Skip to content

Commit

Permalink
Merge pull request #16483 from rifelpet/aws-sdk-go-v2-verifier
Browse files Browse the repository at this point in the history
Migrate AWS Verifier to aws-sdk-go-v2
  • Loading branch information
k8s-ci-robot authored May 5, 2024
2 parents 8fe0567 + 1e5ed58 commit 9582763
Show file tree
Hide file tree
Showing 9 changed files with 344 additions and 129 deletions.
2 changes: 1 addition & 1 deletion cmd/kops-controller/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ func main() {
var verifiers []bootstrap.Verifier
var err error
if opt.Server.Provider.AWS != nil {
verifier, err := awsup.NewAWSVerifier(opt.Server.Provider.AWS)
verifier, err := awsup.NewAWSVerifier(ctx, opt.Server.Provider.AWS)
if err != nil {
setupLog.Error(err, "unable to create verifier")
os.Exit(1)
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ require (
github.com/Masterminds/sprig/v3 v3.2.3
github.com/apparentlymart/go-cidr v1.1.0
github.com/aws/amazon-ec2-instance-selector/v2 v2.4.2-0.20231216170552-14d4dfcbaadf
github.com/aws/aws-sdk-go v1.52.1
github.com/aws/aws-sdk-go-v2 v1.26.1
github.com/aws/aws-sdk-go-v2/config v1.27.11
github.com/aws/aws-sdk-go-v2/credentials v1.17.11
Expand Down Expand Up @@ -111,6 +110,7 @@ require (
github.com/Microsoft/hcsshim v0.11.4 // indirect
github.com/armon/go-metrics v0.4.1 // indirect
github.com/atotto/clipboard v0.1.4 // indirect
github.com/aws/aws-sdk-go v1.52.1 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
Expand Down
2 changes: 1 addition & 1 deletion nodeup/pkg/model/bootstrap_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ func (b BootstrapClientBuilder) Build(c *fi.NodeupModelBuilderContext) error {

switch b.CloudProvider() {
case kops.CloudProviderAWS:
a, err := awsup.NewAWSAuthenticator(b.Cloud.Region())
a, err := awsup.NewAWSAuthenticator(c.Context(), b.Cloud.Region())
if err != nil {
return err
}
Expand Down
51 changes: 32 additions & 19 deletions upup/pkg/fi/cloudup/awsup/aws_authenticator.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,20 +22,19 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"net/http"

awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/endpoints"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/aws/aws-sdk-go-v2/service/sts"
smithyhttp "github.com/aws/smithy-go/transport/http"
"k8s.io/kops/pkg/bootstrap"
)

const AWSAuthenticationTokenPrefix = "x-aws-sts "

type awsAuthenticator struct {
sts *sts.STS
sts *sts.Client
}

var _ bootstrap.Authenticator = &awsAuthenticator{}
Expand All @@ -55,32 +54,46 @@ func RegionFromMetadata(ctx context.Context) (string, error) {
return resp.Region, nil
}

func NewAWSAuthenticator(region string) (bootstrap.Authenticator, error) {
config := aws.NewConfig().
WithCredentialsChainVerboseErrors(true).
WithRegion(region).
WithSTSRegionalEndpoint(endpoints.RegionalSTSEndpoint)
sess, err := session.NewSession(config)
func NewAWSAuthenticator(ctx context.Context, region string) (bootstrap.Authenticator, error) {
config, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))
if err != nil {
return nil, err
return nil, fmt.Errorf("failed to load aws config: %w", err)
}
return &awsAuthenticator{
sts: sts.New(sess, config),
sts: sts.NewFromConfig(config),
}, nil
}

type awsV2Token struct {
URL string `json:"url"`
Method string `json:"method"`
SignedHeader http.Header `json:"headers"`
}

func (a *awsAuthenticator) CreateToken(body []byte) (string, error) {
sha := sha256.Sum256(body)

stsRequest, _ := a.sts.GetCallerIdentityRequest(nil)
presignClient := sts.NewPresignClient(a.sts)

// Ensure the signature is only valid for this particular body content.
stsRequest.HTTPRequest.Header.Add("X-Kops-Request-SHA", base64.RawStdEncoding.EncodeToString(sha[:]))
stsRequest, err := presignClient.PresignGetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{}, func(po *sts.PresignOptions) {
po.ClientOptions = append(po.ClientOptions, func(o *sts.Options) {
o.APIOptions = append(o.APIOptions, smithyhttp.AddHeaderValue("X-Kops-Request-SHA", base64.RawStdEncoding.EncodeToString(sha[:])))
})
})
if err != nil {
return "", fmt.Errorf("building AWS STS presigned request: %w", err)
}

if err := stsRequest.Sign(); err != nil {
return "", err
awsV2Token := &awsV2Token{
URL: stsRequest.URL,
Method: stsRequest.Method,
SignedHeader: stsRequest.SignedHeader,
}
token, err := json.Marshal(awsV2Token)
if err != nil {
return "", fmt.Errorf("converting token to json: %w", err)
}

headers, _ := json.Marshal(stsRequest.HTTPRequest.Header)
return AWSAuthenticationTokenPrefix + base64.StdEncoding.EncodeToString(headers), nil
return AWSAuthenticationTokenPrefix + base64.StdEncoding.EncodeToString(token), nil
}
141 changes: 98 additions & 43 deletions upup/pkg/fi/cloudup/awsup/aws_authenticator_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,30 +22,23 @@ import (
"encoding/json"
"fmt"
"net/http"
"net/url"
"strings"
"testing"

// "github.com/aws/aws-sdk-go-v2/aws"
// "github.com/aws/aws-sdk-go-v2/credentials"
// "github.com/aws/aws-sdk-go-v2/service/sts"

"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/sts"
)

func TestAWSPresign(t *testing.T) {
// mockSTSServer := &mockSTSServer{t: t}
// awsConfig := aws.Config{}
// awsConfig.Region = "us-east-1"
// awsConfig.Credentials = credentials.NewStaticCredentialsProvider("accesskey", "secretkey", "")
// awsConfig.HTTPClient = mockSTSServer
// sts := sts.NewFromConfig(awsConfig)

mySession := session.Must(session.NewSession())
mySession.Config.Credentials = credentials.NewStaticCredentials("accesskey", "secretkey", "")
sts := sts.New(mySession)
mySession.Config.HTTPClient = &http.Client{Transport: &mockHTTPTransport{}}
mockSTSServer := &mockHTTPClient{t: t}
awsConfig := aws.Config{}
awsConfig.Region = "us-east-1"
awsConfig.Credentials = credentials.NewStaticCredentialsProvider("fakeaccesskey", "fakesecretkey", "")
awsConfig.HTTPClient = mockSTSServer
sts := sts.NewFromConfig(awsConfig)

a := &awsAuthenticator{
sts: sts,
}
Expand All @@ -68,24 +61,29 @@ func TestAWSPresign(t *testing.T) {
if err != nil {
t.Fatalf("decoding token as base64: %v", err)
}
headers := make(map[string][]string)
if err := json.Unmarshal([]byte(data), &headers); err != nil {
decoded := &awsV2Token{}
if err := json.Unmarshal([]byte(data), &decoded); err != nil {
t.Fatalf("decoding token as json: %v", err)
}

t.Logf("headers: %+v", headers)
t.Logf("decoded: %+v", decoded)

amzSignature := ""
amzSignedHeaders := ""
amzDate := ""
amzAlgorithm := ""
amzCredential := ""

authorization := ""
for header, values := range headers {
for header, values := range decoded.SignedHeader {
got := strings.Join(values, "||")
switch header {
case "User-Agent":
// Ignore
// TODO: Should we (can we) override the useragent?
case "X-Amz-Date":
if len(got) < 10 {
t.Errorf("expected %q header of at least 10 characters, got %q", header, got)
}
amzDate = got

case "Content-Length":
if want := "43"; got != want {
t.Errorf("unexpected %q header: got %q, want %q", header, got, want)
Expand All @@ -95,6 +93,11 @@ func TestAWSPresign(t *testing.T) {
t.Errorf("unexpected %q header: got %q, want %q", header, got, want)
}

case "Host":
if want := "sts.us-east-1.amazonaws.com"; got != want {
t.Errorf("unexpected %q header: got %q, want %q", header, got, want)
}

case "X-Kops-Request-Sha":
if want := bodyHashBase64; got != want {
t.Errorf("unexpected %q header: got %q, want %q", header, got, want)
Expand All @@ -103,34 +106,86 @@ func TestAWSPresign(t *testing.T) {
// Validated more deeply below
authorization = got
default:
t.Errorf("unexpected header %q", header)
t.Errorf("unexpected header %q: %q", header, got)
}
}

if !strings.HasPrefix(authorization, "AWS4-HMAC-SHA256 ") {
t.Errorf("unexpected authorization prefix, got %q", authorization)
}
for _, token := range strings.Split(strings.TrimPrefix(authorization, "AWS4-HMAC-SHA256 "), ", ") {
kv := strings.SplitN(token, "=", 2)
got := kv[1]
switch kv[0] {
case "Signature":
if len(got) < 10 {
t.Errorf("expected %q Authorization value of at least 10 characters, got %q", kv[0], got)
// TODO: This is only aws-sdk-go V1
if authorization != "" {
if !strings.HasPrefix(authorization, "AWS4-HMAC-SHA256 ") {
t.Errorf("unexpected authorization prefix, got %q", authorization)
}

for _, token := range strings.Split(strings.TrimPrefix(authorization, "AWS4-HMAC-SHA256 "), ", ") {
kv := strings.SplitN(token, "=", 2)
if len(kv) == 1 {
t.Errorf("invalid token %q in authorization header", token)
continue
}
case "Credential":
if len(got) < 10 {
t.Errorf("expected %q Authorization value of at least 10 characters, got %q", kv[0], got)
got := kv[1]
switch kv[0] {
case "Signature":
amzSignature = got
case "Credential":
amzCredential = got
case "SignedHeaders":
amzSignedHeaders = got
default:
t.Errorf("unknown token %q in authorization header", token)
}
case "SignedHeaders":
if want := "content-length;content-type;host;x-amz-date;x-kops-request-sha"; got != want {
t.Errorf("unexpected %q Authorization value: got %q, want %q", kv[0], got, want)
}
}

u, err := url.Parse(decoded.URL)
if err != nil {
t.Errorf("error parsing url %q: %v", decoded.URL, err)
}
for k, values := range u.Query() {
got := strings.Join(values, "||")

switch k {
case "Action":
if want := "GetCallerIdentity"; got != want {
t.Errorf("unexpected %q query param: got %q, want %q", k, got, want)
}
case "Version":
if want := "2011-06-15"; got != want {
t.Errorf("unexpected %q query param: got %q, want %q", k, got, want)
}
case "X-Amz-Date":
amzDate = k
case "X-Amz-Signature":
amzSignature = k
case "X-Amz-Credential":
amzCredential = got
case "X-Amz-SignedHeaders":
amzSignedHeaders = got
case "X-Amz-Algorithm":
amzAlgorithm = got
default:
t.Errorf("unknown token %q in authorization header", token)
t.Errorf("unknown token %q=%q in query", k, got)
}
}

if len(amzCredential) < 10 {
t.Errorf("expected amzCredential value of at least 10 characters, got %q", amzCredential)
}

if len(amzDate) < 10 {
t.Errorf("expected amz-date of at least 10 characters, got %q", amzDate)
}

if len(amzSignature) < 10 {
t.Errorf("expected amzSignature value of at least 10 characters, got %q", amzSignature)
}

if want := "AWS4-HMAC-SHA256"; amzAlgorithm != want {
t.Errorf("unexpected amzAlgorithm: got %q, want %q", amzAlgorithm, want)
}

if want := "host;x-kops-request-sha"; amzSignedHeaders != want {
t.Errorf("unexpected amzSignedHeaders: got %q, want %q", amzSignedHeaders, want)
}
}

type mockHTTPClient struct {
Expand Down
3 changes: 1 addition & 2 deletions upup/pkg/fi/cloudup/awsup/aws_cloud.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@ import (
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/route53"
"github.com/aws/aws-sdk-go-v2/service/sts"
ec2v1 "github.com/aws/aws-sdk-go/service/ec2"
"k8s.io/klog/v2"

v1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -2358,7 +2357,7 @@ func GetRolesInInstanceProfile(c AWSCloud, profileName string) ([]string, error)

// GetInstanceCertificateNames returns the instance hostname and addresses that should go into certificates.
// The first value is the node name and any additional values are the DNS name and IP addresses.
func GetInstanceCertificateNames(instances *ec2v1.DescribeInstancesOutput) (addrs []string, err error) {
func GetInstanceCertificateNames(instances *ec2.DescribeInstancesOutput) (addrs []string, err error) {
if len(instances.Reservations) != 1 {
return nil, fmt.Errorf("too many reservations returned for the single instance-id")
}
Expand Down
Loading

0 comments on commit 9582763

Please sign in to comment.