Merge branch 'latest' into UAT-44

.gitignore

@@ -27,7 +27,7 @@ yarn.lock
 dist/
 
 # Ignore the Azure credentials file
-azure_creds.json
+*_creds.json
 
 # Ignore the .env file
 .env

Dockerfile

@@ -22,7 +22,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     tzdata=2024a-3ubuntu1.1 \
-    curl=8.5.0-2ubuntu10.3 \
+    curl=8.5.0-2ubuntu10.4 \
     bash=5.2.21-2ubuntu4 \
     gettext=0.21-14ubuntu2 \
     gnupg=2.4.4-2ubuntu17 \

Makefile

@@ -50,7 +50,7 @@ log:
 
 # Delete the running container
 clean:
-	@echo "Deleting Docker container..."
+	@echo "Deleting Docker container if exists..."
 	@docker rm -f $(CONTAINER_NAME) || true
 
 # Run the validation tests

lib/auth/aws.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Example usage of the function
+# aws_authenticate "/path/to/your/aws_creds.json"
+#
+# Example AWS credentials JSON file:
+#
+# {
+#     "AccessKeyId": "your-access-key-id",
+#     "SecretAccessKey": "your-secret-access-key",
+#     "Region": "your-aws-region"
+# }
+
+# Function to authenticate AWS using IAM user credentials
+aws_authenticate() {
+    echo "Not supported yet. Is in progress"
+}
+
+# Example usage of the function
+# aws_authenticate "/path/to/your/aws_creds.json"

lib/auth/azure.sh

@@ -1,5 +1,20 @@
 #!/bin/bash
 
+# Function to authenticate Azure accounts
+#
+# Example usage of the function
+# azure_authenticate "/path/to/your/azure_creds.json"
+#
+# Example Azure credentials JSON file:
+#
+# {
+#     "clientId": "your-client-id",
+#     "clientSecret": "your-client-secret",
+#     "subscriptionId": "your-subscription-id",
+#     "tenantId": "your-tenant-id"
+# }
+#
+
 # Function to authenticate Azure accounts
 azure_authenticate() {
     local creds_json="$1"

lib/auth/bitwarden.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Function to authenticate Bitwarden using API key or master password
+#
+# Example usage of the function
+# bitwarden_authenticate "/path/to/your/bitwarden_creds.json"
+#
+# Example Bitwarden credentials JSON file:
+#
+# {
+#     "clientId": "your-client-id",
+#     "clientSecret": "your-client-secret",
+#     "masterPassword": "your-master-password"
+# }
+#
+
+# Function to authenticate Bitwarden using API key or master password
+bitwarden_authenticate() {
+    echo "Not supported yet. Is in progress"
+}
+
+# Example usage of the function
+# bitwarden_authenticate "/path/to/your/bitwarden_creds.json"

lib/auth/gcp.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Function to authenticate GCP service accounts
+#
+# Example usage of the function
+# gcp_authenticate "/path/to/your/gcp_creds.json"
+#
+# Example GCP credentials JSON file:
+#
+# {
+#     "type": "service_account",
+#     "project_id": "your-project-id",
+#     "private_key_id": "your-private-key-id",
+#     "private_key": "your-private-key",
+#     "client_email": "your-client-email",
+#     "client_id": "your-client-id",
+#     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+#     "token_uri": "https://oauth2.googleapis.com/token",
+#     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+#     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-client-email"
+# }
+#
+
+# Function to authenticate GCP service accounts
+gcp_authenticate() {
+    local creds_json="$1"
+
+    # Read the contents of the file
+    local creds_content
+    creds_content=$(cat "$creds_json")
+
+    if [[ -z "$creds_content" ]]; then
+        echo "[ERROR] No GCP credentials provided." >&2
+        return 1
+    fi
+
+    # Extract necessary fields from the JSON credentials
+    local clientEmail privateKey projectId
+
+    clientEmail=$(echo "$creds_content" | jq -r '.client_email')
+    privateKey=$(echo "$creds_content" | jq -r '.private_key')
+    projectId=$(echo "$creds_content" | jq -r '.project_id')
+
+    if [[ -z "$clientEmail" || -z "$privateKey" || -z "$projectId" ]]; then
+        echo "[ERROR] Missing required GCP credentials." >&2
+        return 1
+    fi
+
+    # Create a temporary credentials file for gcloud authentication
+    local temp_creds_file="/tmp/gcp_creds.json"
+    echo "$creds_content" > "$temp_creds_file"
+
+    echo "[INFO] Authenticating GCP service account..."
+    if ! gcloud auth activate-service-account "$clientEmail" --key-file="$temp_creds_file" >/dev/null 2>&1; then
+        echo "[ERROR] GCP service account authentication failed." >&2
+        rm -f "$temp_creds_file"
+        return 1
+    fi
+
+    if ! gcloud config set project "$projectId" >/dev/null 2>&1; then
+        echo "[ERROR] Failed to set GCP project." >&2
+        rm -f "$temp_creds_file"
+        return 1
+    fi
+
+    echo "[INFO] GCP service account authenticated and project set."
+
+    # Clean up temporary credentials file
+    rm -f "$temp_creds_file"
+}

lib/auth/readme.md

@@ -27,12 +27,9 @@ Note the appId, password, and tenant.
 Update your `worker.yml` configuration file to include the Azure Service Principal credentials:
 
 ```yaml
-workerActors:
-  - type: azure-service-principal
-    subscription: "YOUR_SUBSCRIPTION_ID"
-    tenant: "YOUR_TENANT_ID"
-    application: "YOUR_APP_ID"
-    password: "YOUR_CLIENT_SECRET"
+actors:
+  - type: azure
+    creds: "${AZURE_CREDS}"    
 ```
 
 ### AWS IAM Role (TBD)
@@ -43,6 +40,10 @@ Instructions for setting up AWS IAM Role will be provided here.
 
 Instructions for setting up GCP Service Account will be provided here.
 
+### Bitwarden Service Account (TBD)
+
+Instructions for setting up GCP Service Account will be provided here.
+
 ## Best Practices
 
 - **Use least privilege**: Assign the minimum required permissions to service accounts and roles.

lib/cleanup.sh

@@ -6,71 +6,34 @@ source /usr/local/lib/utils.sh
 # shellcheck source=/dev/null
 source /usr/local/lib/worker_config.sh
 
-# Function to clean up Azure authentication
-cleanup_azure() {
-    log_info "Cleaning up Azure authentication"
-    if command -v az > /dev/null; then
-        if az account show > /dev/null 2>&1; then
-            if ! az logout; then
-                log_error "Failed to log out of Azure"
-            fi
-        else
-            log_info "No active Azure accounts found."
-        fi
-    else
-        log_warn "Azure CLI not found. Skipping Azure cleanup."
+# Generic function to clean up authentication for any provider
+cleanup_provider() {
+    local provider=$1
+    local logout_cmd=$2
+    local list_cmd=$3
+    local name=$4
+
+    log_info "Cleaning up $name authentication"
+
+    if ! command -v "$provider" > /dev/null; then
+        log_warn "$name CLI not found. Skipping $name cleanup."
+        return 0
     fi
-}
 
-# Function to clean up GCP authentication
-cleanup_gcp() {
-    log_info "Cleaning up GCP authentication"
-    if command -v gcloud > /dev/null; then
-        if gcloud auth list --format="value(account)" > /dev/null 2>&1; then
-            if ! gcloud auth revoke --all; then
-                log_error "Failed to revoke GCP authentication"
-            fi
-        else
-            log_info "No active GCP accounts found."
-        fi
-    else
-        log_warn "GCP CLI not found. Skipping GCP cleanup."
+    if ! eval "$list_cmd" > /dev/null 2>&1; then
+        log_info "No active $name accounts or sessions found."
+        return 0
     fi
-}
 
-# Function to clean up AWS authentication
-cleanup_aws() {
-    log_info "Cleaning up AWS authentication"
-    if command -v aws > /dev/null; then
-        if aws sso list-accounts > /dev/null 2>&1; then
-            if ! aws sso logout; then
-                log_warn "AWS SSO logout not configured or failed"
-            fi
-        else
-            log_info "No active AWS SSO sessions found."
-        fi
-    else
-        log_warn "AWS CLI not found. Skipping AWS cleanup."
+    if ! eval "$logout_cmd"; then
+        log_error "Failed to log out of $name"
+        return 1
     fi
-}
 
-# Function to clean up Bitwarden authentication
-cleanup_bitwarden() {
-    log_info "Cleaning up Bitwarden authentication"
-    if command -v bw > /dev/null; then
-        if bw status > /dev/null 2>&1; then
-            if ! bw logout --force; then
-                log_error "Failed to log out of Bitwarden"
-            fi
-        else
-            log_info "No active Bitwarden sessions found."
-        fi
-    else
-        log_warn "Bitwarden CLI not found. Skipping Bitwarden cleanup."
-    fi
+    log_info "$name authentication cleaned up successfully."
 }
 
-# Function to clean up actors
+# Function to clean up actors based on the worker configuration
 cleanup_actors() {
     log_info "Starting cleanup of actors"
 
@@ -88,51 +51,47 @@ cleanup_actors() {
         return 0
     fi
 
-    # Process each actor in the configuration
+    # Process each actor type
     echo "$actors_json" | jq -c '.[]' | while IFS= read -r actor; do
         local type
         type=$(echo "$actor" | jq -r '.type')
-
-        local cleanup_function="cleanup_${type//[-]/_}"
-        if declare -F "$cleanup_function" > /dev/null; then
-            $cleanup_function
-        else
-            log_warn "Unsupported or unavailable actor type for cleanup: $type"
-        fi
+
+        case "$type" in
+            azure)
+                cleanup_provider "az" "az logout" "az account show" "Azure"
+                ;;
+            gcp)
+                cleanup_provider "gcloud" "gcloud auth revoke --all" "gcloud auth list" "GCP"
+                ;;
+            aws)
+                cleanup_provider "aws" "aws sso logout" "aws sso list-accounts" "AWS"
+                ;;
+            bitwarden)
+                cleanup_provider "bw" "bw logout --force" "bw status" "Bitwarden"
+                ;;
+            *)
+                log_warn "Unsupported or unavailable actor type for cleanup: $type"
+                ;;
+        esac
     done
 }
 
-# Function to clean up sensitive environment variables
+# Function to clean up sensitive environment variables based on a pattern
 cleanup_sensitive_env_vars() {
     log_info "Cleaning up sensitive environment variables"
 
-    local env_config
-    if ! env_config=$(get_worker_config_path); then
-        log_error "Failed to retrieve configuration path."
-        return 1
-    fi
-
-    # Extract environment variable names defined in worker.yml (both variables and secrets)
-    local defined_vars
-    defined_vars=$(yq e -o=json '.config.variables, .config.secrets' "$env_config" 2>/dev/null | jq -r 'to_entries[].key')
-
-    if [[ -z "$defined_vars" ]]; then
-        log_info "No sensitive environment variables found."
-        return 0
-    fi
+    # Define a pattern for sensitive environment variables (e.g., AZURE_CREDS, GCP_CREDS, etc.)
+    local pattern="_CREDS"
 
-    # Unset the defined environment variables
-    for var in $defined_vars; do
-        unset "$var" || log_warn "Failed to unset environment variable: $var"
+    # Loop through environment variables that match the pattern
+    for var in $(env | grep "${pattern}" | cut -d'=' -f1); do
+        unset "$var"
+        log_info "Unset sensitive environment variable: $var"
     done
 
     log_info "Sensitive environment variables cleaned up successfully."
 }
 
-# Example usage:
-# cleanup_azure
-# cleanup_gcp
-# cleanup_aws
-# cleanup_bitwarden
+# Example usage
 # cleanup_actors
 # cleanup_sensitive_env_vars

lib/environment.sh

@@ -8,21 +8,8 @@ source /usr/local/lib/secrets.sh
 source /usr/local/lib/cleanup.sh
 source /usr/local/lib/worker_config.sh
 
-# Load environment variables from .env file if it exists
-load_env_file() {
-    if [ -f .env ]; then
-        log_info "Loading environment variables from .env file."
-        # Quote the command substitution to prevent word splitting
-        export "$(grep -v '^#' .env | xargs -r)"
-    else
-        log_info "No .env file found. Proceeding with environment variables from the host."
-    fi
-}
-
 # Main function to coordinate environment setup
 configure_environment() {
-    # Load environment variables from .env file if it exists
-    load_env_file
 
     # Load and resolve the worker configuration
     local resolved_config