authorize: add support for service accounts (#1374)

cmd/pomerium-cli/cli.go

@@ -2,16 +2,25 @@ package main
 
 import (
 	"bufio"
+	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
 	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/timestamppb"
 	"gopkg.in/square/go-jose.v2/jwt"
 
 	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 type stringSlice []string
@@ -46,11 +55,15 @@ type serviceAccount struct {
 }
 
 var serviceAccountOptions struct {
-	aud               stringSlice
-	groups            stringSlice
-	impersonateGroups stringSlice
-	expiry            time.Duration
-	serviceAccount    serviceAccount
+	aud                     stringSlice
+	groups                  stringSlice
+	impersonateGroups       stringSlice
+	expiry                  time.Duration
+	serviceAccount          serviceAccount
+	dataBrokerURL           string
+	overrideCertificateName string
+	ca                      string
+	caFile                  string
 }
 
 func init() {
@@ -64,6 +77,10 @@ func init() {
 	flags.Var(&serviceAccountOptions.groups, "groups", "Groups (e.g. admins@pomerium.io,users@pomerium.io)")
 	flags.Var(&serviceAccountOptions.impersonateGroups, "impersonate_groups", "Impersonation Groups (optional)")
 	flags.DurationVar(&serviceAccountOptions.expiry, "expiry", time.Hour, "Expiry")
+	flags.StringVar(&serviceAccountOptions.dataBrokerURL, "databroker-url", "http://localhost:5443", "the URL of the databroker used to store service accounts")
+	flags.StringVar(&serviceAccountOptions.overrideCertificateName, "override-certificate-name", "", "override the certificate name")
+	flags.StringVar(&serviceAccountOptions.ca, "certificate-authority", "", "custom certificate authority")
+	flags.StringVar(&serviceAccountOptions.caFile, "certificate-authority-file", "", "customer certificate authority file")
 	rootCmd.AddCommand(serviceAccountCmd)
 }
 
@@ -71,6 +88,26 @@ var serviceAccountCmd = &cobra.Command{
 	Use:   "service-account",
 	Short: "generates a pomerium service account from a shared key.",
 	RunE: func(cmd *cobra.Command, args []string) error {
+		l := zerolog.Nop()
+		log.SetLogger(&l)
+
+		dataBrokerURL, err := url.Parse(serviceAccountOptions.dataBrokerURL)
+		if err != nil {
+			return fmt.Errorf("invalid databroker url: %w", err)
+		}
+
+		cc, err := grpc.GetGRPCClientConn("databroker", &grpc.Options{
+			Addr:                    dataBrokerURL,
+			OverrideCertificateName: serviceAccountOptions.overrideCertificateName,
+			CA:                      serviceAccountOptions.ca,
+			CAFile:                  serviceAccountOptions.caFile,
+			WithInsecure:            !strings.HasSuffix(dataBrokerURL.Scheme, "s"),
+		})
+		if err != nil {
+			return fmt.Errorf("error creating databroker connection: %w", err)
+		}
+		defer cc.Close()
+
 		// hydrate our session
 		serviceAccountOptions.serviceAccount.Audience = jwt.Audience(serviceAccountOptions.aud)
 		serviceAccountOptions.serviceAccount.Groups = []string(serviceAccountOptions.groups)
@@ -106,6 +143,19 @@ var serviceAccountCmd = &cobra.Command{
 		if serviceAccountOptions.serviceAccount.Issuer == "" {
 			return errors.New("iss is required")
 		}
+
+		sa := &user.ServiceAccount{
+			Id:        uuid.New().String(),
+			UserId:    serviceAccountOptions.serviceAccount.User,
+			ExpiresAt: timestamppb.New(serviceAccountOptions.serviceAccount.Expiry.Time()),
+			IssuedAt:  timestamppb.Now(),
+		}
+		_, err = user.SetServiceAccount(context.Background(), databroker.NewDataBrokerServiceClient(cc), sa)
+		if err != nil {
+			return fmt.Errorf("error saving service account: %w", err)
+		}
+		serviceAccountOptions.serviceAccount.ID = sa.GetId()
+
 		encoder, err := jws.NewHS256Signer([]byte(sharedKey), serviceAccountOptions.serviceAccount.Issuer)
 		if err != nil {
 			return fmt.Errorf("bad shared key: %w", err)