S3 rebased (#16)

* Added feature of checking user group when creating a deployment

* Fixed the case when using token with wlcg.groups claim instead groups

* Create authorizeRequestedGroup function used in creating a deployment and listing the deployments for a specific group

* Fixes after jacoco test

* Added the force papameter in deployment deletion to skip IAM clients deletion

* Fixed code after jacoco tests

* Fixed tests and updated documentation

* Fix comment in documentation

* Try to fix jackson dependency

* Fix indentation in pom.xml

* Use macos for the VM where to run the github action

* Use ubuntu-20.04 to run the github workflow

* Enabled force parameter from IM

* Fixed explanation of force parameter

* Added PAAS DEP USER tag

* Modified descritpion of force parameter

* Not setting monitoring url is now allowed

* Added .DS_Store in gitignore

* Fix monitoring + ower string empty/null

* remove default of monitoring.url in application.properties

* Add new line at the end of application.properties

* Modify the readme to add new information about features of the orchestrator's IAM client

* Add functionality of s3 buckets management

* Start working on creation/deletion buckets with reading secrets from vault

* Added possibility to contact vault to read secrets

* Fix code after jacoco tests

* Refactoring of the code introducing S3Service class

* Modify definition of constants

* Fix IM test

* Change projectKey and organization for sonarcloud

* Introduced better handling of exceptions, and the S3ServiceException class

* Fix exception handling

* added and used getter for bucket_name, s3_url and s3_tosca_node_type

* Move getters of tosca variables in ToscaService class

* Enabled bucket versioning

* Metedata should be written before eventual failures

* Created a proper function to enable bucket versioning and put metadata writing after bucket creation and before enabling versioning

* Orchestrator now writes aws_access_key and aws_secret_key in the template, and proper bucket_name

* Implemented a regular expression to check the bucket name

* Fix checking bucket name with Boolean.FALSE.equals

* Update Jenkinsfile

* Update Jenkinsfile

* Remove github clone and checkout in Jenkinsfile

* Added userGroup in the vault path where read secrets

* Implemented deleting objects, obect versions and delete markers from buckets

---------

Co-authored-by: Luca Giommi <[email protected]>

Author: lgiommi

.github/workflows/sonar.yml

@@ -47,6 +47,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: mvn -Dcheckstyle.skip -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar 
-                 -Dsonar.projectKey=indigo-paas_orchestrator
-                 -Dsonar.organization=indigo-paas
+                 -Dsonar.projectKey=infn-datacloud_orchestrator
+                 -Dsonar.organization=infn-datacloud
                  -Dsonar.host.url=https://sonarcloud.io

.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 *.pydevproject
 .metadata
 .gradle

Jenkinsfile

@@ -1,235 +1,77 @@
-#!/usr/bin/groovy
-
-@Library(['github.com/indigo-dc/[email protected]']) _
-
 pipeline {
+
     agent {
-        label 'java'
+        node { label 'jenkinsworker00' }
     }
 
     environment {
-        dockerhub_repo = "indigodatacloud/orchestrator"
-        dockerhub_image_id = ""
+        DOCKER_HUB_CREDENTIALS = 'docker-hub-credentials'
+        DOCKER_HUB_IMAGE_NAME = 'indigopaas/orchestrator'
+        HARBOR_CREDENTIALS = 'harbor-paas-credentials'
+        HARBOR_IMAGE_NAME = 'datacloud-middleware/orchestrator'
     }
 
     stages {
-        stage('Fetch code') {
-            steps {
-                checkout scm
-            }
-        }
 
-        stage('Style Analysis') {
-            steps {
-                MavenRun('checkstyle')
-            }
-            post {
-                always {
-                    CheckstyleReport()
-                    dir("$WORKSPACE/target") {
-                        deleteDir()
-                    }
-                }
-            }
-        }
-
-        stage('Unit testing coverage') {
-            steps {
-                MavenRun('cobertura')
-            }
-            post {
-                success {
-                    CoberturaReport('**/target/site/cobertura/coverage.xml')
-                    JUnitReport()
-                    dir("$WORKSPACE/target") {
-                        deleteDir()
-                    }
-                }
-            }
-        }
-
-        stage('Integration tests') {
-            steps {
-                MavenRun('integration-test')
-            }
-            post {
-                success {
-                    JUnitReport()
-                }
-            }
-        }
-
-        /*
-        stage('Dependency check') {
+        stage('checkout and compiling') {
             agent {
-                label 'docker-build'
-            }
-            steps {
-                checkout scm
-                OWASPDependencyCheckRun("$WORKSPACE/orchestrator/src", project="Orchestrator")
-            }
-            post {
-                always {
-                    OWASPDependencyCheckPublish()
-                    HTMLReport("$WORKSPACE/orchestrator/src",
-                               'dependency-check-report.html',
-                               'OWASP Dependency Report')
-                    deleteDir()
-                }
-            }
-        }
-
-
-        stage('Build Javadoc and REST documentation') {
-            when {
-                branch 'master'
-            }
-            steps {
-                withCredentials([string(
-                    credentialsId: "indigo-github-token",
-                    variable: "GITHUB_TOKEN")]) {
-                    // git defaults
-                    sh 'git remote set-url origin "https://indigobot:${GITHUB_TOKEN}@github.com/indigo-dc/orchestrator"'
-                    sh 'git config user.name "indigobot"'
-                    sh 'git config user.email "<>"'
-                    // build docs
-                    sh 'git checkout gh-pages'
-                    sh 'git merge --ff -s recursive -X theirs --commit -m "Merge remote-tracking branch <origin/master>"'
-                    sh 'rm -rf "${WORKSPACE}/apidocs"'
-                    sh 'rm -rf "${WORKSPACE}/restdocs"'
-                    MavenRun('clean javadoc:javadoc package -P restdocs -Deditorconfig.skip=true')
-                    sh "mv ${WORKSPACE}/target/site/apidocs ${WORKSPACE}/apidocs"
-                    sh 'git add -A'
-                    sh 'git commit -am "Update documentation"'
-                    // push to gh-pages
-                    sh 'git push origin HEAD:gh-pages'
+                docker {
+                    label 'jenkinsworker00'
+                    image 'maven:3.5.4-ibmjava-8'
+                    args '--privileged'
+                    reuseNode true
                 }
             }
-        }
-        */
-        stage('Metrics') {
-            agent {
-                label 'sloc'
-            }
             steps {
-                checkout scm
-                SLOCRun()
-            }
-            post {
-                success {
-                    SLOCPublish()
+                configFileProvider([configFile(fileId: 'maven-nexus-settings.xml', variable: 'MAVEN_SETTINGS')]) {
+                    sh 'mvn -s $MAVEN_SETTINGS editorconfig:format'
+                    sh 'mvn -s $MAVEN_SETTINGS clean install'
                 }
             }
         }
 
-        stage('DockerHub delivery') {
-            when {
-                anyOf {
-                    branch 'master'
-                    branch 'releases/*'
-                    tag 'v*'
-                }
-            }
-            agent {
-                label 'docker-build'
-            }
+        stage('Build and tag Docker Image') {
             steps {
-                checkout scm
                 script {
-                    PROJECT_VERSION="""${sh([
-                        returnStdout: true,
-                        script: 'mvn -q -Dexec.executable=echo -Dexec.args=\'${project.version}\' --non-recursive exec:exec']).trim()
-                    }"""
-                    MavenRun('-DskipTests=true package')
-                    dockerhub_image_id = DockerBuild(
-                        dockerhub_repo,
-                        tag: PROJECT_VERSION,
-                        build_dir: 'docker')
-                }
-            }
-            post {
-                success {
-                    DockerPush(dockerhub_image_id)
-                }
-                failure {
-                    DockerClean()
-                }
-                always {
-                    cleanWs()
-                }
-            }
-        }
+                    def dockerImage = docker.build("orchestrator:${env.BRANCH_NAME}", "-f docker/Dockerfile docker/")
 
-        stage('DockerHub delivery (for pull requests)') {
-            when {
-                changeRequest()
-            }
-            agent {
-                label 'docker-build'
-            }
-            steps {
-                checkout scm
-                script {
-                    MavenRun('-DskipTests=true package')
-                    dockerhub_image_id = DockerBuild(dockerhub_repo,
-                                                     tag: env.CHANGE_ID,
-                                                     build_dir: 'docker')
-                }
-            }
-            post {
-                success {
-                    DockerPush(dockerhub_image_id)
-                }
-                failure {
-                    DockerClean()
-                }
-                always {
-                    cleanWs()
+                    sh("docker tag orchestrator:${env.BRANCH_NAME} ${HARBOR_IMAGE_NAME}:${env.BRANCH_NAME}")
+                    sh("docker tag orchestrator:${env.BRANCH_NAME} ${DOCKER_HUB_IMAGE_NAME}:${env.BRANCH_NAME}")
                 }
             }
         }
-
-        stage('Notifications') {
-            when {
-                tag 'v*'
-            }
+        stage('Push to Docker Hub and Harbor') {
             parallel {
-                stage('Notify DEEP') {
+                stage('Push to Docker Hub') {
                     steps {
-                        JiraIssueNotification(
-                            'DEEP',
-                            'DPM',
-                            '10204',
-                            "[preview-testbed] New orchestrator version ${env.BRANCH_NAME} available",
-                            "Check new artifacts at:\n\t- Docker image: [${dockerhub_image_id}|https://hub.docker.com/r/${dockerhub_repo}/tags/]",
-                            ['wp3', 'preview-testbed', "orchestrator-${env.BRANCH_NAME}"],
-                            'Task',
-                            'mariojmdavid',
-                            ['wgcastell',
-                            'vkozlov',
-                            'dlugo',
-                            'keiichiito',
-                            'laralloret',
-                            'ignacioheredia']
-                        )
+                        script {
+                            // Retrieve the Docker image object from the previous stage
+                            def dockerhubImage = docker.image("${DOCKER_HUB_IMAGE_NAME}:${env.BRANCH_NAME}")
+
+                            // Login to Docker Hub
+                            docker.withRegistry('https://index.docker.io/v1/', DOCKER_HUB_CREDENTIALS) {
+                                // Push the Docker image to Docker Hub
+                                dockerhubImage.push()
+                            }
+                        }
                     }
                 }
-                stage('Notify XDC') {
+
+                stage('Push to Harbor') {
                     steps {
-                        JiraIssueNotification(
-                            'XDC',
-                            'XDM',
-                            '10100',
-                            "[preview-testbed] New orchestrator version ${env.BRANCH_NAME} available",
-                            "Check new artifacts at:\n\t- Docker image: [${dockerhub_image_id}|https://hub.docker.com/r/${dockerhub_repo}/tags/]",
-                            ['WP3', 't3.2', 'preview-testbed', "orchestrator-${env.BRANCH_NAME}"],
-                            'Task',
-                            'doinacristinaduma',
-                            ['doinacristinaduma']
-                        )
+                        script {
+                            // Retrieve the Docker image object from the previous stage
+                            def harborImage = docker.image("${HARBOR_IMAGE_NAME}:${env.BRANCH_NAME}")
+
+                            // Login to Harbor
+                            docker.withRegistry('https://harbor.cloud.infn.it', HARBOR_CREDENTIALS) {
+                                // Push the Docker image to Harbor
+                                harborImage.push()
+                            }
+                        }
                     }
                 }
             }
         }
-    } // stages
-} // pipeline
+    }
+}

asciidoc/index.adoc

@@ -239,6 +239,11 @@ include::{snippets}/reset-deployment/http-response.adoc[]
 
 A `DELETE` request is used to delete the deployment from the id.
 
+=== Request parameters
+
+[cols=",a"]
+include::{snippets}/delete-deployment/request-parameters.adoc[]
+
 ==== Example request
 
 include::{snippets}/delete-deployment/curl-request.adoc[]

gitbook/how_to_deploy.md

@@ -143,6 +143,7 @@ By default the REST APIs are not authenticated; if you want to enable the IAM in
      * **Description**: The CLUES OAuth2 client secret
 
 Please make reference to the [IAM guide](https://indigo-dc.gitbooks.io/iam/content) for further information on how to register the Orchestrator as protected resource server.
+To allow orchestrator to create IAM clients, the IAM client of the orchestrator should also have `client_credentials` as grant type, and `iam:admin.read` and `iam:admin.write` as scopes (starting with IAM v1.8.2).
 
 :warning: Even if the authentication is optional and disabled by default, you are highly encouraged to enable it, otherwise you will not be able to create deployments neither on OpenStack nor on OpenNebula.
 

pom.xml

@@ -75,7 +75,7 @@
     <elasticsearch.version>1.7.5</elasticsearch.version>
     <assertj.version>3.8.0</assertj.version>
     <openid-connect.version>1.3.3</openid-connect.version>
-    <im-java-api.version>0.4.15</im-java-api.version>
+    <im-java-api.version>0.4.17</im-java-api.version>
     <monitoring-pillar-domain.version>1.8.1-FINAL</monitoring-pillar-domain.version>
     <flowable.version>6.5.0</flowable.version>
     <alien4cloud.version>2.1.0-DEEP-1.3.1</alien4cloud.version>
@@ -119,11 +119,23 @@
       <url>https://repository.indigo-datacloud.eu/repository/maven-public</url>
     </repository>
 
+    <repository>
+      <id>cnaf-sd-nexus-repository</id>
+      <name>CNAF SD Nexus repository</name>
+      <url>https://repo.cloud.cnaf.infn.it/repository/maven-public/</url>
+    </repository>
+
   </repositories>
 
 
   <dependencies>
 
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>s3</artifactId>
+      <version>2.20.52</version>
+    </dependency>
+
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
@@ -208,6 +220,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-xml</artifactId>
+      <version>2.8.11</version>
     </dependency>
 
     <!-- Ignite -->

src/main/java/it/reply/orchestrator/Application.java

@@ -18,7 +18,6 @@
 package it.reply.orchestrator;
 
 import java.util.TimeZone;
-
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration;

src/main/java/it/reply/orchestrator/config/WebAppInitializer.java

@@ -19,7 +19,6 @@
 
 import it.reply.orchestrator.config.filters.CustomRequestLoggingFilter;
 import it.reply.orchestrator.config.properties.OrchestratorProperties;
-
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;

src/main/java/it/reply/orchestrator/config/properties/MonitoringProperties.java

@@ -18,12 +18,9 @@
 package it.reply.orchestrator.config.properties;
 
 import java.net.URI;
-
 import javax.validation.constraints.NotNull;
-
 import lombok.Data;
 import lombok.NoArgsConstructor;
-
 import org.checkerframework.checker.nullness.qual.NonNull;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.validation.annotation.Validated;
@@ -34,8 +31,6 @@
 @NoArgsConstructor
 public class MonitoringProperties {
 
-  @NotNull
-  @NonNull
   private URI url;
 
   @NotNull