new/appcreds: added NewWithOptions (#74)

Also add option to define the max issued token validity
PaloAltoNetworks · Jun 3, 2020 · b49628f · b49628f
1 parent d8f3a2a
commit b49628f
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 3 deletions.
diff --git a/appcreds/appcreds.go b/appcreds/appcreds.go
@@ -22,13 +22,20 @@ import (
 	"go.aporeto.io/tg/tglib"
 )
 
-// New creates a new *gaia.AppCredential.
-func New(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, subnets []string) (*gaia.AppCredential, error) {
+// NewWithOptions returns an *gaia.AppCredential according to the
+// provided configuration.
+func NewWithOptions(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, options ...Option) (*gaia.AppCredential, error) {
+
+	cfg := newConfig()
+	for _, opt := range options {
+		opt(&cfg)
+	}
 
 	creds := gaia.NewAppCredential()
 	creds.Name = name
 	creds.Roles = roles
-	creds.AuthorizedSubnets = subnets
+	creds.AuthorizedSubnets = cfg.subnets
+	creds.MaxIssuedTokenValidity = cfg.maxValidity.String()
 
 	if err := Create(ctx, m, namespace, creds); err != nil {
 		return nil, err
@@ -37,6 +44,15 @@ func New(ctx context.Context, m manipulate.Manipulator, namespace string, name s
 	return creds, nil
 }
 
+// New creates a new *gaia.AppCredential.
+func New(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, subnets []string) (*gaia.AppCredential, error) {
+
+	return NewWithOptions(
+		ctx, m, namespace, name, roles,
+		OptionSubnets(subnets),
+	)
+}
+
 // Create generates a new CSR for the provided app credential and calls the upstream service using the supplied
 // manipulator to provision the app credential. The returned credential will have the private key used to generate the CSR
 // added back as an attribute. An error and a nil app cred reference is returned if CSR generation or the API call to the

diff --git a/appcreds/options.go b/appcreds/options.go
@@ -0,0 +1,31 @@
+package appcreds
+
+import "time"
+
+type config struct {
+	subnets     []string
+	maxValidity time.Duration
+}
+
+func newConfig() config {
+	return config{}
+}
+
+// An Option can be used to configure a new appcred.
+type Option func(*config)
+
+// OptionSubnets configures the appcred to only
+// work when used from one of the provided subnet.
+func OptionSubnets(subnets []string) Option {
+	return func(c *config) {
+		c.subnets = subnets
+	}
+}
+
+// OptionMaxValidity configures the appcred to only capable
+// of delivering token with the provided max validity.
+func OptionMaxValidity(max time.Duration) Option {
+	return func(c *config) {
+		c.maxValidity = max
+	}
+}
diff --git a/appcreds/options_test.go b/appcreds/options_test.go
@@ -0,0 +1,29 @@
+package appcreds
+
+import (
+	"testing"
+	"time"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestOptions(t *testing.T) {
+
+	Convey("calling newConfig should work", t, func() {
+		cfg := newConfig()
+		So(cfg.subnets, ShouldBeNil)
+		So(cfg.maxValidity, ShouldEqual, 0)
+	})
+
+	Convey("calling OptionSubnets should work", t, func() {
+		cfg := newConfig()
+		OptionSubnets([]string{"1.2.3.4/4"})(&cfg)
+		So(cfg.subnets, ShouldResemble, []string{"1.2.3.4/4"})
+	})
+
+	Convey("calling OptionMaxValidity should work", t, func() {
+		cfg := newConfig()
+		OptionMaxValidity(3 * time.Minute)(&cfg)
+		So(cfg.maxValidity, ShouldEqual, 3*time.Minute)
+	})
+}
diff --git a/go.mod b/go.mod
@@ -24,3 +24,5 @@ require (
 	golang.org/x/tools v0.0.0-20200226171234-020676185e75 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
+
+replace go.aporeto.io/gaia => go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7
diff --git a/go.sum b/go.sum
@@ -207,6 +207,8 @@ go.aporeto.io/elemental v1.100.1-0.20200507181306-04bb5d99c40b h1:4qCgUQTl/SliFu
 go.aporeto.io/elemental v1.100.1-0.20200507181306-04bb5d99c40b/go.mod h1:Sy/SOOvxrPrk0KfDH0393Dw58GvstAsipd9afF80BUw=
 go.aporeto.io/gaia v1.94.1-0.20200526193011-9121839fecd5 h1:HfNhvv/pX8UM3REC5v/XZrfFtEyF6/AzxiKiRHtEY3E=
 go.aporeto.io/gaia v1.94.1-0.20200526193011-9121839fecd5/go.mod h1:QG7NZb0tNqivQcS/gFJzW9bgSIAXktdk/C71BJsif8Q=
+go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7 h1:Th3vvwh+idj1iQcX59KnRD5fqqn5d1oek8kE+TFATrE=
+go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7/go.mod h1:QG7NZb0tNqivQcS/gFJzW9bgSIAXktdk/C71BJsif8Q=
 go.aporeto.io/manipulate v1.114.1-0.20200507181335-716acb6ba06d h1:c0KUcdFyHmSb7SFRDb27nmK7Z/r2MJkYfHFHLg+jlRk=
 go.aporeto.io/manipulate v1.114.1-0.20200507181335-716acb6ba06d/go.mod h1:VxbbA50osGONO/uDtVx7uz1/Vqsa7Sr70PewgB1rQP8=
 go.aporeto.io/regolithe v1.50.1-0.20200507173956-ac0245f292d1/go.mod h1:+CaUtk6vhi0QJKdW6rabnCbqXUUBzQeQb6uMUNzmqZE=