blob: 08e327654061555ab30369efaff2d836213baea8 [file] [log] [blame]
// Copyright 2019 The LUCI Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package projectscope
import (
const (
projectsCfg = "projects.cfg"
func validateHasIdentityConfig(ctx *validation.Context, project *config.Project) (*config.IdentityConfig, bool) {
if project.IdentityConfig != nil && project.IdentityConfig.ServiceAccountEmail != "" {
return project.IdentityConfig, true
return nil, false
func validateProjectsCfg(ctx *validation.Context, cfg *config.ProjectsCfg) {
validateSingleIdentityProjectAssignment(ctx, cfg)
func validateSingleIdentityProjectAssignment(ctx *validation.Context, cfg *config.ProjectsCfg) {
ctx.Enter("identity configuration")
defer ctx.Exit()
// Service account email => list of project that use it.
idents := map[string][]string{}
for _, project := range cfg.Projects {
ctx.Enter("Validate project %s IdentityConfig", project.Id)
// Check whether valid identity config is present, otherwise skip the project
// TODO(fmatenaar): Enforce valid identity config once migration towards
// project identities is completed by all customers.
if identcfg, valid := validateHasIdentityConfig(ctx, project); valid {
validateCanIssueTokenForIdentity(ctx, identcfg.ServiceAccountEmail)
idents[identcfg.ServiceAccountEmail] = append(idents[identcfg.ServiceAccountEmail], project.Id)
// Warn when projects share identities.
var shared []string
for ident, projs := range idents {
if len(projs) > 1 {
shared = append(shared, ident)
for _, ident := range shared {
"project-scoped account %s is used by multiple projects: %s",
ident, strings.Join(idents[ident], ", "))
func validateCanIssueTokenForIdentity(ctx *validation.Context, identity string) {
// TODO(fmatenaar): Issue a token for the identity with minimum validity to check tokenserver access.
This actually will require some careful approach:
1. We probably do not want to mint tokens for all projects on all validation calls (this is a lot of RPCs). Only for accounts we haven't seen before. So we may need some cache.
2. If the account had invalid ACLs, and they were fixed, there's currently no way to retrigger the validation. LUCI Config uses contents of the config as sole input. If config body didn't change, it would think the config is still broken. The workaround is either a whitespace change in the config, or manually "Reimport config" button in UI.
this is one of my use-cases for validation context warning instead of Error.
config may eventually be correct if some other system's state change,
=> accept config, but tell user about problems.