Skip to content

[AUTHN-66] iam provider and pool commands#1303

Merged
Brian Strauch (brianstrauch) merged 32 commits intomainfrom
AUTHN-66
Jul 29, 2022
Merged

[AUTHN-66] iam provider and pool commands#1303
Brian Strauch (brianstrauch) merged 32 commits intomainfrom
AUTHN-66

Conversation

@kevin-wu24
Copy link
Member

@kevin-wu24 Kevin Wu (kevin-wu24) commented Jun 7, 2022
edited by arvindth
Loading

Checklist

  1. [CRUCIAL] Is the change for CP or CCloud functionalities that are already live in prod?
    • no

What

  • Implemented the CRUD sub commands for iam identity providers and iam identity pools, both of which are placed behind the cli.identity-provider feature flag

References

Test & Review

  • I wrote an integration test for each sub command in the iam_tests.go file which can be run with: make int-test INT_TEST_ARGS="-run TestCLI/TestIAM" and unit tests were not needed because the code is just hitting endpoints.

@kevin-wu24 Kevin Wu (kevin-wu24) requested a review from a team as a code owner June 7, 2022 18:22
brianstrauch
Brian Strauch (brianstrauch) reviewed Jun 7, 2022
View reviewed changes
Copy link

@brianstrauch Brian Strauch (brianstrauch) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Super clean! 🎉

brianstrauch
Brian Strauch (brianstrauch) reviewed Jun 8, 2022
View reviewed changes
Copy link

@brianstrauch Brian Strauch (brianstrauch) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good 🚀

brianstrauch
Brian Strauch (brianstrauch) reviewed Jun 9, 2022
View reviewed changes
@kevin-wu24 Kevin Wu (kevin-wu24) changed the title iam provider commands [AUTHN-66] iam provider and pool commands Jun 13, 2022
brianstrauch
Brian Strauch (brianstrauch) reviewed Jul 6, 2022
View reviewed changes
internal/cmd/iam/command.go Outdated
package iam

import (
"github.com/confluentinc/cli/internal/pkg/featureflags"
Copy link

@brianstrauch Brian Strauch (brianstrauch) Jul 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sort your imports!

internal/cmd/iam/command_provider_delete.go Outdated
RunE: c.delete,
Example: examples.BuildExampleString(
examples.Example{
Text: `Delete identity provider op-12345.`,
Copy link

@brianstrauch Brian Strauch (brianstrauch) Jul 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Text: `Delete identity provider op-12345.`,
Text: `Delete identity provider "op-12345".`,

Copy link

@brianstrauch Brian Strauch (brianstrauch) Jul 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment

brianstrauch
Brian Strauch (brianstrauch) reviewed Jul 11, 2022
View reviewed changes
arvindth
Arvind Thirunarayanan (arvindth) reviewed Jul 14, 2022
View reviewed changes
Copy link
Member

@arvindth Arvind Thirunarayanan (arvindth) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of observations:

  1. When I run this command:
> XX_LAUNCH_DARKLY_TEST_ENV=true dist/confluent_darwin_amd64/confluent iam pool get pool-q0yR --provider op-Jn
Error: unknown flag: --provider
Usage: ...

It gives me an unknown flag --provider error. I would have expected unknown command get instead.

  1. When you receive a 400 bad request, it would be helpful to also print out the error message to help diagnose the issue. eg: Deleting a provider that still has some pools gives a response of {"error_code":400,"message":"OpenID provider op-Pj at Org 5f93392c-f9bd-4bef-8523-2da64591e058 has 2 active identity pools associated."} but this message is not printed out by the cli.

arvindth
Arvind Thirunarayanan (arvindth) reviewed Jul 14, 2022
View reviewed changes
internal/cmd/iam/command_pool_create.go Outdated
Comment on lines +80 to +81
IdentityClaim: *resp.SubjectClaim,
Filter: *resp.Policy,
Copy link
Member

@arvindth Arvind Thirunarayanan (arvindth) Jul 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll be updating the api, and then the sdk soon to return identityClaim and filter. We'll keep the cli team posted when that happens, and you can update this to match at that time.

arvindth
Arvind Thirunarayanan (arvindth) reviewed Jul 14, 2022
View reviewed changes
arvindth
Arvind Thirunarayanan (arvindth) reviewed Jul 14, 2022
View reviewed changes
brianstrauch
Brian Strauch (brianstrauch) reviewed Jul 18, 2022
View reviewed changes
@brianstrauch Brian Strauch (brianstrauch) mentioned this pull request Jul 20, 2022
Merged
@arvindth
Copy link
Member

Arvind Thirunarayanan (arvindth) commented Jul 23, 2022
edited
Loading

Kevin Wu (@kevin-wu24) looks like the iam rbac role-binding list --role commands don't work when the principal is a pool id. eg:

XX_LAUNCH_DARKLY_TEST_ENV=true dist/confluent_darwin_amd64/confluent iam rbac role-binding list --principal User:pool-AB4O
    Principal    | Email |       Role        | Environment | Cloud Cluster | Cluster Type | Logical Cluster | Resource Type | Name | Pattern Type
-----------------+-------+-------------------+-------------+---------------+--------------+-----------------+---------------+------+---------------
  User:pool-AB4O |       | OrganizationAdmin |             |               |              |                 |               |      |

but

XX_LAUNCH_DARKLY_TEST_ENV=true dist/confluent_darwin_amd64/confluent iam rbac role-binding list --role OrganizationAdmin
    Principal    |                   Email                    |  Service Name
-----------------+--------------------------------------------+------------------
  User:sa-3wknoo |                                            | OAuthTestSvcAct
  User:sa-w5vny9 |                                            | testprivesc1
  User:u-lgzo0m  | athirunar+rbac+devel+orgadmin@confluent.io |

I see a call to /users being made when I run with -vvv. I think this call may be being made to get additional details about the user such as email/name. Since the pool id isn't part of the /users response, I think it's getting dropped.

arvindth
Arvind Thirunarayanan (arvindth) reviewed Jul 27, 2022
View reviewed changes
Copy link
Member

@arvindth Arvind Thirunarayanan (arvindth) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Kevin Wu (@kevin-wu24) had a couple of follow comments. Otherwise, functionality-wise it lgtm.

brianstrauch
Brian Strauch (brianstrauch) reviewed Jul 28, 2022
View reviewed changes
internal/cmd/iam/command_pool_delete.go Outdated
RunE: c.delete,
Example: examples.BuildExampleString(
examples.Example{
Text: `Delete identity pool pool-12345.`,
Copy link

@brianstrauch Brian Strauch (brianstrauch) Jul 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see this change. Did you forget to commit?

brianstrauch
Brian Strauch (brianstrauch) reviewed Jul 28, 2022
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arvindth Arvind Thirunarayanan (arvindth) arvindth left review comments

+1 more reviewer

@brianstrauch Brian Strauch (brianstrauch) brianstrauch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kevin-wu24 @arvindth @brianstrauch