Allow configuration of auth for package and app installs (#268)

docs/attributes.md

@@ -29,6 +29,7 @@ Configurable (with defaults)
 * `node['splunk']['package']['file_suffix']` - URI path portion, suffix to append after building (set based on ohai attributes)
 * `node['splunk']['package']['file_name']` - Actual package file name (`"#{node['splunk']['package']['name']}#{node['splunk']['package']['file_suffix']}"`)
 * `node['splunk']['package']['url']` - Full URI to the Splunk package to download (Constructed from above package attributes)
+* `node['splunk']['package']['authorization']` - A Contextual Hash of coordinate strings (see [data bags documentation][data_bags]) pointing to a key within a data bag item containing the Authorization header value for retrieving the splunk package. (nil - no default)
 * `node['splunk']['config']['alerts']` - Data bag item used to configure alerts (`nil` - alerts not managed by chef)
 * `node['splunk']['config']['authentication']` - Data bag item used to configure authentication (`nil` - authentication not managed by chef)
 * `node['splunk']['config']['host']` - Hostname to configure the Splunk instance to report as. (EC2 Instance ID or Fully Qualified Domain Name)
@@ -42,7 +43,7 @@ Configurable (with defaults)
 * `node['splunk']['config']['assumed_index']` - Name of the index to which data is forwarded to by default, when the index is not configured for the input.(`main`)
 * `node['splunk']['bootstrap_shc_member']` - Set this attribute to `true` to bootstrap a member to the Search Head Cluster (SHC). (`false`)
 * `node['splunk']['heavy_forwarder']['use_license_uri']` - Set this attribute to `true` to point the Heavy Forwarder to the license master. (`false`)
-* `node['splunk']['apps']` - An [apps hash](databags.md#apps-hash) of apps to configure locally. (Does not support downloading apps ... yet...)
+* `node['splunk']['apps']` - An [apps hash](databags.md#apps-hash) of apps to configure locally.
 * `node['splunk']['data_bag_secret']` - The location of the shared secret file if your encrypted data bags are encrypted via shared secret rather than chef-vault. If this is not specified, and the encrypted data bags are using shared secret encryption then chef looks for a secret at the path specified by the encrypted_data_bag_secret setting in the client.rb file.
 * `node['splunk']['forwarder_site']` - Set this attribute to configure site awareness for your forwarders.(`site0`)
 * `node['splunk']['mgmt_host']` - The host other SHC members use when connecting to the current node. You probably want a wrapper cookbook to override this. By default `node['splunk']['mgmt_interface']` is now used, but to support existing configurations this attribute is still available and takes precedence when set. (`nil`)

docs/databags.md

@@ -142,6 +142,7 @@ An apps hash is a contextual (see above) Hash, part of a plaintext data bag item
 * `[app]['download']` - Information for downloading an app
 * `[app]['download']['url']` - URL of where to download the app .tar.gz or .spl file. Archive is expected to contain a top-level directory with name matching 'app' attribute above.
 * `[app]['download']['version']` - Expected [version number][app.conf] (if any) used to determine if a new app should be downloaded.
+* `[app]['download']['authorization']` - A contextual Hash of coordinate strings pointing to a key within a data bag item containing the Authorization header value for downloading the splunk app.
 * `[app]['files']` - Hash of files to manage under the "default" or "local" directory.
 * `[app]['files'][filename]` - Contents of a particular file to manage. It can take 3 values, a hash of stanzas -> key-value pairs (then written with the splunk template), a string (written as is), or nil / false (deleted). If the hash or string is empty, the file is also deleted.
 * `[app]['files'][filename][stanza][attribute]` - A particular attribute in a configuration file. Can be either a discrete value or a hash (parts described below)

libraries/splunk_app.rb

@@ -99,6 +99,10 @@ def version(arg = nil)
         set_or_return(:version, arg, kind_of: String)
       end
 
+      def authorization(arg = nil)
+        set_or_return(:authorization, arg, kind_of: String)
+      end
+
       # Calculated attributes
       def required_directories
         %w[local default metadata lookups].collect { |d| "#{root_dir}/#{d}" }.unshift(root_dir)
@@ -216,8 +220,9 @@ def download_and_install
         return unless should_download? expected_version, installed_version
 
         filename = "#{Chef::Config[:file_cache_path]}/#{new_resource.app}.tgz"
+        authorization = CernerSplunk::DataBag.load(new_resource.authorization, secret: node['splunk']['data_bag_secret']) if new_resource.authorization
 
-        download = download_file filename, new_resource.url
+        download = download_file filename, new_resource.url, authorization
 
         install_from_tar filename, expected_version, installed_version
       ensure

metadata.rb

@@ -6,7 +6,7 @@
 license          'Apache-2.0'
 description      'Installs/Configures Splunk Servers and Forwarders'
 
-version          '2.57.1'
+version          '2.58.0'
 
 source_url       'https://github.com/cerner/cerner_splunk'
 issues_url       'https://github.com/cerner/cerner_splunk/issues'

recipes/_configure_apps.rb

@@ -26,6 +26,7 @@
     action app_data['remove'] ? :remove : :create
     url download_data['url']
     version download_data['version']
+    authorization download_data['authorization']
     local app_data['local']
     files app_data['files']
     lookups app_data['lookups']

recipes/_install.rb

@@ -67,10 +67,12 @@ def nsp
 end
 
 splunk_file = "#{Chef::Config[:file_cache_path]}/#{node['splunk']['package']['file_name']}"
-
+package_auth = node['splunk']['package']['authorization']
+auth_header = CernerSplunk::DataBag.load(package_auth, secret: node['splunk']['data_bag_secret']) if package_auth
 remote_file splunk_file do
   source node['splunk']['package']['url']
   action :create
+  headers('Authorization' => auth_header) if auth_header
   only_if(&manifest_missing)
 end
 

spec/unit/recipes/_configure_apps_spec.rb

@@ -10,49 +10,76 @@
     runner.converge('cerner_splunk::_restart_marker', described_recipe)
   end
 
-  let(:apps) do
-    {
-      'test_app' => {
-        'files' => {
-          'app.conf' => {
-            'ui' => {
-              'is_visible' => '1',
-              'label' => 'Test App'
+  context 'when there is no download url' do
+    let(:apps) do
+      {
+        'test_app' => {
+          'files' => {
+            'app.conf' => {
+              'ui' => {
+                'is_visible' => '1',
+                'label' => 'Test App'
+              }
+            }
+          },
+          'lookups' => {
+            'index-owners.csv' => 'http://33.33.33.33:5000/lookups/index-owners.csv',
+            'test.csv' => {
+              'url' => 'http://33.33.33.33:5000/lookups/test.csv',
+              'authorization' => 'test_bag/test_item:test_attribute'
             }
           }
-        },
-        'lookups' => {
+        }
+      }
+    end
+
+    it { is_expected.to_not be_nil }
+
+    it 'installs the app with the expected attributes' do
+      expected_attributes = {
+        lookups: {
           'index-owners.csv' => 'http://33.33.33.33:5000/lookups/index-owners.csv',
           'test.csv' => {
             'url' => 'http://33.33.33.33:5000/lookups/test.csv',
             'authorization' => 'test_bag/test_item:test_attribute'
           }
+        },
+        files: {
+          'app.conf' => {
+            'ui' => {
+              'is_visible' => '1',
+              'label' => 'Test App'
+            }
+          }
         }
       }
-    }
+      expect(subject).to create_splunk_app('test_app').with(expected_attributes)
+    end
   end
 
-  it { is_expected.to_not be_nil }
-
-  it 'installs the app with the expected attributes' do
-    expected_attributes = {
-      lookups: {
-        'index-owners.csv' => 'http://33.33.33.33:5000/lookups/index-owners.csv',
-        'test.csv' => {
-          'url' => 'http://33.33.33.33:5000/lookups/test.csv',
-          'authorization' => 'test_bag/test_item:test_attribute'
-        }
-      },
-      files: {
-        'app.conf' => {
-          'ui' => {
-            'is_visible' => '1',
-            'label' => 'Test App'
+  context 'when there is a download url' do
+    let(:apps) do
+      {
+        'test_app' => {
+          'download' => {
+            'url' => 'http://33.33.33.33:5000/test_app.tgz',
+            'version' => '1.0',
+            'authorization' => 'test_bag/test_item:test_attribute'
           }
         }
       }
-    }
-    expect(subject).to create_splunk_app('test_app').with(expected_attributes)
+    end
+
+    it { is_expected.to_not be_nil }
+
+    it 'installs the app with the expected attributes' do
+      expected_attributes = {
+        url: 'http://33.33.33.33:5000/test_app.tgz',
+        version: '1.0',
+        authorization: 'test_bag/test_item:test_attribute'
+      }
+      expect(subject).to create_splunk_app('test_app').with(expected_attributes)
+    end
   end
 
   context 'when remove is set to true' do

spec/unit/recipes/_install_spec.rb

@@ -10,6 +10,7 @@
       node.override['splunk']['package']['base_name'] = 'splunkforwarder'
       node.override['splunk']['package']['download_group'] = 'universalforwarder'
       node.override['splunk']['package']['file_suffix'] = '.txt'
+      node.override['splunk']['package']['authorization'] = package_authorization
       node.override['splunk']['config']['clusters'] = ['cerner_splunk/cluster']
     end
     runner.converge(described_recipe)
@@ -31,6 +32,7 @@
 
   let(:platform) { 'centos' }
   let(:platform_version) { '6.10' }
+  let(:package_authorization) { nil }
 
   let(:initd_exists) { nil }
   let(:ui_login_exists) { nil }
@@ -92,6 +94,21 @@
       expect(subject).to create_remote_file(splunk_filepath)
     end
 
+    context 'when authorization is provided' do
+      let(:package_authorization) { 'cerner_splunk/test_item:auth' }
+
+      before do
+        stub_data_bag_item('cerner_splunk', 'test_item').and_return('auth' => 'Basic user:pass')
+      end
+
+      it 'downloads the remote file' do
+        expected_attrs = {
+          headers: {'Authorization' => 'Basic user:pass'}
+        }
+        expect(subject).to create_remote_file(splunk_filepath).with(expected_attrs)
+      end
+    end
+
     it 'does not delete the downloaded splunk package' do
       expect(subject).to_not delete_file(splunk_filepath)
     end
@@ -100,12 +117,9 @@
       let(:platform) { 'windows' }
       let(:platform_version) { '2012R2' }
       let(:windows) { true }
-      let(:password_databag) { 'cerner_splunk/passwords:winpass' }
 
       before do
         ENV['PROGRAMW6432'] = 'test'
-        allow(ChefVault::Item).to receive(:data_bag_item_type).and_return(:normal)
-        stub_data_bag_item('cerner_splunk', 'passwords').and_return('winpass' => 'foobar')
       end
 
       it 'installs downloaded splunk package' do