Revert "Revert "PMM-8273 download templates from SaaS (#786)" (#801)" PMM-8710 (#816)

* Revert "Revert "PMM-8273 download templates from SaaS (#786)" (#801)"

PMM-8273 was mistakenly merged and later reverted. Since IA template is now
available on SaaS we can re-introduce the feature.

This reverts commit 3c660c3.

Author: palash25

main.go

@@ -649,7 +649,10 @@ func main() {
 	}
 
 	// Integrated alerts services
-	templatesService := ia.NewTemplatesService(db)
+	templatesService, err := ia.NewTemplatesService(db)
+	if err != nil {
+		l.Fatalf("Could not create templates service: %s", err)
+	}
 	rulesService := ia.NewRulesService(db, templatesService, vmalert, alertmanager)
 	alertsService := ia.NewAlertsService(db, alertmanager, templatesService)
 

services/checks/checks.go

@@ -43,13 +43,13 @@ import (
 	"github.com/percona/pmm-managed/services"
 	"github.com/percona/pmm-managed/utils/envvars"
 	"github.com/percona/pmm-managed/utils/saasdial"
+	"github.com/percona/pmm-managed/utils/signatures"
 )
 
 const (
 	defaultStartDelay = time.Minute
 
 	// Environment variables that affect checks service; only for testing.
-	envPublicKey         = "PERCONA_TEST_CHECKS_PUBLIC_KEY"
 	envCheckFile         = "PERCONA_TEST_CHECKS_FILE"
 	envResendInterval    = "PERCONA_TEST_CHECKS_RESEND_INTERVAL"
 	envDisableStartDelay = "PERCONA_TEST_CHECKS_DISABLE_START_DELAY"
@@ -78,12 +78,6 @@ var (
 	pmmAgentInvalid = version.MustParse("3.0.0-invalid")
 )
 
-var defaultPublicKeys = []string{
-	"RWTfyQTP3R7VzZggYY7dzuCbuCQWqTiGCqOvWRRAMVEiw0eSxHMVBBE5", // PMM 2.6
-	"RWRxgu1w3alvJsQf+sHVUYiF6guAdEsBWXDe8jHZuB9dXVE9b5vw7ONM", // PMM 2.12
-	"RWTHhufOlJ38dWt+DrprOg702YvZgqQJsx1XKfzF+MaB/pe9eCJgKkiF", // PMM 2.17
-}
-
 // Service is responsible for interactions with Percona Check service.
 type Service struct {
 	agentsRegistry      agentsRegistry
@@ -135,7 +129,6 @@ func New(agentsRegistry agentsRegistry, alertmanagerService alertmanagerService,
 
 		l:               l,
 		host:            host,
-		publicKeys:      defaultPublicKeys,
 		startDelay:      defaultStartDelay,
 		resendInterval:  defaultResendInterval,
 		localChecksFile: os.Getenv(envCheckFile),
@@ -155,9 +148,9 @@ func New(agentsRegistry agentsRegistry, alertmanagerService alertmanagerService,
 		}, []string{"service_type", "check_type"}),
 	}
 
-	if k := os.Getenv(envPublicKey); k != "" {
-		s.publicKeys = strings.Split(k, ",")
+	if k := envvars.GetPublicKeys(); k != nil {
 		l.Warnf("Public keys changed to %q.", k)
+		s.publicKeys = k
 	}
 	if d, _ := strconv.ParseBool(os.Getenv(envDisableStartDelay)); d {
 		l.Warn("Start delay disabled.")
@@ -1081,7 +1074,7 @@ func (s *Service) downloadChecks(ctx context.Context) ([]check.Check, error) {
 		return nil, errors.Wrap(err, "failed to request checks service")
 	}
 
-	if err = s.verifySignatures(resp); err != nil {
+	if err = signatures.Verify(s.l, resp.File, resp.Signatures, s.publicKeys); err != nil {
 		return nil, err
 	}
 
@@ -1147,26 +1140,6 @@ func (s *Service) UpdateIntervals(rare, standard, frequent time.Duration) {
 	s.l.Infof("Intervals are changed: rare %s, standard %s, frequent %s", rare, standard, frequent)
 }
 
-// verifySignatures verifies checks signatures and returns error in case of verification problem.
-func (s *Service) verifySignatures(resp *api.GetAllChecksResponse) error {
-	if len(resp.Signatures) == 0 {
-		return errors.New("zero signatures received")
-	}
-
-	var err error
-	for _, sign := range resp.Signatures {
-		for _, key := range s.publicKeys {
-			if err = check.Verify([]byte(resp.File), key, sign); err == nil {
-				s.l.Debugf("Key %q matches signature %q.", key, sign)
-				return nil
-			}
-			s.l.Debugf("Key %q doesn't match signature %q: %s.", key, sign, err)
-		}
-	}
-
-	return errors.New("no verified signatures")
-}
-
 // Describe implements prom.Collector.
 func (s *Service) Describe(ch chan<- *prom.Desc) {
 	s.mScriptsExecuted.Describe(ch)

services/checks/checks_test.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	"github.com/AlekSi/pointer"
-	api "github.com/percona-platform/saas/gen/check/retrieval"
 	"github.com/percona-platform/saas/pkg/check"
 	"github.com/percona/pmm/version"
 	promtest "github.com/prometheus/client_golang/prometheus/testutil"
@@ -297,63 +296,6 @@ func TestSTTMetrics(t *testing.T) {
 		assert.NoError(t, promtest.CollectAndCompare(s, expected))
 	})
 }
-
-func TestVerifySignatures(t *testing.T) {
-	t.Parallel()
-
-	t.Run("normal", func(t *testing.T) {
-		t.Parallel()
-
-		s, err := New(nil, nil, nil)
-		require.NoError(t, err)
-		s.host = devChecksHost
-
-		validKey := "RWSdGihBPffV2c4IysqHAIxc5c5PLfmQStbRPkuLXDr3igJOqFWt7aml"
-		invalidKey := "RWSdGihBPffV2c4IysqHAIxc5c5PLfmQStbRPkuLXDr3igJO+INVALID"
-
-		s.publicKeys = []string{invalidKey, validKey}
-
-		validSign := strings.TrimSpace(`
-untrusted comment: signature from minisign secret key
-RWSdGihBPffV2W/zvmIiTLh8UnocoF3OcwmczGdZ+zM13eRnm2Qq9YxfQ9cLzAp1dA5w7C5a3Cp5D7jlYiydu5hqZhJUxJt/ugg=
-trusted comment: some comment
-uEF33ScMPYpvHvBKv8+yBkJ9k4+DCfV4nDs6kKYwGhalvkkqwWkyfJffO+KW7a1m3y42WHpOnzBxLJeU/AuzDw==
-`)
-
-		invalidSign := strings.TrimSpace(`
-untrusted comment: signature from minisign secret key
-RWSdGihBPffV2W/zvmIiTLh8UnocoF3OcwmczGdZ+zM13eRnm2Qq9YxfQ9cLzAp1dA5w7C5a3Cp5D7jlYiydu5hqZhJ+INVALID=
-trusted comment: some comment
-uEF33ScMPYpvHvBKv8+yBkJ9k4+DCfV4nDs6kKYwGhalvkkqwWkyfJffO+KW7a1m3y42WHpOnzBxLJ+INVALID==
-`)
-
-		resp := api.GetAllChecksResponse{
-			File:       "random data",
-			Signatures: []string{invalidSign, validSign},
-		}
-
-		err = s.verifySignatures(&resp)
-		assert.NoError(t, err)
-	})
-
-	t.Run("empty signatures", func(t *testing.T) {
-		t.Parallel()
-
-		s, err := New(nil, nil, nil)
-		require.NoError(t, err)
-		s.host = devChecksHost
-		s.publicKeys = []string{"RWSdGihBPffV2c4IysqHAIxc5c5PLfmQStbRPkuLXDr3igJOqFWt7aml"}
-
-		resp := api.GetAllChecksResponse{
-			File:       "random data",
-			Signatures: []string{},
-		}
-
-		err = s.verifySignatures(&resp)
-		assert.EqualError(t, err, "zero signatures received")
-	})
-}
-
 func TestGetSecurityCheckResults(t *testing.T) {
 	sqlDB := testdb.Open(t, models.SkipFixtures, nil)
 	db := reform.NewDB(sqlDB, postgresql.Dialect, nil)

services/management/ia/alerts_service_test.go

@@ -271,7 +271,8 @@ func TestListAlerts(t *testing.T) {
 	}
 	mockAlert.On("GetAlerts", ctx).Return(mockedAlerts, nil)
 
-	tmplSvc := NewTemplatesService(db)
+	tmplSvc, err := NewTemplatesService(db)
+	require.NoError(t, err)
 	tmplSvc.Collect(ctx)
 	svc := NewAlertsService(db, mockAlert, tmplSvc)
 

services/management/ia/rules_service_test.go

@@ -72,7 +72,8 @@ func TestCreateAlertRule(t *testing.T) {
 	channelID := respC.ChannelId
 
 	// Load test templates
-	templates := NewTemplatesService(db)
+	templates, err := NewTemplatesService(db)
+	require.NoError(t, err)
 	templates.userTemplatesPath = testTemplates2
 	templates.Collect(ctx)
 

services/management/ia/templates_service.go

@@ -27,6 +27,7 @@ import (
 	"text/template"
 	"time"
 
+	api "github.com/percona-platform/saas/gen/check/retrieval"
 	"github.com/percona-platform/saas/pkg/alert"
 	"github.com/percona-platform/saas/pkg/common"
 	iav1beta1 "github.com/percona/pmm/api/managementpb/ia"
@@ -40,9 +41,14 @@ import (
 	"github.com/percona/pmm-managed/data"
 	"github.com/percona/pmm-managed/models"
 	"github.com/percona/pmm-managed/utils/dir"
+	"github.com/percona/pmm-managed/utils/envvars"
+	"github.com/percona/pmm-managed/utils/saasdial"
+	"github.com/percona/pmm-managed/utils/signatures"
 )
 
-const templatesDir = "/srv/ia/templates"
+const (
+	templatesDir = "/srv/ia/templates"
+)
 
 // templateInfo represents alerting rule template information from various sources.
 //
@@ -61,25 +67,41 @@ type TemplatesService struct {
 	l                 *logrus.Entry
 	userTemplatesPath string
 
+	host       string
+	publicKeys []string
+
 	rw        sync.RWMutex
 	templates map[string]templateInfo
 }
 
 // NewTemplatesService creates a new TemplatesService.
-func NewTemplatesService(db *reform.DB) *TemplatesService {
+func NewTemplatesService(db *reform.DB) (*TemplatesService, error) {
 	l := logrus.WithField("component", "management/ia/templates")
 
 	err := dir.CreateDataDir(templatesDir, "pmm", "pmm", dirPerm)
 	if err != nil {
 		l.Error(err)
 	}
 
-	return &TemplatesService{
+	host, err := envvars.GetSAASHost()
+	if err != nil {
+		return nil, err
+	}
+
+	s := &TemplatesService{
 		db:                db,
 		l:                 l,
 		userTemplatesPath: templatesDir,
+		host:              host,
 		templates:         make(map[string]templateInfo),
 	}
+
+	if k := envvars.GetPublicKeys(); k != nil {
+		l.Warnf("Public keys changed to %q.", k)
+		s.publicKeys = k
+	}
+
+	return s, nil
 }
 
 // Enabled returns if service is enabled and can be used.
@@ -110,6 +132,7 @@ func (s *TemplatesService) getTemplates() map[string]templateInfo {
 
 // Collect collects IA rule templates from various sources like:
 // builtin templates: read from the generated code in bindata.go.
+// SaaS templates: templates downloaded from checks service.
 // user file templates: read from yaml files created by the user in `/srv/ia/templates`
 // user API templates: in the DB created using the API.
 func (s *TemplatesService) Collect(ctx context.Context) {
@@ -131,7 +154,14 @@ func (s *TemplatesService) Collect(ctx context.Context) {
 		return
 	}
 
-	templates := make([]templateInfo, 0, len(builtInTemplates)+len(userDefinedTemplates)+len(dbTemplates))
+	saasTemplates, err := s.downloadTemplates(ctx)
+	if err != nil {
+		// just log the error and don't return, if the user is not connected to SaaS
+		// we should still collect and show the Built-In templates.
+		s.l.Errorf("Failed to download rule templates from SaaS: %s.", err)
+	}
+
+	templates := make([]templateInfo, 0, len(builtInTemplates)+len(userDefinedTemplates)+len(dbTemplates)+len(saasTemplates))
 
 	for _, t := range builtInTemplates {
 		templates = append(templates, templateInfo{
@@ -147,9 +177,14 @@ func (s *TemplatesService) Collect(ctx context.Context) {
 		})
 	}
 
-	templates = append(templates, dbTemplates...)
+	for _, t := range saasTemplates {
+		templates = append(templates, templateInfo{
+			Template: t,
+			Source:   iav1beta1.TemplateSource_SAAS,
+		})
+	}
 
-	// TODO download templates from SAAS.
+	templates = append(templates, dbTemplates...)
 
 	// replace previously stored templates with newly collected ones.
 	s.rw.Lock()
@@ -331,6 +366,49 @@ func (s *TemplatesService) loadTemplatesFromDB() ([]templateInfo, error) {
 	return res, nil
 }
 
+// downloadTemplates downloads IA templates from SaaS.
+func (s *TemplatesService) downloadTemplates(ctx context.Context) ([]alert.Template, error) {
+	s.l.Infof("Downloading templates from %s ...", s.host)
+
+	settings, err := models.GetSettings(s.db)
+	if err != nil {
+		return nil, err
+	}
+
+	cc, err := saasdial.Dial(ctx, settings.SaaS.SessionID, s.host)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to dial")
+	}
+	defer cc.Close() //nolint:errcheck
+
+	resp, err := api.NewRetrievalAPIClient(cc).GetAllAlertRuleTemplates(ctx, &api.GetAllAlertRuleTemplatesRequest{})
+	if err != nil {
+		// if credentials are invalid then force a logout so that the next check download
+		// attempt can be successful.
+		logoutErr := saasdial.LogoutIfInvalidAuth(s.db, s.l, err)
+		if logoutErr != nil {
+			s.l.Warnf("Failed to force logout: %v", logoutErr)
+		}
+		return nil, errors.Wrap(err, "failed to request checks service")
+	}
+
+	if err = signatures.Verify(s.l, resp.File, resp.Signatures, s.publicKeys); err != nil {
+		return nil, err
+	}
+
+	// be liberal about files from SaaS for smooth transition to future versions
+	params := &alert.ParseParams{
+		DisallowUnknownFields:    false,
+		DisallowInvalidTemplates: false,
+	}
+	templates, err := alert.Parse(strings.NewReader(resp.File), params)
+	if err != nil {
+		return nil, err
+	}
+
+	return templates, nil
+}
+
 // validateUserTemplate validates user-provided template (API or file).
 func validateUserTemplate(t *alert.Template) error {
 	// TODO move to some better place

services/management/ia/templates_service_test.go

@@ -44,15 +44,17 @@ func TestCollect(t *testing.T) {
 	t.Run("builtin are valid", func(t *testing.T) {
 		t.Parallel()
 
-		svc := NewTemplatesService(db)
-		_, err := svc.loadTemplatesFromAssets(ctx)
+		svc, err := NewTemplatesService(db)
+		require.NoError(t, err)
+		_, err = svc.loadTemplatesFromAssets(ctx)
 		require.NoError(t, err)
 	})
 
 	t.Run("bad template paths", func(t *testing.T) {
 		t.Parallel()
 
-		svc := NewTemplatesService(db)
+		svc, err := NewTemplatesService(db)
+		require.NoError(t, err)
 		svc.userTemplatesPath = testBadTemplates
 		templates, err := svc.loadTemplatesFromUserFiles(ctx)
 		assert.NoError(t, err)
@@ -62,7 +64,8 @@ func TestCollect(t *testing.T) {
 	t.Run("valid template paths", func(t *testing.T) {
 		t.Parallel()
 
-		svc := NewTemplatesService(db)
+		svc, err := NewTemplatesService(db)
+		require.NoError(t, err)
 		svc.userTemplatesPath = testTemplates2
 		svc.Collect(ctx)
 
@@ -136,7 +139,8 @@ templates:
       summary: MySQL too many connections (instance {{ $labels.instance }})
 `
 
-		svc := NewTemplatesService(db)
+		svc, err := NewTemplatesService(db)
+		require.NoError(t, err)
 		resp, err := svc.CreateTemplate(ctx, &iav1beta1.CreateTemplateRequest{
 			Yaml: templateWithMissingParam,
 		})
@@ -228,7 +232,8 @@ templates:
       summary: MySQL too many connections (instance {{ $labels.instance }})
 `
 
-		svc := NewTemplatesService(db)
+		svc, err := NewTemplatesService(db)
+		require.NoError(t, err)
 		createResp, err := svc.CreateTemplate(ctx, &iav1beta1.CreateTemplateRequest{
 			Yaml: validTemplate,
 		})