⭐️ support scope mrn reading from service account
chris-rock committed Jan 28, 2024
1 parent da7ceb6 commit 1be52b4
Showing 4 changed files with 234 additions and 142 deletions.
40 changes: 29 additions & 11 deletions cli/config/config.go
Expand Up @@ -182,11 +182,15 @@ type CommonOpts struct {

// service account credentials
ServiceAccountMrn string `json:"mrn,omitempty" mapstructure:"mrn"`
ParentMrn string `json:"parent_mrn,omitempty" mapstructure:"parent_mrn"`
SpaceMrn string `json:"space_mrn,omitempty" mapstructure:"space_mrn"`
PrivateKey string `json:"private_key,omitempty" mapstructure:"private_key"`
Certificate string `json:"certificate,omitempty" mapstructure:"certificate"`
APIEndpoint string `json:"api_endpoint,omitempty" mapstructure:"api_endpoint"`
// The scope mrn is used to scope the service account to a specific organization or space.
ScopeMrn string `json:"scope_mrn,omitempty" mapstructure:"scope_mrn"`
// Deprecated: use scope_mrn instead
ParentMrn string `json:"parent_mrn,omitempty" mapstructure:"parent_mrn"`
// Deprecated: use scope_mrn instead
SpaceMrn string `json:"space_mrn,omitempty" mapstructure:"space_mrn"`
PrivateKey string `json:"private_key,omitempty" mapstructure:"private_key"`
Certificate string `json:"certificate,omitempty" mapstructure:"certificate"`
APIEndpoint string `json:"api_endpoint,omitempty" mapstructure:"api_endpoint"`

// authentication
Authentication *CliConfigAuthentication `json:"auth,omitempty" mapstructure:"auth"`
Expand Down Expand Up @@ -254,22 +258,36 @@ func (c *CommonOpts) GetServiceCredential() *upstream.ServiceAccountCredentials

return &upstream.ServiceAccountCredentials{
Mrn: c.ServiceAccountMrn,
ParentMrn: c.GetParentMrn(),
ParentMrn: c.GetScopeMrn(),
ScopeMrn: c.GetScopeMrn(),
PrivateKey: c.PrivateKey,
Certificate: c.Certificate,
ApiEndpoint: c.APIEndpoint,
}
}

func (c *CommonOpts) GetParentMrn() string {
parent := c.ParentMrn
// GetScopeMrn returns the scope mrn that is used for the service account.
// This is either the organization mrn or the space mrn.
func (c *CommonOpts) GetScopeMrn() string {
scopeMrn := c.ScopeMrn

// fallback to old space_mrn config
if parent == "" {
parent = c.SpaceMrn
if scopeMrn == "" {
scopeMrn = c.SpaceMrn
}

if scopeMrn == "" {
scopeMrn = c.ParentMrn
}

return parent
return scopeMrn
}

// GetParentMrn returns the scope mrn that is used for the service account.
// This is either the organization mrn or the space mrn.
// Deprecated: Use GetScopeMrn instead
func (c *CommonOpts) GetParentMrn() string {
return c.GetScopeMrn()
}

func (c *CommonOpts) UpstreamApiEndpoint() string {
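Review bot: GetScopeMrn changes the precedence between the two deprecated fields: the removed GetParentMrn read `parent_mrn` first and only fell back to `space_mrn`, while the new fallback chain in the two `if scopeMrn == ""` blocks consults `space_mrn` before `parent_mrn`. A legacy config that carries both keys with different values will therefore resolve to a different scope than before, and since that value is what is handed to upstream as ParentMrn/ScopeMrn the service account would presumably be scoped to a different organization or space with no visible change to the config. Unless the swap is intentional, check `c.ParentMrn` before `c.SpaceMrn` so existing configs keep resolving as they did, and state the order in the doc comment, e.g. `// Precedence: scope_mrn, then the deprecated parent_mrn, then the deprecated space_mrn.` Logging a deprecation warning when either fallback is taken would also help operators find configs that still rely on the old keys.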
77 changes: 67 additions & 10 deletions cli/config/config_test.go
Expand Up @@ -105,7 +105,9 @@ func Test_inventoryPath(t *testing.T) {
}

func TestConfigParsing(t *testing.T) {
data := `

t.Run("test config with space_mrn", func(t *testing.T) {
data := `
agent_mrn: //agents.api.mondoo.app/spaces/musing-saha-952142/agents/1zDY7auR20SgrFfiGUT5qZWx6mE
api_endpoint: https://us.api.mondoo.com
api_proxy: http://192.168.4.4:3128
Expand All @@ -122,14 +124,69 @@ private_key: |
space_mrn: //captain.api.mondoo.app/spaces/musing-saha-952142
`

viper.SetConfigType("yaml")
viper.ReadConfig(strings.NewReader(data))
viper.SetConfigType("yaml")
viper.ReadConfig(strings.NewReader(data))


cfg, err := Read()
require.NoError(t, err)
assert.Equal(t, "//agents.api.mondoo.app/spaces/musing-saha-952142/agents/1zDY7auR20SgrFfiGUT5qZWx6mE", cfg.AgentMrn)
assert.Equal(t, "//agents.api.mondoo.app/spaces/musing-saha-952142/serviceaccounts/1zDY7cJ7bA84JxxNBWDxBdui2xE", cfg.ServiceAccountMrn)
assert.Equal(t, "-----BEGIN PRIVATE KEY-----\nMIG2AgE....C0Dvs=\n-----END PRIVATE KEY-----\n", cfg.PrivateKey)
assert.Equal(t, "-----BEGIN CERTIFICATE-----\nMIICV .. fis=\n-----END CERTIFICATE-----\n", cfg.Certificate)
assert.Equal(t, "//captain.api.mondoo.app/spaces/musing-saha-952142", cfg.GetScopeMrn())
assert.Equal(t, "//captain.api.mondoo.app/spaces/musing-saha-952142", cfg.GetParentMrn())
})

t.Run("test space service account with scope_mrn", func(t *testing.T) {
data := `
{
"mrn": "//agents.api.mondoo.app/organizations/my-custom-org-id/serviceaccounts/2bB5gsCSGp2Tlwiyv7mKN9PRSHK",
"certificate": "-----BEGIN CERTIFICATE-----\nMIICkjCCAhigAwI5MT...ju2MAkPg9dPc8MDZz7ukThmj1AZrap/5J166M=\n-----END CERTIFICATE-----\n",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM...ju2MAkPg9dPc8MDZz7ukT/xQTS5FUmDNu7Rw8=\n-----END PRIVATE KEY-----\n",
"scope_mrn": "//captain.api.mondoo.app/organizations/my-custom-org-id",
"api_endpoint": "https://us.api.mondoo.com",
"space_mrn": "//captain.api.mondoo.app/organizations/my-custom-org-id",
"typename": "ServiceAccountCredential"
}
`
viper.SetConfigType("yaml")
viper.ReadConfig(strings.NewReader(data))


cfg, err := Read()
require.NoError(t, err)
assert.Equal(t, "", cfg.AgentMrn)
assert.Equal(t, "//agents.api.mondoo.app/organizations/my-custom-org-id/serviceaccounts/2bB5gsCSGp2Tlwiyv7mKN9PRSHK", cfg.ServiceAccountMrn)
assert.Equal(t, "-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM...ju2MAkPg9dPc8MDZz7ukT/xQTS5FUmDNu7Rw8=\n-----END PRIVATE KEY-----\n", cfg.PrivateKey)
assert.Equal(t, "-----BEGIN CERTIFICATE-----\nMIICkjCCAhigAwI5MT...ju2MAkPg9dPc8MDZz7ukThmj1AZrap/5J166M=\n-----END CERTIFICATE-----\n", cfg.Certificate)
assert.Equal(t, "//captain.api.mondoo.app/organizations/my-custom-org-id", cfg.GetScopeMrn())
assert.Equal(t, "//captain.api.mondoo.app/organizations/my-custom-org-id", cfg.GetParentMrn())
})

t.Run("test org service account with scope_mrn", func(t *testing.T) {

data := `
{
"mrn": "//agents.api.mondoo.app/spaces/my-space-id/serviceaccounts/2bUj407V4GF4IKxg3Qn6NhWCr6x",
"certificate": "-----BEGIN CERTIFICATE-----\nMIICfDCCAgKgAwIBAgIQGwVGMqyjkNaCGTA96p/...\n2mm3zQE7mUokDf4qY3+SDw==\n-----END CERTIFICATE-----\n",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIG...ILipt7Y8zEZ7PRQPkGUYpWDE8=\n-----END PRIVATE KEY-----\n",
"scope_mrn": "//captain.api.mondoo.app/spaces/my-space-id",
"api_endpoint": "https://us.api.mondoo.com",
"space_mrn": "//captain.api.mondoo.app/spaces/my-space-id",
"typename": "ServiceAccountCredential"
}
`

viper.SetConfigType("yaml")
viper.ReadConfig(strings.NewReader(data))


cfg, err := Read()
require.NoError(t, err)
assert.Equal(t, "", cfg.AgentMrn)
assert.Equal(t, "//agents.api.mondoo.app/spaces/my-space-id/serviceaccounts/2bUj407V4GF4IKxg3Qn6NhWCr6x", cfg.ServiceAccountMrn)
assert.Equal(t, "-----BEGIN PRIVATE KEY-----\nMIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIG...ILipt7Y8zEZ7PRQPkGUYpWDE8=\n-----END PRIVATE KEY-----\n", cfg.PrivateKey)
assert.Equal(t, "-----BEGIN CERTIFICATE-----\nMIICfDCCAgKgAwIBAgIQGwVGMqyjkNaCGTA96p/...\n2mm3zQE7mUokDf4qY3+SDw==\n-----END CERTIFICATE-----\n", cfg.Certificate)
assert.Equal(t, "//captain.api.mondoo.app/spaces/my-space-id", cfg.GetScopeMrn())
assert.Equal(t, "//captain.api.mondoo.app/spaces/my-space-id", cfg.GetParentMrn())
})

cfg, err := Read()
require.NoError(t, err)
assert.Equal(t, "//agents.api.mondoo.app/spaces/musing-saha-952142/agents/1zDY7auR20SgrFfiGUT5qZWx6mE", cfg.AgentMrn)
assert.Equal(t, "//agents.api.mondoo.app/spaces/musing-saha-952142/serviceaccounts/1zDY7cJ7bA84JxxNBWDxBdui2xE", cfg.ServiceAccountMrn)
assert.Equal(t, "-----BEGIN PRIVATE KEY-----\nMIG2AgE....C0Dvs=\n-----END PRIVATE KEY-----\n", cfg.PrivateKey)
assert.Equal(t, "-----BEGIN CERTIFICATE-----\nMIICV .. fis=\n-----END CERTIFICATE-----\n", cfg.Certificate)
assert.Equal(t, "http://192.168.4.4:3128", cfg.APIProxy)
}
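Review bot: The two new subtest names are swapped relative to their fixtures: `t.Run("test space service account with scope_mrn", ...)` loads MRNs under `/organizations/my-custom-org-id`, while `t.Run("test org service account with scope_mrn", ...)` loads MRNs under `/spaces/my-space-id`, so the names should be exchanged. The cases also leave the new fallback order largely untested: the first case covers the `space_mrn` fallback, but no case sets only `parent_mrn`, and in both `scope_mrn` cases `scope_mrn` equals `space_mrn`, so a regression that ignored `scope_mrn` or read the deprecated keys first would still pass — add a fixture with only `parent_mrn` and one where `scope_mrn`, `space_mrn` and `parent_mrn` all differ, asserting that `scope_mrn` wins. Each `viper.ReadConfig` return value should be checked as well, `require.NoError(t, viper.ReadConfig(strings.NewReader(data)))`, so a parse failure surfaces as such rather than as assertions running against whatever the global viper instance held from the previous subtest.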
