From 26252f48c413ee8d3ee420403f224abf4457f469 Mon Sep 17 00:00:00 2001
From: hyeon
Date: Mon, 19 Aug 2024 22:47:28 +0900
Subject: [PATCH] Add IAP-adhoc account to issue token easily
---
 .github/workflows/deploy.yml | 4 ++++
 .github/workflows/main.yml | 3 +++
 .github/workflows/synth.yml | 3 +++
 common/shared_stack.py | 1 +
 common/utils/aws.py | 7 +++++--
 worker/worker/issue_tokens.py | 3 ++-
 6 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 74b10356..07cc2292 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -24,6 +24,8 @@ on:
 required: true
 KMS_KEY_ID:
 required: true
+ ADHOC_KEY_ID:
+ required: true
 GOOGLE_CREDENTIAL:
 required: true
 APPLE_CREDENTIAL:
@@ -135,6 +137,7 @@ jobs:
 ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
 HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
 APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
@@ -172,6 +175,7 @@ jobs:
 ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
 HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
 APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0c64ac53..8a8d86e2 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
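Review bot: The secret declared in deploy.yml's `on.workflow_call.secrets` block (first hunk) is named `ADHOC_KEY_ID`, but the two job `env` hunks in the same file read `secrets.ADHOC_KMS_KEY_ID`, main.yml's three call sites pass `ADHOC_KMS_KEY_ID`, and synth.yml declares `ADHOC_KMS_KEY_ID`. A reusable workflow only sees the secrets declared in its own block, so as written the callers do not satisfy the required `ADHOC_KEY_ID`, and even if they did the job would read an undeclared `ADHOC_KMS_KEY_ID` and export an empty key id to the deploy. Rename the declaration to match the rest of the patch: `ADHOC_KMS_KEY_ID:` / `required: true`.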
@@ -43,6 +43,7 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
 APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
@@ -71,6 +72,7 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
 APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
@@ -111,6 +113,7 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 APPLE_CREDENTIAL: ${{ secrets.APPLE_CREDENTIAL }}
 APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
diff --git a/.github/workflows/synth.yml b/.github/workflows/synth.yml
index 8ccc9b90..a7ffb2f1 100644
--- a/.github/workflows/synth.yml
+++ b/.github/workflows/synth.yml
@@ -18,6 +18,8 @@ on:
 required: true
 KMS_KEY_ID:
 required: true
+ ADHOC_KMS_KEY_ID:
+ required: true
 GOOGLE_CREDENTIAL:
 required: true
 APPLE_CREDENTIAL:
@@ -122,6 +124,7 @@ jobs:
 ODIN_GQL_URL: ${{ vars.ODIN_GQL_URL }}
 HEIMDALL_GQL_URL: ${{ vars.HEIMDALL_GQL_URL }}
 KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+ ADHOC_KMS_KEY_ID: ${{ secrets.ADHOC_KMS_KEY_ID }}
 GOOGLE_CREDENTIAL: ${{ secrets.GOOGLE_CREDENTIAL }}
 GOOGLE_PACKAGE_NAME: ${{ vars.GOOGLE_PACKAGE_NAME }}
 APPLE_BUNDLE_ID: ${{ vars.APPLE_BUNDLE_ID }}
diff --git a/common/shared_stack.py b/common/shared_stack.py
index d0571b4e..f5253400 100644
--- a/common/shared_stack.py
+++ b/common/shared_stack.py
@@ -94,6 +94,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 # SecureStrings in Parameter Store
 PARAMETER_LIST = (
 ("KMS_KEY_ID", True),
+ ("ADHOC_KMS_KEY_ID", True),
 ("GOOGLE_CREDENTIAL", True),
 ("APPLE_CREDENTIAL", True),
 ("SEASON_PASS_JWT_SECRET", True),
diff --git a/common/utils/aws.py b/common/utils/aws.py
index 65ee1234..4cc235e4 100644
--- a/common/utils/aws.py
+++ b/common/utils/aws.py
@@ -21,10 +21,13 @@ def fetch_secrets(region: str, secret_arn: str) -> Dict:
 return json.loads(resp["SecretString"])
 
 
-def fetch_kms_key_id(stage: str, region: str) -> Optional[str]:
+def fetch_kms_key_id(stage: str, region: str, adhoc: bool = False) -> Optional[str]:
 client = boto3.client("ssm", region_name=region)
 try:
- return client.get_parameter(Name=f"{stage}_9c_IAP_KMS_KEY_ID", WithDecryption=True)["Parameter"]["Value"]
+ return client.get_parameter(
+ Name=f"{stage}_9c_IAP{'_ADHOC' if adhoc else ''}_KMS_KEY_ID",
+ WithDecryption=True
+ )["Parameter"]["Value"]
 except Exception as e:
 logger.error(e)
 return None
diff --git a/worker/worker/issue_tokens.py b/worker/worker/issue_tokens.py
index 2fc680d4..fd3c919d 100644
--- a/worker/worker/issue_tokens.py
+++ b/worker/worker/issue_tokens.py
@@ -24,6 +24,7 @@
 NONCE = 0
 PLANET_ID = PlanetID.XXX
 GQL_URL = "https://example.com/graphql" # Use Odin/Heimdall GQL host
+USE_ADHOC = True
 # to here
 
 HEADLESS_GQL_JWT_SECRET = fetch_parameter(
@@ -37,7 +38,7 @@ def issue(event, context):
 spec_list = []
 gql = GQL(GQL_URL, HEADLESS_GQL_JWT_SECRET)
 
- account = Account(fetch_kms_key_id(os.environ.get("STAGE"), os.environ.get("REGION_NAME")))
+ account = Account(fetch_kms_key_id(os.environ.get("STAGE"), os.environ.get("REGION_NAME"), adhoc=USE_ADHOC))
 for data in event:
 data = dict(zip(DICT_HEADER, data))
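Review bot: The new `adhoc` flag on `fetch_kms_key_id` is an undocumented positional boolean, and the pre-existing `except Exception` still turns a missing or undecryptable ad-hoc parameter into a bare `None` that the caller then passes straight into `Account(...)`. The only call site in this patch passes it by keyword, so `def fetch_kms_key_id(stage: str, region: str, *, adhoc: bool = False) -> Optional[str]:` looks safe as far as the diff shows, and hoisting the suffix (`suffix = "_ADHOC" if adhoc else ""`) keeps the f-string readable. Add a docstring stating that `adhoc=True` reads the `{stage}_9c_IAP_ADHOC_KMS_KEY_ID` SecureString instead of `{stage}_9c_IAP_KMS_KEY_ID` and that `None` is returned on any failure, and log which parameter failed so a mis-provisioned ad-hoc key is diagnosable: `logger.error("failed to fetch %s: %s", name, e)`.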
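Review bot: `USE_ADHOC = True` makes the ad-hoc account the default for this token-issuing script, so anyone who runs it without editing the `# to here` block signs with the ad-hoc KMS key rather than the main one, and nothing in the hunk says what the flag selects. Default it to the existing behaviour and document the switch: `USE_ADHOC = False  # True: sign with the IAP ad-hoc KMS key ({stage}_9c_IAP_ADHOC_KMS_KEY_ID) instead of the main key`. The `issue` hunk below then passes the flag through unchanged; note that `fetch_kms_key_id` returns `None` on failure, so a missing ad-hoc parameter reaches `Account(None)` there (that function's remaining lines are outside the hunk).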