From ee4af2679c5744ce4b6eb63d1ec5594ac9368e9f Mon Sep 17 00:00:00 2001
From: itsankit-google
Date: Thu, 2 Nov 2023 19:23:43 +0000
Subject: [PATCH] remove identity from namespace wi request body
---
 .../GcpWorkloadIdentityHttpHandler.java | 26 +++----------------
 ...cpWorkloadIdentityHttpHandlerInternal.java | 6 +----
 .../credential/NamespaceWorkloadIdentity.java | 11 +-------
 3 files changed, 5 insertions(+), 38 deletions(-)
diff --git a/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandler.java b/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandler.java
index 10a0a8b6b11d..374a0800e0b2 100644
--- a/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandler.java
+++ b/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandler.java
@@ -16,7 +16,6 @@
 package io.cdap.cdap.internal.namespace.credential.handler;
-import com.google.common.base.Strings;
 import com.google.gson.Gson;
 import com.google.gson.JsonSyntaxException;
 import com.google.inject.Inject;
@@ -28,7 +27,6 @@
 import io.cdap.cdap.common.conf.Constants.Gateway;
 import io.cdap.cdap.common.namespace.NamespaceQueryAdmin;
 import io.cdap.cdap.internal.credential.CredentialIdentityManager;
-import io.cdap.cdap.internal.credential.CredentialProfileManager;
 import io.cdap.cdap.internal.namespace.credential.GcpWorkloadIdentityUtil;
 import io.cdap.cdap.proto.NamespaceMeta;
 import io.cdap.cdap.proto.credential.CredentialIdentity;
@@ -71,19 +69,16 @@ public class GcpWorkloadIdentityHttpHandler extends AbstractHttpHandler {
 private final ContextAccessEnforcer accessEnforcer;
 private final NamespaceQueryAdmin namespaceQueryAdmin;
 private final CredentialIdentityManager credentialIdentityManager;
- private final CredentialProfileManager credentialProfileManager;
 private final CredentialProvider credentialProvider;
 @Inject
 GcpWorkloadIdentityHttpHandler(ContextAccessEnforcer accessEnforcer,
 NamespaceQueryAdmin namespaceQueryAdmin,
 CredentialIdentityManager credentialIdentityManager,
- CredentialProfileManager credentialProfileManager,
 CredentialProvider credentialProvider) {
 this.accessEnforcer = accessEnforcer;
 this.namespaceQueryAdmin = namespaceQueryAdmin;
 this.credentialIdentityManager = credentialIdentityManager;
- this.credentialProfileManager = credentialProfileManager;
 this.credentialProvider = credentialProvider;
 }
@@ -103,14 +98,10 @@ public void validateIdentity(FullHttpRequest request, HttpResponder responder,
 accessEnforcer.enforce(new NamespaceId(namespace), NamespacePermission.PROVISION_CREDENTIAL);
 NamespaceWorkloadIdentity namespaceWorkloadIdentity =
 deserializeRequestContent(request, NamespaceWorkloadIdentity.class);
- if (Strings.isNullOrEmpty(namespaceWorkloadIdentity.getIdentity())) {
- throw new BadRequestException("Identity cannot be null or empty.");
- }
 NamespaceMeta namespaceMeta = getNamespaceMeta(namespace);
- validateNamespaceIdentity(namespaceMeta, namespaceWorkloadIdentity);
 CredentialIdentity credentialIdentity = new CredentialIdentity(
 NamespaceId.SYSTEM.getNamespace(), GcpWorkloadIdentityUtil.SYSTEM_PROFILE_NAME,
- namespaceWorkloadIdentity.getIdentity(),
+ namespaceMeta.getIdentity(),
 namespaceWorkloadIdentity.getServiceAccount());
 switchToInternalUser();
 try {
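Review bot: With the identity checks removed, validateIdentity no longer validates anything in the request body, so a body whose `serviceAccount` is missing or empty reaches `new CredentialIdentity(...)` unchecked; the same gap exists in createIdentity in the `@@ -169,11 +160,7 @@` hunk. Unless deserializeRequestContent already rejects that (not visible here), add `if (namespaceWorkloadIdentity.getServiceAccount() == null || namespaceWorkloadIdentity.getServiceAccount().isEmpty()) { throw new BadRequestException("Service account cannot be null or empty."); }` after the deserialization in both methods, which also keeps the 400-on-bad-input contract the removed code had. Taking the identity from `namespaceMeta.getIdentity()` instead of the client is the safer design, but if a namespace can exist without a configured identity that value may be null; the removed validateNamespaceIdentity would have failed on it, whereas now it flows silently into CredentialIdentity and into `getWorkloadIdentityName`, so it is worth rejecting that case with a BadRequestException too. validateIdentity's body continues outside the hunk.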
@@ -146,8 +137,8 @@ public void getIdentity(HttpRequest request, HttpResponder responder,
 if (!identity.isPresent()) {
 throw new NotFoundException("Namespace identity not found.");
 }
- NamespaceWorkloadIdentity workloadIdentity = new NamespaceWorkloadIdentity(
- identity.get().getIdentity(), identity.get().getSecureValue());
+ NamespaceWorkloadIdentity workloadIdentity =
+ new NamespaceWorkloadIdentity(identity.get().getSecureValue());
 responder.sendJson(HttpResponseStatus.OK, GSON.toJson(workloadIdentity));
 }
@@ -169,11 +160,7 @@ public void createIdentity(FullHttpRequest request, HttpResponder responder,
 accessEnforcer.enforce(new NamespaceId(namespace), NamespacePermission.SET_SERVICE_ACCOUNT);
 NamespaceWorkloadIdentity namespaceWorkloadIdentity =
 deserializeRequestContent(request, NamespaceWorkloadIdentity.class);
- if (Strings.isNullOrEmpty(namespaceWorkloadIdentity.getIdentity())) {
- throw new BadRequestException("Identity cannot be null or empty.");
- }
 NamespaceMeta namespaceMeta = getNamespaceMeta(namespace);
- validateNamespaceIdentity(namespaceMeta, namespaceWorkloadIdentity);
 CredentialIdentityId credentialIdentityId = createIdentityIdOrPropagate(namespace,
 GcpWorkloadIdentityUtil.getWorkloadIdentityName(namespaceMeta.getIdentity()));
 switchToInternalUser();
@@ -232,13 +219,6 @@ private void switchToInternalUser() {
 SecurityRequestContext.reset();
 }
- private void validateNamespaceIdentity(NamespaceMeta namespaceMeta, NamespaceWorkloadIdentity identity)
- throws BadRequestException {
- if (!namespaceMeta.getIdentity().equals(identity.getIdentity())) {
- throw new BadRequestException("Incorrect value provided for namespace identity.");
- }
- }
-
 private CredentialIdentityId createIdentityIdOrPropagate(String namespace, String name)
 throws BadRequestException {
 try {
diff --git a/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandlerInternal.java b/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandlerInternal.java
index e2b53f81a0c9..c4405537261f 100644
--- a/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandlerInternal.java
+++ b/cdap-app-fabric/src/main/java/io/cdap/cdap/internal/namespace/credential/handler/GcpWorkloadIdentityHttpHandlerInternal.java
@@ -25,7 +25,6 @@
 import io.cdap.cdap.proto.codec.BasicThrowableCodec;
 import io.cdap.cdap.proto.credential.CredentialProvisioningException;
 import io.cdap.cdap.proto.credential.NamespaceCredentialProvider;
-import io.cdap.cdap.security.spi.authorization.ContextAccessEnforcer;
 import io.cdap.http.AbstractHttpHandler;
 import io.cdap.http.HttpHandler;
 import io.cdap.http.HttpResponder;
@@ -49,13 +48,10 @@ public class GcpWorkloadIdentityHttpHandlerInternal extends AbstractHttpHandler
 BasicThrowable.class, new BasicThrowableCodec()).create();
 private final NamespaceCredentialProvider credentialProvider;
- private final ContextAccessEnforcer accessEnforcer;
 @Inject
- GcpWorkloadIdentityHttpHandlerInternal(
- ContextAccessEnforcer accessEnforcer, NamespaceCredentialProvider credentialProvider) {
+ GcpWorkloadIdentityHttpHandlerInternal(NamespaceCredentialProvider credentialProvider) {
 this.credentialProvider = credentialProvider;
- this.accessEnforcer = accessEnforcer;
 }
 /**
diff --git a/cdap-proto/src/main/java/io/cdap/cdap/proto/credential/NamespaceWorkloadIdentity.java b/cdap-proto/src/main/java/io/cdap/cdap/proto/credential/NamespaceWorkloadIdentity.java
index 2e8d827a8dd8..7511adbfa10e 100644
--- a/cdap-proto/src/main/java/io/cdap/cdap/proto/credential/NamespaceWorkloadIdentity.java
+++ b/cdap-proto/src/main/java/io/cdap/cdap/proto/credential/NamespaceWorkloadIdentity.java
@@ -20,26 +20,17 @@
 * Defines an identity for credential provisioning.
 */
 public class NamespaceWorkloadIdentity {
-
- private final String identity;
 private final String serviceAccount;
 /**
 * Constructs a namespace identity.
 *
- * @param identity The identity.
 * @param serviceAccount The serviceAccount to store for the identity.
 */
- public NamespaceWorkloadIdentity(String identity,
- String serviceAccount) {
- this.identity = identity;
+ public NamespaceWorkloadIdentity(String serviceAccount) {
 this.serviceAccount = serviceAccount;
 }
- public String getIdentity() {
- return identity;
- }
-
 public String getServiceAccount() {
 return serviceAccount;
 }
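Review bot: The class and constructor Javadoc in this hunk still describe the object as an identity (`Defines an identity for credential provisioning.`, `Constructs a namespace identity.`) even though the identity field and getter are removed and only the service account remains. Reword the class summary to something like `Request/response body for a namespace workload identity; carries only the service account bound to it.` and the constructor summary to `Constructs the workload identity payload for the given service account.`. If deserialization is Gson-based, as the handler's imports suggest, an `identity` key still sent by older clients is now silently ignored, so a sentence in the class Javadoc stating that the identity is derived server-side from the namespace would save callers from expecting it to be honored.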