From 9dcc3c21ed502f776e9547c8049a817ed2ae00c8 Mon Sep 17 00:00:00 2001
From: Laura Seidler
Date: Thu, 16 Feb 2023 14:54:33 +0100
Subject: [PATCH] Output namespace and KSA explicitly for Workload Identity Users

To make misconfigurations where e.g. namespace and KSA might be switched easier to spot.
---
 src/gsa.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/gsa.py b/src/gsa.py
index 0bd1021..23b804f 100644
--- a/src/gsa.py
+++ b/src/gsa.py
@@ -6,6 +6,19 @@
 logger = logging.getLogger()
+
+def format_wi_user(user):
+ try:
+ match = re.search(r'\[([\w-]+/[\w-]+)\]$', user)
+ except TypeError:
+ match = None
+ if match:
+ namespace, ksa = match.group(1).split('/')
+ return '%s (Namespace: %s, KSA: %s)' % (user, namespace, ksa)
+ else:
+ return '%s (Namespace and KSA could not be determined - wrong binding?)' % user
+
+
 class GsaProject(object):
 """This class represents a GCP Project in which a GSA resides"""
@@ -41,7 +54,7 @@ def print_info(self):
 if self.gsa:
 logger.info('Google Service Account: "%s"' % self.gsa_link)
 logger.info('Has the following Workload Identity Users:\n%s' %
- '\n'.join(self.wi_users))
+ '\n'.join(map(format_wi_user, self.wi_users)))
 else:
 logger.info('Google Service Account information could '
 'not be determined, fix previous issues')
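Review bot: The pattern in `format_wi_user` accepts only `[\w-]+` for the service-account part, but Kubernetes ServiceAccount names are DNS subdomain names and may contain dots, so a valid member such as the constructed example `serviceAccount:PROJECT_ID.svc.id.goog[team-a/build.bot]` would be reported as "could not be determined - wrong binding?". In a tool meant to surface misconfigured bindings that is a false alarm on a correct one; allowing the dot avoids it: `match = re.search(r'\[([\w-]+/[\w.-]+)\]$', user)`. The check also looks only at the bracketed suffix, so any member string that merely ends in `[x/y]` is labelled as if it were a well-formed Workload Identity user; also checking that the member starts with `serviceAccount:` and carries the `.svc.id.goog` pool suffix before the bracket would catch that. The patch adds no `import re` and the file's import block lies outside the hunk, so confirm `re` is already imported in `src/gsa.py`, since a `NameError` here is not covered by `except TypeError`.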