/
credential.go
93 lines (80 loc) · 2.65 KB
/
credential.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
// Copyright 2019 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.
package caas
import (
"encoding/hex"
"math/rand"
"github.com/juju/errors"
"github.com/juju/juju/caas/kubernetes/clientconfig"
k8scloud "github.com/juju/juju/caas/kubernetes/cloud"
"github.com/juju/juju/caas/kubernetes/provider"
jujucloud "github.com/juju/juju/cloud"
environscloudspec "github.com/juju/juju/environs/cloudspec"
)
const rbacLabelKeyName = k8scloud.RBACLabelKeyName
func ensureCredentialUID(
credentialName, credentialUID string,
credential jujucloud.Credential,
) (cred jujucloud.Credential, _ error) {
newAttr := credential.Attributes()
if newAttr == nil {
return cred, errors.NotValidf("empty credential %q", credentialName)
}
newAttr[rbacLabelKeyName] = credentialUID
return jujucloud.NewNamedCredential(
credentialName, credential.AuthType(), newAttr, credential.Revoked,
), nil
}
type credentialGetter interface {
// CredentialForCloud gets credentials for the named cloud.
CredentialForCloud(string) (*jujucloud.CloudCredential, error)
}
func getExistingLocalCredential(store credentialGetter, cloudName, credentialName string) (credential jujucloud.Credential, err error) {
cloudCredential, err := store.CredentialForCloud(cloudName)
if err != nil {
return credential, errors.Trace(err)
}
var ok bool
if credential, ok = cloudCredential.AuthCredentials[credentialName]; !ok {
return credential, errors.NotFoundf("credential %q for cloud %q", credentialName, cloudName)
}
return credential, nil
}
func decideCredentialUID(store credentialGetter, cloudName, credentialName string) (string, error) {
var credUID string
existingCredential, err := getExistingLocalCredential(store, cloudName, credentialName)
if err != nil && !errors.IsNotFound(err) {
return "", errors.Trace(err)
}
if err == nil && existingCredential.Attributes() != nil {
credUID = existingCredential.Attributes()[rbacLabelKeyName]
}
if credUID == "" {
b := make([]byte, 4)
if _, err := rand.Read(b); err != nil {
return credUID, errors.Trace(err)
}
credUID = hex.EncodeToString(b)
}
return credUID, nil
}
func cleanUpCredentialRBAC(cloud jujucloud.Cloud, credential jujucloud.Credential) error {
attr := credential.Attributes()
if attr == nil {
return nil
}
credUID := attr[rbacLabelKeyName]
if credUID == "" {
return nil
}
cloudSpec, err := environscloudspec.MakeCloudSpec(cloud, "", &credential)
if err != nil {
return errors.Trace(err)
}
restConfig, err := provider.CloudSpecToK8sRestConfig(cloudSpec)
if err != nil {
return errors.Trace(err)
}
err = clientconfig.RemoveCredentialRBACResources(restConfig, credUID)
return errors.Trace(err)
}