…hore#16) * Draft the codes of read credential from aws secret manager * Add more debug logs * Resolve conflict * Fix a typo * Apply the factory pattern to load the credential * fix import cycle * cleanup import * Fix typo * Fix the credential factory usage * Change the method name to LoadFromCredentialStore * Enable reading credential from aws secret manager
Showing
5 changed files
with
117 additions
and
3 deletions.
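--- /dev/null
+++ b/<path-not-shown-on-page-1>
@@ -0,0 +1,84 @@
+package credential
+
+import (
+"encoding/json"
+"fmt"
+"strings"
+
+"github.com/aws/aws-sdk-go/aws"
+"github.com/aws/aws-sdk-go/aws/awserr"
+"github.com/aws/aws-sdk-go/aws/session"
+"github.com/aws/aws-sdk-go/service/secretsmanager"
+log "github.com/sirupsen/logrus"
+)
+
+type AWSCredenitalLoader struct{}
+
+func (c *AWSCredenitalLoader) LoadFromCredentialStore(passwordConfig string) string {
+if strings.HasPrefix(passwordConfig, "aws:secretmanager") {
+log.Debug("Start to load password from AWS Secret Manager")
+value := getAWSSecret(passwordConfig)
+if value != "" {
+return value
+}
+}
+return passwordConfig
+}
+
+func getAWSSecret(configValue string) string {
+// The expected format is aws:secretmanager:<region>:<secret name>:<secret key>
+fileds := strings.Split(configValue, ":")
+region, name, key := fileds[2], fileds[3], fileds[4]
+
+log.WithFields(log.Fields{"region": region, "name": name, "key": key}).Debug("pass in secret manager parameters")
+
+//Create a Secrets Manager client
+svc := secretsmanager.New(session.New(), &aws.Config{Region: aws.String(region)})
+input := &secretsmanager.GetSecretValueInput{
+SecretId: aws.String(name),
+VersionStage: aws.String("AWSCURRENT"), // VersionStage defaults to AWSCURRENT if unspecified
+}
+
+result, err := svc.GetSecretValue(input)
+if err != nil {
+if aerr, ok := err.(awserr.Error); ok {
+switch aerr.Code() {
+case secretsmanager.ErrCodeDecryptionFailure:
+// Secrets Manager can't decrypt the protected secret text using the provided KMS key.
+fmt.Println(secretsmanager.ErrCodeDecryptionFailure, aerr.Error())
+
+case secretsmanager.ErrCodeInternalServiceError:
+// An error occurred on the server side.
+fmt.Println(secretsmanager.ErrCodeInternalServiceError, aerr.Error())
+
+case secretsmanager.ErrCodeInvalidParameterException:
+// You provided an invalid value for a parameter.
+fmt.Println(secretsmanager.ErrCodeInvalidParameterException, aerr.Error())
+
+case secretsmanager.ErrCodeInvalidRequestException:
+// You provided a parameter value that is not valid for the current state of the resource.
+fmt.Println(secretsmanager.ErrCodeInvalidRequestException, aerr.Error())
+
+case secretsmanager.ErrCodeResourceNotFoundException:
+// We can't find the resource that you asked for.
+fmt.Println(secretsmanager.ErrCodeResourceNotFoundException, aerr.Error())
+}
+} else {
+// Print the error, cast err to awserr.Error to get the Code and
+// Message from an error.
+fmt.Println(err.Error())
+}
+} else {
+// Decrypts secret using the associated KMS CMK.
+var secretString string
+if result.SecretString != nil {
+secretString = *result.SecretString
+// a map container to decode the JSON structure into
+kmap := make(map[string]string)
+json.Unmarshal([]byte(secretString), &kmap)
+return kmap[key]
+}
+}
+
+return ""
+}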
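Review bot: `getAWSSecret` indexes `fileds[2]`, `fileds[3]` and `fileds[4]` straight after the `strings.Split` without checking how many fields came back, so a reference with a missing component (for example one that stops after the secret name) panics with an index-out-of-range instead of being rejected; add `if len(fileds) != 5 { log.Error("malformed aws:secretmanager reference, expected aws:secretmanager:<region>:<secret name>:<secret key>"); return "" }` before the assignment. Every failure path — the AWS error cases, a nil `SecretString`, the discarded `json.Unmarshal` error and a key absent from the decoded map — collapses to `""`, which `LoadFromCredentialStore` then turns into returning the literal `aws:secretmanager:...` string as the password, so a misconfiguration or a denied `GetSecretValue` only surfaces later as an authentication failure rather than at load time. The `fmt.Println` calls in the error switch should go through `log` like the rest of the function, and `session.New` is deprecated in the SDK in favor of `session.NewSession`, whose error would otherwise be lost. Check the `json.Unmarshal` error as well, since a non-JSON secret currently yields an empty lookup with no diagnostic.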
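--- /dev/null
+++ b/<path-not-shown-on-page-2>
@@ -0,0 +1,7 @@
+package credential
+
+type DefaultCredenitalLoader struct{}
+
+func (c *DefaultCredenitalLoader) LoadFromCredentialStore(passwordConfig string) string {
+return passwordConfig
+}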
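Review bot: The exported `DefaultCredenitalLoader` type and its `LoadFromCredentialStore` method carry no doc comment; add `// DefaultCredenitalLoader returns the configured password unchanged; the factory selects it when the value carries no known store prefix.` above the type and `// LoadFromCredentialStore returns passwordConfig as-is.` above the method. The identifier is also misspelled (`Credenital` for `Credential`), consistently with the other new files in this commit, and is cheapest to correct now before anything outside the package depends on it.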
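--- /dev/null
+++ b/<path-not-shown-on-page-3>
@@ -0,0 +1,16 @@
+package credential
+
+import (
+"strings"
+)
+
+type CredentialLoader interface {
+LoadFromCredentialStore(passwordConfig string) string
+}
+
+func CreateCredentialLoader(passwordConfig string) CredentialLoader {
+if strings.HasPrefix(passwordConfig, "aws:secretmanager") {
+return &AWSCredenitalLoader{}
+}
+return &DefaultCredenitalLoader{}
+}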
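Review bot: `CredentialLoader.LoadFromCredentialStore` returns only a string, so an implementation has no way to report that the store lookup failed, and the AWS implementation in this commit consequently hands the raw `aws:secretmanager:...` reference back to the caller as the password; declare it as `LoadFromCredentialStore(passwordConfig string) (string, error)` and have the callers of `CreateCredentialLoader` (outside these hunks) fail fast on a non-nil error. The `"aws:secretmanager"` prefix is repeated here and in the AWS loader's own check; hoist it into one package-level constant, `const awsSecretManagerPrefix = "aws:secretmanager"`, so the two cannot drift. The exported interface and factory also lack doc comments; `// CreateCredentialLoader picks the loader for passwordConfig by its store prefix; values without a known prefix are returned unchanged.` would do for the factory.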