func (creds Credentials) verifyUserAndAccount() error {
// need to check both the username and the account alias for the
// supplied creds match the passed-in username and account alias
auth := aws.Auth{
AccessKey: creds.Encryptions[0].decoded.KeyId,
SecretKey: creds.Encryptions[0].decoded.SecretKey,
}
// Note: the region is irrelevant for IAM
instance := iam.New(auth, aws.APSoutheast2)
// Make sure the account is who we expect
err := verify_account(creds.AccountAliasOrId, instance)
if err != nil {
return err
}
// Make sure the user is who we expect
// If the username is the same as the account name, then it's the root user
// and there's actually no username at all (oddly)
if creds.IamUsername == creds.AccountAliasOrId {
err = verify_user("", instance)
} else {
err = verify_user(creds.IamUsername, instance)
}
if err != nil {
return err
}
return nil
}
func (s *AmazonClientSuite) SetUpSuite(c *C) {
if !testutil.Amazon {
c.Skip("AmazonClientSuite tests not enabled")
}
s.srv.SetUp(c)
s.iam = iam.New(s.srv.auth, aws.USEast)
}
// Only delete the oldest key *if* the new key is valid; otherwise,
// delete the newest key
func (cred *Credential) deleteOneKey(username string) (err error) {
auth := aws.Auth{
AccessKey: cred.KeyId,
SecretKey: cred.SecretKey,
}
instance := iam.New(auth, aws.APSoutheast2)
allKeys, err := instance.AccessKeys(username)
if err != nil {
return err
}
// wtf?
if len(allKeys.AccessKeys) == 0 {
err = errors.New("Zero access keys found for this account -- cannot rotate")
return err
}
// only one key
if len(allKeys.AccessKeys) == 1 {
return nil
}
// Find out which key to delete.
var oldestId string
var oldest int64
for _, key := range allKeys.AccessKeys {
t, err := time.Parse("2006-01-02T15:04:05Z", key.CreateDate)
key_create_date := t.Unix()
if err != nil {
return err
}
// If we find an inactive one, just delete it
if key.Status == "Inactive" {
oldestId = key.Id
break
}
if oldest == 0 || key_create_date < oldest {
oldest = key_create_date
oldestId = key.Id
}
}
if oldestId == "" {
err = errors.New("Cannot find oldest key for this account, will not rotate")
return err
}
_, err = instance.DeleteAccessKey(oldestId, username)
if err != nil {
return err
}
return nil
}
func (cred *Credential) createNewAccessKey(username string) (err error) {
auth := aws.Auth{
AccessKey: cred.KeyId,
SecretKey: cred.SecretKey,
}
instance := iam.New(auth, aws.APSoutheast2)
resp, err := instance.CreateAccessKey(username)
if err != nil {
return err
}
cred.KeyId = resp.AccessKey.Id
cred.SecretKey = resp.AccessKey.Secret
return nil
}
func getAWSUsernameAndAlias(cred Credential) (username, alias string, err error) {
auth := aws.Auth{
AccessKey: cred.KeyId,
SecretKey: cred.SecretKey,
}
// Note: the region is irrelevant for IAM
instance := iam.New(auth, aws.APSoutheast2)
username, err = getAWSUsername(instance)
if err != nil {
return "", "", err
}
alias, err = getAWSAccountAlias(instance)
if err != nil {
return "", "", err
}
return username, alias, nil
}
func (s *LocalServerSuite) SetUpSuite(c *C) {
s.srv.SetUp(c)
s.ClientTests.iam = iam.New(s.srv.auth, s.srv.region)
}
func (s *S) SetUpSuite(c *C) {
testServer.Start()
auth := aws.Auth{"abc", "123"}
s.iam = iam.New(auth, aws.Region{IAMEndpoint: testServer.URL})
}
func SaveCredentials(data SaveData) (err error) {
var key_create_date int64
if data.force {
key_create_date = time.Now().Unix()
} else {
auth := aws.Auth{AccessKey: data.cred.KeyId, SecretKey: data.cred.SecretKey}
instance := iam.New(auth, aws.APSoutheast2)
if data.username == "" {
data.username, err = getAWSUsername(instance)
if err != nil {
return err
}
}
if data.alias == "" {
data.alias, err = getAWSAccountAlias(instance)
if err != nil {
return err
}
}
date, _ := getKeyCreateDate(instance)
t, err := time.Parse("2006-01-02T15:04:05Z", date)
key_create_date = t.Unix()
if err != nil {
return err
}
}
fmt.Printf("saving credentials for %s@%s\n", data.username, data.alias)
plaintext, err := json.Marshal(data.cred)
if err != nil {
return err
}
enc_slice := []Encryption{}
for _, pubkey := range data.pubkeys {
encoded, err := CredulousEncode(string(plaintext), pubkey)
if err != nil {
return err
}
enc_slice = append(enc_slice, Encryption{
Ciphertext: encoded,
Fingerprint: SSHFingerprint(pubkey),
})
}
creds := Credentials{
Version: FORMAT_VERSION,
AccountAliasOrId: data.alias,
IamUsername: data.username,
CreateTime: fmt.Sprintf("%d", key_create_date),
Encryptions: enc_slice,
LifeTime: data.lifetime,
}
filename := fmt.Sprintf("%v-%v.json", key_create_date, data.cred.KeyId[12:])
err = creds.WriteToDisk(data.repo, filename)
return err
}
