aws

package
v0.0.0-...-5c79d48
Published: Feb 15, 2024 License: AGPL-3.0 Imports: 38 Imported by: 0

Documentation

Constants

const (
	// AmazonSigV4AuthorizationPrefix is the AWS Authorization header prefix indicating that
	// the request was signed with AWS Signature Version 4.
	// https://github.com/aws/aws-sdk-go/blob/main/aws/signer/v4/v4.go#L83
	// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
	AmazonSigV4AuthorizationPrefix = "AWS4-HMAC-SHA256"

	// AmzDateTimeFormat is the time format used in the X-Amz-Date header.
	// https://github.com/aws/aws-sdk-go/blob/main/aws/signer/v4/v4.go#L84
	AmzDateTimeFormat = "20060102T150405Z"

	// AmzDateHeader is the name of the header containing the timestamp at which the
	// signature was generated.
	// https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
	AmzDateHeader = "X-Amz-Date"

	// AuthorizationHeader is the name of the HTTP Authorization header.
	AuthorizationHeader = "Authorization"

	// AmzTargetHeader is a header containing the API target.
	// Format: target_version.operation
	// Example: DynamoDB_20120810.Scan
	AmzTargetHeader = "X-Amz-Target"
	// AmzJSON1_0 is the AWS Content-Type value indicating the x-amz-json-1.0 JSON media type.
	AmzJSON1_0 = "application/x-amz-json-1.0"
	// AmzJSON1_1 is the AWS Content-Type value indicating the x-amz-json-1.1 JSON media type.
	AmzJSON1_1 = "application/x-amz-json-1.1"
)

Variables

This section is empty.

Functions

func BuildRoleARN

func BuildRoleARN(username, region, accountID string) (string, error)

BuildRoleARN constructs a string AWS ARN from a username, region, and account ID. If username is an AWS ARN, this function checks that the ARN is an AWS IAM Role ARN in the correct partition and account.

func CheckARNPartitionAndAccount

func CheckARNPartitionAndAccount(ARN *arn.ARN, wantPartition, wantAccountID string) error

CheckARNPartitionAndAccount checks an AWS ARN against an expected AWS partition and account ID. An empty expected AWS partition or account ID is not checked.

func ConvertS3Error

func ConvertS3Error(err error, args ...interface{}) error

ConvertS3Error wraps an S3 error and returns its trace equivalent. It works on both SDK v1 and v2 errors.

func GetKnownRegions

func GetKnownRegions() []string

GetKnownRegions returns a list of "well-known" AWS regions generated from AWS SDK.

func IsKnownRegion

func IsKnownRegion(region string) bool

IsKnownRegion returns true if provided region is one of the "well-known" AWS regions.

func IsPartialRoleARN

func IsPartialRoleARN(roleARN string) bool

IsPartialRoleARN returns true if the provided role ARN only contains the resource name.

func IsRoleARN

func IsRoleARN(roleARN string) bool

IsRoleARN returns true if the provided string is an AWS role ARN.

func IsSignedByAWSSigV4

func IsSignedByAWSSigV4(r *http.Request) bool

IsSignedByAWSSigV4 checks whether the request was signed with the AWS Signature Version 4 algorithm. https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

func IsUserARN

func IsUserARN(userARN string) bool

IsUserARN returns true if the provided string is an AWS user ARN.

func IsXMLOfLocalName

func IsXMLOfLocalName(data []byte, wantLocalName string) bool

IsXMLOfLocalName returns true if the root XML has the provided (local) name.

func MarshalXML

func MarshalXML(rootName xml.Name, children map[string]any) ([]byte, error)

MarshalXML marshals the provided root name and a map of children in XML with default indent (prefix "", indent " ").

func NewS3V2FileWriter

func NewS3V2FileWriter(ctx context.Context, s3Client managerV2.UploadAPIClient, bucket, key string, uploaderOptions []func(*managerV2.Uploader), putObjectInputOptions ...func(*s3v2.PutObjectInput)) (*s3V2FileWriter, error)

NewS3V2FileWriter creates an s3V2FileWriter. The Close method on the writer should be called to make sure that the reader has finished.

func NewSigner

func NewSigner(credentials *credentials.Credentials, signingServiceName string) *v4.Signer

NewSigner creates a new V4 signer.

func ParseRoleARN

func ParseRoleARN(roleARN string) (*arn.ARN, error)

ParseRoleARN parses an AWS ARN and checks that the ARN is for an IAM Role resource.

func PolicyARN

func PolicyARN(partition, accountID, policy string) string

PolicyARN returns the ARN representation of an AWS IAM Policy.

func RoleARN

func RoleARN(partition, accountID, role string) string

RoleARN returns the ARN representation of an AWS IAM Role.

func UnmarshalRequestBody

func UnmarshalRequestBody(req *http.Request) (*apievents.Struct, error)

UnmarshalRequestBody reads and unmarshals a JSON request body into a protobuf Struct wrapper. If the request is not a recognized AWS JSON media type, or the body cannot be read, or the body is not valid JSON, then this function returns a nil value and an error.

The protobuf Struct wrapper is useful for serializing JSON into a protobuf, because otherwise when the protobuf is marshaled it will re-marshal a JSON string field with escape characters or base64 encode a []byte field. Examples showing the differences:

  - JSON string in proto: `{"Table": "some-table"}` --marshal to JSON--> `"{\"Table\": \"some-table\"}"`
  - bytes in proto: []byte --marshal to JSON--> `eyJUYWJsZSI6ICJzb21lLXRhYmxlIn0K` (base64 encoded)
  - *Struct in proto: *Struct --marshal to JSON--> `{"Table": "some-table"}` (unescaped JSON)

func UnmarshalXMLChildNode

func UnmarshalXMLChildNode(v interface{}, data []byte, childName string) error

UnmarshalXMLChildNode decodes the XML-encoded data and stores the child node with the specified name to v, where v is a pointer to an AWS SDK v1 struct.

func ValidateRoleARNAndExtractRoleName

func ValidateRoleARNAndExtractRoleName(roleARN, wantPartition, wantAccountID string) (string, error)

ValidateRoleARNAndExtractRoleName validates the role ARN and extracts the short role name from it.
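The partition and account checks documented for BuildRoleARN, CheckARNPartitionAndAccount and ValidateRoleARNAndExtractRoleName, written out as an added stand-alone example (not this package's code). It parses ARNs with the standard library instead of the SDK's arn package, and the ARN values in its comments are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ARN holds the colon-separated fields of an AWS ARN:
// arn:partition:service:region:account-id:resource
type ARN struct {
	Partition, Service, Region, AccountID, Resource string
}

// ParseARN splits an ARN into its six fields. SplitN keeps the resource part
// whole, because resources such as "role/path/Name" may themselves contain colons.
func ParseARN(s string) (ARN, error) {
	p := strings.SplitN(s, ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[1] == "" || p[2] == "" {
		return ARN{}, fmt.Errorf("invalid ARN %q", s)
	}
	return ARN{Partition: p[1], Service: p[2], Region: p[3], AccountID: p[4], Resource: p[5]}, nil
}

// CheckRoleARN accepts only IAM role ARNs and, when wantPartition or wantAccountID
// is non-empty, only those in that partition or account. It returns the short role
// name with any IAM path removed. Rejecting foreign accounts here is what stops a
// user-supplied ARN from pointing the proxy at a role it was never meant to assume.
func CheckRoleARN(roleARN, wantPartition, wantAccountID string) (string, error) {
	a, err := ParseARN(roleARN)
	if err != nil {
		return "", err
	}
	if a.Service != "iam" || !strings.HasPrefix(a.Resource, "role/") {
		return "", fmt.Errorf("%q is not an IAM role ARN", roleARN)
	}
	if wantPartition != "" && a.Partition != wantPartition {
		return "", fmt.Errorf("partition %q does not match expected %q", a.Partition, wantPartition)
	}
	if wantAccountID != "" && a.AccountID != wantAccountID {
		return "", fmt.Errorf("account %q does not match expected %q", a.AccountID, wantAccountID)
	}
	name := strings.TrimPrefix(a.Resource, "role/")
	if i := strings.LastIndex(name, "/"); i >= 0 {
		name = name[i+1:] // strip the IAM path, e.g. "role/ops/ReadOnly" -> "ReadOnly"
	}
	if name == "" {
		return "", fmt.Errorf("%q has an empty role name", roleARN)
	}
	return name, nil
}
```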

func VerifyAWSSignature

func VerifyAWSSignature(req *http.Request, credentials *credentials.Credentials) error

VerifyAWSSignature verifies the request signature, ensuring that the request originates from a tsh aws command execution. The AWS CLI signs the request with randomly generated credentials that are passed to the LocalProxy through the AWSCredentials field of the LocalProxyConfig configuration.

Types

type CachedCredentialsGetterConfig

type CachedCredentialsGetterConfig struct {
	// Getter is the CredentialsGetter for obtaining the STS credentials.
	Getter CredentialsGetter
	// CacheTTL is the cache TTL.
	CacheTTL time.Duration
	// Clock is used to control time.
	Clock clockwork.Clock
}

CachedCredentialsGetterConfig is the config for creating a CredentialsGetter that caches credentials.

func (*CachedCredentialsGetterConfig) SetDefaults

func (c *CachedCredentialsGetterConfig) SetDefaults()

SetDefaults sets default values for CachedCredentialsGetterConfig.

type CredentialsGetter

type CredentialsGetter interface {
	// Get obtains STS credentials.
	Get(ctx context.Context, request GetCredentialsRequest) (*credentials.Credentials, error)
}

CredentialsGetter defines an interface for obtaining STS credentials.

func NewCachedCredentialsGetter

func NewCachedCredentialsGetter(config CachedCredentialsGetterConfig) (CredentialsGetter, error)

NewCachedCredentialsGetter returns a CredentialsGetter that caches credentials.

func NewCredentialsGetter

func NewCredentialsGetter() CredentialsGetter

NewCredentialsGetter returns a new CredentialsGetter.

func NewStaticCredentialsGetter

func NewStaticCredentialsGetter(credentials *credentials.Credentials) CredentialsGetter

NewStaticCredentialsGetter returns a CredentialsGetter that always returns the same provided credentials.

Used in testing to mock CredentialsGetter.

type GetCredentialsRequest

type GetCredentialsRequest struct {
	// Provider is the user session used to create the STS client.
	Provider client.ConfigProvider
	// Expiry is session expiry to be requested.
	Expiry time.Time
	// SessionName is the session name to be requested.
	SessionName string
	// RoleARN is the role ARN to be requested.
	RoleARN string
	// ExternalID is the external ID to be requested, if not empty.
	ExternalID string
	// Tags is a list of AWS STS session tags.
	Tags map[string]string
}

GetCredentialsRequest is the request for obtaining STS credentials.

type Role

type Role struct {
	// Name is the full role name with the entire path.
	Name string `json:"name"`
	// Display is the role display name.
	Display string `json:"display"`
	// ARN is the full role ARN.
	ARN string `json:"arn"`
}

Role describes an AWS IAM role for AWS console access.

type Roles

type Roles []Role

Roles is a slice of roles.

func FilterAWSRoles

func FilterAWSRoles(arns []string, accountID string) (result Roles)

FilterAWSRoles returns role ARNs from the provided list that belong to the specified AWS account ID.

If AWS account ID is empty, all valid AWS IAM roles are returned.

func (Roles) FindRoleByARN

func (roles Roles) FindRoleByARN(arn string) (Role, bool)

FindRoleByARN finds the role with the provided ARN.

func (Roles) FindRolesByName

func (roles Roles) FindRolesByName(name string) (result Roles)

FindRolesByName finds all roles matching the provided name.

func (Roles) Sort

func (roles Roles) Sort()

Sort sorts the roles by their display names.

type SigV4

type SigV4 struct {
	// KeyID is an AWS access-key-id.
	KeyID string
	// Date value is specified using YYYYMMDD format.
	Date string
	// Region is an AWS Region.
	Region string
	// Service is an AWS Service.
	Service string
	// SignedHeaders is a list of request headers that were used to compute the Signature.
	SignedHeaders []string
	// Signature is the 256-bit Signature of the request.
	Signature string
}

SigV4 contains parsed content of the AWS Authorization header.

func ParseSigV4

func ParseSigV4(header string) (*SigV4, error)

ParseSigV4 parses the sections of an AWS SigV4 credentials string. AWS SigV4 header example:

	Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

type SigningCtx

type SigningCtx struct {
	// SigningName is the AWS signing service name.
	SigningName string
	// SigningRegion is the AWS region to sign a request for.
	SigningRegion string
	// Expiry is the expiration of the AWS credentials used to sign requests.
	Expiry time.Time
	// SessionName is role session name of AWS credentials used to sign requests.
	SessionName string
	// AWSRoleArn is the AWS ARN of the role to assume for signing requests.
	AWSRoleArn string
	// AWSExternalID is an optional external ID used when getting sts credentials.
	AWSExternalID string
	// SessionTags is a list of AWS STS session tags.
	SessionTags map[string]string
}

SigningCtx contains AWS SigV4 signing context parameters.

func (*SigningCtx) Check

func (sc *SigningCtx) Check(clock clockwork.Clock) error

Check checks signing context parameters.

type SigningService

type SigningService struct {
	// SigningServiceConfig is the SigningService configuration.
	SigningServiceConfig
}

SigningService is an AWS CLI proxy service that signs AWS requests based on user identity.

func NewSigningService

func NewSigningService(config SigningServiceConfig) (*SigningService, error)

NewSigningService creates a new instance of SigningService.

func (*SigningService) SignRequest

func (s *SigningService) SignRequest(ctx context.Context, req *http.Request, signCtx *SigningCtx) (*http.Request, error)

SignRequest creates a new HTTP request, rewrites the headers from the original request, and returns a new HTTP request signed with AWS STS credentials. Signing steps:

 1. Decode the Authorization header. Authorization header example:

	Authorization: AWS4-HMAC-SHA256
	Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,
	SignedHeaders=host;range;x-amz-date,
	Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

 2. Extract the credential section from the Authorization header.
 3. Extract aws-region and aws-service from the credential section.
 4. Build the AWS API endpoint from the extracted aws-region and aws-service fields.
    Note that endpoint resolving uses the https://github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go
    package, so when Amazon releases a new API a dependency update is needed.
 5. Sign the HTTP request.
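Steps 1 to 3 above, and the header layout documented for ParseSigV4, as an added stand-alone example (not this package's ParseSigV4): it parses the Authorization header into its credential-scope fields, rejecting anything outside the SigV4 grammar before region and service are trusted for endpoint resolution. The header value in the test is the documented example; the type and function names are this example's own.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// SigV4Header holds the parsed sections of an AWS SigV4 Authorization header.
type SigV4Header struct {
	KeyID, Date, Region, Service string
	SignedHeaders                []string
	Signature                    string
}

// ParseSigV4Header parses "AWS4-HMAC-SHA256 Credential=<key>/<YYYYMMDD>/<region>/<service>/aws4_request, SignedHeaders=a;b, Signature=<hex>".
func ParseSigV4Header(header string) (*SigV4Header, error) {
	const prefix = "AWS4-HMAC-SHA256 "
	if !strings.HasPrefix(header, prefix) {
		return nil, fmt.Errorf("not an AWS SigV4 Authorization header")
	}
	out := &SigV4Header{}
	for _, field := range strings.Split(strings.TrimPrefix(header, prefix), ",") {
		kv := strings.SplitN(strings.TrimSpace(field), "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed field %q", field)
		}
		switch kv[0] {
		case "Credential": // access-key-id/date/region/service/aws4_request
			p := strings.Split(kv[1], "/")
			if len(p) != 5 || p[4] != "aws4_request" || len(p[1]) != 8 {
				return nil, fmt.Errorf("malformed credential scope %q", kv[1])
			}
			out.KeyID, out.Date, out.Region, out.Service = p[0], p[1], p[2], p[3]
		case "SignedHeaders": // semicolon-separated, lower-case header names
			out.SignedHeaders = strings.Split(kv[1], ";")
		case "Signature": // 256-bit HMAC-SHA256, hex encoded
			if b, err := hex.DecodeString(kv[1]); err != nil || len(b) != 32 {
				return nil, fmt.Errorf("signature must be 32 hex-encoded bytes")
			}
			out.Signature = kv[1]
		default: // anything else is not part of the SigV4 grammar
			return nil, fmt.Errorf("unexpected field %q", kv[0])
		}
	}
	if out.KeyID == "" || out.Signature == "" || len(out.SignedHeaders) == 0 {
		return nil, fmt.Errorf("incomplete Authorization header")
	}
	return out, nil
}
```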

type SigningServiceConfig

type SigningServiceConfig struct {
	// Session is AWS session.
	Session *awssession.Session
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// CredentialsGetter is used to obtain STS credentials.
	CredentialsGetter CredentialsGetter
}

SigningServiceConfig is the SigningService configuration.

func (*SigningServiceConfig) CheckAndSetDefaults

func (s *SigningServiceConfig) CheckAndSetDefaults() error

CheckAndSetDefaults validates the SigningServiceConfig config.
