feat: add flags to force create and/or delete keys

jsiebens · jsiebens · commit 6773f22071de · 2022-09-12T08:53:56.000+02:00
diff --git a/internal/cmd/rotate.go b/internal/cmd/rotate.go
@@ -16,12 +16,16 @@ func checkCommand() *coral.Command {
 	var bucket string
 	var expiryInDays int
 	var renewalWindowInDays int
+	var forceCreate bool
+	var forceDelete bool
 
 	command.Flags().StringVar(&name, "name", sakeyrotator.DefaultName, "")
 	command.Flags().StringVar(&serviceAccountEmail, "service-account", "", "")
 	command.Flags().StringVar(&bucket, "bucket", "", "")
 	command.Flags().IntVar(&expiryInDays, "days", 90, "number of days a key is valid for")
 	command.Flags().IntVar(&renewalWindowInDays, "window", 15, "span of days at the end of the key's validity period in which it should be renewed/rotated")
+	command.Flags().BoolVar(&forceCreate, "force-create", false, "")
+	command.Flags().BoolVar(&forceDelete, "force-delete", false, "")
 
 	_ = command.MarkFlagRequired("service-account")
 	_ = command.MarkFlagRequired("bucket")
@@ -46,7 +50,7 @@ func checkCommand() *coral.Command {
 			logger.Fatal("error creating the rotator", "service_account", serviceAccountEmail, "err", err)
 		}
 
-		if err := rotator.Rotate(ctx, serviceAccountEmail, name, bucket, expiryInDays, renewalWindowInDays); err != nil {
+		if err := rotator.Rotate(ctx, serviceAccountEmail, name, bucket, expiryInDays, renewalWindowInDays, forceCreate, forceDelete); err != nil {
 			logger.Fatal("error rotating keys", "service_account", serviceAccountEmail, "err", err)
 		}
 	}
diff --git a/internal/cmd/server.go b/internal/cmd/server.go
@@ -85,7 +85,7 @@ func NewHandler(rotator *sakeyrotator.Rotator, logger *sakeyrotator.Logger) func
 			return
 		}
 
-		if err := rotator.Rotate(r.Context(), m.ServiceAccountEmail, sakeyrotator.DefaultName, m.BucketName, m.Days, m.RenewalWindow); err != nil {
+		if err := rotator.Rotate(r.Context(), m.ServiceAccountEmail, sakeyrotator.DefaultName, m.BucketName, m.Days, m.RenewalWindow, false, false); err != nil {
 			logger.Error("error rotating service account key",
 				"service_account", m.ServiceAccountEmail,
 				"err", err,
diff --git a/pkg/sakeyrotator/rotator.go b/pkg/sakeyrotator/rotator.go
@@ -44,7 +44,15 @@ func NewRotator(ctx context.Context, logger *Logger) (*Rotator, error) {
 	}, nil
 }
 
-func (r *Rotator) Rotate(ctx context.Context, serviceAccountEmail, name, bucket string, expiryInDays, renewalWindowInDays int) error {
+func (r *Rotator) Rotate(ctx context.Context,
+	serviceAccountEmail,
+	name,
+	bucket string,
+	expiryInDays,
+	renewalWindowInDays int,
+	forceCreate,
+	forceDelete bool) error {
+
 	r.logger.Info("checking keys for service account", "service_account", serviceAccountEmail)
 
 	resource := "projects/-/serviceAccounts/" + serviceAccountEmail
@@ -79,28 +87,33 @@ func (r *Rotator) Rotate(ctx context.Context, serviceAccountEmail, name, bucket
 	for _, k := range userManagedKeys.Keys {
 		id := strings.Split(k.Name, "/")[5]
 		cn := commonNames[id]
-		if cn != name {
-			continue
-		}
 
 		validBefore, err := time.Parse(time.RFC3339, k.ValidBeforeTime)
 		if err != nil {
 			return err
 		}
 
+		if (forceDelete && cn == name) || now.After(validBefore) {
+			keysToRemove = append(keysToRemove, k.Name)
+		}
+
+		if cn != name {
+			continue
+		}
+
 		pivotDate := validBefore.AddDate(0, 0, -renewalWindowInDays)
 
 		if now.Before(pivotDate) {
 			createNewKey = false
 		}
-
-		if now.After(validBefore) {
-			keysToRemove = append(keysToRemove, k.Name)
-		}
 	}
 
-	if createNewKey {
-		r.logger.Info("current key is about to expire, uploading a new one", "service_account", serviceAccountEmail)
+	if forceCreate || createNewKey {
+		if forceCreate {
+			r.logger.Info("creating and uploading a new key (forced)", "service_account", serviceAccountEmail)
+		} else {
+			r.logger.Info("current key is about to expire, uploading a new one", "service_account", serviceAccountEmail)
+		}
 		if err := r.uploadNewKey(ctx, account, name, bucket, notBefore, notAfter); err != nil {
 			return err
 		}
@@ -110,7 +123,11 @@ func (r *Rotator) Rotate(ctx context.Context, serviceAccountEmail, name, bucket
 		if _, err := r.iamService.Projects.ServiceAccounts.Keys.Delete(k).Context(ctx).Do(); err != nil {
 			r.logger.Warn("failed to delete expired key", "service_account", serviceAccountEmail, "key_id", k, "err", err)
 		}
-		r.logger.Info("deleted expired key", "service_account", serviceAccountEmail, "key_id", k)
+		if forceDelete {
+			r.logger.Info("deleted existing key (forced)", "service_account", serviceAccountEmail, "key_id", k)
+		} else {
+			r.logger.Info("deleted expired key", "service_account", serviceAccountEmail, "key_id", k)
+		}
 	}
 
 	if !createNewKey && len(keysToRemove) == 0 {

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ func NewHandler(rotator sakeyrotator.Rotator, logger sakeyrotator.Logger) func`
`85`	`85`	`return`
`86`	`86`	`}`
`87`	`87`
`88`		`- if err := rotator.Rotate(r.Context(), m.ServiceAccountEmail, sakeyrotator.DefaultName, m.BucketName, m.Days, m.RenewalWindow); err != nil {`
	`88`	`+ if err := rotator.Rotate(r.Context(), m.ServiceAccountEmail, sakeyrotator.DefaultName, m.BucketName, m.Days, m.RenewalWindow, false, false); err != nil {`
`89`	`89`	`logger.Error("error rotating service account key",`
`90`	`90`	`"service_account", m.ServiceAccountEmail,`
`91`	`91`	`"err", err,`