File: projectvalidator.go

package info (click to toggle)
golang-github-smallstep-certificates 0.29.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 6,720 kB
  • sloc: sh: 385; makefile: 129
file content (84 lines) | stat: -rw-r--r-- 1,982 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
package gcp

import (
	"context"
	"net/http"

	"google.golang.org/api/cloudresourcemanager/v1"

	"github.com/smallstep/certificates/errs"
)

type ProjectValidator struct {
	ProjectIDs []string
}

func (p *ProjectValidator) ValidateProject(_ context.Context, projectID string) error {
	if len(p.ProjectIDs) == 0 {
		return nil
	}

	for _, pi := range p.ProjectIDs {
		if pi == projectID {
			return nil
		}
	}

	return errs.Unauthorized("gcp.authorizeToken; invalid gcp token - invalid project id")
}

type OrganizationValidator struct {
	*ProjectValidator
	OrganizationID  string
	projectsService *cloudresourcemanager.ProjectsService
}

func NewOrganizationValidator(projectIDs []string, organizationID string) (*OrganizationValidator, error) {
	var svc *cloudresourcemanager.ProjectsService

	if organizationID != "" {
		crm, err := cloudresourcemanager.NewService(context.Background())
		if err != nil {
			return nil, err
		}

		svc = crm.Projects
	}

	return &OrganizationValidator{
		ProjectValidator: &ProjectValidator{projectIDs},
		OrganizationID:   organizationID,
		projectsService:  svc,
	}, nil
}

func (p *OrganizationValidator) ValidateProject(ctx context.Context, projectID string) error {
	if err := p.ProjectValidator.ValidateProject(ctx, projectID); err != nil {
		return err
	}

	if p.OrganizationID == "" {
		return nil
	}

	ancestry, err := p.projectsService.
		GetAncestry(projectID, &cloudresourcemanager.GetAncestryRequest{}).
		Context(ctx).
		Do()

	if err != nil {
		return errs.Wrap(http.StatusInternalServerError, err, "gcp.authorizeToken")
	}

	if len(ancestry.Ancestor) < 1 {
		return errs.InternalServer("gcp.authorizeToken; getAncestry response malformed")
	}

	progenitor := ancestry.Ancestor[len(ancestry.Ancestor)-1]

	if progenitor.ResourceId.Type != "organization" || progenitor.ResourceId.Id != p.OrganizationID {
		return errs.Unauthorized("gcp.authorizeToken; invalid gcp token - project does not belong to organization")
	}

	return nil
}