Пример #1
0
func (creds Credentials) verifyUserAndAccount() error {
	// need to check both the username and the account alias for the
	// supplied creds match the passed-in username and account alias
	auth := aws.Auth{
		AccessKey: creds.Encryptions[0].decoded.KeyId,
		SecretKey: creds.Encryptions[0].decoded.SecretKey,
	}
	// Note: the region is irrelevant for IAM
	instance := iam.New(auth, aws.APSoutheast2)

	// Make sure the account is who we expect
	err := verify_account(creds.AccountAliasOrId, instance)
	if err != nil {
		return err
	}

	// Make sure the user is who we expect
	// If the username is the same as the account name, then it's the root user
	// and there's actually no username at all (oddly)
	if creds.IamUsername == creds.AccountAliasOrId {
		err = verify_user("", instance)
	} else {
		err = verify_user(creds.IamUsername, instance)
	}
	if err != nil {
		return err
	}

	return nil
}
func (s *AmazonClientSuite) SetUpSuite(c *C) {
	if !testutil.Amazon {
		c.Skip("AmazonClientSuite tests not enabled")
	}
	s.srv.SetUp(c)
	s.iam = iam.New(s.srv.auth, aws.USEast)
}
Пример #3
0
// Only delete the oldest key *if* the new key is valid; otherwise,
// delete the newest key
func (cred *Credential) deleteOneKey(username string) (err error) {
	auth := aws.Auth{
		AccessKey: cred.KeyId,
		SecretKey: cred.SecretKey,
	}
	instance := iam.New(auth, aws.APSoutheast2)

	allKeys, err := instance.AccessKeys(username)
	if err != nil {
		return err
	}

	// wtf?
	if len(allKeys.AccessKeys) == 0 {
		err = errors.New("Zero access keys found for this account -- cannot rotate")
		return err
	}

	// only one key
	if len(allKeys.AccessKeys) == 1 {
		return nil
	}

	// Find out which key to delete.
	var oldestId string
	var oldest int64

	for _, key := range allKeys.AccessKeys {
		t, err := time.Parse("2006-01-02T15:04:05Z", key.CreateDate)
		key_create_date := t.Unix()
		if err != nil {
			return err
		}
		// If we find an inactive one, just delete it
		if key.Status == "Inactive" {
			oldestId = key.Id
			break
		}
		if oldest == 0 || key_create_date < oldest {
			oldest = key_create_date
			oldestId = key.Id
		}
	}

	if oldestId == "" {
		err = errors.New("Cannot find oldest key for this account, will not rotate")
		return err
	}

	_, err = instance.DeleteAccessKey(oldestId, username)
	if err != nil {
		return err
	}

	return nil
}
Пример #4
0
func (cred *Credential) createNewAccessKey(username string) (err error) {
	auth := aws.Auth{
		AccessKey: cred.KeyId,
		SecretKey: cred.SecretKey,
	}
	instance := iam.New(auth, aws.APSoutheast2)

	resp, err := instance.CreateAccessKey(username)
	if err != nil {
		return err
	}

	cred.KeyId = resp.AccessKey.Id
	cred.SecretKey = resp.AccessKey.Secret
	return nil
}
Пример #5
0
func getAWSUsernameAndAlias(cred Credential) (username, alias string, err error) {
	auth := aws.Auth{
		AccessKey: cred.KeyId,
		SecretKey: cred.SecretKey,
	}
	// Note: the region is irrelevant for IAM
	instance := iam.New(auth, aws.APSoutheast2)
	username, err = getAWSUsername(instance)
	if err != nil {
		return "", "", err
	}

	alias, err = getAWSAccountAlias(instance)
	if err != nil {
		return "", "", err
	}

	return username, alias, nil
}
func (s *LocalServerSuite) SetUpSuite(c *C) {
	s.srv.SetUp(c)
	s.ClientTests.iam = iam.New(s.srv.auth, s.srv.region)
}
Пример #7
0
func (s *S) SetUpSuite(c *C) {
	testServer.Start()
	auth := aws.Auth{"abc", "123"}
	s.iam = iam.New(auth, aws.Region{IAMEndpoint: testServer.URL})
}
Пример #8
0
func SaveCredentials(data SaveData) (err error) {

	var key_create_date int64

	if data.force {
		key_create_date = time.Now().Unix()
	} else {
		auth := aws.Auth{AccessKey: data.cred.KeyId, SecretKey: data.cred.SecretKey}
		instance := iam.New(auth, aws.APSoutheast2)
		if data.username == "" {
			data.username, err = getAWSUsername(instance)
			if err != nil {
				return err
			}
		}
		if data.alias == "" {
			data.alias, err = getAWSAccountAlias(instance)
			if err != nil {
				return err
			}
		}

		date, _ := getKeyCreateDate(instance)
		t, err := time.Parse("2006-01-02T15:04:05Z", date)
		key_create_date = t.Unix()
		if err != nil {
			return err
		}
	}

	fmt.Printf("saving credentials for %s@%s\n", data.username, data.alias)
	plaintext, err := json.Marshal(data.cred)
	if err != nil {
		return err
	}

	enc_slice := []Encryption{}
	for _, pubkey := range data.pubkeys {
		encoded, err := CredulousEncode(string(plaintext), pubkey)
		if err != nil {
			return err
		}

		enc_slice = append(enc_slice, Encryption{
			Ciphertext:  encoded,
			Fingerprint: SSHFingerprint(pubkey),
		})
	}
	creds := Credentials{
		Version:          FORMAT_VERSION,
		AccountAliasOrId: data.alias,
		IamUsername:      data.username,
		CreateTime:       fmt.Sprintf("%d", key_create_date),
		Encryptions:      enc_slice,
		LifeTime:         data.lifetime,
	}

	filename := fmt.Sprintf("%v-%v.json", key_create_date, data.cred.KeyId[12:])
	err = creds.WriteToDisk(data.repo, filename)
	return err
}