From 0028df21bc9ab70ee0d3c856a0bec738ce3faef6 Mon Sep 17 00:00:00 2001 From: alesstimec Date: Thu, 4 Apr 2024 10:29:21 +0200 Subject: [PATCH] Various OAuth fixes - fixes the proxy session token verification - changes the format of the client credentials client id bringing it in line with juju user tags - various local testing fixes --- cmd/jaas/cmd/addserviceaccount_test.go | 2 +- cmd/jaas/cmd/grant_test.go | 2 +- .../cmd/listserviceaccountcredentials_test.go | 2 +- cmd/jaas/cmd/updatecredentials_test.go | 18 ++++---- docker-compose.yaml | 9 +++- go.mod | 17 ++++---- go.sum | 41 +++++++++++------- internal/auth/oauth2_test.go | 2 +- internal/jimm/service_account_test.go | 8 ++-- internal/jujuapi/admin_test.go | 4 +- internal/jujuapi/service_account_test.go | 42 +++++++++---------- internal/rpc/proxy.go | 9 ++-- local/jimm/setup-controller.sh | 2 +- local/keycloak/jimm-realm.json | 2 +- local/traefik/traefik.yaml | 13 +++--- pkg/names/service_account.go | 18 ++++---- pkg/names/service_account_test.go | 22 ++++++---- 17 files changed, 118 insertions(+), 95 deletions(-) diff --git a/cmd/jaas/cmd/addserviceaccount_test.go b/cmd/jaas/cmd/addserviceaccount_test.go index 18ed7f18e..565ae5d53 100644 --- a/cmd/jaas/cmd/addserviceaccount_test.go +++ b/cmd/jaas/cmd/addserviceaccount_test.go @@ -24,7 +24,7 @@ type addServiceAccountSuite struct { var _ = gc.Suite(&addServiceAccountSuite{}) func (s *addServiceAccountSuite) TestAddServiceAccount(c *gc.C) { - clientID := "abda51b2-d735-4794-a8bd-49c506baa4af" + clientID := "abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com" // alice is superuser bClient := jimmtest.NewUserSessionLogin(c, "alice") _, err := cmdtesting.RunCommand(c, cmd.NewAddServiceAccountCommandForTesting(s.ClientStore(), bClient), clientID) diff --git a/cmd/jaas/cmd/grant_test.go b/cmd/jaas/cmd/grant_test.go index 042d167cb..7dd1503de 100644 --- a/cmd/jaas/cmd/grant_test.go +++ b/cmd/jaas/cmd/grant_test.go 
@@ -27,7 +27,7 @@ var _ = gc.Suite(&grantSuite{}) func (s *grantSuite) TestGrant(c *gc.C) { ctx := context.Background() - clientID := "abda51b2-d735-4794-a8bd-49c506baa4af" + clientID := "abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com" // alice is superuser bClient := jimmtest.NewUserSessionLogin(c, "alice") diff --git a/cmd/jaas/cmd/listserviceaccountcredentials_test.go b/cmd/jaas/cmd/listserviceaccountcredentials_test.go index 03bf8184c..0a7c9c4c8 100644 --- a/cmd/jaas/cmd/listserviceaccountcredentials_test.go +++ b/cmd/jaas/cmd/listserviceaccountcredentials_test.go @@ -34,7 +34,7 @@ func (s *listServiceAccountCredentialsSuite) TestListServiceAccountCredentials(c }) c.Assert(err, gc.IsNil) // Create Alice Identity and Service Account Identity. - clientID := "abda51b2-d735-4794-a8bd-49c506baa4af" + clientID := "abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com" // alice is superuser ctx := context.Background() user := dbmodel.Identity{Name: "alice@canonical.com"} diff --git a/cmd/jaas/cmd/updatecredentials_test.go b/cmd/jaas/cmd/updatecredentials_test.go index e57a453ec..b03e7e6a8 100644 --- a/cmd/jaas/cmd/updatecredentials_test.go +++ b/cmd/jaas/cmd/updatecredentials_test.go @@ -28,7 +28,7 @@ var _ = gc.Suite(&updateCredentialsSuite{}) func (s *updateCredentialsSuite) TestUpdateCredentialsWithNewCredentials(c *gc.C) { ctx := context.Background() - clientID := "abda51b2-d735-4794-a8bd-49c506baa4af" + clientID := "abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com" // alice is superuser bClient := jimmtest.NewUserSessionLogin(c, "alice") 
@@ -69,7 +69,7 @@ func (s *updateCredentialsSuite) TestUpdateCredentialsWithNewCredentials(c *gc.C cmdContext, err := cmdtesting.RunCommand(c, cmd.NewUpdateCredentialsCommandForTesting(clientStore, bClient), clientID, "test-cloud", "test-credentials") c.Assert(err, gc.IsNil) c.Assert(cmdtesting.Stdout(cmdContext), gc.Equals, `results: -- credentialtag: cloudcred-test-cloud_abda51b2-d735-4794-a8bd-49c506baa4af_test-credentials +- credentialtag: cloudcred-test-cloud_abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com_test-credentials error: null models: [] `) @@ -89,7 +89,7 @@ func (s *updateCredentialsSuite) TestUpdateCredentialsWithNewCredentials(c *gc.C func (s *updateCredentialsSuite) TestUpdateCredentialsWithExistingCredentials(c *gc.C) { ctx := context.Background() - clientID := "abda51b2-d735-4794-a8bd-49c506baa4af" + clientID := "abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com" // alice is superuser bClient := jimmtest.NewUserSessionLogin(c, "alice") @@ -139,7 +139,7 @@ func (s *updateCredentialsSuite) TestUpdateCredentialsWithExistingCredentials(c cmdContext, err := cmdtesting.RunCommand(c, cmd.NewUpdateCredentialsCommandForTesting(clientStore, bClient), clientID, "test-cloud", "test-credentials") c.Assert(err, gc.IsNil) c.Assert(cmdtesting.Stdout(cmdContext), gc.Equals, `results: -- credentialtag: cloudcred-test-cloud_abda51b2-d735-4794-a8bd-49c506baa4af_test-credentials +- credentialtag: cloudcred-test-cloud_abda51b2-d735-4794-a8bd-49c506baa4af@canonical.com_test-credentials error: null models: [] `) @@ -159,7 +159,7 @@ func (s *updateCredentialsSuite) TestUpdateCredentialsWithExistingCredentials(c func (s *updateCredentialsSuite) TestCloudNotInLocalStore(c *gc.C) { bClient := jimmtest.NewUserSessionLogin(c, "alice") _, err := cmdtesting.RunCommand(c, cmd.NewUpdateCredentialsCommandForTesting(s.ClientStore(), bClient), - "00000000-0000-0000-0000-000000000000", + "00000000-0000-0000-0000-000000000000@canonical.com", "non-existing-cloud", "foo", ) 
@@ -178,7 +178,7 @@ func (s *updateCredentialsSuite) TestCredentialNotInLocalStore(c *gc.C) { c.Assert(err, gc.IsNil) _, err = cmdtesting.RunCommand(c, cmd.NewUpdateCredentialsCommandForTesting(clientStore, bClient), - "00000000-0000-0000-0000-000000000000", + "00000000-0000-0000-0000-000000000000@canonical.com", "some-cloud", "non-existing-credential-name", ) @@ -196,15 +196,15 @@ func (s *updateCredentialsSuite) TestMissingArgs(c *gc.C) { expectedError: "client ID not specified", }, { name: "missing cloud", - args: []string{"some-client-id"}, + args: []string{"some-client-id@canonical.com"}, expectedError: "cloud not specified", }, { name: "missing credential name", - args: []string{"some-client-id", "some-cloud"}, + args: []string{"some-client-id@canonical.com", "some-cloud"}, expectedError: "credential name not specified", }, { name: "too many args", - args: []string{"some-client-id", "some-cloud", "some-credential-name", "extra-arg"}, + args: []string{"some-client-id@canonical.com", "some-cloud", "some-credential-name", "extra-arg"}, expectedError: "too many args", }} diff --git a/docker-compose.yaml b/docker-compose.yaml index c7cf27977..5725cffea 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -21,7 +21,12 @@ services: interval: 10s timeout: 5s retries: 3 - + labels: + traefik.enable: true + traefik.http.routers.traefik.rule: Host(`127.0.0.1`) + traefik.http.routers.traefik.entrypoints: websecure + traefik.http.routers.traefik.tls: true + jimm: image: cosmtrek/air:latest profiles: ["dev"] @@ -46,7 +51,7 @@ services: JIMM_DSN: "postgresql://jimm:jimm@db/jimm" # Not needed for local test (yet). # BAKERY_AGENT_FILE: "" - JIMM_ADMINS: "jimm@candid.localhost" + JIMM_ADMINS: "jimm-test@canonical.com" # Note: You can comment out the Vault ENV vars below and instead use INSECURE_SECRET_STORAGE to place secrets in Postgres. VAULT_ADDR: "http://vault:8200" VAULT_PATH: "/jimm-kv/" diff --git a/go.mod b/go.mod index d61ff3809..1a650eb26 100644 --- a/go.mod 
+++ b/go.mod @@ -50,14 +50,15 @@ require ( github.com/dustinkirkland/golang-petname v0.0.0-20231002161417-6a283f1aaaf2 github.com/go-chi/chi/v5 v5.0.8 github.com/go-chi/render v1.0.2 + github.com/gorilla/sessions v1.2.1 github.com/hashicorp/golang-lru/v2 v2.0.7 github.com/itchyny/gojq v0.12.12 github.com/juju/charm/v12 v12.0.0 github.com/juju/names/v5 v5.0.0 github.com/lestrrat-go/iter v1.0.2 - github.com/lestrrat-go/jwx/v2 v2.0.19 + github.com/lestrrat-go/jwx/v2 v2.0.21 github.com/oklog/ulid/v2 v2.1.0 - github.com/stretchr/testify v1.8.4 + github.com/stretchr/testify v1.9.0 golang.org/x/oauth2 v0.15.0 gopkg.in/errgo.v1 v1.0.1 gopkg.in/httprequest.v1 v1.2.1 @@ -121,7 +122,7 @@ require ( github.com/gdamore/encoding v1.0.0 // indirect github.com/gdamore/tcell/v2 v2.5.1 // indirect github.com/go-goose/goose/v5 v5.0.0-20230421180421-abaee9096e3a // indirect - github.com/go-jose/go-jose/v3 v3.0.1 // indirect + github.com/go-jose/go-jose/v3 v3.0.3 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-macaroon-bakery/macaroonpb v1.0.0 // indirect @@ -143,7 +144,6 @@ require ( github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/gorilla/schema v1.2.1 // indirect github.com/gorilla/securecookie v1.1.2 // indirect - github.com/gorilla/sessions v1.2.1 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect @@ -212,7 +212,7 @@ require ( github.com/kylelemons/godebug v1.1.0 // indirect github.com/lestrrat-go/blackmagic v1.0.2 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect - github.com/lestrrat-go/httprc v1.0.4 // indirect + github.com/lestrrat-go/httprc v1.0.5 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/lestrrat/go-jspointer v0.0.0-20160229021354-f4881e611bdb // indirect github.com/lestrrat/go-jsref v0.0.0-20160601013240-e452c7b5801d // indirect 
@@ -251,7 +251,6 @@ require ( github.com/muhlemmer/gu v0.3.1 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/oracle/oci-go-sdk/v65 v65.55.0 // indirect github.com/packethost/packngo v0.28.1 // indirect @@ -296,10 +295,10 @@ require ( go.uber.org/atomic v1.11.0 // indirect go.uber.org/mock v0.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.19.0 // indirect + golang.org/x/crypto v0.21.0 // indirect golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect - golang.org/x/sys v0.17.0 // indirect - golang.org/x/term v0.17.0 // indirect + golang.org/x/sys v0.18.0 // indirect + golang.org/x/term v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect google.golang.org/api v0.154.0 // indirect diff --git a/go.sum b/go.sum index d00d9fbe1..c2e7de565 100644 --- a/go.sum +++ b/go.sum 
@@ -255,8 +255,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-goose/goose/v5 v5.0.0-20230421180421-abaee9096e3a h1:H/l82+fC6idmYg1kfpQlCq7gYctri7AGn9RemqwN6bw= github.com/go-goose/goose/v5 v5.0.0-20230421180421-abaee9096e3a/go.mod h1:BxICmnmP7QlxZhKP2BHkpWQS0tbb3LrsrLtd9TQyyms= -github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= -github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= +github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= @@ -294,8 +294,6 @@ github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZg github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -745,12 +743,12 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= -github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8= -github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= +github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk= +github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY= -github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU= +github.com/lestrrat-go/jwx/v2 v2.0.21 h1:jAPKupy4uHgrHFEdjVjNkUgoBKtVDgrQPB/h55FHrR0= +github.com/lestrrat-go/jwx/v2 v2.0.21/go.mod h1:09mLW8zto6bWL9GbwnqAli+ArLf+5M33QLQPDggkUWM= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lestrrat/go-jspointer v0.0.0-20160229021354-f4881e611bdb h1:ZWuRImtpQp2QxwzMFDYqSgym24d7N0HE38JRVoJ/Piw= 
@@ -883,8 +881,6 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U= -github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk= -github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw= github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU= github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ= github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= @@ -1010,8 +1006,9 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -1021,8 +1018,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= 
@@ -1122,8 +1120,9 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= -golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1162,6 +1161,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20150829230318-ea47fc708ee3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180406214816-61147c48b25b/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1210,6 +1210,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -1238,6 +1240,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1305,18 +1308,23 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod 
h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1328,6 +1336,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1395,6 +1405,7 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/internal/auth/oauth2_test.go b/internal/auth/oauth2_test.go index 634ecd882..dcf3e9edd 100644 --- a/internal/auth/oauth2_test.go +++ b/internal/auth/oauth2_test.go 
@@ -245,7 +245,7 @@ func TestVerifyClientCredentials(t *testing.T) { const ( // these are valid client credentials hardcoded into the jimm realm - validClientID = "test-client-id" + validClientID = "test-client-id@canonical.com" validClientSecret = "2M2blFbO4GX4zfggQpivQSxwWX1XGgNf" ) diff --git a/internal/jimm/service_account_test.go b/internal/jimm/service_account_test.go index 2da83030f..302ba3222 100644 --- a/internal/jimm/service_account_test.go +++ b/internal/jimm/service_account_test.go @@ -35,7 +35,7 @@ func TestAddServiceAccount(t *testing.T) { }, client, ) - clientID := "39caae91-b914-41ae-83f8-c7b86ca5ad5a" + clientID := "39caae91-b914-41ae-83f8-c7b86ca5ad5a@canonical.com" err = j.AddServiceAccount(ctx, user, clientID) c.Assert(err, qt.IsNil) err = j.AddServiceAccount(ctx, user, clientID) @@ -73,7 +73,7 @@ func TestGrantServiceAccountAccess(t *testing.T) { "user-bob", "group-1#member", }, - clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", username: "alice", }, { about: "Group that doesn't exist", @@ -86,7 +86,7 @@ func TestGrantServiceAccountAccess(t *testing.T) { // This group doesn't exist. "group-bar", }, - clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", username: "alice", expectedError: "group bar not found", }, { @@ -99,7 +99,7 @@ func TestGrantServiceAccountAccess(t *testing.T) { "user-bob", "controller-jimm", }, - clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", username: "alice", expectedError: "invalid entity - not user or group", }} diff --git a/internal/jujuapi/admin_test.go b/internal/jujuapi/admin_test.go index 239c32f75..4f6a827ee 100644 --- a/internal/jujuapi/admin_test.go +++ b/internal/jujuapi/admin_test.go 
@@ -305,7 +305,7 @@ func (s *adminSuite) TestLoginWithClientCredentials(c *gc.C) { const ( // these are valid client credentials hardcoded into the jimm realm - validClientID = "test-client-id" + validClientID = "test-client-id@canonical.com" validClientSecret = "2M2blFbO4GX4zfggQpivQSxwWX1XGgNf" ) @@ -316,7 +316,7 @@ func (s *adminSuite) TestLoginWithClientCredentials(c *gc.C) { }, &loginResult) c.Assert(err, gc.IsNil) c.Assert(loginResult.ControllerTag, gc.Equals, names.NewControllerTag(s.Params.ControllerUUID).String()) - c.Assert(loginResult.UserInfo.Identity, gc.Equals, names.NewUserTag("test-client-id").String()) + c.Assert(loginResult.UserInfo.Identity, gc.Equals, names.NewUserTag("test-client-id@canonical.com").String()) err = conn.APICall("Admin", 4, "", "LoginWithClientCredentials", params.LoginWithClientCredentialsRequest{ ClientID: "invalid-client-id", diff --git a/internal/jujuapi/service_account_test.go b/internal/jujuapi/service_account_test.go index 07e044875..531ab2935 100644 --- a/internal/jujuapi/service_account_test.go +++ b/internal/jujuapi/service_account_test.go @@ -38,7 +38,7 @@ func TestAddServiceAccount(t *testing.T) { return nil }, args: params.AddServiceAccountRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", }, }, { about: "Invalid Client ID", 
@@ -80,17 +80,17 @@ func TestGetServiceAccount(t *testing.T) { expectedError string }{{ about: "Valid request", - clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", username: "alice", addTuples: []openfga.Tuple{{ Object: ofganames.ConvertTag(names.NewUserTag("alice")), Relation: ofganames.AdministratorRelation, - Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")), + Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")), }}, }, { about: "Missing service account administrator permission", username: "alice", - clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + clientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", expectedError: "unauthorized", }, { about: "Invalid Client ID", @@ -164,7 +164,7 @@ func TestUpdateServiceAccountCredentials(t *testing.T) { }, }}, args: params.UpdateServiceAccountCredentialsRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", UpdateCredentialArgs: jujuparams.UpdateCredentialArgs{ Credentials: []jujuparams.TaggedCredential{ { @@ -181,7 +181,7 @@ func TestUpdateServiceAccountCredentials(t *testing.T) { addTuples: []openfga.Tuple{{ Object: ofganames.ConvertTag(names.NewUserTag("alice")), Relation: ofganames.AdministratorRelation, - Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")), + Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")), }}, }, { about: "Invalid Credential Tag", 
@@ -199,7 +199,7 @@ func TestUpdateServiceAccountCredentials(t *testing.T) { }, }}, args: params.UpdateServiceAccountCredentialsRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", UpdateCredentialArgs: jujuparams.UpdateCredentialArgs{ Credentials: []jujuparams.TaggedCredential{ { @@ -212,7 +212,7 @@ func TestUpdateServiceAccountCredentials(t *testing.T) { addTuples: []openfga.Tuple{{ Object: ofganames.ConvertTag(names.NewUserTag("alice")), Relation: ofganames.AdministratorRelation, - Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")), + Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")), }}, }, { about: "Invalid Service account ID", @@ -237,7 +237,7 @@ func TestUpdateServiceAccountCredentials(t *testing.T) { return nil, nil }, args: params.UpdateServiceAccountCredentialsRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", UpdateCredentialArgs: jujuparams.UpdateCredentialArgs{ Credentials: []jujuparams.TaggedCredential{ { @@ -307,7 +307,7 @@ func TestListServiceAccountCredentials(t *testing.T) { expectedResult: jujuparams.CredentialContentResults{ Results: []jujuparams.CredentialContentResult{}}, args: params.ListServiceAccountCredentialsRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", }, getCloudCredential: func(ctx context.Context, user *openfga.User, tag names.CloudCredentialTag) (*dbmodel.CloudCredential, error) { cred := &dbmodel.CloudCredential{} 
@@ -320,7 +320,7 @@ func TestListServiceAccountCredentials(t *testing.T) { addTuples: []openfga.Tuple{{ Object: ofganames.ConvertTag(names.NewUserTag("alice")), Relation: ofganames.AdministratorRelation, - Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")), + Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")), }}, }, { about: "Invalid Service account ID", @@ -345,7 +345,7 @@ func TestListServiceAccountCredentials(t *testing.T) { return nil }, args: params.ListServiceAccountCredentialsRequest{ - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", }, getCloudCredential: func(ctx context.Context, user *openfga.User, tag names.CloudCredentialTag) (*dbmodel.CloudCredential, error) { cred := &dbmodel.CloudCredential{} @@ -417,13 +417,13 @@ func TestGrantServiceAccountAccess(t *testing.T) { "user-alice", "user-bob", }, - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", }, username: "alice", addTuples: []openfga.Tuple{{ Object: ofganames.ConvertTag(names.NewUserTag("alice")), Relation: ofganames.AdministratorRelation, - Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")), + Target: ofganames.ConvertTag(jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")), }}, }, { about: "Invalid Service account ID", @@ -449,7 +449,7 @@ func TestGrantServiceAccountAccess(t *testing.T) { "user-alice", "user-bob", }, - ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be", + ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com", }, username: "alice", expectedError: "unauthorized", 
@@ -501,7 +501,7 @@ func (s *serviceAccountSuite) TestUpdateServiceAccountCredentialsIntegration(c *
 conn := s.open(c, nil, "bob")
 defer conn.Close()
 
- serviceAccount := jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be")
+ serviceAccount := jimmnames.NewServiceAccountTag("fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com")
 
 tuple := openfga.Tuple{
 Object: ofganames.ConvertTag(names.NewUserTag("bob@canonical.com")),
@@ -517,15 +517,15 @@ func (s *serviceAccountSuite) TestUpdateServiceAccountCredentialsIntegration(c *
 var credResults jujuparams.UpdateCredentialResults
 err := conn.APICall("JIMM", 4, "", "UpdateServiceAccountCredentials", params.UpdateServiceAccountCredentialsRequest{
- ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be",
+ ClientID: "fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com",
 UpdateCredentialArgs: jujuparams.UpdateCredentialArgs{
 Credentials: []jujuparams.TaggedCredential{
 {
- Tag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be/cred-name",
+ Tag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com/cred-name",
 Credential: jujuparams.CloudCredential{Attributes: map[string]string{"foo": "bar"}},
 },
 {
- Tag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be/cred-name2",
+ Tag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com/cred-name2",
 Credential: jujuparams.CloudCredential{Attributes: map[string]string{"wolf": "low"}},
 },
 }},
@@ -534,12 +534,12 @@ func (s *serviceAccountSuite) TestUpdateServiceAccountCredentialsIntegration(c *
 expectedResult := jujuparams.UpdateCredentialResults{
 Results: []jujuparams.UpdateCredentialResult{
 {
- CredentialTag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be/cred-name",
+ CredentialTag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com/cred-name",
 Error: nil,
 Models: nil,
 },
 {
- CredentialTag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be/cred-name2",
+ CredentialTag: "cloudcred-aws/fca1f605-736e-4d1f-bcd2-aecc726923be@canonical.com/cred-name2",
 Error: nil,
 Models: nil,
 },
diff --git a/internal/rpc/proxy.go b/internal/rpc/proxy.go
index 12e2ab0f3..4357ccc24 100644
--- a/internal/rpc/proxy.go
+++ b/internal/rpc/proxy.go
@@ -609,9 +609,12 @@ func (p *clientProxy) handleAdminFacade(ctx context.Context, msg *message) (clie
 }
 
 // Verify the session token
- // TODO(CSS-7081): Ensure for tests that the secret key can be configured.
- // Or configure cmd tests to use the configured secret.
- token, err := p.jimm.OAuthAuthenticationService().VerifySessionToken(request.SessionToken, "test-secret")
+ secretKey, err := p.jimm.GetCredentialStore().GetOAuthSecret(ctx)
+ if err != nil {
+ return errorFnc(err)
+ }
+
+ token, err := p.jimm.OAuthAuthenticationService().VerifySessionToken(request.SessionToken, string(secretKey))
 if err != nil {
 return errorFnc(err)
 }
diff --git a/local/jimm/setup-controller.sh b/local/jimm/setup-controller.sh
index a18833ec9..8bb982336 100755
--- a/local/jimm/setup-controller.sh
+++ b/local/jimm/setup-controller.sh
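Review bot: A zero-length secret would be accepted as the verification key on the new `token, err := p.jimm.OAuthAuthenticationService().VerifySessionToken(request.SessionToken, string(secretKey))` line — the hunk only checks the error from GetOAuthSecret, so if the credential store reports an unconfigured secret as an empty value rather than an error, every session token is checked against an empty key. Guard it before the call: `if len(secretKey) == 0 { return errorFnc(errors.New("oauth session secret is not configured")) }`. The store error is also passed back unchanged through `errorFnc(err)`; if errorFnc forwards the message to the API client, wrap it at this layer (e.g. `fmt.Errorf("reading oauth secret: %w", err)`) and decide deliberately whether backend detail should reach the caller at all. Note that the secret is now read from the credential store on every admin-facade login, which, if the store is remote, adds a round trip and an availability dependency per login. handleAdminFacade begins and ends outside the hunk.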
@@ -23,4 +23,4 @@ CLOUDINIT_TEMPLATE=$'cloudinit-userdata: |
 printf "$CLOUDINIT_TEMPLATE" "$(lxc network get lxdbr0 ipv4.address | cut -f1 -d/)" "$(cat local/traefik/certs/ca.crt | sed -e 's/^/ /')" > "${CLOUDINIT_FILE}"
 echo "Bootstrapping controller"
-juju bootstrap localhost "${CONTROLLER_NAME}" --config allow-model-access=true --config "${CLOUDINIT_FILE}" --config login-token-refresh-url=https://jimm.localhost/.well-known/jwks.json
+juju bootstrap lxd "${CONTROLLER_NAME}" --config "${CLOUDINIT_FILE}" --config login-token-refresh-url=https://jimm.localhost/.well-known/jwks.json --debug
diff --git a/local/keycloak/jimm-realm.json b/local/keycloak/jimm-realm.json
index cf0a1488d..67c223e28 100644
--- a/local/keycloak/jimm-realm.json
+++ b/local/keycloak/jimm-realm.json
@@ -693,7 +693,7 @@
 ]
 },
 {
- "clientId": "test-client-id",
+ "clientId": "test-client-id@canonical.com",
 "name": "",
 "description": "",
 "rootUrl": "",
diff --git a/local/traefik/traefik.yaml b/local/traefik/traefik.yaml
index 6285cf2c2..00585c0e5 100644
--- a/local/traefik/traefik.yaml
+++ b/local/traefik/traefik.yaml
@@ -41,17 +41,18 @@ entryPoints:
 websecure:
 address: :443
 
- ## DYNAMIC CONFIG
 tls:
 certificates:
 - certFile: /certs/server.crt
 keyFile: /certs/server.key
-
-# when troubleshooting certs, enable this so traefik doesn't use
+ default:
+ keyFile: /certs/server.key
+ certFile: /certs/server.crt
+# when troubleshooting certs, enable this so traefik doesn't use
 # its own self-signed. By default if it can't find a matching
 # cert, it'll just create its own which will cause cert warnings
 # in browser and can be confusing to troubleshoot
- # options:
- # default:
- # sniStrict: true
+# options:
+# default:
+# sniStrict: true
diff --git a/pkg/names/service_account.go b/pkg/names/service_account.go
index 585d62864..ae6c2c424 100644
--- a/pkg/names/service_account.go
+++ b/pkg/names/service_account.go
@@ -6,7 +6,8 @@ package names
 import (
 "fmt"
- "regexp"
+
+ "github.com/juju/names/v5"
 )
 const (
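Review bot: The rewritten `juju bootstrap lxd "${CONTROLLER_NAME}" ...` line drops `--config allow-model-access=true` while the commit message only mentions local testing fixes; if that controller setting is what lets users reach models they are authorised for without holding controller access, removing it changes what the local JAAS environment exercises, so either keep it or add a line above the command such as `# allow-model-access is intentionally unset: <reason>`. The new `--debug` flag sends the bootstrap debug log to the terminal; from the visible lines the cloud-init payload only carries the lxdbr0 address and the CA certificate, so nothing secret is exposed by it, but a short comment on why it is on would stop it being left behind by accident in a script meant to be re-run. The script begins outside the hunk.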
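Review bot: The new `default:` mapping nested directly under `tls:` does not look like a key the Traefik v2 file provider understands — in the dynamic-configuration reference a fallback certificate is declared as `tls.stores.default.defaultCertificate` with `certFile`/`keyFile` beneath it, so as written the provider would most likely report an unknown field and keep serving its generated self-signed certificate, which is exactly what the comment below it warns about; if I am misreading the schema in use here, please point at it. Moving the two file entries into a store, as below, gives the intended default. The `sniStrict` option stays commented out, so connections with no matching SNI are still answered rather than refused, which is fine for local development but worth stating in that comment. Removing `## DYNAMIC CONFIG` also drops the only hint that everything from `tls:` down is presumably read by the file provider rather than as static configuration, so keep a one-line marker there.
```yaml
tls:
  # … unchanged: certificates list …
  stores:
    default:
      defaultCertificate:
        certFile: /certs/server.crt
        keyFile: /certs/server.key
# … unchanged: sniStrict troubleshooting comment …
```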
@@ -15,11 +16,6 @@ const (
 ServiceAccountTagKind = "serviceaccount"
 )
 
-var (
- validClientIdSnippet = `^[0-9a-zA-Z-]+$`
- validClientId = regexp.MustCompile(validClientIdSnippet)
-)
-
 // ServiceAccount represents a service account where id is the client ID.
 // Implements juju names.Tag.
 type ServiceAccountTag struct {
@@ -38,13 +34,11 @@ func (t ServiceAccountTag) String() string { return ServiceAccountTagKind + "-"
 // NewServiceAccountTag creates a valid ServiceAccountTag if it is possible to parse
 // the provided tag.
 func NewServiceAccountTag(clientId string) ServiceAccountTag {
- id := validClientId.FindString(clientId)
-
 if !IsValidServiceAccountId(clientId) {
 panic(fmt.Sprintf("invalid client tag %q", clientId))
 }
 
- return ServiceAccountTag{id: id}
+ return ServiceAccountTag{id: clientId}
 }
 
 // ParseServiceAccountTag parses a service account tag string.
@@ -62,5 +56,9 @@ func ParseServiceAccountTag(tag string) (ServiceAccountTag, error) {
 
 // IsValidServiceAccountId verifies the client id for a service account is valid according to a regex internally.
 func IsValidServiceAccountId(id string) bool {
- return validClientId.MatchString(id)
+ if !names.IsValidUser(id) {
+ return false
+ }
+ t := names.NewUserTag(id)
+ return t.Domain() != ""
 }
diff --git a/pkg/names/service_account_test.go b/pkg/names/service_account_test.go
index 2f2b29434..156fb8869 100644
--- a/pkg/names/service_account_test.go
+++ b/pkg/names/service_account_test.go
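Review bot: The doc comment above `func NewServiceAccountTag(clientId string) ServiceAccountTag` still promises a tag "if it is possible to parse the provided tag", but the body panics on an invalid id (the `panic(fmt.Sprintf("invalid client tag %q", clientId))` line) and now stores clientId verbatim, so the contract is a constructor for ids that have already been validated; reword it to `// NewServiceAccountTag returns the tag for clientId. It panics if clientId is not a valid service-account id (see IsValidServiceAccountId); use ParseServiceAccountTag for untrusted input.` Since a service-account id is now a juju user name with a domain, a sentence noting that only the `serviceaccount-` kind prefix distinguishes it from the equivalent `user-` tag would help the next reader, assuming that is indeed how the two are kept apart downstream.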
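Review bot: The doc comment on IsValidServiceAccountId still says the id is checked "according to a regex internally", but the new body delegates to `names.IsValidUser(id)` and then requires a non-empty `t.Domain()`; update it to `// IsValidServiceAccountId reports whether id is a valid juju user name that carries a domain (e.g. "<client-id>@canonical.com"), the same format as juju user tags.` The check accepts any domain and any name syntax the names package allows, so an ordinary human user name such as `alice@canonical.com` is now a syntactically valid service-account id, and the accepted character set presumably widened beyond the removed `^[0-9a-zA-Z-]+$` (the names package's user regex admits more than alphanumerics and `-`, if I recall it correctly). If service accounts are meant to come only from the identity provider's client-credentials domain, consider pinning `t.Domain()` to that value; either way the tests should cover the widened syntax. Whether the `serviceaccount-` kind prefix and the OpenFGA tuples keep these ids apart from `user-` tags is decided outside this hunk and is worth confirming there.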
@@ -14,16 +14,20 @@ func TestParseServiceAccountID(t *testing.T) {
 err string
 }{{
 about: "Valid svc account tag",
- tag: "serviceaccount-1e654457-a195-4a41-8360-929c7f455d43",
- expectedID: "1e654457-a195-4a41-8360-929c7f455d43",
+ tag: "serviceaccount-1e654457-a195-4a41-8360-929c7f455d43@canonical.com",
+ expectedID: "1e654457-a195-4a41-8360-929c7f455d43@canonical.com",
 err: "",
+ }, {
+ about: "Invalid svc account tag (no domain)",
+ tag: "serviceaccount-1e654457-a195-4a41-8360-929c7f455d43",
+ err: "is not a valid serviceaccount tag",
 }, {
 about: "Invalid svc account tag (serviceaccounts)",
- tag: "serviceaccounts-1e654457-a195-4a41-8360-929c7f455d43",
+ tag: "serviceaccounts-1e654457-a195-4a41-8360-929c7f455d43@canonical.com",
 err: "is not a valid tag",
 }, {
 about: "Invalid svc account tag (no prefix)",
- tag: "1e654457-a195-4a41-8360-929c7f455d43",
+ tag: "1e654457-a195-4a41-8360-929c7f455d43@canonical.com",
 err: "is not a valid tag",
 }, {
 about: "Invalid svc account tag (missing ID)",
@@ -47,10 +51,12 @@ func TestParseServiceAccountID(t *testing.T) {
 }
 
 func TestIsValidServiceAccountId(t *testing.T) {
- assert.True(t, IsValidServiceAccountId("1e654457-a195-4a41-8360-929c7f455d43"))
- assert.True(t, IsValidServiceAccountId("12345"))
- assert.True(t, IsValidServiceAccountId("abc123"))
- assert.True(t, IsValidServiceAccountId("ABC123"))
+ assert.True(t, IsValidServiceAccountId("1e654457-a195-4a41-8360-929c7f455d43@canonical.com"))
+ assert.True(t, IsValidServiceAccountId("12345@canonical.com"))
+ assert.True(t, IsValidServiceAccountId("abc123@canonical.com"))
+ assert.True(t, IsValidServiceAccountId("ABC123@canonical.com"))
+ assert.True(t, IsValidServiceAccountId("ABC123@canonical.com"))
+ assert.False(t, IsValidServiceAccountId("ABC123"))
 assert.False(t, IsValidServiceAccountId("abc 123"))
 assert.False(t, IsValidServiceAccountId(""))
 assert.False(t, IsValidServiceAccountId(" "))
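Review bot: `assert.True(t, IsValidServiceAccountId("ABC123@canonical.com"))` is listed twice in TestIsValidServiceAccountId; drop the duplicate. The slot is better spent on inputs that exercise the new domain rule rather than the old regex, for example `assert.False(t, IsValidServiceAccountId("@canonical.com"))` and `assert.False(t, IsValidServiceAccountId("abc123@"))`, both of which should be rejected by names.IsValidUser assuming it requires a non-empty name part and a well-formed domain after the `@`, plus one positive case using the wider user-name syntax the validator now accepts. Keeping the positive cases to a single representative id would also make the table read more clearly.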