Package op v0.1.0

Warning: this package is not in the latest version of its module.

Published: Jan 25, 2019 License: BSD-3-Clause Imports: 35 Imported by: 0

Constants

const (
	// ErrNoAccess indicates missing or invalid account credentials.
	ErrNoAccess = Error("account access denied")

	// ErrNoCtl indicates missing account control information.
	ErrNoCtl = Error("account control not initialized")

	// ErrCtlUpdate indicates that account control information was not saved.
	ErrCtlUpdate = Error("account control update interrupted")
)
const (
	IAMPath    = "/oktapus/"
	IAMTmpPath = IAMPath + "tmp/"
)

Paths for managed IAM users and roles.

const (
	DaemonEnv     = "OKTAPUS_DAEMON"
	SecretFileEnv = "OKTAPUS_SECRET_FILE"
	AliasFileEnv  = "OKTAPUS_ALIAS_FILE"
	ProfileEnv    = "OKTAPUS_AWS_PROFILE"
	MasterRoleEnv = "OKTAPUS_MASTER_ROLE"
	CommonRoleEnv = "OKTAPUS_COMMON_ROLE"

	OktaHostEnv    = "OKTA_ORG"
	OktaUserEnv    = "OKTA_USERNAME"
	OktaAWSAppEnv  = "OKTA_AWS_APP_URL"
	OktaAWSRoleEnv = "OKTA_AWS_ROLE_TO_ASSUME"
)

Oktapus environment variables. The Okta variables use the same names as those in https://github.com/oktadeveloper/okta-aws-cli-assume-role/

const CtlRole = "OktapusAccountControl"

CtlRole is the IAM role that stores account control information in its description.

const CtxVer = Ver(1)

CtxVer identifies Ctx and SavedCtx struct versions. It should be incremented for any incompatible changes to force the daemon to restart.

Variables

This section is empty.

Functions

func Run

func Run(c cmd) (interface{}, error)

Run executes the specified command with a local context.

func RunAndPrint

func RunAndPrint(c printCmd) error

RunAndPrint executes the specified command with a local context and prints its output.

Types

type Account

type Account struct {
	Flags

	ID   string
	Name string
	IAM  iamx.Client
	Ctl  Ctl
	Err  error
	// contains filtered or unexported fields
}

Account maintains control information and provides IAM access for one AWS account.

func NewAccount

func NewAccount(id, name string) *Account

NewAccount returns a new account with the given id and name.

func (*Account) CredsProvider

func (ac *Account) CredsProvider() *creds.Provider

CredsProvider returns the credentials provider for account ac.

func (*Account) CtlUpdate

func (ac *Account) CtlUpdate(err error) error

CtlUpdate updates account flags after control init/load/store operation.

type AccountSpec

type AccountSpec struct {
	// contains filtered or unexported fields
}

AccountSpec specifies how to filter accounts.

func ParseAccountSpec

func ParseAccountSpec(spec, user string) *AccountSpec

ParseAccountSpec parses the account spec string. The user argument determines the meaning of the "owner=me" specification.

func (*AccountSpec) Filter

func (s *AccountSpec) Filter(acs Accounts) (Accounts, error)

Filter returns only those accounts that match the spec.

func (*AccountSpec) IsStatic

func (s *AccountSpec) IsStatic(acs Accounts) bool

IsStatic returns true if the spec uses account IDs and/or names.

type Accounts

type Accounts []*Account

Accounts is a group of accounts that can be operated on concurrently.

func (Accounts) ClearErr

func (s Accounts) ClearErr() Accounts

ClearErr clears the error state of all accounts.

func (Accounts) CredsOrErr

func (s Accounts) CredsOrErr() Accounts

CredsOrErr sets the Err field of all accounts without valid credentials or an existing error.

func (Accounts) CtlOrErr

func (s Accounts) CtlOrErr() Accounts

CtlOrErr sets the Err field of all accounts without control information or an existing error.

func (Accounts) EnsureCreds

func (s Accounts) EnsureCreds(d time.Duration) Accounts

EnsureCreds ensures that credentials of all accounts will remain valid for the specified duration, renewing them if necessary.

func (Accounts) Filter

func (s Accounts) Filter(fn func(ac *Account) bool) Accounts

Filter returns a new slice containing only those accounts for which fn evaluates to true.

func (Accounts) InitCtl

func (s Accounts) InitCtl() Accounts

InitCtl initializes control information of all accounts.

func (Accounts) LoadCtl

func (s Accounts) LoadCtl(reload bool) Accounts

LoadCtl loads control information for accounts without LoadFlag set. If reload is true, the flag is ignored.

func (Accounts) Map

func (s Accounts) Map(fn func(i int, ac *Account) error) Accounts

Map concurrently executes fn for each account. Any error returned by fn is stored in the associated account.

func (Accounts) SortByID

func (s Accounts) SortByID() Accounts

SortByID sorts accounts by ID.

func (Accounts) SortByName

func (s Accounts) SortByName() Accounts

SortByName sorts accounts by name.

func (Accounts) StoreCtl

func (s Accounts) StoreCtl() Accounts

StoreCtl stores modified control information of all accounts. When setting an owner, the caller must refresh account control information after a delay to confirm ownership.
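The contract of Accounts.Map, Filter and ClearErr above (run a function concurrently over every account, store each error in that account, then split the slice on the Err field) is shown here as an added stand-alone Go example. It is not the oktapus package's code: Account is cut down to an ID, a name and Err, errNoAccess stands in for ErrNoAccess, checkAccess is a constructed stand-in for a per-account API call, and the account IDs are made up.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Account is a cut-down stand-in for op.Account: only the fields the
// example needs. Map writes the Err field; nothing else is shared.
type Account struct {
	ID, Name string
	Err      error
}

// Accounts is a group of accounts that can be operated on concurrently.
type Accounts []*Account

// Map runs fn for every account in its own goroutine and stores any error
// fn returns in that account's Err, matching the documented contract of
// op.Accounts.Map. Each goroutine writes only its own *Account, so no
// locking is needed as long as fn does the same.
func (s Accounts) Map(fn func(i int, ac *Account) error) Accounts {
	var wg sync.WaitGroup
	for i, ac := range s {
		wg.Add(1)
		go func(i int, ac *Account) {
			defer wg.Done()
			if err := fn(i, ac); err != nil {
				ac.Err = err
			}
		}(i, ac)
	}
	wg.Wait()
	return s
}

// Filter returns a new slice with only the accounts for which fn is true,
// preserving the original order.
func (s Accounts) Filter(fn func(ac *Account) bool) Accounts {
	out := make(Accounts, 0, len(s))
	for _, ac := range s {
		if fn(ac) {
			out = append(out, ac)
		}
	}
	return out
}

// ClearErr resets the error state of every account.
func (s Accounts) ClearErr() Accounts {
	for _, ac := range s {
		ac.Err = nil
	}
	return s
}

// errNoAccess stands in for op.ErrNoAccess (same message, plain error value).
var errNoAccess = errors.New("account access denied")

// checkAccess is a constructed stand-in for a per-account API call:
// accounts whose ID is in denied fail with errNoAccess, all others succeed.
func checkAccess(denied map[string]bool) func(i int, ac *Account) error {
	return func(i int, ac *Account) error {
		if denied[ac.ID] {
			return fmt.Errorf("%s: %w", ac.Name, errNoAccess)
		}
		return nil
	}
}

// partition runs the check over acs concurrently and splits the result into
// accounts that passed and accounts that recorded an error, which is how a
// caller typically consumes Map.
func partition(acs Accounts, denied map[string]bool) (ok, failed Accounts) {
	acs.Map(checkAccess(denied))
	ok = acs.Filter(func(ac *Account) bool { return ac.Err == nil })
	failed = acs.Filter(func(ac *Account) bool { return ac.Err != nil })
	return ok, failed
}

func main() {
	// Constructed sample accounts; the IDs are placeholders, not real accounts.
	acs := Accounts{
		{ID: "111111111111", Name: "dev"},
		{ID: "222222222222", Name: "prod"},
		{ID: "333333333333", Name: "sandbox"},
	}
	ok, failed := partition(acs, map[string]bool{"222222222222": true})
	for _, ac := range ok {
		fmt.Println("ok:", ac.Name)
	}
	for _, ac := range failed {
		fmt.Println("failed:", ac.Name, "->", ac.Err)
	}
}
```

Because Map never returns an aggregate error, a caller that forgets to inspect Err (or to call CredsOrErr / CtlOrErr first) silently operates on accounts it could not reach; filtering on Err right after Map, as partition does, keeps that failure visible.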

type AuthMode

type AuthMode int

AuthMode is the context authentication mode.

const (
	Unknown AuthMode = iota // Context not initialized
	IAM                     // IAM user access key
	STS                     // STS session (single-account mode)
	Okta                    // Okta-federated IAM role
)

type Ctl

type Ctl struct {
	Owner string `json:"owner,omitempty"`
	Desc  string `json:"desc,omitempty"`
	Tags  Tags   `json:"tags,omitempty"`
}

Ctl contains account control information.

func (*Ctl) Decode

func (ctl *Ctl) Decode(b64 string) error

Decode decodes account control information from a base64 string.

func (*Ctl) Encode

func (ctl *Ctl) Encode() (string, error)

Encode encodes account control information into a base64 string.

func (*Ctl) Init

func (ctl *Ctl) Init(c iamx.Client) error

Init creates account control information in an uncontrolled account.

func (*Ctl) Load

func (ctl *Ctl) Load(c iamx.Client) error

Load retrieves current account control information.

func (*Ctl) Store

func (ctl *Ctl) Store(c iamx.Client) error

Store stores account control information.

type Ctx

type Ctx struct {
	// Oktapus environment config
	Daemon     daemon.Addr `env:"OKTAPUS_DAEMON"`
	SecretFile string      `env:"OKTAPUS_SECRET_FILE"`
	AliasFile  string      `env:"OKTAPUS_ALIAS_FILE"`
	Profile    string      `env:"OKTAPUS_AWS_PROFILE"`
	MasterRole string      `env:"OKTAPUS_MASTER_ROLE"`
	CommonRole string      `env:"OKTAPUS_COMMON_ROLE"`

	// Okta environment config
	OktaHost    string `env:"OKTA_ORG"`
	OktaUser    string `env:"OKTA_USERNAME"`
	OktaAWSApp  string `env:"OKTA_AWS_APP_URL"`
	OktaAWSRole string `env:"OKTA_AWS_ROLE_TO_ASSUME"`

	// AWS environment config
	EnvCfg external.EnvConfig
	// contains filtered or unexported fields
}

Ctx provides global config information and account access. A context can be local or non-local. Local contexts are allowed to access the file system, refresh accounts, communicate with the daemon, and perform other client functions. Non-local contexts, maintained by the daemon, are only allowed to make API calls to keep account credentials and control information current.

func EnvCtx

func EnvCtx() *Ctx

EnvCtx returns a local context populated from the environment variables.

func NewCtx

func NewCtx() *Ctx

NewCtx returns an empty local context.

func (*Ctx) Accounts

func (c *Ctx) Accounts() Accounts

Accounts returns all registered accounts sorted by name.

func (*Ctx) AuthMode

func (c *Ctx) AuthMode() AuthMode

AuthMode returns the context authentication mode.

func (*Ctx) Cfg

func (c *Ctx) Cfg() aws.Config

Cfg returns the active AWS client config.

func (*Ctx) CredsProvider

func (c *Ctx) CredsProvider(accountID string) *creds.Provider

CredsProvider returns a credentials provider for the specified account ID.

func (*Ctx) Ident

func (c *Ctx) Ident() creds.Ident

Ident returns the identity of the client config credentials.

func (*Ctx) Init

func (c *Ctx) Init(cfg *aws.Config) error

Init initializes a local context before first use. If cfg is nil, client config is loaded from context state and shared AWS config files.

func (*Ctx) MasterExternalID

func (c *Ctx) MasterExternalID() *string

MasterExternalID derives the external id for the master role.

func (*Ctx) Match

func (c *Ctx) Match(spec string) (Accounts, error)

Match returns all accounts that match the spec.

func (*Ctx) Okta

func (c *Ctx) Okta() *okta.Client

Okta returns the Okta client if the current AuthMode is Okta.

func (*Ctx) Org

func (c *Ctx) Org() account.Org

Org returns organization info.

func (*Ctx) Refresh

func (c *Ctx) Refresh() error

Refresh updates the list of known accounts from the alias file and/or AWS Organizations API.

func (*Ctx) Register

func (c *Ctx) Register(acs Accounts) Accounts

Register adds new accounts to the context and configures their IAM clients.

func (*Ctx) Role

func (c *Ctx) Role() arn.ARN

Role returns the common role ARN with an empty account field.

func (*Ctx) Save

func (c *Ctx) Save() *SavedCtx

Save returns a serializable context representation.

type Error

type Error string

Error is an error type that can be encoded by gob.

func (Error) Error

func (e Error) Error() string

Error implements the error interface.

type Flags

type Flags uint32

Flags contains account state flags.

const (
	CredsFlag Flags = 1 << iota // Credentials are valid
	LoadFlag                    // Control information load was attempted
	CtlFlag                     // Control information is valid
	OrgFlag                     // Account belongs to an organization
)

Flag bits.

func (*Flags) Clear

func (f *Flags) Clear(b Flags)

Clear clears the specified flag bits.

func (Flags) CredsValid

func (f Flags) CredsValid() bool

CredsValid returns true if the account credentials are valid.

func (Flags) CtlValid

func (f Flags) CtlValid() bool

CtlValid returns true if the account control information is valid.

func (*Flags) Set

func (f *Flags) Set(b Flags)

Set sets the specified flag bits.

func (Flags) Test

func (f Flags) Test(b Flags) bool

Test returns true if all specified flag bits are set.

type GetCtx

type GetCtx struct {
	Ver
	Sig string
}

GetCtx is a daemon message requesting the context with the specified signature. The daemon either sends the matching *SavedCtx or closes the connection if the context was not found.

type SavedCtx

type SavedCtx struct {
	Ver
	Ctx           Ctx
	Sig           string
	Secret        string
	OktaSess      *okta.Session
	OktaCreds     *aws.Credentials // TODO: Save creds in other modes?
	ProxyIdent    creds.Ident
	ProxySessName string
	DirOrg        account.Org
	Creds         []savedCreds
	Accounts      []Account
}

SavedCtx is a serializable context representation.

func (*SavedCtx) Restore

func (sc *SavedCtx) Restore() (*Ctx, error)

Restore creates a new non-local context from saved state.

type Tags

type Tags []string

Tags is a collection of keywords associated with an account. All methods assume that tags are sorted, each tag is unique, and no tag is negated.

func ParseTags

func ParseTags(s string) (set, clr Tags, err error)

ParseTags splits s into two disjoint sets of non-negated and negated tags.

func (*Tags) Apply

func (t *Tags) Apply(set, clr Tags)

Apply updates t by adding tags in set and removing those in clr. Setting tags takes priority over clearing them if the sets are not disjoint.

func (Tags) Diff

func (t Tags) Diff(u Tags) (set, clr Tags)

Diff returns tags that are set and/or cleared in t relative to u. Calling u.Apply(set, clr) would make u == t.

func (Tags) Sort

func (t Tags) Sort() Tags

Sort sorts tags in place and returns the original slice.

func (Tags) String

func (t Tags) String() string

String implements fmt.Stringer.
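The Tags contract above (tags are sorted and unique, ParseTags yields disjoint set and clear lists, Apply lets set win over clear, and u.Apply(t.Diff(u)) turns u into t) is worked through in the following Go code. It is an added stand-alone example, not the package's own implementation of these methods. One assumption is made because the page does not state the negation syntax: a leading "!" marks a tag to be cleared, and tags are separated by commas.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tags is a sorted, duplicate-free list of keywords. Every method below
// relies on that invariant, as the op.Tags documentation states.
type Tags []string

// ParseTags splits s into tags to set and tags to clear.
// ASSUMPTION: tags are comma-separated and a leading "!" negates a tag.
// A tag that appears twice, or both negated and plain, is an error so the
// two results are always disjoint.
func ParseTags(s string) (set, clr Tags, err error) {
	seen := map[string]bool{}
	for _, f := range strings.Split(s, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		neg := strings.HasPrefix(f, "!")
		name := strings.TrimPrefix(f, "!")
		if name == "" || strings.Contains(name, "!") {
			return nil, nil, fmt.Errorf("invalid tag %q", f)
		}
		if seen[name] {
			return nil, nil, fmt.Errorf("tag %q listed more than once", name)
		}
		seen[name] = true
		if neg {
			clr = append(clr, name)
		} else {
			set = append(set, name)
		}
	}
	return set.Sort(), clr.Sort(), nil
}

// Apply adds every tag in set and removes every tag in clr. Clearing runs
// first, so a tag present in both ends up set, as documented.
func (t *Tags) Apply(set, clr Tags) {
	m := make(map[string]bool, len(*t)+len(set))
	for _, x := range *t {
		m[x] = true
	}
	for _, x := range clr {
		delete(m, x)
	}
	for _, x := range set {
		m[x] = true
	}
	out := make(Tags, 0, len(m))
	for x := range m {
		out = append(out, x)
	}
	*t = out.Sort()
}

// Diff returns the tags that must be set and cleared to turn u into t,
// so that u.Apply(t.Diff(u)) leaves u equal to t. Both inputs must be
// sorted and unique; a single merge pass is then enough.
func (t Tags) Diff(u Tags) (set, clr Tags) {
	i, j := 0, 0
	for i < len(t) && j < len(u) {
		switch {
		case t[i] < u[j]: // only in t: must be set
			set = append(set, t[i])
			i++
		case t[i] > u[j]: // only in u: must be cleared
			clr = append(clr, u[j])
			j++
		default: // in both: nothing to do
			i++
			j++
		}
	}
	set = append(set, t[i:]...)
	clr = append(clr, u[j:]...)
	return set, clr
}

// Sort sorts t in place and returns the same slice.
func (t Tags) Sort() Tags {
	sort.Strings(t)
	return t
}

// String joins the tags with commas, the inverse of the assumed ParseTags syntax.
func (t Tags) String() string { return strings.Join(t, ",") }

func main() {
	set, clr, err := ParseTags("prod, !staging, web")
	if err != nil {
		panic(err)
	}
	cur := Tags{"legacy", "staging"} // constructed current tags
	cur.Apply(set, clr)
	fmt.Println("after apply:", cur)
	s, c := cur.Diff(Tags{"legacy"})
	fmt.Println("to reach from [legacy]: set", s, "clear", c)
}
```

Diff is what a caller would use before StoreCtl to record only the change it intends; the merge pass depends on both slices honouring the sorted-and-unique invariant, which is why every constructor above ends with Sort.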

type Ver

type Ver int

Ver identifies the version of a type sent over a gob stream.

func (Ver) Version

func (v Ver) Version() Ver

Version returns v to satisfy a common interface.
