GCP Linking #195

jpcoenen · 2020-06-23T10:38:14Z

No description provided.

This allows you to set up a local listener that deals with the OAuth2 authorization callback.

This will be used to verify the existence of a link between the GCP project and the namespace.

Behaviour of ValidateGCPServiceAccountEmail was changed to only accept user-managed service accounts and ProjectIDFromGCPEmail did not yet have a test.

SimonBarendse

I've asked a few questions in separate comments. Except from some small changes that might follow from that or some changes that might follow from my server-side review, I think this is good to go.

However, if we're including this, I think this code would benefit from some extra godoc. This will make it easier to be used and maintain.

internals/api/idp_link.go

pkg/oauthorizer/callback_handler.go

pkg/secrethub/idp_link.go

By also return the required link type, the function can be more generally used to check the required preconditions.

internals/api/idp_link.go

No longer mixing different channels, which made it very unclear what happened. By buffering the channels and doing best-effort sending to these channels, we prevent goroutines infinitely hanging on sending on a channel. It is possible that a channel ends up with an unread message after WaitForAuthorizationCode has returned, but that will be cleaned up by the GC.

SimonBarendse

Sweet!

Only thing left is deciding whether or not to already return an iterator.

The somewhat complex system of having a callback function is needed to be able to pass any server errors while creating the link to the user in the redirect.

It's not yet ready for public use.

It's unused.

This to avoid confusion with the RedirectURL used in the OAuth spec.

jpcoenen added 3 commits June 23, 2020 12:27

Add oauthorizer package to deal with OAuth2 authorization flow

df0d165

This allows you to set up a local listener that deals with the OAuth2 authorization callback.

Add IDP links client and API functionality

1a1f74d

Add functions to extract project ID from a GCP SA email

0f9a674

This will be used to verify the existence of a link between the GCP project and the namespace.

jpcoenen requested a review from SimonBarendse June 23, 2020 10:38

Update test for new GCP SA functions

14e18ae

Behaviour of ValidateGCPServiceAccountEmail was changed to only accept user-managed service accounts and ProjectIDFromGCPEmail did not yet have a test.

jpcoenen changed the base branch from master to develop June 23, 2020 13:03

SimonBarendse reviewed Jun 24, 2020

View reviewed changes

internals/api/idp_link.go Show resolved Hide resolved

pkg/oauthorizer/callback_handler.go Outdated Show resolved Hide resolved

pkg/secrethub/idp_link.go Outdated Show resolved Hide resolved

jpcoenen added 3 commits June 24, 2020 17:50

Refactor RequiredLinkedID to RequiredIDPLink

bf459e5

By also return the required link type, the function can be more generally used to check the required preconditions.

Add validation and error types for GCP IDP links

77b44b3

Add func to check whether the provided error is a known error

cc8cf8a

SimonBarendse reviewed Jun 25, 2020

View reviewed changes

internals/api/idp_link.go Outdated Show resolved Hide resolved

jpcoenen added 2 commits June 25, 2020 15:17

Fix typo

74355d0

Add extra error and replace status code

6f305ba

florisvdg reviewed Jun 25, 2020

View reviewed changes

internals/api/idp_link.go Outdated Show resolved Hide resolved

jpcoenen added 4 commits June 25, 2020 17:34

Add some comments to the IdentityProviderLink type

83c15e8

Fix typo

c6ae5c4

Add Exists method for IDPLinks

f7c68f7

jpcoenen requested a review from SimonBarendse June 26, 2020 08:18

SimonBarendse reviewed Jun 26, 2020

View reviewed changes

jpcoenen and others added 8 commits June 30, 2020 13:22

Redirect user to customizable page after authorization

ae4c5a5

The somewhat complex system of having a callback function is needed to be able to pass any server errors while creating the link to the user in the redirect.

Move oauthorizer to internals

09e2017

It's not yet ready for public use.

Remove oauthorizer dependency from api

9adfc0e

Return that link exists if linking feature is disabled server-side

16a22d4

Return an iterator when listing GCP identity provider links

d465926

Validate input on creating GCP credential

ba04add

Handle more error cases and return checkable errors

9ba7647

Remove error argument from authorization callback

1a36573

It's unused.

jpcoenen marked this pull request as ready for review July 2, 2020 13:41

Rename RedirectURL to ResultURL

2f54d22

This to avoid confusion with the RedirectURL used in the OAuth spec.

SimonBarendse approved these changes Jul 3, 2020

View reviewed changes

SimonBarendse merged commit 9f5d3de into develop Jul 3, 2020

SimonBarendse deleted the feature/gcp-linking branch July 3, 2020 09:20

jpcoenen mentioned this pull request Jul 8, 2020

Release v0.30.0 #203

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GCP Linking #195

GCP Linking #195

jpcoenen commented Jun 23, 2020

SimonBarendse left a comment

SimonBarendse left a comment •

edited

Loading

GCP Linking #195

GCP Linking #195

Conversation

jpcoenen commented Jun 23, 2020

SimonBarendse left a comment

Choose a reason for hiding this comment

SimonBarendse left a comment • edited Loading

Choose a reason for hiding this comment

SimonBarendse left a comment •

edited

Loading