Certs (#2001)

* json to iac certs * feat: state * feat: front-end * bump version * feat: remove excess tags from cert * fix: domains * feat: update groups / certs unfound * feat: idps * rm: diagram * fixes * fixes * fixes * fixes * fixes * fixes * fixes * fixes * fixes * fixes * fixes
IBM · Aug 30, 2024 · 74bb7da · 74bb7da
1 parent 8206fb0
commit 74bb7da
Show file tree

Hide file tree

Showing 23 changed files with 2,536 additions and 28 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.16.5
+
+### Features
+
+- Users can now create SSL certificates in Secrets Manager using the Certificates subform
+- Users can now disable the Facebook, Google, and SAML logins for an App ID instance from the App ID page
+
 ## 1.16.4
 
 ### Features

diff --git a/client/package-lock.json b/client/package-lock.json
diff --git a/client/package.json b/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "craig",
-  "version": "1.16.4",
+  "version": "1.16.5",
   "private": true,
   "license": "Apache-2.0",
   "scripts": {

diff --git a/client/src/components/pages/CraigForms.js b/client/src/components/pages/CraigForms.js
@@ -208,6 +208,11 @@ function craigForms(craig) {
           resource_group: craig.appid.resource_group,
           encryption_key: craig.appid.encryption_key,
         },
+        {
+          disable_facebook: craig.appid.disable_facebook,
+          disable_google: craig.appid.disable_google,
+          disable_saml: craig.appid.disable_saml,
+        },
       ],
       subForms: [
         {
@@ -1366,6 +1371,61 @@ function craigForms(craig) {
             ],
           },
         },
+        {
+          name: "Certificates",
+          addText: "Add a Certificate",
+          jsonField: "certificates",
+          form: {
+            groups: [
+              {
+                name: craig.secrets_manager.certificates.name,
+              },
+              {
+                description: craig.secrets_manager.certificates.description,
+              },
+              {
+                type: craig.secrets_manager.certificates.type,
+                common_name: craig.secrets_manager.certificates.common_name,
+                signing_method:
+                  craig.secrets_manager.certificates.signing_method,
+              },
+              {
+                secrets_group: craig.secrets_manager.certificates.secrets_group,
+                max_ttl: craig.secrets_manager.certificates.max_ttl,
+                ttl: craig.secrets_manager.certificates.ttl,
+                key_bits: craig.secrets_manager.certificates.key_bits,
+              },
+              {
+                country: craig.secrets_manager.certificates.country,
+                organization: craig.secrets_manager.certificates.organization,
+                issuer: craig.secrets_manager.certificates.issuer,
+                certificate_authority:
+                  craig.secrets_manager.certificates.certificate_authority,
+                certificate_template:
+                  craig.secrets_manager.certificates.certificate_template,
+              },
+              {
+                key_usage: craig.secrets_manager.certificates.key_usage,
+                ext_key_usage: craig.secrets_manager.certificates.ext_key_usage,
+              },
+              {
+                server_flag: craig.secrets_manager.certificates.server_flag,
+                client_flag: craig.secrets_manager.certificates.client_flag,
+                allow_subdomains:
+                  craig.secrets_manager.certificates.allow_subdomains,
+              },
+              {
+                allowed_domains:
+                  craig.secrets_manager.certificates.allowed_domains,
+              },
+              {
+                auto_rotate: craig.secrets_manager.certificates.auto_rotate,
+                unit: craig.secrets_manager.certificates.unit,
+                interval: craig.secrets_manager.certificates.interval,
+              },
+            ],
+          },
+        },
       ],
     },
     scc_v2: {

diff --git a/client/src/lib/docs/release-notes.json b/client/src/lib/docs/release-notes.json
@@ -1,4 +1,13 @@
 [
+  {
+    "version": "1.16.5",
+    "features": [
+      "Users can now create SSL certificates in Secrets Manager using the Certificates subform",
+      "Users can now disable the Facebook, Google, and SAML logins for an App ID instance from the App ID page"
+    ],
+    "fixes": [],
+    "upgrade_notes": []
+  },
   {
     "version": "1.16.4",
     "features": [

diff --git a/client/src/lib/docs/templates/power-sap-hana.json b/client/src/lib/docs/templates/power-sap-hana.json
@@ -31,7 +31,10 @@
           "name": "sap-appid-key",
           "appid": "appid"
         }
-      ]
+      ],
+      "disable_facebook": false,
+      "disable_google": false,
+      "disable_saml": false
     }
   ],
   "atracker": {

diff --git a/client/src/lib/docs/templates/vpn-as-a-service.json b/client/src/lib/docs/templates/vpn-as-a-service.json
@@ -219,7 +219,8 @@
       "plan": "trial",
       "add_k8s_authorization": false,
       "add_cis_authorization": false,
-      "secrets_groups": []
+      "secrets_groups": [],
+      "certificates": []
     }
   ],
   "security_groups": [

diff --git a/client/src/lib/forms/disable-save.js b/client/src/lib/forms/disable-save.js
@@ -102,6 +102,7 @@ function disableSave(field, stateData, componentProps, craig) {
     "power_shared_processor_pools",
     "secrets_groups",
     "cloud_logs",
+    "certificates",
   ];
   let isPowerSshKey = field === "ssh_keys" && componentProps.arrayParentName;
   if (contains(stateDisableSaveComponents, field) || isPowerSshKey) {
@@ -166,8 +167,8 @@ function disableSave(field, stateData, componentProps, craig) {
         ? componentProps.craig.vpn_gateways.connections
         : field === "classic_sg_rules"
         ? componentProps.craig.classic_security_groups.classic_sg_rules
-        : field === "secrets_groups"
-        ? componentProps.craig.secrets_manager.secrets_groups
+        : contains(["secrets_groups", "certificates"], field)
+        ? componentProps.craig.secrets_manager[field]
         : componentProps.craig[field]
     ).shouldDisableSave(stateData, componentProps);
   } else return false;

diff --git a/client/src/lib/forms/props-match-state.js b/client/src/lib/forms/props-match-state.js
@@ -102,6 +102,7 @@ function propsMatchState(field, stateData, componentProps) {
     // this is to catch in cloud services form to prevent form from crashing the page
     // somewhere a function gets sent on load to deepEqual for propsMatchState. I believe
     // this is happening before component render
+
     return true;
   }
 }

diff --git a/client/src/lib/json-to-iac/appid.js b/client/src/lib/json-to-iac/appid.js
@@ -136,12 +136,30 @@ function ibmResourceInstanceAppId(instance, config) {
  */
 function formatAppId(instance, config) {
   let appid = ibmResourceInstanceAppId(instance, config);
-  return jsonToTfPrint(
+  let tfString = jsonToTfPrint(
     getResourceOrData(instance),
     "ibm_resource_instance",
     appid.name,
     appid.data
   );
+  ["facebook", "google", "saml"].forEach((idp) => {
+    if (instance["disable_" + idp]) {
+      tfString += jsonToTfPrint(
+        "resource",
+        "ibm_appid_idp_" + idp,
+        instance.name + "_" + idp,
+        {
+          tenant_id: resourceRef(
+            instance.name,
+            "guid",
+            useData(instance.use_data)
+          ),
+          is_active: false,
+        }
+      );
+    }
+  });
+  return tfString;
 }
 
 /**

diff --git a/client/src/lib/json-to-iac/secrets-manager.js b/client/src/lib/json-to-iac/secrets-manager.js
@@ -4,6 +4,7 @@ const {
   getObjectFromArray,
   kebabCase,
   distinct,
+  isEmpty,
 } = require("lazy-z");
 const {
   rgIdRef,
@@ -400,6 +401,101 @@ function formatSecretsManagerK8sSecret(secret, config) {
   );
 }
 
+function formatCertificate(cert) {
+  let certJson = {
+    instance_id: `\${ibm_resource_instance.${snakeCase(
+      cert.secrets_manager
+    )}_secrets_manager.guid}`,
+    name: "${var.prefix}-" + cert.name,
+    region: varDotRegion,
+    common_name: cert.common_name ? cert.common_name : undefined,
+    description: cert.description ? cert.description : undefined,
+    secret_group_id: cert.secrets_group
+      ? `\${ibm_sm_secret_group.${snakeCase(
+          cert.secrets_manager
+        )}_group_${snakeCase(cert.secrets_group)}.secret_group_id}`
+      : undefined,
+    max_ttl: cert.max_ttl ? cert.max_ttl : undefined,
+    country: cert.country ? [cert.country] : undefined,
+    organization: cert.organization ? [cert.organization] : undefined,
+    key_bits: cert.key_bits ? parseInt(cert.key_bits) : undefined,
+    signing_method: cert?.signing_method ? cert.signing_method : undefined,
+    client_flag: cert.client_flag ? cert.client_flag : undefined,
+    server_flag: cert.server_flag ? cert.server_flag : undefined,
+    allow_subdomains: cert.allow_subdomains ? cert.allow_subdomains : undefined,
+    allowed_domains:
+      cert.allowed_domains && !isEmpty(cert.allowed_domains)
+        ? cert.allowed_domains
+        : undefined,
+    key_usage:
+      cert.key_usage && !isEmpty(cert.key_usage) ? cert.key_usage : undefined,
+    ext_key_usage:
+      cert.ext_key_usage && !isEmpty(cert.ext_key_usage)
+        ? cert.ext_key_usage
+        : undefined,
+    ttl: cert.ttl ? cert.ttl : undefined,
+  };
+  if (cert.issuer) {
+    certJson.issuer = `\${ibm_sm_private_certificate_configuration_root_ca.${
+      snakeCase(cert.secrets_manager) +
+      "_secrets_manager_root_ca_configuration_" +
+      snakeCase(cert.issuer)
+    }.name}`;
+    certJson.depends_on = [
+      `\${ibm_sm_private_certificate_configuration_root_ca.${
+        snakeCase(cert.secrets_manager) +
+        "_secrets_manager_root_ca_configuration_" +
+        snakeCase(cert.issuer)
+      }}`,
+    ];
+  } else if (cert.certificate_authority) {
+    certJson.certificate_authority = `\${ibm_sm_private_certificate_configuration_intermediate_ca.${
+      snakeCase(cert.secrets_manager) +
+      "_secrets_manager_intermediate_ca_configuration_" +
+      snakeCase(cert.certificate_authority)
+    }.name}`;
+    certJson.depends_on = [
+      `\${ibm_sm_private_certificate_configuration_intermediate_ca.${
+        snakeCase(cert.secrets_manager) +
+        "_secrets_manager_intermediate_ca_configuration_" +
+        snakeCase(cert.certificate_authority)
+      }}`,
+    ];
+  } else if (cert.certificate_template) {
+    certJson.certificate_template = `\${ibm_sm_private_certificate_configuration_template.${snakeCase(
+      cert.secrets_manager
+    )}_secrets_manager_template_configuration_${snakeCase(
+      cert.certificate_template
+    )}.name}`;
+    certJson.rotation = [
+      {
+        auto_rotate: cert.auto_rotate,
+        interval: cert.interval,
+        unit: cert.unit,
+      },
+    ];
+    certJson.depends_on = [
+      `\${ibm_sm_private_certificate_configuration_template.${snakeCase(
+        cert.secrets_manager
+      )}_secrets_manager_template_configuration_${snakeCase(
+        cert.certificate_template
+      )}}`,
+    ];
+  }
+  return jsonToTfPrint(
+    "resource",
+    cert.type === "private"
+      ? "ibm_sm_private_certificate"
+      : "ibm_sm_private_certificate_configuration_" + snakeCase(cert.type),
+    snakeCase(cert.secrets_manager) +
+      "_secrets_manager_" +
+      snakeCase(cert.type) +
+      (cert.type === "private" ? "_certificate_" : "_configuration_") +
+      snakeCase(cert.name),
+    certJson
+  );
+}
+
 /**
  * create secrets manager terraform
  * @param {Object} config
@@ -455,6 +551,13 @@ function secretsManagerTf(config) {
         secretsManagerData += formatSecretsManagerSecret(secret, config);
       });
     }
+
+    if (instance.certificates) {
+      instance.certificates.forEach((cert) => {
+        secretsManagerData += formatCertificate(cert);
+      });
+    }
+
     tf +=
       tfBlock(instance.name + " Secrets Manager", secretsManagerData) +
       (index !== config.secrets_manager.length - 1 ? "\n" : "");

diff --git a/client/src/lib/state/appid.js b/client/src/lib/state/appid.js
@@ -137,6 +137,24 @@ function initAppIdStore(store) {
         groups: encryptionKeyGroups,
         size: "small",
       },
+      disable_facebook: {
+        size: "small",
+        type: "toggle",
+        default: false,
+        labelText: "Disable Facebook Login",
+      },
+      disable_google: {
+        size: "small",
+        type: "toggle",
+        default: false,
+        labelText: "Disable Google Login",
+      },
+      disable_saml: {
+        size: "small",
+        type: "toggle",
+        default: false,
+        labelText: "Disable SAML Login",
+      },
     },
     subComponents: {
       keys: {

diff --git a/client/src/lib/state/reusable-fields.js b/client/src/lib/state/reusable-fields.js
@@ -147,6 +147,12 @@ function hasDuplicateName(field, stateData, componentProps, overrideField) {
         });
       }
     );
+  } else if (field === "certificates") {
+    allOtherNames = nestedSplat(
+      componentProps.craig.store.json.secrets_manager,
+      field,
+      "name"
+    );
   } else if (
     field === "arbitrary_secret_name" ||
     field === "username_password_secret_name"