/lib/google_api/cloud_platform/client.rb
Ruby | 224 lines | 174 code | 45 blank | 5 comment | 2 complexity | f69dfab99eaf1ffabb42c9d45529f5be MD5 | raw file
- # frozen_string_literal: true
- require 'securerandom'
- require 'google/apis/compute_v1'
- require 'google/apis/container_v1'
- require 'google/apis/container_v1beta1'
- require 'google/apis/cloudbilling_v1'
- require 'google/apis/cloudresourcemanager_v1'
- require 'google/apis/iam_v1'
- require 'google/apis/serviceusage_v1'
- module GoogleApi
- module CloudPlatform
- class Client < GoogleApi::Auth
- SCOPE = 'https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/service.management'
- LEAST_TOKEN_LIFE_TIME = 10.minutes
- CLUSTER_MASTER_AUTH_USERNAME = 'admin'
- CLUSTER_IPV4_CIDR_BLOCK = '/16'
- CLUSTER_OAUTH_SCOPES = [
- "https://www.googleapis.com/auth/devstorage.read_only",
- "https://www.googleapis.com/auth/logging.write",
- "https://www.googleapis.com/auth/monitoring"
- ].freeze
- ROLES_LIST = %w[roles/iam.serviceAccountUser roles/artifactregistry.admin roles/cloudbuild.builds.builder roles/run.admin roles/storage.admin roles/cloudsql.admin roles/browser].freeze
- REVOKE_URL = 'https://oauth2.googleapis.com/revoke'
- class << self
- def session_key_for_token
- :cloud_platform_access_token
- end
- def session_key_for_expires_at
- :cloud_platform_expires_at
- end
- def new_session_key_for_redirect_uri
- SecureRandom.hex.tap do |state|
- yield session_key_for_redirect_uri(state)
- end
- end
- def session_key_for_redirect_uri(state)
- "cloud_platform_second_redirect_uri_#{state}"
- end
- end
- def scope
- SCOPE
- end
- def validate_token(expires_at)
- return false unless access_token
- return false unless expires_at
- # Making sure that the token will have been still alive during the cluster creation.
- return false if token_life_time(expires_at) < LEAST_TOKEN_LIFE_TIME
- true
- end
- def projects_zones_clusters_get(project_id, zone, cluster_id)
- service = Google::Apis::ContainerV1::ContainerService.new
- service.authorization = access_token
- service.get_zone_cluster(project_id, zone, cluster_id, options: user_agent_header)
- end
- def projects_zones_clusters_create(project_id, zone, cluster_name, cluster_size, machine_type:, legacy_abac:, enable_addons: [])
- service = Google::Apis::ContainerV1beta1::ContainerService.new
- service.authorization = access_token
- cluster_options = make_cluster_options(cluster_name, cluster_size, machine_type, legacy_abac, enable_addons)
- request_body = Google::Apis::ContainerV1beta1::CreateClusterRequest.new(**cluster_options)
- service.create_cluster(project_id, zone, request_body, options: user_agent_header)
- end
- def projects_zones_operations(project_id, zone, operation_id)
- service = Google::Apis::ContainerV1::ContainerService.new
- service.authorization = access_token
- service.get_zone_operation(project_id, zone, operation_id, options: user_agent_header)
- end
- def parse_operation_id(self_link)
- m = self_link.match(%r{projects/.*/zones/.*/operations/(.*)})
- m[1] if m
- end
- def list_projects
- result = []
- response = cloud_resource_manager_service.fetch_all(items: :projects) do |token|
- cloud_resource_manager_service.list_projects
- end
- # Google API results are paged by default, so we need to iterate through
- response.each do |project|
- result.append(project)
- end
- result
- end
- def create_service_account(gcp_project_id, display_name, description)
- name = "projects/#{gcp_project_id}"
- # initialize google iam service
- service = Google::Apis::IamV1::IamService.new
- service.authorization = access_token
- # generate account id
- random_account_id = "gitlab-" + SecureRandom.hex(11)
- body_params = { account_id: random_account_id,
- service_account: { display_name: display_name,
- description: description } }
- request_body = Google::Apis::IamV1::CreateServiceAccountRequest.new(**body_params)
- service.create_service_account(name, request_body)
- end
- def create_service_account_key(gcp_project_id, service_account_id)
- service = Google::Apis::IamV1::IamService.new
- service.authorization = access_token
- name = "projects/#{gcp_project_id}/serviceAccounts/#{service_account_id}"
- request_body = Google::Apis::IamV1::CreateServiceAccountKeyRequest.new
- service.create_service_account_key(name, request_body)
- end
- def grant_service_account_roles(gcp_project_id, email)
- body = policy_request_body(gcp_project_id, email)
- cloud_resource_manager_service.set_project_iam_policy(gcp_project_id, body)
- end
- def enable_cloud_run(gcp_project_id)
- enable_service(gcp_project_id, 'run.googleapis.com')
- end
- def enable_artifacts_registry(gcp_project_id)
- enable_service(gcp_project_id, 'artifactregistry.googleapis.com')
- end
- def enable_cloud_build(gcp_project_id)
- enable_service(gcp_project_id, 'cloudbuild.googleapis.com')
- end
- def revoke_authorizations
- uri = URI(REVOKE_URL)
- Gitlab::HTTP.post(uri, body: { 'token' => access_token })
- end
- private
- def enable_service(gcp_project_id, service_name)
- name = "projects/#{gcp_project_id}/services/#{service_name}"
- service = Google::Apis::ServiceusageV1::ServiceUsageService.new
- service.authorization = access_token
- service.enable_service(name)
- end
- def make_cluster_options(cluster_name, cluster_size, machine_type, legacy_abac, enable_addons)
- {
- cluster: {
- name: cluster_name,
- initial_node_count: cluster_size,
- node_config: {
- machine_type: machine_type,
- oauth_scopes: CLUSTER_OAUTH_SCOPES
- },
- master_auth: {
- client_certificate_config: {
- issue_client_certificate: true
- }
- },
- legacy_abac: {
- enabled: legacy_abac
- },
- ip_allocation_policy: {
- use_ip_aliases: true,
- cluster_ipv4_cidr_block: CLUSTER_IPV4_CIDR_BLOCK
- },
- addons_config: make_addons_config(enable_addons)
- }
- }
- end
- def make_addons_config(enable_addons)
- enable_addons.each_with_object({}) do |addon, hash|
- hash[addon] = { disabled: false }
- end
- end
- def token_life_time(expires_at)
- DateTime.strptime(expires_at, '%s').to_time.utc - Time.now.utc
- end
- def user_agent_header
- Google::Apis::RequestOptions.new.tap do |options|
- options.header = { 'User-Agent': "GitLab/#{Gitlab::VERSION.match('(\d+\.\d+)').captures.first} (GPN:GitLab;)" }
- end
- end
- def policy_request_body(gcp_project_id, email)
- policy = cloud_resource_manager_service.get_project_iam_policy(gcp_project_id)
- policy.bindings = policy.bindings + additional_policy_bindings("serviceAccount:#{email}")
- Google::Apis::CloudresourcemanagerV1::SetIamPolicyRequest.new(policy: policy)
- end
- def additional_policy_bindings(member)
- ROLES_LIST.map do |role|
- Google::Apis::CloudresourcemanagerV1::Binding.new(role: role, members: [member])
- end
- end
- def cloud_resource_manager_service
- @gpc_service ||= Google::Apis::CloudresourcemanagerV1::CloudResourceManagerService.new.tap { |s| s.authorization = access_token }
- end
- end
- end
- end