-
Notifications
You must be signed in to change notification settings - Fork 0
/
credentials.go
86 lines (77 loc) · 2.73 KB
/
credentials.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
package gdnotify
import (
"context"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io"
"strings"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ssm"
logx "github.com/mashiike/go-logx"
"google.golang.org/api/option"
)
type CredentialsBackend interface {
WithCredentialsClientOption(context.Context, []option.ClientOption) ([]option.ClientOption, error)
}
func NewCredentialsBackend(ctx context.Context, cfg *CredentialsBackendConfig, awsCfg aws.Config) (CredentialsBackend, error) {
switch cfg.BackendType {
case CredentialsBackendTypeNone:
return &NoneCredentialsBackend{}, nil
case CredentialsBackendTypeSSMParameterStore:
return NewSSMParameterStoreCredentialsBackend(ctx, cfg, awsCfg)
}
return nil, errors.New("unknown credentials backend type")
}
type NoneCredentialsBackend struct{}
func (b *NoneCredentialsBackend) WithCredentialsClientOption(_ context.Context, orig []option.ClientOption) ([]option.ClientOption, error) {
return orig, nil
}
type SSMParameterStoreCredentialsBackend struct {
client *ssm.Client
name string
base64Encoding bool
}
func NewSSMParameterStoreCredentialsBackend(ctx context.Context, cfg *CredentialsBackendConfig, awsCfg aws.Config) (*SSMParameterStoreCredentialsBackend, error) {
return &SSMParameterStoreCredentialsBackend{
client: ssm.NewFromConfig(awsCfg),
name: *cfg.ParameterName,
base64Encoding: cfg.Base64Encoding,
}, nil
}
func (cb *SSMParameterStoreCredentialsBackend) WithCredentialsClientOption(ctx context.Context, orig []option.ClientOption) ([]option.ClientOption, error) {
logx.Printf(ctx, "[debug] try get parameter name=%s", cb.name)
output, err := cb.client.GetParameter(ctx, &ssm.GetParameterInput{
Name: aws.String(cb.name),
WithDecryption: aws.Bool(true),
})
if err != nil {
logx.Printf(ctx, "[debug] failed get parameter name=%s:%s", cb.name, err.Error())
return orig, err
}
if output.Parameter == nil {
logx.Printf(ctx, "[warn] get parameter from ssm name=%s, but empty", cb.name)
return orig, err
}
var creds []byte
if cb.base64Encoding {
decoder := base64.NewDecoder(base64.RawStdEncoding, strings.NewReader(*output.Parameter.Value))
var err error
creds, err = io.ReadAll(decoder)
if err != nil {
logx.Printf(ctx, "[warn] credentials base64 decode failed:%s", err.Error())
return orig, err
}
}
if creds == nil {
creds = []byte(*output.Parameter.Value)
}
var temp interface{}
if err := json.Unmarshal(creds, &temp); err != nil {
logx.Printf(ctx, "[debug] credentials is not json:%s", err.Error())
return orig, fmt.Errorf("SSM Parameter `%s` loaded value is not json: %s", cb.name, err.Error())
}
ret := append(orig, option.WithCredentialsJSON(creds))
return ret, nil
}