GCP Linking

internals/api/credential.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -224,6 +225,23 @@ func (req *CreateCredentialRequest) Validate() error {
 	return nil
 }
 
+// RequiredIDPLink can be used if the credential requires an IDP Link to exist before creation.
+// It returns the link type and the linked ID if a link is required.
+// It returns empty strings if no link is required for the credential type.
+func (req *CreateCredentialRequest) RequiredIDPLink() (IdentityProviderLinkType, string, error) {
+	switch req.Type {
+	case CredentialTypeGCPServiceAccount:
+		serviceAccountEmail, ok := req.Metadata[CredentialMetadataGCPServiceAccountEmail]
+		if !ok {
+			return IdentityProviderLinkGCP, "", errors.New("missing required metadata")
+		}
+		projectID, err := ProjectIDFromGCPEmail(serviceAccountEmail)
+		return IdentityProviderLinkGCP, projectID, err
+	default:
+		return "", "", nil
+	}
+}
+
 // CredentialProofAWS is proof for when the credential type is AWSSTS.
 type CredentialProofAWS struct {
 	Region  string `json:"region"`

internals/api/idp_link.go

@@ -0,0 +1,68 @@
+package api
+
+import (
+	"net/http"
+	"regexp"
+	"time"
+
+	"github.com/secrethub/secrethub-go/pkg/oauthorizer"
+)
+
+var (
+	ErrInvalidIDPLinkType          = errAPI.Code("invalid_idP_link_type").StatusError("invalid IDP link type", http.StatusBadRequest)
+	ErrInvalidGCPProjectID         = errAPI.Code("invalid_gcp_project_id").StatusErrorPref("invalid GCP project ID: %s", http.StatusBadRequest)
+	ErrVerifyingGCPAccessProof     = errAPI.Code("gcp_verification_error").StatusError("could not verify GCP authorization", http.StatusInternalServerError)
+	ErrInvalidGCPAuthorizationCode = errAPI.Code("invalid_authorization_code").StatusError("authorization code was not accepted by GCP", http.StatusPreconditionFailed)
+	ErrGCPLinkPermissionDenied     = errAPI.Code("gcp_permission_denied").StatusError("missing required projects.get permission to create link to GCP project", http.StatusPreconditionFailed)
+
+	gcpProjectIDPattern = regexp.MustCompile("^[a-z][a-z0-9-]*[a-z0-9]$")
+)
+
+type CreateIdentityProviderLinkGCPRequest struct {
+	RedirectURL       string `json:"redirect_url"`
+	AuthorizationCode string `json:"authorization_code"`
+}
+
+type IdentityProviderLinkType string
+
+const (
+	IdentityProviderLinkGCP IdentityProviderLinkType = "gcp"
+)
+
+type IdentityProviderLink struct {
+	Type      IdentityProviderLinkType `json:"type"`
+	Namespace string                   `json:"namespace"`
+	LinkedID  string                   `json:"linked_id"`
+	CreatedAt time.Time                `json:"created_at"`
+}
+
+type OAuthConfig struct {
+	ClientID string   `json:"client_id"`
+	AuthURI  string   `json:"auth_uri"`
+	Scopes   []string `json:"scopes"`
+}
+
+func (c OAuthConfig) Authorizer() oauthorizer.Authorizer {
+	return oauthorizer.NewAuthorizer(c.AuthURI, c.ClientID, c.Scopes...)
+}
+
+// ValidateLinkedID calls the validation function corresponding to the link type and returns the corresponding result.
+func ValidateLinkedID(linkType IdentityProviderLinkType, linkedID string) error {
+	switch linkType {
+	case IdentityProviderLinkGCP:
+		return ValidateGCPProjectID(linkedID)
+	default:
+		return ErrInvalidIDPLinkType
+	}
+}
+
+// ValidateGCPProjectID returns an error if the provided value is not a valid GCP project ID.
+func ValidateGCPProjectID(projectID string) error {
+	if len(projectID) < 6 || len(projectID) > 30 {
+		return ErrInvalidGCPProjectID("length must be 6 to 30 character")
+	}
+	if !gcpProjectIDPattern.MatchString(projectID) {
+		return ErrInvalidGCPProjectID("can only contains lowercase letter, digits and hyphens")
+	}
+	return nil
+}

internals/api/patterns.go

@@ -24,6 +24,8 @@ const (
 	// REGEX builder with unit tests: https://regex101.com/r/5DPAiZ/1
 	patternFullName    = `[\p{L}\p{Mn}\p{Pd}\'\x{2019} ]`
 	patternDescription = `^[\p{L}\p{Mn}\p{Pd}\x{2019} [:punct:]0-9]{0,144}$`
+
+	gcpServiceAccountEmailSuffix = ".iam.gserviceaccount.com"
 )
 
 var (
@@ -301,12 +303,27 @@ func ValidateGCPServiceAccountEmail(v string) error {
 	if !govalidator.IsEmail(v) {
 		return errors.New("invalid email")
 	}
-	if !strings.HasSuffix(v, ".gserviceaccount.com") {
-		return errors.New("not a GCP Service Account email")
+	if !strings.HasSuffix(v, gcpServiceAccountEmailSuffix) {
+		return errors.New("not a user-managed GCP Service Account email")
 	}
 	return nil
 }
 
+// ProjectIDFromGCPEmail returns the project ID included in the email of a GCP Service Account.
+// If the input is not a valid user-managed GCP Service Account email, an error is returned.
+func ProjectIDFromGCPEmail(in string) (string, error) {
+	err := ValidateGCPServiceAccountEmail(in)
+	if err != nil {
+		return "", err
+	}
+
+	spl := strings.Split(in, "@")
+	if len(spl) != 2 {
+		return "", errors.New("no @ in email")
+	}
+	return strings.TrimSuffix(spl[1], gcpServiceAccountEmailSuffix), nil
+}
+
 // ValidateGCPKMSKeyResourceID validates whether the given string is potentially a valid resource ID for a GCP KMS key
 // The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.
 func ValidateGCPKMSKeyResourceID(v string) error {

internals/api/patterns_test.go

@@ -474,13 +474,16 @@ func TestValidateGCPServiceAccountEmail(t *testing.T) {
 			in: "test-service-account@secrethub-test-1234567890.iam.gserviceaccount.com",
 		},
 		"appspot service account": {
-			in: "secrethub-1234567890@appspot.gserviceaccount.com",
+			in:        "secrethub-1234567890@appspot.gserviceaccount.com",
+			expectErr: true,
 		},
 		"compute service account": {
-			in: "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			in:        "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			expectErr: true,
 		},
 		"google managed service account": {
-			in: "secrethub-1234567890@cloudservices.gserviceaccount.com",
+			in:        "secrethub-1234567890@cloudservices.gserviceaccount.com",
+			expectErr: true,
 		},
 		"not an email": {
 			in:        "cloudservices.gserviceaccount.com",
@@ -505,6 +508,34 @@ func TestValidateGCPServiceAccountEmail(t *testing.T) {
 	}
 }
 
+func TestProjectIDFromGCPEmail(t *testing.T) {
+	cases := map[string]struct {
+		in        string
+		expectErr bool
+		expect    string
+	}{
+		"user  managed service account": {
+			in:     "test-service-account@secrethub-test-1234567890.iam.gserviceaccount.com",
+			expect: "secrethub-test-1234567890",
+		},
+		"invalid email": {
+			in:        "secrethub-1234567890-compute@developer.gserviceaccount.com",
+			expectErr: true,
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			projectID, err := api.ProjectIDFromGCPEmail(tc.in)
+
+			assert.Equal(t, err != nil, tc.expectErr)
+			if !tc.expectErr {
+				assert.Equal(t, projectID, tc.expect)
+			}
+		})
+	}
+}
+
 func TestValidateGCPKMSKeyResourceID(t *testing.T) {
 	cases := map[string]struct {
 		in        string

internals/api/server_errors.go

@@ -112,3 +112,9 @@ func IsErrNotFound(err error) bool {
 	}
 	return publicStatusError.StatusCode == 404
 }
+
+// IsKnownError returns whether the given error is a known SecretHub error.
+func IsKnownError(err error) bool {
+	var publicStatusError errio.PublicStatusError
+	return errors.As(err, &publicStatusError)
+}

pkg/oauthorizer/authorizer.go

@@ -0,0 +1,66 @@
+package oauthorizer
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type Authorizer interface {
+	AuthorizeLink(redirectURI string, state string) string
+	ParseResponse(r *http.Request, state string) (string, error)
+}
+
+func NewAuthorizer(authURI, clientID string, scopes ...string) Authorizer {
+	return authorizer{
+		AuthURI:  authURI,
+		ClientID: clientID,
+		Scopes:   scopes,
+	}
+}
+
+type authorizer struct {
+	AuthURI  string
+	ClientID string
+	Scopes   []string
+}
+
+func (a authorizer) AuthorizeLink(redirectURI string, state string) string {
+	return fmt.Sprintf(`%s?`+
+		`scope=%s&`+
+		`access_type=online&`+
+		`response_type=code&`+
+		`redirect_uri=%s&`+
+		`state=%s&`+
+		`prompt=select_account&`+
+		`client_id=%s`,
+		a.AuthURI,
+		url.QueryEscape(strings.Join(a.Scopes, ",")),
+		url.QueryEscape(redirectURI),
+		state,
+		a.ClientID,
+	)
+}
+
+func (a authorizer) ParseResponse(r *http.Request, expectedState string) (string, error) {
+	errorMessage := r.URL.Query().Get("error")
+	if errorMessage != "" {
+		return "", fmt.Errorf("authorization error: %s", errorMessage)
+	}
+
+	state := r.URL.Query().Get("state")
+	if state == "" {
+		return "", errors.New("missing state query parameter")
+	}
+	if state != expectedState {
+		return "", errors.New("state does not match")
+	}
+
+	code := r.URL.Query().Get("code")
+	if code == "" {
+		return "", errors.New("missing code query parameter")
+	}
+	return code, nil
+}

pkg/oauthorizer/callback_handler.go

@@ -0,0 +1,75 @@
+package oauthorizer
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+
+	"github.com/secrethub/secrethub-go/pkg/randchar"
+)
+
+type CallbackHandler struct {
+	authorizer Authorizer
+	listener   net.Listener
+	state      string
+
+	resChan chan string
+	errChan chan error
+}
+
+func NewCallbackHandler(authorizer Authorizer) (CallbackHandler, error) {
+	state, err := randchar.Generate(20)
+	if err != nil {
+		return CallbackHandler{}, fmt.Errorf("generating random state: %s", err)
+	}
+
+	l, err := net.Listen("tcp", "127.0.0.1:")
+	if err != nil {
+		return CallbackHandler{}, err
+	}
+
+	return CallbackHandler{
+		authorizer: authorizer,
+		listener:   l,
+		state:      string(state),
+		resChan:    make(chan string),
+		errChan:    make(chan error),
+	}, nil
+}
+
+func (s CallbackHandler) ListenURL() string {
+	return "http://" + s.listener.Addr().String()
+}
+
+func (s CallbackHandler) AuthorizeURL() string {
+	return s.authorizer.AuthorizeLink(s.ListenURL(), s.state)
+}
+
+func (s CallbackHandler) WaitForAuthorizationCode() (string, error) {
+	defer s.listener.Close()
+
+	go func() {
+		err := http.Serve(s.listener, http.HandlerFunc(s.handleRequest))
+		if err != nil && err != http.ErrServerClosed {
+			s.errChan <- err
+		}
+	}()
+
+	select {
+	case err := <-s.errChan:
+		return "", err
+	case res := <-s.resChan:
+		return res, nil
+	}
+}
+
+func (s CallbackHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
+	code, err := s.authorizer.ParseResponse(r, s.state)
+	if err != nil {
+		s.errChan <- err
+		fmt.Fprintf(w, "Error: %s", err)
+	} else {
+		s.resChan <- code
+		fmt.Fprint(w, "Authorization complete. You can now close this tab")
+	}
+}

pkg/secrethub/client.go

@@ -37,6 +37,8 @@ type ClientInterface interface {
 	Credentials() CredentialService
 	// Dirs returns a service used to manage directories.
 	Dirs() DirService
+	// IDPLinks returns a service used to manage links between namespaces and Identity Providers.
+	IDPLinks() IDPLinkService
 	// Me returns a service used to manage the current authenticated account.
 	Me() MeService
 	// Orgs returns a service used to manage shared organization workspaces.
@@ -213,6 +215,10 @@ func (c *Client) Dirs() DirService {
 	return newDirService(c)
 }
 
+func (c *Client) IDPLinks() IDPLinkService {
+	return newIDPLinkService(c)
+}
+
 // Me returns a service used to manage the current authenticated account.
 func (c *Client) Me() MeService {
 	return newMeService(c)