mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10590 Commits
17 Branches
Tree: c4deb97ed1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c4deb97ed1'
${ noResults }
gitea/vendor/github.com/minio/minio-go/v7/pkg/credentials/assume_role.go

assume_role.go 6.8KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214 
  1. /*

  2.  * MinIO Go Library for Amazon S3 Compatible Cloud Storage

  3.  * Copyright 2020 MinIO, Inc.

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. 

  18. package credentials

  19. 

  20. import (

  21. 	"encoding/hex"

  22. 	"encoding/xml"

  23. 	"errors"

  24. 	"io"

  25. 	"io/ioutil"

  26. 	"net/http"

  27. 	"net/url"

  28. 	"strconv"

  29. 	"strings"

  30. 	"time"

  31. 

  32. 	"github.com/minio/minio-go/v7/pkg/signer"

  33. 	sha256 "github.com/minio/sha256-simd"

  34. )

  35. 

  36. // AssumeRoleResponse contains the result of successful AssumeRole request.

  37. type AssumeRoleResponse struct {

  38. 	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleResponse" json:"-"`

  39. 

  40. 	Result           AssumeRoleResult `xml:"AssumeRoleResult"`

  41. 	ResponseMetadata struct {

  42. 		RequestID string `xml:"RequestId,omitempty"`

  43. 	} `xml:"ResponseMetadata,omitempty"`

  44. }

  45. 

  46. // AssumeRoleResult - Contains the response to a successful AssumeRole

  47. // request, including temporary credentials that can be used to make

  48. // MinIO API requests.

  49. type AssumeRoleResult struct {

  50. 	// The identifiers for the temporary security credentials that the operation

  51. 	// returns.

  52. 	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

  53. 

  54. 	// The temporary security credentials, which include an access key ID, a secret

  55. 	// access key, and a security (or session) token.

  56. 	//

  57. 	// Note: The size of the security token that STS APIs return is not fixed. We

  58. 	// strongly recommend that you make no assumptions about the maximum size. As

  59. 	// of this writing, the typical size is less than 4096 bytes, but that can vary.

  60. 	// Also, future updates to AWS might require larger sizes.

  61. 	Credentials struct {

  62. 		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`

  63. 		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`

  64. 		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`

  65. 		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`

  66. 	} `xml:",omitempty"`

  67. 

  68. 	// A percentage value that indicates the size of the policy in packed form.

  69. 	// The service rejects any policy with a packed size greater than 100 percent,

  70. 	// which means the policy exceeded the allowed space.

  71. 	PackedPolicySize int `xml:",omitempty"`

  72. }

  73. 

  74. // A STSAssumeRole retrieves credentials from MinIO service, and keeps track if

  75. // those credentials are expired.

  76. type STSAssumeRole struct {

  77. 	Expiry

  78. 

  79. 	// Required http Client to use when connecting to MinIO STS service.

  80. 	Client *http.Client

  81. 

  82. 	// STS endpoint to fetch STS credentials.

  83. 	STSEndpoint string

  84. 

  85. 	// various options for this request.

  86. 	Options STSAssumeRoleOptions

  87. }

  88. 

  89. // STSAssumeRoleOptions collection of various input options

  90. // to obtain AssumeRole credentials.

  91. type STSAssumeRoleOptions struct {

  92. 	// Mandatory inputs.

  93. 	AccessKey string

  94. 	SecretKey string

  95. 

  96. 	Location        string // Optional commonly needed with AWS STS.

  97. 	DurationSeconds int    // Optional defaults to 1 hour.

  98. 

  99. 	// Optional only valid if using with AWS STS

  100. 	RoleARN         string

  101. 	RoleSessionName string

  102. }

  103. 

  104. // NewSTSAssumeRole returns a pointer to a new

  105. // Credentials object wrapping the STSAssumeRole.

  106. func NewSTSAssumeRole(stsEndpoint string, opts STSAssumeRoleOptions) (*Credentials, error) {

  107. 	if stsEndpoint == "" {

  108. 		return nil, errors.New("STS endpoint cannot be empty")

  109. 	}

  110. 	if opts.AccessKey == "" || opts.SecretKey == "" {

  111. 		return nil, errors.New("AssumeRole credentials access/secretkey is mandatory")

  112. 	}

  113. 	return New(&STSAssumeRole{

  114. 		Client: &http.Client{

  115. 			Transport: http.DefaultTransport,

  116. 		},

  117. 		STSEndpoint: stsEndpoint,

  118. 		Options:     opts,

  119. 	}), nil

  120. }

  121. 

  122. const defaultDurationSeconds = 3600

  123. 

  124. // closeResponse close non nil response with any response Body.

  125. // convenient wrapper to drain any remaining data on response body.

  126. //

  127. // Subsequently this allows golang http RoundTripper

  128. // to re-use the same connection for future requests.

  129. func closeResponse(resp *http.Response) {

  130. 	// Callers should close resp.Body when done reading from it.

  131. 	// If resp.Body is not closed, the Client's underlying RoundTripper

  132. 	// (typically Transport) may not be able to re-use a persistent TCP

  133. 	// connection to the server for a subsequent "keep-alive" request.

  134. 	if resp != nil && resp.Body != nil {

  135. 		// Drain any remaining Body and then close the connection.

  136. 		// Without this closing connection would disallow re-using

  137. 		// the same connection for future uses.

  138. 		//  - http://stackoverflow.com/a/17961593/4465767

  139. 		io.Copy(ioutil.Discard, resp.Body)

  140. 		resp.Body.Close()

  141. 	}

  142. }

  143. 

  144. func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssumeRoleOptions) (AssumeRoleResponse, error) {

  145. 	v := url.Values{}

  146. 	v.Set("Action", "AssumeRole")

  147. 	v.Set("Version", STSVersion)

  148. 	if opts.RoleARN != "" {

  149. 		v.Set("RoleArn", opts.RoleARN)

  150. 	}

  151. 	if opts.RoleSessionName != "" {

  152. 		v.Set("RoleSessionName", opts.RoleSessionName)

  153. 	}

  154. 	if opts.DurationSeconds > defaultDurationSeconds {

  155. 		v.Set("DurationSeconds", strconv.Itoa(opts.DurationSeconds))

  156. 	} else {

  157. 		v.Set("DurationSeconds", strconv.Itoa(defaultDurationSeconds))

  158. 	}

  159. 

  160. 	u, err := url.Parse(endpoint)

  161. 	if err != nil {

  162. 		return AssumeRoleResponse{}, err

  163. 	}

  164. 	u.Path = "/"

  165. 

  166. 	postBody := strings.NewReader(v.Encode())

  167. 	hash := sha256.New()

  168. 	if _, err = io.Copy(hash, postBody); err != nil {

  169. 		return AssumeRoleResponse{}, err

  170. 	}

  171. 	postBody.Seek(0, 0)

  172. 

  173. 	req, err := http.NewRequest(http.MethodPost, u.String(), postBody)

  174. 	if err != nil {

  175. 		return AssumeRoleResponse{}, err

  176. 	}

  177. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  178. 	req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(hash.Sum(nil)))

  179. 	req = signer.SignV4STS(*req, opts.AccessKey, opts.SecretKey, opts.Location)

  180. 

  181. 	resp, err := clnt.Do(req)

  182. 	if err != nil {

  183. 		return AssumeRoleResponse{}, err

  184. 	}

  185. 	defer closeResponse(resp)

  186. 	if resp.StatusCode != http.StatusOK {

  187. 		return AssumeRoleResponse{}, errors.New(resp.Status)

  188. 	}

  189. 

  190. 	a := AssumeRoleResponse{}

  191. 	if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {

  192. 		return AssumeRoleResponse{}, err

  193. 	}

  194. 	return a, nil

  195. }

  196. 

  197. // Retrieve retrieves credentials from the MinIO service.

  198. // Error will be returned if the request fails.

  199. func (m *STSAssumeRole) Retrieve() (Value, error) {

  200. 	a, err := getAssumeRoleCredentials(m.Client, m.STSEndpoint, m.Options)

  201. 	if err != nil {

  202. 		return Value{}, err

  203. 	}

  204. 

  205. 	// Expiry window is set to 10secs.

  206. 	m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)

  207. 

  208. 	return Value{

  209. 		AccessKeyID:     a.Result.Credentials.AccessKey,

  210. 		SecretAccessKey: a.Result.Credentials.SecretKey,

  211. 		SessionToken:    a.Result.Credentials.SessionToken,

  212. 		SignerType:      SignatureV4,

  213. 	}, nil

  214. }