Example #1
0
// GoIAMToConf is a convenience wrapper for callers using roles_files instantiation of the roles interface.
// First there is a blocking read on the roles files to get the initial roles information. Then the
// file notification watcher will run as a goroutine, and resetting conf c's roles
// values. If IAM Credentials are ready for use, the parameter chan `ready_chan` will receive a true
// value, otherwise false. A false value on this chan should indicate to a caller that another auth
// mechanism (for example, hardocded credentials) should be used.
func GoIAMToConf(c *conf.AWS_Conf, ready_chan chan bool) {
	if c == nil {
		log.Printf("conf_iam.GoIAMToConf: c is nil")
		ready_chan <- false
		return
	}
	use_iam := false
	c.ConfLock.RLock()
	use_iam = c.UseIAM
	c.ConfLock.RUnlock()
	if use_iam == true {
		rf := roles_files.NewRolesFiles()
		watching := false
		c.ConfLock.RLock()
		rf.BaseDir = c.IAM.File.BaseDir
		rf.AccessKeyFile = c.IAM.File.AccessKey
		rf.SecretFile = c.IAM.File.Secret
		rf.TokenFile = c.IAM.File.Token
		watching = c.IAM.Watch
		c.ConfLock.RUnlock()
		roles_read_err := ReadIAMToConf(rf, c)
		if roles_read_err != nil {
			e := fmt.Sprintf("conf_iam.GoIAMToConf:cannot perform initial roles read: %s",
				roles_read_err.Error())
			log.Printf(e)
			c.ConfLock.Lock()
			c.UseIAM = false
			c.ConfLock.Unlock()
			ready_chan <- false
			return
		}
		// signal to caller that iam roles are ready to use
		ready_chan <- true
		if watching == true {
			watch_err := make(chan error)
			go WatchIAMToConf(rf, c, watch_err)
			go func() {
				select {
				case err := <-watch_err:
					if err != nil {
						log.Printf(err.Error())
						// caller can fall back to hard-coded perms
						// or live with the panic
						c.ConfLock.Lock()
						c.UseIAM = false
						c.ConfLock.Unlock()
					}
				}
			}()
		}
	} else {
		// signal to the caller than iam roles are not selected as a auth mechanism
		e := fmt.Sprintf("conf_iam.GoIAMToConf: not using IAM")
		log.Printf(e)
		ready_chan <- false
	}
}
Example #2
0
// GoIAM is a convenience wrapper for callers using roles_files instantiation of the roles interface.
// First there is a blocking read on the roles files to get the initial roles information. Then the
// file notification watcher will run as a goroutine, and resetting the global conf.Vals roles
// values. If IAM Credentials are ready for use, the parameter chan `ready_chan` will receive a true
// value, otherwise false. A false value on this chan should indicate to a caller that another auth
// mechanism (for example, hardocded credentials) should be used.
func GoIAM(ready_chan chan bool) {
	use_iam := false
	conf.Vals.ConfLock.RLock()
	use_iam = conf.Vals.UseIAM
	conf.Vals.ConfLock.RUnlock()
	if use_iam == true {
		rf := roles_files.NewRolesFiles()
		watching := false
		conf.Vals.ConfLock.RLock()
		rf.BaseDir = conf.Vals.IAM.File.BaseDir
		rf.AccessKeyFile = conf.Vals.IAM.File.AccessKey
		rf.SecretFile = conf.Vals.IAM.File.Secret
		rf.TokenFile = conf.Vals.IAM.File.Token
		watching = conf.Vals.IAM.Watch
		conf.Vals.ConfLock.RUnlock()
		roles_read_err := ReadIAM(rf)
		if roles_read_err != nil {
			e := fmt.Sprintf("conf_iam.GoIAM:cannot perform initial roles read: %s",
				roles_read_err.Error())
			slog.SLog(syslog.LOG_ERR, e, true)
			conf.Vals.UseIAM = false
			ready_chan <- false
		}
		// signal to caller that iam roles are ready to use
		ready_chan <- true
		if watching == true {
			watch_err := make(chan error)
			go WatchIAM(rf, watch_err)
			go func() {
				select {
				case err := <-watch_err:
					if err != nil {
						slog.SLog(syslog.LOG_ERR, err.Error(), true)
						// caller can fall back to hard-coded perms
						// or live with the panic
						conf.Vals.UseIAM = false
					}
				}
			}()
		}
	} else {
		// signal to the caller than iam roles are selected as a auth mechanism
		ready_chan <- false
	}
}