GCP Linking

internals/api/credential.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -224,6 +225,23 @@ func (req *CreateCredentialRequest) Validate() error {
 	return nil
 }
 
+// RequiredIDPLink can be used if the credential requires an IDP Link to exist before creation.
+// It returns the link type and the linked ID if a link is required.
+// It returns empty strings if no link is required for the credential type.
+func (req *CreateCredentialRequest) RequiredIDPLink() (IdentityProviderLinkType, string, error) {
+	switch req.Type {
+	case CredentialTypeGCPServiceAccount:
+		serviceAccountEmail, ok := req.Metadata[CredentialMetadataGCPServiceAccountEmail]
+		if !ok {
+			return IdentityProviderLinkGCP, "", errors.New("missing required metadata")
+		}
+		projectID, err := ProjectIDFromGCPEmail(serviceAccountEmail)
+		return IdentityProviderLinkGCP, projectID, err
+	default:
+		return "", "", nil
+	}
+}
+
 // CredentialProofAWS is proof for when the credential type is AWSSTS.
 type CredentialProofAWS struct {
 	Region  string `json:"region"`

internals/api/idp_link.go

@@ -0,0 +1,72 @@
+package api
+
+import (
+	"net/http"
+	"net/url"
+	"regexp"
+	"time"
+)
+
+var (
+	ErrInvalidIDPLinkType          = errAPI.Code("invalid_idp_link_type").StatusError("invalid IDP link type", http.StatusBadRequest)
+	ErrInvalidGCPProjectID         = errAPI.Code("invalid_gcp_project_id").StatusErrorPref("invalid GCP project ID: %s", http.StatusBadRequest)
+	ErrVerifyingGCPAccessProof     = errAPI.Code("gcp_verification_error").StatusError("could not verify GCP authorization", http.StatusInternalServerError)
+	ErrInvalidGCPAuthorizationCode = errAPI.Code("invalid_authorization_code").StatusError("authorization code was not accepted by GCP", http.StatusPreconditionFailed)
+	ErrGCPLinkPermissionDenied     = errAPI.Code("gcp_permission_denied").StatusError("missing required projects.get permission to create link to GCP project", http.StatusPreconditionFailed)
+
+	gcpProjectIDPattern = regexp.MustCompile("^[a-z][a-z0-9-]*[a-z0-9]$")
+)
+
+type CreateIdentityProviderLinkGCPRequest struct {
+	RedirectURL       string `json:"redirect_url"`
+	AuthorizationCode string `json:"authorization_code"`
+}
+
+type IdentityProviderLinkType string
+
+const (
+	IdentityProviderLinkGCP IdentityProviderLinkType = "gcp"
+)
+
+// IdentityProviderLink is a prerequisite for creating some identity provider backed service accounts.
+// These links prove that a namespace's member has access to a resource (identified by the LinkedID) within
+// the identity provider. Once a link between a namespace and an identity provider has been created, from then on
+// service accounts can be created within the scope described by the LinkedID. For example, after creating a link
+// to a GCP Project, GCP service accounts within that project can be used for the GCP Identity Provider.
+//
+// The meaning of LinkedID depends on the type of the IdentityProviderLink in the following way:
+// - GCP: LinkedID is a GCP Project ID.
+type IdentityProviderLink struct {
+	Type      IdentityProviderLinkType `json:"type"`
+	Namespace string                   `json:"namespace"`
+	LinkedID  string                   `json:"linked_id"`
+	CreatedAt time.Time                `json:"created_at"`
+}
+
+type OAuthConfig struct {
+	ClientID  string   `json:"client_id"`
+	AuthURI   string   `json:"auth_uri"`
+	Scopes    []string `json:"scopes"`
+	ResultURL *url.URL `json:"result_url"`
+}
+
+// ValidateLinkedID calls the validation function corresponding to the link type and returns the corresponding result.
+func ValidateLinkedID(linkType IdentityProviderLinkType, linkedID string) error {
+	switch linkType {
+	case IdentityProviderLinkGCP:
+		return ValidateGCPProjectID(linkedID)
+	default:
+		return ErrInvalidIDPLinkType
+	}
+}
+
+// ValidateGCPProjectID returns an error if the provided value is not a valid GCP project ID.
+func ValidateGCPProjectID(projectID string) error {
+	if len(projectID) < 6 || len(projectID) > 30 {
+		return ErrInvalidGCPProjectID("length must be 6 to 30 character")
+	}
+	if !gcpProjectIDPattern.MatchString(projectID) {
+		return ErrInvalidGCPProjectID("can only contains lowercase letter, digits and hyphens")
+	}
+	return nil
+}

internals/api/patterns.go

@@ -24,6 +24,9 @@ const (
 	// REGEX builder with unit tests: https://regex101.com/r/5DPAiZ/1
 	patternFullName    = `[\p{L}\p{Mn}\p{Pd}\'\x{2019} ]`
 	patternDescription = `^[\p{L}\p{Mn}\p{Pd}\x{2019} [:punct:]0-9]{0,144}$`
+
+	gcpServiceAccountEmailSuffix            = ".gserviceaccount.com"
+	gcpUserManagedServiceAccountEmailSuffix = ".iam.gserviceaccount.com"
 )
 
 var (
@@ -82,6 +85,10 @@ var (
 		"credential fingerprint must consist of 64 hexadecimal characters",
 		http.StatusBadRequest,
 	)
+
+	ErrInvalidGCPServiceAccountEmail        = errAPI.Code("invalid_service_account_email").StatusError("not a valid GCP service account email", http.StatusBadRequest)
+	ErrNotUserManagerGCPServiceAccountEmail = errAPI.Code("require_user_managed_service_account").StatusError("provided GCP service account email is not for a user-manager service account", http.StatusBadRequest)
+	ErrInvalidGCPKMSResourceID              = errAPI.Code("invalid_key_resource_id").StatusError("not a valid resource ID, expected: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", http.StatusBadRequest)
 )
 
 // ValidateNamespace validates a username.
@@ -299,32 +306,49 @@ func ValidateShortCredentialFingerprint(fingerprint string) error {
 // accepted by GCP.
 func ValidateGCPServiceAccountEmail(v string) error {
 	if !govalidator.IsEmail(v) {
-		return errors.New("invalid email")
+		return ErrInvalidGCPServiceAccountEmail
+	}
+	if !strings.HasSuffix(v, gcpServiceAccountEmailSuffix) {
+		return ErrInvalidGCPServiceAccountEmail
 	}
-	if !strings.HasSuffix(v, ".gserviceaccount.com") {
-		return errors.New("not a GCP Service Account email")
+	if !strings.HasSuffix(v, gcpUserManagedServiceAccountEmailSuffix) {
+		return ErrNotUserManagerGCPServiceAccountEmail
 	}
 	return nil
 }
 
+// ProjectIDFromGCPEmail returns the project ID included in the email of a GCP Service Account.
+// If the input is not a valid user-managed GCP Service Account email, an error is returned.
+func ProjectIDFromGCPEmail(in string) (string, error) {
+	err := ValidateGCPServiceAccountEmail(in)
+	if err != nil {
+		return "", err
+	}
+
+	spl := strings.Split(in, "@")
+	if len(spl) != 2 {
+		return "", errors.New("no @ in email")
+	}
+	return strings.TrimSuffix(spl[1], gcpUserManagedServiceAccountEmailSuffix), nil
+}
+
 // ValidateGCPKMSKeyResourceID validates whether the given string is potentially a valid resource ID for a GCP KMS key
 // The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.
 func ValidateGCPKMSKeyResourceID(v string) error {
-	invalidErr := errors.New("not a valid resource ID, expected: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY")
 	u, err := url.Parse(v)
 	if err != nil {
-		return invalidErr
+		return ErrInvalidGCPKMSResourceID
 	}
 	if u.Host != "" || u.Scheme != "" || u.Hostname() != "" || len(u.Query()) != 0 {
-		return invalidErr
+		return ErrInvalidGCPKMSResourceID
 	}
 
 	split := strings.Split(v, "/")
 	if len(split) != 8 {
-		return invalidErr
+		return ErrInvalidGCPKMSResourceID
 	}
 	if split[0] != "projects" || split[2] != "locations" || split[4] != "keyRings" || split[6] != "cryptoKeys" {
-		return invalidErr
+		return ErrInvalidGCPKMSResourceID
 	}
 
 	return nil

internals/api/patterns_test.go

@@ -474,13 +474,16 @@ func TestValidateGCPServiceAccountEmail(t *testing.T) {
 			in: "test-service-account@secrethub-test-1234567890.iam.gserviceaccount.com",
 		},
 		"appspot service account": {
-			in: "secrethub-1234567890@appspot.gserviceaccount.com",
+			in:        "secrethub-1234567890@appspot.gserviceaccount.com",
+			expectErr: true,
 		},
 		"compute service account": {
-			in: "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			in:        "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			expectErr: true,
 		},
 		"google managed service account": {
-			in: "secrethub-1234567890@cloudservices.gserviceaccount.com",
+			in:        "secrethub-1234567890@cloudservices.gserviceaccount.com",
+			expectErr: true,
 		},
 		"not an email": {
 			in:        "cloudservices.gserviceaccount.com",
@@ -505,6 +508,34 @@ func TestValidateGCPServiceAccountEmail(t *testing.T) {
 	}
 }
 
+func TestProjectIDFromGCPEmail(t *testing.T) {
+	cases := map[string]struct {
+		in        string
+		expectErr bool
+		expect    string
+	}{
+		"user  managed service account": {
+			in:     "test-service-account@secrethub-test-1234567890.iam.gserviceaccount.com",
+			expect: "secrethub-test-1234567890",
+		},
+		"invalid email": {
+			in:        "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			expectErr: true,
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			projectID, err := api.ProjectIDFromGCPEmail(tc.in)
+
+			assert.Equal(t, err != nil, tc.expectErr)
+			if !tc.expectErr {
+				assert.Equal(t, projectID, tc.expect)
+			}
+		})
+	}
+}
+
 func TestValidateGCPKMSKeyResourceID(t *testing.T) {
 	cases := map[string]struct {
 		in        string

internals/api/server_errors.go

@@ -112,3 +112,19 @@ func IsErrNotFound(err error) bool {
 	}
 	return publicStatusError.StatusCode == 404
 }
+
+// IsErrDisabled returns whether the given error is caused because the feature is disabled.
+func IsErrDisabled(err error) bool {
+	var publicStatusError errio.PublicStatusError
+	ok := errors.As(err, &publicStatusError)
+	if !ok {
+		return false
+	}
+	return publicStatusError.StatusCode == http.StatusNotImplemented
+}
+
+// IsKnownError returns whether the given error is a known SecretHub error.
+func IsKnownError(err error) bool {
+	var publicStatusError errio.PublicStatusError
+	return errors.As(err, &publicStatusError)
+}

internals/gcp/errors.go

@@ -2,18 +2,23 @@ package gcp
 
 import (
 	"net/http"
+	"strings"
 
 	"google.golang.org/api/googleapi"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	"github.com/secrethub/secrethub-go/internals/errio"
 )
 
 // Errors
 var (
-	gcpErr              = errio.Namespace("gcp")
-	ErrGCPAlreadyExists = gcpErr.Code("already_exists")
-	ErrGCPNotFound      = gcpErr.Code("not_found")
-	ErrGCPAccessDenied  = gcpErr.Code("access_denied")
+	gcpErr                = errio.Namespace("gcp")
+	ErrGCPAlreadyExists   = gcpErr.Code("already_exists")
+	ErrGCPNotFound        = gcpErr.Code("not_found")
+	ErrGCPAccessDenied    = gcpErr.Code("access_denied")
+	ErrGCPInvalidArgument = gcpErr.Code("invalid_argument")
+	ErrGCPUnauthenticated = gcpErr.Code("unauthenticated").Error("missing valid GCP authentication")
 )
 
 func HandleError(err error) error {
@@ -31,5 +36,19 @@ func HandleError(err error) error {
 			return gcpErr.Code(errGCP.Errors[0].Reason).Error(errGCP.Errors[0].Message)
 		}
 	}
+	errStatus, ok := status.FromError(err)
+	if ok {
+		msg := strings.TrimSuffix(errStatus.Message(), ".")
+		switch errStatus.Code() {
+		case codes.InvalidArgument:
+			return ErrGCPInvalidArgument.Error(msg)
+		case codes.NotFound:
+			return ErrGCPNotFound.Error(msg)
+		case codes.PermissionDenied:
+			return ErrGCPAccessDenied.Error(msg)
+		case codes.Unauthenticated:
+			return ErrGCPUnauthenticated
+		}
+	}
 	return err
 }

internals/gcp/service_creator.go

@@ -23,6 +23,13 @@ type CredentialCreator struct {
 // NewCredentialCreator returns a CredentialCreator that uses the provided GCP KMS key and Service Account Email to create a new credential.
 // The GCP client is configured with the optionally provided option.ClientOption.
 func NewCredentialCreator(serviceAccountEmail, keyResourceID string, gcpOptions ...option.ClientOption) (*CredentialCreator, map[string]string, error) {
+	if err := api.ValidateGCPServiceAccountEmail(serviceAccountEmail); err != nil {
+		return nil, nil, err
+	}
+	if err := api.ValidateGCPKMSKeyResourceID(keyResourceID); err != nil {
+		return nil, nil, err
+	}
+
 	kmsClient, err := kms.NewKeyManagementClient(context.Background(), gcpOptions...)
 	if err != nil {
 		return nil, nil, fmt.Errorf("creating kms client: %v", HandleError(err))

internals/oauthorizer/authorizer.go

@@ -0,0 +1,66 @@
+package oauthorizer
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type Authorizer interface {
+	AuthorizeLink(redirectURI string, state string) string
+	ParseResponse(r *http.Request, state string) (string, error)
+}
+
+func NewAuthorizer(authURI, clientID string, scopes ...string) Authorizer {
+	return authorizer{
+		AuthURI:  authURI,
+		ClientID: clientID,
+		Scopes:   scopes,
+	}
+}
+
+type authorizer struct {
+	AuthURI  string
+	ClientID string
+	Scopes   []string
+}
+
+func (a authorizer) AuthorizeLink(redirectURI string, state string) string {
+	return fmt.Sprintf(`%s?`+
+		`scope=%s&`+
+		`access_type=online&`+
+		`response_type=code&`+
+		`redirect_uri=%s&`+
+		`state=%s&`+
+		`prompt=select_account&`+
+		`client_id=%s`,
+		a.AuthURI,
+		url.QueryEscape(strings.Join(a.Scopes, ",")),
+		url.QueryEscape(redirectURI),
+		state,
+		a.ClientID,
+	)
+}
+
+func (a authorizer) ParseResponse(r *http.Request, expectedState string) (string, error) {
+	errorMessage := r.URL.Query().Get("error")
+	if errorMessage != "" {
+		return "", fmt.Errorf("authorization error: %s", errorMessage)
+	}
+
+	state := r.URL.Query().Get("state")
+	if state == "" {
+		return "", errors.New("missing state query parameter")
+	}
+	if state != expectedState {
+		return "", errors.New("state does not match")
+	}
+
+	code := r.URL.Query().Get("code")
+	if code == "" {
+		return "", errors.New("missing code query parameter")
+	}
+	return code, nil
+}