feat: add basic auth to Zeebe deployments

app/lib/zeebe-api/constants.js

@@ -0,0 +1,20 @@
+/**
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership.
+ *
+ * Camunda licenses this file to you under the MIT; you may not use this file
+ * except in compliance with the MIT License.
+ */
+
+module.exports.AUTH_TYPES = {
+  NONE: 'none',
+  BASIC: 'basic',
+  OAUTH: 'oauth'
+};
+
+module.exports.ENDPOINT_TYPES = {
+  SELF_HOSTED: 'selfHosted',
+  CAMUNDA_CLOUD: 'camundaCloud'
+};

app/lib/zeebe-api/zeebe-api.js

@@ -17,9 +17,11 @@ const createLog = require('../log');
 const { X509Certificate } = require('node:crypto');
 
 const {
+  get,
+  isDefined,
   pick,
-  values,
-  reduce
+  set,
+  values
 } = require('min-dash');
 
 const ERROR_REASONS = {
@@ -34,25 +36,36 @@ const ERROR_REASONS = {
   INVALID_CREDENTIALS: 'INVALID_CREDENTIALS'
 };
 
-const ENDPOINT_TYPES = {
-  SELF_HOSTED: 'selfHosted',
-  OAUTH: 'oauth',
-  CAMUNDA_CLOUD: 'camundaCloud'
-};
+const {
+  AUTH_TYPES,
+  ENDPOINT_TYPES
+} = require('./constants');
 
 const RESOURCE_TYPES = {
   BPMN: 'bpmn',
   DMN: 'dmn',
   FORM: 'form'
 };
 
+const ENDPOINT_SECRETS = [
+  'endpoint.clientId',
+  'endpoint.clientSecret',
+  'endpoint.basicAuthUsername',
+  'endpoint.basicAuthPassword'
+];
+
+const CLIENT_OPTIONS_SECRETS = [
+  'options.basicAuth.username',
+  'options.basicAuth.password'
+];
+
 /**
  * @typedef {Object} ZeebeClientParameters
  * @property {Endpoint} endpoint
  */
 
 /**
- * @typedef {SelfHostedNoAuthEndpoint|SelfHostedOAuthEndpoint|CamundaCloudEndpoint} Endpoint
+ * @typedef {SelfHostedNoAuthEndpoint|SelfHostedBasicAuthEndpoint|SelfHostedOAuthEndpoint|CamundaCloudEndpoint} Endpoint
  */
 
 /**
@@ -61,6 +74,13 @@ const RESOURCE_TYPES = {
  * @property {string} url
  */
 
+/**
+ * @typedef {Object} SelfHostedBasicAuthEndpoint
+ * @property {'basic'} type
+ * @property {string} username
+ * @property {string} password
+ */
+
 /**
  * @typedef {Object} SelfHostedOAuthEndpoint
  * @property {'oauth'} type
@@ -117,15 +137,15 @@ class ZeebeAPI {
     const client = await this._getZeebeClient(endpoint);
 
     this._log.debug('check connection', {
-      parameters: withoutSecrets(parameters)
+      parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
     });
 
     try {
       await client.topology();
       return { success: true };
     } catch (err) {
       this._log.error('connection check failed', {
-        parameters: withoutSecrets(parameters)
+        parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
       }, err);
 
       return {
@@ -157,7 +177,7 @@ class ZeebeAPI {
     } = this._fs.readFile(filePath, { encoding: false });
 
     this._log.debug('deploy', {
-      parameters: withoutSecrets(parameters)
+      parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
     });
 
     const client = await this._getZeebeClient(endpoint);
@@ -176,7 +196,7 @@ class ZeebeAPI {
         response: response
       };
     } catch (err) {
-      this._log.error('deploy failed', withoutSecrets(parameters), err);
+      this._log.error('deploy failed', withoutSecrets(parameters, ENDPOINT_SECRETS), err);
 
       return {
         success: false,
@@ -203,7 +223,7 @@ class ZeebeAPI {
     } = parameters;
 
     this._log.debug('run', {
-      parameters: withoutSecrets(parameters)
+      parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
     });
 
     const client = await this._getZeebeClient(endpoint);
@@ -222,7 +242,7 @@ class ZeebeAPI {
       };
     } catch (err) {
       this._log.error('run failed', {
-        parameters: withoutSecrets(parameters)
+        parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
       }, err);
 
       return {
@@ -247,7 +267,7 @@ class ZeebeAPI {
     } = parameters;
 
     this._log.debug('fetch gateway version', {
-      parameters: withoutSecrets(parameters)
+      parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
     });
 
     const client = await this._getZeebeClient(endpoint);
@@ -263,7 +283,7 @@ class ZeebeAPI {
       };
     } catch (err) {
       this._log.error('fetch gateway version failed', {
-        parameters: withoutSecrets(parameters)
+        parameters: withoutSecrets(parameters, ENDPOINT_SECRETS)
       }, err);
 
       return {
@@ -307,18 +327,27 @@ class ZeebeAPI {
   async _createZeebeClient(endpoint) {
     const {
       type,
+      authType = AUTH_TYPES.NONE,
       url
     } = endpoint;
 
     let options = {
       retry: false
     };
 
-    if (!values(ENDPOINT_TYPES).includes(type)) {
+    if (!values(ENDPOINT_TYPES).includes(type) || !values(AUTH_TYPES).includes(authType)) {
       return;
     }
 
-    if (type === ENDPOINT_TYPES.OAUTH) {
+    if (authType === AUTH_TYPES.BASIC) {
+      options = {
+        ...options,
+        basicAuth: {
+          username: endpoint.basicAuthUsername,
+          password: endpoint.basicAuthPassword
+        }
+      };
+    } else if (authType === AUTH_TYPES.OAUTH) {
       options = {
         ...options,
         oAuth: {
@@ -349,12 +378,15 @@ class ZeebeAPI {
 
     this._log.debug('creating client', {
       url,
-      options: filterRecursive(options, [
-        'clientId:secret',
-        'clientSecret:secret',
-        'customRootCert:blob',
-        'rootCerts:blob'
-      ])
+      options: withoutSecrets(
+        filterRecursive(options, [
+          'clientId:secret',
+          'clientSecret:secret',
+          'customRootCert:blob',
+          'rootCerts:blob'
+        ]),
+        CLIENT_OPTIONS_SECRETS
+      )
     });
 
     return new this._ZeebeNode.ZBClient(url, options);
@@ -523,7 +555,8 @@ function getErrorReason(error, endpoint) {
   } = error;
 
   const {
-    type
+    type,
+    authType = AUTH_TYPES.NONE
   } = endpoint;
 
   // (1) handle grpc errors
@@ -542,7 +575,7 @@ function getErrorReason(error, endpoint) {
 
   // (3) handle <not found>
   if (message.includes('ENOTFOUND') || message.includes('Not Found')) {
-    if (type === ENDPOINT_TYPES.OAUTH) {
+    if (authType === AUTH_TYPES.OAUTH) {
       return ERROR_REASONS.OAUTH_URL;
     } else if (type === ENDPOINT_TYPES.CAMUNDA_CLOUD) {
       return ERROR_REASONS.INVALID_CLIENT_ID;
@@ -563,7 +596,7 @@ function getErrorReason(error, endpoint) {
     return ERROR_REASONS.FORBIDDEN;
   }
 
-  if (message.includes('Unsupported protocol') && type === ENDPOINT_TYPES.OAUTH) {
+  if (message.includes('Unsupported protocol') && authType === AUTH_TYPES.OAUTH) {
     return ERROR_REASONS.OAUTH_URL;
   }
 
@@ -574,25 +607,18 @@ function isHashEqual(parameter1, parameter2) {
   return JSON.stringify(parameter1) === JSON.stringify(parameter2);
 }
 
-function withoutSecrets(parameters) {
-
-  const endpointSecrets = [
-    'clientId',
-    'clientSecret',
-  ];
+function withoutSecrets(parameters, paths) {
+  paths.forEach(secret => {
+    const path = secret.split('.');
 
-  const endpoint = reduce(parameters.endpoint, (filteredEndpoint, value, key) => {
+    const value = get(parameters, path);
 
-    if (endpointSecrets.includes(key)) {
-      value = '******';
+    if (isDefined(value)) {
+      set(parameters, path, '******');
     }
+  });
 
-    filteredEndpoint[key] = value;
-
-    return filteredEndpoint;
-  }, {});
-
-  return { ...parameters, endpoint };
+  return parameters;
 }
 
 function asSerializedError(error) {