Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(272)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/config.go

Issue 2997433002: tokenserver: Validate and parse service_accounts.cfg rules. (Closed)
Patch Set: tokenserver: Validate and parse service_accounts.cfg rules. Created 3 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | tokenserver/appengine/impl/serviceaccounts/config_test.go » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2017 The LUCI Authors. 1 // Copyright 2017 The LUCI Authors.
2 // 2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); 3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License. 4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at 5 // You may obtain a copy of the License at
6 // 6 //
7 // http://www.apache.org/licenses/LICENSE-2.0 7 // http://www.apache.org/licenses/LICENSE-2.0
8 // 8 //
9 // Unless required by applicable law or agreed to in writing, software 9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, 10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and 12 // See the License for the specific language governing permissions and
13 // limitations under the License. 13 // limitations under the License.
14 14
15 package serviceaccounts 15 package serviceaccounts
16 16
17 import ( 17 import (
18 "fmt" 18 "fmt"
19 19
20 "golang.org/x/net/context" 20 "golang.org/x/net/context"
21 21
22 "github.com/luci/luci-go/common/config/validation"
23 "github.com/luci/luci-go/common/data/stringset"
24
22 "github.com/luci/luci-go/tokenserver/api/admin/v1" 25 "github.com/luci/luci-go/tokenserver/api/admin/v1"
26 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/identityset"
23 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" 27 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy"
24 ) 28 )
25 29
26 // serviceAccountsCfg is name of the config file with the policy. 30 // serviceAccountsCfg is name of the config file with the policy.
27 // 31 //
28 // Also used as a name for the imported configs in the datastore, so change it 32 // Also used as a name for the imported configs in the datastore, so change it
29 // very carefully. 33 // very carefully.
30 const serviceAccountsCfg = "service_accounts.cfg" 34 const serviceAccountsCfg = "service_accounts.cfg"
31 35
36 const (
37 // defaultMaxGrantValidityDuration is value for max_grant_validity_durat ion if
38 // it isn't specified in the config.
39 defaultMaxGrantValidityDuration = 24 * 3600
40
41 // maxAllowedMaxGrantValidityDuration is maximal allowed value for
42 // max_grant_validity_duration in service_accounts.cfg.
43 maxAllowedMaxGrantValidityDuration = 7 * 24 * 3600
44 )
45
32 // Rules is queryable representation of service_accounts.cfg rules. 46 // Rules is queryable representation of service_accounts.cfg rules.
33 type Rules struct { 47 type Rules struct {
34 » revision string // config revision this policy is import ed from 48 » revision string // config revision this policy is imported fro m
35 » rules map[string]*parsedRule // service account email -> rule for it 49 » rules map[string]*Rule // service account email -> rule for it
36 } 50 }
37 51
38 // parsedRule is queriable in-memory representation of ServiceAccountRule. 52 // Rule is queriable in-memory representation of ServiceAccountRule.
39 type parsedRule struct { 53 //
40 » // TODO(vadimsh): Implement. 54 // It should be treated like read-only object. It is shared by many concurrent
55 // requests.
56 type Rule struct {
57 » Rule *admin.ServiceAccountRule // original proto with the rule
58 » AllowedScopes stringset.Set // parsed 'allowed_scope'
59 » EndUsers *identityset.Set // parsed 'end_user'
60 » Proxies *identityset.Set // parsed 'proxy'
41 } 61 }
42 62
43 // RulesCache is a stateful object with parsed service_accounts.cfg rules. 63 // RulesCache is a stateful object with parsed service_accounts.cfg rules.
44 // 64 //
45 // It uses policy.Policy internally to manage datastore-cached copy of imported 65 // It uses policy.Policy internally to manage datastore-cached copy of imported
46 // service accounts configs. 66 // service accounts configs.
47 // 67 //
48 // Use NewRulesCache() to create a new instance. Each instance owns its own 68 // Use NewRulesCache() to create a new instance. Each instance owns its own
49 // in-memory cache, but uses same shared datastore cache. 69 // in-memory cache, but uses same shared datastore cache.
50 // 70 //
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
96 } 116 }
97 117
98 // prepareRules converts validated configs into *Rules. 118 // prepareRules converts validated configs into *Rules.
99 // 119 //
100 // Returns them as policy.Queryable object to satisfy policy.Policy API. 120 // Returns them as policy.Queryable object to satisfy policy.Policy API.
101 func prepareRules(cfg policy.ConfigBundle, revision string) (policy.Queryable, e rror) { 121 func prepareRules(cfg policy.ConfigBundle, revision string) (policy.Queryable, e rror) {
102 parsed, ok := cfg[serviceAccountsCfg].(*admin.ServiceAccountsPermissions ) 122 parsed, ok := cfg[serviceAccountsCfg].(*admin.ServiceAccountsPermissions )
103 if !ok { 123 if !ok {
104 return nil, fmt.Errorf("wrong type of %s - %T", serviceAccountsC fg, cfg[serviceAccountsCfg]) 124 return nil, fmt.Errorf("wrong type of %s - %T", serviceAccountsC fg, cfg[serviceAccountsCfg])
105 } 125 }
106 » // TODO(vadimsh): Convert parsed.Rules into map[string]*parsedRule. 126
107 » _ = parsed 127 » // Note: per policy.Policy API the config here was already validated whe n it
128 » // was imported, but we double check core assumptions anyway. This check may
129 » // fail if new code (with some new validation rules) uses old configs st ored
130 » // in the datastore (which were validated by old code). In practice this most
131 » // certainly never happens.
132 » rules := map[string]*Rule{}
133 » for _, ruleProto := range parsed.Rules {
134 » » r, err := makeRule(ruleProto)
135 » » if err != nil {
136 » » » return nil, err
137 » » }
138 » » for _, account := range ruleProto.ServiceAccount {
139 » » » if rules[account] != nil {
140 » » » » return nil, fmt.Errorf("two rules for service ac count %q", account)
141 » » » }
142 » » » rules[account] = r
143 » » }
144 » }
145
108 return &Rules{ 146 return &Rules{
109 revision: revision, 147 revision: revision,
148 rules: rules,
110 }, nil 149 }, nil
111 } 150 }
112 151
113 // ConfigRevision is part of policy.Queryable interface. 152 // ConfigRevision is part of policy.Queryable interface.
114 func (r *Rules) ConfigRevision() string { 153 func (r *Rules) ConfigRevision() string {
115 return r.revision 154 return r.revision
116 } 155 }
117 156
118 // TODO(vadimsh): Implement rest of Rules. 157 // Rule returns a rule governing the access to the given service account.
158 //
159 // Returns nil if such service account is not specified in the config.
160 func (r *Rules) Rule(serviceAccount string) *Rule {
161 » return r.rules[serviceAccount]
162 }
163
164 // makeRule converts ServiceAccountRule into queriable Rule.
165 //
166 // Mutates 'ruleProto' in-place filling in defaults.
167 func makeRule(ruleProto *admin.ServiceAccountRule) (*Rule, error) {
168 » v := validation.Context{}
169 » validateRule(ruleProto.Name, ruleProto, &v)
170 » if err := v.Finalize(); err != nil {
171 » » return nil, err
172 » }
173
174 » allowedScopes := stringset.New(len(ruleProto.AllowedScope))
175 » for _, scope := range ruleProto.AllowedScope {
176 » » allowedScopes.Add(scope)
177 » }
178
179 » endUsers, err := identityset.FromStrings(ruleProto.EndUser, nil)
180 » if err != nil {
181 » » return nil, fmt.Errorf("bad 'end_user' set - %s", err)
182 » }
183
184 » proxies, err := identityset.FromStrings(ruleProto.Proxy, nil)
185 » if err != nil {
186 » » return nil, fmt.Errorf("bad 'proxy' set - %s", err)
187 » }
188
189 » if ruleProto.MaxGrantValidityDuration == 0 {
190 » » ruleProto.MaxGrantValidityDuration = defaultMaxGrantValidityDura tion
191 » }
192
193 » return &Rule{
194 » » Rule: ruleProto,
195 » » AllowedScopes: allowedScopes,
196 » » EndUsers: endUsers,
197 » » Proxies: proxies,
198 » }, nil
199 }
OLDNEW
« no previous file with comments | « no previous file | tokenserver/appengine/impl/serviceaccounts/config_test.go » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698