From 44ae9d3bfb062fec1ddc8628101d2ce52f45bec2 Mon Sep 17 00:00:00 2001 From: Kyle Michel Date: Tue, 2 Apr 2024 11:15:45 -0400 Subject: [PATCH] Have the file system signer read the cert files when it needs to in case they have changed --- .gitignore | 2 +- Makefile | 17 +++- aws_signing_helper/file_system_signer.go | 84 +++++++++++++++---- aws_signing_helper/serve.go | 12 ++- aws_signing_helper/signer.go | 64 +++++++------- aws_signing_helper/signer_test.go | 57 +++++++++++-- cmd/read_certificate_data.go | 2 +- go.mod | 18 ++-- go.sum | 39 ++++----- rolesanywhere/api.go | 20 ++--- rolesanywhere/doc.go | 2 +- rolesanywhere/errors.go | 6 +- rolesanywhere/rolesanywhereiface/interface.go | 46 +++++----- rolesanywhere/service.go | 11 +-- 14 files changed, 240 insertions(+), 140 deletions(-) diff --git a/.gitignore b/.gitignore index 1c8c754..869b53f 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,4 @@ tst/certs/ credential-process-data/ tst/softhsm/ tst/softhsm2.conf - +.idea/ diff --git a/Makefile b/Makefile index 3faf4a4..0a1ccab 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,15 @@ VERSION=1.1.1 -release: +.PHONY: release +release: build/bin/aws_signing_helper + +build/bin/aws_signing_helper: go build -buildmode=pie -ldflags "-X 'github.com/aws/rolesanywhere-credential-helper/cmd.Version=${VERSION}' -linkmode=external -w -s" -trimpath -o build/bin/aws_signing_helper main.go +.PHONY: clean +clean: + rm -rf build + # Setting up SoftHSM for PKCS#11 tests. # This portion is largely copied from https://gitlab.com/openconnect/openconnect/-/blob/v9.12/tests/Makefile.am#L363. SHM2_UTIL=SOFTHSM2_CONF=tst/softhsm2.conf.tmp softhsm2-util 
@@ -20,7 +27,7 @@ PKCS12CERTS := $(patsubst %-cert.pem, %.p12, $(RSACERTS) $(ECCERTS)) # It's hard to do a file-based rule for the contents of the SoftHSM token. # So just populate it as a side-effect of creating the softhsm2.conf file. -tst/softhsm2.conf: tst/softhsm2.conf.template $(PKCS8KEYS) $(RSACERTS) $(ECCERTS) +tst/softhsm2.conf: tst/softhsm2.conf.template $(PKCS8KEYS) $(RSACERTS) $(ECCERTS) tst/certs/rsa-2048-2-sha256-cert.pem rm -rf tst/softhsm/* sed 's|@top_srcdir@|${curdir}|g' $< > $@.tmp $(SHM2_UTIL) --show-slots @@ -50,6 +57,7 @@ tst/softhsm2.conf: tst/softhsm2.conf.template $(PKCS8KEYS) $(RSACERTS) $(ECCERTS --mark-always-authenticate mv $@.tmp $@ +.PHONY: test test: test-certs tst/softhsm2.conf SOFTHSM2_CONF=$(curdir)/tst/softhsm2.conf go test -v ./... @@ -62,6 +70,9 @@ test: test-certs tst/softhsm2.conf %-sha256-cert.pem: %-key.pem SUBJ=$$(echo "$@" | sed -r 's|.*/([^/]+)-cert.pem|\1|'); \ openssl req -x509 -new -key $< -out $@ -days 10000 -subj "/CN=roles-anywhere-$${SUBJ}" -sha256 +%-2-sha256-cert.pem: %-key.pem + SUBJ=$$(echo "$@" | sed -r 's|.*/([^/]+)-cert.pem|\1|'); \ + openssl req -x509 -new -key $< -out $@ -days 10000 -subj "/CN=roles-anywhere-$${SUBJ}" -sha256 %-sha384-cert.pem: %-key.pem SUBJ=$$(echo "$@" | sed -r 's|.*/([^/]+)-cert.pem|\1|'); \ openssl req -x509 -new -key $< -out $@ -days 10000 -subj "/CN=roles-anywhere-$${SUBJ}" -sha384 @@ -111,8 +122,10 @@ $(certsdir)/cert-bundle-with-comments.pem: $(RSACERTS) $(ECCERTS) echo "Comment in bundle\n" >> $@; \ done +.PHONY: test-certs test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem $(certsdir)/cert-bundle-with-comments.pem tst/softhsm2.conf +.PHONY: test-clean test-clean: rm -f $(RSAKEYS) $(ECKEYS) rm -f $(PKCS8KEYS) diff --git a/aws_signing_helper/file_system_signer.go b/aws_signing_helper/file_system_signer.go index ba0e365..8682923 100644 --- a/aws_signing_helper/file_system_signer.go 
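Review bot: The new `%-2-sha256-cert.pem` rule in the third hunk of this file is a byte-for-byte copy of the `%-sha256-cert.pem` rule directly above it, including the `sed` that derives the subject; moving the shared recipe into a `define` block and expanding it from both rules would keep the openssl invocation in one place. The generated `tst/certs/rsa-2048-2-sha256-cert.pem` also appears only as a prerequisite of `tst/softhsm2.conf`, so unless it is part of one of the variables `test-clean` removes (not visible in this hunk) it is left behind after `make test-clean` and will silently keep being reused by the rotation test in signer_test.go.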
+++ b/aws_signing_helper/file_system_signer.go @@ -10,23 +10,26 @@ import ( "errors" "io" "log" + "os" ) type FileSystemSigner struct { - PrivateKey crypto.PrivateKey - cert *x509.Certificate - certChain []*x509.Certificate + bundlePath string + certPath string + isPkcs12 bool + privateKeyPath string } -func (fileSystemSigner FileSystemSigner) Public() crypto.PublicKey { +func (fileSystemSigner *FileSystemSigner) Public() crypto.PublicKey { + privateKey, _, _ := fileSystemSigner.readCertFiles() { - privateKey, ok := fileSystemSigner.PrivateKey.(ecdsa.PrivateKey) + privateKey, ok := privateKey.(ecdsa.PrivateKey) if ok { return &privateKey.PublicKey } } { - privateKey, ok := fileSystemSigner.PrivateKey.(rsa.PrivateKey) + privateKey, ok := privateKey.(rsa.PrivateKey) if ok { return &privateKey.PublicKey } @@ -34,9 +37,10 @@ func (fileSystemSigner FileSystemSigner) Public() crypto.PublicKey { return nil } -func (fileSystemSigner FileSystemSigner) Close() {} +func (fileSystemSigner *FileSystemSigner) Close() {} -func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { +func (fileSystemSigner *FileSystemSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { + privateKey, _, _ := fileSystemSigner.readCertFiles() var hash []byte switch opts.HashFunc() { case crypto.SHA256: @@ -52,7 +56,7 @@ func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opt return nil, ErrUnsupportedHash } - ecdsaPrivateKey, ok := fileSystemSigner.PrivateKey.(ecdsa.PrivateKey) + ecdsaPrivateKey, ok := privateKey.(ecdsa.PrivateKey) if ok { sig, err := ecdsa.SignASN1(rand, &ecdsaPrivateKey, hash[:]) if err == nil { 
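Review bot: `Public()` now calls `readCertFiles()` and keeps only the key, and because `readCertFiles` (last hunk of this file) answers every read or parse failure with `os.Exit(1)`, an unreadable or half-rotated key file terminates the whole process from inside a `crypto.Signer` method; in serve mode, where the handler in serve.go drives the signer, that takes the credential server down for every client. The same shape appears in `Sign`, in `Certificate` and `CertificateChain` (both declare an error result but can only ever return `nil` for it) and in `GetFileSystemSigner`, whose `err` result is likewise never populated by a read failure. `readCertFiles` should return an error as a fourth result and the callers that have an error channel should propagate it, e.g. in `Sign`: `privateKey, _, _, err := fileSystemSigner.readCertFiles()` followed by `if err != nil { return nil, err }`; `Public()` has no error channel, so logging and returning `nil` there is the best available option. Note also that `Public()` parses the certificate and bundle files on every call only to obtain the public half of the key.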
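Review bot: The type assertions in `Sign` (and in `Public` above and `GetFileSystemSigner` below) accept only the value types `ecdsa.PrivateKey` and `rsa.PrivateKey`, but the PKCS#12 branch of `readCertFiles` passes through whatever `ReadPKCS12Data` returns, and the dereference that `GetSigner` used to apply to that result (`privateKey = *ecPrivateKeyPtr`, removed in the signer.go hunk of this patch) indicates it returns `*ecdsa.PrivateKey`/`*rsa.PrivateKey`. If that is the case, every PKCS#12-backed signer now fails with "unsupported algorithm" in `GetFileSystemSigner`, and `Sign` would return the same error for one constructed directly. Either restore the conversion in the PKCS#12 branch of `readCertFiles`, `if p, ok := privateKey.(*ecdsa.PrivateKey); ok { privateKey = *p }` plus the `rsa` equivalent, or make the assertions here accept both forms with a type switch. `Sign` continues past the end of this hunk.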
@@ -60,7 +64,7 @@ func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opt } } - rsaPrivateKey, ok := fileSystemSigner.PrivateKey.(rsa.PrivateKey) + rsaPrivateKey, ok := privateKey.(rsa.PrivateKey) if ok { sig, err := rsa.SignPKCS1v15(rand, &rsaPrivateKey, opts.HashFunc(), hash[:]) if err == nil { @@ -72,16 +76,20 @@ func (fileSystemSigner FileSystemSigner) Sign(rand io.Reader, digest []byte, opt return nil, errors.New("unsupported algorithm") } -func (fileSystemSigner FileSystemSigner) Certificate() (*x509.Certificate, error) { - return fileSystemSigner.cert, nil +func (fileSystemSigner *FileSystemSigner) Certificate() (*x509.Certificate, error) { + _, cert, _ := fileSystemSigner.readCertFiles() + return cert, nil } -func (fileSystemSigner FileSystemSigner) CertificateChain() ([]*x509.Certificate, error) { - return fileSystemSigner.certChain, nil +func (fileSystemSigner *FileSystemSigner) CertificateChain() ([]*x509.Certificate, error) { + _, _, certChain := fileSystemSigner.readCertFiles() + return certChain, nil } -// Returns a FileSystemSigner, that signs a payload using the private key passed in -func GetFileSystemSigner(privateKey crypto.PrivateKey, certificate *x509.Certificate, certificateChain []*x509.Certificate) (signer Signer, signingAlgorithm string, err error) { +// GetFileSystemSigner returns a FileSystemSigner, that signs a payload using the private key passed in +func GetFileSystemSigner(privateKeyPath string, certPath string, bundlePath string, isPkcs12 bool) (signer Signer, signingAlgorithm string, err error) { + fsSigner := &FileSystemSigner{bundlePath: bundlePath, certPath: certPath, isPkcs12: isPkcs12, privateKeyPath: privateKeyPath} + privateKey, _, _ := fsSigner.readCertFiles() // Find the signing algorithm _, isRsaKey := privateKey.(rsa.PrivateKey) if isRsaKey { 
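Review bot: The doc comment on `GetFileSystemSigner` is now wrong: it still says the signer uses "the private key passed in", while the function takes file paths and the key is re-read from disk on every operation; suggest `// GetFileSystemSigner returns a Signer that re-reads the private key and certificate(s) from the given paths on every use, so rotated files are picked up without a restart; when isPkcs12 is set, certPath names a PKCS#12 file that supplies both the key and the chain.` A second point on `Certificate` and `CertificateChain`: each is an independent read, and `Sign` reads again later, so a rotation that lands between the call that fetches the certificate for a request and the call that signs it yields a signature made with the new key over a request presenting the old certificate, which the service will reject; consider letting one `readCertFiles` call serve a whole signing operation (a method returning key, certificate and chain together for the request-signing code to use), or at least checking in `Sign` that the key corresponds to the certificate's public key before signing. `GetFileSystemSigner` continues past the end of this hunk.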
@@ -96,5 +104,47 @@ func GetFileSystemSigner(privateKey crypto.PrivateKey, certificate *x509.Certifi return nil, "", errors.New("unsupported algorithm") } - return FileSystemSigner{privateKey, certificate, certificateChain}, signingAlgorithm, nil + return fsSigner, signingAlgorithm, nil +} + +func (fileSystemSigner *FileSystemSigner) readCertFiles() (crypto.PrivateKey, *x509.Certificate, []*x509.Certificate) { + if fileSystemSigner.isPkcs12 { + chain, privateKey, err := ReadPKCS12Data(fileSystemSigner.certPath) + if err != nil { + log.Printf("Failed to read PKCS12 certificate: %s\n", err) + os.Exit(1) + } + return privateKey, chain[0], chain + } else { + privateKey, err := ReadPrivateKeyData(fileSystemSigner.privateKeyPath) + if err != nil { + log.Printf("Failed to read private key: %s\n", err) + os.Exit(1) + } + var chain []*x509.Certificate + if fileSystemSigner.bundlePath != "" { + chain, err = GetCertChain(fileSystemSigner.bundlePath) + if err != nil { + privateKey = nil + log.Printf("Failed to read certificate bundle: %s\n", err) + os.Exit(1) + } + } + var cert *x509.Certificate + if fileSystemSigner.certPath != "" { + _, cert, err = ReadCertificateData(fileSystemSigner.certPath) + if err != nil { + privateKey = nil + log.Printf("Failed to read certificate: %s\n", err) + os.Exit(1) + } + } else if len(chain) > 0 { + cert = chain[0] + } else { + log.Println("No certificate path or certificate bundle path provided") + os.Exit(1) + } + + return privateKey, cert, chain + } } diff --git a/aws_signing_helper/serve.go b/aws_signing_helper/serve.go index 343e54b..6106e36 100644 --- a/aws_signing_helper/serve.go +++ b/aws_signing_helper/serve.go 
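Review bot: In the PKCS#12 branch of `readCertFiles`, `chain[0]` is indexed without checking `len(chain)`, so a PKCS#12 file that parses but carries no certificate becomes an index-out-of-range panic instead of the logged failure the other branches produce; unless `ReadPKCS12Data` guarantees a non-empty chain (not visible here), change the guard to `if err != nil || len(chain) == 0 {` with a message covering both cases. The two `privateKey = nil` assignments are dead code, since `os.Exit(1)` follows on the next line. The `else` after the `return` of the PKCS#12 branch can be dropped so the PEM path sits at function level, and the `"%s\n"` in the `log.Printf` calls adds a second newline because `log` already terminates each message. The `else if len(chain) > 0 { cert = chain[0] }` fallback is only reachable by callers that bypass `GetSigner` (the updated test does), because `GetSigner` now rejects a nil certificate before reaching this code; a comment saying that a bare bundle is accepted only for direct construction would keep the two from drifting apart.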
@@ -219,12 +219,19 @@ func AllIssuesHandlers(cred *RefreshableCred, roleName string, opts *Credentials err := CheckValidToken(w, r) if err != nil { + log.Printf("Token validation received error: %s\n", err) return } var nextRefreshTime = cred.Expiration.Add(-RefreshTime) if time.Until(nextRefreshTime) < RefreshTime { - credentialProcessOutput, _ := GenerateCredentials(opts, signer, signatureAlgorithm) + if Debug { + log.Println("Generating credentials") + } + credentialProcessOutput, gcErr := GenerateCredentials(opts, signer, signatureAlgorithm) + if gcErr != nil { + log.Printf("Error generating credentials: %s\n", gcErr) + } cred.AccessKeyId = credentialProcessOutput.AccessKeyId cred.SecretAccessKey = credentialProcessOutput.SecretAccessKey cred.Token = credentialProcessOutput.SessionToken @@ -240,6 +247,9 @@ func AllIssuesHandlers(cred *RefreshableCred, roleName string, opts *Credentials return } } else { + if Debug { + log.Println("Using previously obtained credentials") + } err := json.NewEncoder(w).Encode(cred) if err != nil { w.WriteHeader(http.StatusInternalServerError) diff --git a/aws_signing_helper/signer.go b/aws_signing_helper/signer.go index 3ba3296..0b6829d 100644 --- a/aws_signing_helper/signer.go +++ b/aws_signing_helper/signer.go @@ -165,12 +165,11 @@ func encodeEcdsaSigValue(signature []byte) (out []byte, err error) { big.NewInt(0).SetBytes(signature[sigLen:])}) } -// Gets the Signer based on the flags passed in by the user (from which the CredentialsOpts structure is derived) +// GetSigner gets the Signer based on the flags passed in by the user (from which the CredentialsOpts structure is derived) func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, err error) { var ( certificate *x509.Certificate certificateChain []*x509.Certificate - privateKey crypto.PrivateKey ) privateKeyId := opts.PrivateKeyId 
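Review bot: When `GenerateCredentials` fails, the handler logs `gcErr` and then carries on with the zero-valued `credentialProcessOutput`, copying empty `AccessKeyId`, `SecretAccessKey` and `SessionToken` into the shared `cred` and, presumably, serving them to the client from the code that follows the hunk; the previously cached, still-valid credentials are lost at the same time. After the log line, write an error status and stop: `w.WriteHeader(http.StatusInternalServerError); return`. Whether the old credentials should instead be served until their expiration is a policy choice, but in either case a failed refresh must not overwrite them with empty values. `AllIssuesHandlers` begins before this hunk and the response-writing code follows it.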
@@ -185,16 +184,9 @@ func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, } if opts.CertificateId != "" && !strings.HasPrefix(opts.CertificateId, "pkcs11:") { - certificateData, err := ReadCertificateData(opts.CertificateId) + _, cert, err := ReadCertificateData(opts.CertificateId) if err == nil { - certificateDerData, err := base64.StdEncoding.DecodeString(certificateData.CertificateData) - if err != nil { - return nil, "", err - } - certificate, err = x509.ParseCertificate([]byte(certificateDerData)) - if err != nil { - return nil, "", err - } + certificate = cert } else if opts.PrivateKeyId == "" { if Debug { log.Println("not a PEM certificate, so trying PKCS#12") @@ -205,35 +197,21 @@ func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, " within the PKCS#12 file") } // Not a PEM certificate? Try PKCS#12 - certificateChain, privateKey, err = ReadPKCS12Data(opts.CertificateId) + _, _, err = ReadPKCS12Data(opts.CertificateId) if err != nil { return nil, "", err } - if privateKey != nil { - ecPrivateKeyPtr, isEcKey := privateKey.(*ecdsa.PrivateKey) - if isEcKey { - privateKey = *ecPrivateKeyPtr - } - - rsaPrivateKeyPtr, isRsaKey := privateKey.(*rsa.PrivateKey) - if isRsaKey { - privateKey = *rsaPrivateKeyPtr - } - } - return GetFileSystemSigner(privateKey, certificateChain[0], certificateChain) + return GetFileSystemSigner(opts.PrivateKeyId, opts.CertificateId, opts.CertificateBundleId, true) } else { return nil, "", err } } if opts.CertificateBundleId != "" { - certificateChainPointers, err := ReadCertificateBundleData(opts.CertificateBundleId) + certificateChain, err = GetCertChain(opts.CertificateBundleId) if err != nil { return nil, "", err } - for _, certificate := range certificateChainPointers { - certificateChain = append(certificateChain, certificate) - } } if strings.HasPrefix(privateKeyId, "pkcs11:") { 
@@ -245,15 +223,18 @@ func GetSigner(opts *CredentialsOpts) (signer Signer, signatureAlgorithm string, } return GetPKCS11Signer(opts.LibPkcs11, certificate, certificateChain, opts.PrivateKeyId, opts.CertificateId, opts.ReusePin) } else { - privateKey, err = ReadPrivateKeyData(privateKeyId) + _, err = ReadPrivateKeyData(privateKeyId) if err != nil { return nil, "", err } + if certificate == nil { + return nil, "", errors.New("undefined certificate value") + } if Debug { log.Println("attempting to use FileSystemSigner") } - return GetFileSystemSigner(privateKey, certificate, certificateChain) + return GetFileSystemSigner(privateKeyId, opts.CertificateId, opts.CertificateBundleId, false) } } @@ -709,18 +690,18 @@ func ReadPrivateKeyDataFromPEMBlock(block *pem.Block) (key crypto.PrivateKey, er return nil, errors.New("unable to parse private key") } -// Load the certificate referenced by `certificateId` and extract +// ReadCertificateData loads the certificate referenced by `certificateId` and extracts // details required by the SDK to construct the StringToSign. -func ReadCertificateData(certificateId string) (CertificateData, error) { +func ReadCertificateData(certificateId string) (CertificateData, *x509.Certificate, error) { block, err := parseDERFromPEM(certificateId, "CERTIFICATE") if err != nil { - return CertificateData{}, errors.New("could not parse PEM data") + return CertificateData{}, nil, errors.New("could not parse PEM data") } cert, err := x509.ParseCertificate(block.Bytes) if err != nil { log.Println("could not parse certificate", err) - return CertificateData{}, errors.New("could not parse certificate") + return CertificateData{}, nil, errors.New("could not parse certificate") } //extract serial number 
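Review bot: In the file-system branch, `ReadPrivateKeyData(privateKeyId)` is now called only for its error and its result is discarded; `GetFileSystemSigner` immediately re-reads and re-parses the same file (the `ReadPKCS12Data` call in the previous hunk has the same shape), so every startup parses the key twice. If the early call is intended as fail-fast validation, a comment should say so, e.g. `// Parse once up front so a bad key path is reported here; the signer re-reads it on every use.` The added `certificate == nil` check is a sensible guard, but it makes the `chain[0]` fallback inside `readCertFiles` unreachable through `GetSigner`, so a one-line comment on the check noting that a bundle alone is not accepted here would save the next reader from assuming otherwise. `GetSigner` begins before this hunk.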
@@ -747,5 +728,18 @@ func ReadCertificateData(certificateId string) (CertificateData, error) { } //return struct - return CertificateData{keyType, encodedDer, serialNumber, supportedAlgorithms}, nil + return CertificateData{keyType, encodedDer, serialNumber, supportedAlgorithms}, cert, nil +} + +// GetCertChain reads a certificate bundle and returns a chain of all the certificates it contains +func GetCertChain(certificateBundleId string) ([]*x509.Certificate, error) { + certificateChainPointers, err := ReadCertificateBundleData(certificateBundleId) + var chain []*x509.Certificate + if err != nil { + return nil, err + } + for _, certificate := range certificateChainPointers { + chain = append(chain, certificate) + } + return chain, nil } diff --git a/aws_signing_helper/signer_test.go b/aws_signing_helper/signer_test.go index fbb3d78..3476eac 100644 --- a/aws_signing_helper/signer_test.go +++ b/aws_signing_helper/signer_test.go @@ -1,6 +1,7 @@ package aws_signing_helper import ( + "bytes" "crypto" "crypto/ecdsa" "crypto/rand" @@ -27,7 +28,7 @@ import ( const TestCredentialsFilePath = "/tmp/credentials" func setup() error { - generateCredentialProcessDataScript := exec.Command("/bin/sh", "../generate-credential-process-data.sh") + generateCredentialProcessDataScript := exec.Command("/bin/bash", "../generate-credential-process-data.sh") _, err := generateCredentialProcessDataScript.Output() return err } @@ -56,7 +57,7 @@ func TestReadCertificateData(t *testing.T) { {"../tst/certs/rsa-2048-sha256-cert.pem", "RSA"}, } for _, fixture := range fixtures { - certData, err := ReadCertificateData(fixture.CertPath) + certData, _, err := ReadCertificateData(fixture.CertPath) if err != nil { t.Log("Failed to read certificate data") 
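Review bot: `GetCertChain` declares `chain` before checking `err` and then copies `certificateChainPointers` element by element; if `ReadCertificateBundleData` already returns `[]*x509.Certificate` (the loop this replaces in `GetSigner` appended its elements straight into a `[]*x509.Certificate`, so it appears to), the body reduces to `return ReadCertificateBundleData(certificateBundleId)`, or to `slices.Clone` if a private copy is the intent, which the module's new `go 1.21` line makes available. The doc comment should also state that certificate order is preserved, since `readCertFiles` relies on `chain[0]` being the leaf.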
@@ -71,7 +72,7 @@ func TestReadCertificateData(t *testing.T) { } func TestReadInvalidCertificateData(t *testing.T) { - _, err := ReadCertificateData("../tst/certs/invalid-rsa-cert.pem") + _, _, err := ReadCertificateData("../tst/certs/invalid-rsa-cert.pem") if err == nil || !strings.Contains(err.Error(), "could not parse certificate") { t.Log("Failed to throw a handled error") t.Fail() 
@@ -128,28 +129,68 @@ func TestBuildAuthorizationHeader(t *testing.T) { t.Fail() } - certificateList, _ := ReadCertificateBundleData("../tst/certs/rsa-2048-sha256-cert.pem") - certificate := certificateList[0] - privateKey, _ := ReadPrivateKeyData("../tst/certs/rsa-2048-key.pem") + path := "../tst/certs/rsa-2048-sha256-cert.pem" + certificateList1, _ := ReadCertificateBundleData(path) + certificate1 := certificateList1[0] + pkPath := "../tst/certs/rsa-2048-key.pem" awsRequest := request.Request{HTTPRequest: testRequest} - signer, signingAlgorithm, err := GetFileSystemSigner(privateKey, certificate, nil) + signer, signingAlgorithm, err := GetFileSystemSigner(pkPath, "", path, false) if err != nil { t.Log(err) t.Fail() } - certificate, err = signer.Certificate() + certificate, err := signer.Certificate() if err != nil { t.Log(err) t.Fail() } + if !bytes.Equal(certificate.Raw, certificate1.Raw) { + t.Log("Certificate does not match signer certificate") + t.Fail() + } certificateChain, err := signer.CertificateChain() if err != nil { t.Log(err) t.Fail() } + for i, cert := range certificateChain { + if !bytes.Equal(cert.Raw, certificateList1[i].Raw) { + t.Log("Certificate chain does not match signer certificate chain") + t.Fail() + } + } requestSignFunction := CreateRequestSignFunction(signer, signingAlgorithm, certificate, certificateChain) requestSignFunction(&awsRequest) + + certificateList2, _ := ReadCertificateBundleData("../tst/certs/rsa-2048-2-sha256-cert.pem") + certificate2 := certificateList2[0] + os.Rename("../tst/certs/rsa-2048-sha256-cert.pem", "../tst/certs/rsa-2048-sha256-cert.pem.bak") + os.Rename("../tst/certs/rsa-2048-2-sha256-cert.pem", "../tst/certs/rsa-2048-sha256-cert.pem") + certificate, err = signer.Certificate() + if err != nil { + t.Log(err) + t.Fail() + } + if !bytes.Equal(certificate.Raw, certificate2.Raw) { + t.Log("Certificate does not match signer certificate after update") + t.Fail() + } + certificateChain, err = signer.CertificateChain() 
+ if err != nil { + t.Log(err) + t.Fail() + } + for i, cert := range certificateChain { + if !bytes.Equal(cert.Raw, certificateList2[i].Raw) { + t.Log("Certificate chain does not match signer certificate chain after update") + t.Fail() + } + } + os.Rename("../tst/certs/rsa-2048-sha256-cert.pem", "../tst/certs/rsa-2048-2-sha256-cert.pem") + os.Rename("../tst/certs/rsa-2048-sha256-cert.pem.bak", "../tst/certs/rsa-2048-sha256-cert.pem") + requestSignFunction2 := CreateRequestSignFunction(signer, signingAlgorithm, certificate, certificateChain) + requestSignFunction2(&awsRequest) } // Verify that the provided payload was signed correctly with the provided options. diff --git a/cmd/read_certificate_data.go b/cmd/read_certificate_data.go index 0476e6b..6ad2c33 100644 --- a/cmd/read_certificate_data.go +++ b/cmd/read_certificate_data.go @@ -68,7 +68,7 @@ var readCertificateDataCmd = &cobra.Command{ os.Exit(1) } } else if certificateId != "" { - data, err := helper.ReadCertificateData(certificateId) + data, _, err := helper.ReadCertificateData(certificateId) if err != nil { os.Exit(1) } diff --git a/go.mod b/go.mod index 10ba30a..1f96a07 100644 --- a/go.mod +++ b/go.mod 
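Review bot: The rotation part of `TestBuildAuthorizationHeader` swaps fixture files under `tst/certs` with `os.Rename` and restores them only on the straight-line path: the results of all four `os.Rename` calls are ignored, and any failure in between (or the `os.Exit(1)` that `readCertFiles` performs on a read error, which ends the test binary before the restore lines run) leaves `rsa-2048-sha256-cert.pem` pointing at the wrong certificate for every later test and for the next `go test` run. Check each rename, `if err := os.Rename(path, path+".bak"); err != nil { t.Fatal(err) }`, and register the restore with `t.Cleanup` immediately after the first rename succeeds so it runs however the test ends. Copying the two certificates into a `t.TempDir()` path and pointing the signer at that, instead of mutating shared fixtures, would remove the hazard entirely and let the test run in parallel.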
@@ -1,21 +1,21 @@ module github.com/aws/rolesanywhere-credential-helper -go 1.18 +go 1.21 require ( - github.com/aws/aws-sdk-go v1.44.57 - github.com/spf13/cobra v1.6.1 - golang.org/x/crypto v0.10.0 - golang.org/x/sys v0.10.0 + github.com/aws/aws-sdk-go v1.50.30 + github.com/miekg/pkcs11 v1.1.1 + github.com/spf13/cobra v1.8.0 + github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 + golang.org/x/crypto v0.20.0 + golang.org/x/sys v0.17.0 + golang.org/x/term v0.17.0 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect - github.com/inconshreveable/mousetrap v1.0.1 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect - github.com/miekg/pkcs11 v1.1.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stefanberger/go-pkcs11uri v0.0.0-20230614165346-c1cad3d2f68c // indirect - golang.org/x/term v0.10.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index 19c118e..b8350b8 100644 --- a/go.sum +++ b/go.sum 
@@ -1,42 +1,33 @@ -github.com/aws/aws-sdk-go v1.44.57 h1:Dx1QD+cA89LE0fVQWSov22tpnTa0znq2Feyaa/myVjg= -github.com/aws/aws-sdk-go v1.44.57/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/aws/aws-sdk-go v1.50.30 h1:2OelKH1eayeaH7OuL1Y9Ombfw4HK+/k0fEnJNWjyLts= +github.com/aws/aws-sdk-go v1.50.30/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= -github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod 
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= -github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stefanberger/go-pkcs11uri v0.0.0-20230614165346-c1cad3d2f68c h1:HxmodsFg2lqbspDblBhyR6fXOYwilB6Esnw3PJSaSCA= -github.com/stefanberger/go-pkcs11uri v0.0.0-20230614165346-c1cad3d2f68c/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M= +github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 h1:pnnLyeX7o/5aX8qUQ69P/mLojDqwda8hFOCBTmP/6hw= +github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6/go.mod h1:39R/xuhNgVhi+K0/zst4TLrJrVmbm6LVgl4A0+ZFS5M= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= -golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= -golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg= +golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= diff --git a/rolesanywhere/api.go b/rolesanywhere/api.go index bf79923..4b04348 100644 --- a/rolesanywhere/api.go +++ b/rolesanywhere/api.go 
@@ -28,14 +28,13 @@ const opCreateSession = "CreateSession" // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // +// // Example sending a request using the CreateSessionRequest method. +// req, resp := client.CreateSessionRequest(params) // -// // Example sending a request using the CreateSessionRequest method. -// req, resp := client.CreateSessionRequest(params) -// -// err := req.Send() -// if err == nil { // resp is now filled -// fmt.Println(resp) -// } +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } // // See also, https://docs.aws.amazon.com/goto/WebAPI/roles-anywhere-2018-05-10/CreateSession func (c *RolesAnywhere) CreateSessionRequest(input *CreateSessionInput) (req *request.Request, output *CreateSessionOutput) { @@ -64,11 +63,12 @@ func (c *RolesAnywhere) CreateSessionRequest(input *CreateSessionInput) (req *re // API operation CreateSession for usage and error information. // // Returned Error Types: -// * ValidationException // -// * ResourceNotFoundException +// - ValidationException +// +// - ResourceNotFoundException // -// * AccessDeniedException +// - AccessDeniedException // // See also, https://docs.aws.amazon.com/goto/WebAPI/roles-anywhere-2018-05-10/CreateSession func (c *RolesAnywhere) CreateSession(input *CreateSessionInput) (*CreateSessionOutput, error) { diff --git a/rolesanywhere/doc.go b/rolesanywhere/doc.go index 5d3231b..78ded2c 100644 --- a/rolesanywhere/doc.go +++ b/rolesanywhere/doc.go @@ -8,7 +8,7 @@ // See rolesanywhere package documentation for more information. // https://docs.aws.amazon.com/sdk-for-go/api/service/rolesanywhere/ // -// Using the Client +// # Using the Client // // To contact RolesAnywhere Service with the SDK use the New function to create // a new service client. With that client you can make API requests to the service. 
diff --git a/rolesanywhere/errors.go b/rolesanywhere/errors.go index 4b86a45..60f94f7 100644 --- a/rolesanywhere/errors.go +++ b/rolesanywhere/errors.go @@ -22,7 +22,7 @@ const ( ) var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{ - "AccessDeniedException": newErrorAccessDeniedException, - "ResourceNotFoundException": newErrorResourceNotFoundException, - "ValidationException": newErrorValidationException, + "AccessDeniedException": newErrorAccessDeniedException, + "ResourceNotFoundException": newErrorResourceNotFoundException, + "ValidationException": newErrorValidationException, } diff --git a/rolesanywhere/rolesanywhereiface/interface.go b/rolesanywhere/rolesanywhereiface/interface.go index e1f86f0..494fc67 100644 --- a/rolesanywhere/rolesanywhereiface/interface.go +++ b/rolesanywhere/rolesanywhereiface/interface.go 
@@ -23,37 +23,37 @@ import ( // can be stubbed out for unit testing your code with the SDK without needing // to inject custom request handlers into the SDK's request pipeline. // -// // myFunc uses an SDK service client to make a request to -// // RolesAnywhere Service. -// func myFunc(svc rolesanywhereiface.RolesAnywhereAPI) bool { -// // Make svc.CreateSession request -// } +// // myFunc uses an SDK service client to make a request to +// // RolesAnywhere Service. +// func myFunc(svc rolesanywhereiface.RolesAnywhereAPI) bool { +// // Make svc.CreateSession request +// } // -// func main() { -// sess := session.New() -// svc := rolesanywhere.New(sess) +// func main() { +// sess := session.New() +// svc := rolesanywhere.New(sess) // -// myFunc(svc) -// } +// myFunc(svc) +// } // // In your _test.go file: // -// // Define a mock struct to be used in your unit tests of myFunc. -// type mockRolesAnywhereClient struct { -// rolesanywhereiface.RolesAnywhereAPI -// } -// func (m *mockRolesAnywhereClient) CreateSession(input *rolesanywhere.CreateSessionInput) (*rolesanywhere.CreateSessionOutput, error) { -// // mock response/functionality -// } +// // Define a mock struct to be used in your unit tests of myFunc. +// type mockRolesAnywhereClient struct { +// rolesanywhereiface.RolesAnywhereAPI +// } +// func (m *mockRolesAnywhereClient) CreateSession(input *rolesanywhere.CreateSessionInput) (*rolesanywhere.CreateSessionOutput, error) { +// // mock response/functionality +// } // -// func TestMyFunc(t *testing.T) { -// // Setup Test -// mockSvc := &mockRolesAnywhereClient{} +// func TestMyFunc(t *testing.T) { +// // Setup Test +// mockSvc := &mockRolesAnywhereClient{} // -// myfunc(mockSvc) +// myfunc(mockSvc) // -// // Verify myFunc's functionality -// } +// // Verify myFunc's functionality +// } // // It is important to note that this interface will have breaking changes // when the service model is updated and adds new API operations, paginators, 
diff --git a/rolesanywhere/service.go b/rolesanywhere/service.go index 30e9faf..a41e46f 100644 --- a/rolesanywhere/service.go +++ b/rolesanywhere/service.go @@ -40,13 +40,14 @@ const ( // aws.Config parameter to add your extra config. // // Example: -// mySession := session.Must(session.NewSession()) // -// // Create a RolesAnywhere client from just a session. -// svc := rolesanywhere.New(mySession) +// mySession := session.Must(session.NewSession()) // -// // Create a RolesAnywhere client with additional configuration -// svc := rolesanywhere.New(mySession, aws.NewConfig().WithRegion("us-west-2")) +// // Create a RolesAnywhere client from just a session. +// svc := rolesanywhere.New(mySession) +// +// // Create a RolesAnywhere client with additional configuration +// svc := rolesanywhere.New(mySession, aws.NewConfig().WithRegion("us-west-2")) func New(p client.ConfigProvider, cfgs ...*aws.Config) *RolesAnywhere { c := p.ClientConfig(EndpointsID, cfgs...) if c.SigningNameDerived || len(c.SigningName) == 0 {