diff --git a/.github/workflows/lint_test.yml b/.github/workflows/lint_test.yml index 3fda0c9..090d69a 100644 --- a/.github/workflows/lint_test.yml +++ b/.github/workflows/lint_test.yml @@ -9,6 +9,28 @@ on: pull_request: jobs: + aws-lint: + name: aws-lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Run golangci-lint + uses: golangci/golangci-lint-action@v4 + with: + working-directory: aws + + aws-test: + name: aws-test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: '1.22' + - name: Run Unit tests + run: make test + working-directory: ./aws + azure-lint: name: azure-lint runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7bcc7a6..f08a7ea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,11 @@ on: jobs: goreleaser: runs-on: ubuntu-latest + strategy: + matrix: + providers: + - aws + - azure steps: - name: Checkout @@ -29,7 +34,7 @@ jobs: with: version: latest args: release --clean --debug - workdir: ./azure + workdir: ./${{ matrix.providers }} env: KAFKACTL_VERSION: v5.0.6 # create personal access token: https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line diff --git a/aws/.golangci.yml b/aws/.golangci.yml new file mode 100644 index 0000000..e070a7e --- /dev/null +++ b/aws/.golangci.yml @@ -0,0 +1,223 @@ +# config is based on https://gist.github.com/maratori/47a4d00457a92aa426dbd48a18776322 + +# This file contains only configs which differ from defaults. +# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml + +run: + # Timeout for analysis, e.g. 30s, 5m. + # Default: 1m + timeout: 3m + skip-files: + - ".*generated.go" + +linters-settings: + cyclop: + # The maximal code complexity to report. + # Default: 10 + max-complexity: 30 + # The maximal average package complexity. + # If it's higher than 0.0 (float) the check is enabled + # Default: 0.0 + package-average: 10.0 + + errcheck: + # Report about not checking of errors in type assertions: `a := b.(MyStruct)`. + # Such cases aren't reported by default. + # Default: false + check-type-assertions: true + + exhaustive: + # Program elements to check for exhaustiveness. + # Default: [ switch ] + check: + - switch + - map + + exhaustruct: + # List of regular expressions to exclude struct packages and names from check. + # Default: [] + exclude: + # std libs + - "^net/http.Client$" + - "^net/http.Cookie$" + - "^net/http.Request$" + - "^net/http.Response$" + - "^net/http.Server$" + - "^net/http.Transport$" + - "^net/url.URL$" + - "^os/exec.Cmd$" + - "^reflect.StructField$" + # public libs + - "^github.com/Shopify/sarama.Config$" + - "^github.com/Shopify/sarama.ProducerMessage$" + - "^github.com/mitchellh/mapstructure.DecoderConfig$" + - "^github.com/prometheus/client_golang/.+Opts$" + - "^github.com/spf13/cobra.Command$" + - "^github.com/spf13/cobra.CompletionOptions$" + - "^github.com/stretchr/testify/mock.Mock$" + - "^github.com/testcontainers/testcontainers-go.+Request$" + - "^github.com/testcontainers/testcontainers-go.FromDockerfile$" + - "^golang.org/x/tools/go/analysis.Analyzer$" + - "^google.golang.org/protobuf/.+Options$" + - "^gopkg.in/yaml.v3.Node$" + + funlen: + # Checks the number of lines in a function. + # If lower than 0, disable the check. + # Default: 60 + lines: 100 + # Checks the number of statements in a function. + # If lower than 0, disable the check. + # Default: 40 + statements: 50 + + gocognit: + # Minimal code complexity to report. + # Default: 30 (but we recommend 10-20) + min-complexity: 20 + + gocritic: + # Settings passed to gocritic. + # The settings key is the name of a supported gocritic checker. + # The list of supported checkers can be find in https://go-critic.github.io/overview. + settings: + captLocal: + # Whether to restrict checker to params only. + # Default: true + paramsOnly: false + underef: + # Whether to skip (*x).method() calls where x is a pointer receiver. + # Default: true + skipRecvDeref: false + + gomnd: + # List of function patterns to exclude from analysis. + # Values always ignored: `time.Date`, + # `strconv.FormatInt`, `strconv.FormatUint`, `strconv.FormatFloat`, + # `strconv.ParseInt`, `strconv.ParseUint`, `strconv.ParseFloat`. + # Default: [] + ignored-functions: + - os.Chmod + - os.Mkdir + - os.MkdirAll + - os.OpenFile + - os.WriteFile + - prometheus.ExponentialBuckets + - prometheus.ExponentialBucketsRange + - prometheus.LinearBuckets + + gomoddirectives: + # Allow local `replace` directives. Default is false. + replace-local: true + + govet: + # Enable all analyzers. + # Default: false + enable-all: true + # Disable analyzers by name. + # Run `go tool vet help` to see all analyzers. + # Default: [] + disable: + - fieldalignment # too strict + # Settings per analyzer. + settings: + shadow: + # Whether to be strict about shadowing; can be noisy. + # Default: false + strict: true + + nakedret: + # Make an issue if func has more lines of code than this setting, and it has naked returns. + # Default: 30 + max-func-lines: 0 + + nolintlint: + # Exclude following linters from requiring an explanation. + # Default: [] + allow-no-explanation: [ funlen, gocognit, lll ] + # Enable to require an explanation of nonzero length after each nolint directive. + # Default: false + require-explanation: true + # Enable to require nolint directives to mention the specific linter being suppressed. + # Default: false + require-specific: true + + tenv: + # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures. + # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked. + # Default: false + all: true + + +linters: + disable-all: true + enable: + ## enabled by default + - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases + #- gosimple # specializes in simplifying a code + #- govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string + - ineffassign # detects when assignments to existing variables are not used + #- staticcheck # is a go vet on steroids, applying a ton of static analysis checks + #- typecheck # like the front-end of a Go compiler, parses and type-checks Go code + - unused # checks for unused constants, variables, functions and types + ## disabled by default + - asciicheck # checks that your code does not contain non-ASCII identifiers + - bidichk # checks for dangerous unicode character sequences + - bodyclose # checks whether HTTP response body is closed successfully + - cyclop # checks function and package cyclomatic complexity + - dupl # tool for code clone detection + - durationcheck # checks for two durations multiplied together + - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error + - errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13 + #- exhaustive # checks exhaustiveness of enum switch statements + - exportloopref # checks for pointers to enclosing loop variables + - forbidigo # forbids identifiers + - funlen # tool for detection of long functions + - gochecknoinits # checks that no init functions are present in Go code + - gocognit # computes and checks the cognitive complexity of functions + - goconst # finds repeated strings that could be replaced by a constant + - gocritic # provides diagnostics that check for bugs, performance and style issues + - gocyclo # computes and checks the cyclomatic complexity of functions + - godot # checks if comments end in a period + - goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt + - gomnd # detects magic numbers + - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod + - goprintffuncname # checks that printf-like functions are named with f at the end + - gosec # inspects source code for security problems + - lll # reports long lines + - makezero # finds slice declarations with non-zero initial length + - nakedret # finds naked returns in functions greater than a specified function length + - nestif # reports deeply nested if statements + - nilerr # finds the code that returns nil even if it checks that the error is not nil + - nilnil # checks that there is no simultaneous return of nil error and an invalid value + - noctx # finds sending http request without context.Context + - nolintlint # reports ill-formed or insufficient nolint directives + - predeclared # finds code that shadows one of Go's predeclared identifiers + - promlinter # checks Prometheus metrics naming via promlint + - revive # fast, configurable, extensible, flexible, and beautiful linter for Go, drop-in replacement of golint + - tenv # detects using os.Setenv instead of t.Setenv since Go1.17 + - tparallel # detects inappropriate usage of t.Parallel() method in your Go test codes + - unconvert # removes unnecessary type conversions + - unparam # reports unused function parameters + - wastedassign # finds wasted assignment statements + +issues: + # Maximum count of issues with the same text. + # Set to 0 to disable. + # Default: 3 + max-same-issues: 50 + + exclude-rules: + - source: "(noinspection|TODO)" + linters: [ godot ] + - source: "//noinspection" + linters: [ gocritic ] + - path: "_test\\.go" + linters: + - bodyclose + - dupl + - funlen + - goconst + - gosec + - noctx + - wrapcheck diff --git a/aws/.goreleaser.yml b/aws/.goreleaser.yml new file mode 100644 index 0000000..2ad9704 --- /dev/null +++ b/aws/.goreleaser.yml @@ -0,0 +1,101 @@ +project_name: kafkactl-aws-plugin + +before: + hooks: + - go mod download +builds: + - env: + - CGO_ENABLED=0 + ldflags: + - -s -w -X main.Version={{.Tag}} -X main.GitCommit={{.ShortCommit}} -X main.BuildTime={{.Date}} + goos: + - darwin + - linux + - windows + +archives: + - id: default + format_overrides: + - goos: windows + format: zip + files: + - LICENSE.md + - CHANGELOG.md + +checksum: + name_template: "checksums.txt" +nfpms: + - id: default + vendor: Device Insight GmbH + homepage: https://www.device-insight.com/ + maintainer: Dirk Wilden <[dirk.wilden@device-insight.com]> + description: AWS Plugin for kafkactl + license: Apache 2.0 + + formats: + - deb + - rpm + +release: + disable: false + draft: false + +brews: + - tap: + owner: deviceinsight + name: homebrew-packages + + commit_author: + name: goreleaserbot + email: goreleaser@device-insight.com + + folder: Formula + + homepage: https://www.device-insight.com/ + + dependencies: + - name: kafkactl + + description: aws Plugin for kafkactl + skip_upload: false + +winget: + - name: kafkactl-aws-plugin + publisher: deviceinsight + short_description: AWS Plugin for kafkactl + license: Apache-2.0 + publisher_support_url: https://github.com/deviceinsight/kafkactl-plugins/issues + package_identifier: deviceinsight.kafkactl-aws-plugin + homepage: https://www.device-insight.com/ + repository: + owner: deviceinsight + name: winget-pkgs + branch: "kafkactl-aws-plugin-{{.Version}}" + pull_request: + enabled: true + base: + owner: microsoft + name: winget-pkgs + branch: master + +dockers: + - skip_push: false + dockerfile: Dockerfile.Ubuntu + build_flag_templates: + - "--build-arg=KAFKACTL_VERSION={{ .Env.KAFKACTL_VERSION }}" + image_templates: + - "deviceinsight/kafkactl-aws:latest-{{ .Env.KAFKACTL_VERSION }}-ubuntu" + - "deviceinsight/kafkactl-aws:{{ .Tag }}-{{ .Env.KAFKACTL_VERSION }}-ubuntu" + - skip_push: false + dockerfile: Dockerfile.Scratch + build_flag_templates: + - "--build-arg=KAFKACTL_VERSION={{ .Env.KAFKACTL_VERSION }}" + image_templates: + - "deviceinsight/kafkactl-aws:latest-{{ .Env.KAFKACTL_VERSION }}-scratch" + - "deviceinsight/kafkactl-aws:{{ .Tag }}-{{ .Env.KAFKACTL_VERSION }}-scratch" +#publishers: +# - name: aur-aws +# env: +# - AUR_SSH_PRIVATE_KEY={{ .Env.AUR_SSH_PRIVATE_KEY }} +# cmd: | +# .github/aur/aws/publish.sh {{ .Version }} diff --git a/aws/CHANGELOG.md b/aws/CHANGELOG.md new file mode 100644 index 0000000..f3d3e70 --- /dev/null +++ b/aws/CHANGELOG.md @@ -0,0 +1,12 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## 1.0.0 - 2024-07-31 + +### Added + +Initial Release diff --git a/aws/Dockerfile.Scratch b/aws/Dockerfile.Scratch new file mode 100644 index 0000000..35eb414 --- /dev/null +++ b/aws/Dockerfile.Scratch @@ -0,0 +1,4 @@ +ARG KAFKACTL_VERSION +FROM deviceinsight/kafkactl:${KAFKACTL_VERSION}-scratch +COPY kafkactl-aws-plugin /usr/local/bin +ENTRYPOINT ["/kafkactl"] diff --git a/aws/Dockerfile.Ubuntu b/aws/Dockerfile.Ubuntu new file mode 100644 index 0000000..5b8bd7b --- /dev/null +++ b/aws/Dockerfile.Ubuntu @@ -0,0 +1,4 @@ +ARG KAFKACTL_VERSION +FROM deviceinsight/kafkactl:${KAFKACTL_VERSION}-ubuntu +COPY kafkactl-aws-plugin /usr/local/bin +ENTRYPOINT ["/kafkactl"] diff --git a/aws/LICENSE.md b/aws/LICENSE.md new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/aws/LICENSE.md @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/aws/Makefile b/aws/Makefile new file mode 100644 index 0000000..77fed91 --- /dev/null +++ b/aws/Makefile @@ -0,0 +1,65 @@ +BUILD_TS := $(shell date -Iseconds --utc) +COMMIT_SHA := $(shell git rev-parse HEAD) +VERSION := $(shell git describe --abbrev=0 --tags || echo "latest") + +export CGO_ENABLED=0 +export GOOS=linux +export GO111MODULE=on + +program=kafkactl-aws-plugin +ld_flags := "-X main.Version=$(VERSION) -X main.GitCommit=$(COMMIT_SHA) -X main.BuildTime=$(BUILD_TS)" + +FILES := $(shell find . -name '*.go' -type f -not -name '*.pb.go' -not -name '*_generated.go' -not -name '*_test.go') +TESTS := $(shell find . -name '*.go' -type f -not -name '*.pb.go' -not -name '*_generated.go' -name '*_test.go') + +.DEFAULT_GOAL := all +.PHONY: all +all: fmt lint cve-check test build + +fmt: + gofmt -s -l -w $(FILES) $(TESTS) + goimports -l -w $(FILES) $(TESTS) + +.PHONY: update-dependencies +update-dependencies: # update dependencies to latest MINOR.PATCH + go get -t -u ./... + +lint: + golangci-lint run + +.PHONY: cve-check +cve-check: + echo WARNING: govulncheck is disabled because it segfaults + #govulncheck ./... + +.PHONY: test +test: + rm -f test.log + go test -v -short ./... + +.PHONY: build +build: + go build -ldflags $(ld_flags) -o $(program) + +.PHONY: clean +clean: + rm -f $(program) + go clean -testcache + +# usage make version=1.0.0 release +# +# manually executing goreleaser: +# export GITHUB_TOKEN=xyz +# export AUR_SSH_PRIVATE_KEY=$(cat /path/to/id_aur) +# export KAFKACTL_VERSION=v5.0.6 +# docker login +# goreleaser --clean (--skip-validate) +# +.PHONY: release +release: + current_date=`date "+%Y-%m-%d"`; eval "sed -i 's/## \[Unreleased\].*/## [Unreleased]\n\n## $$version - $$current_date/g' CHANGELOG.md" + git add "CHANGELOG.md" + git commit -m "releases $(version)" + git tag -a v$(version) -m "release v$(version)" + git push origin + git push origin v$(version) \ No newline at end of file diff --git a/aws/README.adoc b/aws/README.adoc new file mode 100644 index 0000000..38427f4 --- /dev/null +++ b/aws/README.adoc @@ -0,0 +1,145 @@ += AWS Plugin + +The kafkactl aws plugin allows to configure kafkactl to use an AWS oauth credential flow for login. +This allows to perform passwordless logins with AWS IAMs. + +== Installation + +You can install the pre-compiled binary or compile from source. + +=== Install the pre-compiled binary + +*homebrew*: + +[,bash] +---- +# install tap repository once +brew tap deviceinsight/packages +# install +brew kafkactl-aws-plugin +# upgrade +brew upgrade kafkactl-aws-plugin +---- + +*winget*: +[,bash] +---- +winget install kafkactl-aws-plugin +---- + +*deb/rpm*: + +Download the .deb or .rpm from the https://github.com/deviceinsight/kafkactl-plugins/releases[releases page] and install with dpkg -i and rpm -i respectively. + +*manually*: + +Download the pre-compiled binaries from the https://github.com/deviceinsight/kafkactl-plugins/releases[releases page] and copy to the desired location. + +=== Compiling from source + +[,bash] +---- +go get -u github.com/deviceinsight/kafkactl-plugins/aws +---- + +== Configuration + +=== Minimal + +The minimal kafkactl configuration needed to use this plugin looks as follows: + +[source,yaml] +---- +contexts: + my-context: + brokers: + - b-1.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + - b-2.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + sasl: + enabled: true + mechanism: oauth + tokenprovider: + plugin: aws + region: eu-west-1 + tls: + enabled: true +---- + +Note that you will need to access port `9098` on the brokers or `9198` for public access. + +=== EKS Cluster with IAM roles for service accounts (IRSA) + +When using an EKS cluster with IAM roles for service accounts (IRSA), please follow [this guide](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) +and setup the necessary roles and policies. + +Then you can configure kafkactl as follows: + +[source,yaml] +---- +contexts: + my-context-k8s: + brokers: + - b-1.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + - b-2.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + kubernetes: + enabled: true + image: deviceinsight/kafkactl-azure:latest-v5.0.6 + kubecontext: my-eks-cluster + namespace: eks-namespace + serviceaccount: irsa + sasl: + enabled: true + mechanism: oauth + tokenprovider: + plugin: aws + options: + region: eu-west-1 + tls: + enabled: true +---- + +== Options + + +|=== +|Option | Type | Description + +|debug +|boolean +|Debug the credential flow + +|region +|string +|Region of the cluster + +|role +|string +|IAM role to use for authentication + +|profile +|string +|Profile to use for authentication + +|stsSessionName +|string +|Name of the STS session + +Example with all options configured: + +[source,yaml] +---- +contexts: + my-context: + brokers: + - b-1.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + - b-2.my-cluster.xxxxxxx.xxx.kafka.eu-west-1.amazonaws.com:9098 + sasl: + enabled: true + mechanism: oauth + tokenprovider: + plugin: aws + options: + region: eu-west-1 + tls: + enabled: true +---- diff --git a/aws/go.mod b/aws/go.mod new file mode 100644 index 0000000..5182776 --- /dev/null +++ b/aws/go.mod @@ -0,0 +1,42 @@ +module github.com/deviceinsight/kafkactl-aws-plugin + +go 1.22.1 + +require ( + github.com/aws/aws-msk-iam-sasl-signer-go v1.0.0 + github.com/deviceinsight/kafkactl/v5 v5.0.6 + github.com/hashicorp/go-hclog v1.6.2 + github.com/hashicorp/go-plugin v1.6.0 +) + +require ( + github.com/aws/aws-sdk-go-v2 v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.28 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.27 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.29 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.12.13 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.19.3 // indirect + github.com/aws/smithy-go v1.13.5 // indirect + github.com/fatih/color v1.16.0 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/hashicorp/yamux v0.1.1 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mitchellh/go-testing-interface v1.14.1 // indirect + github.com/oklog/run v1.1.0 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/stretchr/testify v1.9.0 // indirect + golang.org/x/net v0.24.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 // indirect + google.golang.org/grpc v1.62.1 // indirect + google.golang.org/protobuf v1.33.0 // indirect +) + +//replace github.com/deviceinsight/kafkactl/v5 v5.0.6 => ../../kafkactl diff --git a/aws/go.sum b/aws/go.sum new file mode 100644 index 0000000..29c7e6c --- /dev/null +++ b/aws/go.sum @@ -0,0 +1,95 @@ +github.com/aws/aws-msk-iam-sasl-signer-go v1.0.0 h1:UyjtGmO0Uwl/K+zpzPwLoXzMhcN9xmnR2nrqJoBrg3c= +github.com/aws/aws-msk-iam-sasl-signer-go v1.0.0/go.mod h1:TJAXuFs2HcMib3sN5L0gUC+Q01Qvy3DemvA55WuC+iA= +github.com/aws/aws-sdk-go-v2 v1.19.0 h1:klAT+y3pGFBU/qVf1uzwttpBbiuozJYWzNLHioyDJ+k= +github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= +github.com/aws/aws-sdk-go-v2/config v1.18.28 h1:TINEaKyh1Td64tqFvn09iYpKiWjmHYrG1fa91q2gnqw= +github.com/aws/aws-sdk-go-v2/config v1.18.28/go.mod h1:nIL+4/8JdAuNHEjn/gPEXqtnS02Q3NXB/9Z7o5xE4+A= +github.com/aws/aws-sdk-go-v2/credentials v1.13.27 h1:dz0yr/yR1jweAnsCx+BmjerUILVPQ6FS5AwF/OyG1kA= +github.com/aws/aws-sdk-go-v2/credentials v1.13.27/go.mod h1:syOqAek45ZXZp29HlnRS/BNgMIW6uiRmeuQsz4Qh2UE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5 h1:kP3Me6Fy3vdi+9uHd7YLr6ewPxRL+PU6y15urfTaamU= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5/go.mod h1:Gj7tm95r+QsDoN2Fhuz/3npQvcZbkEf5mL70n3Xfluc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35 h1:hMUCiE3Zi5AHrRNGf5j985u0WyqI6r2NULhUfo0N/No= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29 h1:yOpYx+FTBdpk/g+sBU6Cb1H0U/TLEcYYp66mYqsPpcc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36 h1:8r5m1BoAWkn0TDC34lUculryf7nUF25EgIMdjvGCkgo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36/go.mod h1:Rmw2M1hMVTwiUhjwMoIBFWFJMhvJbct06sSidxInkhY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.29 h1:IiDolu/eLmuB18DRZibj77n1hHQT7z12jnGO7Ze3pLc= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.29/go.mod h1:fDbkK4o7fpPXWn8YAPmTieAMuB9mk/VgvW64uaUqxd4= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.13 h1:sWDv7cMITPcZ21QdreULwxOOAmE05JjEsT6fCDtDA9k= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.13/go.mod h1:DfX0sWuT46KpcqbMhJ9QWtxAIP1VozkDWf8VAkByjYY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13 h1:BFubHS/xN5bjl818QaroN6mQdjneYQ+AOx44KNXlyH4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13/go.mod h1:BzqsVVFduubEmzrVtUFQQIQdFqvUItF8XUq2EnS8Wog= +github.com/aws/aws-sdk-go-v2/service/sts v1.19.3 h1:e5mnydVdCVWxP+5rPAGi2PYxC7u2OZgH1ypC114H04U= +github.com/aws/aws-sdk-go-v2/service/sts v1.19.3/go.mod h1:yVGZA1CPkmUhBdA039jXNJJG7/6t+G+EBWmFq23xqnY= +github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= +github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/bufbuild/protocompile v0.9.0 h1:DI8qLG5PEO0Mu1Oj51YFPqtx6I3qYXUAhJVJ/IzAVl0= +github.com/bufbuild/protocompile v0.9.0/go.mod h1:s89m1O8CqSYpyE/YaSGtg1r1YFMF5nLTwh4vlj6O444= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/deviceinsight/kafkactl/v5 v5.0.6 h1:htXb5ggNm7iZS93OY76Op/ke+ziINwi9vMm1gzl+R+E= +github.com/deviceinsight/kafkactl/v5 v5.0.6/go.mod h1:rM/EQE5k06wD/UgBQ5iuxLdIgz6q+YvbZw+k9DCHy7A= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I= +github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-plugin v1.6.0 h1:wgd4KxHJTVGGqWBq4QPB1i5BZNEx9BR8+OFmHDmTk8A= +github.com/hashicorp/go-plugin v1.6.0/go.mod h1:lBS5MtSSBZk0SHc66KACcjjlU6WzEVP/8pwz68aMkCI= +github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= +github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/jhump/protoreflect v1.15.6 h1:WMYJbw2Wo+KOWwZFvgY0jMoVHM6i4XIvRs2RcBj5VmI= +github.com/jhump/protoreflect v1.15.6/go.mod h1:jCHoyYQIJnaabEYnbGwyo9hUqfyUMTbJw/tAut5t97E= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= +github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= +github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= +github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 h1:IR+hp6ypxjH24bkMfEJ0yHR21+gwPWdV+/IBrPQyn3k= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/aws/main.go b/aws/main.go new file mode 100644 index 0000000..1089406 --- /dev/null +++ b/aws/main.go @@ -0,0 +1,160 @@ +package main + +import ( + "context" + "encoding/base64" + "fmt" + "net/url" + "os" + "strconv" + "time" + + "github.com/hashicorp/go-plugin" + + "github.com/aws/aws-msk-iam-sasl-signer-go/signer" + "github.com/deviceinsight/kafkactl/v5/pkg/plugins/auth" + "github.com/hashicorp/go-hclog" +) + +var Version = "latest" +var BuildTime string +var GitCommit string + +type tokenProvider struct { + logger hclog.Logger + region string + role string + profile string + stsSessionName string + token string +} + +// Init initializes the tokenProvider with the provided clientID and clientSecret. +// The provided tokenURL is used to perform the 2 legged client credentials flow. +func (t *tokenProvider) Init(options map[string]any, brokers []string) (err error) { + + t.logger.Debug("init", "options", options) + + if v, ok := options["debug"].(bool); ok && v { + signer.AwsDebugCreds = v + } + + if r, ok := options["region"].(string); ok { + t.region = r + } + + if r, ok := options["role"].(string); ok { + t.role = r + } + + if p, ok := options["profile"].(string); ok { + t.profile = p + } + + if n, ok := options["stsSessionName"].(string); ok { + t.stsSessionName = n + } + + t.logger.Debug("plugin initialized") + return nil +} + +// Token returns a new accessToken or an error as appropriate. +func (t *tokenProvider) Token() (string, error) { + + expired := true + var err error + + if t.token != "" { + expired, err = t.isTokenExpired() + if err != nil { + return "", fmt.Errorf("failed to check if token is expired: %w", err) + } + } + + if expired { + switch { + case t.role != "": + t.logger.Debug("fetching new token", "region", t.region, "role", t.role, "stsSessionName", t.stsSessionName) + t.token, _, err = signer.GenerateAuthTokenFromRole(context.Background(), t.region, t.role, t.stsSessionName) + case t.profile != "": + t.logger.Debug("fetching new token", "role", t.role, "profile", t.profile) + t.token, _, err = signer.GenerateAuthTokenFromProfile(context.Background(), t.region, t.profile) + default: + t.logger.Debug("fetching new token", "region", t.region) + t.token, _, err = signer.GenerateAuthToken(context.Background(), t.region) + } + + if err != nil { + return "", fmt.Errorf("failed to generate token: %w", err) + } + + t.logger.Debug("fetched new token") + return t.token, nil + } + + t.logger.Debug("reusing cached token") + return t.token, nil +} + +// isTokenExpired checks if the token is expired by decoding the token and checking the 'X-Amz-Expires' param of the token. +// Inspired by https://github.com/aws/aws-msk-iam-sasl-signer-go/blob/896b3e826e770470727dc53d8154cbf148a07aad/signer/msk_auth_token_provider.go#L227-L251 +func (t *tokenProvider) isTokenExpired() (bool, error) { + + b, err := base64.RawURLEncoding.DecodeString(t.token) + if err != nil { + return true, fmt.Errorf("failed to base64 decode the token: %w", err) + } + + parsedURL, err := url.Parse(string(b)) + if err != nil { + return true, fmt.Errorf("failed to parse the signed url: %w", err) + } + + params := parsedURL.Query() + d := params.Get("X-Amz-Date") + if d == "" { + return true, nil + } + + signedAt, err := time.Parse("20060102T150405Z", d) + if err != nil { + return false, fmt.Errorf("failed to parse the 'X-Amz-Date' param from signed url: %w", err) + } + + e := params.Get(signer.ExpiresQueryKey) + if e == "" { + return true, nil + } + expires, err := strconv.ParseInt(e, 10, 64) + if err != nil { + return true, fmt.Errorf("failed to parse the '%s' param from signed url: %w", signer.ExpiresQueryKey, err) + } + + // expire the token a bit earlier, just to be safe + expiresAt := signedAt.Add(time.Duration(expires) * time.Second).Add(time.Minute * 1) + + return expiresAt.Before(time.Now()), nil +} + +func main() { + + logger := hclog.New(&hclog.LoggerOptions{ + Level: hclog.Trace, + Output: os.Stderr, + JSONFormat: true, + }) + + tokenProvider := &tokenProvider{ + logger: logger, + } + + logger.Debug("aws plugin started", "version", Version, "buildTime", BuildTime, "gitCommit", GitCommit) + + plugin.Serve(&plugin.ServeConfig{ + HandshakeConfig: auth.TokenProviderPluginSpec.Handshake, + Plugins: map[string]plugin.Plugin{ + auth.TokenProviderPluginSpec.InterfaceIdentifier: &auth.TokenProviderPlugin{Impl: tokenProvider}, + }, + }) +} diff --git a/aws/main_test.go b/aws/main_test.go new file mode 100644 index 0000000..cdff964 --- /dev/null +++ b/aws/main_test.go @@ -0,0 +1,46 @@ +package main + +import ( + "encoding/base64" + "testing" +) + +func TestToken_IsTokenExpired(t *testing.T) { + type testcase struct { + expired bool + name string + token string + } + + tcs := []testcase{ + { + name: "expired", + token: base64.RawURLEncoding.EncodeToString([]byte("https://kafka.us-west-2.amazonaws.com/?Action=kafka-cluster:Connect&User-Agent=aws-msk-iam-sasl-signer-go/1.0.0/go1.22.2&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MOCK-ACCESS-KEY/19700101/us-west-2/kafka-cluster/aws4_request&X-Amz-Date=19700101T000000Z&X-Amz-Expires=900&X-Amz-Security-Token=MOCK-SESSION-TOKEN&X-Amz-Signature=1fa6dbb97390db03591f0f3af836d27b68e5fac024a126b688a2177eba2cd587&X-Amz-SignedHeaders=host%")), + expired: true, + }, + { + name: "valid", + token: base64.RawURLEncoding.EncodeToString([]byte("https://kafka.us-west-2.amazonaws.com/?Action=kafka-cluster:Connect&User-Agent=aws-msk-iam-sasl-signer-go/1.0.0/go1.22.2&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MOCK-ACCESS-KEY/19700101/us-west-2/kafka-cluster/aws4_request&X-Amz-Date=99991231T234459Z&X-Amz-Expires=900&X-Amz-Security-Token=MOCK-SESSION-TOKEN&X-Amz-Signature=1fa6dbb97390db03591f0f3af836d27b68e5fac024a126b688a2177eba2cd587&X-Amz-SignedHeaders=host%")), + expired: false, + }, + } + + for _, tc := range tcs { + tc := tc + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + p := &tokenProvider{ + token: tc.token, + } + + got, err := p.isTokenExpired() + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + + if got != tc.expired { + t.Errorf("got: %v, want: %v", got, tc.expired) + } + }) + } +}