From dd4e087d6c1c67a58b99adfb0d23f6d39d176d53 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 9 Feb 2022 03:18:37 +0000 Subject: [PATCH 1/8] Update usage of AWS SDK in aws_pca UpstreamAuthority plugin to v2 This is primarily motivated by trying to consolidate to a single AWS SDK dependency in SPIRE. The max wait time for certificate issuance introduced in this change matches the default behavior used in the v1 SDK. Signed-off-by: Ryan Turner --- go.mod | 2 + go.sum | 2 + .../plugin/upstreamauthority/awspca/pca.go | 54 ++++++++------ .../upstreamauthority/awspca/pca_client.go | 74 ++++++++++++------- .../awspca/pca_client_fake.go | 35 ++++++--- .../upstreamauthority/awspca/pca_test.go | 66 ++++++++++------- 6 files changed, 146 insertions(+), 87 deletions(-) diff --git a/go.mod b/go.mod index aa8d40b3a8..22b0d11c23 100644 --- a/go.mod +++ b/go.mod @@ -76,6 +76,8 @@ require ( sigs.k8s.io/controller-runtime v0.11.0 ) +require github.com/aws/aws-sdk-go-v2/service/acmpca v1.14.0 + require ( cloud.google.com/go v0.100.2 // indirect cloud.google.com/go/compute v1.1.0 // indirect diff --git a/go.sum b/go.sum index 06422da788..90db88fe21 100644 --- a/go.sum +++ b/go.sum 
@@ -228,6 +228,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.2.0 h1:3ADoioDMOtF4uiK59vC github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.2.0/go.mod h1:BsCSJHx5DnDXIrOcqB8KN1/B+hXLG/bi4Y6Vjcx/x9E= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.5 h1:ixotxbfTCFpqbuwFv/RcZwyzhkxPSYDYEMcj4niB5Uk= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.5/go.mod h1:R3sWUqPcfXSiF/LSFJhjyJmpg9uV6yP2yv3YZZjldVI= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.14.0 h1:sSD2N0B3VDQFG99UdQ0mFrMXFrYATQmabRL9PmxQ2Xw= +github.com/aws/aws-sdk-go-v2/service/acmpca v1.14.0/go.mod h1:ofh63tUw372aK3DEX1TRnZY8OYateQQiLO+SgRHpFag= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0 h1:4QAOB3KrvI1ApJK14sliGr3Ie2pjyvNypn/lfzDHfUw= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0/go.mod h1:K/qPe6AP2TGYv4l6n7c88zh9jWBDf6nHhvg1fx/EWfU= github.com/aws/aws-sdk-go-v2/service/kms v1.14.0 h1:A8FMqkP+OlnSiVY+2QakwqW0fAGnE18TqPig/T7aJU0= diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca.go b/pkg/server/plugin/upstreamauthority/awspca/pca.go index d4f59eb511..7484c16970 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca.go @@ -9,8 +9,9 @@ import ( "time" "github.com/andres-erbsen/clock" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + acmpcatypes "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/hashicorp/go-hclog" "github.com/hashicorp/hcl" upstreamauthorityv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/upstreamauthority/v1" 
@@ -31,8 +32,13 @@ const ( // The default CA signing template to use. // The SPIRE server intermediate CA can sign end-entity SVIDs only. defaultCASigningTemplateArn = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" + // Max certificate issuance wait duration + maxCertIssuanceWaitDur = 3 * time.Minute ) +type newACMPCAClientFunc func(context.Context, *Configuration) (PCAClient, error) +type newCertificateIssuedWaiterFunc func(acmpca.GetCertificateAPIClient, ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter + func BuiltIn() catalog.BuiltIn { return builtin(New()) } @@ -67,8 +73,9 @@ type PCAPlugin struct { config *configuration hooks struct { - clock clock.Clock - newClient func(config *Configuration) (PCAClient, error) + clock clock.Clock + newClient newACMPCAClientFunc + newCertificateIssuedWaiter newCertificateIssuedWaiterFunc } } @@ -81,13 +88,14 @@ type configuration struct { // New returns an instantiated plugin func New() *PCAPlugin { - return newPlugin(newPCAClient) + return newPlugin(newPCAClient, newCertificateIssuedWaiter) } -func newPlugin(newClient func(config *Configuration) (PCAClient, error)) *PCAPlugin { +func newPlugin(newClient newACMPCAClientFunc, newWaiter newCertificateIssuedWaiterFunc) *PCAPlugin { p := &PCAPlugin{} p.hooks.clock = clock.New() p.hooks.newClient = newClient + p.hooks.newCertificateIssuedWaiter = newWaiter return p } 
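Review bot: The new `maxCertIssuanceWaitDur` constant only carries the comment "Max certificate issuance wait duration"; the reason for choosing 3 minutes is stated in the commit message but not in the code, and it is the one value a future maintainer will want to tune. A comment such as `// Upper bound on the CertificateIssued waiter in MintX509CAAndSubscribe; 3m matches the default wait behaviour of the v1 SDK waiter this replaces.` keeps that rationale next to the value. The two new function types `newACMPCAClientFunc` and `newCertificateIssuedWaiterFunc` are test seams (`New()` always wires the real implementations) and each would benefit from a one-line comment saying so.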
@@ -112,14 +120,14 @@ func (p *PCAPlugin) Configure(ctx context.Context, req *configv1.ConfigureReques } // Create the client - pcaClient, err := p.hooks.newClient(config) + pcaClient, err := p.hooks.newClient(ctx, config) if err != nil { return nil, status.Errorf(codes.Internal, "failed to create client: %v", err) } // Perform a check for the presence of the CA p.log.Info("Looking up certificate authority from ACM", "certificate_authority_arn", config.CertificateAuthorityARN) - describeResponse, err := pcaClient.DescribeCertificateAuthorityWithContext(ctx, &acmpca.DescribeCertificateAuthorityInput{ + describeResponse, err := pcaClient.DescribeCertificateAuthority(ctx, &acmpca.DescribeCertificateAuthorityInput{ CertificateAuthorityArn: aws.String(config.CertificateAuthorityARN), }) if err != nil { @@ -127,7 +135,7 @@ func (p *PCAPlugin) Configure(ctx context.Context, req *configv1.ConfigureReques } // Ensure the CA is set to ACTIVE - caStatus := aws.StringValue(describeResponse.CertificateAuthority.Status) + caStatus := describeResponse.CertificateAuthority.Status if caStatus != "ACTIVE" { p.log.Warn("Certificate is in an invalid state for issuance", "certificate_authority_arn", config.CertificateAuthorityARN, @@ -138,7 +146,7 @@ func (p *PCAPlugin) Configure(ctx context.Context, req *configv1.ConfigureReques // Otherwise, fall back to the pre-configured value on the CA signingAlgorithm := config.SigningAlgorithm if signingAlgorithm == "" { - signingAlgorithm = aws.StringValue(describeResponse.CertificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm) + signingAlgorithm = string(describeResponse.CertificateAuthority.CertificateAuthorityConfiguration.SigningAlgorithm) p.log.Info("No signing algorithm specified, using the CA default", "signing_algorithm", signingAlgorithm) } 
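Review bot: In the `@@ -127,7 +135,7 @@` hunk `caStatus` is now a typed `acmpcatypes.CertificateAuthorityStatus`, yet it is still compared with the raw literal `"ACTIVE"`; using the SDK constant, `if caStatus != acmpcatypes.CertificateAuthorityStatusActive {`, means a typo in the literal can no longer silently disable the only gate that stops issuance from a non-active CA. In the same hunk and the `-138` one, `describeResponse.CertificateAuthority` and its `CertificateAuthorityConfiguration` are pointers (the test fixture builds them with `&acmpcatypes.CertificateAuthority{`) and are dereferenced without a nil check, so a response lacking them would panic inside Configure instead of returning an error. A guard placed before the status check, `if describeResponse.CertificateAuthority == nil || describeResponse.CertificateAuthority.CertificateAuthorityConfiguration == nil { return nil, status.Error(codes.Internal, "describe response is missing certificate authority details") }`, covers both uses. Configure begins before this hunk and continues past it.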
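Review bot: In the `@@ -138,7 +146,7 @@` hunk the operator-supplied `config.SigningAlgorithm` remains a free-form string that is only cast to `acmpcatypes.SigningAlgorithm` when the CSR is submitted, so an unsupported value is first noticed at issuance time as an ACM PCA error rather than at Configure time. The v2 enum exposes its valid set as `acmpcatypes.SigningAlgorithm("").Values()`; checking a non-empty `config.SigningAlgorithm` against it here and returning `codes.InvalidArgument` on a miss would surface the misconfiguration where it is made. The CA default read from `CertificateAuthorityConfiguration.SigningAlgorithm` does not need the check since it comes from the service itself.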
@@ -186,13 +194,13 @@ func (p *PCAPlugin) MintX509CAAndSubscribe(request *upstreamauthorityv1.MintX509 p.log.Info("Submitting CSR to ACM", "signing_algorithm", config.signingAlgorithm) validityPeriod := time.Second * time.Duration(request.PreferredTtl) - issueResponse, err := p.pcaClient.IssueCertificateWithContext(ctx, &acmpca.IssueCertificateInput{ + issueResponse, err := p.pcaClient.IssueCertificate(ctx, &acmpca.IssueCertificateInput{ CertificateAuthorityArn: aws.String(config.certificateAuthorityArn), - SigningAlgorithm: aws.String(config.signingAlgorithm), + SigningAlgorithm: acmpcatypes.SigningAlgorithm(config.signingAlgorithm), Csr: csrBuf.Bytes(), TemplateArn: aws.String(config.caSigningTemplateArn), - Validity: &acmpca.Validity{ - Type: aws.String(acmpca.ValidityPeriodTypeAbsolute), + Validity: &acmpcatypes.Validity{ + Type: acmpcatypes.ValidityPeriodTypeAbsolute, Value: aws.Int64(p.hooks.clock.Now().Add(validityPeriod).Unix()), }, }) 
@@ -204,36 +212,36 @@ func (p *PCAPlugin) MintX509CAAndSubscribe(request *upstreamauthorityv1.MintX509 // the certificate has been issued certificateArn := issueResponse.CertificateArn - p.log.Info("Waiting for issuance from ACM", "certificate_arn", aws.StringValue(certificateArn)) + p.log.Info("Waiting for issuance from ACM", "certificate_arn", aws.ToString(certificateArn)) getCertificateInput := &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(config.certificateAuthorityArn), CertificateArn: certificateArn, } - err = p.pcaClient.WaitUntilCertificateIssuedWithContext(ctx, getCertificateInput) - if err != nil { + waiter := p.hooks.newCertificateIssuedWaiter(p.pcaClient) + if err := waiter.Wait(ctx, getCertificateInput, maxCertIssuanceWaitDur); err != nil { return status.Errorf(codes.Internal, "failed waiting for issuance: %v", err) } - p.log.Info("Certificate issued", "certificate_arn", aws.StringValue(certificateArn)) + p.log.Info("Certificate issued", "certificate_arn", aws.ToString(certificateArn)) // Finally get the certificate contents - p.log.Info("Retrieving certificate and chain from ACM", "certificate_arn", aws.StringValue(certificateArn)) - getResponse, err := p.pcaClient.GetCertificateWithContext(ctx, getCertificateInput) + p.log.Info("Retrieving certificate and chain from ACM", "certificate_arn", aws.ToString(certificateArn)) + getResponse, err := p.pcaClient.GetCertificate(ctx, getCertificateInput) if err != nil { return status.Errorf(codes.Internal, "failed to get cerficates: %v", err) } // Parse the cert from the response - cert, err := pemutil.ParseCertificate([]byte(aws.StringValue(getResponse.Certificate))) + cert, err := pemutil.ParseCertificate([]byte(aws.ToString(getResponse.Certificate))) if err != nil { return status.Errorf(codes.Internal, "failed to parse certificate from response: %v", err) } // Parse the chain from the response - certChain, err := 
pemutil.ParseCertificates([]byte(aws.StringValue(getResponse.CertificateChain))) + certChain, err := pemutil.ParseCertificates([]byte(aws.ToString(getResponse.CertificateChain))) if err != nil { return status.Errorf(codes.Internal, "failed to parse certificate chain from response: %v", err) } - p.log.Info("Certificate and chain received", "certificate_arn", aws.StringValue(certificateArn)) + p.log.Info("Certificate and chain received", "certificate_arn", aws.ToString(certificateArn)) // ACM's API outputs the certificate chain from a GetCertificate call in the following // order: A (signed by B) -> B (signed by ROOT) -> ROOT. diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go index 4e09f92c02..e8fdb7d264 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go 
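Review bot: In `waiter.Wait(ctx, getCertificateInput, maxCertIssuanceWaitDur)` every failure, including the caller's context being cancelled and the 3-minute bound being exceeded, is mapped to `codes.Internal` under the same `failed waiting for issuance` prefix, so a slow CA and a broken one are indistinguishable to callers. The v2 waiter presumably returns its own timeout error once `maxCertIssuanceWaitDur` elapses and propagates `ctx.Err()` on cancellation (worth confirming against the SDK); at minimum `errors.Is(err, context.Canceled)` / `errors.Is(err, context.DeadlineExceeded)` should map to `codes.Canceled` / `codes.DeadlineExceeded` before falling back to Internal. A smaller point: `aws.ToString(certificateArn)` is re-evaluated for four log lines; a single `arn := aws.ToString(certificateArn)` ahead of the first log reads better. MintX509CAAndSubscribe starts before and continues past this hunk.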
@@ -1,49 +1,67 @@ package awspca import ( + "context" + "fmt" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/credentials/stscreds" - "github.com/aws/aws-sdk-go/aws/request" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/acmpca" - "github.com/aws/aws-sdk-go/service/sts" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/credentials/stscreds" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/sts" ) // PCAClient provides an interface which can be mocked to test // the functionality of the plugin. type PCAClient interface { - DescribeCertificateAuthorityWithContext(aws.Context, *acmpca.DescribeCertificateAuthorityInput, ...request.Option) (*acmpca.DescribeCertificateAuthorityOutput, error) - IssueCertificateWithContext(aws.Context, *acmpca.IssueCertificateInput, ...request.Option) (*acmpca.IssueCertificateOutput, error) - WaitUntilCertificateIssuedWithContext(aws.Context, *acmpca.GetCertificateInput, ...request.WaiterOption) error - GetCertificateWithContext(aws.Context, *acmpca.GetCertificateInput, ...request.Option) (*acmpca.GetCertificateOutput, error) + DescribeCertificateAuthority(context.Context, *acmpca.DescribeCertificateAuthorityInput, ...func(*acmpca.Options)) (*acmpca.DescribeCertificateAuthorityOutput, error) + IssueCertificate(context.Context, *acmpca.IssueCertificateInput, ...func(*acmpca.Options)) (*acmpca.IssueCertificateOutput, error) + GetCertificate(context.Context, *acmpca.GetCertificateInput, ...func(*acmpca.Options)) (*acmpca.GetCertificateOutput, error) } -func newPCAClient(config *Configuration) (PCAClient, error) { - awsConfig := &aws.Config{ - Region: aws.String(config.Region), - Endpoint: aws.String(config.Endpoint), +type certificateIssuedWaiter interface { + Wait(context.Context, *acmpca.GetCertificateInput, time.Duration, 
...func(*acmpca.CertificateIssuedWaiterOptions)) error + WaitForOutput(context.Context, *acmpca.GetCertificateInput, time.Duration, ...func(*acmpca.CertificateIssuedWaiterOptions)) (*acmpca.GetCertificateOutput, error) +} + +func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { + var endpointResolver aws.EndpointResolverWithOptions + if cfg.Endpoint != "" { + endpointResolver = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) { + if service == acmpca.ServiceID && region == cfg.Region { + return aws.Endpoint{ + PartitionID: "aws", + URL: cfg.Endpoint, + SigningRegion: region, + }, nil + } + + return aws.Endpoint{}, fmt.Errorf("unknown endpoint requested") + }) } - // Optional: Assuming role - if config.AssumeRoleARN != "" { - staticsess, err := session.NewSession(&aws.Config{Credentials: awsConfig.Credentials}) + var credsProvider aws.CredentialsProvider + switch { + case cfg.AssumeRoleARN != "": + stsClient := sts.NewFromConfig(aws.Config{}) + credsProvider = stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN) + default: + awsCfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(cfg.Region), config.WithEndpointResolverWithOptions(endpointResolver)) if err != nil { return nil, err } - awsConfig.Credentials = credentials.NewCredentials(&stscreds.AssumeRoleProvider{ - Client: sts.New(staticsess), - RoleARN: config.AssumeRoleARN, - Duration: 15 * time.Minute, - }) - } - awsSession, err := session.NewSession(awsConfig) - if err != nil { - return nil, err + credsProvider = awsCfg.Credentials } - return acmpca.New(awsSession), nil + return acmpca.NewFromConfig(aws.Config{ + Region: cfg.Region, + EndpointResolverWithOptions: endpointResolver, + Credentials: credsProvider, + }), nil +} + +func newCertificateIssuedWaiter(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { + return 
acmpca.NewCertificateIssuedWaiter(client, optFns...) } diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go index 08d3720c45..caa7f5a4cd 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go @@ -1,11 +1,11 @@ package awspca import ( + "context" "testing" + "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/request" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/service/acmpca" "github.com/stretchr/testify/require" ) @@ -27,7 +27,7 @@ type pcaClientFake struct { waitUntilCertificateIssuedErr error } -func (f *pcaClientFake) DescribeCertificateAuthorityWithContext(ctx aws.Context, input *acmpca.DescribeCertificateAuthorityInput, option ...request.Option) (*acmpca.DescribeCertificateAuthorityOutput, error) { +func (f *pcaClientFake) DescribeCertificateAuthority(ctx context.Context, input *acmpca.DescribeCertificateAuthorityInput, optFns ...func(*acmpca.Options)) (*acmpca.DescribeCertificateAuthorityOutput, error) { require.Equal(f.t, f.expectedDescribeInput, input) if f.describeCertificateErr != nil { return nil, f.describeCertificateErr @@ -35,7 +35,7 @@ func (f *pcaClientFake) DescribeCertificateAuthorityWithContext(ctx aws.Context, return f.describeCertificateOutput, nil } -func (f *pcaClientFake) IssueCertificateWithContext(ctx aws.Context, input *acmpca.IssueCertificateInput, option ...request.Option) (*acmpca.IssueCertificateOutput, error) { +func (f *pcaClientFake) IssueCertificate(ctx context.Context, input *acmpca.IssueCertificateInput, optFns ...func(*acmpca.Options)) (*acmpca.IssueCertificateOutput, error) { require.Equal(f.t, f.expectedIssueInput, input) if f.issueCertifcateErr != nil { return nil, f.issueCertifcateErr 
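Review bot: In `newPCAClient` the `cfg.AssumeRoleARN != ""` branch creates the STS client from an empty `aws.Config{}` — no region and no base credentials — and the `config.LoadDefaultConfig` call that would supply them only runs in the `default` branch, whereas the removed v1 code derived the STS session from the default chain; unless the v2 STS client obtains those some other way, the assume-role path no longer works. The `stscreds.NewAssumeRoleProvider` result is also assigned to `Credentials` without `aws.NewCredentialsCache`, which in v2 means an STS AssumeRole round-trip per ACM PCA request rather than one per credential lifetime. Separately, the custom resolver answers every service other than acmpca with `fmt.Errorf("unknown endpoint requested")`; because `LoadDefaultConfig` receives that resolver, any default-chain provider that itself calls STS or SSO would presumably fail endpoint resolution, and returning `&aws.EndpointNotFoundError{}` instead lets the SDK fall back to its default resolver for those services (the hard-coded `PartitionID: "aws"` is likewise only right for the commercial partition). The sketch below loads the default config once and builds both clients from it.
```go
func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) {
	var endpointResolver aws.EndpointResolverWithOptions
	if cfg.Endpoint != "" {
		endpointResolver = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
			// … unchanged: return cfg.Endpoint for acmpca in cfg.Region …

			// Any other service (STS for AssumeRole, SSO in the default chain) falls
			// back to the SDK's default resolver instead of failing outright.
			return aws.Endpoint{}, &aws.EndpointNotFoundError{}
		})
	}

	// Region, base credentials and the optional custom resolver are loaded once
	// and shared by the STS and ACM PCA clients.
	awsCfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(cfg.Region), config.WithEndpointResolverWithOptions(endpointResolver))
	if err != nil {
		return nil, err
	}

	// Optional: assume a role. The STS client must be built from the loaded config so
	// it has a region and credentials to sign with; the cache avoids an AssumeRole
	// call on every ACM PCA request.
	if cfg.AssumeRoleARN != "" {
		stsClient := sts.NewFromConfig(awsCfg)
		awsCfg.Credentials = aws.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN))
	}

	return acmpca.NewFromConfig(awsCfg), nil
}
```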
@@ -43,16 +43,29 @@ func (f *pcaClientFake) IssueCertificateWithContext(ctx aws.Context, input *acmp return f.issueCertificateOutput, nil } -func (f *pcaClientFake) WaitUntilCertificateIssuedWithContext(ctx aws.Context, input *acmpca.GetCertificateInput, option ...request.WaiterOption) error { +func (f *pcaClientFake) GetCertificate(ctx context.Context, input *acmpca.GetCertificateInput, optFns ...func(*acmpca.Options)) (*acmpca.GetCertificateOutput, error) { + require.Equal(f.t, f.expectedGetCertificateInput, input) + if f.getCertificateErr != nil { + return nil, f.getCertificateErr + } + return f.getCertificateOutput, nil +} + +type fakeCertificateIssuedWaiter struct { + t testing.TB + expectedGetCertificateInput *acmpca.GetCertificateInput + waitUntilCertificateIssuedErr error + getCertificateOutput *acmpca.GetCertificateOutput +} + +func (f *fakeCertificateIssuedWaiter) Wait(ctx context.Context, input *acmpca.GetCertificateInput, maxWaitDur time.Duration, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) error { require.Equal(f.t, f.expectedGetCertificateInput, input) return f.waitUntilCertificateIssuedErr } -func (f *pcaClientFake) GetCertificateWithContext(ctx aws.Context, input *acmpca.GetCertificateInput, option ...request.Option) (*acmpca.GetCertificateOutput, error) { +func (f *fakeCertificateIssuedWaiter) WaitForOutput(ctx context.Context, input *acmpca.GetCertificateInput, maxWaitDur time.Duration, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) (*acmpca.GetCertificateOutput, error) { require.Equal(f.t, f.expectedGetCertificateInput, input) - if f.getCertificateErr != nil { - return nil, f.getCertificateErr - } - return f.getCertificateOutput, nil + return f.getCertificateOutput, f.waitUntilCertificateIssuedErr + } diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go index 99db14f194..7b7eaa72a7 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go 
+++ b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go @@ -6,14 +6,15 @@ import ( "crypto/x509" "encoding/pem" "errors" + "fmt" "io" "testing" "time" "github.com/andres-erbsen/clock" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/service/acmpca" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/acmpca" + acmpcatypes "github.com/aws/aws-sdk-go-v2/service/acmpca/types" "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/server/plugin/upstreamauthority" "github.com/spiffe/spire/proto/spire/common" @@ -120,7 +121,7 @@ func TestConfigure(t *testing.T) { }, { test: "Describe certificate fails", - expectDescribeErr: awserr.New("Internal", "some error", errors.New("oh no")), + expectDescribeErr: awsErr("Internal", "some error", errors.New("oh no")), region: validRegion, certificateAuthorityARN: validCertificateAuthorityARN, caSigningTemplateARN: validCASigningTemplateARN, @@ -174,7 +175,7 @@ badjson }, { test: "Fail to create client", - newClientErr: aws.ErrMissingEndpoint, + newClientErr: awsErr("MissingEndpoint", "'Endpoint' configuration is required for this service", nil), region: validRegion, certificateAuthorityARN: validCertificateAuthorityARN, caSigningTemplateARN: validCASigningTemplateARN, 
@@ -212,12 +213,16 @@ badjson p := new(PCAPlugin) p.hooks.clock = clock - p.hooks.newClient = func(config *Configuration) (PCAClient, error) { + p.hooks.newClient = newACMPCAClientFunc(func(ctx context.Context, config *Configuration) (PCAClient, error) { if tt.newClientErr != nil { return nil, tt.newClientErr } return client, nil - } + }) + p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { + return &fakeCertificateIssuedWaiter{} + }) + setupDescribeCertificateAuthority(client, tt.expectedDescribeStatus, tt.expectDescribeErr) plugintest.Load(t, builtin(p), nil, options...) @@ -293,7 +298,7 @@ func TestMintX509CA(t *testing.T) { expectTTL time.Duration }{ { - test: "Succesull mint", + test: "Successful mint", config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, @@ -324,16 +329,16 @@ func TestMintX509CA(t *testing.T) { config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, - issuedCertErr: awserr.New("Internal", "some error", errors.New("oh no")), + issuedCertErr: awsErr("Internal", "some error", errors.New("oh no")), expectCode: codes.Internal, expectMsgPrefix: "upstreamauthority(aws_pca): failed submitting CSR: Internal: some error\ncaused by: oh no", }, { - test: "Issueance wait fails", + test: "Issuance wait fails", config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, - waitCertErr: awserr.New("Internal", "some error", errors.New("oh no")), + waitCertErr: awsErr("Internal", "some error", errors.New("oh no")), expectCode: codes.Internal, expectMsgPrefix: "upstreamauthority(aws_pca): failed waiting for issuance: Internal: some error\ncaused by: oh no", }, 
@@ -342,12 +347,12 @@ func TestMintX509CA(t *testing.T) { config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, - getCertificateErr: awserr.New("Internal", "some error", errors.New("oh no")), + getCertificateErr: awsErr("Internal", "some error", errors.New("oh no")), expectCode: codes.Internal, expectMsgPrefix: "upstreamauthority(aws_pca): failed to get cerficates: Internal: some error\ncaused by: oh no", }, { - test: "Fails to parce certificate from GetCertificate", + test: "Fails to parse certificate from GetCertificate", config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, @@ -357,7 +362,7 @@ func TestMintX509CA(t *testing.T) { expectMsgPrefix: "upstreamauthority(aws_pca): failed to parse certificate from response: no PEM blocks", }, { - test: "Fails to parce certificate chain from GetCertificate", + test: "Fails to parse certificate chain from GetCertificate", config: successConfig, csr: makeCSR("spiffe://example.com/foo"), preferredTTL: 300 * time.Second, @@ -370,14 +375,18 @@ func TestMintX509CA(t *testing.T) { tt := tt t.Run(tt.test, func(t *testing.T) { client := &pcaClientFake{t: t} + certIssuedWaiter := &fakeCertificateIssuedWaiter{t: t} clk := clock.NewMock() // Configure plugin setupDescribeCertificateAuthority(client, "ACTIVE", nil) p := New() - p.hooks.newClient = func(config *Configuration) (PCAClient, error) { + p.hooks.newClient = func(ctx context.Context, config *Configuration) (PCAClient, error) { return client, nil } + p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { + return certIssuedWaiter + }) p.hooks.clock = clk ua := new(upstreamauthority.V1) 
@@ -392,7 +401,7 @@ func TestMintX509CA(t *testing.T) { // Setup expected responses and verify parameters to AWS client setupIssueCertificate(client, clk, expectPem, tt.issuedCertErr) - setupWaitUntilCertificateIssued(client, tt.waitCertErr) + setupWaitUntilCertificateIssued(certIssuedWaiter, tt.waitCertErr) setupGetCertificate(client, tt.getCertificateCert, tt.getCertificateCertChain, tt.getCertificateErr) x509CA, x509Authorities, stream, err := ua.MintX509CA(context.Background(), tt.csr, tt.preferredTTL) @@ -421,9 +430,12 @@ func TestPublishJWTKey(t *testing.T) { // Configure plugin setupDescribeCertificateAuthority(client, "ACTIVE", nil) p := New() - p.hooks.newClient = func(config *Configuration) (PCAClient, error) { + p.hooks.newClient = func(ctx context.Context, config *Configuration) (PCAClient, error) { return client, nil } + p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { + return &fakeCertificateIssuedWaiter{} + }) ua := new(upstreamauthority.V1) var err error @@ -456,13 +468,13 @@ func setupDescribeCertificateAuthority(client *pcaClientFake, status string, err client.describeCertificateErr = err client.describeCertificateOutput = &acmpca.DescribeCertificateAuthorityOutput{ - CertificateAuthority: &acmpca.CertificateAuthority{ - CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityConfiguration{ - SigningAlgorithm: aws.String("defaultSigningAlgorithm"), + CertificateAuthority: &acmpcatypes.CertificateAuthority{ + CertificateAuthorityConfiguration: &acmpcatypes.CertificateAuthorityConfiguration{ + SigningAlgorithm: acmpcatypes.SigningAlgorithm("defaultSigningAlgorithm"), }, // For all possible statuses, see: // https://docs.aws.amazon.com/cli/latest/reference/acm-pca/describe-certificate-authority.html - Status: aws.String(status), + Status: acmpcatypes.CertificateAuthorityStatus(status), }, } } 
@@ -470,11 +482,11 @@ func setupDescribeCertificateAuthority(client *pcaClientFake, status string, err func setupIssueCertificate(client *pcaClientFake, clk clock.Clock, csr []byte, err error) { client.expectedIssueInput = &acmpca.IssueCertificateInput{ CertificateAuthorityArn: aws.String(validCertificateAuthorityARN), - SigningAlgorithm: aws.String(validSigningAlgorithm), + SigningAlgorithm: acmpcatypes.SigningAlgorithm(validSigningAlgorithm), Csr: csr, TemplateArn: aws.String(validCASigningTemplateARN), - Validity: &acmpca.Validity{ - Type: aws.String(acmpca.ValidityPeriodTypeAbsolute), + Validity: &acmpcatypes.Validity{ + Type: acmpcatypes.ValidityPeriodType(acmpcatypes.ValidityPeriodTypeAbsolute), Value: aws.Int64(clk.Now().Add(time.Second * testTTL).Unix()), }, } @@ -484,7 +496,7 @@ func setupIssueCertificate(client *pcaClientFake, clk clock.Clock, csr []byte, e } } -func setupWaitUntilCertificateIssued(client *pcaClientFake, err error) { +func setupWaitUntilCertificateIssued(client *fakeCertificateIssuedWaiter, err error) { client.expectedGetCertificateInput = &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(validCertificateAuthorityARN), CertificateArn: aws.String("certificateArn"), @@ -528,3 +540,7 @@ func svidFixture(t *testing.T) (*x509.Certificate, *bytes.Buffer) { require.NoError(t, err) return cert, encodedCert } + +func awsErr(code, status string, err error) error { + return fmt.Errorf("%s: %s\ncaused by: %s", code, status, err) +} From 30a26abc58fd1530ac7614ac8e4b8049625da603 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 9 Feb 2022 03:24:10 +0000 Subject: [PATCH 2/8] Linter fixes Signed-off-by: Ryan Turner --- pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go | 3 --- pkg/server/plugin/upstreamauthority/awspca/pca_test.go | 4 ++-- 2 files changed, 2 insertions(+), 5 deletions(-) 
diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go index caa7f5a4cd..cd3ef5466a 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go @@ -23,8 +23,6 @@ type pcaClientFake struct { expectedGetCertificateInput *acmpca.GetCertificateInput getCertificateOutput *acmpca.GetCertificateOutput getCertificateErr error - - waitUntilCertificateIssuedErr error } func (f *pcaClientFake) DescribeCertificateAuthority(ctx context.Context, input *acmpca.DescribeCertificateAuthorityInput, optFns ...func(*acmpca.Options)) (*acmpca.DescribeCertificateAuthorityOutput, error) { @@ -67,5 +65,4 @@ func (f *fakeCertificateIssuedWaiter) Wait(ctx context.Context, input *acmpca.Ge func (f *fakeCertificateIssuedWaiter) WaitForOutput(ctx context.Context, input *acmpca.GetCertificateInput, maxWaitDur time.Duration, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) (*acmpca.GetCertificateOutput, error) { require.Equal(f.t, f.expectedGetCertificateInput, input) return f.getCertificateOutput, f.waitUntilCertificateIssuedErr - } diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go index 7b7eaa72a7..065d726738 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go @@ -486,7 +486,7 @@ func setupIssueCertificate(client *pcaClientFake, clk clock.Clock, csr []byte, e Csr: csr, TemplateArn: aws.String(validCASigningTemplateARN), Validity: &acmpcatypes.Validity{ - Type: acmpcatypes.ValidityPeriodType(acmpcatypes.ValidityPeriodTypeAbsolute), + Type: acmpcatypes.ValidityPeriodTypeAbsolute, Value: aws.Int64(clk.Now().Add(time.Second * testTTL).Unix()), }, } 
@@ -542,5 +542,5 @@ func svidFixture(t *testing.T) (*x509.Certificate, *bytes.Buffer) { } func awsErr(code, status string, err error) error { - return fmt.Errorf("%s: %s\ncaused by: %s", code, status, err) + return fmt.Errorf("%s: %s\ncaused by: %w", code, status, err) } From c4dd9a6bdead454b4a29019438741efd978d750c Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 9 Feb 2022 03:25:38 +0000 Subject: [PATCH 3/8] Consolidate require blocks in go.mod Signed-off-by: Ryan Turner --- go.mod | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 22b0d11c23..3ce10dfd47 100644 --- a/go.mod +++ b/go.mod @@ -18,6 +18,7 @@ require ( github.com/aws/aws-sdk-go-v2 v1.13.0 github.com/aws/aws-sdk-go-v2/config v1.13.1 github.com/aws/aws-sdk-go-v2/credentials v1.8.0 + github.com/aws/aws-sdk-go-v2/service/acmpca v1.14.0 github.com/aws/aws-sdk-go-v2/service/kms v1.14.0 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0 github.com/aws/aws-sdk-go-v2/service/sts v1.14.0 @@ -76,8 +77,6 @@ require ( sigs.k8s.io/controller-runtime v0.11.0 ) -require github.com/aws/aws-sdk-go-v2/service/acmpca v1.14.0 - require ( cloud.google.com/go v0.100.2 // indirect cloud.google.com/go/compute v1.1.0 // indirect From 74e6dfdd39f559cb6fcfa67dec3ac53203853878 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Wed, 9 Feb 2022 17:56:30 +0000 Subject: [PATCH 4/8] Mock retry function rather than entire Waiter Signed-off-by: Ryan Turner --- .../plugin/upstreamauthority/awspca/pca.go | 25 +++++++++++++------ .../upstreamauthority/awspca/pca_client.go | 10 -------- .../awspca/pca_client_fake.go | 19 -------------- .../upstreamauthority/awspca/pca_test.go | 23 +++++++---------- 4 files changed, 26 insertions(+), 51 deletions(-) diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca.go b/pkg/server/plugin/upstreamauthority/awspca/pca.go index 7484c16970..41b5ecc491 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca.go 
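Review bot: `awsErr` is invoked with a nil cause in TestConfigure's "Fail to create client" case (`awsErr("MissingEndpoint", "...", nil)` in patch 1), and with the `%w` verb a nil operand renders as `%!w(<nil>)`, so that case's error text now ends in a format artefact; it only passes if the assertion is a prefix match that stops before it, which this hunk does not show. A guard before the existing return keeps the text clean: `if err == nil { return fmt.Errorf("%s: %s", code, status) }`. The second parameter is the human-readable message rather than a status, so `msg` would be the clearer name.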
+++ b/pkg/server/plugin/upstreamauthority/awspca/pca.go @@ -37,7 +37,7 @@ const ( ) type newACMPCAClientFunc func(context.Context, *Configuration) (PCAClient, error) -type newCertificateIssuedWaiterFunc func(acmpca.GetCertificateAPIClient, ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter +type certificateIssuedWaitRetryFunc func(context.Context, *acmpca.GetCertificateInput, *acmpca.GetCertificateOutput, error) (bool, error) func BuiltIn() catalog.BuiltIn { return builtin(New()) @@ -73,9 +73,9 @@ type PCAPlugin struct { config *configuration hooks struct { - clock clock.Clock - newClient newACMPCAClientFunc - newCertificateIssuedWaiter newCertificateIssuedWaiterFunc + clock clock.Clock + newClient newACMPCAClientFunc + waitRetryFn certificateIssuedWaitRetryFunc } } @@ -88,14 +88,14 @@ type configuration struct { // New returns an instantiated plugin func New() *PCAPlugin { - return newPlugin(newPCAClient, newCertificateIssuedWaiter) + return newPlugin(newPCAClient, nil) } -func newPlugin(newClient newACMPCAClientFunc, newWaiter newCertificateIssuedWaiterFunc) *PCAPlugin { +func newPlugin(newClient newACMPCAClientFunc, waitRetryFn certificateIssuedWaitRetryFunc) *PCAPlugin { p := &PCAPlugin{} p.hooks.clock = clock.New() p.hooks.newClient = newClient - p.hooks.newCertificateIssuedWaiter = newWaiter + p.hooks.waitRetryFn = waitRetryFn return p } 
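Review bot: `certificateIssuedWaitRetryFunc` has no comment, and its four-argument signature only makes sense to a reader who already knows it mirrors `acmpca.CertificateIssuedWaiterOptions.Retryable`; a line such as `// certificateIssuedWaitRetryFunc matches CertificateIssuedWaiterOptions.Retryable; nil keeps the SDK default and is only overridden by tests.` would say so. In the `-88` hunk `New()` now passes `nil` for this hook, which is correct only because the waiter construction guards on `p.hooks.waitRetryFn != nil`; that contract belongs on the `hooks` field, e.g. `// waitRetryFn, when non-nil, replaces the waiter's Retryable decision (test seam).`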
@@ -217,7 +217,16 @@ func (p *PCAPlugin) MintX509CAAndSubscribe(request *upstreamauthorityv1.MintX509 CertificateAuthorityArn: aws.String(config.certificateAuthorityArn), CertificateArn: certificateArn, } - waiter := p.hooks.newCertificateIssuedWaiter(p.pcaClient) + + var certIssuedWaitOptFns []func(*acmpca.CertificateIssuedWaiterOptions) + if p.hooks.waitRetryFn != nil { + retryableOption := func(opts *acmpca.CertificateIssuedWaiterOptions) { + opts.Retryable = p.hooks.waitRetryFn + } + certIssuedWaitOptFns = append(certIssuedWaitOptFns, retryableOption) + } + + waiter := acmpca.NewCertificateIssuedWaiter(p.pcaClient, certIssuedWaitOptFns...) if err := waiter.Wait(ctx, getCertificateInput, maxCertIssuanceWaitDur); err != nil { return status.Errorf(codes.Internal, "failed waiting for issuance: %v", err) } diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go index e8fdb7d264..1defa0d369 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go @@ -3,7 +3,6 @@ package awspca import ( "context" "fmt" - "time" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" @@ -20,11 +19,6 @@ type PCAClient interface { GetCertificate(context.Context, *acmpca.GetCertificateInput, ...func(*acmpca.Options)) (*acmpca.GetCertificateOutput, error) } -type certificateIssuedWaiter interface { - Wait(context.Context, *acmpca.GetCertificateInput, time.Duration, ...func(*acmpca.CertificateIssuedWaiterOptions)) error - WaitForOutput(context.Context, *acmpca.GetCertificateInput, time.Duration, ...func(*acmpca.CertificateIssuedWaiterOptions)) (*acmpca.GetCertificateOutput, error) -} - func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { var endpointResolver aws.EndpointResolverWithOptions if cfg.Endpoint != "" { 
@@ -61,7 +55,3 @@ func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { Credentials: credsProvider, }), nil } - -func newCertificateIssuedWaiter(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { - return acmpca.NewCertificateIssuedWaiter(client, optFns...) -} diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go index cd3ef5466a..d00119d571 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client_fake.go @@ -3,7 +3,6 @@ package awspca import ( "context" "testing" - "time" "github.com/aws/aws-sdk-go-v2/service/acmpca" "github.com/stretchr/testify/require" @@ -48,21 +47,3 @@ func (f *pcaClientFake) GetCertificate(ctx context.Context, input *acmpca.GetCer } return f.getCertificateOutput, nil } - -type fakeCertificateIssuedWaiter struct { - t testing.TB - expectedGetCertificateInput *acmpca.GetCertificateInput - waitUntilCertificateIssuedErr error - getCertificateOutput *acmpca.GetCertificateOutput -} - -func (f *fakeCertificateIssuedWaiter) Wait(ctx context.Context, input *acmpca.GetCertificateInput, maxWaitDur time.Duration, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) error { - require.Equal(f.t, f.expectedGetCertificateInput, input) - - return f.waitUntilCertificateIssuedErr -} - -func (f *fakeCertificateIssuedWaiter) WaitForOutput(ctx context.Context, input *acmpca.GetCertificateInput, maxWaitDur time.Duration, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) (*acmpca.GetCertificateOutput, error) { - require.Equal(f.t, f.expectedGetCertificateInput, input) - return f.getCertificateOutput, f.waitUntilCertificateIssuedErr -} diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go index 065d726738..9d03a1824b 100644 
--- a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go @@ -219,9 +219,7 @@ badjson } return client, nil }) - p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { - return &fakeCertificateIssuedWaiter{} - }) + setupWaitUntilCertificateIssued(t, p, nil) setupDescribeCertificateAuthority(client, tt.expectedDescribeStatus, tt.expectDescribeErr) @@ -375,7 +373,6 @@ func TestMintX509CA(t *testing.T) { tt := tt t.Run(tt.test, func(t *testing.T) { client := &pcaClientFake{t: t} - certIssuedWaiter := &fakeCertificateIssuedWaiter{t: t} clk := clock.NewMock() // Configure plugin @@ -384,9 +381,6 @@ func TestMintX509CA(t *testing.T) { p.hooks.newClient = func(ctx context.Context, config *Configuration) (PCAClient, error) { return client, nil } - p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { - return certIssuedWaiter - }) p.hooks.clock = clk ua := new(upstreamauthority.V1) @@ -401,7 +395,7 @@ func TestMintX509CA(t *testing.T) { // Setup expected responses and verify parameters to AWS client setupIssueCertificate(client, clk, expectPem, tt.issuedCertErr) - setupWaitUntilCertificateIssued(certIssuedWaiter, tt.waitCertErr) + setupWaitUntilCertificateIssued(t, p, tt.waitCertErr) setupGetCertificate(client, tt.getCertificateCert, tt.getCertificateCertChain, tt.getCertificateErr) x509CA, x509Authorities, stream, err := ua.MintX509CA(context.Background(), tt.csr, tt.preferredTTL) 
@@ -433,9 +427,7 @@ func TestPublishJWTKey(t *testing.T) { p.hooks.newClient = func(ctx context.Context, config *Configuration) (PCAClient, error) { return client, nil } - p.hooks.newCertificateIssuedWaiter = newCertificateIssuedWaiterFunc(func(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter { - return &fakeCertificateIssuedWaiter{} - }) + setupWaitUntilCertificateIssued(t, p, nil) ua := new(upstreamauthority.V1) var err error @@ -496,13 +488,16 @@ func setupIssueCertificate(client *pcaClientFake, clk clock.Clock, csr []byte, e } } -func setupWaitUntilCertificateIssued(client *fakeCertificateIssuedWaiter, err error) { - client.expectedGetCertificateInput = &acmpca.GetCertificateInput{ +func setupWaitUntilCertificateIssued(t testing.TB, p *PCAPlugin, err error) { + expectedGetCertificateInput := &acmpca.GetCertificateInput{ CertificateAuthorityArn: aws.String(validCertificateAuthorityARN), CertificateArn: aws.String("certificateArn"), } - client.waitUntilCertificateIssuedErr = err + p.hooks.waitRetryFn = certificateIssuedWaitRetryFunc(func(ctx context.Context, input *acmpca.GetCertificateInput, output *acmpca.GetCertificateOutput, innerErr error) (bool, error) { + require.Equal(t, expectedGetCertificateInput, input) + return false, err + }) } func setupGetCertificate(client *pcaClientFake, encodedCert string, encodedCertChain string, err error) { From f9ac2fb00d14b0e5fc6a374bfd64d2603cb7c2ae Mon Sep 17 00:00:00 2001 From: Marcos Yacob Date: Fri, 1 Jul 2022 11:24:54 -0300 Subject: [PATCH 5/8] Update sts configuration on aws pca upstream authority Signed-off-by: Marcos Yacob --- .../upstreamauthority/awspca/pca_client.go | 43 ++++++++++++------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go index 1defa0d369..8fcc53aeda 100644 
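Review bot: `setupWaitUntilCertificateIssued` now installs a `Retryable` override that returns `false` unconditionally, which ends the waiter after its first GetCertificate poll regardless of `output`; that is fine for these tests but worth stating, since the helper's name still suggests it drives a wait. A doc comment such as `// setupWaitUntilCertificateIssued short-circuits the CertificateIssued waiter: the hook asserts the GetCertificate input and ends the wait after one poll, failing it with err when err is non-nil.` would do. The `innerErr` parameter is never read; naming it `_` makes that explicit and avoids the reader wondering whether it was meant to be returned instead of the captured `err`. The same helper is what the call-site hunks in the earlier part of this file now rely on.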
--- a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go @@ -20,9 +20,13 @@ type PCAClient interface { } func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { - var endpointResolver aws.EndpointResolverWithOptions + var opts []func(*config.LoadOptions) error + if cfg.Region != "" { + opts = append(opts, config.WithRegion(cfg.Region)) + } + if cfg.Endpoint != "" { - endpointResolver = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) { + endpointResolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) { if service == acmpca.ServiceID && region == cfg.Region { return aws.Endpoint{ PartitionID: "aws", 
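Review bot: Region has become optional for `LoadDefaultConfig` (the new `if cfg.Region != ""` guard), but the endpoint resolver registered right below still requires `region == cfg.Region`; with `Endpoint` set and `Region` unset, the SDK resolves the region from the environment or profile and the resolver then rejects every ACM PCA request with the "unknown endpoint" error. If an explicit endpoint is meant to be usable without an explicit region, the check should be `if service == acmpca.ServiceID && (cfg.Region == "" || region == cfg.Region) {`; otherwise the configuration validation (outside this hunk) should reject `Endpoint` without `Region`, so the misconfiguration is reported at configure time rather than on the first CA call. newPCAClient continues into the next hunk.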
@@ -33,25 +37,34 @@ func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { return aws.Endpoint{}, fmt.Errorf("unknown endpoint requested") }) + opts = append(opts, config.WithEndpointResolverWithOptions(endpointResolver)) + } + + awsCfg, err := config.LoadDefaultConfig(ctx, opts...) + if err != nil { + return nil, err } - var credsProvider aws.CredentialsProvider - switch { - case cfg.AssumeRoleARN != "": - stsClient := sts.NewFromConfig(aws.Config{}) - credsProvider = stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN) - default: - awsCfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(cfg.Region), config.WithEndpointResolverWithOptions(endpointResolver)) + if cfg.AssumeRoleARN != "" { + awsCfg, err = newAWSAssumeRoleConfig(ctx, cfg.Region, awsCfg, cfg.AssumeRoleARN) if err != nil { return nil, err } + } + + return acmpca.NewFromConfig(awsCfg), nil +} - credsProvider = awsCfg.Credentials +func newAWSAssumeRoleConfig(ctx context.Context, region string, awsConf aws.Config, assumeRoleArn string) (aws.Config, error) { + var opts []func(*config.LoadOptions) error + if region != "" { + opts = append(opts, config.WithRegion(region)) } - return acmpca.NewFromConfig(aws.Config{ - Region: cfg.Region, - EndpointResolverWithOptions: endpointResolver, - Credentials: credsProvider, - }), nil + stsClient := sts.NewFromConfig(awsConf) + opts = append(opts, config.WithCredentialsProvider(aws.NewCredentialsCache( + stscreds.NewAssumeRoleProvider(stsClient, assumeRoleArn))), + ) + + return config.LoadDefaultConfig(ctx, opts...) } From 54a8939aa012fd17c6f623dc8b6a6b1a1bf67f12 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Tue, 5 Jul 2022 21:04:54 +0000 Subject: [PATCH 6/8] Update AWS packages to latest versions Signed-off-by: Ryan Turner --- go.mod | 8 ++++---- go.sum | 8 ++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 9749282f17..5c6f867303 100644 --- a/go.mod +++ b/go.mod 
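Review bot: `newAWSAssumeRoleConfig` rebuilds the configuration with a second `config.LoadDefaultConfig` that receives only the region and the credentials provider, so the endpoint resolver that `newPCAClient` attached to `awsCfg` is dropped whenever `AssumeRoleARN` is set; the ACM PCA client then talks to the SDK's default endpoint instead of the operator's configured one (for example a private VPC endpoint), with no error to show it. Since `awsConf` is already the loaded base configuration and `aws.Config` is passed by value, replacing its credentials and returning it keeps every other setting: `stsClient := sts.NewFromConfig(awsConf)`, `awsConf.Credentials = aws.NewCredentialsCache(stscreds.NewAssumeRoleProvider(stsClient, assumeRoleArn))`, `return awsConf, nil`. With that change the `region` parameter and the second `opts` slice become redundant, and the hunk's deletion of the old `sts.NewFromConfig(aws.Config{})` call remains the fix it intends.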
@@ -18,10 +18,10 @@ require ( github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 github.com/armon/go-metrics v0.4.0 github.com/aws/aws-sdk-go v1.44.0 - github.com/aws/aws-sdk-go-v2 v1.16.6 + github.com/aws/aws-sdk-go-v2 v1.16.7 github.com/aws/aws-sdk-go-v2/config v1.15.12 github.com/aws/aws-sdk-go-v2/credentials v1.12.7 - github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.4 + github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10 github.com/aws/aws-sdk-go-v2/service/kms v1.17.4 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.12 github.com/aws/aws-sdk-go-v2/service/sts v1.16.8 @@ -100,8 +100,8 @@ require ( github.com/agnivade/levenshtein v1.0.1 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.7 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.13 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.14 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.7 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.11.10 // indirect diff --git a/go.sum b/go.sum index e473bf4c20..ab981032e8 100644 --- a/go.sum +++ b/go.sum 
@@ -206,6 +206,8 @@ github.com/aws/aws-sdk-go v1.44.0/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4o
 github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
 github.com/aws/aws-sdk-go-v2 v1.16.6 h1:kzafGZYwkwVgLZ2zEX7P+vTwLli6uIMXF8aGjunN6UI=
 github.com/aws/aws-sdk-go-v2 v1.16.6/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
+github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
+github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw=
 github.com/aws/aws-sdk-go-v2/config v1.15.12 h1:D4mdf0cOSmZRgJe0DDOd1Qm6tkwHJ7r5i1lz0asa+AA=
 github.com/aws/aws-sdk-go-v2/config v1.15.12/go.mod h1:oxRNnH11J580bxDEXyfTqfB3Auo2fxzhV052LD4HnyA=
 github.com/aws/aws-sdk-go-v2/credentials v1.12.7 h1:e2DcCR0gP+T2zVj5eQPMQoRdxo+vd2p9BkpJ72BdyzA=
@@ -215,13 +217,19 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.7/go.mod h1:81k6q0UUZj6AdQZ1
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.13 h1:WuQ1yGs3TMJgxpGVLspcsU/5q1omSA0SG6Cu0yZ4jkM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.13/go.mod h1:wLLesU+LdMZDM3U0PP9vZXJW39zmD/7L4nY2pSrYZ/g=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.7 h1:mCeDDYeDXp3loo/xKi7nkx34eeh7q3n1mUBtzptsj8c=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.7/go.mod h1:93Uot80ddyVzSl//xEJreNKMhxntr71WtR3v/A1cRYk=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.14 h1:bJv4Y9QOiW0GZPStgLgpGrpdfRDSR3XM4V4M3YCQRZo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.14/go.mod h1:R1HF8ZDdcRFfAGF+13En4LSHi2IrrNuPQCaxgWCeGyY=
 github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.4 h1:Ak9DZvmn3WV82N44LKxFcUm3ez5bFR8i/RfQsHc+9Eo=
 github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.4/go.mod h1:r8ji32VqoMfwiY+pKhVuXZhKbRfGvRy0vcUTq6hhB/s=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10 h1:S0Vf3M6Y70WJ6Gb/ZkuGQ9C3ErODIkehSxXOu3bTUVQ=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10/go.mod h1:NU1zsuI+UaQZi+nw7n2pNp42mFX2xcxO6YgbGyEgP14=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.7 h1:M7/BzQNsu0XXiJRe3gUn8UA8tExF6kLMAfvo5PT/KJY=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.7/go.mod h1:HvVdEh/x4jsPBsjNvDy+MH3CDCPy4gTZEzFe2r4uJY8= github.com/aws/aws-sdk-go-v2/service/kms v1.17.4 h1:5NKN9OaBjXa6WiLaC7W2qRccJRE2D6rTzBRavswtae8= From eb599f974aa03a1d8bec9d32e77f80121f9799af Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Tue, 5 Jul 2022 21:21:53 +0000 Subject: [PATCH 7/8] make tidy Signed-off-by: Ryan Turner --- go.sum | 9 --------- 1 file changed, 9 deletions(-) diff --git a/go.sum b/go.sum index ab981032e8..e684c17a0d 100644 --- a/go.sum +++ b/go.sum @@ -203,8 +203,6 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo github.com/aws/aws-sdk-go v1.34.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.44.0 h1:jwtHuNqfnJxL4DKHBUVUmQlfueQqBW7oXP6yebZR/R0= github.com/aws/aws-sdk-go v1.44.0/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU= -github.com/aws/aws-sdk-go-v2 v1.16.6 h1:kzafGZYwkwVgLZ2zEX7P+vTwLli6uIMXF8aGjunN6UI= github.com/aws/aws-sdk-go-v2 v1.16.6/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw= github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns= github.com/aws/aws-sdk-go-v2 v1.16.7/go.mod h1:6CpKuLXg2w7If3ABZCl/qZ6rEgwtjZTn4eAf4RcEyuw= 
@@ -214,20 +212,14 @@ github.com/aws/aws-sdk-go-v2/credentials v1.12.7 h1:e2DcCR0gP+T2zVj5eQPMQoRdxo+v github.com/aws/aws-sdk-go-v2/credentials v1.12.7/go.mod h1:8b1nSHdDaKLho9VEK+K8WivifA/2K5pPm4sfI21NlQ8= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.7 h1:8yi2ORCwXpXEPnj0vP3DjYhejwDQD/5klgBoxXcKOxY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.7/go.mod h1:81k6q0UUZj6AdQZ1E/VQ27cLrTUpJGraZR6/hVHRxjE= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.13 h1:WuQ1yGs3TMJgxpGVLspcsU/5q1omSA0SG6Cu0yZ4jkM= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.13/go.mod h1:wLLesU+LdMZDM3U0PP9vZXJW39zmD/7L4nY2pSrYZ/g= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 h1:2C0pYHcUBmdzPj+EKNC4qj97oK6yjrUhc1KoSodglvk= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14/go.mod h1:kdjrMwHwrC3+FsKhNcCMJ7tUVj/8uSD5CZXeQ4wV6fM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.7 h1:mCeDDYeDXp3loo/xKi7nkx34eeh7q3n1mUBtzptsj8c= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.7/go.mod h1:93Uot80ddyVzSl//xEJreNKMhxntr71WtR3v/A1cRYk= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 h1:2J+jdlBJWEmTyAwC82Ym68xCykIvnSnIN18b8xHGlcc= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8/go.mod h1:ZIV8GYoC6WLBW5KGs+o4rsc65/ozd+eQ0L31XF5VDwk= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.14 h1:bJv4Y9QOiW0GZPStgLgpGrpdfRDSR3XM4V4M3YCQRZo= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.14/go.mod h1:R1HF8ZDdcRFfAGF+13En4LSHi2IrrNuPQCaxgWCeGyY= -github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.4 h1:Ak9DZvmn3WV82N44LKxFcUm3ez5bFR8i/RfQsHc+9Eo= -github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.4/go.mod h1:r8ji32VqoMfwiY+pKhVuXZhKbRfGvRy0vcUTq6hhB/s= github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10 
h1:S0Vf3M6Y70WJ6Gb/ZkuGQ9C3ErODIkehSxXOu3bTUVQ= github.com/aws/aws-sdk-go-v2/service/acmpca v1.17.10/go.mod h1:NU1zsuI+UaQZi+nw7n2pNp42mFX2xcxO6YgbGyEgP14= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.7 h1:M7/BzQNsu0XXiJRe3gUn8UA8tExF6kLMAfvo5PT/KJY= @@ -240,7 +232,6 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.10 h1:icon5WWg9Yg5nkB0pJF6bfKw6M0 github.com/aws/aws-sdk-go-v2/service/sso v1.11.10/go.mod h1:UHxA35uPrCykRySBV5iSPZhZRlYnWSS2c/aaZVsoU94= github.com/aws/aws-sdk-go-v2/service/sts v1.16.8 h1:GLGfpqX+1bmjNvUJkwB1ZaDpNFXQwJ3z9RkQDA58OBY= github.com/aws/aws-sdk-go-v2/service/sts v1.16.8/go.mod h1:50YdFq1WIuxA0AGrygvYGucnNYrG24WYzu5fNp7lMgY= -github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0= github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= From ffd58a69de5759b40f858126b64a4da1922f3910 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Thu, 7 Jul 2022 17:28:36 +0000 Subject: [PATCH 8/8] Add service and region to error Signed-off-by: Ryan Turner --- pkg/server/plugin/upstreamauthority/awspca/pca_client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go index 8fcc53aeda..7086ffdfda 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_client.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_client.go @@ -35,7 +35,7 @@ func newPCAClient(ctx context.Context, cfg *Configuration) (PCAClient, error) { }, nil } - return aws.Endpoint{}, fmt.Errorf("unknown endpoint requested") + return aws.Endpoint{}, fmt.Errorf("unknown endpoint %s requested for region %s", service, region) }) opts = append(opts, config.WithEndpointResolverWithOptions(endpointResolver)) }
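Review bot: The new message formats `service` and `region` with `%s`, so the case this resolver most often rejects — an empty region when `Region` is not configured — prints with nothing visible after "region" and the operator cannot tell an empty value from a missing one. `%q` makes both values unambiguous: `return aws.Endpoint{}, fmt.Errorf("unknown endpoint %q requested for region %q", service, region)`. The resolver closure and newPCAClient both start outside the hunk.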