Technical Articles
CPILint version 1.0.2 is out
Yesterday, I released CPILint version 1.0.2:
CPILint is an open source, command-line tool for SAP Cloud Integration, which lets you automate the governance of your integration flows by writing executable, rule-based development guidelines.
CPILint ships with a number of built-in rules, covering adapters, mapping, scripting, security and more. Once you’ve chosen the rules that make sense in your particular situation, CPILint does the heavy lifting of checking your integration flows for compliance, and presents you with a report of the issues discovered.
If this is the first time your hear about CPILint, please read this blog post for a much more in-depth introduction.
So what’s new in version 1.0.2? First and foremost, this release updates the tool to use the public integration packages API. Version 1.0.1 still used the undocumented API, which no longer works.
1.0.2 also introduces the CPILINT_JAVA_HOME environment variable, which you can use to launch CPILint with a specific Java runtime. Also, the Bash launch script now works correctly on macOS.
You can download CPILint version 1.0.2 from GitHub. If you want to tinker, the full source code and all other files needed to build CPILint is included in the download. Everything you need is available in the CPILint GitHub repository as well, of course. For documentation and installation instructions, please see the project’s wiki.
Have fun with CPILint! If you run into any issues at all, do please let me know. You can do that by either commenting below, or by creating an issue on GitHub.
Hi Morten,
Thanks for sharing this great tool. Do you support also custom identity providers (e.g. SAP IAS)?
Unfortunately it doesn't work for us...
Best regards,
Michael
Hi Michael
The credentials are used for the OData API calls, and I believe you should still use your SAP ID Service user for that, but let me check and get back to you.
Regards,
Morten
P.S. Also make sure that you are actually hitting the correct Tenant Management Node hostname.
Hi Morten,
Thanks a lot for the fast response. For our tenants also basic authentication is "redirected" to our custom IdP. I verified the basic authentication against one of the odata API endpoints.
Our error message looked like this:
Finally I solved it by using another client (outside company network). I guess the internet proxy was causing the issues.
Thank you again for sharing this great tool!
Best regards,
Michael
Happy to hear it worked out 😀
Just to share our experience on API authorization with custom IdP: We also faced further authorization issues in Neo environment when using a custom IdP in combination with group mapping between BTP authorization groups and LDAP groups (caused by CPI API). Finally we solved it by manually assigning the technical user ID of IAS (e.g. P000xxx) to the BTP developer group. LDAP username was not working for API authorization (even if automatically mapped to BTP group before & working in CPI environment).
Hi Michael
That's useful - thanks for sharing!
Regards,
Morten
I am thinkin of extending the tool a bit to make it an information gathering tool to list what resources are being used/addressed, and i created a small pull request to improve user experience a little bit.
Please let me know what you think about this.
Hi David
Thank you very much for you comment and the PR.
It is actually by choice, that the technical details are not in the regular error messages, that are output to the console. Instead, they go into the debug log (along with a lot of additional information). That means, however, that you need to run the tool again with the -debug option, to generate a log file.
I should probably make that more clear. Thank you for bringing that to my attention.
Regards,
Morten
In general I dont mind that structure, but when you are just typing the wrong password or getting a 404 on the wrong URL, it is not very userfriendly to have to open a debug log file to find out such a simple error. That is why I did not change all error reporting, just the ones I ran into during startup.
The one with the zipfile that is not an iflow is a real bug. It just crashes with a stacktrace on nullpointer exception if there is no manifest in the zipfile.
Hi Morten,
Thanks for this great tool CPILINT. when i am connecting to cpi tenant, i am getting below error. Pls advise.
Hi Narayana
If you run the command again with the -debug option, a log file called "cpilint.log" will be created. It will contain more information about what the real problem is.
Regards,
Morten
Hi Morten,
Thanks for the reply. i ran the command with debug option and i have got the log file. Here it is :
16:14:16.384 INFO dk.mwittrock.cpilint.CpiLint - Starting inspection of iflow artifacts
16:14:16.385 DEBUG d.m.c.api.CloudIntegrationOdataApi - Retrieving iflow artifact from tenant: Claims_Vistex_Demo
16:14:16.385 DEBUG d.m.c.api.CloudIntegrationOdataApi - Iflow artifact URI generated for ID Claims_Vistex_Demo: https://yy-btp-dev-txxxxxxxx8.it-cpi013-rt.cfapps.us21.hana.ondemand.com/api/v1/IntegrationDesigntimeArtifacts(Id='Claims_Vistex_Demo',Version='active')/$value
16:14:17.757 ERROR dk.mwittrock.cpilint.CliClient - Iflow artifact supplier error
dk.mwittrock.cpilint.suppliers.IflowArtifactSupplierError: API error when retrieving iflow
at dk.mwittrock.cpilint.suppliers.IteratingApiSupplierBase.supply(Unknown Source)
at dk.mwittrock.cpilint.suppliers.TenantSingleArtifactsSupplier.supply(Unknown Source)
at dk.mwittrock.cpilint.CpiLint.run(Unknown Source)
at dk.mwittrock.cpilint.CliClient.main(Unknown Source)
Caused by: dk.mwittrock.cpilint.api.CloudIntegrationApiError: Iflow artifact ID 'Claims_Vistex_Demo' could not be found
at dk.mwittrock.cpilint.api.CloudIntegrationOdataApi.getIflowArtifact(Unknown Source)
... 4 common frames omitted
16:14:17.758 INFO dk.mwittrock.cpilint.CliClient - Exiting CliClient with error status 2 and message: There was an error while retrieving iflow artifacts: API error when retrieving iflow
Please advise on this fix ?
Hi Narayana
This looks to me like the iflow ID is wrong. Please double-check that it matches the one in the tenant.
Regards,
Morten
Hi Morten,
Thank you for your reply. the issue was with host name and now we are able to connect CPI tenant directly. One last question, We want to inspect externalization parameters through CPILINT tool. Is there any possible way/ workaround solution for checking every field in the adapter should be externalized as per the given scope of externalization in CPI.
Kind regards,
Narayana.
Hi Narayana
That's not something that's currently supported. But I like the idea a lot, actually. I'll add it to the to-do list 😀
Regards,
Morten
Hi Morten,
Thanks for the confirmation. we are waiting for that feature to release...One more last question 🙂
how to add new values to the enumeration ? As an example, I want to add the following iflow steps to the rules so that it will be inspected through CPILINT tool.
Kind regards,
Narayana.
Hi Narayana
I like your enthusiasm! Each constant in that enumeration in the rules file is backed by a piece of code, so sadly it's not enough to extend the enumeration. But the NamingConventions rule will support even more steps in the next release.
And do keep asking questions; I'm happy to answer them!
Regards,
Morten
Hi Morten,
We recently removed default idp user authentication for our tenants. Now we are using custom idp. Earlier with the default S-user cilint was working fine but now it is throwing an error. Could this tool work with custom idp user or we must stick to a default idp user for this tool at the moment ?
Hi Subhadeep
IdP user should not be a problem. Please see this page. Alternative 1: Create a service key with the "api" plan and assign the required roles to it. Alternative 2: Copypaste the error message and we can have a look 🙂
Regards,
Morten
Hello Morten,
As suggested we tried going for the first alternative. We created a service key with a WorkspacePackagesRead role. When we are using the clientid and secret we still get the same error on cilint. We could see on the audit logs the authentication type being used is OpenIdConnect in this case.
Regards,
Subhadeep.
Hi Subhadeep
I need to see those logs, then. I've followed you here on the SAP Community. If you follow me back, we can use the messaging system and take it from there.
Regards,
Morten