Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
oscarleiva
/
energylink
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: 6fb76b7c9b
Atzari Tagi
energylink
/
vendor
/
github.com
/
aws
/
aws-sdk-go
/
aws
/
credentials
/
endpointcreds
/
provider.go

provider.go 6.0 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 
  1. // Package endpointcreds provides support for retrieving credentials from an
    2. 

  2. // arbitrary HTTP endpoint.
    3. 

  3. //
    4. 

  4. // The credentials endpoint Provider can receive both static and refreshable
    5. 

  5. // credentials that will expire. Credentials are static when an "Expiration"
    6. 

  6. // value is not provided in the endpoint's response.
    7. 

  7. //
    8. 

  8. // Static credentials will never expire once they have been retrieved. The format
    9. 

  9. // of the static credentials response:
    10. 

  10. //    {
    11. 

  11. //        "AccessKeyId" : "MUA...",
    12. 

  12. //        "SecretAccessKey" : "/7PC5om....",
    13. 

  13. //    }
    14. 

  14. //
    15. 

  15. // Refreshable credentials will expire within the "ExpiryWindow" of the Expiration
    16. 

  16. // value in the response. The format of the refreshable credentials response:
    17. 

  17. //    {
    18. 

  18. //        "AccessKeyId" : "MUA...",
    19. 

  19. //        "SecretAccessKey" : "/7PC5om....",
    20. 

  20. //        "Token" : "AQoDY....=",
    21. 

  21. //        "Expiration" : "2016-02-25T06:03:31Z"
    22. 

  22. //    }
    23. 

  23. //
    24. 

  24. // Errors should be returned in the following format and only returned with 400
    25. 

  25. // or 500 HTTP status codes.
    26. 

  26. //    {
    27. 

  27. //        "code": "ErrorCode",
    28. 

  28. //        "message": "Helpful error message."
    29. 

  29. //    }
    30. 

  30. package endpointcreds
    31. 

  31. 

  32. import (
    33. 

  33. 	"encoding/json"
    34. 

  34. 	"time"
    35. 

  35. 

  36. 	"github.com/aws/aws-sdk-go/aws"
    37. 

  37. 	"github.com/aws/aws-sdk-go/aws/awserr"
    38. 

  38. 	"github.com/aws/aws-sdk-go/aws/client"
    39. 

  39. 	"github.com/aws/aws-sdk-go/aws/client/metadata"
    40. 

  40. 	"github.com/aws/aws-sdk-go/aws/credentials"
    41. 

  41. 	"github.com/aws/aws-sdk-go/aws/request"
    42. 

  42. )
    43. 

  43. 

  44. // ProviderName is the name of the credentials provider.
    45. 

  45. const ProviderName = `CredentialsEndpointProvider`
    46. 

  46. 

  47. // Provider satisfies the credentials.Provider interface, and is a client to
    48. 

  48. // retrieve credentials from an arbitrary endpoint.
    49. 

  49. type Provider struct {
    50. 

  50. 	staticCreds bool
    51. 

  51. 	credentials.Expiry
    52. 

  52. 

  53. 	// Requires a AWS Client to make HTTP requests to the endpoint with.
    54. 

  54. 	// the Endpoint the request will be made to is provided by the aws.Config's
    55. 

  55. 	// Endpoint value.
    56. 

  56. 	Client *client.Client
    57. 

  57. 

  58. 	// ExpiryWindow will allow the credentials to trigger refreshing prior to
    59. 

  59. 	// the credentials actually expiring. This is beneficial so race conditions
    60. 

  60. 	// with expiring credentials do not cause request to fail unexpectedly
    61. 

  61. 	// due to ExpiredTokenException exceptions.
    62. 

  62. 	//
    63. 

  63. 	// So a ExpiryWindow of 10s would cause calls to IsExpired() to return true
    64. 

  64. 	// 10 seconds before the credentials are actually expired.
    65. 

  65. 	//
    66. 

  66. 	// If ExpiryWindow is 0 or less it will be ignored.
    67. 

  67. 	ExpiryWindow time.Duration
    68. 

  68. 

  69. 	// Optional authorization token value if set will be used as the value of
    70. 

  70. 	// the Authorization header of the endpoint credential request.
    71. 

  71. 	AuthorizationToken string
    72. 

  72. }
    73. 

  73. 

  74. // NewProviderClient returns a credentials Provider for retrieving AWS credentials
    75. 

  75. // from arbitrary endpoint.
    76. 

  76. func NewProviderClient(cfg aws.Config, handlers request.Handlers, endpoint string, options ...func(*Provider)) credentials.Provider {
    77. 

  77. 	p := &Provider{
    78. 

  78. 		Client: client.New(
    79. 

  79. 			cfg,
    80. 

  80. 			metadata.ClientInfo{
    81. 

  81. 				ServiceName: "CredentialsEndpoint",
    82. 

  82. 				Endpoint:    endpoint,
    83. 

  83. 			},
    84. 

  84. 			handlers,
    85. 

  85. 		),
    86. 

  86. 	}
    87. 

  87. 

  88. 	p.Client.Handlers.Unmarshal.PushBack(unmarshalHandler)
    89. 

  89. 	p.Client.Handlers.UnmarshalError.PushBack(unmarshalError)
    90. 

  90. 	p.Client.Handlers.Validate.Clear()
    91. 

  91. 	p.Client.Handlers.Validate.PushBack(validateEndpointHandler)
    92. 

  92. 

  93. 	for _, option := range options {
    94. 

  94. 		option(p)
    95. 

  95. 	}
    96. 

  96. 

  97. 	return p
    98. 

  98. }
    99. 

  99. 

  100. // NewCredentialsClient returns a Credentials wrapper for retrieving credentials
    101. 

  101. // from an arbitrary endpoint concurrently. The client will request the
    102. 

  102. func NewCredentialsClient(cfg aws.Config, handlers request.Handlers, endpoint string, options ...func(*Provider)) *credentials.Credentials {
    103. 

  103. 	return credentials.NewCredentials(NewProviderClient(cfg, handlers, endpoint, options...))
    104. 

  104. }
    105. 

  105. 

  106. // IsExpired returns true if the credentials retrieved are expired, or not yet
    107. 

  107. // retrieved.
    108. 

  108. func (p *Provider) IsExpired() bool {
    109. 

  109. 	if p.staticCreds {
    110. 

  110. 		return false
    111. 

  111. 	}
    112. 

  112. 	return p.Expiry.IsExpired()
    113. 

  113. }
    114. 

  114. 

  115. // Retrieve will attempt to request the credentials from the endpoint the Provider
    116. 

  116. // was configured for. And error will be returned if the retrieval fails.
    117. 

  117. func (p *Provider) Retrieve() (credentials.Value, error) {
    118. 

  118. 	resp, err := p.getCredentials()
    119. 

  119. 	if err != nil {
    120. 

  120. 		return credentials.Value{ProviderName: ProviderName},
    121. 

  121. 			awserr.New("CredentialsEndpointError", "failed to load credentials", err)
    122. 

  122. 	}
    123. 

  123. 

  124. 	if resp.Expiration != nil {
    125. 

  125. 		p.SetExpiration(*resp.Expiration, p.ExpiryWindow)
    126. 

  126. 	} else {
    127. 

  127. 		p.staticCreds = true
    128. 

  128. 	}
    129. 

  129. 

  130. 	return credentials.Value{
    131. 

  131. 		AccessKeyID:     resp.AccessKeyID,
    132. 

  132. 		SecretAccessKey: resp.SecretAccessKey,
    133. 

  133. 		SessionToken:    resp.Token,
    134. 

  134. 		ProviderName:    ProviderName,
    135. 

  135. 	}, nil
    136. 

  136. }
    137. 

  137. 

  138. type getCredentialsOutput struct {
    139. 

  139. 	Expiration      *time.Time
    140. 

  140. 	AccessKeyID     string
    141. 

  141. 	SecretAccessKey string
    142. 

  142. 	Token           string
    143. 

  143. }
    144. 

  144. 

  145. type errorOutput struct {
    146. 

  146. 	Code    string `json:"code"`
    147. 

  147. 	Message string `json:"message"`
    148. 

  148. }
    149. 

  149. 

  150. func (p *Provider) getCredentials() (*getCredentialsOutput, error) {
    151. 

  151. 	op := &request.Operation{
    152. 

  152. 		Name:       "GetCredentials",
    153. 

  153. 		HTTPMethod: "GET",
    154. 

  154. 	}
    155. 

  155. 

  156. 	out := &getCredentialsOutput{}
    157. 

  157. 	req := p.Client.NewRequest(op, nil, out)
    158. 

  158. 	req.HTTPRequest.Header.Set("Accept", "application/json")
    159. 

  159. 	if authToken := p.AuthorizationToken; len(authToken) != 0 {
    160. 

  160. 		req.HTTPRequest.Header.Set("Authorization", authToken)
    161. 

  161. 	}
    162. 

  162. 

  163. 	return out, req.Send()
    164. 

  164. }
    165. 

  165. 

  166. func validateEndpointHandler(r *request.Request) {
    167. 

  167. 	if len(r.ClientInfo.Endpoint) == 0 {
    168. 

  168. 		r.Error = aws.ErrMissingEndpoint
    169. 

  169. 	}
    170. 

  170. }
    171. 

  171. 

  172. func unmarshalHandler(r *request.Request) {
    173. 

  173. 	defer r.HTTPResponse.Body.Close()
    174. 

  174. 

  175. 	out := r.Data.(*getCredentialsOutput)
    176. 

  176. 	if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil {
    177. 

  177. 		r.Error = awserr.New("SerializationError",
    178. 

  178. 			"failed to decode endpoint credentials",
    179. 

  179. 			err,
    180. 

  180. 		)
    181. 

  181. 	}
    182. 

  182. }
    183. 

  183. 

  184. func unmarshalError(r *request.Request) {
    185. 

  185. 	defer r.HTTPResponse.Body.Close()
    186. 

  186. 

  187. 	var errOut errorOutput
    188. 

  188. 	if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&errOut); err != nil {
    189. 

  189. 		r.Error = awserr.New("SerializationError",
    190. 

  190. 			"failed to decode endpoint credentials",
    191. 

  191. 			err,
    192. 

  192. 		)
    193. 

  193. 	}
    194. 

  194. 

  195. 	// Response body format is not consistent between metadata endpoints.
    196. 

  196. 	// Grab the error message as a string and include that as the source error
    197. 

  197. 	r.Error = awserr.New(errOut.Code, errOut.Message, nil)
    198. 

  198. }
    199.