Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add google_service_account inline field option for Google Workspace/GSuite OIDC #5563

Merged
merged 38 commits into from
Mar 12, 2021
Merged

Add google_service_account inline field option for Google Workspace/GSuite OIDC #5563

merged 38 commits into from
Mar 12, 2021

Conversation

stevenGravy
Copy link
Contributor

Address #5523

  • Added a field option for OIDC connection, google_service_account, that allows for populating the JSON google service account inline. Cloud users wouldn't be able to set a file path for the json contents currently in google_service_account_uri.
  • Updated GSuite logging to use Google Workspace wording
  • Added validation that only google_service_account or google_service_account_uri is allowed
  • Excludes contents of google_service_account when not retrieving with secrets.
  • Confirmed this is still backwards compatible using the google_service_account_uri instead

Ex:

kind: oidc
metadata:
  name: Google
spec:
  claims_to_roles:
  - claim: groups
    roles:
    - admin
    value: developer@myworkspace
  client_id: 572ads33232332ispljk.apps.googleusercontent.com
  client_secret: 7TFQTpadsaed3
  display: Google
  google_admin_email: admin@myworkspace
  google_service_account: |
    {
     "type": "service_account",
     "project_id": "access-303333",
     "private_key_id": "b05d2016asdfasdf498fa19ba14870",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCea10OG7LKppWV\nHC2YrgiNs0d0UoNXwJkihQggRo+yEh8tIRKcMxK2d3Cs5A76hkpeIBWpzgcMfI0m\nZpVz1YZCQF/cHe8Ts85KQdtxai1FqgWADXjw4OotlPDpC/4T0/MpdUGQbOg95DrJ\nEaRBgQC2XirBINUpCEXNe4qEnPFIsbtqC/8geLnP\n33SoF77ljEqAcNaum9SGdWEVRroczOibNpqBJaha7XTudYNg5gbtl63xcScHdtfe\ndL0phMQzTye8NQKe56gEZL2RgtEm7IeudSAHKJvzklAjQ132uSeNmG52yKiVa1Yp\n5gLdE/dGiQKBgQDcwp+FxWWLV/+99I8ho5lL9T0ZSla2+FFAgKzzi1UtsFCuQIXm\nulD2wd0NZjDDUs5jlUvFuimAnvFsJSHRCCRjm4KB4KwVeXUO9ycrXn7y6ZfdQ1kD\n+kwzwVsLdfFoB1EUFjiUd/h31hfPFIjGi3g1IUHBiFxImMVZe+1MYNTgEQKBgAik\nmd4hUjjpnXVJn5z9WyoY0ksKWoMNdbD2ZC77QR7b8UP5FROdawscUQeTHIr04ylI\nAzaPtFTq4BnVE+7pt/ZWs/W3aSQfa8etPLHVCv9rhvSShpdFX18l7x4QVx1DJIMO\nJgBw2kNG8elZ7gAdclRxnvqeM+8w8Rp3PjeAFL4RAoGAeL3+nqSbyYdZ03xow+ge\nVP9hyMggxpEaTKWi9ort308tzY7Qhdq+21FoFLp6++xJuQUC+icz2flJd5Dm8nUk\nE835lzBhFskBvb7yLOMSAbJuOKCmpcIfkYipJ6y3BLqYQb1UTCPezqrq9OuHalRQ\nuhOI6uxZe8hFvV3t1Jn157o=\n-----END PRIVATE KEY-----\n",
     "client_email": "teleport-service-account@access-dddd.iam.gserviceaccount.com",
     "client_id": "32322322311111",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googleapis.com/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/teleport-service-account%40access-304316.iam.gserviceaccount.com"
    }
  issuer_url: https://accounts.google.com
  redirect_url: https://teleport.example.com:3080/v1/webapi/oidc/callback
  scope:
  - openid
  - email
version: v2

@stevenGravy stevenGravy added sso Used for single sign on related tasks. cloud Cloud labels Feb 12, 2021
@stevenGravy stevenGravy changed the title Add google_service_account inline field option for Google Workspace OIDC Add google_service_account inline field option for Google Workspace/GSuite OIDC Feb 12, 2021
webvictim
webvictim reviewed Feb 16, 2021
View reviewed changes
Copy link
Contributor

@webvictim webvictim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few suggestions

api/types/oidc.go Outdated Show resolved Hide resolved
api/types/oidc.go Outdated Show resolved Hide resolved
api/types/oidc.go Outdated Show resolved Hide resolved
api/types/oidc.go Outdated Show resolved Hide resolved
api/types/oidc.go Outdated Show resolved Hide resolved
lib/auth/oidc.go Show resolved Hide resolved
lib/auth/oidc.go Outdated Show resolved Hide resolved
lib/auth/oidc.go Show resolved Hide resolved
lib/auth/oidc.go Outdated Show resolved Hide resolved
lib/services/oidc.go Outdated Show resolved Hide resolved
stevenGravy and others added 13 commits February 16, 2021 11:22
@stevenGravy @webvictim
change comment
afe56ab 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
spacing
4f23afd 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
change comment for googleserviceaccount
b4f1194 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
correct comment
bd93792 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
modify comment on GetGoogleServiceAccount
7fd9216 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
add comment on loading google service account
0eda340 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy
Moved comments to correct line and modified language
fff0251
@stevenGravy
Merge branch 'stevenGravy/sso/gsuite' of https://github.com/gravitati…
5a4912b 
…onal/teleport into stevenGravy/sso/gsuite
@stevenGravy
Merge branch 'master' into stevenGravy/sso/gsuite
4d074ed
@stevenGravy
lint fix
46f089f
@stevenGravy
added credential loading method variable for better error reporting w…
6db19d1 
…hen using google service account uri or inline.
@stevenGravy
Merge branch 'stevenGravy/sso/gsuite' of https://github.com/gravitati…
829f3dc 
…onal/teleport into stevenGravy/sso/gsuite
@stevenGravy
modified debug message to use variable name while giving google works…
5bced25 
…pace context
awly
awly reviewed Feb 16, 2021
View reviewed changes
api/types/oidc.go Outdated Show resolved Hide resolved
lib/auth/oidc.go Outdated Show resolved Hide resolved
lib/auth/oidc.go Outdated Show resolved Hide resolved
lib/services/local/users.go Outdated Show resolved Hide resolved
lib/services/local/users.go Outdated Show resolved Hide resolved
lib/services/oidc.go Outdated Show resolved Hide resolved
lib/services/oidc.go Outdated Show resolved Hide resolved
stevenGravy and others added 2 commits February 16, 2021 20:01
@stevenGravy
take out unnecessary if check
5bc53c2 
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
@stevenGravy
better error message handling
fe84366 
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
@awly awly requested review from webvictim and awly February 17, 2021 19:40
webvictim
webvictim reviewed Feb 17, 2021
View reviewed changes
api/types/oidc.go Outdated Show resolved Hide resolved
webvictim
webvictim approved these changes Feb 17, 2021
View reviewed changes
lib/services/oidc.go Outdated Show resolved Hide resolved
stevenGravy and others added 4 commits February 17, 2021 14:57
@stevenGravy @webvictim
Fix language
936ce88 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy @webvictim
language change
3d08355 
Co-authored-by: Gus Luxton <gus@gravitational.com>
@stevenGravy
Merge branch 'master' into stevenGravy/sso/gsuite
842e8b8
@stevenGravy
Merge branch 'master' into stevenGravy/sso/gsuite
0434d70
@webvictim
Copy link
Contributor

webvictim commented Feb 18, 2021
edited
Loading

@russjones Could you please review and then approve this PR if it looks OK?

@russjones russjones added this to the 6.0.1 "Ides of March" milestone Feb 20, 2021
@awly
Copy link
Contributor

awly commented Mar 3, 2021

Ping @russjones

@stevenGravy stevenGravy mentioned this pull request Mar 12, 2021
Merged
stevenGravy added a commit that referenced this pull request Mar 12, 2021
@stevenGravy
backport branch/v6.0: Add google_service_account inline field option …
b169431 
…for Google Workspace/GSuite OIDC (#5964)

Backport of #5563
This was referenced Mar 12, 2021
Closed
Merged
@stevenGravy stevenGravy enabled auto-merge (squash) March 12, 2021 03:06
@stevenGravy stevenGravy merged commit 94084f8 into master Mar 12, 2021
@stevenGravy stevenGravy deleted the stevenGravy/sso/gsuite branch March 12, 2021 03:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@russjones russjones russjones approved these changes

@awly awly awly approved these changes

@webvictim webvictim webvictim approved these changes

@klizhentas klizhentas Awaiting requested review from klizhentas

@r0mant r0mant Awaiting requested review from r0mant

@a-palchikov a-palchikov Awaiting requested review from a-palchikov

Assignees
No one assigned
Labels
cloud Cloud sso Used for single sign on related tasks.
Projects
None yet
Milestone
6.0.3 "Ides of March"
Development

Successfully merging this pull request may close these issues.
4 participants
@stevenGravy @webvictim @awly @russjones