diff --git a/builtin/credential/aws/path_config_rotate_root.go b/builtin/credential/aws/path_config_rotate_root.go index 84a7bd4121ee9..7f55b98993680 100644 --- a/builtin/credential/aws/path_config_rotate_root.go +++ b/builtin/credential/aws/path_config_rotate_root.go @@ -146,6 +146,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R } }() + oldAccessKey := clientConf.AccessKey + clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId + clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey + // Now get ready to update storage, doing everything beforehand so we can minimize how long // we need to hold onto the lock. newEntry, err := b.configClientToEntry(clientConf) @@ -154,10 +158,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R return nil, errs } - oldAccessKey := clientConf.AccessKey - clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId - clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey - // Someday we may want to allow the user to send a number of seconds to wait here // before deleting the previous access key to allow work to complete. That would allow // AWS, which is eventually consistent, to finish populating the new key in all places. diff --git a/builtin/credential/aws/path_config_rotate_root_test.go b/builtin/credential/aws/path_config_rotate_root_test.go index 83dc849bbd1f2..59361090f266b 100644 --- a/builtin/credential/aws/path_config_rotate_root_test.go +++ b/builtin/credential/aws/path_config_rotate_root_test.go @@ -3,14 +3,12 @@ package awsauth import ( "context" "testing" - "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam/iamiface" - "github.com/hashicorp/go-hclog" - "github.com/hashicorp/vault/sdk/helper/awsutil" + "github.com/hashicorp/go-secure-stdlib/awsutil" "github.com/hashicorp/vault/sdk/logical" ) @@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) { } ctx := context.Background() + config := logical.TestBackendConfig() + logical.TestBackendConfig() storage := &logical.InmemStorage{} - b, err := Factory(ctx, &logical.BackendConfig{ - StorageView: storage, - Logger: hclog.Default(), - System: &logical.StaticSystemView{ - DefaultLeaseTTLVal: time.Hour, - MaxLeaseTTLVal: time.Hour, - }, - }) + config.StorageView = storage + + b, err := Backend(config) + if err != nil { t.Fatal(err) } @@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) { if resp.Data["access_key"].(string) != "fizz2" { t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"]) } + newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage) + if resp.Data["access_key"].(string) != newClientConf.AccessKey { + t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey) + } } diff --git a/changelog/12715.txt b/changelog/12715.txt new file mode 100644 index 0000000000000..b4a61a7deb8c8 --- /dev/null +++ b/changelog/12715.txt @@ -0,0 +1,3 @@ +```release-note:bug +auth/aws: fix config/rotate-root to store new key +``` diff --git a/go.mod b/go.mod index 71de24ec2460a..0e2601f016792 100644 --- a/go.mod +++ b/go.mod @@ -60,7 +60,7 @@ require ( github.com/hashicorp/go-cleanhttp v0.5.2 github.com/hashicorp/go-discover v0.0.0-20201029210230-738cb3105cd0 github.com/hashicorp/go-gcp-common v0.7.0 - github.com/hashicorp/go-hclog v0.16.1 + github.com/hashicorp/go-hclog v0.16.2 github.com/hashicorp/go-kms-wrapping v0.5.16 github.com/hashicorp/go-memdb v1.0.2 github.com/hashicorp/go-msgpack v1.1.5 @@ -68,6 +68,7 @@ require ( github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a github.com/hashicorp/go-retryablehttp v0.6.7 github.com/hashicorp/go-rootcerts v1.0.2 + github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2 github.com/hashicorp/go-sockaddr v1.0.2 github.com/hashicorp/go-syslog v1.0.0 github.com/hashicorp/go-uuid v1.0.2 diff --git a/go.sum b/go.sum index 679195092ee79..813aa89e70532 100644 --- a/go.sum +++ b/go.sum @@ -588,8 +588,9 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v0.16.1 h1:IVQwpTGNRRIHafnTs2dQLIk4ENtneRIEEJWOVDqz99o= github.com/hashicorp/go-hclog v0.16.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.0 h1:8exGP7ego3OmkfksihtSouGMZ+hQrhxx+FVELeXpVPE= @@ -621,6 +622,8 @@ github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2 h1:AEcLbDoaRC9JMmtZXsuCykztH53rvHsQFnwhoKtpNQM= +github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2/go.mod h1:QRJZ7siKie+SZJB9jLbfKrs0Gd0yPWMtbneg0iU1PrY= github.com/hashicorp/go-slug v0.4.1 h1:/jAo8dNuLgSImoLXaX7Od7QB4TfYCVPam+OpAt5bZqc= github.com/hashicorp/go-slug v0.4.1/go.mod h1:I5tq5Lv0E2xcNXNkmx7BSfzi1PsJ2cNjs3cC3LwyhK8= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= diff --git a/vendor/github.com/hashicorp/go-hclog/intlogger.go b/vendor/github.com/hashicorp/go-hclog/intlogger.go index 6099e67260e8e..d491ae8f97893 100644 --- a/vendor/github.com/hashicorp/go-hclog/intlogger.go +++ b/vendor/github.com/hashicorp/go-hclog/intlogger.go @@ -295,6 +295,9 @@ func (l *intLogger) logPlain(t time.Time, name string, level Level, msg string, continue FOR case Format: val = fmt.Sprintf(st[0].(string), st[1:]...) + case Quote: + raw = true + val = strconv.Quote(string(st)) default: v := reflect.ValueOf(st) if v.Kind() == reflect.Slice { diff --git a/vendor/github.com/hashicorp/go-hclog/logger.go b/vendor/github.com/hashicorp/go-hclog/logger.go index 7f36b1fd20f4a..6a4665ba9fea7 100644 --- a/vendor/github.com/hashicorp/go-hclog/logger.go +++ b/vendor/github.com/hashicorp/go-hclog/logger.go @@ -67,6 +67,12 @@ type Octal int // text output. For example: L.Info("bits", Binary(17)) type Binary int +// A simple shortcut to format strings with Go quoting. Control and +// non-printable characters will be escaped with their backslash equivalents in +// output. Intended for untrusted or multiline strings which should be logged +// as concisely as possible. +type Quote string + // ColorOption expresses how the output should be colored, if at all. type ColorOption uint8 diff --git a/vendor/github.com/hashicorp/go-hclog/stdlog.go b/vendor/github.com/hashicorp/go-hclog/stdlog.go index f35d875d327ae..271d546d5c92d 100644 --- a/vendor/github.com/hashicorp/go-hclog/stdlog.go +++ b/vendor/github.com/hashicorp/go-hclog/stdlog.go @@ -64,7 +64,7 @@ func (s *stdlogAdapter) pickLevel(str string) (Level, string) { case strings.HasPrefix(str, "[INFO]"): return Info, strings.TrimSpace(str[6:]) case strings.HasPrefix(str, "[WARN]"): - return Warn, strings.TrimSpace(str[7:]) + return Warn, strings.TrimSpace(str[6:]) case strings.HasPrefix(str, "[ERROR]"): return Error, strings.TrimSpace(str[7:]) case strings.HasPrefix(str, "[ERR]"): diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/LICENSE b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/LICENSE new file mode 100644 index 0000000000000..e87a115e462e1 --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/LICENSE @@ -0,0 +1,363 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. "Contributor" + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. "Contributor Version" + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the terms of + a Secondary License. + +1.6. "Executable Form" + + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + + means a work that combines Covered Software with other material, in a + separate file or files, that is not Covered Software. + +1.8. "License" + + means this document. + +1.9. "Licensable" + + means having the right to grant, to the maximum extent possible, whether + at the time of the initial grant or subsequently, any and all of the + rights conveyed by this License. + +1.10. "Modifications" + + means any of the following: + + a. any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. "Patent Claims" of a Contributor + + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the License, + by the making, using, selling, offering for sale, having made, import, + or transfer of either its Contributions or its Contributor Version. + +1.12. "Secondary License" + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. "Source Code Form" + + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, "control" means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution + become effective for each Contribution on the date the Contributor first + distributes such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under + this License. No additional rights or licenses will be implied from the + distribution or licensing of Covered Software under this License. + Notwithstanding Section 2.1(b) above, no patent license is granted by a + Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of + its Contributions. + + This License does not grant any rights in the trademarks, service marks, + or logos of any Contributor (except as may be necessary to comply with + the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this + License (see Section 10.2) or under the terms of a Secondary License (if + permitted under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its + Contributions are its original creation(s) or it has sufficient rights to + grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under + applicable copyright doctrines of fair use, fair dealing, or other + equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under + the terms of this License. You must inform recipients that the Source + Code Form of the Covered Software is governed by the terms of this + License, and how they can obtain a copy of this License. You may not + attempt to alter or restrict the recipients' rights in the Source Code + Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter the + recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for + the Covered Software. If the Larger Work is a combination of Covered + Software with a work governed by one or more Secondary Licenses, and the + Covered Software is not Incompatible With Secondary Licenses, this + License permits You to additionally distribute such Covered Software + under the terms of such Secondary License(s), so that the recipient of + the Larger Work may, at their option, further distribute the Covered + Software under the terms of either this License or such Secondary + License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices + (including copyright notices, patent notices, disclaimers of warranty, or + limitations of liability) contained within the Source Code Form of the + Covered Software, except that You may alter any license notices to the + extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on + behalf of any Contributor. You must make it absolutely clear that any + such warranty, support, indemnity, or liability obligation is offered by + You alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, + judicial order, or regulation then You must: (a) comply with the terms of + this License to the maximum extent possible; and (b) describe the + limitations and the code they affect. Such description must be placed in a + text file included with all distributions of the Covered Software under + this License. Except to the extent prohibited by statute or regulation, + such description must be sufficiently detailed for a recipient of ordinary + skill to be able to understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing + basis, if such Contributor fails to notify You of the non-compliance by + some reasonable means prior to 60 days after You have come back into + compliance. Moreover, Your grants from a particular Contributor are + reinstated on an ongoing basis if such Contributor notifies You of the + non-compliance by some reasonable means, this is the first time You have + received notice of non-compliance with this License from such + Contributor, and You become compliant prior to 30 days after Your receipt + of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, + counter-claims, and cross-claims) alleging that a Contributor Version + directly or indirectly infringes any patent, then the rights granted to + You by any and all Contributors for the Covered Software under Section + 2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an "as is" basis, + without warranty of any kind, either expressed, implied, or statutory, + including, without limitation, warranties that the Covered Software is free + of defects, merchantable, fit for a particular purpose or non-infringing. + The entire risk as to the quality and performance of the Covered Software + is with You. Should any Covered Software prove defective in any respect, + You (not any Contributor) assume the cost of any necessary servicing, + repair, or correction. This disclaimer of warranty constitutes an essential + part of this License. No use of any Covered Software is authorized under + this License except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from + such party's negligence to the extent applicable law prohibits such + limitation. Some jurisdictions do not allow the exclusion or limitation of + incidental or consequential damages, so this exclusion and limitation may + not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts + of a jurisdiction where the defendant maintains its principal place of + business and such litigation shall be governed by laws of that + jurisdiction, without reference to its conflict-of-law provisions. Nothing + in this Section shall prevent a party's ability to bring cross-claims or + counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. Any law or regulation which provides that + the language of a contract shall be construed against the drafter shall not + be used to construe this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version + of the License under which You originally received the Covered Software, + or under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a + modified version of this License if you rename the license and remove + any references to the name of the license steward (except to note that + such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary + Licenses If You choose to distribute Source Code Form that is + Incompatible With Secondary Licenses under the terms of this version of + the License, the notice described in Exhibit B of this License must be + attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, +then You may include the notice in a location (such as a LICENSE file in a +relevant directory) where a recipient would be likely to look for such a +notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice + + This Source Code Form is "Incompatible + With Secondary Licenses", as defined by + the Mozilla Public License, v. 2.0. + diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/error.go b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/error.go new file mode 100644 index 0000000000000..248ab82e3d86d --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/error.go @@ -0,0 +1,34 @@ +package awsutil + +import ( + "errors" + + awsRequest "github.com/aws/aws-sdk-go/aws/request" + multierror "github.com/hashicorp/go-multierror" +) + +var ErrUpstreamRateLimited = errors.New("upstream rate limited") + +// CheckAWSError will examine an error and convert to a logical error if +// appropriate. If no appropriate error is found, return nil +func CheckAWSError(err error) error { + // IsErrorThrottle will check if the error returned is one that matches + // known request limiting errors: + // https://github.com/aws/aws-sdk-go/blob/488d634b5a699b9118ac2befb5135922b4a77210/aws/request/retryer.go#L35 + if awsRequest.IsErrorThrottle(err) { + return ErrUpstreamRateLimited + } + return nil +} + +// AppendAWSError checks if the given error is a known AWS error we modify, +// and if so then returns a go-multierror, appending the original and the +// AWS error. +// If the error is not an AWS error, or not an error we wish to modify, then +// return the original error. +func AppendAWSError(err error) error { + if awserr := CheckAWSError(err); awserr != nil { + err = multierror.Append(err, awserr) + } + return err +} diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/generate_credentials.go b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/generate_credentials.go new file mode 100644 index 0000000000000..063d7093df0ac --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/generate_credentials.go @@ -0,0 +1,242 @@ +package awsutil + +import ( + "encoding/base64" + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "os" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/defaults" + "github.com/aws/aws-sdk-go/aws/endpoints" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/sts" + "github.com/hashicorp/go-hclog" + "github.com/pkg/errors" +) + +const iamServerIdHeader = "X-Vault-AWS-IAM-Server-ID" + +type CredentialsConfig struct { + // The access key if static credentials are being used + AccessKey string + + // The secret key if static credentials are being used + SecretKey string + + // The session token if it is being used + SessionToken string + + // If specified, the region will be provided to the config of the + // EC2RoleProvider's client. This may be useful if you want to e.g. reuse + // the client elsewhere. + Region string + + // The filename for the shared credentials provider, if being used + Filename string + + // The profile for the shared credentials provider, if being used + Profile string + + // The role ARN to use if using the web identity token provider + RoleARN string + + // The role session name to use if using the web identity token provider + RoleSessionName string + + // The web identity token file to use if using the web identity token provider + WebIdentityTokenFile string + + // The http.Client to use, or nil for the client to use its default + HTTPClient *http.Client + + // The logger to use for credential acquisition debugging + Logger hclog.Logger +} + +// Make sure the logger isn't nil before logging +func (c *CredentialsConfig) log(level hclog.Level, msg string, args ...interface{}) { + if c.Logger != nil { + c.Logger.Log(level, msg, args...) + } +} + +func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials, error) { + var providers []credentials.Provider + + switch { + case c.AccessKey != "" && c.SecretKey != "": + // Add the static credential provider + providers = append(providers, &credentials.StaticProvider{ + Value: credentials.Value{ + AccessKeyID: c.AccessKey, + SecretAccessKey: c.SecretKey, + SessionToken: c.SessionToken, + }, + }) + c.log(hclog.Debug, "added static credential provider", "AccessKey", c.AccessKey) + + case c.AccessKey == "" && c.SecretKey == "": + // Attempt to get credentials from the IAM instance role below + + default: // Have one or the other but not both and not neither + return nil, fmt.Errorf( + "static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)") + } + + roleARN := c.RoleARN + if roleARN == "" { + roleARN = os.Getenv("AWS_ROLE_ARN") + } + tokenPath := c.WebIdentityTokenFile + if tokenPath == "" { + tokenPath = os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") + } + roleSessionName := c.RoleSessionName + if roleSessionName == "" { + roleSessionName = os.Getenv("AWS_ROLE_SESSION_NAME") + } + if roleARN != "" && tokenPath != "" { + // this session is only created to create the WebIdentityRoleProvider, as the env variables are already there + // this automatically assumes the role, but the provider needs to be added to the chain + c.log(hclog.Debug, "adding web identity provider", "roleARN", roleARN) + sess, err := session.NewSession() + if err != nil { + return nil, errors.Wrap(err, "error creating a new session to create a WebIdentityRoleProvider") + } + webIdentityProvider := stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, roleSessionName, tokenPath) + + // Check if the webIdentityProvider can successfully retrieve + // credentials (via sts:AssumeRole), and warn if there's a problem. + if _, err := webIdentityProvider.Retrieve(); err != nil { + c.log(hclog.Warn, "error assuming role", "roleARN", roleARN, "tokenPath", tokenPath, "sessionName", roleSessionName, "err", err) + } + + // Add the web identity role credential provider + providers = append(providers, webIdentityProvider) + } + + // Add the environment credential provider + providers = append(providers, &credentials.EnvProvider{}) + + // Add the shared credentials provider + providers = append(providers, &credentials.SharedCredentialsProvider{ + Filename: c.Filename, + Profile: c.Profile, + }) + + // Add the remote provider + def := defaults.Get() + if c.Region != "" { + def.Config.Region = aws.String(c.Region) + } + if c.HTTPClient != nil { + def.Config.HTTPClient = c.HTTPClient + _, checkFullURI := os.LookupEnv("AWS_CONTAINER_CREDENTIALS_FULL_URI") + _, checkRelativeURI := os.LookupEnv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") + if !checkFullURI && !checkRelativeURI { + // match the sdk defaults from https://github.com/aws/aws-sdk-go/pull/3066 + def.Config.HTTPClient.Timeout = 1 * time.Second + def.Config.MaxRetries = aws.Int(2) + } + } + + providers = append(providers, defaults.RemoteCredProvider(*def.Config, def.Handlers)) + + // Create the credentials required to access the API. + creds := credentials.NewChainCredentials(providers) + if creds == nil { + return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, web identity or instance metadata") + } + + return creds, nil +} + +func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error) { + credConfig := CredentialsConfig{ + AccessKey: accessKey, + SecretKey: secretKey, + SessionToken: sessionToken, + Logger: logger, + } + creds, err := credConfig.GenerateCredentialChain() + if err != nil { + return nil, err + } + if creds == nil { + return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata") + } + + _, err = creds.Get() + if err != nil { + return nil, fmt.Errorf("failed to retrieve credentials from credential chain: %w", err) + } + return creds, nil +} + +// GenerateLoginData populates the necessary data to send to the Vault server for generating a token +// This is useful for other API clients to use +func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, logger hclog.Logger) (map[string]interface{}, error) { + loginData := make(map[string]interface{}) + + // Use the credentials we've found to construct an STS session + region, err := GetRegion(configuredRegion) + if err != nil { + logger.Warn(fmt.Sprintf("defaulting region to %q due to %s", DefaultRegion, err.Error())) + region = DefaultRegion + } + stsSession, err := session.NewSessionWithOptions(session.Options{ + Config: aws.Config{ + Credentials: creds, + Region: ®ion, + EndpointResolver: endpoints.ResolverFunc(stsSigningResolver), + }, + }) + if err != nil { + return nil, err + } + + var params *sts.GetCallerIdentityInput + svc := sts.New(stsSession) + stsRequest, _ := svc.GetCallerIdentityRequest(params) + + // Inject the required auth header value, if supplied, and then sign the request including that header + if headerValue != "" { + stsRequest.HTTPRequest.Header.Add(iamServerIdHeader, headerValue) + } + stsRequest.Sign() + + // Now extract out the relevant parts of the request + headersJson, err := json.Marshal(stsRequest.HTTPRequest.Header) + if err != nil { + return nil, err + } + requestBody, err := ioutil.ReadAll(stsRequest.HTTPRequest.Body) + if err != nil { + return nil, err + } + loginData["iam_http_request_method"] = stsRequest.HTTPRequest.Method + loginData["iam_request_url"] = base64.StdEncoding.EncodeToString([]byte(stsRequest.HTTPRequest.URL.String())) + loginData["iam_request_headers"] = base64.StdEncoding.EncodeToString(headersJson) + loginData["iam_request_body"] = base64.StdEncoding.EncodeToString(requestBody) + + return loginData, nil +} + +// STS is a really weird service that used to only have global endpoints but now has regional endpoints as well. +// For backwards compatibility, even if you request a region other than us-east-1, it'll still sign for us-east-1. +// See, e.g., https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code +// So we have to shim in this EndpointResolver to force it to sign for the right region +func stsSigningResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { + defaultEndpoint, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...) + if err != nil { + return defaultEndpoint, err + } + defaultEndpoint.SigningRegion = region + return defaultEndpoint, nil +} diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.mod b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.mod new file mode 100644 index 0000000000000..869bcee121bbf --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.mod @@ -0,0 +1,11 @@ +module github.com/hashicorp/go-secure-stdlib/awsutil + +go 1.16 + +require ( + github.com/aws/aws-sdk-go v1.30.27 + github.com/hashicorp/errwrap v1.1.0 + github.com/hashicorp/go-hclog v0.16.2 + github.com/hashicorp/go-multierror v1.1.1 + github.com/pkg/errors v0.9.1 +) diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.sum b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.sum new file mode 100644 index 0000000000000..3bd74315293c6 --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/go.sum @@ -0,0 +1,40 @@ +github.com/aws/aws-sdk-go v1.30.27 h1:9gPjZWVDSoQrBO2AvqrWObS6KAZByfEJxQoCYo4ZfK0= +github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9YmqEm0diQn9QmZw/0mU= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/mocks.go b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/mocks.go new file mode 100644 index 0000000000000..43e4bb21cfffa --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/mocks.go @@ -0,0 +1,26 @@ +package awsutil + +import ( + "github.com/aws/aws-sdk-go/service/iam" + "github.com/aws/aws-sdk-go/service/iam/iamiface" +) + +type MockIAM struct { + iamiface.IAMAPI + + CreateAccessKeyOutput *iam.CreateAccessKeyOutput + DeleteAccessKeyOutput *iam.DeleteAccessKeyOutput + GetUserOutput *iam.GetUserOutput +} + +func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error) { + return m.CreateAccessKeyOutput, nil +} + +func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error) { + return m.DeleteAccessKeyOutput, nil +} + +func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error) { + return m.GetUserOutput, nil +} diff --git a/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/region.go b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/region.go new file mode 100644 index 0000000000000..93456cdddf2d6 --- /dev/null +++ b/vendor/github.com/hashicorp/go-secure-stdlib/awsutil/region.go @@ -0,0 +1,74 @@ +package awsutil + +import ( + "net/http" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/ec2metadata" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/hashicorp/errwrap" +) + +// "us-east-1 is used because it's where AWS first provides support for new features, +// is a widely used region, and is the most common one for some services like STS. +const DefaultRegion = "us-east-1" + +// This is nil by default, but is exposed in case it needs to be changed for tests. +var ec2Endpoint *string + +/* +It's impossible to mimic "normal" AWS behavior here because it's not consistent +or well-defined. For example, boto3, the Python SDK (which the aws cli uses), +loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment +variable (and not `AWS_REGION`, while the golang SDK does _mostly_ the opposite -- it +reads the region **only** from `AWS_REGION` and not at all `~/.aws/config`, **unless** +the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own +approach to walking AWS config and deciding what to use. + +Our chosen approach is: + + "More specific takes precedence over less specific." + +1. User-provided configuration is the most explicit. +2. Environment variables are potentially shared across many invocations and so they have less precedence. +3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence. +4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence. + +This approach should be used in future updates to this logic. +*/ +func GetRegion(configuredRegion string) (string, error) { + if configuredRegion != "" { + return configuredRegion, nil + } + + sess, err := session.NewSessionWithOptions(session.Options{ + SharedConfigState: session.SharedConfigEnable, + }) + if err != nil { + return "", errwrap.Wrapf("got error when starting session: {{err}}", err) + } + + region := aws.StringValue(sess.Config.Region) + if region != "" { + return region, nil + } + + metadata := ec2metadata.New(sess, &aws.Config{ + Endpoint: ec2Endpoint, + EC2MetadataDisableTimeoutOverride: aws.Bool(true), + HTTPClient: &http.Client{ + Timeout: time.Second, + }, + }) + if !metadata.Available() { + return DefaultRegion, nil + } + + region, err = metadata.Region() + if err != nil { + return "", errwrap.Wrapf("unable to retrieve region from instance metadata: {{err}}", err) + } + + return region, nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 1e69b89b7ea4e..3db20e1e72421 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -529,7 +529,7 @@ github.com/hashicorp/go-discover/provider/vsphere # github.com/hashicorp/go-gcp-common v0.7.0 ## explicit github.com/hashicorp/go-gcp-common/gcputil -# github.com/hashicorp/go-hclog v0.16.1 +# github.com/hashicorp/go-hclog v0.16.2 ## explicit github.com/hashicorp/go-hclog # github.com/hashicorp/go-immutable-radix v1.3.0 @@ -569,6 +569,9 @@ github.com/hashicorp/go-retryablehttp # github.com/hashicorp/go-rootcerts v1.0.2 ## explicit github.com/hashicorp/go-rootcerts +# github.com/hashicorp/go-secure-stdlib/awsutil v0.1.2 +## explicit +github.com/hashicorp/go-secure-stdlib/awsutil # github.com/hashicorp/go-slug v0.4.1 github.com/hashicorp/go-slug # github.com/hashicorp/go-sockaddr v1.0.2