tokenserver/appengine/impl/projectscope/config.go - infra/luci/luci-go - Git at Google

 // Copyright 2019 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package projectscope

 import (
 	"context"

 	"google.golang.org/protobuf/encoding/prototext"

 	"go.chromium.org/luci/common/errors"
 	"go.chromium.org/luci/common/logging"
 	"go.chromium.org/luci/common/proto/config"
 	configset "go.chromium.org/luci/config"
 	"go.chromium.org/luci/config/cfgclient"
 	"go.chromium.org/luci/config/validation"

 	"go.chromium.org/luci/tokenserver/appengine/impl/utils/projectidentity"
 )

 // SetupConfigValidation registers the tokenserver custom projects.cfg validator.
 func SetupConfigValidation(rules *validation.RuleSet) {
 	rules.Add("services/${config_service_appid}", projectsCfg, func(ctx *validation.Context, configSet, path string, content []byte) error {
 		ctx.SetFile(projectsCfg)
 		cfg := &config.ProjectsCfg{}
 		if err := prototext.Unmarshal(content, cfg); err != nil {
 			ctx.Errorf("not a valid ProjectsCfg proto message - %s", err)
 		} else {
 			validateProjectsCfg(ctx, cfg)
 		}
 		return nil
 	})
 }

 // importIdentities analyzes projects.cfg to import or update project scoped service accounts.
 func importIdentities(c context.Context, cfg *config.ProjectsCfg) error {
 	storage := projectidentity.ProjectIdentities(c)

 	// TODO (fmatenaar): Make this transactional and provide some guarantees around cleanup
 	// but do this after we have a stronger story for warning about config changes which are
 	// about to remove an identity config from a project since this can cause an outage.
 	for _, project := range cfg.Projects {
 		identity := &projectidentity.ProjectIdentity{
 			Project: project.Id,
 		}
 		if project.IdentityConfig != nil && project.IdentityConfig.ServiceAccountEmail != "" {
 			identity.Email = project.IdentityConfig.ServiceAccountEmail
 			logging.Infof(c, "updating project scoped account: %v", identity)
 			if _, err := storage.Update(c, identity); err != nil {
 				logging.Errorf(c, "failed to update project scoped account: %v", identity)
 				return err
 			}
 		} else {
 			logging.Warningf(c, "removing project scoped account: %v", identity)
 			if err := storage.Delete(c, identity); err != nil {
 				logging.Errorf(c, "failed to remove project scoped account: %v", identity)
 			}
 		}
 	}
 	return nil
 }

 // fetchConfigs loads proto messages with rules from the config.
 func fetchConfigs(c context.Context) (*config.ProjectsCfg, string, error) {
 	cfg := &config.ProjectsCfg{}
 	var meta configset.Meta
 	if err := cfgclient.Get(c, "services/${config_service_appid}", projectsCfg, cfgclient.ProtoText(cfg), &meta); err != nil {
 		return nil, "", err
 	}
 	return cfg, meta.Revision, nil
 }

 // ImportConfigs fetches projects.cfg and updates datastore copy of it.
 //
 // Called from cron.
 func ImportConfigs(c context.Context) (string, error) {
 	cfg, rev, err := fetchConfigs(c)
 	if err != nil {
 		return "", errors.Annotate(err, "failed to fetch project configs").Err()
 	}
 	if err := importIdentities(c, cfg); err != nil {
 		return "", errors.Annotate(err, "failed to import project configs").Err()
 	}
 	return rev, nil
 }
	// Copyright 2019 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package projectscope

	import (
	"context"

	"google.golang.org/protobuf/encoding/prototext"

	"go.chromium.org/luci/common/errors"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/common/proto/config"
	configset "go.chromium.org/luci/config"
	"go.chromium.org/luci/config/cfgclient"
	"go.chromium.org/luci/config/validation"

	"go.chromium.org/luci/tokenserver/appengine/impl/utils/projectidentity"
	)

	// SetupConfigValidation registers the tokenserver custom projects.cfg validator.
	func SetupConfigValidation(rules *validation.RuleSet) {
	rules.Add("services/${config_service_appid}", projectsCfg, func(ctx *validation.Context, configSet, path string, content []byte) error {
	ctx.SetFile(projectsCfg)
	cfg := &config.ProjectsCfg{}
	if err := prototext.Unmarshal(content, cfg); err != nil {
	ctx.Errorf("not a valid ProjectsCfg proto message - %s", err)
	} else {
	validateProjectsCfg(ctx, cfg)
	}
	return nil
	})
	}

	// importIdentities analyzes projects.cfg to import or update project scoped service accounts.
	func importIdentities(c context.Context, cfg *config.ProjectsCfg) error {
	storage := projectidentity.ProjectIdentities(c)

	// TODO (fmatenaar): Make this transactional and provide some guarantees around cleanup
	// but do this after we have a stronger story for warning about config changes which are
	// about to remove an identity config from a project since this can cause an outage.
	for _, project := range cfg.Projects {
	identity := &projectidentity.ProjectIdentity{
	Project: project.Id,
	}
	if project.IdentityConfig != nil && project.IdentityConfig.ServiceAccountEmail != "" {
	identity.Email = project.IdentityConfig.ServiceAccountEmail
	logging.Infof(c, "updating project scoped account: %v", identity)
	if _, err := storage.Update(c, identity); err != nil {
	logging.Errorf(c, "failed to update project scoped account: %v", identity)
	return err
	}
	} else {
	logging.Warningf(c, "removing project scoped account: %v", identity)
	if err := storage.Delete(c, identity); err != nil {
	logging.Errorf(c, "failed to remove project scoped account: %v", identity)
	}
	}
	}
	return nil
	}

	// fetchConfigs loads proto messages with rules from the config.
	func fetchConfigs(c context.Context) (*config.ProjectsCfg, string, error) {
	cfg := &config.ProjectsCfg{}
	var meta configset.Meta
	if err := cfgclient.Get(c, "services/${config_service_appid}", projectsCfg, cfgclient.ProtoText(cfg), &meta); err != nil {
	return nil, "", err
	}
	return cfg, meta.Revision, nil
	}

	// ImportConfigs fetches projects.cfg and updates datastore copy of it.
	//
	// Called from cron.
	func ImportConfigs(c context.Context) (string, error) {
	cfg, rev, err := fetchConfigs(c)
	if err != nil {
	return "", errors.Annotate(err, "failed to fetch project configs").Err()
	}
	if err := importIdentities(c, cfg); err != nil {
	return "", errors.Annotate(err, "failed to import project configs").Err()
	}
	return rev, nil
	}