OCM-5397 | feat: add aws, account roles and oidc config common

go.mod

@@ -8,44 +8,31 @@ require (
 	github.com/hashicorp/go-version v1.6.0
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.8
+	github.com/openshift-online/ocm-sdk-go v0.1.391
+	go.uber.org/mock v0.3.0
+	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (
-	github.com/aws/smithy-go v1.16.0 // indirect
+	github.com/aws/smithy-go v1.16.0
 	github.com/kr/pretty v0.1.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 )
 
 require (
-	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/glog v1.0.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.18 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/openshift-online/ocm-sdk-go v0.1.388 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
-	go.uber.org/mock v0.3.0 // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/sys v0.9.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/tools v0.9.3 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

pkg/aws/consts/consts.go

@@ -0,0 +1,5 @@
+package consts
+
+const (
+	MaxAwsRoleLength = 64
+)

pkg/aws/utils/utils.go

@@ -0,0 +1,22 @@
+package utils
+
+import (
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+)
+
+func GetPathFromArn(arnStr string) (string, error) {
+	parse, err := arn.Parse(arnStr)
+	if err != nil {
+		return "", err
+	}
+	resource := parse.Resource
+	firstIndex := strings.Index(resource, "/")
+	lastIndex := strings.LastIndex(resource, "/")
+	if firstIndex == lastIndex {
+		return "", nil
+	}
+	path := resource[firstIndex : lastIndex+1]
+	return path, nil
+}

pkg/aws/utils/utils_suite_test.go

@@ -0,0 +1,13 @@
+package utils_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelper(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "AWS Utils Suite")
+}

pkg/aws/utils/utils_test.go

@@ -0,0 +1,28 @@
+package utils_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	. "github.com/openshift-online/ocm-common/pkg/aws/utils"
+)
+
+var _ = Describe("AWS Utils", func() {
+	var _ = Describe("Validates GetPathFromArn function", func() {
+		It("Gets the path from arn", func() {
+			path, err := GetPathFromArn(
+				"arn:partition:service:region:account-id:resource-type/test-path/resource-id")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(path).To(Equal("/test-path/"))
+		})
+		It("Retrieves empty when there's no path", func() {
+			path, err := GetPathFromArn(
+				"arn:partition:service:region:account-id:resource-type/resource-id")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(path).To(Equal(""))
+		})
+		It("Errors if arn isn't valid", func() {
+			_, err := GetPathFromArn("aaaa")
+			Expect(err).To(HaveOccurred())
+		})
+	})
+})

pkg/aws/validations/iam_helpers.go

@@ -3,28 +3,28 @@ package validations
 import (
 	"fmt"
 
-	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	semver "github.com/hashicorp/go-version"
-	"github.com/openshift-online/ocm-common/pkg"
+	. "github.com/openshift-online/ocm-common/pkg/aws/consts"
 )
 
 func GetRoleName(prefix string, role string) string {
 	name := fmt.Sprintf("%s-%s-Role", prefix, role)
-	if len(name) > pkg.MaxByteSize {
-		name = name[0:pkg.MaxByteSize]
+	if len(name) > MaxAwsRoleLength {
+		name = name[0:MaxAwsRoleLength]
 	}
 	return name
 }
 
 func IsManagedRole(roleTags []iamtypes.Tag) bool {
-    for _, tag := range roleTags {
-        if aws.ToString(tag.Key) == ManagedPolicies && aws.ToString(tag.Value) == "true" {
-            return true
-        }
-    }
+	for _, tag := range roleTags {
+		if aws.ToString(tag.Key) == ManagedPolicies && aws.ToString(tag.Value) == "true" {
+			return true
+		}
+	}
 
-    return false
+	return false
 }
 
 func HasCompatibleVersionTags(iamTags []iamtypes.Tag, version string) (bool, error) {
@@ -36,13 +36,13 @@ func HasCompatibleVersionTags(iamTags []iamtypes.Tag, version string) (bool, err
 	if err != nil {
 		return false, err
 	}
-	
+
 	for _, tag := range iamTags {
 		if aws.ToString(tag.Key) == OpenShiftVersion {
 			if version == aws.ToString(tag.Value) {
 				return true, nil
 			}
-			
+
 			currentVersion, err := semver.NewVersion(aws.ToString(tag.Value))
 			if err != nil {
 				return false, err

pkg/ocm/consts/custom_properties.go

@@ -0,0 +1,6 @@
+package consts
+
+const (
+	rosa_prefix = "rosa_"
+	CreatorArn  = rosa_prefix + "creator_arn"
+)

pkg/ocm/consts/version.go

@@ -0,0 +1,5 @@
+package consts
+
+const (
+	DefaultChannelGroup = "stable"
+)

pkg/ocm/utils/utils_suite_test.go

@@ -0,0 +1,13 @@
+package utils_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelper(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "OCM Utils Suite")
+}

pkg/ocm/utils/versions.go

@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"fmt"
+
+	"github.com/openshift-online/ocm-common/pkg/ocm/consts"
+)
+
+func CreateVersionId(version string, channelGroup string) string {
+	versionId := fmt.Sprintf("openshift-v%s", version)
+	if channelGroup != consts.DefaultChannelGroup {
+		versionId = fmt.Sprintf("%s-%s", versionId, channelGroup)
+	}
+	return versionId
+}

pkg/ocm/utils/versions_test.go

@@ -0,0 +1,22 @@
+package utils_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/openshift-online/ocm-common/pkg/ocm/consts"
+	. "github.com/openshift-online/ocm-common/pkg/ocm/utils"
+)
+
+var _ = Describe("OCM Utils", func() {
+	var _ = Describe("Validates CreateVersionId function", func() {
+		It("Generates the version ID on stable channel", func() {
+			versionId := CreateVersionId("4.10.32", consts.DefaultChannelGroup)
+			Expect(versionId).To(Equal("openshift-v4.10.32"))
+		})
+
+		It("Generates the version ID on other channel", func() {
+			versionId := CreateVersionId("4.10.32", "candidate")
+			Expect(versionId).To(Equal("openshift-v4.10.32-candidate"))
+		})
+	})
+})

pkg/rosa/accountroles/accountroles.go

@@ -0,0 +1,42 @@
+package accountroles
+
+import (
+	awsUtils "github.com/openshift-online/ocm-common/pkg/aws/utils"
+	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+)
+
+const (
+	InstallerAccountRole    = "installer"
+	ControlPlaneAccountRole = "instance_controlplane"
+	WorkerAccountRole       = "instance_worker"
+	SupportAccountRole      = "support"
+)
+
+type AccountRole struct {
+	Name string
+	Flag string
+}
+
+var AccountRoles = map[string]AccountRole{
+	InstallerAccountRole:    {Name: "Installer", Flag: "role-arn"},
+	ControlPlaneAccountRole: {Name: "ControlPlane", Flag: "controlplane-iam-role"},
+	WorkerAccountRole:       {Name: "Worker", Flag: "worker-iam-role"},
+	SupportAccountRole:      {Name: "Support", Flag: "support-role-arn"},
+}
+
+func GetPathFromAccountRole(cluster *cmv1.Cluster, roleNameSuffix string) (string, error) {
+	accRoles := GetAccountRolesArnsMap(cluster)
+	if accRoles[roleNameSuffix] == "" {
+		return "", nil
+	}
+	return awsUtils.GetPathFromArn(accRoles[roleNameSuffix])
+}
+
+func GetAccountRolesArnsMap(cluster *cmv1.Cluster) map[string]string {
+	return map[string]string{
+		AccountRoles[InstallerAccountRole].Name:    cluster.AWS().STS().RoleARN(),
+		AccountRoles[SupportAccountRole].Name:      cluster.AWS().STS().SupportRoleARN(),
+		AccountRoles[ControlPlaneAccountRole].Name: cluster.AWS().STS().InstanceIAMRoles().MasterRoleARN(),
+		AccountRoles[WorkerAccountRole].Name:       cluster.AWS().STS().InstanceIAMRoles().WorkerRoleARN(),
+	}
+}

pkg/rosa/accountroles/accountroles_suite_test.go

@@ -0,0 +1,13 @@
+package accountroles_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelper(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Account Roles Suite")
+}

pkg/rosa/accountroles/accountroles_test.go

@@ -0,0 +1,58 @@
+package accountroles_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	. "github.com/openshift-online/ocm-common/pkg/rosa/accountroles"
+	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+)
+
+var _ = Describe("Account Role functions", func() {
+	var _ = Describe("Validates GetPathFromAccountRole function", func() {
+		It("Generates the version ID on stable channel", func() {
+			fakeCluster, err := cmv1.NewCluster().
+				AWS(
+					cmv1.NewAWS().
+						STS(
+							cmv1.NewSTS().
+								RoleARN("arn:partition:service:region:account-id:resource-type/test-path/resource-id").
+								SupportRoleARN("support").
+								InstanceIAMRoles(
+									cmv1.NewInstanceIAMRoles().
+										MasterRoleARN("controlplane").
+										WorkerRoleARN("worker"),
+								),
+						),
+				).Build()
+			Expect(err).ToNot(HaveOccurred())
+			path, err := GetPathFromAccountRole(fakeCluster, AccountRoles[InstallerAccountRole].Name)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(path).To(Equal("/test-path/"))
+		})
+	})
+
+	var _ = Describe("Validates GetAccountRolesArnsMap function", func() {
+		It("Checks the account roles are retrieved from a cluster", func() {
+			fakeCluster, err := cmv1.NewCluster().
+				AWS(
+					cmv1.NewAWS().
+						STS(
+							cmv1.NewSTS().
+								RoleARN("installer").
+								SupportRoleARN("support").
+								InstanceIAMRoles(
+									cmv1.NewInstanceIAMRoles().
+										MasterRoleARN("controlplane").
+										WorkerRoleARN("worker"),
+								),
+						),
+				).Build()
+			Expect(err).ToNot(HaveOccurred())
+			accRolesMap := GetAccountRolesArnsMap(fakeCluster)
+			Expect(accRolesMap[AccountRoles[InstallerAccountRole].Name]).To(Equal("installer"))
+			Expect(accRolesMap[AccountRoles[SupportAccountRole].Name]).To(Equal("support"))
+			Expect(accRolesMap[AccountRoles[ControlPlaneAccountRole].Name]).To(Equal("controlplane"))
+			Expect(accRolesMap[AccountRoles[WorkerAccountRole].Name]).To(Equal("worker"))
+		})
+	})
+})