spacebar/kamal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Simplify parsing by changing account separators

Browse Source
This commit is contained in:
André Laszlo
2024-12-06 17:15:22 +01:00
parent e314f38bdc
commit 18f2aae936
2 changed files with 8 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
lib/kamal/secrets/adapters/gcp_secret_manager.rb
View File

@@ -5,7 +5,7 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
# impersonation. # impersonation.
# #
# Syntax: # Syntax:
# ACCOUNT: USER | USER "," DELEGATION_CHAIN # ACCOUNT: USER | USER "|" DELEGATION_CHAIN
# USER: DEFAULT_USER | EMAIL # USER: DEFAULT_USER | EMAIL
# DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN # DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN
# EMAIL: <The email address of the user or service account, like "my-user@example.com" > # EMAIL: <The email address of the user or service account, like "my-user@example.com" >
@@ -13,10 +13,10 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
# #
# Some valid examples: # Some valid examples:
# - "my-user@example.com" sets the user # - "my-user@example.com" sets the user
# - "my-user@example.com,my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user # - "my-user@example.com|my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
# - "default" will use the default user and no impersonation # - "default" will use the default user and no impersonation
# - "default,my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user # - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
# - "default,my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain # - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
if !logged_in? if !logged_in?
raise RuntimeError, "gcloud is not authenticated, please run `gcloud auth login`" raise RuntimeError, "gcloud is not authenticated, please run `gcloud auth login`"
@@ -102,19 +102,7 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
end end
def parse_account(account) def parse_account(account)
return "default", nil if account == "default" account.split("|", 2)
parts = account.split(",", 2)
if parts.length == 2
return parts.shift, parts.shift
elsif parts.length != 1
raise RuntimeError, "Invalid account, too many parts: #{account}"
elsif is_user?(account)
return account, nil
end
raise RuntimeError, "Invalid account, not a user: #{account}"
end end
def is_user?(candidate) def is_user?(candidate)

6
test/secrets/gcp_secret_manager_adapter_test.rb
View File

@@ -91,7 +91,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
stub_authenticated stub_authenticated
stub_items(0, project: "some-project", version: "123", impersonate_service_account: "service-user@example.com") stub_items(0, project: "some-project", version: "123", impersonate_service_account: "service-user@example.com")
json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "default,service-user@example.com"))) json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "default|service-user@example.com")))
expected_json = { expected_json = {
"some-project/item1"=>"secret1" "some-project/item1"=>"secret1"
@@ -105,7 +105,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
stub_authenticated stub_authenticated
stub_items(0, project: "some-project", version: "123", account: "user@example.com", impersonate_service_account: "service-user@example.com,service-user2@example.com") stub_items(0, project: "some-project", version: "123", account: "user@example.com", impersonate_service_account: "service-user@example.com,service-user2@example.com")
json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "user@example.com,service-user@example.com,service-user2@example.com"))) json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "user@example.com|service-user@example.com,service-user2@example.com")))
expected_json = { expected_json = {
"some-project/item1"=>"secret1" "some-project/item1"=>"secret1"
@@ -119,7 +119,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
stub_authenticated stub_authenticated
stub_items(0, project: "some-project", version: "123", account: "email@example.com", impersonate_service_account: "service-user@example.com") stub_items(0, project: "some-project", version: "123", account: "email@example.com", impersonate_service_account: "service-user@example.com")
json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com,service-user@example.com"))) json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com|service-user@example.com")))
expected_json = { expected_json = {
"some-project/item1"=>"secret1" "some-project/item1"=>"secret1"