Merge pull request #219 from yjinjo/master

Add service account agent mode

Author: yjinjo

pkg/pip_requirements.txt

@@ -3,4 +3,4 @@ langcodes
 bcrypt
 jinja2
 fakeredis
-pytz
+pytz

src/spaceone/identity/interface/grpc/service_account.py

@@ -1,5 +1,6 @@
+from google.protobuf.json_format import ParseDict
 from spaceone.core.pygrpc import BaseAPI
-from spaceone.api.identity.v2 import service_account_pb2, service_account_pb2_grpc
+from spaceone.api.identity.v2 import service_account_pb2, service_account_pb2_grpc, app_pb2
 from spaceone.identity.service.service_account_service import (
     ServiceAccountService,
 )
@@ -15,6 +16,12 @@ def create(self, request, context):
         response: dict = service_account_svc.create(params)
         return self.dict_to_message(response)
 
+    def create_app(self, request, context):
+        params, metadata = self.parse_request(request, context)
+        service_account_svc = ServiceAccountService(metadata)
+        response: dict = service_account_svc.create_app(params)
+        return ParseDict(response, app_pb2.AppInfo())
+
     def update(self, request, context):
         params, metadata = self.parse_request(request, context)
         service_account_svc = ServiceAccountService(metadata)
@@ -39,6 +46,30 @@ def delete(self, request, context):
         service_account_svc.delete(params)
         return self.empty()
 
+    def enable_app(self, request, context):
+        params, metadata = self.parse_request(request, context)
+        service_account_svc = ServiceAccountService(metadata)
+        response: dict = service_account_svc.enable_app(params)
+        return ParseDict(response, app_pb2.AppInfo())
+
+    def disable_app(self, request, context):
+        params, metadata = self.parse_request(request, context)
+        service_account_svc = ServiceAccountService(metadata)
+        response: dict = service_account_svc.disable_app(params)
+        return ParseDict(response, app_pb2.AppInfo())
+
+    def regenerate_app(self, request, context):
+        params, metadata = self.parse_request(request, context)
+        service_account_svc = ServiceAccountService(metadata)
+        response: dict = service_account_svc.regenerate_app(params)
+        return ParseDict(response, app_pb2.AppInfo())
+
+    def delete_app(self, request, context):
+        params, metadata = self.parse_request(request, context)
+        service_account_svc = ServiceAccountService(metadata)
+        service_account_svc.delete_app(params)
+        return self.empty()
+
     def get(self, request, context):
         params, metadata = self.parse_request(request, context)
         service_account_svc = ServiceAccountService(metadata)

src/spaceone/identity/lib/key_generator.py

@@ -11,13 +11,13 @@
 
 class KeyGenerator:
     def __init__(
-            self,
-            prv_jwk: dict,
-            domain_id: str,
-            owner_type: str,
-            audience: str,
-            client_id: str = None,
-            refresh_prv_jwk: dict = None,
+        self,
+        prv_jwk: dict,
+        domain_id: str,
+        owner_type: str,
+        audience: str,
+        client_id: str = None,
+        refresh_prv_jwk: dict = None,
     ):
         self.prv_jwk = prv_jwk
         self.domain_id = domain_id
@@ -33,14 +33,15 @@ def _check_parameter(self):
             raise ERROR_GENERATE_KEY_FAILURE()
 
     def generate_token(
-            self,
-            token_type: str,
-            expired_at: str = None,
-            timeout: int = None,
-            role_type: str = None,
-            workspace_id: str = None,
-            permissions: list = None,
-            projects: list = None,
+        self,
+        token_type: str,
+        expired_at: str = None,
+        timeout: int = None,
+        role_type: str = None,
+        workspace_id: str = None,
+        permissions: list = None,
+        projects: list = None,
+        injected_params: dict = None,
     ) -> str:
         payload = {
             "iss": "spaceone.identity",
@@ -70,6 +71,9 @@ def generate_token(
         if projects and len(projects) > 0:
             payload["projects"] = projects
 
+        if injected_params:
+            payload["injected_params"] = injected_params
+
         if token_type == "REFRESH_TOKEN":
             return JWTUtil.encode(payload, self.refresh_prv_jwk)
         else:
@@ -91,5 +95,6 @@ def _print_key(payload: dict):
             f'jti: {payload.get("jti")}, '
             f'projects: {payload.get("projects")},'
             f'permissions: {payload.get("permissions")},'
+            f'injected_params: {payload.get("injected_params")},'
             f'ver: {payload.get("ver")} )'
         )

src/spaceone/identity/manager/app_manager.py

@@ -54,6 +54,7 @@ def get_app(
         app_id: str,
         domain_id: str,
         workspace_id: Union[str, None] = None,
+        service_account_id: Union[str, None] = None,
     ) -> App:
         conditions = {
             "app_id": app_id,
@@ -63,6 +64,9 @@ def get_app(
         if workspace_id:
             conditions["workspace_id"] = workspace_id
 
+        if service_account_id:
+            conditions["service_account_id"] = service_account_id
+
         return self.app_model.get(**conditions)
 
     def filter_apps(self, **conditions) -> QuerySet:

src/spaceone/identity/manager/client_secret_manager.py

@@ -19,6 +19,7 @@ def generate_client_secret(
         role_type: str,
         workspace_id: str = None,
         permissions: list = None,
+        injected_params: dict = None,
     ) -> Tuple[str, str]:
         domain_secret_mgr = DomainSecretManager()
         prv_jwk = domain_secret_mgr.get_domain_private_key(domain_id)
@@ -40,6 +41,7 @@ def generate_client_secret(
             role_type=role_type,
             workspace_id=workspace_id,
             permissions=permissions,
+            injected_params=injected_params,
         )
 
         return client_id, client_secret

src/spaceone/identity/model/app/database.py

@@ -8,6 +8,7 @@ class App(MongoModel):
     state = StringField(
         max_length=20, default="ENABLED", choices=("ENABLED", "DISABLED", "EXPIRED")
     )
+    is_managed = BooleanField(default=False)
     tags = DictField(default=None)
     role_type = StringField(
         max_length=20,
@@ -18,6 +19,7 @@ class App(MongoModel):
     )
     client_id = StringField(max_length=40, default=None, null=True)
     role_id = StringField(max_length=40, required=True)
+    service_account_id = StringField(max_length=40, default=None, null=True)
     resource_group = StringField(max_length=40, choices=("DOMAIN", "WORKSPACE"))
     workspace_id = StringField(max_length=40)
     domain_id = StringField(max_length=40)
@@ -30,6 +32,7 @@ class App(MongoModel):
             "name",
             "state",
             "client_id",
+            "service_account_id",
             "tags",
             "expired_at",
             "last_accessed_at",

src/spaceone/identity/model/app/response.py

@@ -19,9 +19,11 @@ class AppResponse(BaseModel):
     name: Union[str, None] = None
     state: Union[State, None] = None
     tags: Union[dict, None] = None
+    is_managed: Union[bool, None] = None
     role_type: Union[RoleType, None] = None
     client_id: Union[str, None] = None
     role_id: Union[str, None] = None
+    service_account_id: Union[str, None] = None
     resource_group: Union[ResourceGroup, None] = None
     workspace_id: Union[str, None] = None
     domain_id: Union[str, None] = None

src/spaceone/identity/model/service_account/database.py

@@ -7,9 +7,11 @@ class ServiceAccount(MongoModel):
     name = StringField(max_length=255, unique_with=["domain_id", "workspace_id"])
     data = DictField(default=None)
     provider = StringField(max_length=40)
+    options = DictField(default=None)
     tags = DictField(default=None)
     secret_schema_id = StringField(max_length=40)
     secret_id = StringField(max_length=40)
+    app_id = StringField(max_length=40, null=True, default=None)
     trusted_account_id = StringField(max_length=40, null=True, default=None)
     project_id = StringField(max_length=40)
     workspace_id = StringField(max_length=40)
@@ -20,9 +22,11 @@ class ServiceAccount(MongoModel):
         "updatable_fields": [
             "name",
             "data",
+            "options",
             "tags",
             "secret_schema_id",
             "secret_id",
+            "app_id",
             "trusted_account_id",
             "project_id",
         ],

src/spaceone/identity/model/service_account/request.py

@@ -1,13 +1,17 @@
-from datetime import datetime
-from typing import Union, Literal
+from typing import Union
 from pydantic import BaseModel
 
 __all__ = [
     "ServiceAccountCreateRequest",
+    "ServiceAccountCreateAppRequest",
     "ServiceAccountUpdateRequest",
     "ServiceAccountUpdateSecretRequest",
     "ServiceAccountDeleteSecretRequest",
     "ServiceAccountDeleteRequest",
+    "ServiceAccountEnableAppRequest",
+    "ServiceAccountDisableAppRequest",
+    "ServiceAccountRegenerateAppRequest",
+    "ServiceAccountDeleteAppRequest",
     "ServiceAccountGetRequest",
     "ServiceAccountSearchQueryRequest",
     "ServiceAccountStatQueryRequest",
@@ -27,6 +31,14 @@ class ServiceAccountCreateRequest(BaseModel):
     domain_id: str
 
 
+class ServiceAccountCreateAppRequest(BaseModel):
+    service_account_id: str
+    options: Union[dict, None] = None
+    workspace_id: Union[str, None] = None
+    domain_id: str
+    user_projects: Union[list, None] = None
+
+
 class ServiceAccountUpdateRequest(BaseModel):
     service_account_id: str
     name: Union[str, None] = None
@@ -62,6 +74,34 @@ class ServiceAccountDeleteRequest(BaseModel):
     user_projects: Union[list, None] = None
 
 
+class ServiceAccountEnableAppRequest(BaseModel):
+    service_account_id: str
+    workspace_id: Union[str, None] = None
+    domain_id: str
+    user_projects: Union[list, None] = None
+
+
+class ServiceAccountDisableAppRequest(BaseModel):
+    service_account_id: str
+    workspace_id: Union[str, None] = None
+    domain_id: str
+    user_projects: Union[list, None] = None
+
+
+class ServiceAccountRegenerateAppRequest(BaseModel):
+    service_account_id: str
+    workspace_id: Union[str, None] = None
+    domain_id: str
+    user_projects: Union[list, None] = None
+
+
+class ServiceAccountDeleteAppRequest(BaseModel):
+    service_account_id: str
+    workspace_id: Union[str, None] = None
+    domain_id: str
+    user_projects: Union[list, None] = None
+
+
 class ServiceAccountGetRequest(BaseModel):
     service_account_id: str
     workspace_id: Union[str, None] = None

src/spaceone/identity/model/service_account/response.py

@@ -1,5 +1,5 @@
 from datetime import datetime
-from typing import Union, Literal, List
+from typing import Union, List
 from pydantic import BaseModel
 from spaceone.core import utils
 
@@ -11,9 +11,11 @@ class ServiceAccountResponse(BaseModel):
     name: Union[str, None] = None
     data: Union[dict, None] = None
     provider: Union[str, None] = None
+    options: Union[dict, None] = None
     tags: Union[dict, None] = None
     secret_schema_id: Union[str, None] = None
     secret_id: Union[str, None] = None
+    app_id: Union[str, None] = None
     trusted_account_id: Union[str, None] = None
     project_id: Union[str, None] = None
     workspace_id: Union[str, None] = None

src/spaceone/identity/service/app_service.py

@@ -192,6 +192,10 @@ def enable(self, params: AppEnableRequest) -> Union[AppResponse, dict]:
             params.workspace_id,
         )
         app_vo = self.app_mgr.enable_app(app_vo)
+
+        if app_vo.is_managed:
+            raise ERROR_PERMISSION_DENIED(key="app_id", _message="Managed App cannot be enabled.")
+
         return AppResponse(**app_vo.to_dict())
 
     @transaction(
@@ -214,6 +218,10 @@ def disable(self, params: AppDisableRequest) -> Union[AppResponse, dict]:
             params.workspace_id,
         )
         app_vo = self.app_mgr.disable_app(app_vo)
+
+        if app_vo.is_managed:
+            raise ERROR_PERMISSION_DENIED(key="app_id", _message="Managed App cannot be disabled.")
+
         return AppResponse(**app_vo.to_dict())
 
     @transaction(
@@ -237,6 +245,10 @@ def delete(self, params: AppDeleteRequest) -> None:
             params.domain_id,
             params.workspace_id,
         )
+
+        if app_vo.is_managed:
+            raise ERROR_PERMISSION_DENIED(key="app_id", _message="Managed App cannot be deleted.")
+
         self.app_mgr.delete_app_by_vo(app_vo)
 
     @transaction(