// GoIAMToConf is a convenience wrapper for callers using roles_files instantiation of the roles interface.
// First there is a blocking read on the roles files to get the initial roles information. Then the
// file notification watcher will run as a goroutine, and resetting conf c's roles
// values. If IAM Credentials are ready for use, the parameter chan `ready_chan` will receive a true
// value, otherwise false. A false value on this chan should indicate to a caller that another auth
// mechanism (for example, hardocded credentials) should be used.
func GoIAMToConf(c *conf.AWS_Conf, ready_chan chan bool) {
if c == nil {
log.Printf("conf_iam.GoIAMToConf: c is nil")
ready_chan <- false
return
}
use_iam := false
c.ConfLock.RLock()
use_iam = c.UseIAM
c.ConfLock.RUnlock()
if use_iam == true {
rf := roles_files.NewRolesFiles()
watching := false
c.ConfLock.RLock()
rf.BaseDir = c.IAM.File.BaseDir
rf.AccessKeyFile = c.IAM.File.AccessKey
rf.SecretFile = c.IAM.File.Secret
rf.TokenFile = c.IAM.File.Token
watching = c.IAM.Watch
c.ConfLock.RUnlock()
roles_read_err := ReadIAMToConf(rf, c)
if roles_read_err != nil {
e := fmt.Sprintf("conf_iam.GoIAMToConf:cannot perform initial roles read: %s",
roles_read_err.Error())
log.Printf(e)
c.ConfLock.Lock()
c.UseIAM = false
c.ConfLock.Unlock()
ready_chan <- false
return
}
// signal to caller that iam roles are ready to use
ready_chan <- true
if watching == true {
watch_err := make(chan error)
go WatchIAMToConf(rf, c, watch_err)
go func() {
select {
case err := <-watch_err:
if err != nil {
log.Printf(err.Error())
// caller can fall back to hard-coded perms
// or live with the panic
c.ConfLock.Lock()
c.UseIAM = false
c.ConfLock.Unlock()
}
}
}()
}
} else {
// signal to the caller than iam roles are not selected as a auth mechanism
e := fmt.Sprintf("conf_iam.GoIAMToConf: not using IAM")
log.Printf(e)
ready_chan <- false
}
}
// GoIAM is a convenience wrapper for callers using roles_files instantiation of the roles interface.
// First there is a blocking read on the roles files to get the initial roles information. Then the
// file notification watcher will run as a goroutine, and resetting the global conf.Vals roles
// values. If IAM Credentials are ready for use, the parameter chan `ready_chan` will receive a true
// value, otherwise false. A false value on this chan should indicate to a caller that another auth
// mechanism (for example, hardocded credentials) should be used.
func GoIAM(ready_chan chan bool) {
use_iam := false
conf.Vals.ConfLock.RLock()
use_iam = conf.Vals.UseIAM
conf.Vals.ConfLock.RUnlock()
if use_iam == true {
rf := roles_files.NewRolesFiles()
watching := false
conf.Vals.ConfLock.RLock()
rf.BaseDir = conf.Vals.IAM.File.BaseDir
rf.AccessKeyFile = conf.Vals.IAM.File.AccessKey
rf.SecretFile = conf.Vals.IAM.File.Secret
rf.TokenFile = conf.Vals.IAM.File.Token
watching = conf.Vals.IAM.Watch
conf.Vals.ConfLock.RUnlock()
roles_read_err := ReadIAM(rf)
if roles_read_err != nil {
e := fmt.Sprintf("conf_iam.GoIAM:cannot perform initial roles read: %s",
roles_read_err.Error())
slog.SLog(syslog.LOG_ERR, e, true)
conf.Vals.UseIAM = false
ready_chan <- false
}
// signal to caller that iam roles are ready to use
ready_chan <- true
if watching == true {
watch_err := make(chan error)
go WatchIAM(rf, watch_err)
go func() {
select {
case err := <-watch_err:
if err != nil {
slog.SLog(syslog.LOG_ERR, err.Error(), true)
// caller can fall back to hard-coded perms
// or live with the panic
conf.Vals.UseIAM = false
}
}
}()
}
} else {
// signal to the caller than iam roles are selected as a auth mechanism
ready_chan <- false
}
}
