From e130560b58f4fc52ead9b5ce46c7fa608378422c Mon Sep 17 00:00:00 2001
From: Ben Ash
Date: Fri, 17 Sep 2021 11:24:42 -0400
Subject: [PATCH 1/3] fix: rename token alias source to sa_uid
---
 backend.go | 6 +++---
 path_login.go | 2 +-
 path_login_test.go | 4 ++--
 path_role.go | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/backend.go b/backend.go
index b8c64bcf..4a7c62ac 100644
--- a/backend.go
+++ b/backend.go
@@ -17,14 +17,14 @@ const (
 // aliasNameSourceUnset provides backwards compatibility with preexisting roles.
 aliasNameSourceUnset = ""
- aliasNameSourceSAToken = "sa_token"
+ aliasNameSourceSAUid = "sa_uid"
 aliasNameSourceSAPath = "sa_path"
- aliasNameSourceDefault = aliasNameSourceSAToken
+ aliasNameSourceDefault = aliasNameSourceSAUid
 )
 var (
 // when adding new alias name sources make sure to update the corresponding FieldSchema description in path_role.go
- aliasNameSources = []string{aliasNameSourceSAToken, aliasNameSourceSAPath}
+ aliasNameSources = []string{aliasNameSourceSAUid, aliasNameSourceSAPath}
 errInvalidAliasNameSource = fmt.Errorf(`invalid alias_name_source, must be one of: %s`, strings.Join(aliasNameSources, ", "))
 )
diff --git a/path_login.go b/path_login.go
index a1eaecea..15cc2daa 100644
--- a/path_login.go
+++ b/path_login.go
@@ -156,7 +156,7 @@ func (b *kubeAuthBackend) getFieldValueStr(data *framework.FieldData, param stri
 func (b *kubeAuthBackend) getAliasName(role *roleStorageEntry, serviceAccount *serviceAccount) (string, error) {
 switch role.AliasNameSource {
- case aliasNameSourceSAToken, aliasNameSourceUnset:
+ case aliasNameSourceSAUid, aliasNameSourceUnset:
 uid, err := serviceAccount.uid()
 if err != nil {
 return "", err
diff --git a/path_login_test.go b/path_login_test.go
index f049aca0..b72dc38a 100644
--- a/path_login_test.go
+++ b/path_login_test.go
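Review bot: The string persisted in the role entry is renamed here (`aliasNameSourceSAToken = "sa_token"` becomes `aliasNameSourceSAUid = "sa_uid"`) and again in the backend.go hunks of patches 2 and 3 (`"serviceaccount_uid"`, then `"serviceaccount_path"` to `"serviceaccount_name"`), yet the only compatibility case kept is `aliasNameSourceUnset`, so a role already stored with one of the earlier spellings would reach the `default:` branch of `getAliasName` and fail login with `unknown alias_name_source`. Failing closed is the right outcome, but if any of the earlier values has reached a release the rename needs a migration when the role is read, or at least a changelog entry, and if the option is still unreleased that assumption should be written down next to `aliasNameSourceUnset`, e.g. `// aliasNameSourceUnset: roles written before alias_name_source existed carry the empty string; the named values below have never been persisted under another spelling` (to be confirmed by the author). The enclosing `const (` block starts above the hunk, and the `default:` branch is visible only in the path_login.go hunk of patch 3.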
@@ -610,14 +610,14 @@ func TestAliasLookAhead(t *testing.T) {
 config: defaultTestBackendConfig(),
 wantErr: errors.New("missing jwt"),
 },
- "sa_token": {
+ "sa_uid": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
 pems: testDefaultPEMs,
 saName: testName,
 saNamespace: testNamespace,
- aliasNameSource: aliasNameSourceSAToken,
+ aliasNameSource: aliasNameSourceSAUid,
 },
 expectedAliasName: testUID,
 },
diff --git a/path_role.go b/path_role.go
index 7f3b3ed5..be123384 100644
--- a/path_role.go
+++ b/path_role.go
@@ -56,7 +56,7 @@ valid choices:
 %q : e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice)
 %q : / e.g. vault/vault-agent
 default: %q
-`, aliasNameSourceSAToken, aliasNameSourceSAPath, aliasNameSourceDefault),
+`, aliasNameSourceSAUid, aliasNameSourceSAPath, aliasNameSourceDefault),
 Default: aliasNameSourceDefault,
 },
 "policies": {
From 110d5d8bcb6dd6e601379e421a07c9c79457c43a Mon Sep 17 00:00:00 2001
From: Ben Ash
Date: Fri, 17 Sep 2021 11:43:59 -0400
Subject: [PATCH 2/3] fix: make alias name source params more verbose.
---
 backend.go | 4 ++--
 path_login_test.go | 4 ++--
 path_role_test.go | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/backend.go b/backend.go
index 4a7c62ac..e3cc88ad 100644
--- a/backend.go
+++ b/backend.go
@@ -17,8 +17,8 @@ const (
 // aliasNameSourceUnset provides backwards compatibility with preexisting roles.
 aliasNameSourceUnset = ""
- aliasNameSourceSAUid = "sa_uid"
- aliasNameSourceSAPath = "sa_path"
+ aliasNameSourceSAUid = "serviceaccount_uid"
+ aliasNameSourceSAPath = "serviceaccount_path"
 aliasNameSourceDefault = aliasNameSourceSAUid
 )
diff --git a/path_login_test.go b/path_login_test.go
index b72dc38a..45fce3fe 100644
--- a/path_login_test.go
+++ b/path_login_test.go
@@ -610,7 +610,7 @@ func TestAliasLookAhead(t *testing.T) {
 config: defaultTestBackendConfig(),
 wantErr: errors.New("missing jwt"),
 },
- "sa_uid": {
+ "serviceaccount_uid": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
@@ -621,7 +621,7 @@ func TestAliasLookAhead(t *testing.T) {
 },
 expectedAliasName: testUID,
 },
- "sa_path": {
+ "serviceaccount_path": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
diff --git a/path_role_test.go b/path_role_test.go
index d67a01e3..a419d129 100644
--- a/path_role_test.go
+++ b/path_role_test.go
@@ -73,7 +73,7 @@ func TestPath_Create(t *testing.T) {
 AliasNameSource: aliasNameSourceDefault,
 },
 },
- "alias_name_source_sa_path": {
+ "alias_name_source_serviceaccount_path": {
 data: map[string]interface{}{
 "bound_service_account_names": "name",
 "bound_service_account_namespaces": "namespace",
From 2fcb99aa83599cef93a5ef2ff6513004544e7c40 Mon Sep 17 00:00:00 2001
From: Ben Ash
Date: Fri, 17 Sep 2021 17:30:17 -0400
Subject: [PATCH 3/3] fix: rename alias name source param to name
---
 backend.go | 4 ++--
 path_login.go | 2 +-
 path_login_test.go | 4 ++--
 path_role.go | 2 +-
 path_role_test.go | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/backend.go b/backend.go
index e3cc88ad..3c06d7d9 100644
--- a/backend.go
+++ b/backend.go
@@ -18,13 +18,13 @@ const (
 // aliasNameSourceUnset provides backwards compatibility with preexisting roles.
 aliasNameSourceUnset = ""
 aliasNameSourceSAUid = "serviceaccount_uid"
- aliasNameSourceSAPath = "serviceaccount_path"
+ aliasNameSourceSAName = "serviceaccount_name"
 aliasNameSourceDefault = aliasNameSourceSAUid
 )
 var (
 // when adding new alias name sources make sure to update the corresponding FieldSchema description in path_role.go
- aliasNameSources = []string{aliasNameSourceSAUid, aliasNameSourceSAPath}
+ aliasNameSources = []string{aliasNameSourceSAUid, aliasNameSourceSAName}
 errInvalidAliasNameSource = fmt.Errorf(`invalid alias_name_source, must be one of: %s`, strings.Join(aliasNameSources, ", "))
 )
diff --git a/path_login.go b/path_login.go
index 15cc2daa..a76aa95f 100644
--- a/path_login.go
+++ b/path_login.go
@@ -162,7 +162,7 @@ func (b *kubeAuthBackend) getAliasName(role *roleStorageEntry, serviceAccount *s
 return "", err
 }
 return uid, nil
- case aliasNameSourceSAPath:
+ case aliasNameSourceSAName:
 return fmt.Sprintf("%s/%s", serviceAccount.Namespace, serviceAccount.Name), nil
 default:
 return "", fmt.Errorf("unknown alias_name_source %q", role.AliasNameSource)
diff --git a/path_login_test.go b/path_login_test.go
index 45fce3fe..d5fe753c 100644
--- a/path_login_test.go
+++ b/path_login_test.go
@@ -621,14 +621,14 @@ func TestAliasLookAhead(t *testing.T) {
 },
 expectedAliasName: testUID,
 },
- "serviceaccount_path": {
+ "serviceaccount_name": {
 role: "plugin-test",
 jwt: jwtData,
 config: &testBackendConfig{
 pems: testDefaultPEMs,
 saName: testName,
 saNamespace: testNamespace,
- aliasNameSource: aliasNameSourceSAPath,
+ aliasNameSource: aliasNameSourceSAName,
 },
 expectedAliasName: fmt.Sprintf("%s/%s", testNamespace, testName),
 },
diff --git a/path_role.go b/path_role.go
index be123384..3822d19b 100644
--- a/path_role.go
+++ b/path_role.go
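Review bot: `aliasNameSourceSAUid` and `aliasNameSourceSAName` are left without a comment explaining the trade-off that the path_role.go description only hints at with "(most secure choice)", so the reason the UID variant is the default lives solely in a user-facing format string. Suggest documenting it where the values are defined: `// aliasNameSourceSAUid derives the alias from the service account's UID, which is unique to that object instance and is not reused if a service account of the same name is deleted and recreated.` and `// aliasNameSourceSAName derives the alias from <namespace>/<name>; a recreated service account with the same name presumably inherits the alias and whatever identity is attached to it, so prefer the UID source when a stable identity matters.`. The enclosing `const (` block begins above the hunk.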
@@ -56,7 +56,7 @@ valid choices:
 %q : e.g. 474b11b5-0f20-4f9d-8ca5-65715ab325e0 (most secure choice)
 %q : / e.g. vault/vault-agent
 default: %q
-`, aliasNameSourceSAUid, aliasNameSourceSAPath, aliasNameSourceDefault),
+`, aliasNameSourceSAUid, aliasNameSourceSAName, aliasNameSourceDefault),
 Default: aliasNameSourceDefault,
 },
 "policies": {
diff --git a/path_role_test.go b/path_role_test.go
index a419d129..3abafa38 100644
--- a/path_role_test.go
+++ b/path_role_test.go
@@ -73,7 +73,7 @@ func TestPath_Create(t *testing.T) {
 AliasNameSource: aliasNameSourceDefault,
 },
 },
- "alias_name_source_serviceaccount_path": {
+ "alias_name_source_serviceaccount_name": {
 data: map[string]interface{}{
 "bound_service_account_names": "name",
 "bound_service_account_namespaces": "namespace",
@@ -82,7 +82,7 @@ func TestPath_Create(t *testing.T) {
 "ttl": "1s",
 "num_uses": 12,
 "max_ttl": "5s",
- "alias_name_source": aliasNameSourceSAPath,
+ "alias_name_source": aliasNameSourceSAName,
 },
 expected: &roleStorageEntry{
 TokenParams: tokenutil.TokenParams{
@@ -101,7 +101,7 @@ func TestPath_Create(t *testing.T) {
 MaxTTL: 5 * time.Second,
 NumUses: 12,
 BoundCIDRs: nil,
- AliasNameSource: aliasNameSourceSAPath,
+ AliasNameSource: aliasNameSourceSAName,
 },
 },
 "invalid_alias_name_source": {