feat: create impersonated service credentials #499
Conversation
viacheslav-rostovtsev
force-pushed
the
dev/virost/impersonated_creds
branch
2 times, most recently
from
3a8238c
to
68627a3
Compare
viacheslav-rostovtsev
force-pushed
the
dev/virost/impersonated_creds
branch
from
743091e
to
2ed3089
Compare
|
|
||
| describe "duplicates" do | ||
| before :example do | ||
| Google::Cloud.env.compute_smbios.override_product_name = "Google Compute Engine" |
There was a problem hiding this comment.
Should probably undo this in an after clause, so it doesn't affect other tests.
| # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint. | ||
| # The short-lived token and its expiration time are cached. | ||
| class ImpersonatedServiceAccountCredentials | ||
| ERROR_SUFFIX = <<~ERROR.freeze |
There was a problem hiding this comment.
Mark this # @private so it's not part of the public interface
| from IAM Credentials endpoint using the credentials provided. | ||
| ERROR | ||
|
|
||
| IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze |
| include Google::Auth::BaseClient | ||
| include Helpers::Connection | ||
|
|
||
| attr_reader :base_credentials |
There was a problem hiding this comment.
Each of these should have YARD documentation.
| new options | ||
| end | ||
|
|
||
| def initialize options = {} |
There was a problem hiding this comment.
Either document this or mark it # @private.
| # to fetch short-lived impersionation access token | ||
| # @param impersonation_url [String] the URL to use to impersonate the service account. | ||
| # This URL should be in the format: | ||
| # https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken |
There was a problem hiding this comment.
Put backticks around the URL format string, otherwise YARD will try to linkify it.
| # This URL should be in the format: | ||
| # https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken | ||
| # where: | ||
| # * {universe_domain} is the domain of the IAMCredentials API endpoint (e.g. 'googleapis.com') |
There was a problem hiding this comment.
Put backticks around anything with literal curly braces, since it is a linkification syntax for YARD.
| # and request short-lived credentials for a service account | ||
| # that has the authorization that your use case requires. | ||
| # | ||
| # @param base_credentials [Object] the authenticated principal that will be used |
There was a problem hiding this comment.
Are these parameters required? (Seems like they are.) If so, can you note that in the documentation, and also put some checks in the constructor to fail fast if they are not provided?
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| spec_dir = File.expand_path File.join(File.dirname(__FILE__)) |
There was a problem hiding this comment.
File.join() with only one argument is kind of a noop.
Also, I think this $LOAD_PATH hackery is unnecessary here. We're not requiring any files in the spec/googleauth directory like some of the other spec files are. (And even in those, this is an ugly way to require those files and should just be changed to require_relative.)
|
|
||
| describe "#initialize" do | ||
| it "should call duplicate when available" do | ||
| allow(@base_creds).to receive(:duplicate).and_return(@base_creds) |
There was a problem hiding this comment.
maybe return something else so you can verify that source_credentials is that other thing rather than @base_creds.
feat: create impersonated service credentials
feat: add duplication mechanism to various credentials to support "re-scoping" them for IAM requests