s3gof3r/auth.go

package s3gof3r

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"time"

	"github.com/github/s3gof3r/internal/s3client"
)

// Keys for an Amazon Web Services account.
// Used for signing http requests.
type Keys struct {
	AccessKey     string
	SecretKey     string
	SecurityToken string
}

type mdCreds struct {
	Code            string
	LastUpdated     string
	Type            string
	AccessKeyID     string `xml:"AccessKeyId"`
	SecretAccessKey string
	Token           string
	Expiration      string
}

// InstanceKeys Requests the AWS keys from the instance-based metadata on EC2
// Assumes only one IAM role.
func InstanceKeys() (Keys, error) {
	rolePath := "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
	var creds mdCreds

	// request the role name for the instance
	// assumes there is only one
	resp, err := ClientWithTimeout(2 * time.Second).Get(rolePath)
	if err != nil {
		return Keys{}, err
	}
	if resp.StatusCode != 200 {
		return Keys{}, s3client.NewRespError(resp)
	}

	role, err := ioutil.ReadAll(resp.Body)
	closeErr := resp.Body.Close()
	if err != nil {
		return Keys{}, err
	}
	if closeErr != nil {
		return Keys{}, closeErr
	}

	// request the credential metadata for the role
	resp, err = http.Get(rolePath + string(role))
	if err != nil {
		return Keys{}, err
	}
	if resp.StatusCode != 200 {
		return Keys{}, s3client.NewRespError(resp)
	}

	metadata, err := ioutil.ReadAll(resp.Body)
	closeErr = resp.Body.Close()
	if err != nil {
		return Keys{}, err
	}
	if closeErr != nil {
		return Keys{}, closeErr
	}

	if err = json.Unmarshal([]byte(metadata), &creds); err != nil {
		return Keys{}, err
	}

	return Keys{
		AccessKey:     creds.AccessKeyID,
		SecretKey:     creds.SecretAccessKey,
		SecurityToken: creds.Token,
	}, nil
}

// EnvKeys Reads the AWS keys from the environment
func EnvKeys() (keys Keys, err error) {
	keys = Keys{
		AccessKey:     os.Getenv("AWS_ACCESS_KEY_ID"),
		SecretKey:     os.Getenv("AWS_SECRET_ACCESS_KEY"),
		SecurityToken: os.Getenv("AWS_SECURITY_TOKEN"),
	}
	if keys.AccessKey == "" || keys.SecretKey == "" {
		err = fmt.Errorf("keys not set in environment: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY")
	}
	return
}
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`package s3gof3r`

			`import (`
			`"encoding/json"`
Remove errors dependency. 2014-06-16 01:07:37 +04:00			`"fmt"`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`"io/ioutil"`
			`"net/http"`
			`"os"`
Reduce instance metadata request timeout to 2 seconds. 2014-04-03 23:28:52 +04:00			`"time"`
internal/s3client: new package Move the low-level S3 interface here. 2021-09-13 15:13:35 +03:00
			`"github.com/github/s3gof3r/internal/s3client"`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`)`

			`// Keys for an Amazon Web Services account.`
			`// Used for signing http requests.`
			`type Keys struct {`
			`AccessKey string`
			`SecretKey string`
			`SecurityToken string`
			`}`

			`type mdCreds struct {`
			`Code string`
			`LastUpdated string`
			`Type string`
Small improvements 2015-11-03 04:06:33 +03:00			AccessKeyID string `xml:"AccessKeyId"`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`SecretAccessKey string`
			`Token string`
			`Expiration string`
			`}`

Address golint recommendations. 2014-06-24 01:40:29 +04:00			`// InstanceKeys Requests the AWS keys from the instance-based metadata on EC2`
Add InstanceKeys and EnvKeys functions. #4 2014-02-23 22:02:11 +04:00			`// Assumes only one IAM role.`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`func InstanceKeys() (Keys, error) {`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`rolePath := "http://169.254.169.254/latest/meta-data/iam/security-credentials/"`
			`var creds mdCreds`

			`// request the role name for the instance`
			`// assumes there is only one`
Reduce instance metadata request timeout to 2 seconds. 2014-04-03 23:28:52 +04:00			`resp, err := ClientWithTimeout(2 * time.Second).Get(rolePath)`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`if err != nil {`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`return Keys{}, err`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`
			`if resp.StatusCode != 200 {`
internal/s3client: new package Move the low-level S3 interface here. 2021-09-13 15:13:35 +03:00			`return Keys{}, s3client.NewRespError(resp)`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`

Never call both `checkClose()` and `newRespError()` Both of these functions have the effect of closing the body of the response. Since it is undefined to close the body more than once, we should call one function or the other, not both. There are still problems in some of these callsites, to be addressed. 2021-09-06 14:17:18 +03:00			`role, err := ioutil.ReadAll(resp.Body)`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`closeErr := resp.Body.Close()`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`if err != nil {`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`return Keys{}, err`
			`}`
			`if closeErr != nil {`
			`return Keys{}, closeErr`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`

			`// request the credential metadata for the role`
			`resp, err = http.Get(rolePath + string(role))`
			`if err != nil {`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`return Keys{}, err`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`
			`if resp.StatusCode != 200 {`
internal/s3client: new package Move the low-level S3 interface here. 2021-09-13 15:13:35 +03:00			`return Keys{}, s3client.NewRespError(resp)`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`
Never call both `checkClose()` and `newRespError()` Both of these functions have the effect of closing the body of the response. Since it is undefined to close the body more than once, we should call one function or the other, not both. There are still problems in some of these callsites, to be addressed. 2021-09-06 14:17:18 +03:00
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`metadata, err := ioutil.ReadAll(resp.Body)`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`closeErr = resp.Body.Close()`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`if err != nil {`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`return Keys{}, err`
			`}`
			`if closeErr != nil {`
			`return Keys{}, closeErr`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`

Check deferred closes for errors. Additional error handling. 2014-04-01 01:27:33 +04:00			`if err = json.Unmarshal([]byte(metadata), &creds); err != nil {`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`return Keys{}, err`
Check deferred closes for errors. Additional error handling. 2014-04-01 01:27:33 +04:00			`}`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00
			`return Keys{`
Small improvements 2015-11-03 04:06:33 +03:00			`AccessKey: creds.AccessKeyID,`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`SecretKey: creds.SecretAccessKey,`
			`SecurityToken: creds.Token,`
InstanceKeys(): handle errors explicitly `checkClose()` doesn't work (because it only modifies a local `err` variable), and named return values make code trickier to understand anyway. So handle errors inline, instead. 2021-09-06 18:38:16 +03:00			`}, nil`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`

Address golint recommendations. 2014-06-24 01:40:29 +04:00			`// EnvKeys Reads the AWS keys from the environment`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`func EnvKeys() (keys Keys, err error) {`
Use AWS_SECURITY_TOKEN environment variable `gof3r` should work with environments that have temporary tokens. These environments set a AWS_SECURITY_TOKEN. Without the token the comannd will always fail due to authorization errors. This change optionally pulls in AWS_SECURITY_TOKEN and sets it so `gof3r` can run as expected. 2016-02-10 04:28:59 +03:00			`keys = Keys{`
			`AccessKey: os.Getenv("AWS_ACCESS_KEY_ID"),`
			`SecretKey: os.Getenv("AWS_SECRET_ACCESS_KEY"),`
			`SecurityToken: os.Getenv("AWS_SECURITY_TOKEN"),`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`
			`if keys.AccessKey == "" \|\| keys.SecretKey == "" {`
Address golint recommendations. 2014-06-24 01:40:29 +04:00			`err = fmt.Errorf("keys not set in environment: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY")`
WIP. Instance role support. 2014-02-21 20:22:33 +04:00			`}`
			`return`
			`}`