rapps/rapps-rapp-jwt-invoker.go - local/oransc/nonrtric-prototyping - Gitiles

 // -
 //   ========================LICENSE_START=================================
 //   O-RAN-SC
 //   %%
 //   Copyright (C) 2022: Nordix Foundation
 //   %%
 //   Licensed under the Apache License, Version 2.0 (the "License");
 //   you may not use this file except in compliance with the License.
 //   You may obtain a copy of the License at
 //
 //        http://www.apache.org/licenses/LICENSE-2.0
 //
 //   Unless required by applicable law or agreed to in writing, software
 //   distributed under the License is distributed on an "AS IS" BASIS,
 //   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 //   See the License for the specific language governing permissions and
 //   limitations under the License.
 //   ========================LICENSE_END===================================
 //

 package main

 import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"github.com/elastic/go-elasticsearch/v8"
 	"github.com/elastic/go-elasticsearch/esapi"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"rapps/utils/generatejwt"
 	"strings"
 	"time"
 	"log"
 )

 type Jwttoken struct {
 	Access_token       string
 	Expires_in         int
 	Refresh_expires_in int
 	Refresh_token      string
 	Token_type         string
 	Not_before_policy  int
 	Session_state      string
 	Scope              string
 }

 var gatewayHost string
 var gatewayPort string
 var keycloakHost string
 var keycloakPort string
 var keycloakAlias string
 var elasticHost string
 var elasticPort string
 var elasticAlias string
 var securityEnabled string
 var useGateway string
 var role string
 var rapp string
 var methods string
 var realmName string
 var clientId string
 var healthy bool = true
 var ttime time.Time
 var jwt Jwttoken

 const (
 	namespace             = "istio-nonrtric"
 	scope                 = "email"
 	client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 )

 var (
 	reqDuration = prometheus.NewHistogramVec(prometheus.HistogramOpts{
 		Name:    "rapp_http_request_duration_seconds",
 		Help:    "Duration of the last request call.",
 		Buckets: []float64{0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10},
 	}, []string{"app", "func", "handler", "method", "code"})
 	reqBytes = prometheus.NewSummaryVec(prometheus.SummaryOpts{
 		Name: "rapp_bytes_summary",
 		Help: "Summary of bytes transferred over http",
 	}, []string{"app", "func", "handler", "method", "code"})
 )

 type MyDocument struct {
         Timestamp string `json:"@timestamp"`
         App string `json:"app"`
         Func string `json:"func"`
         Handler string `json:"handler"`
         Method string `json:"method"`
         Code string `json:"code"`
         Bytes int64 `json:"bytes"`
 }

 var client *elasticsearch.Client

 func connectToElasticsearch() *elasticsearch.Client {
 	clusterURLs := []string{"https://" + elasticAlias + ":" + elasticPort }
         username := "elastic"
         password := "secret"
         cert, _ := ioutil.ReadFile("/ca/ca.crt")

 	dialer := &net.Dialer{
                 Timeout:   30 * time.Second,
                 KeepAlive: 30 * time.Second,
                 DualStack: true,
         }

         // client configuration
         cfg := elasticsearch.Config{
                 Addresses: clusterURLs,
                 Username:  username,
                 Password:  password,
                 CACert:    cert,
 		Transport: &http.Transport{
                         DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
                                 //fmt.Println("address original =", addr)
                                 if addr == elasticAlias+":"+elasticPort {
                                         addr = elasticHost + ":" + elasticPort
                                         //fmt.Println("address modified =", addr)
                                 }
                                 return dialer.DialContext(ctx, network, addr)
                         },
 		        TLSClientConfig: &tls.Config{
 				MinVersion: tls.VersionTLS12,
 			},
 		},
         }

         es, err := elasticsearch.NewClient(cfg)
         if err != nil {
                 log.Fatalf("Error creating the client: %s", err)
         }
 	log.Println(elasticsearch.Version)

         resp, err := es.Info()
         if err != nil {
                 log.Fatalf("Error getting response: %s", err)
         }
         defer resp.Body.Close()
         log.Println(resp)
 	return es
 }

 func addEsIndex(app, fnc, hnd, meth, code string, bytes int64){
 	ts := time.Now().Format(time.RFC3339)
 	doc := MyDocument{Timestamp: ts, App: app, Func: fnc, Handler: hnd, Method: meth, Code: code, Bytes: bytes }
         jsonString, _ := json.Marshal(doc)
 	uid := fmt.Sprintf("%v", uuid.New())
 	indexName := "gostash-"+time.Now().Format("2006.01.02")
         request := esapi.IndexRequest{Index: indexName, DocumentID: uid, Body: strings.NewReader(string(jsonString))}
         _, err := request.Do(context.Background(), client)
         if err != nil {
                 fmt.Println(err)
         }
 }

 func getToken() string {
 	if ttime.Before(time.Now()) {
 		resp := &http.Response{}
 		client_assertion := getClientAssertion()
 		keycloakUrl := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName + "/protocol/openid-connect/token"
 		fmt.Printf("Making token request to %s\n", keycloakUrl)
 		timer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {
 			reqDuration.WithLabelValues("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
 				resp.Status).Observe(v)
 		}))
 		defer timer.ObserveDuration()
 	        var err error
 		if jwt.Refresh_token != "" {
 			resp, err = http.PostForm(keycloakUrl, url.Values{"client_assertion_type": {client_assertion_type},
 				"client_assertion": {client_assertion}, "grant_type": {"refresh_token"},
 				"refresh_token": {jwt.Refresh_token}, "client_id": {clientId}, "scope": {scope}})
 		} else {
 			resp, err = http.PostForm(keycloakUrl, url.Values{"client_assertion_type": {client_assertion_type},
 				"client_assertion": {client_assertion}, "grant_type": {"client_credentials"},
 				"client_id": {clientId}, "scope": {scope}})
 		}
 		if err != nil {
 			fmt.Println(err)
 			panic("Something wrong with the credentials or url ")
 		}

 		defer resp.Body.Close()
 		body, err := ioutil.ReadAll(resp.Body)
 		json.Unmarshal([]byte(body), &jwt)

 		reqBytes.WithLabelValues("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
 			resp.Status).Observe(float64(resp.ContentLength))
                 addEsIndex("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
                             resp.Status, resp.ContentLength)
 	        ttime = time.Now()
 	        ttime = ttime.Add(time.Second * time.Duration(jwt.Expires_in))
 	}
 	return jwt.Access_token
 }

 func getClientAssertion() string {
 	realm := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName
 	clientAssertion := generatejwt.CreateJWT("/certs/client.key", "/certs/client_pub.key", "", clientId, realm)
 	return clientAssertion
 }

 func MakeRequest(client *http.Client, prefix string, method string, ch chan string) {
 	var service = strings.Split(prefix, "/")[1]
 	var gatewayUrl = "http://" + gatewayHost + ":" + gatewayPort
 	var token = ""
 	var jsonValue []byte = []byte{}
 	var restUrl string = ""

 	if securityEnabled == "true" {
 		token = getToken()
 	} else {
 		useGateway = "N"
 	}

 	if strings.ToUpper(useGateway) != "Y" {
 		gatewayUrl = "http://" + service + "." + namespace + ":80"
 		prefix = ""
 	}

 	restUrl = gatewayUrl + prefix
 	resp := &http.Response{}

 	timer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {
 		reqDuration.WithLabelValues("rapp-jwt-invoker", "MakeRequest", resp.Request.URL.Path, resp.Request.Method,
 			resp.Status).Observe(v)
 	}))
 	defer timer.ObserveDuration()
 	req, err := http.NewRequest(method, restUrl, bytes.NewBuffer(jsonValue))
 	if err != nil {
 		fmt.Printf("Got error %s", err.Error())
 	}
 	req.Header.Set("Content-type", "application/json")
 	req.Header.Set("Authorization", "Bearer "+token)

 	resp, err = client.Do(req)
 	if err != nil {
 		fmt.Printf("Got error %s", err.Error())
 	}

 	defer resp.Body.Close()
 	body, _ := ioutil.ReadAll(resp.Body)
 	reqBytes.WithLabelValues("rapp-jwt-invoker", "MakeRequest", req.URL.Path, req.Method,
 		resp.Status).Observe(float64(resp.ContentLength))
         addEsIndex("rapp-jwt-invoker", "MakeRequest", req.URL.Path, req.Method, resp.Status, resp.ContentLength)

 	respString := string(body[:])
 	if respString == "RBAC: access denied" {
 		respString += " for " + service + " " + strings.ToLower(method) + " request"
 	}
 	fmt.Printf("Received response for %s %s request - %s\n", service, strings.ToLower(method), respString)
 	ch <- prefix + "," + method
 }

 func health(res http.ResponseWriter, req *http.Request) {
 	if healthy {
 		res.WriteHeader(http.StatusOK)
 		res.Write([]byte("healthy"))
 	} else {
 		res.WriteHeader(http.StatusInternalServerError)
 		res.Write([]byte("unhealthy"))
 	}
 }

 func main() {
 	ttime = time.Now()
 	time.Sleep(3 * time.Second)
 	prometheus.Register(reqDuration)
 	prometheus.Register(reqBytes)

 	flag.StringVar(&gatewayHost, "gatewayHost", "istio-ingressgateway.istio-system", "Gateway Host")
 	flag.StringVar(&gatewayPort, "gatewayPort", "80", "Gateway Port")
 	flag.StringVar(&keycloakHost, "keycloakHost", "istio-ingressgateway.istio-system", "Keycloak Host")
 	flag.StringVar(&keycloakPort, "keycloakPort", "80", "Keycloak Port")
         flag.StringVar(&elasticHost, "elasticHost", "istio-ingressgateway.istio-system", "Elasticsearch Host")
         flag.StringVar(&elasticPort, "elasticPort", "443", "Elasticsearch Port")
         flag.StringVar(&elasticAlias, "elasticAlias", "elasticsearch.est.tech", "Elasticsearch URL Alias")
 	flag.StringVar(&useGateway, "useGateway", "Y", "Connect to services through API gateway")
 	flag.StringVar(&securityEnabled, "securityEnabled", "true", "Security is required to use this application")
 	flag.StringVar(&realmName, "realm", "jwt", "Keycloak realm")
 	flag.StringVar(&clientId, "client", "jwtprovider-cli", "Keycloak client")
 	flag.StringVar(&role, "role", "provider-viewer", "Role granted to application")
 	flag.StringVar(&rapp, "rapp", "rapp-jwt-provider", "Name of rapp to invoke")
 	flag.StringVar(&methods, "methods", "GET", "Methods to access application")
 	flag.Parse()

 	healthHandler := http.HandlerFunc(health)
 	http.Handle("/health", healthHandler)
 	http.Handle("/metrics", promhttp.Handler())
 	client = connectToElasticsearch()
 	go func() {
 		http.ListenAndServe(":9000", nil)
 	}()

 	client := &http.Client{
 		Timeout: time.Second * 10,
 	}

 	ch := make(chan string)
 	var prefixArray []string = []string{"/" + rapp}
 	var methodArray []string = []string{methods}
 	for _, prefix := range prefixArray {
 		for _, method := range methodArray {
 			go MakeRequest(client, prefix, method, ch)
 		}
 	}

 	ioutil.WriteFile("init.txt", []byte("Initialization done."), 0644)

 	for r := range ch {
 		go func(resp string) {
 			time.Sleep(10 * time.Second)
 			elements := strings.Split(resp, ",")
 			prefix := elements[0]
 			method := elements[1]
 			MakeRequest(client, prefix, method, ch)
 		}(r)
 	}
 }
	// -
	// ========================LICENSE_START=================================
	// O-RAN-SC
	// %%
	// Copyright (C) 2022: Nordix Foundation
	// %%
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	// ========================LICENSE_END===================================
	//

	package main

	import (
	"bytes"
	"context"
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"github.com/elastic/go-elasticsearch/v8"
	"github.com/elastic/go-elasticsearch/esapi"
	"github.com/google/uuid"
	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/client_golang/prometheus/promhttp"
	"io/ioutil"
	"net"
	"net/http"
	"net/url"
	"rapps/utils/generatejwt"
	"strings"
	"time"
	"log"
	)

	type Jwttoken struct {
	Access_token string
	Expires_in int
	Refresh_expires_in int
	Refresh_token string
	Token_type string
	Not_before_policy int
	Session_state string
	Scope string
	}

	var gatewayHost string
	var gatewayPort string
	var keycloakHost string
	var keycloakPort string
	var keycloakAlias string
	var elasticHost string
	var elasticPort string
	var elasticAlias string
	var securityEnabled string
	var useGateway string
	var role string
	var rapp string
	var methods string
	var realmName string
	var clientId string
	var healthy bool = true
	var ttime time.Time
	var jwt Jwttoken

	const (
	namespace = "istio-nonrtric"
	scope = "email"
	client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	)

	var (
	reqDuration = prometheus.NewHistogramVec(prometheus.HistogramOpts{
	Name: "rapp_http_request_duration_seconds",
	Help: "Duration of the last request call.",
	Buckets: []float64{0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10},
	}, []string{"app", "func", "handler", "method", "code"})
	reqBytes = prometheus.NewSummaryVec(prometheus.SummaryOpts{
	Name: "rapp_bytes_summary",
	Help: "Summary of bytes transferred over http",
	}, []string{"app", "func", "handler", "method", "code"})
	)

	type MyDocument struct {
	Timestamp string `json:"@timestamp"`
	App string `json:"app"`
	Func string `json:"func"`
	Handler string `json:"handler"`
	Method string `json:"method"`
	Code string `json:"code"`
	Bytes int64 `json:"bytes"`
	}

	var client *elasticsearch.Client

	func connectToElasticsearch() *elasticsearch.Client {
	clusterURLs := []string{"https://" + elasticAlias + ":" + elasticPort }
	username := "elastic"
	password := "secret"
	cert, _ := ioutil.ReadFile("/ca/ca.crt")

	dialer := &net.Dialer{
	Timeout: 30 * time.Second,
	KeepAlive: 30 * time.Second,
	DualStack: true,
	}

	// client configuration
	cfg := elasticsearch.Config{
	Addresses: clusterURLs,
	Username: username,
	Password: password,
	CACert: cert,
	Transport: &http.Transport{
	DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
	//fmt.Println("address original =", addr)
	if addr == elasticAlias+":"+elasticPort {
	addr = elasticHost + ":" + elasticPort
	//fmt.Println("address modified =", addr)
	}
	return dialer.DialContext(ctx, network, addr)
	},
	TLSClientConfig: &tls.Config{
	MinVersion: tls.VersionTLS12,
	},
	},
	}

	es, err := elasticsearch.NewClient(cfg)
	if err != nil {
	log.Fatalf("Error creating the client: %s", err)
	}
	log.Println(elasticsearch.Version)

	resp, err := es.Info()
	if err != nil {
	log.Fatalf("Error getting response: %s", err)
	}
	defer resp.Body.Close()
	log.Println(resp)
	return es
	}

	func addEsIndex(app, fnc, hnd, meth, code string, bytes int64){
	ts := time.Now().Format(time.RFC3339)
	doc := MyDocument{Timestamp: ts, App: app, Func: fnc, Handler: hnd, Method: meth, Code: code, Bytes: bytes }
	jsonString, _ := json.Marshal(doc)
	uid := fmt.Sprintf("%v", uuid.New())
	indexName := "gostash-"+time.Now().Format("2006.01.02")
	request := esapi.IndexRequest{Index: indexName, DocumentID: uid, Body: strings.NewReader(string(jsonString))}
	_, err := request.Do(context.Background(), client)
	if err != nil {
	fmt.Println(err)
	}
	}

	func getToken() string {
	if ttime.Before(time.Now()) {
	resp := &http.Response{}
	client_assertion := getClientAssertion()
	keycloakUrl := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName + "/protocol/openid-connect/token"
	fmt.Printf("Making token request to %s\n", keycloakUrl)
	timer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {
	reqDuration.WithLabelValues("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
	resp.Status).Observe(v)
	}))
	defer timer.ObserveDuration()
	var err error
	if jwt.Refresh_token != "" {
	resp, err = http.PostForm(keycloakUrl, url.Values{"client_assertion_type": {client_assertion_type},
	"client_assertion": {client_assertion}, "grant_type": {"refresh_token"},
	"refresh_token": {jwt.Refresh_token}, "client_id": {clientId}, "scope": {scope}})
	} else {
	resp, err = http.PostForm(keycloakUrl, url.Values{"client_assertion_type": {client_assertion_type},
	"client_assertion": {client_assertion}, "grant_type": {"client_credentials"},
	"client_id": {clientId}, "scope": {scope}})
	}
	if err != nil {
	fmt.Println(err)
	panic("Something wrong with the credentials or url ")
	}

	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	json.Unmarshal([]byte(body), &jwt)

	reqBytes.WithLabelValues("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
	resp.Status).Observe(float64(resp.ContentLength))
	addEsIndex("rapp-jwt-invoker", "getToken", resp.Request.URL.Path, resp.Request.Method,
	resp.Status, resp.ContentLength)
	ttime = time.Now()
	ttime = ttime.Add(time.Second * time.Duration(jwt.Expires_in))
	}
	return jwt.Access_token
	}

	func getClientAssertion() string {
	realm := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName
	clientAssertion := generatejwt.CreateJWT("/certs/client.key", "/certs/client_pub.key", "", clientId, realm)
	return clientAssertion
	}

	func MakeRequest(client *http.Client, prefix string, method string, ch chan string) {
	var service = strings.Split(prefix, "/")[1]
	var gatewayUrl = "http://" + gatewayHost + ":" + gatewayPort
	var token = ""
	var jsonValue []byte = []byte{}
	var restUrl string = ""

	if securityEnabled == "true" {
	token = getToken()
	} else {
	useGateway = "N"
	}

	if strings.ToUpper(useGateway) != "Y" {
	gatewayUrl = "http://" + service + "." + namespace + ":80"
	prefix = ""
	}

	restUrl = gatewayUrl + prefix
	resp := &http.Response{}

	timer := prometheus.NewTimer(prometheus.ObserverFunc(func(v float64) {
	reqDuration.WithLabelValues("rapp-jwt-invoker", "MakeRequest", resp.Request.URL.Path, resp.Request.Method,
	resp.Status).Observe(v)
	}))
	defer timer.ObserveDuration()
	req, err := http.NewRequest(method, restUrl, bytes.NewBuffer(jsonValue))
	if err != nil {
	fmt.Printf("Got error %s", err.Error())
	}
	req.Header.Set("Content-type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)

	resp, err = client.Do(req)
	if err != nil {
	fmt.Printf("Got error %s", err.Error())
	}

	defer resp.Body.Close()
	body, _ := ioutil.ReadAll(resp.Body)
	reqBytes.WithLabelValues("rapp-jwt-invoker", "MakeRequest", req.URL.Path, req.Method,
	resp.Status).Observe(float64(resp.ContentLength))
	addEsIndex("rapp-jwt-invoker", "MakeRequest", req.URL.Path, req.Method, resp.Status, resp.ContentLength)

	respString := string(body[:])
	if respString == "RBAC: access denied" {
	respString += " for " + service + " " + strings.ToLower(method) + " request"
	}
	fmt.Printf("Received response for %s %s request - %s\n", service, strings.ToLower(method), respString)
	ch <- prefix + "," + method
	}

	func health(res http.ResponseWriter, req *http.Request) {
	if healthy {
	res.WriteHeader(http.StatusOK)
	res.Write([]byte("healthy"))
	} else {
	res.WriteHeader(http.StatusInternalServerError)
	res.Write([]byte("unhealthy"))
	}
	}

	func main() {
	ttime = time.Now()
	time.Sleep(3 * time.Second)
	prometheus.Register(reqDuration)
	prometheus.Register(reqBytes)

	flag.StringVar(&gatewayHost, "gatewayHost", "istio-ingressgateway.istio-system", "Gateway Host")
	flag.StringVar(&gatewayPort, "gatewayPort", "80", "Gateway Port")
	flag.StringVar(&keycloakHost, "keycloakHost", "istio-ingressgateway.istio-system", "Keycloak Host")
	flag.StringVar(&keycloakPort, "keycloakPort", "80", "Keycloak Port")
	flag.StringVar(&elasticHost, "elasticHost", "istio-ingressgateway.istio-system", "Elasticsearch Host")
	flag.StringVar(&elasticPort, "elasticPort", "443", "Elasticsearch Port")
	flag.StringVar(&elasticAlias, "elasticAlias", "elasticsearch.est.tech", "Elasticsearch URL Alias")
	flag.StringVar(&useGateway, "useGateway", "Y", "Connect to services through API gateway")
	flag.StringVar(&securityEnabled, "securityEnabled", "true", "Security is required to use this application")
	flag.StringVar(&realmName, "realm", "jwt", "Keycloak realm")
	flag.StringVar(&clientId, "client", "jwtprovider-cli", "Keycloak client")
	flag.StringVar(&role, "role", "provider-viewer", "Role granted to application")
	flag.StringVar(&rapp, "rapp", "rapp-jwt-provider", "Name of rapp to invoke")
	flag.StringVar(&methods, "methods", "GET", "Methods to access application")
	flag.Parse()

	healthHandler := http.HandlerFunc(health)
	http.Handle("/health", healthHandler)
	http.Handle("/metrics", promhttp.Handler())
	client = connectToElasticsearch()
	go func() {
	http.ListenAndServe(":9000", nil)
	}()

	client := &http.Client{
	Timeout: time.Second * 10,
	}

	ch := make(chan string)
	var prefixArray []string = []string{"/" + rapp}
	var methodArray []string = []string{methods}
	for _, prefix := range prefixArray {
	for _, method := range methodArray {
	go MakeRequest(client, prefix, method, ch)
	}
	}

	ioutil.WriteFile("init.txt", []byte("Initialization done."), 0644)

	for r := range ch {
	go func(resp string) {
	time.Sleep(10 * time.Second)
	elements := strings.Split(resp, ",")
	prefix := elements[0]
	method := elements[1]
	MakeRequest(client, prefix, method, ch)
	}(r)
	}
	}