package processcreds import ( "bytes" "context" "encoding/json" "fmt" "io" "os" "os/exec" "runtime" "time" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/internal/sdkio" ) const ( // ProviderName is the name this credentials provider will label any // returned credentials Value with. ProviderName = `ProcessProvider` // DefaultTimeout default limit on time a process can run. DefaultTimeout = time.Duration(1) * time.Minute ) // ProviderError is an error indicating failure initializing or executing the // process credentials provider type ProviderError struct { Err error } // Error returns the error message. func (e *ProviderError) Error() string { return fmt.Sprintf("process provider error: %v", e.Err) } // Unwrap returns the underlying error the provider error wraps. func (e *ProviderError) Unwrap() error { return e.Err } // Provider satisfies the credentials.Provider interface, and is a // client to retrieve credentials from a process. type Provider struct { // Provides a constructor for exec.Cmd that are invoked by the provider for // retrieving credentials. Use this to provide custom creation of exec.Cmd // with things like environment variables, or other configuration. // // The provider defaults to the DefaultNewCommand function. commandBuilder NewCommandBuilder options Options } // Options is the configuration options for configuring the Provider. type Options struct { // Timeout limits the time a process can run. Timeout time.Duration } // NewCommandBuilder provides the interface for specifying how command will be // created that the Provider will use to retrieve credentials with. type NewCommandBuilder interface { NewCommand(context.Context) (*exec.Cmd, error) } // NewCommandBuilderFunc provides a wrapper type around a function pointer to // satisfy the NewCommandBuilder interface. type NewCommandBuilderFunc func(context.Context) (*exec.Cmd, error) // NewCommand calls the underlying function pointer the builder was initialized with. func (fn NewCommandBuilderFunc) NewCommand(ctx context.Context) (*exec.Cmd, error) { return fn(ctx) } // DefaultNewCommandBuilder provides the default NewCommandBuilder // implementation used by the provider. It takes a command and arguments to // invoke. The command will also be initialized with the current process // environment variables, stderr, and stdin pipes. type DefaultNewCommandBuilder struct { Args []string } // NewCommand returns an initialized exec.Cmd with the builder's initialized // Args. The command is also initialized current process environment variables, // stderr, and stdin pipes. func (b DefaultNewCommandBuilder) NewCommand(ctx context.Context) (*exec.Cmd, error) { var cmdArgs []string if runtime.GOOS == "windows" { cmdArgs = []string{"cmd.exe", "/C"} } else { cmdArgs = []string{"sh", "-c"} } if len(b.Args) == 0 { return nil, &ProviderError{ Err: fmt.Errorf("failed to prepare command: command must not be empty"), } } cmdArgs = append(cmdArgs, b.Args...) cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...) cmd.Env = os.Environ() cmd.Stderr = os.Stderr // display stderr on console for MFA cmd.Stdin = os.Stdin // enable stdin for MFA return cmd, nil } // NewProvider returns a pointer to a new Credentials object wrapping the // Provider. // // The provider defaults to the DefaultNewCommandBuilder for creating command // the Provider will use to retrieve credentials with. func NewProvider(command string, options ...func(*Options)) *Provider { var args []string // Ensure that the command arguments are not set if the provided command is // empty. This will error out when the command is executed since no // arguments are specified. if len(command) > 0 { args = []string{command} } commanBuilder := DefaultNewCommandBuilder{ Args: args, } return NewProviderCommand(commanBuilder, options...) } // NewProviderCommand returns a pointer to a new Credentials object with the // specified command, and default timeout duration. Use this to provide custom // creation of exec.Cmd for options like environment variables, or other // configuration. func NewProviderCommand(builder NewCommandBuilder, options ...func(*Options)) *Provider { p := &Provider{ commandBuilder: builder, options: Options{ Timeout: DefaultTimeout, }, } for _, option := range options { option(&p.options) } return p } // A CredentialProcessResponse is the AWS credentials format that must be // returned when executing an external credential_process. type CredentialProcessResponse struct { // As of this writing, the Version key must be set to 1. This might // increment over time as the structure evolves. Version int // The access key ID that identifies the temporary security credentials. AccessKeyID string `json:"AccessKeyId"` // The secret access key that can be used to sign requests. SecretAccessKey string // The token that users must pass to the service API to use the temporary credentials. SessionToken string // The date on which the current credentials expire. Expiration *time.Time } // Retrieve executes the credential process command and returns the // credentials, or error if the command fails. func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) { out, err := p.executeCredentialProcess(ctx) if err != nil { return aws.Credentials{Source: ProviderName}, err } // Serialize and validate response resp := &CredentialProcessResponse{} if err = json.Unmarshal(out, resp); err != nil { return aws.Credentials{Source: ProviderName}, &ProviderError{ Err: fmt.Errorf("parse failed of process output: %s, error: %w", out, err), } } if resp.Version != 1 { return aws.Credentials{Source: ProviderName}, &ProviderError{ Err: fmt.Errorf("wrong version in process output (not 1)"), } } if len(resp.AccessKeyID) == 0 { return aws.Credentials{Source: ProviderName}, &ProviderError{ Err: fmt.Errorf("missing AccessKeyId in process output"), } } if len(resp.SecretAccessKey) == 0 { return aws.Credentials{Source: ProviderName}, &ProviderError{ Err: fmt.Errorf("missing SecretAccessKey in process output"), } } creds := aws.Credentials{ Source: ProviderName, AccessKeyID: resp.AccessKeyID, SecretAccessKey: resp.SecretAccessKey, SessionToken: resp.SessionToken, } // Handle expiration if resp.Expiration != nil { creds.CanExpire = true creds.Expires = *resp.Expiration } return creds, nil } // executeCredentialProcess starts the credential process on the OS and // returns the results or an error. func (p *Provider) executeCredentialProcess(ctx context.Context) ([]byte, error) { if p.options.Timeout >= 0 { var cancelFunc func() ctx, cancelFunc = context.WithTimeout(ctx, p.options.Timeout) defer cancelFunc() } cmd, err := p.commandBuilder.NewCommand(ctx) if err != nil { return nil, err } // get creds json on process's stdout output := bytes.NewBuffer(make([]byte, 0, int(8*sdkio.KibiByte))) if cmd.Stdout != nil { cmd.Stdout = io.MultiWriter(cmd.Stdout, output) } else { cmd.Stdout = output } execCh := make(chan error, 1) go executeCommand(cmd, execCh) select { case execError := <-execCh: if execError == nil { break } select { case <-ctx.Done(): return output.Bytes(), &ProviderError{ Err: fmt.Errorf("credential process timed out: %w", execError), } default: return output.Bytes(), &ProviderError{ Err: fmt.Errorf("error in credential_process: %w", execError), } } } out := output.Bytes() if runtime.GOOS == "windows" { // windows adds slashes to quotes out = bytes.ReplaceAll(out, []byte(`\"`), []byte(`"`)) } return out, nil } func executeCommand(cmd *exec.Cmd, exec chan error) { // Start the command err := cmd.Start() if err == nil { err = cmd.Wait() } exec <- err }