add IAM member type

Signed-off-by: Ben Ye <yb532204897@gmail.com>
openshift · Sep 23, 2020 · b942e3e · b942e3e
1 parent a1c2512
commit b942e3e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 10 deletions.
diff --git a/pkg/controller/projectreference/projectreference_adapter.go b/pkg/controller/projectreference/projectreference_adapter.go
@@ -250,7 +250,7 @@ func EnsureProjectConfigured(r *ReferenceAdapter) (gcputil.OperationResult, erro
 		for _, email := range r.OperatorConfig.CCSConsoleAccess {
 			// TODO(yeya24): Use google API to check whether this email is
 			// for a group or a service account.
-			if err := r.SetIAMPolicy(email, OSDSREConsoleAccessRoles, true); err != nil {
+			if err := r.SetIAMPolicy(email, OSDSREConsoleAccessRoles, gcputil.GoogleGroup); err != nil {
 				return result, err
 			}
 		}
@@ -498,7 +498,7 @@ func (r *ReferenceAdapter) configureServiceAccount(policies []string) (gcputil.O
 	}
 
 	r.logger.V(1).Info("Setting Service Account Policies")
-	err = r.SetIAMPolicy(serviceAccount.Email, policies, false)
+	err = r.SetIAMPolicy(serviceAccount.Email, policies, gcputil.ServiceAccount)
 	if err != nil {
 		return gcputil.RequeueWithError(operrors.Wrap(err, fmt.Sprintf("could not update policy on project for %s", r.ProjectReference.Spec.GCPProjectID)))
 	}
@@ -634,14 +634,14 @@ type AddorUpdateBindingResponse struct {
 }
 
 // AddOrUpdateBindings gets the policy and checks if the bindings match the required roles
-func (r *ReferenceAdapter) AddOrUpdateBindings(serviceAccountEmail string, policies []string, group bool) (AddorUpdateBindingResponse, error) {
+func (r *ReferenceAdapter) AddOrUpdateBindings(serviceAccountEmail string, policies []string, memberType gcputil.IamMemberType) (AddorUpdateBindingResponse, error) {
 	policy, err := r.gcpClient.GetIamPolicy(r.ProjectReference.Spec.GCPProjectID)
 	if err != nil {
 		return AddorUpdateBindingResponse{}, err
 	}
 
 	//Checking if policy is modified
-	newBindings, modified := gcputil.AddOrUpdateBinding(policy.Bindings, policies, serviceAccountEmail, group)
+	newBindings, modified := gcputil.AddOrUpdateBinding(policy.Bindings, policies, serviceAccountEmail, memberType)
 
 	// add new bindings to policy
 	policy.Bindings = newBindings
@@ -652,13 +652,13 @@ func (r *ReferenceAdapter) AddOrUpdateBindings(serviceAccountEmail string, polic
 }
 
 // SetIAMPolicy attempts to update policy if the policy needs to be modified
-func (r *ReferenceAdapter) SetIAMPolicy(serviceAccountEmail string, policies []string, group bool) error {
+func (r *ReferenceAdapter) SetIAMPolicy(serviceAccountEmail string, policies []string, memberType gcputil.IamMemberType) error {
 	// Checking if policy needs to be updated
 	var retry int
 	for {
 		retry++
 		time.Sleep(time.Second)
-		addorUpdateResponse, err := r.AddOrUpdateBindings(serviceAccountEmail, policies, group)
+		addorUpdateResponse, err := r.AddOrUpdateBindings(serviceAccountEmail, policies, memberType)
 		if err != nil {
 			return err
 		}

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -13,6 +13,14 @@ import (
 	kubeclientpkg "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// IamMemberType represents different type of IAM members.
+type IamMemberType int
+
+const (
+	ServiceAccount IamMemberType = iota
+	GoogleGroup
+)
+
 const (
 	// secret information
 	gcpSecretName = "gcp"
@@ -86,10 +94,10 @@ func GetGCPCredentialsFromSecret(kubeClient kubeclientpkg.Client, namespace, nam
 // If the required binding does not exist it creates a new binding for the role
 // it returns a []*cloudresourcemanager.Binding that contains all the previous bindings and the new ones if no new bindings are required it returns false
 // TODO(MJ): add tests
-func AddOrUpdateBinding(existingBindings []*cloudresourcemanager.Binding, requiredBindings []string, serviceAccount string, group bool) ([]*cloudresourcemanager.Binding, bool) {
+func AddOrUpdateBinding(existingBindings []*cloudresourcemanager.Binding, requiredBindings []string, serviceAccount string, memberType IamMemberType) ([]*cloudresourcemanager.Binding, bool) {
 	Modified := false
 	// get map of required rolebindings
-	requiredBindingMap := rolebindingMap(requiredBindings, serviceAccount, group)
+	requiredBindingMap := rolebindingMap(requiredBindings, serviceAccount, memberType)
 	var result []*cloudresourcemanager.Binding
 
 	for i, eBinding := range existingBindings {
@@ -125,9 +133,9 @@ func AddOrUpdateBinding(existingBindings []*cloudresourcemanager.Binding, requir
 }
 
 // roleBindingMap returns a map of requiredBindings role bindings for the added members
-func rolebindingMap(roles []string, member string, group bool) map[string]cloudresourcemanager.Binding {
+func rolebindingMap(roles []string, member string, memberType IamMemberType) map[string]cloudresourcemanager.Binding {
 	prefix := "serviceAccount:"
-	if group {
+	if memberType == GoogleGroup {
 		prefix = "group:"
 	}
 	requiredBindings := make(map[string]cloudresourcemanager.Binding)