diff --git a/appcreds/appcreds.go b/appcreds/appcreds.go
index 648bd54..713e2cd 100644
--- a/appcreds/appcreds.go
+++ b/appcreds/appcreds.go
@@ -22,13 +22,20 @@ import (
 	"go.aporeto.io/tg/tglib"
 )
 
-// New creates a new *gaia.AppCredential.
-func New(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, subnets []string) (*gaia.AppCredential, error) {
+// NewWithOptions returns an *gaia.AppCredential according to the
+// provided configuration.
+func NewWithOptions(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, options ...Option) (*gaia.AppCredential, error) {
+
+	cfg := newConfig()
+	for _, opt := range options {
+		opt(&cfg)
+	}
 
 	creds := gaia.NewAppCredential()
 	creds.Name = name
 	creds.Roles = roles
-	creds.AuthorizedSubnets = subnets
+	creds.AuthorizedSubnets = cfg.subnets
+	creds.MaxIssuedTokenValidity = cfg.maxValidity.String()
 
 	if err := Create(ctx, m, namespace, creds); err != nil {
 		return nil, err
@@ -37,6 +44,15 @@ func New(ctx context.Context, m manipulate.Manipulator, namespace string, name s
 	return creds, nil
 }
 
+// New creates a new *gaia.AppCredential.
+func New(ctx context.Context, m manipulate.Manipulator, namespace string, name string, roles []string, subnets []string) (*gaia.AppCredential, error) {
+
+	return NewWithOptions(
+		ctx, m, namespace, name, roles,
+		OptionSubnets(subnets),
+	)
+}
+
 // Create generates a new CSR for the provided app credential and calls the upstream service using the supplied
 // manipulator to provision the app credential. The returned credential will have the private key used to generate the CSR
 // added back as an attribute. An error and a nil app cred reference is returned if CSR generation or the API call to the
diff --git a/appcreds/options.go b/appcreds/options.go
new file mode 100644
index 0000000..5d523fd
--- /dev/null
+++ b/appcreds/options.go
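Review bot: `creds.MaxIssuedTokenValidity = cfg.maxValidity.String()` is assigned unconditionally, so a caller that passes no OptionMaxValidity (including the compatibility wrapper New in the next hunk) now sends the string `"0s"` where the previous code left the field untouched; whether the upstream reads "0s" as "no limit", as a zero-lifetime token or as a validation error is not visible here, but it is a behaviour change for every existing caller either way. Guard the assignment so the field is only populated when a validity was actually requested: `if cfg.maxValidity > 0 {` / `creds.MaxIssuedTokenValidity = cfg.maxValidity.String()` / `}`. A negative duration is likewise serialised verbatim (for example "-3m0s"), so it is worth rejecting before Create is called rather than letting the server decide. The new doc comment should also read "returns a *gaia.AppCredential" rather than "an". NewWithOptions continues past the end of this hunk.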
@@ -0,0 +1,31 @@
+package appcreds
+
+import "time"
+
+type config struct {
+	subnets     []string
+	maxValidity time.Duration
+}
+
+func newConfig() config {
+	return config{}
+}
+
+// An Option can be used to configure a new appcred.
+type Option func(*config)
+
+// OptionSubnets configures the appcred to only
+// work when used from one of the provided subnet.
+func OptionSubnets(subnets []string) Option {
+	return func(c *config) {
+		c.subnets = subnets
+	}
+}
+
+// OptionMaxValidity configures the appcred to only capable
+// of delivering token with the provided max validity.
+func OptionMaxValidity(max time.Duration) Option {
+	return func(c *config) {
+		c.maxValidity = max
+	}
+}
diff --git a/appcreds/options_test.go b/appcreds/options_test.go
new file mode 100644
index 0000000..f074277
--- /dev/null
+++ b/appcreds/options_test.go
@@ -0,0 +1,29 @@
+package appcreds
+
+import (
+	"testing"
+	"time"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestOptions(t *testing.T) {
+
+	Convey("calling newConfig should work", t, func() {
+		cfg := newConfig()
+		So(cfg.subnets, ShouldBeNil)
+		So(cfg.maxValidity, ShouldEqual, 0)
+	})
+
+	Convey("calling OptionSubnets should work", t, func() {
+		cfg := newConfig()
+		OptionSubnets([]string{"1.2.3.4/4"})(&cfg)
+		So(cfg.subnets, ShouldResemble, []string{"1.2.3.4/4"})
+	})
+
+	Convey("calling OptionMaxValidity should work", t, func() {
+		cfg := newConfig()
+		OptionMaxValidity(3 * time.Minute)(&cfg)
+		So(cfg.maxValidity, ShouldEqual, 3*time.Minute)
+	})
+}
diff --git a/go.mod b/go.mod
index 5d1ddf1..458fc35 100644
--- a/go.mod
+++ b/go.mod
@@ -24,3 +24,5 @@ require (
 	golang.org/x/tools v0.0.0-20200226171234-020676185e75 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
+
+replace go.aporeto.io/gaia => go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7
diff --git a/go.sum b/go.sum
index 10e175d..6c02314 100644
--- a/go.sum
+++ b/go.sum
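Review bot: OptionSubnets stores the caller's slice by reference (`c.subnets = subnets`), so a caller that reuses or mutates that slice after building the option changes the subnet restriction the credential is created with; copying at the boundary, `c.subnets = append([]string(nil), subnets...)`, keeps the option value-like. In OptionMaxValidity the parameter name `max` shadows the builtin `max` (Go 1.21+) and trips the usual linters; `func OptionMaxValidity(validity time.Duration) Option {` with `c.maxValidity = validity` avoids that. Both doc comments have grammar slips; suggested wording: `// OptionSubnets restricts the appcred to only be usable from one of the provided subnets.` and `// OptionMaxValidity limits the validity of the tokens the appcred can deliver to the provided duration.` Since NewWithOptions in appcreds.go serialises maxValidity whether or not this option was applied, the OptionMaxValidity comment should also state what a zero (unset) value means for the resulting credential, if that is defined.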
@@ -207,6 +207,8 @@ go.aporeto.io/elemental v1.100.1-0.20200507181306-04bb5d99c40b h1:4qCgUQTl/SliFu
 go.aporeto.io/elemental v1.100.1-0.20200507181306-04bb5d99c40b/go.mod h1:Sy/SOOvxrPrk0KfDH0393Dw58GvstAsipd9afF80BUw=
 go.aporeto.io/gaia v1.94.1-0.20200526193011-9121839fecd5 h1:HfNhvv/pX8UM3REC5v/XZrfFtEyF6/AzxiKiRHtEY3E=
 go.aporeto.io/gaia v1.94.1-0.20200526193011-9121839fecd5/go.mod h1:QG7NZb0tNqivQcS/gFJzW9bgSIAXktdk/C71BJsif8Q=
+go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7 h1:Th3vvwh+idj1iQcX59KnRD5fqqn5d1oek8kE+TFATrE=
+go.aporeto.io/gaia v1.94.1-0.20200603182337-2b86363a94b7/go.mod h1:QG7NZb0tNqivQcS/gFJzW9bgSIAXktdk/C71BJsif8Q=
 go.aporeto.io/manipulate v1.114.1-0.20200507181335-716acb6ba06d h1:c0KUcdFyHmSb7SFRDb27nmK7Z/r2MJkYfHFHLg+jlRk=
 go.aporeto.io/manipulate v1.114.1-0.20200507181335-716acb6ba06d/go.mod h1:VxbbA50osGONO/uDtVx7uz1/Vqsa7Sr70PewgB1rQP8=
 go.aporeto.io/regolithe v1.50.1-0.20200507173956-ac0245f292d1/go.mod h1:+CaUtk6vhi0QJKdW6rabnCbqXUUBzQeQb6uMUNzmqZE=