Add support for client cert credential type #20425
@@ -121,6 +121,7 @@ func newUserReqToProto(req NewUserRequest) (*proto.NewUserRequest, error) { | |||
CredentialType: int32(req.CredentialType), | |||
Password: req.Password, | |||
PublicKey: req.PublicKey, | |||
Subject: req.Subject, |
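Review bot: only the request-to-proto direction gains the new field here (`Subject: req.Subject`); please confirm the matching proto-to-request conversion and the `.proto` message definition carry `Subject` as well, otherwise a subject set by the caller is silently dropped whenever the database plugin runs out of process, which is exactly the kind of external-plugin mismatch the manual MongoDB Atlas test suggested in this thread would surface.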
Wanted to note that we should manually test running the mongodb atlas plugin as an external plugin before merging this. I remember hitting some non-obvious errors when introducing new fields for the snowflake keypair credential type. Happy to help with this!
Looks good! Thank you both @austingebauer and @Zlaticanin for the walk through on the call :)
Just a minor comment about testing for specific errors, but ✅
t.Run(tt.name, func(t *testing.T) { | ||
got, err := newClientCertificateGenerator(tt.args.config) | ||
if tt.wantErr { | ||
assert.Error(t, err) |
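Review bot: `assert.Error(t, err)` on the `wantErr` path accepts any error, so a table case that fails for an unrelated reason (a nil field, a mistyped config key) still passes; asserting on the expected error, for example with `assert.EqualError` or `assert.ErrorContains`, ties each case to the specific validation in `newClientCertificateGenerator` it is meant to exercise. If the closure goes on to use `got`, it should also `return` after that assertion so the error path never touches a nil generator.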
nit: It would be good to be specific about the exact error instead of just the presence of an error.
Looks great! Had 1 nit about potentially adding a test, but LGTM otherwise. Great work! 🎉
return cg, nil | ||
} | ||
|
||
func (cg *ClientCertificateGenerator) generate(r io.Reader, expiration time.Time, userMeta dbplugin.UsernameMetadata) (*certutil.CertBundle, string, error) { |
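Review bot: `generate` takes its entropy as `r io.Reader`, which is the right shape for testability, but the signature carries no doc comment in this hunk stating that the reader must be a CSPRNG (`crypto/rand.Reader`) because it seeds the private key and, presumably, the serial number; a one-line comment stops a future caller from passing something weaker. Injecting a deterministic reader through that same parameter is also the simplest way to write the unit test requested in this thread, since the returned bundle then becomes reproducible.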
nit: is it possible to write a test for this? Understand if it is hard to do with the SDK 🙏🏼
I'll create a separate task for this, it will require some more time
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
LGTM. Great job, @MilenaHC 🚀
This PR adds functionality to the `ClientCertificateGenerator` struct. Specifically, the `newClientCertificateGenerator` and `generate` methods have been implemented. These methods use a given configuration and an expiration date to create a client certificate. The `newClientCertificateGenerator` method sets default values if they are not provided in the configuration and validates the input parameters. The `generate` method generates the certificate using the configuration and the expiration date. More details in the RFC here.
Dynamic Role Usage:
PR on MongoDB Atlas Secrets Engine: hashicorp/vault-plugin-database-mongodbatlas#52
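The generator the description outlines, as an added Go example that is not the project's code: it takes an entropy reader, an expiration and a username, defaults the curve when the configuration leaves it unset, validates the input, and issues a client-auth-only leaf signed by a caller-supplied CA. The function name, its parameters and the CA-signing arrangement are assumptions, not the plugin's API.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"io"
	"math/big"
	"time"
)
// generate issues a client-auth-only leaf certificate for username, signed by ca/caKey and valid until expiration;
// curve defaults to P-256 when nil (hypothetical config default). r must be a CSPRNG (crypto/rand.Reader) outside tests.
func generate(r io.Reader, curve elliptic.Curve, expiration time.Time, username string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (certPEM, keyPEM []byte, err error) {
	if curve == nil {
		curve = elliptic.P256()
	}
	if username == "" || !expiration.After(time.Now()) {
		return nil, nil, errors.New("username is required and expiration must be in the future")
	}
	key, err := ecdsa.GenerateKey(curve, r) // r seeds the private key
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(r, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial, also from r
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: username},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              expiration,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // usable for client auth only
		BasicConstraintsValid: true,                                            // IsCA stays false: cannot issue further certs
	}
	der, err := x509.CreateCertificate(r, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}
```

The returned PEM pair is what a bundle like `certutil.CertBundle` would carry; a verifier should pin the CA and require the client-auth extended key usage when checking the leaf.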