towk/magellan
1
0
Fork 0
mirror of https://github.com/davidallendj/magellan.git synced 2025-12-20 03:27:03 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #87 from OpenCHAMI/default-secrets

Browse source 
Add "default" secret lookup in `LocalStore` for `crawl` and `collect` commands
This commit is contained in:
David Allen 2025-04-21 16:07:43 -06:00 committed by GitHub
commit fcfe76295e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 407 additions and 190 deletions
Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -254,11 +254,17 @@ magellan collect \
--password $default_bmc_password
```
If you pass agruments with the `--username/--password` flags, they will be used as a fallback if no credentials are found in the store. However, the secret store credentials are always used first if they exists.
If you pass arguments with the `--username/--password` flags, the arguments will override all credentials set in the secret store for each flag. However, it is possible only override a single flag (e.g. `magellan collect --username`).
> [!NOTE]
> Make sure that the `secretID` is EXACTLY as show with `magellan list`. Otherwise, `magellan` will not be able to do the lookup from the secret store correctly.
> [!TIP]
> You can set default fallback credentials by storing a secret with the `secretID` of "default". This is used if no `secretID` is found in the local store for the specified host. This is useful when you want to set a username and password that is the same for all BMCs with the exception of the ones specified.
> ```bash
> magellan secrets default $username:$password
> ```
### Starting the Emulator
This repository includes a quick and dirty way to test `magellan` using a Redfish emulator with little to no effort to get running.

115
cmd/collect.go
View file

@ -1,6 +1,7 @@
package cmd
import (
"encoding/json"
"fmt"
"os/user"
@ -8,6 +9,7 @@ import (
urlx "github.com/OpenCHAMI/magellan/internal/url"
magellan "github.com/OpenCHAMI/magellan/pkg"
"github.com/OpenCHAMI/magellan/pkg/auth"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/secrets"
"github.com/cznic/mathutil"
"github.com/rs/zerolog/log"
@ -19,17 +21,19 @@ import (
// This command should be ran after the `scan` to find available hosts
// on a subnet.
var CollectCmd = &cobra.Command{
Use: "collect",
Use: "collect",
Example: ` // basic collect after scan without making a follow-up request
magellan collect --cache ./assets.db --cacert ochami.pem -o ./logs -t 30
// set username and password for all nodes and make request to specified host
magellan collect --host https://smd.openchami.cluster -u $bmc_username -p $bmc_password
// run a collect using secrets manager with fallback username and password
export MASTER_KEY=$(magellan secrets generatekey)
magellan secrets store $node_creds_json -f nodes.json
magellan collect --host https://smd.openchami.cluster -u $fallback_bmc_username -p $fallback_bmc_password`,
Short: "Collect system information by interrogating BMC node",
Long: "Send request(s) to a collection of hosts running Redfish services found stored from the 'scan' in cache.\n" +
"See the 'scan' command on how to perform a scan.\n\n" +
"Examples:\n" +
" magellan collect --cache ./assets.db --output ./logs --timeout 30 --cacert cecert.pem\n" +
" magellan collect --host smd.example.com --port 27779 --username $username --password $password\n\n" +
// example using `collect`
" export MASTER_KEY=$(magellan secrets generatekey)\n" +
" magellan secrets store $node_creds_json -f nodes.json" +
" magellan collect --host openchami.cluster --username $username --password $password \\\n",
Long: "Send request(s) to a collection of hosts running Redfish services found stored from the 'scan' in cache.\nSee the 'scan' command on how to perform a scan.",
Run: func(cmd *cobra.Command, args []string) {
// get probe states stored in db from scan
scannedResults, err := sqlite.GetScannedAssets(cachePath)
@ -57,6 +61,59 @@ var CollectCmd = &cobra.Command{
concurrency = mathutil.Clamp(len(scannedResults), 1, 10000)
}
// use secret store for BMC credentials, and/or credential CLI flags
var store secrets.SecretStore
if username != "" && password != "" {
// First, try and load credentials from --username and --password if both are set.
log.Debug().Msgf("--username and --password specified, using them for BMC credentials")
store = secrets.NewStaticStore(username, password)
} else {
// Alternatively, locate specific credentials (falling back to default) and override those
// with --username or --password if either are passed.
log.Debug().Msgf("one or both of --username and --password NOT passed, attempting to obtain missing credentials from secret store at %s", secretsFile)
if store, err = secrets.OpenStore(secretsFile); err != nil {
log.Error().Err(err).Msg("failed to open local secrets store")
}
// Temporarily override username/password of each BMC if one of those
// flags is passed. The expectation is that if the flag is specified
// on the command line, it should be used.
if username != "" {
log.Info().Msg("--username passed, temporarily overriding all usernames from secret store with value")
}
if password != "" {
log.Info().Msg("--password passed, temporarily overriding all passwords from secret store with value")
}
switch s := store.(type) {
case *secrets.StaticStore:
if username != "" {
s.Username = username
}
if password != "" {
s.Password = password
}
case *secrets.LocalSecretStore:
for k, _ := range s.Secrets {
if creds, err := bmc.GetBMCCredentials(store, k); err != nil {
log.Error().Str("id", k).Err(err).Msg("failed to override BMC credentials")
} else {
if username != "" {
creds.Username = username
}
if password != "" {
creds.Password = password
}
if newCreds, err := json.Marshal(creds); err != nil {
log.Error().Str("id", k).Err(err).Msg("failed to override BMC credentials: marshal error")
} else {
s.StoreSecretByID(k, string(newCreds))
}
}
}
}
}
// set the collect parameters from CLI params
params := &magellan.CollectParams{
URI: host,
@ -67,9 +124,7 @@ var CollectCmd = &cobra.Command{
OutputPath: outputPath,
ForceUpdate: forceUpdate,
AccessToken: accessToken,
SecretsFile: secretsFile,
Username: username,
Password: password,
SecretStore: store,
}
// show all of the 'collect' parameters being set from CLI if verbose
@ -77,16 +132,7 @@ var CollectCmd = &cobra.Command{
log.Debug().Any("params", params)
}
// load the secrets file to get node credentials by ID (i.e. the BMC node's URI)
store, err := secrets.OpenStore(params.SecretsFile)
if err != nil {
// Something went wrong with the store so try using
// Create a StaticSecretStore to hold the username and password
log.Warn().Err(err).Msg("failed to open local store")
store = secrets.NewStaticStore(username, password)
}
_, err = magellan.CollectInventory(&scannedResults, params, store)
_, err = magellan.CollectInventory(&scannedResults, params)
if err != nil {
log.Error().Err(err).Msg("failed to collect data")
}
@ -95,23 +141,18 @@ var CollectCmd = &cobra.Command{
func init() {
currentUser, _ = user.Current()
CollectCmd.PersistentFlags().StringVar(&host, "host", "", "Set the URI to the SMD root endpoint")
CollectCmd.PersistentFlags().StringVarP(&username, "username", "u", "", "Set the master BMC username")
CollectCmd.PersistentFlags().StringVarP(&password, "password", "p", "", "Set the master BMC password")
CollectCmd.PersistentFlags().StringVar(&secretsFile, "secrets-file", "", "Set path to the node secrets file")
CollectCmd.PersistentFlags().StringVar(&scheme, "scheme", "https", "Set the default scheme used to query when not included in URI")
CollectCmd.PersistentFlags().StringVar(&protocol, "protocol", "tcp", "Set the protocol used to query")
CollectCmd.PersistentFlags().StringVarP(&outputPath, "output", "o", fmt.Sprintf("/tmp/%smagellan/inventory/", currentUser.Username+"/"), "Set the path to store collection data")
CollectCmd.PersistentFlags().BoolVar(&forceUpdate, "force-update", false, "Set flag to force update data sent to SMD")
CollectCmd.PersistentFlags().StringVar(&cacertPath, "cacert", "", "Set the path to CA cert file. (defaults to system CAs when blank)")
// set flags to only be used together
CollectCmd.MarkFlagsRequiredTogether("username", "password")
CollectCmd.Flags().StringVar(&host, "host", "", "Set the URI to the SMD root endpoint")
CollectCmd.Flags().StringVarP(&username, "username", "u", "", "Set the master BMC username")
CollectCmd.Flags().StringVarP(&password, "password", "p", "", "Set the master BMC password")
CollectCmd.Flags().StringVar(&secretsFile, "secrets-file", "", "Set path to the node secrets file")
CollectCmd.Flags().StringVar(&scheme, "scheme", "https", "Set the default scheme used to query when not included in URI")
CollectCmd.Flags().StringVar(&protocol, "protocol", "tcp", "Set the protocol used to query")
CollectCmd.Flags().StringVarP(&outputPath, "output", "o", fmt.Sprintf("/tmp/%smagellan/inventory/", currentUser.Username+"/"), "Set the path to store collection data")
CollectCmd.Flags().BoolVar(&forceUpdate, "force-update", false, "Set flag to force update data sent to SMD")
CollectCmd.Flags().StringVar(&cacertPath, "cacert", "", "Set the path to CA cert file. (defaults to system CAs when blank)")
// bind flags to config properties
checkBindFlagError(viper.BindPFlag("collect.host", CollectCmd.Flags().Lookup("host")))
checkBindFlagError(viper.BindPFlag("collect.username", CollectCmd.Flags().Lookup("username")))
checkBindFlagError(viper.BindPFlag("collect.password", CollectCmd.Flags().Lookup("password")))
checkBindFlagError(viper.BindPFlag("collect.scheme", CollectCmd.Flags().Lookup("scheme")))
checkBindFlagError(viper.BindPFlag("collect.protocol", CollectCmd.Flags().Lookup("protocol")))
checkBindFlagError(viper.BindPFlag("collect.output", CollectCmd.Flags().Lookup("output")))

55
cmd/crawl.go
View file

@ -7,6 +7,7 @@ import (
"github.com/rs/zerolog/log"
urlx "github.com/OpenCHAMI/magellan/internal/url"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/crawler"
"github.com/OpenCHAMI/magellan/pkg/secrets"
"github.com/spf13/cobra"
@ -17,13 +18,11 @@ import (
// specfic inventory detail. This command only expects host names and does
// not require a scan to be performed beforehand.
var CrawlCmd = &cobra.Command{
Use: "crawl [uri]",
Use: "crawl [uri]",
Example: ` magellan crawl https://bmc.example.com
magellan crawl https://bmc.example.com -i -u username -p password`,
Short: "Crawl a single BMC for inventory information",
Long: "Crawl a single BMC for inventory information with URI. This command does NOT scan subnets nor store scan information\n" +
"in cache after completion. To do so, use the 'collect' command instead\n\n" +
"Examples:\n" +
" magellan crawl https://bmc.example.com\n" +
" magellan crawl https://bmc.example.com -i -u username -p password",
Long: "Crawl a single BMC for inventory information with URI.\n\n NOTE: This command does not scan subnets, store scan information in cache, nor make a request to a specified host. It is used only to retrieve inventory data directly. Otherwise, use 'scan' and 'collect' instead.",
Args: func(cmd *cobra.Command, args []string) error {
// Validate that the only argument is a valid URI
var err error
@ -42,24 +41,46 @@ var CrawlCmd = &cobra.Command{
store secrets.SecretStore
err error
)
// try and load credentials from local store first
store, err = secrets.OpenStore(secretsFile)
if err != nil {
log.Warn().Err(err).Msg("failed to open local store...falling back to default provided arguments")
// try and use the `username` and `password` arguments instead
store = secrets.NewStaticStore(username, password)
}
// found the store so try to load the creds
_, err = store.GetSecretByID(uri)
if err != nil {
if username != "" && password != "" {
// First, try and load credentials from --username and --password if both are set.
log.Debug().Str("id", uri).Msgf("--username and --password specified, using them for BMC credentials")
store = secrets.NewStaticStore(username, password)
} else {
// Alternatively, locate specific credentials (falling back to default) and override those
// with --username or --password if either are passed.
log.Debug().Str("id", uri).Msgf("one or both of --username and --password NOT passed, attempting to obtain missing credentials from secret store at %s", secretsFile)
if store, err = secrets.OpenStore(secretsFile); err != nil {
log.Error().Str("id", uri).Err(err).Msg("failed to open local secrets store")
}
// Either none of the flags were passed or only one of them were; get
// credentials from secrets store to fill in the gaps.
bmcCreds, _ := bmc.GetBMCCredentials(store, uri)
nodeCreds := secrets.StaticStore{
Username: bmcCreds.Username,
Password: bmcCreds.Password,
}
// If either of the flags were passed, override the fetched
// credentials with them.
if username != "" {
log.Info().Str("id", uri).Msg("--username was set, overriding username for this BMC")
nodeCreds.Username = username
}
if password != "" {
log.Info().Str("id", uri).Msg("--password was set, overriding password for this BMC")
nodeCreds.Password = password
}
store = &nodeCreds
}
systems, err := crawler.CrawlBMCForSystems(crawler.CrawlerConfig{
URI: uri,
CredentialStore: store,
Insecure: insecure,
UseDefault: true,
})
if err != nil {
log.Error().Err(err).Msg("failed to crawl BMC")
@ -82,8 +103,6 @@ func init() {
CrawlCmd.Flags().BoolVarP(&insecure, "insecure", "i", false, "Ignore SSL errors")
CrawlCmd.Flags().StringVarP(&secretsFile, "file", "f", "nodes.json", "set the secrets file with BMC credentials")
checkBindFlagError(viper.BindPFlag("crawl.username", CrawlCmd.Flags().Lookup("username")))
checkBindFlagError(viper.BindPFlag("crawl.password", CrawlCmd.Flags().Lookup("password")))
checkBindFlagError(viper.BindPFlag("crawl.insecure", CrawlCmd.Flags().Lookup("insecure")))
rootCmd.AddCommand(CrawlCmd)

11
cmd/list.go
View file

@ -20,14 +20,15 @@ var (
// and stored in a cache database from a scan. The data that's stored
// is what is consumed by the `collect` command with the --cache flag.
var ListCmd = &cobra.Command{
Use: "list",
Use: "list",
Example: ` magellan list
magellan list --cache ./assets.db
magellan list --cache-info
`,
Args: cobra.ExactArgs(0),
Short: "List information stored in cache from a scan",
Long: "Prints all of the host and associated data found from performing a scan.\n" +
"See the 'scan' command on how to perform a scan.\n\n" +
"Examples:\n" +
" magellan list\n" +
" magellan list --cache ./assets.db",
"See the 'scan' command on how to perform a scan.",
Run: func(cmd *cobra.Command, args []string) {
// check if we just want to show cache-related info and exit
if showCache {

8
cmd/root.go
View file

@ -52,7 +52,7 @@ var (
var rootCmd = &cobra.Command{
Use: "magellan",
Short: "Redfish-based BMC discovery tool",
Long: "",
Long: "Redfish-based BMC discovery tool with dynamic discovery features.",
Run: func(cmd *cobra.Command, args []string) {
if len(args) == 0 {
err := cmd.Help()
@ -75,8 +75,8 @@ func Execute() {
func init() {
currentUser, _ = user.Current()
cobra.OnInitialize(InitializeConfig)
rootCmd.PersistentFlags().IntVar(&concurrency, "concurrency", -1, "Set the number of concurrent processes")
rootCmd.PersistentFlags().IntVar(&timeout, "timeout", 5, "Set the timeout for requests")
rootCmd.PersistentFlags().IntVarP(&concurrency, "concurrency", "j", -1, "Set the number of concurrent processes")
rootCmd.PersistentFlags().IntVarP(&timeout, "timeout", "t", 5, "Set the timeout for requests")
rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "Set the config file path")
rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Set to enable/disable verbose output")
rootCmd.PersistentFlags().BoolVarP(&debug, "debug", "d", false, "Set to enable/disable debug messages")
@ -94,7 +94,7 @@ func init() {
func checkBindFlagError(err error) {
if err != nil {
log.Error().Err(err).Msg("failed to bind flag")
log.Error().Err(err).Msg("failed to bind cobra/viper flag")
}
}

40
cmd/scan.go
View file

@ -33,7 +33,28 @@ var (
// See the `ScanForAssets()` function in 'internal/scan.go' for details
// related to the implementation.
var ScanCmd = &cobra.Command{
Use: "scan urls...",
Use: "scan urls...",
Example: `
// assumes host https://10.0.0.101:443
magellan scan 10.0.0.101
// assumes subnet using HTTPS and port 443 except for specified host
magellan scan http://10.0.0.101:80 https://user:password@10.0.0.102:443 http://172.16.0.105:8080 --subnet 172.16.0.0/24
// assumes hosts http://10.0.0.101:8080 and http://10.0.0.102:8080
magellan scan 10.0.0.101 10.0.0.102 https://172.16.0.10:443 --port 8080 --protocol tcp
// assumes subnet using default unspecified subnet-masks
magellan scan --subnet 10.0.0.0
// assumes subnet using HTTPS and port 443 with specified CIDR
magellan scan --subnet 10.0.0.0/16
// assumes subnet using HTTP and port 5000 similar to 192.168.0.0/16
magellan scan --subnet 192.168.0.0 --protocol tcp --scheme https --port 5000 --subnet-mask 255.255.0.0
// assumes subnet without CIDR has a subnet-mask of 255.255.0.0
magellan scan --subnet 10.0.0.0/24 --subnet 172.16.0.0 --subnet-mask 255.255.0.0 --cache ./assets.db`,
Short: "Scan to discover BMC nodes on a network",
Long: "Perform a net scan by attempting to connect to each host and port specified and getting a response.\n" +
"Each host is passed *with a full URL* including the protocol and port. Additional subnets can be added\n" +
@ -46,22 +67,7 @@ var ScanCmd = &cobra.Command{
"'--protocol' flag.\n\n" +
"If the '--disable-probe` flag is used, the tool will not send another request to probe for available.\n" +
"Redfish services. This is not recommended, since the extra request makes the scan a bit more reliable\n" +
"for determining which hosts to collect inventory data.\n\n" +
"Examples:\n" +
// assumes host https://10.0.0.101:443
" magellan scan 10.0.0.101\n" +
// assumes subnet using HTTPS and port 443 except for specified host
" magellan scan http://10.0.0.101:80 https://user:password@10.0.0.102:443 http://172.16.0.105:8080 --subnet 172.16.0.0/24\n" +
// assumes hosts http://10.0.0.101:8080 and http://10.0.0.102:8080
" magellan scan 10.0.0.101 10.0.0.102 https://172.16.0.10:443 --port 8080 --protocol tcp\n" +
// assumes subnet using default unspecified subnet-masks
" magellan scan --subnet 10.0.0.0\n" +
// assumes subnet using HTTPS and port 443 with specified CIDR
" magellan scan --subnet 10.0.0.0/16\n" +
// assumes subnet using HTTP and port 5000 similar to 192.168.0.0/16
" magellan scan --subnet 192.168.0.0 --protocol tcp --scheme https --port 5000 --subnet-mask 255.255.0.0\n" +
// assumes subnet without CIDR has a subnet-mask of 255.255.0.0
" magellan scan --subnet 10.0.0.0/24 --subnet 172.16.0.0 --subnet-mask 255.255.0.0 --cache ./assets.db\n",
"for determining which hosts to collect inventory data.\n\n",
Run: func(cmd *cobra.Command, args []string) {
// add default ports for hosts if none are specified with flag
if len(ports) == 0 {

28
cmd/secrets.go
View file

@ -20,17 +20,21 @@ var (
)
var secretsCmd = &cobra.Command{
Use: "secrets",
Use: "secrets",
Example: `
// generate new key and set environment variable
export MASTER_KEY=$(magellan secrets generatekey)
// store specific BMC node creds for collect and crawl in default secrets store (--file/-f flag not set)
magellan secrets store $bmc_host $bmc_creds
// retrieve creds from secrets store
magellan secrets retrieve $bmc_host -f nodes.json
// list creds from specific secrets
magellan secrets list -f nodes.json`,
Short: "Manage credentials for BMC nodes",
Long: "Manage credentials for BMC nodes to for querying information through redfish. This requires generating a key and setting the 'MASTER_KEY' environment variable for the secrets store.\n" +
"Examples:\n\n" +
" export MASTER_KEY=$(magellan secrets generatekey)\n" +
// store specific BMC node creds for `collect` and `crawl` in default secrets store (`--file/-f`` flag not set)
" magellan secrets store $bmc_host $bmc_creds" +
// retrieve creds from secrets store
" magellan secrets retrieve $bmc_host -f nodes.json" +
// list creds from specific secrets
" magellan secrets list -f nodes.json",
Long: "Manage credentials for BMC nodes to for querying information through redfish. This requires generating a key and setting the 'MASTER_KEY' environment variable for the secrets store.",
Run: func(cmd *cobra.Command, args []string) {
// show command help and exit
if len(args) < 1 {
@ -219,8 +223,8 @@ var secretsListCmd = &cobra.Command{
os.Exit(1)
}
for key := range secrets {
fmt.Printf("%s\n", key)
for key, value := range secrets {
fmt.Printf("%s: %s\n", key, value)
}
},
}

96
cmd/update.go
View file

@ -5,6 +5,8 @@ import (
"strings"
magellan "github.com/OpenCHAMI/magellan/pkg"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/secrets"
"github.com/rs/zerolog/log"
"github.com/spf13/cobra"
"github.com/spf13/viper"
@ -12,7 +14,7 @@ import (
var (
host string
firmwareUrl string
firmwareUri string
firmwareVersion string
component string
transferProtocol string
@ -24,12 +26,16 @@ var (
// using Redfish. It also provides a simple way to check the status of
// an update in-progress.
var updateCmd = &cobra.Command{
Use: "update hosts...",
Use: "update hosts...",
Example: ` // perform an firmware update
magellan update 172.16.0.108:443 -i -u $bmc_username -p $bmc_password \
--firmware-url http://172.16.0.200:8005/firmware/bios/image.RBU \
--component BIOS
// check update status
magellan update 172.16.0.108:443 -i -u $bmc_username -p $bmc_password --status`,
Short: "Update BMC node firmware",
Long: "Perform an firmware update using Redfish by providing a remote firmware URL and component.\n\n" +
"Examples:\n" +
" magellan update 172.16.0.108:443 --insecure --username bmc_username --password bmc_password --firmware-url http://172.16.0.200:8005/firmware/bios/image.RBU --component BIOS\n" +
" magellan update 172.16.0.108:443 --insecure --status --username bmc_username --password bmc_password",
Long: "Perform an firmware update using Redfish by providing a remote firmware URL and component.",
Run: func(cmd *cobra.Command, args []string) {
// check that we have at least one host
if len(args) <= 0 {
@ -37,20 +43,57 @@ var updateCmd = &cobra.Command{
os.Exit(1)
}
// use secret store for BMC credentials, and/or credential CLI flags
var (
store secrets.SecretStore
uri = args[0]
err error
)
if username != "" && password != "" {
// First, try and load credentials from --username and --password if both are set.
log.Debug().Str("id", uri).Msgf("--username and --password specified, using them for BMC credentials")
store = secrets.NewStaticStore(username, password)
} else {
// Alternatively, locate specific credentials (falling back to default) and override those
// with --username or --password if either are passed.
log.Debug().Str("id", uri).Msgf("one or both of --username and --password NOT passed, attempting to obtain missing credentials from secret store at %s", secretsFile)
if store, err = secrets.OpenStore(secretsFile); err != nil {
log.Error().Str("id", uri).Err(err).Msg("failed to open local secrets store")
}
// Either none of the flags were passed or only one of them were; get
// credentials from secrets store to fill in the gaps.
bmcCreds, _ := bmc.GetBMCCredentials(store, uri)
nodeCreds := secrets.StaticStore{
Username: bmcCreds.Username,
Password: bmcCreds.Password,
}
// If either of the flags were passed, override the fetched
// credentials with them.
if username != "" {
log.Info().Str("id", uri).Msg("--username was set, overriding username for this BMC")
nodeCreds.Username = username
}
if password != "" {
log.Info().Str("id", uri).Msg("--password was set, overriding password for this BMC")
nodeCreds.Password = password
}
store = &nodeCreds
}
// get status if flag is set and exit
for _, arg := range args {
if showStatus {
err := magellan.GetUpdateStatus(&magellan.UpdateParams{
FirmwarePath: firmwareUrl,
FirmwareVersion: firmwareVersion,
Component: component,
FirmwareURI: firmwareUri,
TransferProtocol: transferProtocol,
Insecure: Insecure,
CollectParams: magellan.CollectParams{
URI: arg,
Username: username,
Password: password,
Timeout: timeout,
URI: arg,
SecretStore: store,
Timeout: timeout,
},
})
if err != nil {
@ -61,16 +104,13 @@ var updateCmd = &cobra.Command{
// initiate a remote update
err := magellan.UpdateFirmwareRemote(&magellan.UpdateParams{
FirmwarePath: firmwareUrl,
FirmwareVersion: firmwareVersion,
Component: component,
FirmwareURI: firmwareUri,
TransferProtocol: strings.ToUpper(transferProtocol),
Insecure: Insecure,
CollectParams: magellan.CollectParams{
URI: arg,
Username: username,
Password: password,
Timeout: timeout,
URI: arg,
SecretStore: store,
Timeout: timeout,
},
})
if err != nil {
@ -81,21 +121,15 @@ var updateCmd = &cobra.Command{
}
func init() {
updateCmd.Flags().StringVar(&username, "username", "", "Set the BMC user")
updateCmd.Flags().StringVar(&password, "password", "", "Set the BMC password")
updateCmd.Flags().StringVarP(&username, "username", "u", "", "Set the BMC user")
updateCmd.Flags().StringVarP(&password, "password", "p", "", "Set the BMC password")
updateCmd.Flags().StringVar(&transferProtocol, "scheme", "https", "Set the transfer protocol")
updateCmd.Flags().StringVar(&firmwareUrl, "firmware-url", "", "Set the path to the firmware")
updateCmd.Flags().StringVar(&firmwareVersion, "firmware-version", "", "Set the version of firmware to be installed")
updateCmd.Flags().StringVar(&component, "component", "", "Set the component to upgrade (BMC|BIOS)")
updateCmd.Flags().StringVar(&firmwareUri, "firmware-uri", "", "Set the URI to retrieve the firmware")
updateCmd.Flags().BoolVar(&showStatus, "status", false, "Get the status of the update")
updateCmd.Flags().BoolVar(&Insecure, "insecure", false, "Allow insecure connections to the server")
updateCmd.Flags().BoolVarP(&Insecure, "insecure", "i", false, "Allow insecure connections to the server")
checkBindFlagError(viper.BindPFlag("update.username", updateCmd.Flags().Lookup("username")))
checkBindFlagError(viper.BindPFlag("update.password", updateCmd.Flags().Lookup("password")))
checkBindFlagError(viper.BindPFlag("update.scheme", updateCmd.Flags().Lookup("scheme")))
checkBindFlagError(viper.BindPFlag("update.firmware-url", updateCmd.Flags().Lookup("firmware-url")))
checkBindFlagError(viper.BindPFlag("update.firmware-version", updateCmd.Flags().Lookup("firmware-version")))
checkBindFlagError(viper.BindPFlag("update.component", updateCmd.Flags().Lookup("component")))
checkBindFlagError(viper.BindPFlag("update.firmware-uri", updateCmd.Flags().Lookup("firmware-uri")))
checkBindFlagError(viper.BindPFlag("update.status", updateCmd.Flags().Lookup("status")))
checkBindFlagError(viper.BindPFlag("update.insecure", updateCmd.Flags().Lookup("insecure")))

47
internal/util/bmc.go Normal file
View file

@ -0,0 +1,47 @@
package util
import (
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/secrets"
"github.com/rs/zerolog/log"
)
func GetBMCCredentials(store secrets.SecretStore, id string) bmc.BMCCredentials {
var (
creds bmc.BMCCredentials
err error
)
if id == "" {
log.Error().Msg("failed to get BMC credentials: id was empty")
return creds
}
if id == secrets.DEFAULT_KEY {
log.Info().Msg("fetching default credentials")
if creds, err = bmc.GetBMCCredentialsDefault(store); err != nil {
log.Warn().Err(err).Msg("failed to get default credentials")
} else {
log.Info().Msg("default credentials found, using")
}
return creds
}
if creds, err = bmc.GetBMCCredentials(store, id); err != nil {
// Specific credentials for URI not found, fetch default.
log.Warn().Str("id", id).Msg("specific credentials not found, falling back to default")
if defaultSecret, err := bmc.GetBMCCredentialsDefault(store); err != nil {
// We've exhausted all options, the credentials will be blank unless
// overridden by a CLI flag.
log.Warn().Str("id", id).Err(err).Msg("no default credentials were set, they will be blank unless overridden by CLI flags")
} else {
// Default credentials found, use them.
log.Info().Str("id", id).Msg("default credentials found, using")
creds = defaultSecret
}
} else {
log.Info().Str("id", id).Msg("specific credentials found, using")
}
return creds
}

65
pkg/bmc/bmc.go Normal file
View file

@ -0,0 +1,65 @@
package bmc
import (
"encoding/json"
"fmt"
"github.com/OpenCHAMI/magellan/pkg/secrets"
)
type BMCCredentials struct {
Username string `json:"username"`
Password string `json:"password"`
}
func GetBMCCredentialsDefault(store secrets.SecretStore) (BMCCredentials, error) {
var creds BMCCredentials
if strCreds, err := store.GetSecretByID(secrets.DEFAULT_KEY); err != nil {
return creds, fmt.Errorf("get default BMC credentials from secret store: %w", err)
} else {
// Default URI credentials found, use them.
if err = json.Unmarshal([]byte(strCreds), &creds); err != nil {
return creds, fmt.Errorf("get default BMC credentials from secret store: failed to unmarshal: %w", err)
}
return creds, nil
}
}
func GetBMCCredentials(store secrets.SecretStore, id string) (BMCCredentials, error) {
var creds BMCCredentials
if strCreds, err := store.GetSecretByID(id); err != nil {
return creds, fmt.Errorf("get BMC credentials from secret store: %w", err)
} else {
// Specific URI credentials found, use them.
if err = json.Unmarshal([]byte(strCreds), &creds); err != nil {
return creds, fmt.Errorf("get BMC credentials from secret store: failed to unmarshal: %w", err)
}
}
return creds, nil
}
func GetBMCCredentialsOrDefault(store secrets.SecretStore, id string) BMCCredentials {
var (
creds BMCCredentials
err error
)
if id == "" {
return creds
}
if id == secrets.DEFAULT_KEY {
creds, _ = GetBMCCredentialsDefault(store)
return creds
}
if creds, err = GetBMCCredentials(store, id); err != nil {
if defaultSecret, err := GetBMCCredentialsDefault(store); err == nil {
// Default credentials found, use them.
creds = defaultSecret
}
}
return creds
}

65
pkg/collect.go
View file

@ -15,6 +15,7 @@ import (
"sync"
"time"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/client"
"github.com/OpenCHAMI/magellan/pkg/crawler"
"github.com/OpenCHAMI/magellan/pkg/secrets"
@ -31,17 +32,15 @@ import (
// CollectParams is a collection of common parameters passed to the CLI
// for the 'collect' subcommand.
type CollectParams struct {
URI string // set by the 'host' flag
Username string // set the BMC username with the 'username' flag
Password string // set the BMC password with the 'password' flag
Concurrency int // set the of concurrent jobs with the 'concurrency' flag
Timeout int // set the timeout with the 'timeout' flag
CaCertPath string // set the cert path with the 'cacert' flag
Verbose bool // set whether to include verbose output with 'verbose' flag
OutputPath string // set the path to save output with 'output' flag
ForceUpdate bool // set whether to force updating SMD with 'force-update' flag
AccessToken string // set the access token to include in request with 'access-token' flag
SecretsFile string // set the path to secrets file
URI string // set by the 'host' flag
Concurrency int // set the of concurrent jobs with the 'concurrency' flag
Timeout int // set the timeout with the 'timeout' flag
CaCertPath string // set the cert path with the 'cacert' flag
Verbose bool // set whether to include verbose output with 'verbose' flag
OutputPath string // set the path to save output with 'output' flag
ForceUpdate bool // set whether to force updating SMD with 'force-update' flag
AccessToken string // set the access token to include in request with 'access-token' flag
SecretStore secrets.SecretStore // set BMC credentials
}
// This is the main function used to collect information from the BMC nodes via Redfish.
@ -50,7 +49,7 @@ type CollectParams struct {
//
// Requests can be made to several of the nodes using a goroutine by setting the q.Concurrency
// property value between 1 and 10000.
func CollectInventory(assets *[]RemoteAsset, params *CollectParams, localStore secrets.SecretStore) ([]map[string]any, error) {
func CollectInventory(assets *[]RemoteAsset, params *CollectParams) ([]map[string]any, error) {
// check for available remote assets found from scan
if assets == nil {
return nil, fmt.Errorf("no assets found")
@ -120,40 +119,36 @@ func CollectInventory(assets *[]RemoteAsset, params *CollectParams, localStore s
// crawl BMC node to fetch inventory data via Redfish
var (
fallbackStore = secrets.NewStaticStore(params.Username, params.Password)
systems []crawler.InventoryDetail
managers []crawler.Manager
config = crawler.CrawlerConfig{
systems []crawler.InventoryDetail
managers []crawler.Manager
config = crawler.CrawlerConfig{
URI: uri,
CredentialStore: localStore,
CredentialStore: params.SecretStore,
Insecure: true,
UseDefault: true,
}
err error
)
// determine if local store exists and has credentials for
// the provided secretID...
// if it does not, use the fallback static store instead with
// the username and password provided as arguments
if localStore != nil {
_, err := localStore.GetSecretByID(uri)
if err != nil {
log.Warn().Err(err).Msgf("could not retrieve secrets for %s...falling back to default provided credentials for user '%s'", uri, params.Username)
config.CredentialStore = fallbackStore
}
} else {
log.Warn().Msgf("invalid store for %s...falling back to default provided credentials for user '%s'", uri, params.Username)
config.CredentialStore = fallbackStore
}
// crawl for node and BMC information
systems, err = crawler.CrawlBMCForSystems(config)
if err != nil {
log.Error().Err(err).Msg("failed to crawl BMC for systems")
log.Error().Err(err).Str("uri", uri).Msg("failed to crawl BMC for systems")
}
managers, err = crawler.CrawlBMCForManagers(config)
if err != nil {
log.Error().Err(err).Msg("failed to crawl BMC for managers")
log.Error().Err(err).Str("uri", uri).Msg("failed to crawl BMC for managers")
}
// we didn't find anything so do not proceed
if len(systems) == 0 && len(managers) == 0 {
continue
}
// get BMC username to send
bmcCreds := bmc.GetBMCCredentialsOrDefault(params.SecretStore, config.URI)
if bmcCreds == (bmc.BMCCredentials{}) {
log.Warn().Str("id", config.URI).Msg("username will be blank")
}
// data to be sent to smd
@ -162,7 +157,7 @@ func CollectInventory(assets *[]RemoteAsset, params *CollectParams, localStore s
"Type": "",
"Name": "",
"FQDN": sr.Host,
"User": params.Username,
"User": bmcCreds.Username,
"MACRequired": true,
"RediscoverOnUpdate": false,
"Systems": systems,

34
pkg/crawler/main.go
View file

@ -1,10 +1,11 @@
package crawler
import (
"encoding/json"
"fmt"
"strings"
"github.com/OpenCHAMI/magellan/internal/util"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/OpenCHAMI/magellan/pkg/secrets"
"github.com/rs/zerolog/log"
"github.com/stmcginnis/gofish"
@ -15,17 +16,13 @@ type CrawlerConfig struct {
URI string // URI of the BMC
Insecure bool // Whether to ignore SSL errors
CredentialStore secrets.SecretStore
UseDefault bool
}
func (cc *CrawlerConfig) GetUserPass() (BMCUsernamePassword, error) {
func (cc *CrawlerConfig) GetUserPass() (bmc.BMCCredentials, error) {
return loadBMCCreds(*cc)
}
type BMCUsernamePassword struct {
Username string `json:"username"`
Password string `json:"password"`
}
type EthernetInterface struct {
URI string `json:"uri,omitempty"` // URI of the interface
MAC string `json:"mac,omitempty"` // MAC address of the interface
@ -372,25 +369,14 @@ func walkManagers(rf_managers []*redfish.Manager, baseURI string) ([]Manager, er
return managers, nil
}
func loadBMCCreds(config CrawlerConfig) (BMCUsernamePassword, error) {
func loadBMCCreds(config CrawlerConfig) (bmc.BMCCredentials, error) {
// NOTE: it is possible for the SecretStore to be nil, so we need a check
if config.CredentialStore == nil {
return BMCUsernamePassword{}, fmt.Errorf("credential store is invalid")
return bmc.BMCCredentials{}, fmt.Errorf("credential store is invalid")
}
creds, err := config.CredentialStore.GetSecretByID(config.URI)
if err != nil {
event := log.Error()
event.Err(err)
event.Msg("failed to get credentials from secret store")
return BMCUsernamePassword{}, err
if creds := util.GetBMCCredentials(config.CredentialStore, config.URI); creds == (bmc.BMCCredentials{}) {
return creds, fmt.Errorf("%s: credentials blank for BNC", config.URI)
} else {
return creds, nil
}
var bmc_creds BMCUsernamePassword
err = json.Unmarshal([]byte(creds), &bmc_creds)
if err != nil {
event := log.Error()
event.Err(err)
event.Msg("failed to unmarshal credentials")
return BMCUsernamePassword{}, err
}
return bmc_creds, nil
}

2
pkg/secrets/main.go
View file

@ -1,5 +1,7 @@
package secrets
const DEFAULT_KEY = "default"
type SecretStore interface {
GetSecretByID(secretID string) (string, error)
StoreSecretByID(secretID, secret string) error

23
pkg/update.go
View file

@ -4,15 +4,14 @@ import (
"fmt"
"net/url"
"github.com/OpenCHAMI/magellan/pkg/bmc"
"github.com/stmcginnis/gofish"
"github.com/stmcginnis/gofish/redfish"
)
type UpdateParams struct {
CollectParams
FirmwarePath string
FirmwareVersion string
Component string
FirmwareURI string
TransferProtocol string
Insecure bool
}
@ -36,8 +35,14 @@ func UpdateFirmwareRemote(q *UpdateParams) error {
return fmt.Errorf("failed to parse URI: %w", err)
}
// Get BMC credentials from secret store in update parameters
bmcCreds, err := bmc.GetBMCCredentials(q.SecretStore, q.URI)
if err != nil {
return fmt.Errorf("failed to get BMC credentials: %w", err)
}
// Connect to the Redfish service using gofish
client, err := gofish.Connect(gofish.ClientConfig{Endpoint: uri.String(), Username: q.Username, Password: q.Password, Insecure: q.Insecure})
client, err := gofish.Connect(gofish.ClientConfig{Endpoint: uri.String(), Username: bmcCreds.Username, Password: bmcCreds.Password, Insecure: q.Insecure})
if err != nil {
return fmt.Errorf("failed to connect to Redfish service: %w", err)
}
@ -51,7 +56,7 @@ func UpdateFirmwareRemote(q *UpdateParams) error {
// Build the update request payload
req := redfish.SimpleUpdateParameters{
ImageURI: q.FirmwarePath,
ImageURI: q.FirmwareURI,
TransferProtocol: redfish.TransferProtocolType(q.TransferProtocol),
}
@ -72,8 +77,14 @@ func GetUpdateStatus(q *UpdateParams) error {
return fmt.Errorf("failed to parse URI: %w", err)
}
// Get BMC credentials from secret store in update parameters
bmcCreds, err := bmc.GetBMCCredentials(q.SecretStore, q.URI)
if err != nil {
return fmt.Errorf("failed to get BMC credentials: %w", err)
}
// Connect to the Redfish service using gofish
client, err := gofish.Connect(gofish.ClientConfig{Endpoint: uri.String(), Username: q.Username, Password: q.Password, Insecure: q.Insecure})
client, err := gofish.Connect(gofish.ClientConfig{Endpoint: uri.String(), Username: bmcCreds.Username, Password: bmcCreds.Password, Insecure: q.Insecure})
if err != nil {
return fmt.Errorf("failed to connect to Redfish service: %w", err)
}