OCI join method - Add server auth ceremony #51446

Merged: 1 commit, Feb 7, 2025

@atburke atburke commented Jan 24, 2025

This change adds the server side of the auth ceremony for the Oracle join method (RFD).

Part of #41705.
Follows #51445.

Changelog: Added Oracle cloud join method

@atburke atburke force-pushed the atburke/oci-join-2 branch 2 times, most recently from 6ad2308 to 21128b0 Compare January 29, 2025 21:40
@atburke atburke force-pushed the atburke/oci-join-3 branch from 5fee41e to 90e7eac Compare January 29, 2025 21:41
@atburke atburke marked this pull request as ready for review January 29, 2025 21:42
@github-actions github-actions bot requested review from bl-nero and ravicious January 29, 2025 21:43
lib/auth/join_oracle.go
}

// Check allow rules.
token, ok := provisionToken.(*types.ProvisionTokenV2)
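
Review bot: The comma-ok assertion `token, ok := provisionToken.(*types.ProvisionTokenV2)` under `// Check allow rules.` needs an explicit `!ok` branch that returns an error naming the concrete type received, so that a token of any other version is rejected before the allow rules are consulted rather than evaluated against a nil `token`. The branch is not visible in this excerpt; if it is already there, a test that passes a non-V2 `types.ProvisionToken` would pin the behaviour.
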
Contributor

What if we introduce V3? Perhaps using provisionToken.GetVersion() and asserting a minimum version here would be more future-proof?

Contributor Author

We'd still need to cast to v2 to get the v2 spec.

@atburke atburke force-pushed the atburke/oci-join-3 branch from 939e2e2 to 83ab4f3 Compare January 30, 2025 20:49
lib/auth/join_oracle.go (outdated)
// validateOracleJoinToken validates the fields in a token using the Oracle
// join method. It's done here instead of in the client so the client doesn't
// have to import the Oracle SDK.
func validateOracleJoinToken(token types.ProvisionToken) error {
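
Review bot: The doc comment on `validateOracleJoinToken` explains why the check lives here rather than in the client, but not what it checks: list the token fields validated and the error returned for each, and state what happens when the argument is not a `*types.ProvisionTokenV2` or does not use the Oracle join method, since the signature accepts the broader `types.ProvisionToken` interface.
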
Contributor

@rosstimothy rosstimothy Jan 31, 2025

I think this would be more consistent with other types if this were moved within a new func ValidateProvisionToken(token types.ProvisionToken) error in services/provisioning.go. However, as indicated in your comment, that would add the Oracle SDK to more dependency trees than desired.

Contributor

@strideynet strideynet Feb 4, 2025

I would definitely make sure we add a comment /somewhere/ that indicates that the validation for these fields exists here - I can see this being super hard to find. Probably more evidence that we need to break clients away from depending on lib/services.

@atburke atburke force-pushed the atburke/oci-join-3 branch from d897eee to a8c5529 Compare February 1, 2025 01:00
@atburke atburke force-pushed the atburke/oci-join-2 branch from d647b43 to db0511e Compare February 4, 2025 01:06
@atburke atburke force-pushed the atburke/oci-join-3 branch from f7c60aa to 40c332a Compare February 4, 2025 01:15
Base automatically changed from atburke/oci-join-2 to master February 4, 2025 01:44
@public-teleport-github-review-bot

@atburke - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from ravicious February 7, 2025 14:24
This change adds the server side of the auth ceremony for the
Oracle join method.
@atburke atburke force-pushed the atburke/oci-join-3 branch from 153419a to ef524ca Compare February 7, 2025 17:30
@atburke atburke enabled auto-merge February 7, 2025 17:30
@atburke atburke added this pull request to the merge queue Feb 7, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 7, 2025
@atburke atburke added this pull request to the merge queue Feb 7, 2025
Merged via the queue into master with commit 68cf11b Feb 7, 2025
44 checks passed
@atburke atburke deleted the atburke/oci-join-3 branch February 7, 2025 18:29
atburke added a commit that referenced this pull request Feb 7, 2025
This change adds the server side of the auth ceremony for the
Oracle join method.