1 parent
cf5ad02
commit 07d1d9d
Showing
25 changed files
with
2,943 additions
and
18 deletions.
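--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,36 @@
+package ibmiam
+
+import (
+	"os"
+
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+// EnvProviderName name of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+const EnvProviderTrustedProfileName = "EnvProviderTrustedProfileIBM"
+
+// NewEnvProvider constructor of the IBM IAM provider that loads IAM trusted profile
+// credentials from environment variables
+// Parameter:
+//
+// AWS Config
+//
+// Returns:
+//
+// A new provider with AWS config, Trusted Profile ID, CR token file path, IBM IAM Authentication Server Endpoint and
+// Service Instance ID
+func NewEnvProviderTrustedProfile(config *aws.Config) *TrustedProfileProvider {
+	trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+	serviceInstanceID := os.Getenv("IBM_SERVICE_INSTANCE_ID")
+	crTokenFilePath := os.Getenv("CR_TOKEN_FILE_PATH")
+	authEndPoint := os.Getenv("IBM_AUTH_ENDPOINT")
+
+	return NewTrustedProfileProvider(EnvProviderTrustedProfileName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, "CR")
+}
+
+// NewEnvCredentials Constructor
+func NewEnvCredentialsTrustedProfile(config *aws.Config) *credentials.Credentials {
+	return credentials.NewCredentials(NewEnvProviderTrustedProfile(config))
+}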
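Review bot: The doc comments name identifiers that do not exist in this file — `// EnvProviderName` sits above `EnvProviderTrustedProfileName`, `// NewEnvProvider` above `NewEnvProviderTrustedProfile` and `// NewEnvCredentials` above `NewEnvCredentialsTrustedProfile` — so godoc and lint will not attach them to the declarations; each should open with the declared name, e.g. `// NewEnvProviderTrustedProfile builds a TrustedProfileProvider from the TRUSTED_PROFILE_ID, IBM_SERVICE_INSTANCE_ID, CR_TOKEN_FILE_PATH and IBM_AUTH_ENDPOINT environment variables.`. The resource type is passed as the bare literal `"CR"` while another file in this commit defines `ResourceComputeResource` for the same value; passing `string(ResourceComputeResource)` keeps the two entry points from drifting. This constructor also never calls the CheckForConflictingIamCredentials helper added in the same commit, so a process that sets both IBM_API_KEY_ID and TRUSTED_PROFILE_ID is not rejected on this path — if that check is meant to guard env-based configuration, it should be invoked here or by whatever chains the providers (not visible in this section).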
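--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,25 @@
+package ibmiam
+
+import (
+	"os"
+
+	"github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+)
+
+// Helper function to check whether both api-key and trusted-profile-id are set
+// in environment variables.
+//
+// Returns:
+//
+// Error if both apiKey and trustedProfileID are set, nil if only either of them is set.
+func CheckForConflictingIamCredentials() error {
+	apiKey := os.Getenv("IBM_API_KEY_ID")
+	trustedProfileID := os.Getenv("TRUSTED_PROFILE_ID")
+
+	if apiKey != "" && trustedProfileID != "" {
+		return awserr.New("InvalidCredentials",
+			`only one of ApiKey or TrustedProfileID should be set, not both`,
+			nil)
+	}
+	return nil
+}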
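Review bot: The doc comment on the exported CheckForConflictingIamCredentials does not start with the function name, so godoc will not surface it; `// CheckForConflictingIamCredentials returns an InvalidCredentials error when both IBM_API_KEY_ID and TRUSTED_PROFILE_ID are set in the environment, and nil otherwise.` The two environment-variable names are string literals duplicated from the env provider added in the same commit; one unexported constant per variable, shared by both files, keeps the conflict check and the provider reading the same keys when one of them is renamed. Nothing in the sections shown calls this function, so the conflict is only detected if a caller remembers to invoke it — the other changed files are not visible here, so this may already be wired elsewhere.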
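--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,158 @@
+package ibmiam
+
+import (
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/awserr"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials/ibmiam/token"
+)
+
+// Provider Struct
+type TrustedProfileProvider struct {
+	// Name of Provider
+	providerName string
+
+	// Type of Provider - SharedCred, SharedConfig, etc.
+	providerType string
+
+	// Authenticator instance, will be assigned dynamically
+	authenticator core.Authenticator
+
+	// Service Instance ID passes in a provider
+	serviceInstanceID string
+
+	// Error
+	ErrorStatus error
+
+	// Logger attributes
+	logger aws.Logger
+	logLevel *aws.LogLevelType
+}
+
+// NewTrustedProfileProvider allows the creation of a custom IBM IAM Trusted Profile Provider
+// Parameters:
+//
+// Provider Name
+// AWS Config
+// Trusted Profile ID
+// CR token file path
+// IBM IAM Authentication Server Endpoint
+// Service Instance ID
+// Resource type
+//
+// Returns:
+//
+// TrustedProfileProvider
+func NewTrustedProfileProvider(providerName string, config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string,
+	serviceInstanceID string, resourceType string) (provider *TrustedProfileProvider) {
+	provider = new(TrustedProfileProvider)
+
+	provider.providerName = providerName
+	provider.providerType = "oauth"
+
+	logLevel := aws.LogLevel(aws.LogOff)
+	if config != nil && config.LogLevel != nil && config.Logger != nil {
+		logLevel = config.LogLevel
+		provider.logger = config.Logger
+	}
+	provider.logLevel = logLevel
+
+	if crTokenFilePath == "" {
+		provider.ErrorStatus = awserr.New("crTokenFilePathNotFound", "CR Token file path not found", nil)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+
+	if trustedProfileID == "" {
+		provider.ErrorStatus = awserr.New("trustedProfileIDNotFound", "Trusted profile id not found", nil)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+
+	provider.serviceInstanceID = serviceInstanceID
+
+	if authEndPoint == "" {
+		authEndPoint = defaultAuthEndPoint
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", "using default auth endpoint", authEndPoint)
+		}
+	}
+
+	// This authenticator is dynamically initialized based on the resourceType parameter.
+	// Since only cr-token based resources is supported now, it is initialized directly.
+	// when other resources are supported, the authenticator should be initialized accordingly.
+	authenticator, err := core.NewContainerAuthenticatorBuilder().
+		SetCRTokenFilename(crTokenFilePath).
+		SetIAMProfileID(trustedProfileID).
+		SetURL(authEndPoint).
+		SetDisableSSLVerification(true).
+		Build()
+	if err != nil {
+		provider.ErrorStatus = awserr.New("errCreatingAuthenticatorClient", "cannot setup new Authenticator client", err)
+		if provider.logLevel.Matches(aws.LogDebug) {
+			provider.logger.Log(debugLog, "<IBM IAM PROVIDER BUILD>", provider.ErrorStatus)
+		}
+		return
+	}
+	provider.authenticator = authenticator
+
+	return provider
+}
+
+// IsValid ...
+// Returns:
+//
+// TrustedProfileProvider validation - boolean
+func (p *TrustedProfileProvider) IsValid() bool {
+	return nil == p.ErrorStatus
+}
+
+// Retrieve ...
+// Returns:
+//
+// Credential values
+// Error
+func (p *TrustedProfileProvider) Retrieve() (credentials.Value, error) {
+	if p.ErrorStatus != nil {
+		if p.logLevel.Matches(aws.LogDebug) {
+			p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, p.ErrorStatus)
+		}
+		return credentials.Value{ProviderName: p.providerName}, p.ErrorStatus
+	}
+
+	// The respective resourceTypes's class should be called based on the resourceType parameter.
+	// Since only cr-token based resources is supported now, it is assigned to ContainerAuthenticator
+	// directly. when other resource types are supported, the respective class should be used accordingly.
+	tokenValue, err := p.authenticator.(*core.ContainerAuthenticator).GetToken()
+
+	if err != nil {
+		var returnErr error
+		if p.logLevel.Matches(aws.LogDebug) {
+			p.logger.Log(debugLog, ibmiamProviderLog, p.providerName, "ERROR ON GET", err)
+		}
+		returnErr = awserr.New("TokenManagerRetrieveError", "error retrieving the token", err)
+		return credentials.Value{}, returnErr
+	}
+
+	return credentials.Value{
+		Token: token.Token{
+			AccessToken: tokenValue,
+			TokenType: "Bearer",
+		},
+		ProviderName: p.providerName,
+		ProviderType: p.providerType,
+		ServiceInstanceID: p.serviceInstanceID,
+	}, nil
+}
+
+// IsExpired ...
+//
+// TrustedProfileProvider expired or not - boolean
+func (p *TrustedProfileProvider) IsExpired() bool {
+	return true
+}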
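Review bot: `SetDisableSSLVerification(true)` in the builder chain of NewTrustedProfileProvider turns off certificate verification for every token exchange with the IAM endpoint, unconditionally and with no way for a caller to re-enable it, so the CR token read from crTokenFilePath and the access token returned by Retrieve are sent to whichever host answers at authEndPoint without that server being authenticated. Remove the call so the core library's default verification applies — the chain becomes `SetURL(authEndPoint).` followed directly by `Build()` — and, if an insecure mode is genuinely needed for test setups, gate it behind an explicit opt-in on the config rather than hard-coding it. Separately, `p.authenticator.(*core.ContainerAuthenticator)` in Retrieve is an unchecked type assertion; a comma-ok form that returns an awserr instead of panicking would keep a future resourceType from crashing the caller. IsExpired always returns true, so credentials.Credentials will call Retrieve on every Get; whether that costs a token request per API call depends on ContainerAuthenticator caching internally, which this file does not show — a comment stating the intended caching behaviour would help the next reader.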
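--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,31 @@
+package ibmiam
+
+import (
+	"github.com/IBM/ibm-cos-sdk-go/aws"
+	"github.com/IBM/ibm-cos-sdk-go/aws/credentials"
+)
+
+type ResourceType string
+
+// TrustedProfileProviderName name of the IBM IAM provider that uses IAM trusted-profile
+// details passed directly
+const (
+	TrustedProfileProviderName = "TrustedProfileProviderIBM"
+	ResourceComputeResource ResourceType = "CR"
+)
+
+// NewTrustedProfileProviderWithCR constructor of the IBM IAM provider that uses IAM trusted-profile
+// details passed
+// Returns: New TrustedProfileProvider (AWS type)
+func NewTrustedProfileProviderCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *TrustedProfileProvider {
+	// Resource type ResourceComputeResource is passed to identify that this is a CR-token based
+	// resource.
+	return NewTrustedProfileProvider(TrustedProfileProviderName, config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID, string(ResourceComputeResource))
+}
+
+// NewTrustedProfileCredentials constructor for IBM IAM that uses IAM trusted-profile
+// credentials passed
+// Returns: credentials.NewCredentials(newTrustedProfileProvider()) (AWS type)
+func NewTrustedProfileCredentialsCR(config *aws.Config, authEndPoint string, trustedProfileID string, crTokenFilePath string, serviceInstanceID string) *credentials.Credentials {
+	return credentials.NewCredentials(NewTrustedProfileProviderCR(config, authEndPoint, trustedProfileID, crTokenFilePath, serviceInstanceID))
+}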
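Review bot: The exported `ResourceType` has no doc comment, and the two constructor comments name identifiers that do not exist — `// NewTrustedProfileProviderWithCR` over `NewTrustedProfileProviderCR` and `// NewTrustedProfileCredentials` over `NewTrustedProfileCredentialsCR` — so godoc will not bind them. Suggest `// ResourceType identifies the kind of compute resource whose CR token is exchanged for a trusted-profile access token.` and starting each constructor comment with its real name. The comment above the `const` block describes only TrustedProfileProviderName although the block also declares `ResourceComputeResource`; a one-line comment on each constant is clearer, e.g. `// ResourceComputeResource selects the CR-token based authenticator.` Both constructors return a provider that may carry a non-nil ErrorStatus rather than an error, so callers must check IsValid before use — worth stating in the Returns line.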