GetDeploymentCredentials returns runtime info and a JWT on behalf of a specific user, or alternatively for a raw set of JWT attributes. The caller must hold ManageProd on the project, or be a superuser explicitly requesting force access; the requested TTL (when non-zero) is used as given, with no upper bound enforced in this function.
(ctx context.Context, req *adminv1.GetDeploymentCredentialsRequest)
| 505 | |
| 506 | // GetDeploymentCredentials returns runtime info and JWT on behalf of a specific user, or alternatively for a raw set of JWT attributes |
| 507 | func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetDeploymentCredentialsRequest) (*adminv1.GetDeploymentCredentialsResponse, error) { |
| 508 | observability.AddRequestAttributes(ctx, |
| 509 | attribute.String("args.organization", req.Org), |
| 510 | attribute.String("args.project", req.Project), |
| 511 | attribute.String("args.branch", req.Branch), |
| 512 | attribute.String("args.ttl_seconds", strconv.FormatUint(uint64(req.TtlSeconds), 10)), |
| 513 | ) |
| 514 | |
| 515 | proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project) |
| 516 | if err != nil { |
| 517 | return nil, err |
| 518 | } |
| 519 | |
| 520 | if proj.PrimaryDeploymentID == nil { |
| 521 | return nil, status.Error(codes.FailedPrecondition, "project does not have a deployment") |
| 522 | } |
| 523 | |
| 524 | prodDepl, err := s.admin.DB.FindDeployment(ctx, *proj.PrimaryDeploymentID) |
| 525 | if err != nil { |
| 526 | return nil, err |
| 527 | } |
| 528 | |
| 529 | if req.Branch != "" && req.Branch != prodDepl.Branch { |
| 530 | return nil, status.Error(codes.FailedPrecondition, "project does not have a deployment for given branch") |
| 531 | } |
| 532 | |
| 533 | claims := auth.GetClaims(ctx) |
| 534 | forceAccess := claims.Superuser(ctx) && req.SuperuserForceAccess |
| 535 | permissions := claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID) |
| 536 | |
| 537 | if !forceAccess && !permissions.ManageProd { |
| 538 | return nil, status.Error(codes.PermissionDenied, "does not have permission to manage deployment") |
| 539 | } |
| 540 | |
| 541 | ttlDuration := runtimeAccessTokenEmbedTTL |
| 542 | if req.TtlSeconds > 0 { |
| 543 | ttlDuration = time.Duration(req.TtlSeconds) * time.Second |
| 544 | } |
| 545 | |
| 546 | opts := &issueRuntimeTokenOptions{ |
| 547 | project: proj, |
| 548 | deployment: prodDepl, |
| 549 | projectPermissions: permissions, |
| 550 | externalUserID: req.ExternalUserId, |
| 551 | ttl: ttlDuration, |
| 552 | } |
| 553 | switch forVal := req.For.(type) { |
| 554 | case nil: |
| 555 | if req.ExternalUserId == "" { |
| 556 | opts.forOwner = true |
| 557 | } |
| 558 | case *adminv1.GetDeploymentCredentialsRequest_UserId: |
| 559 | opts.forUserID = forVal.UserId |
| 560 | case *adminv1.GetDeploymentCredentialsRequest_UserEmail: |
| 561 | opts.forUserEmail = forVal.UserEmail |
| 562 | case *adminv1.GetDeploymentCredentialsRequest_Attributes: |
| 563 | opts.forUserAttributes = forVal.Attributes.AsMap() |
| 564 | default: |