SWI-4838 vault-shim (#1)

* vault-shim

* README update

* going to rewrite readme later

* Update root.go

* Update docker-shim-installer.sh

* Update Dockerfile

* removed last of docker shim

* removed last of docker shim

* ripping out our account IDs

* docker -> vault

* Update .gitignore

* Update vault.go

* docker -> vault

.github/draft_release.yaml

@@ -0,0 +1,21 @@
+name-template: 'v$NEXT_MINOR_VERSION'
+tag-template: 'v$NEXT_MINOR_VERSION'
+categories:
+  - title: 'Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: 'Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: 'Maintenance'
+    label: 'chore'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+exclude-labels:
+  - 'skip-changelog'
+template: |
+  ## Changes
+
+  $CHANGES

.github/workflows/action.yaml

@@ -0,0 +1,33 @@
+name: Go package
+
+on:
+  release:
+    types:
+      - 'published'
+    branches:
+      - 'main'
+      - 'release/**'
+
+jobs:
+  build:
+    permissions:
+      id-token: write
+      contents: write
+
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.20.6'
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/draft_release.yaml

@@ -0,0 +1,19 @@
+name: Draft Release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  draft-release:
+    environment: staging
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      # Drafts your next Release notes as Pull Requests are merged
+      - uses: release-drafter/release-drafter@v5
+        with:
+          config-name: draft_release.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,73 @@
+#Intellij files
+.idea
+*.iml
+
+# macOS
+.DS_Store
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Coverage directory generated when running tests with coverage
+coverage
+
+# Dependencies
+node_modules/
+
+# Yarn 3 files
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+# Node version directives
+.nvmrc
+
+# dotenv environment variables file
+#.env
+.env.test
+
+# Build output
+dist
+dist-types
+
+# Temporary change files created by Vim
+*.swp
+
+# MkDocs build output
+site
+
+# Local configuration files
+*.local.yaml
+
+# Sensitive credentials
+*-credentials.yaml
+
+# vscode database functionality support files
+*.session.sql
+
+# CDK
+/devops/*.js
+!/devops/jest.config.js
+/devops/*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json
+
+# Local env file
+.env.local
+
+# Executable
+*vault-shim*
+
+!vault-shim-installer.sh

.goreleaser.yaml

@@ -0,0 +1,34 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+project_name: vault-shim
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of uname.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+    - goos: windows
+      format: zip
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Bandwidth, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

application/main.go

@@ -0,0 +1,103 @@
+package application
+
+import (
+	"fmt"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"io"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+)
+
+type Application struct {
+	Executable string
+	Dir        string
+	Args       []string
+	Env        []string
+
+	//// Logger to use. Default is logrus.StandardLogger().
+	Logger logrus.FieldLogger
+
+	// Stdout to connect to spawned processes
+	Stdout io.Writer
+
+	// Stderr to connect to spawned processes
+	Stderr io.Writer
+}
+
+// Creates a new Application.
+func NewApplication() *Application {
+	return &Application{
+		Logger: logrus.StandardLogger(),
+		Stdout: os.Stdout,
+		Stderr: os.Stderr,
+	}
+}
+
+// Run the application.
+func (a *Application) Run() (*os.ProcessState, error) {
+	// Take directory from application if specified
+	dir := a.Dir
+	if dir == "" {
+		dir = "."
+	}
+	return a.run(dir)
+}
+
+// Run the application in the given directory
+func (a *Application) run(dir string) (*os.ProcessState, error) {
+	var err error
+	fi, err := os.Stat(a.Executable)
+	if err != nil {
+		return nil, err
+	}
+
+	if fi.IsDir() {
+		return nil, fmt.Errorf("%s is a directory", a.Executable)
+	}
+
+	if fi.Mode()&0111 == 0 {
+		return nil, fmt.Errorf("%s is not executable", a.Executable)
+	}
+
+	// Execute command in background
+	cmd := exec.Command(a.Executable, a.Args...)
+	cmd.Dir = dir
+	cmd.Stdout = a.Stdout
+	cmd.Stderr = a.Stderr
+	cmd.Env = a.Env
+	// Place the process in its own process group. This ensures that
+	// the executable will not be part of the foreground process group which would
+	// be sent a SIGINT when Ctrl-c is pressed in an interactive shell.
+	// Without this, the process would be sent a SIGINT immediately upon Ctrl-c
+	// being pressed, likely terminating the process before we have a chance
+	// to run any additional tasks.
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+	if err = cmd.Start(); err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf("%s failed to start", a.Executable))
+	}
+
+	// Handle stop signals in background
+	signaled := make(chan os.Signal, 1)
+	signal.Notify(signaled, syscall.SIGTERM, syscall.SIGINT)
+	defer signal.Reset(syscall.SIGTERM, syscall.SIGINT)
+	go func() {
+		// Wait for a signal
+		receivedSignal := <-signaled
+
+		// Send SIGINT/SIGTERM to the process
+		cmd.Process.Signal(receivedSignal)
+
+		// Ignore future SIGINT/SIGTERM. Wait until the process exits or we get
+		// SIGKILL'ed.
+		signal.Ignore(syscall.SIGTERM, syscall.SIGINT)
+	}()
+
+	if err = cmd.Wait(); err != nil {
+		return cmd.ProcessState, errors.Wrap(err, fmt.Sprintf("%s exited with non-zero exit code", a.Executable))
+	}
+
+	return cmd.ProcessState, nil
+}

cmd/awsCredentials.go

@@ -0,0 +1,64 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/Bandwidth/vault-shim/vault"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	namespace         string
+	secretPath        string
+	accountID         string
+	vaultStsRoleName  string
+	awsAssumeRoleName string
+
+	awsCredentials = &cobra.Command{
+		Use:   "aws-credentials",
+		Short: "Output aws credentials",
+		Long:  "Prints the required values for the aws profile credential process",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := GetVaultToken()
+			if err != nil {
+				logrus.Fatal(err)
+			}
+
+			awsSecretOutput, err := vault.GetAwsCredentials(vaultToken, namespace, secretPath, accountID, vaultStsRoleName, awsAssumeRoleName, vaultAddr)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+
+			json, err := json.Marshal(awsSecretOutput)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+
+			fmt.Printf(string(json))
+
+			return nil
+		},
+	}
+)
+
+func init() {
+	awsCredentials.PersistentFlags().StringVar(&namespace, "namespace", "", "The vault namespace")
+	awsCredentials.PersistentFlags().StringVar(&secretPath, "secret-path", "", "Vault path of the aws role")
+	awsCredentials.PersistentFlags().StringVar(&accountID, "account-id", "", "AWS account ID")
+	awsCredentials.PersistentFlags().StringVar(&vaultStsRoleName, "vault-sts-role-name", "", "The name of the vault sts role")
+	awsCredentials.PersistentFlags().StringVar(&awsAssumeRoleName, "aws-assume-role-name", "", "The optional name of the role in AWS to assume")
+
+	awsCredentials.MarkPersistentFlagRequired("secret-path")
+	awsCredentials.MarkPersistentFlagRequired("account-id")
+	awsCredentials.MarkPersistentFlagRequired("vault-sts-role-name")
+
+	viper.BindPFlag("namespace", rootCmd.PersistentFlags().Lookup("namespace"))
+	viper.BindPFlag("secret-path", rootCmd.PersistentFlags().Lookup("secret-path"))
+	viper.BindPFlag("account-id", rootCmd.PersistentFlags().Lookup("account-id"))
+	viper.BindPFlag("vault-sts-role-name", rootCmd.PersistentFlags().Lookup("vault-sts-role-name"))
+	viper.BindPFlag("aws-assume-role-name", rootCmd.PersistentFlags().Lookup("aws-assume-role-name"))
+	rootCmd.AddCommand(awsCredentials)
+}