Initial implementation of role config management

Signed-off-by: Ben <[email protected]>
noobaa · Nov 9, 2023 · 8c4e21b · 8c4e21b
1 parent a8b52d0
commit 8c4e21b
Show file tree

Hide file tree

Showing 4 changed files with 176 additions and 0 deletions.
diff --git a/pkg/cli/cli.go b/pkg/cli/cli.go
@@ -21,6 +21,7 @@ import (
 	"github.com/noobaa/noobaa-operator/v5/pkg/operator"
 	"github.com/noobaa/noobaa-operator/v5/pkg/options"
 	"github.com/noobaa/noobaa-operator/v5/pkg/pvstore"
+	"github.com/noobaa/noobaa-operator/v5/pkg/sts"
 	"github.com/noobaa/noobaa-operator/v5/pkg/system"
 	"github.com/noobaa/noobaa-operator/v5/pkg/util"
 	"github.com/noobaa/noobaa-operator/v5/pkg/version"
@@ -132,6 +133,7 @@ Load noobaa completion to bash:
 			diagnostics.CmdDiagnoseDeprecated(),
 			diagnostics.CmdDbDumpDeprecated(),
 			diagnostics.Cmd(),
+			sts.Cmd(),
 		},
 	}, {
 		Message: "Advanced:",

diff --git a/pkg/nb/api.go b/pkg/nb/api.go
@@ -43,6 +43,7 @@ type Client interface {
 	DeletePoolAPI(DeletePoolParams) error
 	DeleteNamespaceResourceAPI(DeleteNamespaceResourceParams) error
 
+	UpdateAccount(UpdateAccountParams) error
 	UpdateAccountS3Access(UpdateAccountS3AccessParams) error
 	UpdateAllBucketsDefaultPool(UpdateDefaultResourceParams) error
 	UpdateBucketClass(UpdateBucketClassParams) (BucketClassInfo, error)
@@ -326,6 +327,12 @@ func (c *RPCClient) DeletePoolAPI(params DeletePoolParams) error {
 	return c.Call(req, nil)
 }
 
+// UpdateAccount calls account_api.update_account()
+func (c *RPCClient) UpdateAccount(params UpdateAccountParams) error {
+	req := &RPCMessage{API: "account_api", Method: "update_account", Params: params}
+	return c.Call(req, nil)
+}
+
 // UpdateAccountS3Access calls account_api.update_account_s3_access()
 func (c *RPCClient) UpdateAccountS3Access(params UpdateAccountS3AccessParams) error {
 	req := &RPCMessage{API: "account_api", Method: "update_account_s3_access", Params: params}

diff --git a/pkg/nb/types.go b/pkg/nb/types.go
@@ -571,6 +571,23 @@ type DeleteNamespaceResourceParams struct {
 	Name string `json:"name"`
 }
 
+// UpdateAccountParams is the params of account_api.update_account_s3_access()
+type UpdateAccountParams struct {
+	Name                *string                  `json:"username,omitempty"`
+	Email               string                   `json:"email"`
+	MustChangePassword  *bool                    `json:"must_change_password,omitempty"`
+	NewEmail            *string                  `json:"new_email,omitempty"`
+	ForceMd5Etag        *bool                    `json:"force_md5_etag,omitempty"`
+	AllowedIPs          []struct {
+		Start   string `json:"start"`
+		End     string `json:"end"`
+	} `json:"ips,omitempty"`
+	Preferences         *struct{
+	    UITheme string `json:"ui_theme"`
+	} `json:"preferences,omitempty"`
+	RoleConfig          interface{}             `json:"role_config,omitempty"`
+}
+
 // UpdateAccountS3AccessParams is the params of account_api.update_account_s3_access()
 type UpdateAccountS3AccessParams struct {
 	Email               string                  `json:"email"`

diff --git a/pkg/sts/sts.go b/pkg/sts/sts.go
@@ -0,0 +1,150 @@
+package sts
+
+import (
+	"encoding/json"
+	"log"
+
+	"github.com/noobaa/noobaa-operator/v5/pkg/nb"
+	"github.com/noobaa/noobaa-operator/v5/pkg/system"
+	"github.com/noobaa/noobaa-operator/v5/pkg/util"
+
+	"github.com/spf13/cobra"
+)
+
+// Cmd returns a CLI command
+func Cmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "sts",
+		Short: "Manage the NooBaa Scurity Token Service",
+		Long: "Manage the NooBaa Scurity Token Service by assigning, updating or removing a NooBaa account's role config.\n" +
+			"The role config object must contain the keys 'role_name' and 'assume_role_policy', with their respective values.",
+	}
+	cmd.AddCommand(
+		CmdCreate(),
+		CmdUpdate(),
+		CmdRemove(),
+	)
+	return cmd
+}
+
+// CmdCreate returns a CLI command
+func CmdCreate() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "assign-role <noobaa-account-name> <role-config>",
+		Short: "Assign a role config to a NooBaa account",
+		Run:   RunUpdate,
+	}
+	cmd.Flags().String("email", "", "The email of the account that will be updated")
+	cmd.MarkFlagRequired("email")
+	cmd.Flags().String("role_config", "", "The new value that the account's role_config should be set to")
+	cmd.MarkFlagRequired("role_config")
+	return cmd
+}
+
+// CmdUpdate returns a CLI command
+func CmdUpdate() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "update-role <noobaa-accout-email> <role-config>",
+		Short: "Update a NooBaa account's role config",
+		Run:   RunUpdate,
+	}
+	cmd.Flags().String("email", "", "The email of the account that will be updated")
+	cmd.MarkFlagRequired("email")
+	cmd.Flags().String("role_config", "", "The new value that the account's role_config should be set to")
+	cmd.MarkFlagRequired("role_config")
+	return cmd
+}
+
+// CmdRemove returns a CLI command
+func CmdRemove() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "remove-role <noobaa-account-name>",
+		Short: "Remove a NooBaa account's role config",
+		Run:   RunRemove,
+	}
+	cmd.Flags().String("email", "", "The email of the account that will be updated")
+	cmd.MarkFlagRequired("email")
+	return cmd
+}
+
+// RunUpdate runs a CLI command
+func RunUpdate(cmd *cobra.Command, args []string) {
+	log := util.Logger()
+	email, _ := cmd.Flags().GetString("email")
+	roleConfig, _ := cmd.Flags().GetString("role_config")
+
+	if !json.Valid([]byte(roleConfig)) {
+		log.Fatalf(`❌ The provided role configuration is not valid JSON`)
+	}
+
+	sysClient, err := system.Connect(true)
+	if err != nil {
+		log.Fatalf(`❌ Failed to create RPC client %s`, err)
+	}
+	NBClient := sysClient.NBClient
+
+	var roleConfigObject interface{}
+	err = json.Unmarshal([]byte(roleConfig), &roleConfigObject)
+	if err != nil {
+		log.Fatalf("❌ Failed to parse role config - %s", err)
+	}
+	readAccountParams := nb.ReadAccountParams{Email: email}
+	accountInfo, err := NBClient.ReadAccountAPI(readAccountParams)
+	UpdateAccountParams := nb.UpdateAccountParams{
+		Email:      email,
+		AllowedIPs: accountInfo.AllowedIPs,
+		RoleConfig: roleConfigObject,
+	}
+
+	err = NBClient.UpdateAccount(UpdateAccountParams)
+	if err != nil {
+		log.Fatalf(`❌ Failed to update account - %s`, err)
+	}
+}
+
+// RunRemove runs a CLI command
+func RunRemove(cmd *cobra.Command, args []string) {
+	email, _ := cmd.Flags().GetString("email")
+
+	sysClient, err := system.Connect(true)
+	if err != nil {
+		log.Fatalf(`❌ Failed to create RPC client %s`, err)
+	}
+	NBClient := sysClient.NBClient
+
+	readAccountParams := nb.ReadAccountParams{Email: email}
+	accountInfo, _ := NBClient.ReadAccountAPI(readAccountParams)
+	var rolePolicyDeletion any
+	err = json.Unmarshal([]byte(`
+	{
+		"delete": true,
+		"role_name": "dummy-config", 
+		"assume_role_policy": 
+			{
+				"version": "2012-10-17",
+				"statement": 
+				[
+					{
+						"effect": "allow",
+						"principal": ["*"],
+						"action": ["sts:AssumeRole"]
+					}
+				]
+			}
+	}`), &rolePolicyDeletion)
+
+	if err != nil {
+		log.Fatalf(`❌ Failed to unmarshal the deletion config - %s`, err)
+	}
+
+	UpdateAccountParams := nb.UpdateAccountParams{
+		Email:      email,
+		AllowedIPs: accountInfo.AllowedIPs,
+		RoleConfig: rolePolicyDeletion,
+	}
+
+	err = NBClient.UpdateAccount(UpdateAccountParams)
+	if err != nil {
+		log.Fatalf(`❌ Failed to remove the requested role config - %s`, err)
+	}
+}