Merge branch 'master' into release-v4.2.0

.travis.yml

@@ -1,3 +1,9 @@
 language: go
 go: "1.10"
 
+services:
+  - docker
+
+script:
+  - go test -v ./... -tags=service_broker
+  - docker build -t gcp-service-broker .

Dockerfile

@@ -0,0 +1,27 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     https://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.11-alpine AS build
+
+WORKDIR /go/src/github.com/GoogleCloudPlatform/gcp-service-broker
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o /bin/gcp-service-broker
+
+FROM scratch
+COPY --from=build /go/src/github.com/GoogleCloudPlatform/gcp-service-broker /src
+COPY --from=build /bin/gcp-service-broker /bin/gcp-service-broker
+
+ENTRYPOINT ["/bin/gcp-service-broker"]
+CMD ["help"]

Gopkg.toml

@@ -1,6 +1,8 @@
 # Refer to https://golang.github.io/dep/docs/Gopkg.toml.html
 # for detailed Gopkg.toml documentation.
 
+ignored = ["github.com/GoogleCloudPlatform/gcp-service-broker/tools/osdfgen*"]
+
 [[constraint]]
   branch = "master"
   name = "code.cloudfoundry.org/lager"
@@ -13,14 +15,6 @@
   name = "github.com/jinzhu/gorm"
   version = "1.9.0"
 
-[[constraint]]
-  name = "github.com/onsi/ginkgo"
-  version = "~1.2.0"
-
-[[constraint]]
-  name = "github.com/onsi/gomega"
-  version = "~1.0.0"
-
 [[constraint]]
   name = "github.com/pivotal-cf/brokerapi"
   version = "2.0.4"

README.md

@@ -54,21 +54,14 @@ It supports the following sub-commands:
  * `config` - Show and merge configuration options together.
  * `generate` - Generate documentation and tiles.
  * `help` - Help about any command.
- * `migrate` - Upgrade your database (you generally won't need this because the databases auto-upgrade).
- * `plan-info` - Dump plan information from the database.
  * `serve` - Start the service broker.
- * `show` - Show info about the provisioned resources.
 
 ## Testing
 
-Production testing for the GCP Service Broker is administered via a private Concourse pipeline.
-
-To run tests locally, use [Ginkgo](https://onsi.github.io/ginkgo/).
-
-Integration tests require the `ROOT_SERVICE_ACCOUNT_JSON` environment variable to be set.
-
-**Note: Integration tests create and destroy real project resources and therefore have associated costs to run**
+Pull requests are unit-tested with Travis. You can run the same tests Travis does using `go test ./...`.
 
+Integration tests are run on a private [Concourse](https://concourse-ci.org/) pipeline for all changes to the `master` branch.
+You can set up your own pipeline using the sources in the `ci` directory if you like.
 
 ## Support
 

brokerapi/brokers/account_managers/service_account_manager.go

@@ -18,16 +18,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
 	"time"
 
 	"code.cloudfoundry.org/lager"
 	"github.com/GoogleCloudPlatform/gcp-service-broker/brokerapi/brokers/models"
 	"github.com/GoogleCloudPlatform/gcp-service-broker/pkg/broker"
 	"github.com/GoogleCloudPlatform/gcp-service-broker/pkg/validation"
 	"github.com/GoogleCloudPlatform/gcp-service-broker/pkg/varcontext"
-	"github.com/GoogleCloudPlatform/gcp-service-broker/utils"
-	"github.com/spf13/viper"
 
 	"golang.org/x/net/context"
 	"golang.org/x/oauth2/jwt"
@@ -37,12 +34,9 @@ import (
 )
 
 const (
-	roleResourcePrefix     = "roles/"
-	saResourcePrefix       = "serviceAccount:"
-	projectResourcePrefix  = "projects/"
-	overridableBindMessage = `The role for the account without the "roles/" prefix.
-	See: https://cloud.google.com/iam/docs/understanding-roles for more details.
-	Note: The default enumeration may be overridden by your operator.`
+	roleResourcePrefix    = "roles/"
+	saResourcePrefix      = "serviceAccount:"
+	projectResourcePrefix = "projects/"
 )
 
 type ServiceAccountManager struct {
@@ -207,34 +201,7 @@ type ServiceAccountInfo struct {
 	PrivateKeyData string `json:"PrivateKeyData"`
 }
 
-// ServiceAccountBindInputVariables holds overridable whitelists with default values.
-// This function SHOULD NOT be used for new services.
-func ServiceAccountBindInputVariables(serviceName string, defaultWhitelist []string, defaultRole string) []broker.BrokerVariable {
-	whitelist := roleWhitelist(serviceName, defaultWhitelist)
-	whitelistEnum := make(map[interface{}]string)
-	for _, val := range whitelist {
-		whitelistEnum[val] = roleResourcePrefix + val
-	}
-
-	var realDefault interface{} = nil
-	if whitelistEnum[defaultRole] != "" {
-		realDefault = defaultRole
-	}
-
-	return []broker.BrokerVariable{
-		{
-			Required:  realDefault == nil,
-			FieldName: "role",
-			Type:      broker.JsonTypeString,
-			Details:   overridableBindMessage,
-			Default:   realDefault,
-			Enum:      whitelistEnum,
-		},
-	}
-}
-
 // ServiceAccountWhitelistWithDefault holds non-overridable whitelists with default values.
-// This function SHOULD be used for new services over ServiceAccountBindInputVariables.
 func ServiceAccountWhitelistWithDefault(whitelist []string, defaultValue string) []broker.BrokerVariable {
 	whitelistEnum := make(map[interface{}]string)
 	for _, val := range whitelist {
@@ -323,25 +290,3 @@ func ServiceAccountBindOutputVariables() []broker.BrokerVariable {
 		},
 	}
 }
-
-func whitelistAllows(whitelist []string, role string) bool {
-	return utils.NewStringSet(whitelist...).Contains(role)
-}
-
-// RoleWhitelistProperty computes the Viper property name for the boolean the user
-// can set to enable or disable the role whitelist.
-func RoleWhitelistProperty(serviceName string) string {
-	return fmt.Sprintf("service.%s.whitelist", serviceName)
-}
-
-// roleWhitelist returns the whitelist of roles the operator has allowed or the
-// default if it is blank.
-func roleWhitelist(serviceName string, defaultRoleWhitelist []string) []string {
-	rawWhitelist := viper.GetString(RoleWhitelistProperty(serviceName))
-	wl := strings.Split(rawWhitelist, ",")
-	if strings.TrimSpace(rawWhitelist) != "" {
-		return wl
-	}
-
-	return defaultRoleWhitelist
-}

brokerapi/brokers/account_managers/service_account_manager_test.go

@@ -15,72 +15,17 @@
 package account_managers
 
 import (
-	"fmt"
 	"reflect"
 	"testing"
 
 	"github.com/GoogleCloudPlatform/gcp-service-broker/pkg/broker"
-	"github.com/spf13/viper"
 )
 
-func TestWhitelistAllows(t *testing.T) {
-	cases := map[string]struct {
-		Whitelist []string
-		Role      string
-		Expected  bool
-	}{
-		"Empty Whitelist": {
-			Whitelist: []string{},
-			Role:      "test",
-			Expected:  false,
-		},
-		"Contained": {
-			Whitelist: []string{"foo", "bar", "bazz"},
-			Role:      "bar",
-			Expected:  true,
-		},
-		"Not Contained": {
-			Whitelist: []string{"foo", "bar", "bazz"},
-			Role:      "bazzz",
-			Expected:  false,
-		},
-	}
-
-	for name, testcase := range cases {
-		actual := whitelistAllows(testcase.Whitelist, testcase.Role)
-		if actual != testcase.Expected {
-			t.Errorf("%s) test failed expected? %v actual: %v, test: %#v", name, testcase.Expected, actual, testcase)
-		}
-	}
-}
-
-func ExampleRoleWhitelistProperty() {
-	serviceName := "left-handed-smoke-sifter"
-
-	fmt.Println(RoleWhitelistProperty(serviceName))
-
-	// Output: service.left-handed-smoke-sifter.whitelist
-}
-
-func ExampleroleWhitelist() {
-	serviceName := "my-service"
-	defaultRoleWhitelist := []string{"a", "b", "c"}
-
-	viper.Set(RoleWhitelistProperty(serviceName), "")
-	fmt.Println(roleWhitelist(serviceName, defaultRoleWhitelist))
-
-	viper.Set(RoleWhitelistProperty(serviceName), "x,y,z")
-	fmt.Println(roleWhitelist(serviceName, defaultRoleWhitelist))
-
-	// Output: [a b c]
-	// [x y z]
-}
-
-func TestServiceAccountBindInputVariables(t *testing.T) {
+func TestServiceAccountWhitelistWithDefault(t *testing.T) {
+	details := `The role for the account without the "roles/" prefix. See: https://cloud.google.com/iam/docs/understanding-roles for more details.`
 
 	cases := map[string]struct {
 		Whitelist   []string
-		Override    string
 		DefaultRole string
 		Expected    broker.BrokerVariable
 	}{
@@ -90,7 +35,7 @@ func TestServiceAccountBindInputVariables(t *testing.T) {
 			Expected: broker.BrokerVariable{
 				FieldName: "role",
 				Type:      broker.JsonTypeString,
-				Details:   overridableBindMessage,
+				Details:   details,
 
 				Required: false,
 				Default:  "foo",
@@ -104,43 +49,25 @@ func TestServiceAccountBindInputVariables(t *testing.T) {
 			Expected: broker.BrokerVariable{
 				FieldName: "role",
 				Type:      broker.JsonTypeString,
-				Details:   overridableBindMessage,
+				Details:   details,
 
-				Required: true,
-				Default:  nil,
+				Required: false,
+				Default:  "test",
 				Enum:     map[interface{}]string{"foo": "roles/foo"},
 			},
 		},
-
-		"default not in override whitelist": {
-			Whitelist:   []string{"foo"},
-			Override:    "bar,bazz",
-			DefaultRole: "foo",
-			Expected: broker.BrokerVariable{
-				FieldName: "role",
-				Type:      broker.JsonTypeString,
-				Details:   overridableBindMessage,
-
-				Required: true,
-				Default:  nil,
-				Enum:     map[interface{}]string{"bar": "roles/bar", "bazz": "roles/bazz"},
-			},
-		},
 	}
 
 	for tn, tc := range cases {
 		t.Run(tn, func(t *testing.T) {
-			viper.Set(RoleWhitelistProperty("my-service"), tc.Override)
-			vars := ServiceAccountBindInputVariables("my-service", tc.Whitelist, tc.DefaultRole)
+			vars := ServiceAccountWhitelistWithDefault(tc.Whitelist, tc.DefaultRole)
 			if len(vars) != 1 {
 				t.Fatalf("Expected 1 input variable, got %d", len(vars))
 			}
 
 			if !reflect.DeepEqual(vars[0], tc.Expected) {
 				t.Fatalf("Expected %#v, got %#v", tc.Expected, vars[0])
-
 			}
 		})
-
 	}
 }