CLOUDP-59682: Enable security on C/OM (#75)

Author: gssbzn

.githooks/pre-commit

@@ -1,4 +1,11 @@
 $!/usr/bin/env bash
 
-echo "==> Running pre-commit git hook..."
-make fmt check
+STAGED_GO_FILES=$(git diff --cached --name-only | grep ".go$")
+
+for FILE in $STAGED_GO_FILES
+do
+    gofmt -w -s $FILE
+    goimports -w $FILE
+done
+
+make check

internal/cli/ops_manager.go

@@ -32,6 +32,7 @@ func OpsManagerBuilder() *cobra.Command {
 	cmd.AddCommand(AtlasBackupsBuilder())
 	cmd.AddCommand(OpsManagerServersBuilder())
 	cmd.AddCommand(OpsManagerAutomationBuilder())
+	cmd.AddCommand(OpsManagerSecurityBuilder())
 	cmd.AddCommand(OpsManagerDBUsersBuilder())
 
 	return cmd

internal/cli/ops_manager_security.go

@@ -0,0 +1,30 @@
+// Copyright 2020 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"github.com/mongodb/mongocli/internal/description"
+	"github.com/spf13/cobra"
+)
+
+func OpsManagerSecurityBuilder() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "security",
+		Short: description.Security,
+	}
+
+	cmd.AddCommand(OpsManagerSecurityEnableBuilder())
+	return cmd
+}

internal/cli/ops_manager_security_enable.go

@@ -0,0 +1,92 @@
+// Copyright 2020 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"fmt"
+
+	"github.com/mongodb/mongocli/internal/config"
+	"github.com/mongodb/mongocli/internal/convert"
+	"github.com/mongodb/mongocli/internal/description"
+	"github.com/mongodb/mongocli/internal/flags"
+	"github.com/mongodb/mongocli/internal/messages"
+	"github.com/mongodb/mongocli/internal/store"
+	"github.com/mongodb/mongocli/internal/usage"
+	"github.com/spf13/cobra"
+)
+
+const (
+	cr     = "MONGODB-CR"
+	sha1   = "SCRAM-SHA-1"
+	sha256 = "SCRAM-SHA-256"
+)
+
+type opsManagerSecurityEnableOpts struct {
+	*globalOpts
+	mechanisms []string
+	store      store.AutomationPatcher
+}
+
+func (opts *opsManagerSecurityEnableOpts) init() error {
+	if opts.ProjectID() == "" {
+		return errMissingProjectID
+	}
+	var err error
+	opts.store, err = store.New()
+	return err
+}
+
+func (opts *opsManagerSecurityEnableOpts) Run() error {
+	current, err := opts.store.GetAutomationConfig(opts.ProjectID())
+
+	if err != nil {
+		return err
+	}
+
+	if err = convert.EnableMechanism(current, opts.mechanisms); err != nil {
+		return err
+	}
+	if err = opts.store.UpdateAutomationConfig(opts.ProjectID(), current); err != nil {
+		return err
+	}
+
+	fmt.Print(messages.DeploymentStatus(config.OpsManagerURL(), opts.ProjectID()))
+
+	return nil
+}
+
+// mongocli ops-manager security enable[MONGODB-CR|SCRAM-SHA-256]  [--projectId projectId]
+func OpsManagerSecurityEnableBuilder() *cobra.Command {
+	opts := &opsManagerSecurityEnableOpts{
+		globalOpts: newGlobalOpts(),
+	}
+	cmd := &cobra.Command{
+		Use:       fmt.Sprintf("enable [%s|%s]", cr, sha256),
+		Short:     description.EnableSecurity,
+		Args:      cobra.OnlyValidArgs,
+		ValidArgs: []string{cr, sha1, sha256},
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			return opts.init()
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.mechanisms = args
+			return opts.Run()
+		},
+	}
+
+	cmd.Flags().StringVar(&opts.projectID, flags.ProjectID, "", usage.ProjectID)
+
+	return cmd
+}

internal/cli/ops_manager_security_enable_test.go

@@ -0,0 +1,55 @@
+// Copyright 2020 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/mongodb/mongocli/internal/fixtures"
+	"github.com/mongodb/mongocli/internal/mocks"
+)
+
+func TestOpsManagerSecurityEnableOpts_Run(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	mockStore := mocks.NewMockAutomationPatcher(ctrl)
+
+	defer ctrl.Finish()
+
+	expected := fixtures.AutomationConfig()
+
+	createOpts := &opsManagerSecurityEnableOpts{
+		globalOpts: newGlobalOpts(),
+		mechanisms: []string{"something"},
+		store:      mockStore,
+	}
+
+	mockStore.
+		EXPECT().
+		GetAutomationConfig(createOpts.projectID).
+		Return(expected, nil).
+		Times(1)
+
+	mockStore.
+		EXPECT().
+		UpdateAutomationConfig(createOpts.projectID, expected).
+		Return(nil).
+		Times(1)
+
+	err := createOpts.Run()
+	if err != nil {
+		t.Fatalf("Run() unexpected error: %v", err)
+	}
+}

internal/convert/automation_config.go

@@ -22,7 +22,9 @@ import (
 )
 
 const (
-	mongod = "mongod"
+	mongod                         = "mongod"
+	atmAgentWindowsKeyFilePath     = "%SystemDrive%\\MMSAutomation\\versions\\keyfile"
+	atmAgentKeyFilePathInContainer = "/var/lib/mongodb-mms-automation/keyfile"
 )
 
 // FromAutomationConfig convert from cloud format to mCLI format
@@ -53,6 +55,25 @@ func FromAutomationConfig(in *om.AutomationConfig) (out []ClusterConfig) {
 	return
 }
 
+func setDisabledByClusterName(out *om.AutomationConfig, name string, disabled bool) {
+	// This value may not be present and is mandatory
+	if out.Auth.DeploymentAuthMechanisms == nil {
+		out.Auth.DeploymentAuthMechanisms = make([]string, 0)
+	}
+	for _, rs := range out.ReplicaSets {
+		if rs.ID == name {
+			for _, m := range rs.Members {
+				for k, p := range out.Processes {
+					if p.Name == m.Host {
+						out.Processes[k].Disabled = disabled
+					}
+				}
+			}
+			break
+		}
+	}
+}
+
 // Shutdown a cluster processes
 func Shutdown(out *om.AutomationConfig, name string) {
 	setDisabledByClusterName(out, name, true)
@@ -63,6 +84,64 @@ func Startup(out *om.AutomationConfig, name string) {
 	setDisabledByClusterName(out, name, false)
 }
 
+func EnableMechanism(out *om.AutomationConfig, m []string) error {
+	out.Auth.DeploymentAuthMechanisms = append(out.Auth.DeploymentAuthMechanisms, m...)
+	out.Auth.AutoAuthMechanisms = append(out.Auth.AutoAuthMechanisms, m...)
+	out.Auth.Disabled = false
+
+	var err error
+	if out.Auth.AutoUser == "" {
+		if err := setAutoUser(out); err != nil {
+			return err
+		}
+
+	}
+	addMonitoringUser(out)
+	addBackupUser(out)
+
+	if out.Auth.Key == "" {
+		if out.Auth.Key, err = generateRandomBase64String(500); err != nil {
+			return err
+		}
+	}
+	if out.Auth.KeyFile == "" {
+		out.Auth.KeyFile = atmAgentKeyFilePathInContainer
+	}
+	if out.Auth.KeyFileWindows == "" {
+		out.Auth.KeyFileWindows = atmAgentWindowsKeyFilePath
+	}
+
+	return nil
+}
+
+func addMonitoringUser(out *om.AutomationConfig) {
+	_, exists := search.MongoDBUsers(out.Auth.Users, func(user *om.MongoDBUser) bool {
+		return user.Username == monitoringAgentName
+	})
+	if !exists {
+		AddUser(out, newMonitoringUser(out.Auth.AutoPwd))
+	}
+}
+
+func addBackupUser(out *om.AutomationConfig) {
+	_, exists := search.MongoDBUsers(out.Auth.Users, func(user *om.MongoDBUser) bool {
+		return user.Username == backupAgentName
+	})
+	if !exists {
+		AddUser(out, newBackupUser(out.Auth.AutoPwd))
+	}
+}
+
+func setAutoUser(out *om.AutomationConfig) error {
+	var err error
+	out.Auth.AutoUser = automationAgentName
+	if out.Auth.AutoPwd, err = generateRandomASCIIString(500); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // AddUser adds a MongoDBUser to the config
 func AddUser(out *om.AutomationConfig, u *om.MongoDBUser) {
 	out.Auth.Users = append(out.Auth.Users, u)
@@ -78,25 +157,6 @@ func RemoveUser(out *om.AutomationConfig, username string, database string) {
 	}
 }
 
-func setDisabledByClusterName(out *om.AutomationConfig, name string, disabled bool) {
-	// This value may not be present and is mandatory
-	if out.Auth.DeploymentAuthMechanisms == nil {
-		out.Auth.DeploymentAuthMechanisms = make([]string, 0)
-	}
-	for _, rs := range out.ReplicaSets {
-		if rs.ID == name {
-			for _, m := range rs.Members {
-				for k, p := range out.Processes {
-					if p.Name == m.Host {
-						out.Processes[k].Disabled = disabled
-					}
-				}
-			}
-			break
-		}
-	}
-}
-
 // convertCloudMember map cloudmanager.Member -> convert.ProcessConfig
 func convertCloudMember(out *ProcessConfig, in om.Member) {
 	out.Votes = in.Votes

internal/convert/automation_config_test.go

@@ -95,3 +95,33 @@ func TestRemoveUser(t *testing.T) {
 		t.Error("User not removed\n")
 	}
 }
+
+func TestEnableMechanism(t *testing.T) {
+	config := fixtures.AutomationConfigWithoutMongoDBUsers()
+
+	e := EnableMechanism(config, []string{"SCRAM-SHA-256"})
+
+	if e != nil {
+		t.Fatalf("EnableMechanism() unexpected error: %v\n", e)
+	}
+
+	if config.Auth.Disabled {
+		t.Error("config.Auth.Disabled is true\n")
+	}
+
+	if config.Auth.AutoAuthMechanisms[0] != "SCRAM-SHA-256" {
+		t.Error("AutoAuthMechanisms not set\n")
+	}
+
+	if config.Auth.AutoUser == "" || config.Auth.AutoPwd == "" {
+		t.Error("config.Auth.Auto* not set\n")
+	}
+
+	if config.Auth.Key == "" || config.Auth.KeyFileWindows == "" || config.Auth.KeyFile == "" {
+		t.Error("config.Auth.Key* not set\n")
+	}
+
+	if len(config.Auth.Users) != 2 {
+		t.Error("automation and monitoring users not set\n")
+	}
+}

internal/convert/cluster_config_test.go

@@ -433,7 +433,7 @@ func TestClusterConfig_PatchAutomationConfig(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			err := tc.changes.PatchAutomationConfig(tc.current)
 			if err != nil {
-				t.Fatalf("PatchAutomationConfig() unexpected error: %v", err)
+				t.Fatalf("PatchAutomationConfig() unexpected error: %v\n", err)
 			}
 			if diff := deep.Equal(tc.current, tc.expected); diff != nil {
 				t.Error(diff)
@@ -460,7 +460,7 @@ func TestProtocolVersion(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			ver, err := protocolVer(tc.mdbVersion)
 			if err != nil {
-				t.Fatalf("protocolVer() unexpected error: %v", err)
+				t.Fatalf("protocolVer() unexpected error: %v\n", err)
 			}
 			if ver != tc.protocolVersion {
 				t.Errorf("protocolVer() expected: %s but got: %s", tc.protocolVersion, ver)