feat: service account kms

backend/api/auth.py

@@ -17,6 +17,18 @@
 logger = logging.getLogger(__name__)
 
 
+class ServiceAccountUser:
+    """Mock ServiceAccount user"""
+
+    def __init__(self, service_account):
+        self.userId = service_account.id
+        self.id = service_account.id
+        self.is_authenticated = True
+        self.is_active = True
+        self.username = service_account.name
+        self.service_account = service_account
+
+
 class PhaseTokenAuthentication(authentication.BaseAuthentication):
     def authenticate(self, request):
 
@@ -122,8 +134,14 @@ def authenticate(self, request):
 
             try:
                 service_token = get_service_token(auth_token)
-                service_account = get_service_account_from_token(auth_token)
-                user = service_token.created_by.user
+                service_account = get_service_account_from_token(auth_token)          
+
+                creator = getattr(service_token, "created_by", None)
+                if creator:
+                    user = creator.user
+                else:
+                    user = ServiceAccountUser(service_account)
+
                 auth["service_account"] = service_account
                 auth["service_account_token"] = service_token
 

backend/api/identity_providers.py

@@ -0,0 +1,57 @@
+class IdentityProviders:
+    """
+    Configuration for supported identity providers.
+    Similar to Providers in services.py but specifically for identity authentication.
+    """
+
+    AWS_IAM = {
+        "id": "aws_iam",
+        "name": "AWS IAM",
+        "description": "Use AWS STS GetCallerIdentity to authenticate.",
+        "icon_id": "aws",  # Maps to ProviderIcon component
+        "supported": True,
+    }
+
+    # Future identity providers can be added here:
+    # GitHub OIDC
+    #     "id": "github_oidc", 
+    #     "name": "GitHub OIDC",
+    #     "description": "Use GitHub OIDC for authentication.",
+    #     "icon_id": "github",
+    #     "supported": False,
+    # }
+    #
+    # Kubernetes OIDC
+    #     "id": "kubernetes_oidc",
+    #     "name": "Kubernetes OIDC", 
+    #     "description": "Use Kubernetes OIDC for authentication.",
+    #     "icon_id": "kubernetes",
+    #     "supported": False,
+    # }
+
+    @classmethod
+    def get_all_providers(cls):
+        """Get all identity providers, including unsupported ones for future roadmap display."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict)
+        ]
+
+    @classmethod
+    def get_supported_providers(cls):
+        """Get only currently supported identity providers."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict) and provider.get("supported", False)
+        ]
+
+    @classmethod
+    def get_provider_config(cls, provider_id):
+        """Get configuration for a specific provider by ID."""
+        for provider in cls.__dict__.values():
+            if isinstance(provider, dict) and provider["id"] == provider_id:
+                return provider
+        raise ValueError(f"Identity provider '{provider_id}' not found")
+

backend/api/migrations/0110_serviceaccounttoken_created_by_service_account.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.2.22 on 2025-08-22 08:59
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0109_alter_dynamicsecret_key_map"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="serviceaccounttoken",
+            name="created_by_service_account",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="created_tokens",
+                to="api.serviceaccount",
+            ),
+        ),
+    ]

backend/api/migrations/0111_identity_serviceaccount_identities.py

@@ -0,0 +1,56 @@
+# Generated by Django 4.2.22 on 2025-08-25 13:24
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0110_serviceaccounttoken_created_by_service_account"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Identity",
+            fields=[
+                (
+                    "id",
+                    models.TextField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("provider", models.CharField(max_length=64)),
+                ("name", models.CharField(max_length=100)),
+                ("description", models.TextField(blank=True, null=True)),
+                ("config", models.JSONField(default=dict)),
+                (
+                    "token_name_pattern",
+                    models.CharField(blank=True, max_length=128, null=True),
+                ),
+                ("default_ttl_seconds", models.IntegerField(default=3600)),
+                ("max_ttl_seconds", models.IntegerField(default=86400)),
+                ("created_at", models.DateTimeField(auto_now_add=True, null=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("deleted_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "organisation",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="api.organisation",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="serviceaccount",
+            name="identities",
+            field=models.ManyToManyField(
+                blank=True, related_name="service_accounts", to="api.identity"
+            ),
+        ),
+    ]

backend/api/models.py

@@ -279,6 +279,9 @@ class ServiceAccount(models.Model):
     network_policies = models.ManyToManyField(
         NetworkAccessPolicy, blank=True, related_name="service_accounts"
     )
+    identities = models.ManyToManyField(
+        "Identity", blank=True, related_name="service_accounts"
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(null=True, blank=True)
@@ -556,11 +559,37 @@ class ServiceAccountToken(models.Model):
     created_by = models.ForeignKey(
         OrganisationMember, on_delete=models.CASCADE, blank=True, null=True
     )
+    created_by_service_account = models.ForeignKey(
+        ServiceAccount,
+        on_delete=models.SET_NULL,
+        blank=True,
+        null=True,
+        related_name="created_tokens",
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(blank=True, null=True)
     expires_at = models.DateTimeField(null=True)
 
+    def clean(self):
+        # Ensure only one of created_by or created_by_service_account is set
+        # Service accounts can create tokens for themselves and others
+        if not (self.created_by or self.created_by_service_account):
+            raise ValidationError(
+                "Must set either created_by (organisation member) or created_by_service_account"
+            )
+        if self.created_by and self.created_by_service_account:
+            raise ValidationError(
+                "Only one of created_by or created_by_service_account may be set"
+            )
+
+    def save(self, *args, **kwargs):
+        self.full_clean()  # This calls clean() and field validation
+        super().save(*args, **kwargs)
+
+    def get_creator_account(self):
+        return self.created_by or self.created_by_service_account
+
     def delete(self, *args, **kwargs):
         """
         Soft delete the object by setting the 'deleted_at' field.
@@ -878,6 +907,50 @@ class SecretEvent(models.Model):
     user_agent = models.TextField(null=True, blank=True)
 
 
+class Identity(models.Model):
+    """
+    Third-party identity configuration.
+
+    Scope: Organisation level; can be attached to multiple ServiceAccounts.
+    """
+
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    organisation = models.ForeignKey(Organisation, on_delete=models.CASCADE)
+    provider = models.CharField(max_length=64)
+    name = models.CharField(max_length=100)
+    description = models.TextField(blank=True, null=True)
+
+    # Provider-specific configuration
+    # Example for aws_iam:
+    # {
+    #   "trustedPrincipals": "arn:..., arn:...",
+    #   "signatureTtlSeconds": 60,
+    #   "stsEndpoint": "https://sts.amazonaws.com"
+    # }
+    config = models.JSONField(default=dict)
+
+    # Token configuration
+    token_name_pattern = models.CharField(max_length=128, blank=True, null=True)
+    default_ttl_seconds = models.IntegerField(default=3600)
+    max_ttl_seconds = models.IntegerField(default=86400)
+
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+    deleted_at = models.DateTimeField(blank=True, null=True)
+
+    def get_trusted_list(self):
+        try:
+            principals = self.config.get("trustedPrincipals", [])
+            if isinstance(principals, list):
+                return [
+                    p.strip() for p in principals if isinstance(p, str) and p.strip()
+                ]
+            # Fallback for legacy comma-separated string format
+            return [p.strip() for p in str(principals).split(",") if p.strip()]
+        except Exception:
+            return []
+
+
 class PersonalSecret(models.Model):
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     secret = models.ForeignKey(Secret, on_delete=models.CASCADE)

backend/api/serializers.py

@@ -17,6 +17,7 @@
     Secret,
     ServiceAccount,
     ServiceToken,
+    ServiceAccountToken,
     UserToken,
     PersonalSecret,
 )
@@ -307,7 +308,7 @@ class ServiceAccountTokenSerializer(serializers.ModelSerializer):
     )
 
     class Meta:
-        model = UserToken
+        model = ServiceAccountToken
         fields = [
             "wrapped_key_share",
             "account_id",

backend/api/utils/access/roles.py

@@ -12,6 +12,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -43,6 +44,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -73,6 +75,7 @@
             "Members": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -103,6 +106,7 @@
             "Members": ["read"],
             "ServiceAccounts": [],
             "ServiceAccountTokens": [],
+            "ExternalIdentities": [],
             "Roles": ["read"],
             "IntegrationCredentials": [
                 "create",
@@ -137,6 +141,7 @@
             "Members": ["read"],
             "ServiceAccounts": ["read"],
             "ServiceAccountTokens": ["read"],
+            "ExternalIdentities": ["read"],
             "Roles": ["read"],
             "IntegrationCredentials": ["read"],
             "NetworkAccessPolicies": ["read"],