Update nozzle with client-id and client-secret for token refresh authentication

Author: cholick

.circleci/ci_nozzle_manifest.yml

@@ -10,6 +10,8 @@ applications:
       API_ENDPOINT:
       API_USER:
       API_PASSWORD:
+      CLIENT_ID:
+      CLIENT_SECRET:
       SPLUNK_HOST:
       SPLUNK_TOKEN:
       SPLUNK_INDEX:

.circleci/update_manifest.sh

@@ -6,6 +6,8 @@ set -e
 sed -i 's@API_ENDPOINT:.*@'"API_ENDPOINT: $API_ENDPOINT"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@API_USER:.*@'"API_USER: $API_USER"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@API_PASSWORD:.*@'"API_PASSWORD: $API_PASSWORD"'@' .circleci/ci_nozzle_manifest.yml
+sed -i 's@CLIENT_ID:.*@'"CLIENT_ID: $CLIENT_ID"'@' .circleci/ci_nozzle_manifest.yml
+sed -i 's@CLIENT_SECRET:.*@'"CLIENT_SECRET: $CLIENT_SECRET"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_HOST:.*@'"SPLUNK_HOST: $SPLUNK_HOST"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_TOKEN:.*@'"SPLUNK_TOKEN: $SPLUNK_TOKEN"'@' .circleci/ci_nozzle_manifest.yml
 sed -i 's@SPLUNK_INDEX:.*@'"SPLUNK_INDEX: $SPLUNK_INDEX"'@' .circleci/ci_nozzle_manifest.yml

README.md

@@ -19,30 +19,36 @@ In addition, logs from the nozzle itself are of sourcetype `cf:splunknozzle`.
 
 ### Setup
 
-The Nozzle requires a user with the scope `doppler.firehose` and
-`cloud_controller.admin_read_only` (the latter is only required if `ADD_APP_INFO` is true). If `cloud_controller.admin_read_only` is not
+The Nozzle requires a client with the authorities `doppler.firehose` and `cloud_controller.admin_read_only` (the latter is only required if `ADD_APP_INFO` is true) and grant-types `client_credentials` and `refresh_token`. If `cloud_controller.admin_read_only` is not
 available in the system, switch to use `cloud_controller.admin`.
 
 You can either
-* Add the user manually using [uaac](https://github.com/cloudfoundry/cf-uaac)
-* Add a new user to the deployment manifest; see [uaa.scim.users](https://github.com/cloudfoundry/uaa-release/blob/master/jobs/uaa/spec)
+* Add the client manually using [uaac](https://github.com/cloudfoundry/cf-uaac)
+* Add the client to the deployment manifest; see [uaa.scim.users](https://github.com/cloudfoundry/uaa-release/blob/master/jobs/uaa/spec)
 
 Manifest example:
 
 ```yaml
-uaa:
-  scim:
-    users:
-      - splunk-firehose|password123|cloud_controller.admin_read_only,doppler.firehose
+
+# Clients
+uaa.clients:
+    splunk-firehose:
+      id: splunk-firehose
+      override: true
+      secret: splunk-firehose-secret
+      authorized-grant-types: client_credentials,refresh_token
+      authorities: doppler.firehose,cloud_controller.admin_read_only
 ```
 
 `uaac` example:
 ```shell
 uaac target https://uaa.[system domain url]
 uaac token client get admin -s [admin client credentials secret]
-uaac -t user add splunk-nozzle --password password123 --emails na
-uaac -t member add cloud_controller.admin_read_only splunk-nozzle
-uaac -t member add doppler.firehose splunk-nozzle
+uaac client add splunk-firehose --name splunk-firehose
+uaac client add splunk-firehose --secret [your_client_secret]
+uaac client add splunk-firehose --authorized_grant_types client_credentials,refresh_token
+uaac client add splunk-firehose --authorities doppler.firehose,cloud_controller.admin_read_only
+
 ```
 
 `cloud_controller.admin_read_only` will work for cf v241
@@ -55,8 +61,8 @@ You can declare parameters by making a copy of the scripts/nozzle.sh.template.
 
 __Cloud Foundry configuration parameters:__
 * `API_ENDPOINT`: Cloud Foundry API endpoint address.
-* `API_USER`: Cloud Foundry user name. (Must have scope described above)
-* `API_PASSWORD`: Cloud Foundry user password.
+* `CLIENT_ID`: UAA Client ID (Must have authorities and grant_types described above).
+* `CLIENT_SECRET`: Secret for Client ID.
 
 __Splunk configuration parameters:__
 * `SPLUNK_TOKEN`: [Splunk HTTP event collector token](http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector/).

cache/boltdb.go

@@ -359,6 +359,7 @@ func (c *Boltdb) fromPCFApp(app *cfclient.App) *App {
 		Guid:       app.Guid,
 		SpaceGuid:  app.SpaceGuid,
 		IgnoredApp: c.isOptOut(app.Environment),
+		CfAppEnv:   app.Environment,
 	}
 
 	c.fillOrgAndSpace(cachedApp)

ci/nozzle_manifest.yml

@@ -8,8 +8,8 @@ applications:
     env:
       GOPACKAGENAME: main
       API_ENDPOINT:
-      API_USER:
-      API_PASSWORD:
+      CLIENT_ID:
+      CLIENT_SECRET:
       SPLUNK_HOST:
       SPLUNK_TOKEN:
       SPLUNK_INDEX:

glide.lock

@@ -11,9 +11,11 @@ import (
 )
 
 type Config struct {
-	ApiEndpoint string `json:"api-endpoint"`
-	User        string `json:"-"`
-	Password    string `json:"-"`
+	ApiEndpoint  string `json:"api-endpoint"`
+	User         string `json:"-"`
+	Password     string `json:"-"`
+	ClientID     string `json:"-"`
+	ClientSecret string `json:"-"`
 
 	SplunkToken string `json:"-"`
 	SplunkHost  string `json:"splunk-host"`
@@ -67,9 +69,13 @@ func NewConfigFromCmdFlags(version, branch, commit, buildos string) *Config {
 	kingpin.Flag("api-endpoint", "API endpoint address").
 		OverrideDefaultFromEnvar("API_ENDPOINT").Required().StringVar(&c.ApiEndpoint)
 	kingpin.Flag("user", "Admin user.").
-		OverrideDefaultFromEnvar("API_USER").Required().StringVar(&c.User)
+		OverrideDefaultFromEnvar("API_USER").StringVar(&c.User)
 	kingpin.Flag("password", "Admin password.").
-		OverrideDefaultFromEnvar("API_PASSWORD").Required().StringVar(&c.Password)
+		OverrideDefaultFromEnvar("API_PASSWORD").StringVar(&c.Password)
+	kingpin.Flag("client-id", "Client ID.").
+		OverrideDefaultFromEnvar("CLIENT_ID").Required().StringVar(&c.ClientID)
+	kingpin.Flag("client-secret", "Client secret.").
+		OverrideDefaultFromEnvar("CLIENT_SECRET").Required().StringVar(&c.ClientSecret)
 
 	kingpin.Flag("splunk-host", "Splunk HTTP event collector host").
 		OverrideDefaultFromEnvar("SPLUNK_HOST").Required().StringVar(&c.SplunkHost)

splunknozzle/config.go

@@ -28,6 +28,8 @@ var _ = Describe("Config", func() {
 			os.Setenv("API_ENDPOINT", "api.bosh-lite.com")
 			os.Setenv("API_USER", "admin")
 			os.Setenv("API_PASSWORD", "abc123")
+			os.Setenv("CLIENT_ID", "client123")
+			os.Setenv("CLIENT_SECRET", "secret123")
 
 			os.Setenv("SPLUNK_TOKEN", "sometoken")
 			os.Setenv("SPLUNK_HOST", "splunk.example.com")
@@ -69,6 +71,8 @@ var _ = Describe("Config", func() {
 			Expect(c.ApiEndpoint).To(Equal("api.bosh-lite.com"))
 			Expect(c.User).To(Equal("admin"))
 			Expect(c.Password).To(Equal("abc123"))
+			Expect(c.ClientID).To(Equal("client123"))
+			Expect(c.ClientSecret).To(Equal("secret123"))
 
 			Expect(c.SplunkHost).To(Equal("splunk.example.com"))
 			Expect(c.SplunkToken).To(Equal("sometoken"))
@@ -160,6 +164,8 @@ var _ = Describe("Config", func() {
 				"--api-endpoint=api.bosh-lite.comc",
 				"--user=adminc",
 				"--password=abc123c",
+				"--client-id=client123",
+				"--client-secret=secret123",
 				"--splunk-host=splunk.example.comc",
 				"--splunk-token=sometokenc",
 				"--splunk-index=splunk_indexc",
@@ -196,6 +202,8 @@ var _ = Describe("Config", func() {
 			Expect(c.ApiEndpoint).To(Equal("api.bosh-lite.comc"))
 			Expect(c.User).To(Equal("adminc"))
 			Expect(c.Password).To(Equal("abc123c"))
+			Expect(c.ClientID).To(Equal("client123"))
+			Expect(c.ClientSecret).To(Equal("secret123"))
 
 			Expect(c.SplunkHost).To(Equal("splunk.example.comc"))
 			Expect(c.SplunkToken).To(Equal("sometokenc"))

splunknozzle/config_test.go

@@ -43,6 +43,8 @@ func (s *SplunkFirehoseNozzle) PCFClient() (*cfclient.Client, error) {
 		Username:          s.config.User,
 		Password:          s.config.Password,
 		SkipSslValidation: s.config.SkipSSLCF,
+		ClientID:          s.config.ClientID,
+		ClientSecret:      s.config.ClientSecret,
 	}
 
 	return cfclient.NewClient(cfConfig)
@@ -80,7 +82,6 @@ func (s *SplunkFirehoseNozzle) EventSink(logger lager.Logger) (eventsink.Sink, e
 		Logger:  logger,
 	}
 
-
 	var writers []eventwriter.Writer
 	for i := 0; i < s.config.HecWorkers+1; i++ {
 		splunkWriter := eventwriter.NewSplunk(writerConfig)

splunknozzle/nozzle.go

@@ -16,9 +16,11 @@ import (
 
 func newConfig() *Config {
 	return &Config{
-		ApiEndpoint: "http://localhost:9911",
-		User:        "admin",
-		Password:    "admin",
+		ApiEndpoint:  "http://localhost:9911",
+		User:         "admin",
+		Password:     "admin",
+		ClientID:     "admin",
+		ClientSecret: "admin",
 
 		SplunkToken: "token",
 		SplunkHost:  "localhost:8088",