fixed usgov scope thing, also changed a few things.

Anshul Verma 2024-05-22 21:07:15 +05:30
Родитель 49f572ae6e
Коммит ca06e6de0f
9 изменённых файлов: 16 добавлений и 14 удалений


@ -5,6 +5,7 @@ package main
import (
"context"
"fmt"
"os"
"os/signal"
"syscall"
@ -54,7 +55,8 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
}
dbAccountName := os.Getenv(envDatabaseAccountName)
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, []string{})
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
}
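Review bot: The scope string `fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)` is built inline here and repeated verbatim in the monitor, portal and rp hunks of this commit, and each of those files gains a `fmt` import only for it. Its correctness also depends on `CosmosDBDNSSuffix` already carrying the `/.default` suffix (set in the env hunk), which nothing on this line shows a reader. Moving the format into one helper, for example a constructed `database.CosmosDBScope(dbAccountName, suffix string) string` with a comment stating that `suffix` must include `/.default`, keeps the four call sites consistent and makes that dependency explicit. The enclosing `gateway` function starts outside the hunk.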


@ -5,6 +5,7 @@ package main
import (
"context"
"fmt"
"os"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
@ -93,7 +94,8 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}
logrusEntry := log.WithField("component", "database")
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, []string{})
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
}


@ -6,6 +6,7 @@ package main
import (
"context"
"crypto/x509"
"fmt"
"net"
"os"
"strings"
@ -103,7 +104,8 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}
logrusEntry := log.WithField("component", "database")
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, []string{})
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
}


@ -114,7 +114,8 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}
logrusEntry := log.WithField("component", "database")
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, []string{})
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
}


@ -6,7 +6,6 @@ package database
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"reflect"
"time"
@ -75,7 +74,6 @@ func NewMasterKeyAuthorizer(ctx context.Context, log *logrus.Entry, token azcore
}
func NewTokenAuthorizer(ctx context.Context, log *logrus.Entry, cred azcore.TokenCredential, databaseAccountName string, scopes []string) (cosmosdb.Authorizer, error) {
scopes = append(scopes, fmt.Sprintf("https://%s.documents.azure.com/.default", databaseAccountName))
acquireToken := func() (token string, newExpiration time.Time, err error) {
tk, err := cred.GetToken(ctx, azcorepolicy.TokenRequestOptions{Scopes: scopes})
if err != nil {
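Review bot: With the `append` of the default scope removed, `NewTokenAuthorizer` now forwards `scopes` to `cred.GetToken` unchanged, so an empty slice — what every caller passed before this commit — yields a token request with no scopes, which the credential will presumably reject only at the first token fetch rather than at construction. A guard before `acquireToken`, `if len(scopes) == 0 { return nil, errors.New("database: at least one token scope is required") }`, fails fast (add the `errors` import if the file does not already have it, since `fmt` is dropped here). The exported function also has no doc comment; add `// NewTokenAuthorizer returns a cosmosdb.Authorizer that obtains bearer tokens from cred for scopes, which must be complete scope strings including the "/.default" suffix.` The body of NewTokenAuthorizer continues past the hunk.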


@ -26,8 +26,6 @@ const (
OpenshiftClustersPrefixQuery = `SELECT * FROM OpenShiftClusters doc WHERE STARTSWITH(doc.key, @prefix)`
OpenshiftClustersClientIdQuery = `SELECT * FROM OpenShiftClusters doc WHERE doc.clientIdKey = @clientID`
OpenshiftClustersResourceGroupQuery = `SELECT * FROM OpenShiftClusters doc WHERE doc.clusterResourceGroupIdKey = @resourceGroupID`
openShiftClusterContainerName = "OpenShiftClusters"
)
type OpenShiftClusterDocumentMutator func(*api.OpenShiftClusterDocument) error
@ -90,7 +88,7 @@ func NewOpenShiftClusters(ctx context.Context, dbc cosmosdb.DatabaseClient, dbNa
ctx, cancel := context.WithTimeout(ctx, time.Minute*5)
defer cancel()
poller, err := sqlResourceClient.BeginCreateUpdateSQLTrigger(ctx, resourceGroup, dbAccountName, dbName, openShiftClusterContainerName, *triggerResource.ID, createUpdateSQLTriggerParameters, nil)
poller, err := sqlResourceClient.BeginCreateUpdateSQLTrigger(ctx, resourceGroup, dbAccountName, dbName, collOpenShiftClusters, *triggerResource.ID, createUpdateSQLTriggerParameters, nil)
if err != nil {
return nil, err
}


@ -20,7 +20,6 @@ import (
const (
SubscriptionsDequeueQuery string = `SELECT * FROM Subscriptions doc WHERE (doc.deleting ?? false) AND (doc.leaseExpires ?? 0) < GetCurrentTimestamp() / 1000`
subscriptionContainerName string = "Subscriptions"
)
type subscriptions struct {
@ -81,7 +80,7 @@ func NewSubscriptions(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName s
ctx, cancel := context.WithTimeout(ctx, time.Minute*5)
defer cancel()
poller, err := sqlResourceClient.BeginCreateUpdateSQLTrigger(ctx, resourceGroup, dbAccountName, dbName, subscriptionContainerName, *triggerResource.ID, createUpdateSQLTriggerParameters, nil)
poller, err := sqlResourceClient.BeginCreateUpdateSQLTrigger(ctx, resourceGroup, dbAccountName, dbName, collSubscriptions, *triggerResource.ID, createUpdateSQLTriggerParameters, nil)
if err != nil {
return nil, err
}


@ -157,9 +157,6 @@ func DevConfig(_env env.Core) (*Config, error) {
"qos.ppe.warm.ingest.monitor.core.windows.net",
"test1.diagnostics.monitoring.core.windows.net",
},
// GatewayFeatures: []string{
// "InsecureSkipVerifyDBTokenCertificate",
// },
GatewayMDSDConfigVersion: to.StringPtr(version.DevGatewayGenevaLoggingConfigVersion),
GatewayVMSSCapacity: to.IntPtr(1),
GlobalResourceGroupLocation: to.StringPtr(_env.Location()),


@ -34,6 +34,7 @@ type AROEnvironment struct {
ResourceManagerScope string
KeyVaultScope string
MicrosoftGraphScope string
CosmosDBDNSSuffix string
}
// AzureRbacPDPEnvironment contains cloud specific instance of Authz RBAC PDP Remote Server
@ -62,6 +63,7 @@ var (
ResourceManagerScope: azure.PublicCloud.ResourceManagerEndpoint + "/.default",
KeyVaultScope: azure.PublicCloud.ResourceIdentifiers.KeyVault + "/.default",
MicrosoftGraphScope: azure.PublicCloud.MicrosoftGraphEndpoint + "/.default",
CosmosDBDNSSuffix: azure.PublicCloud.CosmosDBDNSSuffix + "/.default",
}
// USGovernmentCloud contains additional ARO information for the US Gov cloud environment.
@ -84,6 +86,7 @@ var (
ResourceManagerScope: azure.USGovernmentCloud.ResourceManagerEndpoint + "/.default",
KeyVaultScope: azure.USGovernmentCloud.ResourceIdentifiers.KeyVault + "/.default",
MicrosoftGraphScope: azure.USGovernmentCloud.MicrosoftGraphEndpoint + "/.default",
CosmosDBDNSSuffix: azure.USGovernmentCloud.CosmosDBDNSSuffix + "/.default",
}
)
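Review bot: `CosmosDBDNSSuffix` is populated with `azure.PublicCloud.CosmosDBDNSSuffix + "/.default"` (and the USGovernmentCloud equivalent in the next hunk), so the field holds a token-scope fragment rather than a DNS suffix; anyone using it to build an endpoint host will get `/.default` appended. Either rename it to match its siblings, e.g. `CosmosDBScope string`, or store the bare suffix here and append `/.default` where the scope is assembled in the gateway, monitor, portal and rp call sites. Whichever is chosen, a doc comment on the field in the `AROEnvironment` struct stating that callers prefix it with `https://<account>.` to form the full scope would remove the ambiguity.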