diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go
index fb3d9c3cf..57c67c3c5 100644
--- a/server/cmd/server/main.go
+++ b/server/cmd/server/main.go
@@ -58,12 +58,18 @@ func main() {
 if err != nil {
 log.Fatal("APIHandler initialization failed", err)
 }
-
- err = iamclient.RegisterWithIam(log)
+ IC, err := iamclient.NewClient(oryclient, log)
+ if err != nil {
+ log.Fatal("Error occured while created IAM client", err)
+ }
+ err = IC.RegisterWithIam()
 if err != nil {
 log.Fatal("Registering capten server as oauth client through IAM failed", err)
 }
-
+ err = IC.RegisterRolesActions()
+ if err != nil {
+ log.Fatal("Registering Roles and Actions in IAM failed", err)
+ }
 rpcServer, err := rpcapi.NewServer(log, serverStore, oryclient)
 if err != nil {
 log.Fatal("grpc server initialization failed", err)
diff --git a/server/go.mod b/server/go.mod
index 8eaf48c53..b81601205 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -9,15 +9,15 @@ require (
 github.com/gocql/gocql v1.3.1
 github.com/golang/protobuf v1.5.3
 github.com/google/uuid v1.3.0
- github.com/intelops/go-common v1.0.15
+ github.com/intelops/go-common v1.0.17
 github.com/kelseyhightower/envconfig v1.4.0
 github.com/kube-tarian/kad/agent v0.0.0-20221228201013-ed4f78e4b887
- github.com/ory/client-go v1.1.41
+ github.com/ory/client-go v1.1.49
 github.com/pkg/errors v0.9.1
 github.com/stargate/stargate-grpc-go-client v0.0.0-20220822130422-9a1c6261d4fa
 github.com/stretchr/testify v1.8.2
- golang.org/x/oauth2 v0.10.0
- google.golang.org/grpc v1.55.0
+ golang.org/x/oauth2 v0.11.0
+ google.golang.org/grpc v1.57.0
 google.golang.org/protobuf v1.31.0
 )
 
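Review bot: The local `IC` in `IC, err := iamclient.NewClient(oryclient, log)` breaks Go's lowerCamel convention for locals and reads like a constant; since the package is already imported as `iamclient`, a distinct spelling such as `iamCli` keeps it readable. The fatal message on the next line, `"Error occured while created IAM client"`, has a typo and a grammar slip, and does not match the form of its neighbours; `"IAM client initialization failed"` would. Making `RegisterRolesActions` fatal is the right fail-closed choice for an authorization bootstrap, but it is worth a one-line comment, `// fail closed: do not serve until roles/actions are registered in IAM`, because the iam-client hunk in this same diff still carries a placeholder yaml path and, if go-common reads that path, this is where the server will stop. `main` begins and ends outside the hunk.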
@@ -67,13 +67,13 @@ require ( github.com/sirupsen/logrus v1.9.0 // indirect github.com/ugorji/go/codec v1.2.7 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect + golang.org/x/crypto v0.12.0 // indirect + golang.org/x/net v0.14.0 // indirect + golang.org/x/sys v0.11.0 // indirect + golang.org/x/text v0.12.0 // indirect golang.org/x/time v0.1.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/server/go.sum b/server/go.sum index 11983ee0e..13c8478fd 100644 --- a/server/go.sum +++ b/server/go.sum @@ -131,8 +131,8 @@ github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3C github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 h1:amFWL1ZhwMWdmqvT51J9phXu835kY25wFfTrY/3yXd0= github.com/hashicorp/vault/api/auth/kubernetes v0.4.1/go.mod h1:ikWDT8Adnfvm+8DzKez50vvLD9GWD/unZfJxeqP09sU= -github.com/intelops/go-common v1.0.15 h1:w5arGiN4bUxYNOK+Bhk3nUGgRy2mzrzyqMQSZHTLg5g= -github.com/intelops/go-common v1.0.15/go.mod h1:MtFNUbf8Br2pyCB4cOOGXnLcODJm6oBgmpnWpnFUD4g= +github.com/intelops/go-common v1.0.17 h1:eGMN915D+s0IxQr2P5Zi6cOoFSIlER8uMsPt6zLwBK8= +github.com/intelops/go-common v1.0.17/go.mod h1:GDDr2xP2uqtjMgATC4BLDt29kC7W9R3EW+8Du2LlNt8= github.com/invopop/yaml v0.1.0 h1:YW3WGUoJEXYfzWBjn00zIlrw7brGVD0fUKRYDPAPhrc= github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -192,8 +192,8 @@ github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8d github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI= github.com/opencontainers/runc v1.0.0-rc95 h1:RMuWVfY3E1ILlVsC3RhIq38n4sJtlOFwU9gfFZSqrd0= -github.com/ory/client-go v1.1.41 h1:dMt3jHpYeSVaNDrgfDrhYZuUYcfz9qry/G42zalsrTo= -github.com/ory/client-go v1.1.41/go.mod h1:g5jXHLTrOo8479mSmgPbA9/QWnEgQ2K8pgsaOwhidRs= +github.com/ory/client-go v1.1.49 h1:cHeiCxbtFOY+o/nQMpTlWLa6DFdTPfmrqyqcau/c+S4= +github.com/ory/client-go v1.1.49/go.mod h1:txO25o+LB3I03DNgHV679Jnpx19/AYKIb2CY+GHQJGw= github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU= github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= 
@@ -242,8 +242,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -262,11 +262,11 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= -golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= -golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -290,8 +290,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= @@ -301,8 +301,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -322,15 +322,15 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA= -google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= -google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf 
v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/server/pkg/iam-client/client.go b/server/pkg/iam-client/client.go index bf841bf1f..c3ec15a5a 100644 --- a/server/pkg/iam-client/client.go +++ b/server/pkg/iam-client/client.go @@ -3,19 +3,48 @@ package iamclient import ( "context" + cm "github.com/intelops/go-common/iam" "github.com/intelops/go-common/logging" "github.com/kelseyhightower/envconfig" "github.com/kube-tarian/kad/server/pkg/credential" + oryclient "github.com/kube-tarian/kad/server/pkg/ory-client" iampb "github.com/kube-tarian/kad/server/pkg/pb/iampb" + "github.com/pkg/errors" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/metadata" ) type Config struct { IamURL string `envconfig:"IAM_URL" required:"true"` } +type Client struct { + oryClient oryclient.OryClient + log logging.Logger + oryURL string + oryPAT string +} -func RegisterWithIam(log logging.Logger) error { +func NewClient(ory oryclient.OryClient, log logging.Logger) (*Client, error) { + cfg, err := ory.GetOryEnv() + if err != nil { + return nil, err + } + serviceCredential, err := credential.GetServiceUserCredential(context.Background(), + cfg.OryEntityName, cfg.CredentialIdentifier) + if err != nil { + return nil, err + } + oryPAT := serviceCredential.AdditionalData["ORY_PAT"] + oryURL := serviceCredential.AdditionalData["ORY_URL"] + return &Client{ + oryClient: ory, + log: log, + oryURL: oryURL, + oryPAT: oryPAT, + }, nil +} +func (c *Client) RegisterWithIam() error { cfg, err := getIamEnv() if err != nil { return err @@ -27,7 +56,7 @@ func RegisterWithIam(log logging.Logger) error { return err } iamclient := iampb.NewOauthServiceClient(conn) - log.Info("Registering capten as client in ory through...") + c.log.Info("Registering capten as client in ory through...") oauthClientReq := &iampb.CreateClientCredentialsClientRequest{ ClientName: "CaptenServer", } 
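Review bot: `NewClient` reads `serviceCredential.AdditionalData["ORY_PAT"]` and `["ORY_URL"]` with plain map indexing, so a credential record that lacks either key silently yields an empty string that is stored on the client and later sent as the `ory_pat` / `ory_url` metadata values, instead of failing at construction with a message naming the missing key. A secret that is a personal access token should be validated as present before the process commits to using it. The credential fetch also runs on `context.Background()` with no deadline; if `credential.GetServiceUserCredential` talks to a remote store (not visible here), startup can hang without bound, so a `context.WithTimeout` is worth considering. `NewClient` is complete within this hunk.
```go
serviceCredential, err := credential.GetServiceUserCredential(context.Background(),
	cfg.OryEntityName, cfg.CredentialIdentifier)
// … unchanged: error check …
oryPAT, ok := serviceCredential.AdditionalData["ORY_PAT"]
if !ok || oryPAT == "" {
	return nil, errors.New("service credential is missing ORY_PAT")
}
oryURL, ok := serviceCredential.AdditionalData["ORY_URL"]
if !ok || oryURL == "" {
	return nil, errors.New("service credential is missing ORY_URL")
}
// … unchanged: build and return *Client …
```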
@@ -49,3 +78,48 @@ func getIamEnv() (*Config, error) {
 }
 return cfg, nil
 }
+
+// at the line cm.WithIamYamlPath("provide the yaml location here"),
+// the roles and actions should be added to ConfigMap
+// the the location should be provided
+func (c *Client) RegisterRolesActions() error {
+ cfg, err := getIamEnv()
+ if err != nil {
+ return err
+ }
+
+ iamURL := cfg.IamURL
+ grpcOpts := []grpc.DialOption{
+ grpc.WithTransportCredentials(insecure.NewCredentials()),
+ }
+ // Create an instance of IamConn with desired options
+ // the order of calling the options should be same as given in example
+ iamConn := cm.NewIamConn(
+ cm.WithGrpcDialOption(grpcOpts...),
+ cm.WithIamAddress(iamURL),
+ // TODO: here need to add the roles and actions yaml location
+ cm.WithIamYamlPath("provide the yaml location here"),
+ )
+ ctx := context.Background()
+ tkn, err := c.oryClient.GetCaptenServiceRegOauthToken()
+ if err != nil {
+ err = errors.WithMessage(err, "error getting capten service reg oauth token")
+ return err
+ }
+ if tkn == nil {
+ return errors.New("capten service reg oauth token is nil")
+ }
+ md := metadata.Pairs(
+ "oauth_token", *tkn,
+ "ory_url", c.oryURL,
+ "ory_pat", c.oryPAT,
+ )
+ newCtx := metadata.NewOutgoingContext(ctx, md)
+ // Update action roles
+ err = iamConn.UpdateActionRoles(newCtx)
+ if err != nil {
+ c.log.Errorf("Failed to update action roles: %v", err)
+ return err
+ }
+ return nil
+}
diff --git a/server/pkg/ory-client/client.go b/server/pkg/ory-client/client.go
index e4cb51c72..52e6215ac 100644
--- a/server/pkg/ory-client/client.go
+++ b/server/pkg/ory-client/client.go
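Review bot: The `metadata.Pairs` call attaches the Ory personal access token (`ory_pat`) and the OAuth token to a gRPC connection dialed with `grpc.WithTransportCredentials(insecure.NewCredentials())`, so both secrets cross the wire in cleartext unless IAM_URL is reachable only inside a trusted mesh; either dial with TLS, `grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))` (which needs `crypto/tls` and `google.golang.org/grpc/credentials`), or put a comment on `grpcOpts` stating the deployment assumption under which plaintext is acceptable. Separately, `cm.WithIamYamlPath("provide the yaml location here")` ships a literal placeholder; if go-common reads that path, `UpdateActionRoles` fails and the caller in main.go exits, so the location should come from configuration, for example a `IamRolesYamlPath string` field on `Config` (declared in the earlier hunk) tagged `envconfig:"IAM_ROLES_YAML_PATH" required:"true"`, with the call becoming `cm.WithIamYamlPath(cfg.IamRolesYamlPath)`. The `c.log.Errorf` immediately before `return err` reports the same failure twice once main.go logs it; one layer should own the error. The doc comment also has `the the location`.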
@@ -51,6 +51,8 @@ type OryClient interface { GetSessionTokenFromContext(ctx context.Context) (string, error) Authorize(ctx context.Context, accessToken string) (context.Context, error) UnaryInterceptor(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error + GetCaptenServiceRegOauthToken() (*string, error) + GetOryEnv() (*Config, error) } // NewOryClient returns a OryClient interface @@ -75,6 +77,13 @@ func NewOryClient(log logging.Logger) (OryClient, error) { }, nil } +func (c *Client) GetOryEnv() (*Config, error) { + cfg := &Config{} + if err := envconfig.Process("", cfg); err != nil { + return nil, err + } + return cfg, nil +} func getOryEnv() (*Config, error) { cfg := &Config{} if err := envconfig.Process("", cfg); err != nil { @@ -82,7 +91,6 @@ func getOryEnv() (*Config, error) { } return cfg, nil } - func getTokenEnv() (*TokenConfig, error) { cfg := &TokenConfig{} if err := envconfig.Process("", cfg); err != nil {
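Review bot: `GetCaptenServiceRegOauthToken() (*string, error)` returns a pointer to a string, which forces every caller to nil-check before dereferencing (the iam-client hunk in this diff does exactly that and still needs a separate `tkn == nil` error path); the idiomatic shape is `GetCaptenServiceRegOauthToken() (string, error)`, with a missing token reported through the error. The method's implementation is not part of this diff, so the cost of that change depends on its body. Adding two methods to `OryClient` also breaks any other implementation or test double of the interface that is not visible here; the build of packages that mock it is worth checking. The interface declaration starts outside the hunk.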
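Review bot: `func (c *Client) GetOryEnv()` duplicates the body of the unexported `getOryEnv` that follows it line for line; the method should delegate, `func (c *Client) GetOryEnv() (*Config, error) { return getOryEnv() }`, so the two cannot drift apart if validation is later added to one of them. The receiver is unused, which suggests the method exists only to expose the env through the `OryClient` interface; a doc comment saying so, `// GetOryEnv loads the Ory configuration from the environment; exposed on OryClient so iamclient can reuse it.`, would make that intent explicit. `getOryEnv`'s body continues outside the hunk.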