cmd

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 10, 2024 License: AGPL-3.0 Imports: 42 Imported by: 0

Documentation

Overview

Copyright © 2024 NAME HERE <EMAIL ADDRESS>

Copyright (c) 2024 VITObelgium

This file was inspired by https://github.com/minio/minio/blob/master/cmd/sts-handlers.go which has the following copyright notic:

Copyright (c) 2015-2021 MinIO, Inc.

That file was part of MinIO Object Storage stack

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

Index

Constants

View Source 
const (
	// AmzSecurityTokenKey indicates the security token to be used with temporary credentials
	AmzSecurityTokenKey = "X-Amz-Security-Token"

	// EmptyStringSHA256 is the hex encoded sha256 value of an empty string
	EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`

	// AmzAlgorithmKey indicates the signing algorithm
	AmzAlgorithmKey = "X-Amz-Algorithm"

	// AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD'T'HHMMSS'Z'
	AmzDateKey = "X-Amz-Date"

	//AmzExpiresKey is how long the url is valid for in seconds since X-Amz-Date(AmzDateKey)
	AmzExpiresKey = "X-Amz-Expires"

	// AmzCredentialKey is the access key ID and credential scope
	AmzCredentialKey = "X-Amz-Credential"

	// AmzSignedHeadersKey is the set of headers signed for the request
	AmzSignedHeadersKey = "X-Amz-SignedHeaders"

	// AmzSignatureKey is the query parameter to store the SigV4 signature
	AmzSignatureKey = "X-Amz-Signature"

	// TimeFormat is the time format to be used in the X-Amz-Date header or query parameter
	TimeFormat = "20060102T150405Z"
)

The AWS SDK does not seem to provide packages that export these constants :(

View Source 
const (

	//Environment variables are upper cased
	//Unless they are wellknown environment variables they should be prefixed
	AWS_ACCESS_KEY_ID                     = "AWS_ACCESS_KEY_ID"
	AWS_SECRET_ACCESS_KEY                 = "AWS_SECRET_ACCESS_KEY"
	FAKES3PP_S3_PROXY_FQDN                = "FAKES3PP_S3_PROXY_FQDN"
	FAKES3PP_S3_PROXY_PORT                = "FAKES3PP_S3_PROXY_PORT"
	FAKES3PP_S3_PROXY_CERT_FILE           = "FAKES3PP_S3_PROXY_CERT_FILE"
	FAKES3PP_S3_PROXY_KEY_FILE            = "FAKES3PP_S3_PROXY_KEY_FILE"
	FAKES3PP_S3_PROXY_JWT_PUBLIC_RSA_KEY  = "FAKES3PP_S3_PROXY_JWT_PUBLIC_RSA_KEY"
	FAKES3PP_S3_PROXY_JWT_PRIVATE_RSA_KEY = "FAKES3PP_S3_PROXY_JWT_PRIVATE_RSA_KEY"
	FAKES3PP_S3_PROXY_TARGET              = "FAKES3PP_S3_PROXY_TARGET"
	FAKES3PP_STS_PROXY_FQDN               = "FAKES3PP_STS_PROXY_FQDN"
	FAKES3PP_STS_PROXY_PORT               = "FAKES3PP_STS_PROXY_PORT"
	FAKES3PP_STS_PROXY_CERT_FILE          = "FAKES3PP_STS_PROXY_CERT_FILE"
	FAKES3PP_STS_PROXY_KEY_FILE           = "FAKES3PP_STS_PROXY_KEY_FILE"
	FAKES3PP_SECURE                       = "FAKES3PP_SECURE"
	FAKES3PP_STS_OIDC_CONFIG              = "FAKES3PP_STS_OIDC_CONFIG"
	FAKES3PP_ROLE_POLICY_PATH             = "FAKES3PP_ROLE_POLICY_PATH"
	FAKES3PP_STS_MAX_DURATION_SECONDS     = "FAKES3PP_STS_MAX_DURATION_SECONDS"
	FAKES3PP_SIGNEDURL_GRACE_TIME_SECONDS = "FAKES3PP_SIGNEDURL_GRACE_TIME_SECONDS"
)
View Source 
const (
	IAMActionS3PutObject            = "s3:PutObject"
	IAMActionS3GetObject            = "s3:GetObject"
	IAMActionS3ListBucket           = "s3:ListBucket"
	IAMActionS3AbortMultipartUpload = "s3:AbortMultipartUpload"
	IAMActionS3ListAllMyBuckets     = "s3:ListAllMyBuckets"
)

S3 IAM actions

View Source 
const (
	IAMConditionS3Prefix = "s3:prefix"
)

S3 Condition keys

View Source 
const PathSeparator = "/"
View Source 
const SlashSeparator = "/"

Variables

This section is empty.

Functions

func Add1Day 

func Add1Day(t time.Time) time.Time

func BindEnvVariables 

func BindEnvVariables(cmd string)

Bind the environment variables for a command

func CalculateS3PresignedUrl 

func CalculateS3PresignedUrl(req *http.Request, creds aws.Credentials, expirySeconds int) (string, error)

Calculate a Presigned URL out of a Request using AWS Credentials If you want to generate an URL for a new request set expirySeconds >0 to chose how long it will be valid If expirySeconds is set to 0 it is expected that a query parameter Expires is passed as part of the URL With a value an epoch timestamp This function will not make changes to the passed in request

func CalculateS3PresignedUrlWithExpiryTime 

func CalculateS3PresignedUrlWithExpiryTime(req *http.Request, creds aws.Credentials, expires string) (string, error)

func CalculateSecretKey 

func CalculateSecretKey(accessKey string, signingkey *rsa.PrivateKey) string

Probably not how AWS or another S3* service calculates the secret key but it doesn't really matter As we never pass this on upstream. But we chose to be able to derive the key using a shared secret since that allows calculation everywhere without keeping state to lookup secret key for an access key

func CheckPresignedUrl 

func CheckPresignedUrl(ctx context.Context, presignedUrlToCheck, sessionToken string) error

If presigned url is valid return nil otherwise error why it is invalid It also verifies whether the URL was valid at time of checking

func CleanHeaders 

func CleanHeaders(ctx context.Context, req *http.Request)

CleanHeaders removes headers which are potentially added along the way

func CreateSignedToken 

func CreateSignedToken(t *jwt.Token, signingKey *rsa.PrivateKey) (string, error)

func Execute 

func Execute()

Execute adds all child commands to the root command and sets flags appropriately. This is called by main.main(). It only needs to happen once to the rootCmd.

func GetS3PresignedUrlExpiresTime 

func GetS3PresignedUrlExpiresTime(req *http.Request) (time.Time, error)

For a presigned url get the time when it expires or return an error if invalid input

func GetSignRequestParams 

func GetSignRequestParams(ctx context.Context, req *http.Request, expiryInSeconds int, signingTime time.Time, creds aws.Credentials) (context.Context, aws.Credentials, *http.Request, string, string, string, time.Time)

Sign an HTTP request with a sigv4 signature. If expiry in seconds is bigger than zero then the signature has an explicit limited lifetime use a negative value to not set an explicit expiry time

func HasGetS3PresignedUrlValidSignature 

func HasGetS3PresignedUrlValidSignature(testUrl string, creds aws.Credentials) (validSignature bool, err error)

func HasS3PresignedUrlValidSignature 

func HasS3PresignedUrlValidSignature(req *http.Request, creds aws.Credentials) (validSignature bool, err error)

func NewAccessKey 

func NewAccessKey() string

func NewIamAction 

func NewIamAction(action, resource string, context map[string]*policy.ConditionValue) iamAction

func NewIamActionsFromS3Request 

func NewIamActionsFromS3Request(api_action S3ApiAction, req *http.Request) (actions []iamAction, err error)

Buid a new IAM action based out of an HTTP Request. The IAM action should resemble the required Permissions. The api_action is passed in as a string argument

func Now 

func Now() time.Time

func PolicyTemplateDataFromClaims 

func PolicyTemplateDataFromClaims(sc *SessionClaims) policyTemplateData

func PreSignRequestForGet 

func PreSignRequestForGet(bucket, key string, signingTime time.Time, expirySeconds int) (string, error)

func PreSignRequestWithCreds 

func PreSignRequestWithCreds(ctx context.Context, req *http.Request, expiryInSeconds int, signingTime time.Time, creds aws.Credentials) (signedURI string, signedHeaders http.Header, err error)

func PreSignRequestWithServerCreds 

func PreSignRequestWithServerCreds(req *http.Request, exiryInSeconds int, signingTime time.Time) (signedURI string, signedHeaders http.Header, err error)

Pre-sign the requests with the credentials that are used by the proxy itself

func PrivateKeyFromPem 

func PrivateKeyFromPem(pemBytes []byte) (*rsa.PrivateKey, error)

func PrivateKeyFromPemFile 

func PrivateKeyFromPemFile(filePath string) (*rsa.PrivateKey, error)

func PublicKeyFromPem 

func PublicKeyFromPem(pemBytes []byte) (*rsa.PublicKey, error)

func PublickKeyFromPemFile 

func PublickKeyFromPemFile(filePath string) (*rsa.PublicKey, error)

func ReTargetRequest 

func ReTargetRequest(r *http.Request)

Take a request that is signed but strip signature and point it to new target. Drop the old signature (Authorization header) Adapt Host to the new target We also have to clear RequestURI and set URL appropriately as explained in https://stackoverflow.com/questions/19595860/http-request-requesturi-field-when-making-request-in-go

func ReqToURI 

func ReqToURI(r *http.Request) string

func SignRequest 

func SignRequest(ctx context.Context, req *http.Request) error

func SignRequestWithCreds 

func SignRequestWithCreds(ctx context.Context, req *http.Request, expiryInSeconds int, signingTime time.Time, creds aws.Credentials) (err error)

func SignWithCreds 

func SignWithCreds(ctx context.Context, req *http.Request, creds aws.Credentials) error

func UrlDropSchemeFQDNPort 

func UrlDropSchemeFQDNPort(url string) string

func WriteButLogOnError 

func WriteButLogOnError(ctx context.Context, w http.ResponseWriter, bytes []byte)

Whenever we write back we should log if there are errors

func XAmzDateToTime 

func XAmzDateToTime(XAmzDate string) (time.Time, error)

Convert query parameter like X-Amz-Date=20240914T190903Z

func XAmzExpiryToTime 

func XAmzExpiryToTime(XAmzDate string, expirySeconds uint) (time.Time, error)

func YYYYmmdd 

func YYYYmmdd(t time.Time) string

func YYYYmmddSlashed 

func YYYYmmddSlashed(t time.Time) string

Types

type AWSCredentials 

type AWSCredentials struct {
	AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty" yaml:"accessKey"`
	SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty" yaml:"secretKey"`
	SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty" yaml:"sessionToken"`
	Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty" yaml:"-"`
}

AWSCredentials holds access and secret keys.

func NewAWSCredentials 

func NewAWSCredentials(token *jwt.Token, expiry time.Duration) (*AWSCredentials, error)

Generate New AWS Credentials out of a JWT and a specified duration

func (*AWSCredentials) Retrieve 

func (cred *AWSCredentials) Retrieve(ctx context.Context) (aws.Credentials, error)

To satisfy the CredentialsProvider interface

type AssumeRoleWithWebIdentityResponse 

type AssumeRoleWithWebIdentityResponse struct {
	XMLName          xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}

AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.

type AssumedRoleUser 

type AssumedRoleUser struct {
	// The ARN of the temporary security credentials that are returned from the
	// AssumeRole action. For more information about ARNs and how to use them in
	// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
	// in Using IAM.
	//
	// Arn is a required field
	Arn string

	// A unique identifier that contains the role ID and the role session name of
	// the role that is being assumed. The role ID is generated by AWS when the
	// role is created.
	//
	// AssumedRoleId is a required field
	AssumedRoleID string `xml:"AssumeRoleId"`
}

AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser

type LocalPolicyRetriever 

type LocalPolicyRetriever struct {
	// contains filtered or unexported fields
}

func NewLocalPolicyRetriever 

func NewLocalPolicyRetriever(stsRolePolicyPath string) *LocalPolicyRetriever

type PolicyEvaluator 

type PolicyEvaluator struct {
	// contains filtered or unexported fields
}

func NewPolicyEvaluator 

func NewPolicyEvaluator(pol *policy.Policy) *PolicyEvaluator

func NewPolicyEvaluatorFromStr 

func NewPolicyEvaluatorFromStr(policyContent string) (*PolicyEvaluator, error)

func (*PolicyEvaluator) Evaluate 

func (e *PolicyEvaluator) Evaluate(a iamAction) (isAllowed bool, reason evalReason, err error)

func (*PolicyEvaluator) EvaluateAll 

func (e *PolicyEvaluator) EvaluateAll(actions []iamAction) (isAllowed bool, reason evalReason, err error)

When evaluating multiple iamActions all must be allowed

type PolicyManager 

type PolicyManager struct {
	// contains filtered or unexported fields
}

func NewPolicyManager 

func NewPolicyManager(r PolicyRetriever) *PolicyManager

func (*PolicyManager) DoesPolicyExist 

func (m *PolicyManager) DoesPolicyExist(arn string) bool

Check if a policy manager can get a policy corresponding to an ARN

func (*PolicyManager) GetPolicy 

func (m *PolicyManager) GetPolicy(arn string, data policyTemplateData) (string, error)

func (*PolicyManager) PreWarm 

func (m *PolicyManager) PreWarm() error

Check if a policy manager can get a policy corresponding to an ARN

type PolicyRetriever 

type PolicyRetriever interface {
	// contains filtered or unexported methods
}

type RequestID 

type RequestID string

type S3ApiAction 

type S3ApiAction string

type S3Error 

type S3Error struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

type S3ErrorCode 

type S3ErrorCode int
const (
	ErrS3None S3ErrorCode = iota
	ErrS3AccessDenied
	ErrS3InternalError
	ErrS3UpstreamError
	ErrS3InvalidAccessKeyId
	ErrS3InvalidSignature
	ErrS3InvalidSecurity
)

func (S3ErrorCode) String 

func (i S3ErrorCode) String() string

type S3ErrorResponse 

type S3ErrorResponse struct {
	XMLName   xml.Name `xml:"Error" json:"-"`
	Code      string   `xml:"Code"`
	Message   string   `xml:"Message"`
	RequestID string   `xml:"RequestId"`
	HostId    string   `xml:"HostId"`
}

type STSError 

type STSError struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

STSError structure

type STSErrorCode 

type STSErrorCode int

STSErrorCode type of error status. 

const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSAccessDenied
	ErrSTSMissingParameter
	ErrSTSInvalidParameterValue
	ErrSTSWebIdentityExpiredToken
	ErrSTSClientGrantsExpiredToken
	ErrSTSInvalidClientGrantsToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInsecureConnection
	ErrSTSInvalidClientCertificate
	ErrSTSNotInitialized
	ErrSTSIAMNotInitialized
	ErrSTSUpstreamError
	ErrSTSInternalError
)

Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

func (STSErrorCode) String 

func (i STSErrorCode) String() string

type STSErrorResponse 

type STSErrorResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	Error   struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}

STSErrorResponse - error response format

type SessionClaims 

type SessionClaims struct {
	RoleARN string `json:"role_arn"`
	//The issuer of the initial OIDC refresh token
	IIssuer string `json:"initial_issuer"`
	jwt.RegisteredClaims
}

func ExtractOIDCTokenClaims 

func ExtractOIDCTokenClaims(token string) (*SessionClaims, error)

ExtractOIDCTokenClaims extracts JWT claims from a security token using the public key of the OIDC provider if the OIDC provider is registered key

func ExtractTokenClaims 

func ExtractTokenClaims(token string, keyFunc func(t *jwt.Token) (interface{}, error)) (*SessionClaims, error)

ExtractTokenClaims extracts JWT claims using a key functions

type WebIdentityResult 

type WebIdentityResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The intended audience (also known as client ID) of the web identity token.
	// This is traditionally the client identifier issued to the application that
	// requested the client grants.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials AWSCredentials `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int `xml:",omitempty"`

	// The issuing authority of the web identity token presented. For OpenID Connect
	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
	// this contains the value of the ProviderId parameter that was passed in the
	// AssumeRoleWithWebIdentity request.
	Provider string `xml:",omitempty"`

	// The unique user identifier that is returned by the identity provider.
	// This identifier is associated with the Token that was submitted
	// with the AssumeRoleWithWebIdentity call. The identifier is typically unique to
	// the user and the application that acquired the WebIdentityToken (pairwise identifier).
	// For OpenID Connect ID tokens, this field contains the value returned by the identity
	// provider as the token's sub (Subject) claim.
	SubjectFromWebIdentityToken string `xml:",omitempty"`
}

WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary credentials that can be used to make MinIO API requests.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.