Member Management Part2

backend/lib/routes/members.js

@@ -8,6 +8,7 @@
 
 const express = require('express')
 const { members } = require('../services')
+const { UnprocessableEntity } = require('http-errors')
 
 const router = module.exports = express.Router({
   mergeParams: true
@@ -56,6 +57,23 @@ router.route('/:name')
       next(err)
     }
   })
+  .post(async (req, res, next) => {
+    try {
+      const user = req.user
+      const { namespace, name } = req.params
+      const { method } = req.body
+
+      switch (method) {
+        case 'rotateSecret':
+          res.send(await members.rotateSecret({ user, namespace, name }))
+          break
+        default:
+          throw new UnprocessableEntity(`${method} not allowed for members`)
+      }
+    } catch (err) {
+      next(err)
+    }
+  })
   .delete(async (req, res, next) => {
     try {
       const user = req.user

backend/lib/routes/terminals.js

@@ -9,6 +9,7 @@
 const express = require('express')
 const { terminals, authorization } = require('../services')
 const _ = require('lodash')
+const { UnprocessableEntity } = require('http-errors')
 
 const router = module.exports = express.Router({
   mergeParams: true
@@ -37,7 +38,7 @@ router.route('/')
       const { method, params: body } = req.body
 
       if (!_.includes(['create', 'fetch', 'list', 'config', 'remove', 'heartbeat', 'listProjectTerminalShortcuts'], method)) {
-        throw new Error(`${method} not allowed for terminals`)
+        throw new UnprocessableEntity(`${method} not allowed for terminals`)
       }
       res.send(await terminals[method]({ user, body }))
     } catch (err) {

backend/lib/services/members/MemberManager.js

@@ -97,6 +97,19 @@ class MemberManager {
     return this.subjectList.members
   }
 
+  async rotateServiceAccountSecret (id) {
+    const item = this.subjectList.get(id)
+    if (!item) {
+      return
+    }
+
+    if (item.kind !== 'ServiceAccount') {
+      throw new UnprocessableEntity('Member is not a ServiceAccount')
+    }
+
+    await this.deleteServiceAccountSecret(item)
+  }
+
   setItemRoles (item, roles) {
     roles = _.compact(roles)
     if (!roles.length && item.kind !== 'ServiceAccount') {
@@ -114,7 +127,7 @@ class MemberManager {
   async createServiceAccount (item, { createdBy, description }) {
     const { namespace, name } = Member.parseUsername(item.id)
     if (namespace !== this.namespace) {
-      return
+      return // foreign service account => early exit, nothing to create
     }
 
     const serviceAccount = await this.client.core.serviceaccounts.create(namespace, {
@@ -144,7 +157,7 @@ class MemberManager {
   async updateServiceAccount (item, { description }) {
     const { namespace, name } = Member.parseUsername(item.id)
     if (namespace !== this.namespace) {
-      return
+      throw new UnprocessableEntity('It is not possible to modify ServiceAccount from another namespace')
     }
 
     const isDirty = item.extend({ description })
@@ -162,13 +175,33 @@ class MemberManager {
   async deleteServiceAccount (item) {
     const { namespace, name } = Member.parseUsername(item.id)
     if (namespace !== this.namespace) {
-      return
+      return // foreign service account => early exit, nothing to delete
     }
 
     await this.client.core.serviceaccounts.delete(namespace, name)
     this.subjectList.delete(item.id)
   }
 
+  async deleteServiceAccountSecret (item) {
+    const { namespace } = Member.parseUsername(item.id)
+    if (namespace !== this.namespace) {
+      throw new UnprocessableEntity('It is not possible to modify a ServiceAccount from another namespace')
+    }
+
+    const name = _
+      .chain(item)
+      .get('extensions.secrets', [])
+      .tap(secrets => {
+        if (secrets.length > 1) {
+          throw new UnprocessableEntity(`ServiceAccount ${namespace} has more than one secret`)
+        }
+      })
+      .head()
+      .get('name')
+      .value()
+    return await this.client.core.secrets.delete(namespace, name)
+  }
+
   async getKubeconfig (item) {
     const { namespace, name } = Member.parseUsername(item.id)
     const secretName = _

backend/lib/services/members/index.js

@@ -32,3 +32,8 @@ exports.remove = async function ({ user, namespace, name }) {
   const memberManager = await MemberManager.create(user, namespace)
   return memberManager.delete(name)
 }
+
+exports.rotateSecret = async function ({ user, namespace, name }) {
+  const memberManager = await MemberManager.create(user, namespace)
+  memberManager.rotateServiceAccountSecret(name)
+}

backend/test/acceptance/__snapshots__/api.members.spec.js.snap

@@ -1290,6 +1290,40 @@ Array [
 ]
 `;
 
+exports[`api members should rotate a service account secret 1`] = `
+Array [
+  Array [
+    Object {
+      ":authority": "kubernetes:6443",
+      ":method": "get",
+      ":path": "/apis/core.gardener.cloud/v1beta1/projects/foo",
+      ":scheme": "https",
+      "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJhckBleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImV4cCI6MzE1NTcxNjgwMCwianRpIjoianRpIn0.7WKy0sNVkJzIqh3QJIF1zk3QjzwFe_zMTv8PmnOCsxg",
+    },
+  ],
+  Array [
+    Object {
+      ":authority": "kubernetes:6443",
+      ":method": "get",
+      ":path": "/api/v1/namespaces/garden-foo/serviceaccounts",
+      ":scheme": "https",
+      "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJhckBleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImV4cCI6MzE1NTcxNjgwMCwianRpIjoianRpIn0.7WKy0sNVkJzIqh3QJIF1zk3QjzwFe_zMTv8PmnOCsxg",
+    },
+  ],
+  Array [
+    Object {
+      ":authority": "kubernetes:6443",
+      ":method": "delete",
+      ":path": "/api/v1/namespaces/garden-foo/secrets/robot-token-726f6",
+      ":scheme": "https",
+      "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJhckBleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImV4cCI6MzE1NTcxNjgwMCwianRpIjoianRpIn0.7WKy0sNVkJzIqh3QJIF1zk3QjzwFe_zMTv8PmnOCsxg",
+    },
+  ],
+]
+`;
+
+exports[`api members should rotate a service account secret 2`] = `Object {}`;
+
 exports[`api members should update roles of a project member 1`] = `
 Array [
   Array [

backend/test/acceptance/api.members.spec.js

@@ -393,5 +393,25 @@ describe('api', function () {
 
       expect(res.body).toMatchSnapshot()
     })
+
+    it('should rotate a service account secret', async function () {
+      const name = 'system:serviceaccount:garden-foo:robot'
+
+      mockRequest.mockImplementationOnce(fixtures.projects.mocks.get())
+      mockRequest.mockImplementationOnce(fixtures.serviceaccounts.mocks.list())
+      mockRequest.mockImplementationOnce(fixtures.serviceaccounts.mocks.delete())
+
+      const res = await agent
+        .post(`/api/namespaces/${namespace}/members/${name}`)
+        .set('cookie', await user.cookie)
+        .send({
+          method: 'rotateSecret'
+        })
+
+      expect(mockRequest).toBeCalledTimes(3)
+      expect(mockRequest.mock.calls).toMatchSnapshot()
+
+      expect(res.body).toMatchSnapshot()
+    })
   })
 })

backend/test/services.members.spec.js

@@ -111,7 +111,12 @@ describe('services', function () {
             'dashboard.gardener.cloud/description': 'description'
           },
           creationTimestamp: 'bar-time'
-        }
+        },
+        secrets: [
+          {
+            name: 'secret-1'
+          }
+        ]
       },
       {
         metadata: {
@@ -131,7 +136,15 @@ describe('services', function () {
             'dashboard.gardener.cloud/created-by': 'foo'
           },
           creationTimestamp: 'bar-time'
-        }
+        },
+        secrets: [
+          {
+            name: 'secret-1'
+          },
+          {
+            name: 'secret-2'
+          }
+        ]
       },
       {
         metadata: {
@@ -171,6 +184,9 @@ describe('services', function () {
         delete: jest.fn().mockResolvedValue(),
         mergePatch: jest.fn().mockResolvedValue()
       }
+      client.core.secrets = {
+        delete: jest.fn().mockResolvedValue()
+      }
     })
 
     describe('SubjectList', function () {
@@ -361,6 +377,13 @@ describe('services', function () {
       })
 
       describe('#deleteServiceAccount', function () {
+        it('should delete a serviceaccount', async function () {
+          const id = 'system:serviceaccount:garden-foo:robot-sa'
+          const item = memberManager.subjectList.get(id)
+          await memberManager.deleteServiceAccount(item)
+          expect(client.core.serviceaccounts.delete).toBeCalledWith('garden-foo', 'robot-sa')
+        })
+
         it('should not delete a serviceaccount from a different namespace', async function () {
           const id = 'system:serviceaccount:garden-foreign:robot-foreign-namespace'
           const item = memberManager.subjectList.get(id)
@@ -370,11 +393,31 @@ describe('services', function () {
       })
 
       describe('#updateServiceAccount ', function () {
-        it('should not delete a serviceaccount from a different namespace', async function () {
+        it('should not update a serviceaccount from a different namespace', async function () {
           const id = 'system:serviceaccount:garden-foreign:robot-foreign-namespace'
           const item = memberManager.subjectList.get(id)
-          await memberManager.updateServiceAccount(item, {})
-          expect(client.core.serviceaccounts.mergePatch).not.toBeCalled()
+          await expect(memberManager.updateServiceAccount(item, {})).rejects.toThrow(UnprocessableEntity)
+        })
+      })
+
+      describe('#deleteServiceAccountSecret', function () {
+        it('should delete a serviceaccount secret', async function () {
+          const id = 'system:serviceaccount:garden-foo:robot-sa'
+          const item = memberManager.subjectList.get(id)
+          await memberManager.deleteServiceAccountSecret(item)
+          expect(client.core.secrets.delete).toBeCalledWith('garden-foo', 'secret-1')
+        })
+
+        it('should not delete a serviceaccount secret from a different namespace', async function () {
+          const id = 'system:serviceaccount:garden-foreign:robot-foreign-namespace'
+          const item = memberManager.subjectList.get(id)
+          await expect(memberManager.deleteServiceAccountSecret(item)).rejects.toThrow(UnprocessableEntity)
+        })
+
+        it('should not delete a service account secret if there is one more secret attached', async function () {
+          const id = 'system:serviceaccount:garden-foo:robot-multiple'
+          const item = memberManager.subjectList.get(id)
+          await expect(memberManager.deleteServiceAccountSecret(item)).rejects.toThrow(UnprocessableEntity)
         })
       })
     })

frontend/src/components/ServiceAccountRoles.vue → frontend/src/components/MemberAccountRoles.vue

@@ -5,10 +5,10 @@ SPDX-License-Identifier: Apache-2.0
  -->
 
 <template>
-  <div d-flex flex-row>
-    <v-tooltip top v-for="{ displayName, notEditable, tooltip } in roleDisplayNames" :key="displayName" :disabled="!tooltip">
+  <div>
+    <v-tooltip top v-for="({ displayName, notEditable, tooltip }, index) in roleDisplayNames" :key="displayName" :disabled="!tooltip">
       <template v-slot:activator="{ on }">
-        <v-chip v-on="on" class="mr-3" small :color="notEditable ? 'grey' : 'black'" outlined>
+        <v-chip v-on="on" small :color="notEditable ? 'grey' : 'black'" outlined :class="{'ml-3': index > 0}">
           {{displayName}}
         </v-chip>
       </template>