feat: [CI-8680]: integrated gitness jwt in ci

Author: devkimittal

332-ci-manager/app/src/main/java/io/harness/ci/CIManagerServiceModule.java

@@ -15,6 +15,7 @@
 import static io.harness.lock.DistributedLockImplementation.MONGO;
 import static io.harness.pms.listener.NgOrchestrationNotifyEventListener.NG_ORCHESTRATION;
 
+import io.harness.AccessControlClientConfiguration;
 import io.harness.AccessControlClientModule;
 import io.harness.account.AccountClientModule;
 import io.harness.annotations.dev.HarnessTeam;
@@ -192,6 +193,12 @@ public ObjectMapper getYamlSchemaObjectMapper() {
     return objectMapper;
   }
 
+  @Provides
+  @Singleton
+  public AccessControlClientConfiguration getAccessControlClientConfiguration() {
+    return ciManagerConfiguration.getAccessControlClientConfiguration();
+  }
+
   @Provides
   @Named("yaml-schema-subtypes")
   @Singleton

332-ci-manager/service/src/main/java/io/harness/ci/execution/buildstate/CodebaseUtils.java

@@ -435,7 +435,8 @@ private void validateGitConnector(ConnectorDetails gitConnector) {
     //    }
   }
 
-  public ConnectorDetails getGitConnector(NGAccess ngAccess, CodeBase codeBase, boolean skipGitClone) {
+  public ConnectorDetails getGitConnector(
+      NGAccess ngAccess, CodeBase codeBase, boolean skipGitClone, Ambiance ambiance) {
     if (skipGitClone) {
       return null;
     }
@@ -445,14 +446,15 @@ public ConnectorDetails getGitConnector(NGAccess ngAccess, CodeBase codeBase, bo
     }
 
     String connectorRefValue = codeBase.getConnectorRef().getValue();
-    return getGitConnector(ngAccess, connectorRefValue);
+    return getGitConnector(ngAccess, connectorRefValue, ambiance, codeBase.getRepoName().getValue());
   }
 
-  public ConnectorDetails getGitConnector(NGAccess ngAccess, String gitConnectorRefValue) {
+  public ConnectorDetails getGitConnector(
+      NGAccess ngAccess, String gitConnectorRefValue, Ambiance ambiance, String repoName) {
     if (gitConnectorRefValue == null) {
       log.warn("GitConnectorRefValue is empty");
     }
-    return connectorUtils.getConnectorDetails(ngAccess, gitConnectorRefValue, true);
+    return connectorUtils.getConnectorDetailsWithToken(ngAccess, gitConnectorRefValue, true, ambiance, repoName);
   }
 
   public static String getCompleteURLFromConnector(ConnectorDetails connectorDetails, String repoName) {

332-ci-manager/service/src/main/java/io/harness/ci/execution/buildstate/ConnectorUtils.java

@@ -12,6 +12,7 @@
 import static io.harness.data.structure.EmptyPredicate.isEmpty;
 import static io.harness.data.structure.EmptyPredicate.isNotEmpty;
 
+import io.harness.AccessControlClientConfiguration;
 import io.harness.annotations.dev.HarnessTeam;
 import io.harness.annotations.dev.OwnedBy;
 import io.harness.beans.FeatureName;
@@ -29,22 +30,27 @@
 import io.harness.delegate.beans.connector.k8Connector.KubernetesClusterConfigDTO;
 import io.harness.exception.ConnectorNotFoundException;
 import io.harness.exception.ngexception.CIStageExecutionException;
+import io.harness.git.GitClientHelper;
 import io.harness.ng.core.BaseNGAccess;
 import io.harness.ng.core.NGAccess;
 import io.harness.plancreator.steps.TaskSelectorYaml;
 import io.harness.pms.contracts.ambiance.Ambiance;
+import io.harness.pms.contracts.plan.ExecutionPrincipalInfo;
 import io.harness.pms.execution.utils.AmbianceUtils;
 import io.harness.pms.sdk.core.data.OptionalSweepingOutput;
 import io.harness.pms.sdk.core.resolver.RefObjectUtils;
 import io.harness.pms.sdk.core.resolver.outputs.ExecutionSweepingOutputService;
 import io.harness.secretmanagerclient.services.api.SecretManagerClientService;
+import io.harness.security.JWTTokenServiceUtils;
 
+import com.google.common.collect.ImmutableMap;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import com.google.inject.name.Named;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 
@@ -56,6 +62,7 @@ public class ConnectorUtils extends BaseConnectorUtils {
   private final SecretManagerClientService secretManagerClientService;
   private final SecretUtils secretUtils;
   private final CIExecutionServiceConfig cIExecutionServiceConfig;
+  @Inject private AccessControlClientConfiguration accessControlClientConfiguration;
   @Inject private CIFeatureFlagService featureFlagService;
   @Inject @Named("ngBaseUrl") private String ngBaseUrl;
 
@@ -156,7 +163,8 @@ public ConnectorDetails getConnectorDetails(NGAccess ngAccess, String connectorI
         && featureFlagService.isEnabled(FeatureName.CODE_ENABLED, ngAccess.getAccountIdentifier())) {
       log.info("fetching harness scm connector");
       String baseUrl = getSCMBaseUrl(ngBaseUrl);
-      return super.getHarnessConnectorDetails(ngAccess, baseUrl);
+      String authToken = "";
+      return super.getHarnessConnectorDetails(ngAccess, baseUrl, authToken);
     }
 
     if (isEmpty(connectorIdentifier)) {
@@ -165,4 +173,37 @@ public ConnectorDetails getConnectorDetails(NGAccess ngAccess, String connectorI
 
     return super.getConnectorDetails(ngAccess, connectorIdentifier);
   }
+
+  public ConnectorDetails getConnectorDetailsWithToken(
+      NGAccess ngAccess, String connectorIdentifier, boolean isGitConnector, Ambiance ambiance, String repoName) {
+    if (isGitConnector && isEmpty(connectorIdentifier)
+        && featureFlagService.isEnabled(FeatureName.CODE_ENABLED, ngAccess.getAccountIdentifier())) {
+      log.info("fetching harness scm connector");
+      String baseUrl = getSCMBaseUrl(ngBaseUrl);
+      String authToken = fetchAuthToken(ngAccess, ambiance, repoName);
+      return super.getHarnessConnectorDetails(ngAccess, baseUrl, authToken);
+    }
+
+    if (isEmpty(connectorIdentifier)) {
+      throw new CIStageExecutionException("Git connector is mandatory in case git clone is enabled");
+    }
+
+    return super.getConnectorDetails(ngAccess, connectorIdentifier);
+  }
+
+  private String fetchAuthToken(NGAccess ngAccess, Ambiance ambiance, String repoName) {
+    ExecutionPrincipalInfo executionPrincipalInfo = ambiance.getMetadata().getPrincipalInfo();
+    String principal = executionPrincipalInfo.getPrincipal();
+    String email = AmbianceUtils.getEmail(ambiance);
+
+    String completeRepoName = GitClientHelper.getCompleteHarnessRepoName(
+        ngAccess.getAccountIdentifier(), ngAccess.getOrgIdentifier(), ngAccess.getProjectIdentifier(), repoName);
+    String[] allowedResources = {completeRepoName};
+
+    ImmutableMap<String, String> claims = ImmutableMap.of("name", principal, "type", "USER", "email", email);
+    ImmutableMap<String, String[]> arrayClaims = ImmutableMap.of("allowedResources", allowedResources);
+
+    return JWTTokenServiceUtils.generateJWTToken(claims, arrayClaims, TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS),
+        accessControlClientConfiguration.getAccessControlServiceSecret());
+  }
 }

332-ci-manager/service/src/main/java/io/harness/ci/execution/buildstate/PluginSettingUtils.java

@@ -176,7 +176,8 @@ public Map<String, String> getPluginCompatibleEnvVariables(PluginCompatibleStep
       case GIT_CLONE:
         final String connectorRef = stepInfo.getConnectorRef().getValue();
         final NGAccess ngAccess = AmbianceUtils.getNgAccess(ambiance);
-        final ConnectorDetails gitConnector = codebaseUtils.getGitConnector(ngAccess, connectorRef);
+        final ConnectorDetails gitConnector = codebaseUtils.getGitConnector(
+            ngAccess, connectorRef, ambiance, ((GitCloneStepInfo) stepInfo).getRepoName().getValue());
         return getGitCloneStepInfoEnvVariables((GitCloneStepInfo) stepInfo, ambiance, gitConnector, identifier);
       case SSCA_ORCHESTRATION:
         return sscaOrchestrationPluginUtils.getSscaOrchestrationStepEnvVariables(

332-ci-manager/service/src/main/java/io/harness/ci/execution/integrationstage/K8InitializeTaskParamsBuilder.java

@@ -169,7 +169,7 @@ private CIK8PodParams<CIK8ContainerParams> getK8HostedPodParams(InitializeStepIn
     String namespace = "account-" + getAccountIdentifier(ngAccess.getAccountIdentifier());
 
     ConnectorDetails gitConnector = codebaseUtils.getGitConnector(
-        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone());
+        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone(), ambiance);
     Pair<CIK8ContainerParams, List<CIK8ContainerParams>> podContainers = getStageContainers(
         initializeStepInfo, k8PodDetails, k8sHostedInfraYaml, ambiance, volumes, logPrefix, gitConnector);
     saveSweepingOutput(podName, k8sHostedInfraYaml, podContainers, ambiance);
@@ -215,7 +215,7 @@ private CIK8PodParams<CIK8ContainerParams> getK8DirectPodParams(InitializeStepIn
 
     NGAccess ngAccess = AmbianceUtils.getNgAccess(ambiance);
     ConnectorDetails gitConnector = codebaseUtils.getGitConnector(
-        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone());
+        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone(), ambiance);
     List<PodVolume> volumes = k8InitializeTaskUtils.convertDirectK8Volumes(k8sDirectInfraYaml);
     Pair<CIK8ContainerParams, List<CIK8ContainerParams>> podContainers = getStageContainers(
         initializeStepInfo, k8PodDetails, k8sDirectInfraYaml, ambiance, volumes, logPrefix, gitConnector);

332-ci-manager/service/src/main/java/io/harness/ci/execution/integrationstage/VmInitializeTaskParamsBuilder.java

@@ -207,7 +207,7 @@ public CIVmInitializeTaskParams getVmInitializeParams(
 
     NGAccess ngAccess = AmbianceUtils.getNgAccess(ambiance);
     ConnectorDetails gitConnector = codebaseUtils.getGitConnector(
-        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone());
+        ngAccess, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone(), ambiance);
     Map<String, String> codebaseEnvVars = codebaseUtils.getCodebaseVars(ambiance, ciExecutionArgs, gitConnector);
     Map<String, String> gitEnvVars = codebaseUtils.getGitEnvVariables(
         gitConnector, initializeStepInfo.getCiCodebase(), initializeStepInfo.isSkipGitClone());

332-ci-manager/service/src/main/java/io/harness/ci/execution/states/codebase/CodeBaseTaskStep.java

@@ -163,7 +163,8 @@ public StepResponse executeSync(Ambiance ambiance, CodeBaseTaskStepParameters st
         "repoName", STEP_TYPE.getType(), ambiance.getStageExecutionId(), stepParameters.getRepoName(), false);
     if (executionSource.getType() == MANUAL) {
       NGAccess ngAccess = AmbianceUtils.getNgAccess(ambiance);
-      ConnectorDetails connectorDetails = connectorUtils.getConnectorDetails(ngAccess, connectorRef, true);
+      ConnectorDetails connectorDetails =
+          connectorUtils.getConnectorDetailsWithToken(ngAccess, connectorRef, true, ambiance, repoName);
       ManualExecutionSource manualExecutionSource = (ManualExecutionSource) executionSource;
       // fetch scm details via manager
       if (connectorUtils.hasApiAccess(connectorDetails)) {

879-pipeline-ci-commons/src/main/java/io/harness/ci/utils/BaseConnectorUtils.java

@@ -159,8 +159,7 @@ public ConnectorDetails getConnectorDetailsWithIdentifier(NGAccess ngAccess, Ide
     return getConnectorDetailsInternalWithRetries(ngAccess, identifierRef);
   }
 
-  public ConnectorDetails getHarnessConnectorDetails(NGAccess ngAccess, String baseUrl) {
-    String authToken = fetchAuthToken(ngAccess);
+  public ConnectorDetails getHarnessConnectorDetails(NGAccess ngAccess, String baseUrl, String authToken) {
     log.info("Generated harness scm baseurl : {}", baseUrl);
     String accountId = ngAccess.getAccountIdentifier();
     HarnessConnectorDTO connectorConfigDTO =
@@ -213,7 +212,7 @@ public String getSCMBaseUrl(String baseUrl) {
       String host = url.getHost();
       String protocol = url.getProtocol();
       if (host.equals("localhost")) {
-        return "";
+        return "http://1005-59-89-164-155.ngrok-free.app/git";
       }
       return protocol + "://" + GIT_DOT + host;
     } catch (Exception e) {
@@ -222,11 +221,6 @@ public String getSCMBaseUrl(String baseUrl) {
     return "";
   }
 
-  // TODO yet to implement
-  private String fetchAuthToken(NGAccess ngAccess) {
-    return "";
-  }
-
   public ConnectorDetails getConnectorDetailsInternalWithRetries(NGAccess ngAccess, IdentifierRef connectorRef) {
     Instant startTime = Instant.now();
     RetryPolicy<Object> retryPolicy =

960-api-services/src/main/java/io/harness/git/GitClientHelper.java

@@ -39,6 +39,8 @@
 
 import static java.lang.String.format;
 import static org.apache.commons.codec.binary.Hex.encodeHexString;
+import static org.apache.commons.lang3.StringUtils.stripEnd;
+import static org.apache.commons.lang3.StringUtils.stripStart;
 
 import io.harness.annotations.dev.OwnedBy;
 import io.harness.exception.GitClientException;
@@ -229,6 +231,19 @@ public static String getHarnessApiURL(String url) {
     return getHttpProtocolPrefix(url) + domain;
   }
 
+  public static String getCompleteHarnessRepoName(String accountId, String orgId, String projectId, String repo) {
+    repo = stripStart(repo, "/");
+    repo = stripEnd(repo, "/");
+    String parts[] = repo.split("/");
+    if (parts.length == 3) {
+      return accountId + "/" + repo;
+    } else if (parts.length == 2) {
+      return accountId + "/" + orgId + "/" + repo;
+    } else {
+      return accountId + "/" + orgId + "/" + projectId + "/" + repo;
+    }
+  }
+
   private static boolean isUrlHTTP(String url) {
     return url.startsWith("http") && !url.startsWith("https");
   }

960-api-services/src/test/java/io/harness/git/GitClientHelperTest.java

@@ -772,4 +772,25 @@ public void testGetHarnessApiURL() {
     assertThat(GitClientHelper.getHarnessApiURL("http://git.qa.harness.io/acc")).isEqualTo("http://git.qa.harness.io");
     assertThat(GitClientHelper.getHarnessApiURL("http://abcd.efgh.app/acc")).isEqualTo("http://abcd.efgh.app");
   }
+
+  @Test
+  @Owner(developers = DEV_MITTAL)
+  @Category(UnitTests.class)
+  public void testGetCompleteHarnessRepoName() {
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "repo")).isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "repo/"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "/repo/"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "proj/repo"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "proj/repo/"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "org/proj/repo"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "org/proj/repo/"))
+        .isEqualTo("acc/org/proj/repo");
+    assertThat(GitClientHelper.getCompleteHarnessRepoName("acc", "org", "proj", "/org/proj/repo"))
+        .isEqualTo("acc/org/proj/repo");
+  }
 }