-      GOPATH: ${{ github.workspace }}/go 
+      GOPATH: ${{ github.workspace }}/go
       REPO_DIR: ${{ github.workspace }}/go/src/github.com/${{ github.repository }}
       IMAGE_NAME: amd64_bao
-      BINARY_NAME: hznbaoauth
+      BINARY_NAME: openbao-plugin-auth-openhorizon
 
     # Executed sequentially when job runs
     steps:
@@ -67,33 +67,33 @@ jobs:
           sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
           sudo apt-get update
           sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-      
+
       # Authenticate Dockerhub to allow pushing to our image repo
       - name: Login to Dockerhub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
       # Authenticate GHCR to allow pushing to our alternate image registry
       - name: Login to Github Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Checkout our Github repo
       - name: Checkout Github Repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           path: go/src/github.com/${{ github.repository }}
 
       # Prepare the environment
-      - name: Set up golang 1.22.1
-        uses: actions/setup-go@v2
+      - name: Set up golang 1.22.7
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.22.1'
+          go-version: '1.22.7'
           check-latest: true
 
       # Configure version variables for later steps, stored in our workflow env. variables
@@ -123,4 +123,4 @@ jobs:
           docker push ${GITHUB_CONTAINER_REGISTRY}/${IMAGE_NAME}:testing; \
           fi
         env:
-          VERSION: '${{ steps.config-version.outputs.VERSION }}-${{ steps.offset.outputs.BUILD_NUMBER }}'
+          VERSION: '${{ steps.config-version.outputs.VERSION }}-${{ steps.offset.outputs.BUILD_NUMBER }}'c

.github/workflows/release.yaml

@@ -0,0 +1,115 @@
+# Creates a GitHub Release.
+# Workflow is manually run.
+# Preselect branch or tag before running this workflow.
+name: release
+
+on:
+  workflow_dispatch:
+    inputs:
+      prerelease:
+        description: "Mark this release as a prerelease"
+        required: true
+        default: true
+        type: boolean
+      make-latest:
+        description: "Latest release"
+        required: true
+        default: false
+        type: boolean
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    strategy:
+      matrix:
+        release_os:
+          - darwin
+          - freebsd
+          - illumos
+          - linux
+          - netbsd
+          - openbsd
+          - solaris
+          - windows
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required by GoRelease
+
+      - name: Golang Setup
+        uses: actions/setup-go@v5
+        with:
+          go-version: "^1.23.3"
+
+      - name: go-check
+        run: go version
+
+      # Supports syft/sbom generation
+      - uses: anchore/sbom-action/download-syft@v0
+
+        # Supports Buildx
+      - name: Qemu Setup
+        uses: docker/setup-qemu-action@v3
+
+      - name: Buildx Setup
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cosign Install
+        uses: sigstore/cosign-installer@v3
+
+      #- name: GPG Import
+      #  id: gpg-import
+      #  uses: crazy-max/ghaction-import-gpg@v6
+      #  with:
+      #    gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      #    passphrase: ${{ secrets.GPG_PASSWORD }}
+
+      - name: Cache Setup
+        uses: actions/cache@v4
+        with:
+          path: |
+            ./dist/**/openbao-plugin-auth-openhorizon
+            ./dist/**/*.exe
+            ./dist/*.tar.gz
+            ./dist/*.tar.gz.zst
+            ./dist/*.zip
+          key: ${{ github.ref }}
+
+      - name: "GoReleaser: Release"
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean --timeout=60m --verbose --parallelism 2
+        env:
+          RELEASE_BUILD_GOOS: ${{ matrix.release_os }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          #GPG_FINGERPRINT: ${{ steps.gpg-import.outputs.fingerprint }}
+          #GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GITHUB_RELEASE_PRERELEASE: ${{ inputs.prerelease }}
+          GITHUB_RELEASE_MAKE_LATEST: ${{ inputs.make-latest }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          #NFPM_DEFAULT_PASSPHRASE: ${{ secrets.GPG_PASSWORD }}
+
+      #- name: Remove GPG Signing Key File
+      #  if: always()
+      #  run: |
+      #    if [ -n "${GPG_KEY_FILE}" ]; then
+      #      rm -rf "${GPG_KEY_FILE}"
+      #    fi
+
+      - name: "Check free space on runner"
+        run: |
+          df -h .

.gitignore

@@ -1 +1,7 @@
-/docker/bin/hznbaoauth
+.DS_Store
+.idea
+.vscode
+
+bin
+dist
+docker/bin

CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
-## [1.2.0] - 2024-04-10
+## [] - 2024-11-19
+- Golang 1.22.1 -> 1.23.3
+- openbao/api v1.100.0-development20240408 -> v2.1.0
+- openbao/sdk v1.100.0-development20240408 -> v2.1.0
+
+
+## [] - 2024-04-10
 - Issue 1: Change Hashicorp Vault references to OpenBao 2.0.0-alpha20240329.
   - Docker registries not available yet.
   - Artifact signing is not available yet.

Makefile

@@ -4,47 +4,56 @@ SHELL := /bin/bash
 arch_tag ?= $(shell ./tools/arch-tag)
 arch ?= $(arch_tag)
 
-BAO_VERSION ?= 2.0.0-alpha20240329
-BAO_GPGKEY ?= "" #C874011F0AB405110D02105534365D9472D7468F
+BAO_VERSION ?= 2.0.2
+BAO_GPGKEY ?= ""
 VAULT_PLUGIN_HASH := ""
 
-EXECUTABLE := hznbaoauth
+EXECUTABLE := openbao-plugin-auth-openhorizon
 DOCKER_INAME ?= openhorizon/$(arch)_bao
 VERSION ?= 1.2.0
 DEV_VERSION ?=testing
 DOCKER_IMAGE_LABELS ?= --label "name=$(arch)_bao" --label "version=$(VERSION)" --label "bao_version=$(BAO_VERSION)" --label "release=$(shell git rev-parse --short HEAD)"
+DUMB_INIT_VERSION ?= 1.2.5
 
-DOCKER_DEV_OPTS ?= --rm --no-cache --build-arg ARCH=$(arch) --build-arg BAO_VERSION=$(BAO_VERSION) --build-arg BAO_GPGKEY=$(BAO_GPGKEY) --build-arg BAO_PLUGIN_HASH=$(BAO_PLUGIN_HASH)
+DOCKER_DEV_OPTS ?= --rm --no-cache --build-arg ARCH=$(arch) --build-arg BAO_VERSION=$(BAO_VERSION) --build-arg BAO_GPGKEY=$(BAO_GPGKEY) --build-arg BAO_PLUGIN_HASH=$(BAO_PLUGIN_HASH) --build-arg DUMB_INIT_VERSION=$(DUMB_INIT_VERSION)
 
 # license file name
 export LICENSE_FILE = LICENSE.txt
 
-COMPILE_ARGS ?= CGO_ENABLED=0 GOARCH=amd64 GOOS=linux
+
+GOOS ?= linux
+GOARCH ?= amd
+CGO_ENABLED ?= 0
+COMPILE_ARGS ?= CGO_ENABLED=$(CGO_ENABLED) GOARCH=$(GOARCH) GOOS=$(GOOS)
 
 ifndef verbose
 .SILENT:
 endif
 
-all: $(EXECUTABLE) bao-image
-dev: $(EXECUTABLE) bao-dev-image
+all: $(EXECUTABLE)
+dev:  bao-dev-image
+image: bao-image
 check: test
 
 clean:
-	rm -f ./docker/bin/$(EXECUTABLE)
+	rm -f /bin/$(EXECUTABLE)
 	-@docker rmi $(DOCKER_INAME):$(VERSION) 2> /dev/null || :
 	-@docker rmi $(DOCKER_INAME):testing 2> /dev/null || :
 
+.PHONY: format
 format:
 	@echo "Formatting all Golang source code with gofmt"
 	find . -name '*.go' -exec gofmt -l -w {} \;
 
 $(EXECUTABLE): $(shell find . -name '*.go')
 	@echo "Producing $(EXECUTABLE) for arch: amd64"
-	$(COMPILE_ARGS) go build -o ./docker/bin/$(EXECUTABLE)
+	go mod tidy
+	go generate ./...
+	$(COMPILE_ARGS) go build -o bin/$(EXECUTABLE)
 
 bao-image: VAULT_PLUGIN_HASH=$(shell shasum -a 256 ./docker/bin/$(EXECUTABLE) | awk '{ print $$1 }')
 
-bao-image:
+bao-image: $(EXECUTABLE)
 	@echo "Handling $(DOCKER_INAME):$(VERSION) with hash $(VAULT_PLUGIN_HASH)"
 	if [ -n "$(shell docker images | grep '$(DOCKER_INAME):$(VERSION)')" ]; then \
 		echo "Skipping since $(DOCKER_INAME):$(VERSION) image exists, run 'make clean && make' if a rebuild is desired"; \
@@ -53,7 +62,7 @@ bao-image:
 		docker build $(DOCKER_DEV_OPTS) $(DOCKER_IMAGE_LABELS) -t $(DOCKER_INAME):$(VERSION) -f docker/Dockerfile.ubi.$(arch) ./docker; \
 	else echo "Building the openbao docker image is not supported on $(arch)"; fi
 
-bao-dev-image:
+bao-dev-image: $(EXECUTABLE)
 	@echo "Handling $(DOCKER_INAME):$(DEV_VERSION)"
 	if [ -n "$(shell docker images | grep '$(DOCKER_INAME):$(DEV_VERSION)')" ]; then \
 		echo "Skipping since $(DOCKER_INAME):$(DEV_VERSION) image exists, run 'make clean && make' if a rebuild is desired"; \
@@ -66,5 +75,9 @@ test:
 	@echo "Executing unit tests"
 	-@$(COMPILE_ARGS) go test -cover -tags=unit
 
-
-.PHONY: format
+.PHONY: dev-goreleaser
+#dev-goreleaser: export GPG_KEY_FILE := /dev/null
+dev-goreleaser: export GITHUB_REPOSITORY_OWNER = none
+dev-goreleaser: export RELEASE_BUILD_GOOS = linux
+dev-goreleaser:
+	goreleaser release --clean --timeout=60m --verbose --parallelism 2 --snapshot --skip sbom,sign

README.md

@@ -1,6 +1,5 @@
-# openbao-exchange-auth
+# openbao-plugin-auth-openhorizon
 
 ## Introduction
 
-This project contains an authentication plugin for the Linux Foundation Edge project OpenBao, which enables Open Horizon users to authenticate to the openbao instance, and allow the openbao to provide ACL and audit of each user's access.
-
+This project contains an authentication plugin for the Linux Foundation Edge project OpenBao, which enables Open Horizon users to authenticate to the OpenBao instance, and allow OpenBao to provide ACL and audit of each user's access.

plugin/auth.go → auth.go

@@ -1,19 +1,20 @@
-package plugin
+package openhorizon
 
 import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/openbao/openbao/sdk/framework"
-	"github.com/openbao/openbao/sdk/logical"
 	"strings"
+
+	"github.com/openbao/openbao/sdk/v2/framework"
+	"github.com/openbao/openbao/sdk/v2/logical"
 )
 
 // The exchange root user id.
 const EX_ROOT_USER = "root"
 
 // The bao plugin framework calls this method to process login requests.
-func (o *ohAuthPlugin) pathAuthLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+func (o *backend) pathAuthLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 
 	// Extract the user authentication info from the request.
 	userOrg, userId, password, err := extractAndVerifyAuthCreds(d)

plugin/auth_agbot.go → auth_agbot.go

@@ -1,21 +1,22 @@
-package plugin
+package openhorizon
 
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/openbao/openbao/sdk/logical"
 	"io/ioutil"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/openbao/openbao/sdk/v2/logical"
 )
 
 const AGBOTID_RENEW_SECRET = "agbotid"
 const AGBOTPW_RENEW_SECRET = "password"
 
 // Attempt to authenticate the caller as an open horizon agbot.
-func (o *ohAuthPlugin) AuthenticateAsAgbot(exURL string, tok string, renewal int, userOrg, userId, password string) (*logical.Response, error) {
+func (o *backend) AuthenticateAsAgbot(exURL string, tok string, renewal int, userOrg, userId, password string) (*logical.Response, error) {
 
 	agbots, err := o.verifyAgbotCredentials(exURL, userOrg, userId, password)
 
@@ -85,7 +86,7 @@ func (o *ohAuthPlugin) AuthenticateAsAgbot(exURL string, tok string, renewal int
 			Metadata: map[string]string{
 				"agbot": strconv.FormatBool(true),
 			},
-			Period: time.Duration(renewal) * time.Second,
+			Period:    time.Duration(renewal) * time.Second,
 			TokenType: logical.TokenTypeService,
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
@@ -97,7 +98,7 @@ func (o *ohAuthPlugin) AuthenticateAsAgbot(exURL string, tok string, renewal int
 
 // Call the openhorizon exchange to validate the caller's credentials as an Agbot. This API call will use the caller's own credentials to verify that it can
 // retrieve the definition of it's own idenity from the exchange. This verifies that the caller's creds are good.
-func (o *ohAuthPlugin) verifyAgbotCredentials(exURL string, userOrg string, userId string, password string) (*GetAgbotsResponse, error) {
+func (o *backend) verifyAgbotCredentials(exURL string, userOrg string, userId string, password string) (*GetAgbotsResponse, error) {
 
 	// Log the exchange API that we are going to call.
 	url := fmt.Sprintf("%v/orgs/%v/agbots/%v", exURL, userOrg, userId)