# frozen_string_literal: true
module Clusters
  module Aws
    # Authorizes a user's AWS provisioning role.
    #
    # The caller-supplied role ARN and region are written to the user's
    # `::Aws::Role` record, after which temporary credentials are obtained
    # for that role via `FetchCredentialsService`. Every exception listed in
    # ERRORS is reported to error tracking and converted into an
    # `:unprocessable_entity` Response; anything else propagates.
    class AuthorizeRoleService
      attr_reader :user

      # Result value: `status` is `:ok` or `:unprocessable_entity`; `body` is
      # the fetched credentials on success, or a `{ message: ... }` hash on
      # failure.
      Response = Struct.new(:status, :body)

      # Exceptions that #execute turns into an error Response instead of
      # raising. Order is irrelevant here; #response_details decides the
      # user-facing message.
      ERRORS = [
        ActiveRecord::RecordInvalid,
        ActiveRecord::RecordNotFound,
        Clusters::Aws::FetchCredentialsService::MissingRoleError,
        ::Aws::Errors::MissingCredentialsError,
        ::Aws::STS::Errors::ServiceError
      ].freeze

      # @param user [User] the user whose AWS role is being authorized
      # @param params [#[]] request parameters; only `:role_arn` and
      #   `:region` are read (validation of their values is left to the
      #   `::Aws::Role` model, whose RecordInvalid is rescued in #execute)
      def initialize(user, params:)
        @user = user
        @role_arn = params[:role_arn]
        @region = params[:region]
      end

      # Runs the authorization flow.
      #
      # @return [Response] `:ok` with credentials, or `:unprocessable_entity`
      #   with a details hash describing the failure
      def execute
        ensure_role_exists!
        update_role_arn!

        Response.new(:ok, credentials)
      rescue *ERRORS => e
        # Report first so the failure is visible to operators even though it
        # is returned to the caller as a normal error response.
        Gitlab::ErrorTracking.track_exception(e)

        Response.new(:unprocessable_entity, response_details(e))
      end

      private

      attr_reader :role, :role_arn, :region

      # Loads the user's role record; the bang finder raises
      # ActiveRecord::RecordNotFound when none exists, which #execute maps to
      # an error Response.
      def ensure_role_exists!
        @role = ::Aws::Role.find_by_user_id!(user.id)
      end

      # Persists the caller-supplied ARN and region; model validation failures
      # surface as ActiveRecord::RecordInvalid.
      def update_role_arn!
        role.update!(role_arn: role_arn, region: region)
      end

      # Temporary credentials for the stored role.
      def credentials
        Clusters::Aws::FetchCredentialsService.new(role).execute
      end

      # Builds the body of an error Response.
      #
      # @param exception [StandardError] one of the ERRORS classes
      # @return [Hash] `{ message: String }`
      def response_details(exception)
        { message: error_message_for(exception) }.compact
      end

      # Maps a rescued exception to a user-facing message.
      #
      # Note that for STS errors and RecordInvalid the underlying
      # `exception.message` is returned verbatim to the caller; the more
      # specific AccessDenied branch must stay ahead of its ServiceError
      # parent for `case` to pick it.
      #
      # @param exception [StandardError]
      # @return [String]
      def error_message_for(exception)
        case exception
        when ::Aws::STS::Errors::AccessDenied
          format(_("Access denied: %{error}"), error: exception.message)
        when ::Aws::STS::Errors::ServiceError
          format(_("AWS service error: %{error}"), error: exception.message)
        when ActiveRecord::RecordNotFound
          _("Error: Unable to find AWS role for current user")
        when ActiveRecord::RecordInvalid
          exception.message
        when Clusters::Aws::FetchCredentialsService::MissingRoleError
          _("Error: No AWS provision role found for user")
        when ::Aws::Errors::MissingCredentialsError
          _("Error: No AWS credentials were supplied")
        else
          _('An error occurred while authorizing your role')
        end
      end
    end
  end
end