remove identity from namespace wi request body
itsankit-google committed Nov 3, 2023
1 parent 247147a commit ee4af26
Showing 3 changed files with 5 additions and 38 deletions.
Expand Up @@ -16,7 +16,6 @@

package io.cdap.cdap.internal.namespace.credential.handler;

import com.google.common.base.Strings;
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.inject.Inject;
Expand All @@ -28,7 +27,6 @@
import io.cdap.cdap.common.conf.Constants.Gateway;
import io.cdap.cdap.common.namespace.NamespaceQueryAdmin;
import io.cdap.cdap.internal.credential.CredentialIdentityManager;
import io.cdap.cdap.internal.credential.CredentialProfileManager;
import io.cdap.cdap.internal.namespace.credential.GcpWorkloadIdentityUtil;
import io.cdap.cdap.proto.NamespaceMeta;
import io.cdap.cdap.proto.credential.CredentialIdentity;
Expand Down Expand Up @@ -71,19 +69,16 @@ public class GcpWorkloadIdentityHttpHandler extends AbstractHttpHandler {
private final ContextAccessEnforcer accessEnforcer;
private final NamespaceQueryAdmin namespaceQueryAdmin;
private final CredentialIdentityManager credentialIdentityManager;
private final CredentialProfileManager credentialProfileManager;
private final CredentialProvider credentialProvider;

@Inject
GcpWorkloadIdentityHttpHandler(ContextAccessEnforcer accessEnforcer,
NamespaceQueryAdmin namespaceQueryAdmin,
CredentialIdentityManager credentialIdentityManager,
CredentialProfileManager credentialProfileManager,
CredentialProvider credentialProvider) {
this.accessEnforcer = accessEnforcer;
this.namespaceQueryAdmin = namespaceQueryAdmin;
this.credentialIdentityManager = credentialIdentityManager;
this.credentialProfileManager = credentialProfileManager;
this.credentialProvider = credentialProvider;
}

Expand All @@ -103,14 +98,10 @@ public void validateIdentity(FullHttpRequest request, HttpResponder responder,
accessEnforcer.enforce(new NamespaceId(namespace), NamespacePermission.PROVISION_CREDENTIAL);
NamespaceWorkloadIdentity namespaceWorkloadIdentity =
deserializeRequestContent(request, NamespaceWorkloadIdentity.class);
if (Strings.isNullOrEmpty(namespaceWorkloadIdentity.getIdentity())) {
throw new BadRequestException("Identity cannot be null or empty.");
}
NamespaceMeta namespaceMeta = getNamespaceMeta(namespace);
validateNamespaceIdentity(namespaceMeta, namespaceWorkloadIdentity);
CredentialIdentity credentialIdentity = new CredentialIdentity(
NamespaceId.SYSTEM.getNamespace(), GcpWorkloadIdentityUtil.SYSTEM_PROFILE_NAME,
namespaceWorkloadIdentity.getIdentity(),
namespaceMeta.getIdentity(),
namespaceWorkloadIdentity.getServiceAccount());
switchToInternalUser();
try {
Expand Down Expand Up @@ -146,8 +137,8 @@ public void getIdentity(HttpRequest request, HttpResponder responder,
if (!identity.isPresent()) {
throw new NotFoundException("Namespace identity not found.");
}
NamespaceWorkloadIdentity workloadIdentity = new NamespaceWorkloadIdentity(
identity.get().getIdentity(), identity.get().getSecureValue());
NamespaceWorkloadIdentity workloadIdentity =
new NamespaceWorkloadIdentity(identity.get().getSecureValue());
responder.sendJson(HttpResponseStatus.OK, GSON.toJson(workloadIdentity));
}

Expand All @@ -169,11 +160,7 @@ public void createIdentity(FullHttpRequest request, HttpResponder responder,
accessEnforcer.enforce(new NamespaceId(namespace), NamespacePermission.SET_SERVICE_ACCOUNT);
NamespaceWorkloadIdentity namespaceWorkloadIdentity =
deserializeRequestContent(request, NamespaceWorkloadIdentity.class);
if (Strings.isNullOrEmpty(namespaceWorkloadIdentity.getIdentity())) {
throw new BadRequestException("Identity cannot be null or empty.");
}
NamespaceMeta namespaceMeta = getNamespaceMeta(namespace);
validateNamespaceIdentity(namespaceMeta, namespaceWorkloadIdentity);
CredentialIdentityId credentialIdentityId = createIdentityIdOrPropagate(namespace,
GcpWorkloadIdentityUtil.getWorkloadIdentityName(namespaceMeta.getIdentity()));
switchToInternalUser();
Expand Down Expand Up @@ -232,13 +219,6 @@ private void switchToInternalUser() {
SecurityRequestContext.reset();
}

private void validateNamespaceIdentity(NamespaceMeta namespaceMeta, NamespaceWorkloadIdentity identity)
throws BadRequestException {
if (!namespaceMeta.getIdentity().equals(identity.getIdentity())) {
throw new BadRequestException("Incorrect value provided for namespace identity.");
}
}

private CredentialIdentityId createIdentityIdOrPropagate(String namespace, String name)
throws BadRequestException {
try {
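Review bot: With the identity guards removed from validateIdentity and createIdentity (both methods continue outside their hunks), nothing in the visible lines validates the deserialized body any more: `namespaceWorkloadIdentity.getServiceAccount()` flows straight into `new CredentialIdentity(...)`, so a bare `{}` request would pass with a null service account unless a check exists beyond the hunk. A guard mirroring the removed one would close that, e.g. `if (namespaceWorkloadIdentity.getServiceAccount() == null || namespaceWorkloadIdentity.getServiceAccount().isEmpty()) { throw new BadRequestException("Service account cannot be null or empty."); }` — written without `Strings`, since the first hunk drops that import. Separately, `namespaceMeta.getIdentity()` is now consumed unconditionally, both in the CredentialIdentity and in `getWorkloadIdentityName(...)`; if a namespace can exist without an identity, an explicit error for that case would be clearer than a downstream NPE (the removed `validateNamespaceIdentity` would also have NPE'd there, so this is pre-existing rather than introduced).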
Expand Up @@ -25,7 +25,6 @@
import io.cdap.cdap.proto.codec.BasicThrowableCodec;
import io.cdap.cdap.proto.credential.CredentialProvisioningException;
import io.cdap.cdap.proto.credential.NamespaceCredentialProvider;
import io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer;
import io.cdap.http.AbstractHttpHandler;
import io.cdap.http.HttpHandler;
import io.cdap.http.HttpResponder;
Expand All @@ -49,13 +48,10 @@ public class GcpWorkloadIdentityHttpHandlerInternal extends AbstractHttpHandler
BasicThrowable.class, new BasicThrowableCodec()).create();

private final NamespaceCredentialProvider credentialProvider;
private final ContextAccessEnforcer accessEnforcer;

@Inject
GcpWorkloadIdentityHttpHandlerInternal(
ContextAccessEnforcer accessEnforcer, NamespaceCredentialProvider credentialProvider) {
GcpWorkloadIdentityHttpHandlerInternal(NamespaceCredentialProvider credentialProvider) {
this.credentialProvider = credentialProvider;
this.accessEnforcer = accessEnforcer;
}

/**
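Review bot: After this hunk GcpWorkloadIdentityHttpHandlerInternal holds no ContextAccessEnforcer, so the handler performs no authorization of its own; only the field and constructor parameter are removed and no call site is touched, so presumably the enforcer was never used here and the endpoints rely on being reachable only through internal routing. That reliance is worth recording in the class Javadoc (the class header sits above the hunk), e.g. `Internal handler: performs no access enforcement itself; authorization for these endpoints is expected to be applied before requests reach this service.`, adjusted to wherever that enforcement actually happens.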
Expand Up @@ -20,26 +20,17 @@
* Defines an identity for credential provisioning.
*/
public class NamespaceWorkloadIdentity {

private final String identity;
private final String serviceAccount;

/**
* Constructs a namespace identity.
*
* @param identity The identity.
* @param serviceAccount The serviceAccount to store for the identity.
*/
public NamespaceWorkloadIdentity(String identity,
String serviceAccount) {
this.identity = identity;
public NamespaceWorkloadIdentity(String serviceAccount) {
this.serviceAccount = serviceAccount;
}

public String getIdentity() {
return identity;
}

public String getServiceAccount() {
return serviceAccount;
}
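Review bot: The constructor Javadoc still lists `@param identity The identity.` while the new constructor takes only `serviceAccount`; if that line survives on the new side it should be dropped so the doc matches the signature. The class summary "Defines an identity for credential provisioning." now describes an object that carries only a service account, so a wording such as `Request body carrying the service account to associate with a namespace's workload identity.` would be more accurate. Note that the handler deserializes this class from the request body with Gson, so the constructor is not where a null check on `serviceAccount` would take effect; that validation belongs in the handler.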
