feat: Enable SSH tunnel in CF backend middleware for OnPremise destinations (#4520)

* feat: add ssh tunnel logic and adjust middleware

* refactor: change destination types and returns

* refactor: change method return type

* refactor: move methods to adp-tooling

* chore: add cset

* Linting auto fix commit

* refactor: improve code for ssh tunnel and env options

* refactor: move btp http methods

* fix: lint

* Linting auto fix commit

* fix: test

* fix: test

* feat: add changes and i18n routes injection

* refactor: change texts

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: nikmace

.changeset/short-mangos-search.md

@@ -0,0 +1,6 @@
+---
+'@sap-ux/backend-proxy-middleware-cf': patch
+'@sap-ux/adp-tooling': patch
+---
+
+feat: Enable SSH tunnel in CF backend middleware for OnPremise destinations

packages/adp-tooling/src/btp/api.ts

@@ -0,0 +1,65 @@
+import axios from 'axios';
+
+import type { ToolsLogger } from '@sap-ux/logger';
+
+import { t } from '../i18n';
+import type { Uaa, BtpDestinationConfig } from '../types';
+
+/**
+ * Obtain an OAuth2 access token using the client credentials grant.
+ *
+ * @param uaa - UAA service credentials (clientid, clientsecret, url).
+ * @param logger - Optional logger.
+ * @returns OAuth2 access token.
+ */
+export async function getToken(uaa: Uaa, logger?: ToolsLogger): Promise<string> {
+    const auth = Buffer.from(`${uaa.clientid}:${uaa.clientsecret}`);
+    const options = {
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Authorization': 'Basic ' + auth.toString('base64')
+        }
+    };
+    const uri = `${uaa.url}/oauth/token`;
+    logger?.debug(`Requesting OAuth token from ${uri}`);
+    try {
+        const response = await axios.post(uri, 'grant_type=client_credentials', options);
+        logger?.debug('OAuth token obtained successfully');
+        return response.data['access_token'];
+    } catch (e) {
+        logger?.error(`Failed to obtain OAuth token from ${uri}: ${e.message}`);
+        throw new Error(t('error.failedToGetAuthKey', { error: e.message }));
+    }
+}
+
+/**
+ * Get a single destination's configuration from the BTP Destination Configuration API.
+ * Note: This calls the BTP Destination Configuration API, not the BAS listDestinations API.
+ *
+ * @param uri - Destination Configuration API base URI (e.g. https://destination-configuration.cfapps.us20.hana.ondemand.com).
+ * @param token - OAuth2 bearer token obtained via {@link getToken}.
+ * @param destinationName - Name of the destination to look up.
+ * @param logger - Optional logger.
+ * @returns The destinationConfiguration object (e.g. Name, ProxyType, URL, Authentication) or undefined on failure.
+ */
+export async function getBtpDestinationConfig(
+    uri: string,
+    token: string,
+    destinationName: string,
+    logger?: ToolsLogger
+): Promise<BtpDestinationConfig | undefined> {
+    const url = `${uri}/destination-configuration/v1/destinations/${encodeURIComponent(destinationName)}`;
+    logger?.debug(`Fetching BTP destination config for "${destinationName}" from ${url}`);
+
+    try {
+        const response = await axios.get<{ destinationConfiguration?: BtpDestinationConfig }>(url, {
+            headers: { 'Authorization': `Bearer ${token}` }
+        });
+        const config = response.data?.destinationConfiguration;
+        logger?.debug(`Destination "${destinationName}" config: ProxyType=${config?.ProxyType}`);
+        return config;
+    } catch (e) {
+        logger?.error(`Failed to fetch destination config for "${destinationName}": ${e.message}`);
+        return undefined;
+    }
+}

packages/adp-tooling/src/btp/index.ts

@@ -0,0 +1 @@
+export * from './api';

packages/adp-tooling/src/cf/app/html5-repo.ts

@@ -5,34 +5,12 @@ import type { ToolsLogger } from '@sap-ux/logger';
 import type { Manifest } from '@sap-ux/project-access';
 
 import { t } from '../../i18n';
+import type { HTML5Content, ServiceInfo, CfAppParams } from '../../types';
+import { getToken } from '../../btp/api';
 import { getServiceNameByTags, getOrCreateServiceInstanceKeys, createServiceInstance } from '../services/api';
-import type { HTML5Content, ServiceInfo, Uaa, CfAppParams } from '../../types';
 
 const HTML5_APPS_REPO_RUNTIME = 'html5-apps-repo-runtime';
 
-/**
- * Get the OAuth token from HTML5 repository.
- *
- * @param {Uaa} uaa UAA credentials
- * @returns {Promise<string>} OAuth token
- */
-export async function getToken(uaa: Uaa): Promise<string> {
-    const auth = Buffer.from(`${uaa.clientid}:${uaa.clientsecret}`);
-    const options = {
-        headers: {
-            'Content-Type': 'application/json',
-            'Authorization': 'Basic ' + auth.toString('base64')
-        }
-    };
-    const uri = `${uaa.url}/oauth/token?grant_type=client_credentials`;
-    try {
-        const response = await axios.get(uri, options);
-        return response.data['access_token'];
-    } catch (e) {
-        throw new Error(t('error.failedToGetAuthKey', { error: e.message }));
-    }
-}
-
 /**
  * Download zip from HTML5 repository.
  *
@@ -109,7 +87,7 @@ export async function downloadAppContent(
     try {
         const { serviceKeys, serviceInstance } = await getHtml5RepoCredentials(spaceGuid, logger);
 
-        const token = await getToken(serviceKeys[0]?.credentials.uaa);
+        const token = await getToken(serviceKeys[0]?.credentials.uaa, logger);
         const uri = `${serviceKeys[0]?.credentials.uri}/applications/content/${appNameVersion}?pathSuffixFilter=manifest.json,xs-app.json`;
         const zip = await downloadZip(token, appHostId, uri);
 

packages/adp-tooling/src/cf/services/cli.ts

@@ -151,3 +151,52 @@ export async function requestCfApi<T = unknown>(url: string): Promise<T> {
         throw new Error(t('error.failedToRequestCFAPI', { error: e.message }));
     }
 }
+
+/**
+ * Check whether a CF app exists.
+ *
+ * @param appName - CF app name.
+ * @returns True if the app exists.
+ */
+export async function checkAppExists(appName: string): Promise<boolean> {
+    const result = await Cli.execute(['app', appName], ENV);
+    return result.exitCode === 0;
+}
+
+/**
+ * Push a minimal no-route CF app from a given directory.
+ *
+ * @param appName - CF app name.
+ * @param appPath - Local path to push.
+ * @param args - Additional cf push arguments.
+ */
+export async function pushApp(appName: string, appPath: string, args: string[] = []): Promise<void> {
+    const result = await Cli.execute(['push', appName, '-p', appPath, ...args], ENV);
+    if (result.exitCode !== 0) {
+        throw new Error(t('error.cfPushFailed', { appName, error: result.stderr }));
+    }
+}
+
+/**
+ * Enable SSH access on a CF app.
+ *
+ * @param appName - CF app name.
+ */
+export async function enableSsh(appName: string): Promise<void> {
+    const result = await Cli.execute(['enable-ssh', appName], ENV);
+    if (result.exitCode !== 0) {
+        throw new Error(t('error.cfEnableSshFailed', { appName, error: result.stderr }));
+    }
+}
+
+/**
+ * Restart a CF app using rolling strategy.
+ *
+ * @param appName - CF app name.
+ */
+export async function restartApp(appName: string): Promise<void> {
+    const result = await Cli.execute(['restart', appName, '--strategy', 'rolling', '--no-wait'], ENV);
+    if (result.exitCode !== 0) {
+        throw new Error(t('error.cfRestartFailed', { appName, error: result.stderr }));
+    }
+}

packages/adp-tooling/src/cf/services/index.ts

@@ -1,3 +1,4 @@
 export * from './api';
+export * from './ssh';
 export * from './cli';
 export * from './manifest';

packages/adp-tooling/src/cf/services/ssh.ts

@@ -0,0 +1,64 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+import type { ToolsLogger } from '@sap-ux/logger';
+
+import { checkAppExists, pushApp, enableSsh, restartApp } from './cli';
+
+/**
+ * Default CF app name used for SSH tunneling to the connectivity proxy.
+ */
+export const DEFAULT_TUNNEL_APP_NAME = 'adp-ssh-tunnel-app';
+
+/**
+ * Ensure a tunnel app exists in CF. If not found, deploy a minimal no-route app
+ * using the binary_buildpack with minimum memory so it can serve as an SSH target.
+ *
+ * @param appName - CF app name.
+ * @param logger - Logger instance.
+ */
+export async function ensureTunnelAppExists(appName: string, logger: ToolsLogger): Promise<void> {
+    if (await checkAppExists(appName)) {
+        logger.info(`Tunnel app "${appName}" already exists.`);
+        return;
+    }
+
+    logger.debug(`Tunnel app "${appName}" not found. Deploying minimal app...`);
+
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'adp-tunnel-'));
+    fs.writeFileSync(path.join(tmpDir, '.keep'), '');
+
+    try {
+        await pushApp(appName, tmpDir, [
+            '--no-route',
+            '-m',
+            '64M',
+            '-k',
+            '256M',
+            '-b',
+            'binary_buildpack',
+            '-c',
+            'sleep infinity',
+            '--health-check-type',
+            'process'
+        ]);
+        logger.info(`Tunnel app "${appName}" deployed successfully.`);
+    } finally {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+}
+
+/**
+ * Enable SSH on a CF app and restart it.
+ *
+ * @param appName - CF app name.
+ * @param logger - Logger instance.
+ */
+export async function enableSshAndRestart(appName: string, logger: ToolsLogger): Promise<void> {
+    logger.info(`Enabling SSH on "${appName}"...`);
+    await enableSsh(appName);
+
+    logger.info(`Restarting "${appName}"...`);
+    await restartApp(appName);
+}

packages/adp-tooling/src/index.ts

@@ -6,6 +6,7 @@ export * from './source';
 export * from './ui5';
 export * from './base/cf';
 export * from './cf';
+export * from './btp';
 export * from './base/helper';
 export * from './base/credentials';
 export * from './base/constants';

packages/adp-tooling/src/translations/adp-tooling.i18n.json

@@ -114,7 +114,10 @@
         "noServiceInstanceNameFound": "No serviceInstanceName found in the app-variant-bundler-build configuration",
         "noServiceKeysFoundForInstance": "No service keys found for service instance: {{serviceInstanceName}}",
         "couldNotFetchServiceKeys": "Cannot fetch the service keys. Error: {{error}}",
-        "metadataFetchingNotSupportedForCF": "Metadata fetching is not supported for Cloud Foundry projects."
+        "metadataFetchingNotSupportedForCF": "Metadata fetching is not supported for Cloud Foundry projects.",
+        "cfPushFailed": "cf push failed for the '{{appName}}' app: {{error}}",
+        "cfEnableSshFailed": "cf enable-ssh failed for the '{{appName}}' app: {{error}}",
+        "cfRestartFailed": "cf restart failed for the '{{appName}}' app: {{error}}"
     },
     "choices": {
         "true": "true",

packages/adp-tooling/src/types.ts

@@ -943,6 +943,23 @@ export interface ServiceKeyCredentialsWithTags {
     credentials: ServiceKeys['credentials'] | undefined;
 }
 
+/**
+ * Destination configuration returned by the BTP Destination Configuration API.
+ * Contains the known properties; additional custom properties may also be present.
+ */
+export interface BtpDestinationConfig {
+    Name: string;
+    Type: string;
+    URL: string;
+    Authentication: string;
+    ProxyType: string;
+    Description?: string;
+    User?: string;
+    Password?: string;
+    'sap-client'?: string;
+    [key: string]: string | undefined;
+}
+
 export interface AppRouterEnvOptions {
     'VCAP_SERVICES'?: Record<string, unknown>;
     destinations?: { name: string; url: string }[];