Locksmith

Agenda

What / Why
How
Do's and Don'ts
Demo
Next Steps

What is Locksmith?

Web service that elevates a user's PCF privileges to allow for change (either through a scheduled change request OR an incident)

Why?

People were making changes without CHGs...yada yada yada
Locked down changes to be done by ITO...yada yada yada
Locksmith provides a self-service mechanism for performing change that enables traceability

In the Beginning...

"THE CLOUD IS AWESOME!"

"I can deploy all day long"

"I gotta fix this...I can't waste time with a change request"

Then THE AUDIT...

"No more service accounts?!?"

"We can't deploy this ourselves?"

"Oh no, my script has a typo"

"I have an Incident...what do I do?"

"I can only deploy between 9 and 4?"

And Now...

"I can deploy my own stuff again!"

"I still need a change...but I probably should have had one all along"

"Self-service offering for elevating IDs - THANKS

How?

Create a change in Service Now
Get approval for change (IRB, Service Now, RE, etc.)
Before deploying, execute API call to Locksmith to elevate credentials of person "assigned" to changed in Service Now
Assigned to person performs change in PCF (ideally this is done through an automated script)

Be aware...

Due to separation of duties, assigned to person CANNOT have source control access (e.g. github) by being part of the GG_SCM_Access group
- Good opportunity for RE or Product Managers?
- Make sure this person is a SpaceAuditor in the production org/space
For standard changes, only works during change request window
Only lasts for 4 hours - need to re-request elevation after that (as long as it's in the change window)
Usual requirements around how to create a PCF change (Automation, CI, etc.)
- Check out the #cloudfoundry channel and wiki for more details

Do

Automate your deployment to production
Use your deployment script in non-prod AND production
Make sure you have a SpaceAuditor without GG_SCM_Access
Test locksmith with an incident
Get RE to deploy your code (soon)

Do Not

Have the assigned person execute cf push
Assign the change to someone with GG_SCM_Access
Wait until the last minute to realize you do not have someone to execute the change

"I can't wait to deploy your app!"

Call me any time on my cell phone: 404-555-8997

Demo

Locksmith Mock codebase: https://github.homedepot.com/bxr2249/locksmith-mock
Locksmith Mock deployed: https://locksmith-mock.apps-np.homedepot.com/
Locksmith Demo: https://github.homedepot.com/bxr2249/locksmith-demo
Jenkins (temp) Server: http://ld00841.homedepot.com/

Built a mock locksmith app that you can test scripts with
Demo app that scripts out locksmith and deployment

Important Code

# use locksmith (mock) to elevate credentials
LOCKSMITH_RESPONSE=$(curl -i -X POST "http://locksmith-mock.apps-np.homedepot.com/api/grants" \
    -H "accept: application/json" -H "content-type: application/json" -d "{ \"service_now_record\": \"${CHG_NUMBER}\"}")

#echo "*******"
#echo "Locksmith HTTP Response:"
#echo ${LOCKSMITH_RESPONSE}
#echo "*******"
#echo ""

REGEX_ELEVATED_USER="\"user\":\"([A-Za-z0-9 ]+)\""
REGEX_ERRORS="(\{\"errors\":\[[\{\}\"A-Za-z0-9\: ,]+\]\})"
REGEX_HTTP_CODE_201="201"
REGEX_HTTP_CODE_400="400"
REGEX_RESPONSE_CODE="^HTTP\/[0-9].[0-9] ([0-9]{3})"

if [[ ${LOCKSMITH_RESPONSE} =~ ${REGEX_RESPONSE_CODE} ]]; then
    LOCKSMITH_HTTP_CODE=${BASH_REMATCH[1]}
    echo "Locksmith HTTP Code: ${LOCKSMITH_HTTP_CODE}"
else
	echo "Response code from locksmith not found"
    exit 1
fi

if [ "${LOCKSMITH_HTTP_CODE}" == "${REGEX_HTTP_CODE_201}" ]; then
	if [[ ${LOCKSMITH_RESPONSE} =~ ${REGEX_ELEVATED_USER} ]]; then
    	ELEVATED_USER=${BASH_REMATCH[1]}
		echo "User \"${ELEVATED_USER}\" permissions have been elevated to execute change"
	fi
elif [ "${LOCKSMITH_HTTP_CODE}" == "${REGEX_HTTP_CODE_400}" ]; then
	if [[ ${LOCKSMITH_RESPONSE} =~ ${REGEX_ERRORS} ]]; then
    	LOCKSMITH_ERRORS=${BASH_REMATCH[1]}
		echo "Locksmith Errors:"
    	echo ${LOCKSMITH_ERRORS}
    	exit 1
	fi
else
	echo "Response code unhandled: ${LOCKSMITH_HTTP_CODE}"
    exit 1
fi

Call Locksmith

Get HTTP Code

Handle success or error

Alternative

As of 7/26, ci-cd/concourse-common has a locksmith.sh script
https://github.homedepot.com/ci-cd/concourse-common/blob/master/scripts/locksmith.sh

Next Steps

Jenkins or Drone seems to be the preferred method for deployment to production (where credentials can be injected at runtime)
Very easy to setup an instance of Jenkins with SoD
"Old" deploy method goes away beginning of August