Skip to content

Tencent Cloud support#99

Draft
punmechanic wants to merge 24 commits into
RiotGames:mainfrom
punmechanic:dan/tencent-cloud
Draft

Tencent Cloud support#99
punmechanic wants to merge 24 commits into
RiotGames:mainfrom
punmechanic:dan/tencent-cloud

Conversation

@punmechanic

@punmechanic punmechanic commented Sep 25, 2023

Copy link
Copy Markdown
Member

This PR re-implements Tencent Cloud support for KeyConjurer v2.

There are a few limitations to Tencent Cloud support which make it less-than-seamless to use:

  • Tencent Cloud applications cannot use the Token Exchange endpoint in Okta due to Okta limitations, which means that sessions must instead be initiated by directly visiting the application URL.
  • Consequently, the application URL and a type flag must be added to the returned applications from our API to indicate that an application is a Tencent Cloud application and stored within the configuration.
  • Because it's not possible to construct the link with just the application ID, the --bypass-cache flag cannot be used with Tencent applications; a Tencent Cloud application must be within the cache.

@punmechanic punmechanic changed the title Tencent Cloud suport Tencent Cloud support Sep 25, 2023
punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
Comment thread cli/get.go Outdated
outputType, _ := cmd.Flags().GetString(FlagOutputType)
shellType, _ := cmd.Flags().GetString(FlagShellType)
roleName, _ := cmd.Flags().GetString(FlagRoleName)
cloudType, _ := cmd.Flags().GetString(FlagCloudType)

@punmechanic punmechanic Sep 25, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can now infer the cloud type from the application in the cache. Giving the user the option to specify this doesn't make much sense - They'll almost certainly get it wrong. As such, this is removed.

It'll be removed from switch.go as well.

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
Comment thread cli/get.go Outdated
}

if cloudType == cloudAws {
switch cloudType {

@punmechanic punmechanic Sep 25, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably fold this switch statement into the previous one if we're smart

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
Comment thread internal/api/serverless_functions.go
return ApplicationTypeAWS, true
}

if strings.Contains(strings.ToLower(app.AppName), "tencent") {

@punmechanic punmechanic Sep 25, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is likely to be changed depending on our implementation -- Okta doesn't have good first-class support for Tencent Cloud so they don't have a defined naming scheme, but we need a naming scheme to identify them.

Most likely, app.AppName will be set to something like keyconjurer_tencent to be able to discern keyconjurer-enabled Tencent Cloud applications from ones that just take you to the console.

punmechanic
punmechanic commented Sep 25, 2023
View reviewed changes
Comment thread cli/get.go Outdated

// TODO: Spin up a web server that listens for a SAML callback.

// TODO: This only works for OSX.

@punmechanic punmechanic Sep 25, 2023

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the work we have to implement this to add a new flag, -b/--open-browser and add that to keyconjurer login so users don't need to copy/paste.

@punmechanic punmechanic force-pushed the dan/tencent-cloud branch 3 times, most recently from b1d461e to 3084bd1 Compare October 4, 2023 20:50
punmechanic and others added 20 commits October 6, 2023 14:06
@punmechanic
Alter Lambda function to return type of application
8d50e1f
@punmechanic
Make the search for Tencent applications case-insensitive
feb4d46
@punmechanic
Add a test API server
d718e3a
@punmechanic
Return well-defined errors from token exchange
e2ffc94
@punmechanic
use cloudType to infer the type of application
a6cf69e
@punmechanic
only print an error if an error occurred
ad88026
@punmechanic
Return the cloud type and add a branch for Tencent
29fc4ba
@punmechanic
Spin up a web browser for SAML
5ecf6d1
@punmechanic
Add SAML Listener skeleton
91b3493
@punmechanic
Open server in a Goroutine
fadfc2a
@punmechanic
Get the Redirect URL from the Oauth configuration
7669900
@punmechanic
Pass SAML assertion to the channel
afa4206
@punmechanic
Add SAMLProvider interface
c40912e
@punmechanic
Add wrapper around SAML library
d5ed558 
This will enable us to remove the old deprecated one
@punmechanic
Remove unused consts
220d02a
@punmechanic
Remove deprecated SAML library
4fb782b
@punmechanic
Move browser opening functionality to browser_darwin.go
c062fa7
@punmechanic
use the stored copy of the assertion
51cb17d
@punmechanic
Add Linux OpenBrowser function
d98e264 
Otherwise our pipeline breaks
@punmechanic
Use new SAMLProvider type for encapsulating exchange
6d9907f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@punmechanic