Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tencent Cloud support #99

Draft
wants to merge 24 commits into
base: main
Choose a base branch
from
Draft

Tencent Cloud support #99

wants to merge 24 commits into from

Conversation

punmechanic
Copy link
Member

This PR re-implements Tencent Cloud support for KeyConjurer v2.

There are a few limitations to Tencent Cloud support which make it less-than-seamless to use:

  • Tencent Cloud applications cannot use the Token Exchange endpoint in Okta due to Okta limitations, which means that sessions must instead be initiated by directly visiting the application URL.
  • Consequently, the application URL and a type flag must be added to the returned applications from our API to indicate that an application is a Tencent Cloud application and stored within the configuration.
  • Because it's not possible to construct the link with just the application ID, the --bypass-cache flag cannot be used with Tencent applications; a Tencent Cloud application must be within the cache.

@punmechanic punmechanic changed the title Tencent Cloud suport Tencent Cloud support Sep 25, 2023
punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
cli/get.go
@@ -82,7 +85,6 @@ A role must be specified when using this command through the --role flag. You ma
outputType, _ := cmd.Flags().GetString(FlagOutputType)
shellType, _ := cmd.Flags().GetString(FlagShellType)
roleName, _ := cmd.Flags().GetString(FlagRoleName)
cloudType, _ := cmd.Flags().GetString(FlagCloudType)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can now infer the cloud type from the application in the cache. Giving the user the option to specify this doesn't make much sense - They'll almost certainly get it wrong. As such, this is removed.

It'll be removed from switch.go as well.

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
cli/get.go Outdated
@@ -166,7 +211,8 @@ A role must be specified when using this command through the --role flag. You ma
ttl = config.TTL
}

if cloudType == cloudAws {
switch cloudType {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably fold this switch statement into the previous one if we're smart

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
internal/api/serverless_functions.go
return ApplicationTypeAWS, true
}

if strings.Contains(strings.ToLower(app.AppName), "tencent") {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is likely to be changed depending on our implementation -- Okta doesn't have good first-class support for Tencent Cloud so they don't have a defined naming scheme, but we need a naming scheme to identify them.

Most likely, app.AppName will be set to something like keyconjurer_tencent to be able to discern keyconjurer-enabled Tencent Cloud applications from ones that just take you to the console.

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
cli/get.go Outdated

// TODO: Spin up a web server that listens for a SAML callback.

// TODO: This only works for OSX.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the work we have to implement this to add a new flag, -b/--open-browser and add that to keyconjurer login so users don't need to copy/paste.

@punmechanic punmechanic force-pushed the dan/tencent-cloud branch 3 times, most recently from b1d461e to 3084bd1 Compare October 4, 2023 20:50
punmechanic and others added 20 commits October 6, 2023 14:06
@punmechanic
Alter Lambda function to return type of application
8d50e1f
@punmechanic
Make the search for Tencent applications case-insensitive
feb4d46
@punmechanic
Add a test API server
d718e3a
@punmechanic
Return well-defined errors from token exchange
e2ffc94
@punmechanic
use cloudType to infer the type of application
a6cf69e
@punmechanic
only print an error if an error occurred
ad88026
@punmechanic
Return the cloud type and add a branch for Tencent
29fc4ba
@punmechanic
Spin up a web browser for SAML
5ecf6d1
@punmechanic
Add SAML Listener skeleton
91b3493
@punmechanic
Open server in a Goroutine
fadfc2a
@punmechanic
Get the Redirect URL from the Oauth configuration
7669900
@punmechanic
Pass SAML assertion to the channel
afa4206
@punmechanic
Add SAMLProvider interface
c40912e
@punmechanic
Add wrapper around SAML library
d5ed558 
This will enable us to remove the old deprecated one
@punmechanic
Remove unused consts
220d02a
@punmechanic
Remove deprecated SAML library
4fb782b
@punmechanic
Move browser opening functionality to browser_darwin.go
c062fa7
@punmechanic
use the stored copy of the assertion
51cb17d
@punmechanic
Add Linux OpenBrowser function
d98e264 
Otherwise our pipeline breaks
@punmechanic
Use new SAMLProvider type for encapsulating exchange
6d9907f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@punmechanic