2022-03-22 11:03:15 -04:00
|
|
|
package client
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
|
2022-06-07 08:52:47 -04:00
|
|
|
"github.com/edgelesssys/constellation/internal/gcpshared"
|
2022-03-22 11:03:15 -04:00
|
|
|
adminpb "google.golang.org/genproto/googleapis/iam/admin/v1"
|
|
|
|
)
|
|
|
|
|
|
|
|
// CreateServiceAccount creates a new GCP service account and returns an account key as service account URI.
|
|
|
|
func (c *Client) CreateServiceAccount(ctx context.Context, input ServiceAccountInput) (string, error) {
|
|
|
|
insertInput := insertServiceAccountInput{
|
|
|
|
Project: c.project,
|
|
|
|
AccountID: "constellation-app-" + c.uid,
|
|
|
|
DisplayName: "constellation-app-" + c.uid,
|
2022-05-04 03:13:46 -04:00
|
|
|
Description: "This service account belongs to a Constellation cluster.",
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
email, err := c.insertServiceAccount(ctx, insertInput)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
c.serviceAccount = email
|
|
|
|
|
|
|
|
iamInput := input.addIAMPolicyBindingInput(c.serviceAccount)
|
|
|
|
if err := c.addIAMPolicyBindings(ctx, iamInput); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
key, err := c.createServiceAccountKey(ctx, email)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2022-06-07 08:52:47 -04:00
|
|
|
return key.ToCloudServiceAccountURI(), nil
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) TerminateServiceAccount(ctx context.Context) error {
|
|
|
|
if c.serviceAccount != "" {
|
|
|
|
req := &adminpb.DeleteServiceAccountRequest{
|
|
|
|
Name: "projects/-/serviceAccounts/" + c.serviceAccount,
|
|
|
|
}
|
|
|
|
if err := c.iamAPI.DeleteServiceAccount(ctx, req); err != nil {
|
2022-06-09 10:04:30 -04:00
|
|
|
return fmt.Errorf("deleting service account: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
c.serviceAccount = ""
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type ServiceAccountInput struct {
|
|
|
|
Roles []string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i ServiceAccountInput) addIAMPolicyBindingInput(serviceAccount string) AddIAMPolicyBindingInput {
|
|
|
|
iamPolicyBindingInput := AddIAMPolicyBindingInput{
|
|
|
|
Bindings: make([]PolicyBinding, len(i.Roles)),
|
|
|
|
}
|
|
|
|
for i, role := range i.Roles {
|
|
|
|
iamPolicyBindingInput.Bindings[i] = PolicyBinding{
|
|
|
|
ServiceAccount: serviceAccount,
|
|
|
|
Role: role,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return iamPolicyBindingInput
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) insertServiceAccount(ctx context.Context, input insertServiceAccountInput) (string, error) {
|
|
|
|
req := input.createServiceAccountRequest()
|
|
|
|
account, err := c.iamAPI.CreateServiceAccount(ctx, req)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return account.Email, nil
|
|
|
|
}
|
|
|
|
|
2022-06-07 08:52:47 -04:00
|
|
|
func (c *Client) createServiceAccountKey(ctx context.Context, email string) (gcpshared.ServiceAccountKey, error) {
|
2022-03-22 11:03:15 -04:00
|
|
|
req := createServiceAccountKeyRequest(email)
|
|
|
|
key, err := c.iamAPI.CreateServiceAccountKey(ctx, req)
|
|
|
|
if err != nil {
|
2022-06-09 10:04:30 -04:00
|
|
|
return gcpshared.ServiceAccountKey{}, fmt.Errorf("creating service account key: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2022-06-07 08:52:47 -04:00
|
|
|
var serviceAccountKey gcpshared.ServiceAccountKey
|
2022-03-22 11:03:15 -04:00
|
|
|
if err := json.Unmarshal(key.PrivateKeyData, &serviceAccountKey); err != nil {
|
2022-06-09 10:04:30 -04:00
|
|
|
return gcpshared.ServiceAccountKey{}, fmt.Errorf("decoding service account key JSON: %w", err)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return serviceAccountKey, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// insertServiceAccountInput is the input for a createServiceAccount operation.
|
|
|
|
type insertServiceAccountInput struct {
|
|
|
|
Project string
|
|
|
|
AccountID string
|
|
|
|
DisplayName string
|
|
|
|
Description string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c insertServiceAccountInput) createServiceAccountRequest() *adminpb.CreateServiceAccountRequest {
|
|
|
|
return &adminpb.CreateServiceAccountRequest{
|
|
|
|
Name: "projects/" + c.Project,
|
|
|
|
AccountId: c.AccountID,
|
|
|
|
ServiceAccount: &adminpb.ServiceAccount{
|
|
|
|
DisplayName: c.DisplayName,
|
|
|
|
Description: c.Description,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createServiceAccountKeyRequest(email string) *adminpb.CreateServiceAccountKeyRequest {
|
|
|
|
return &adminpb.CreateServiceAccountKeyRequest{
|
|
|
|
Name: "projects/-/serviceAccounts/" + email,
|
|
|
|
}
|
|
|
|
}
|