Adding IAM roles to the cred chain #85

Closed
wants to merge 23 commits into from
Closed
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
built-*
assets
.idea
.DS_Store
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM golang:alpine as builder
FROM golang:1.11.4-alpine3.8 as builder
COPY . /go/src/github.com/concourse/semver-resource
ENV CGO_ENABLED 0
RUN go build -o /assets/in github.com/concourse/semver-resource/in
Expand All @@ -9,7 +9,7 @@ RUN set -e; for pkg in $(go list ./...); do \
go test -o "/tests/$(basename $pkg).test" -c $pkg; \
done

FROM alpine:edge AS resource
FROM alpine:3.8 AS resource
RUN apk add --no-cache bash tzdata ca-certificates git jq openssh
RUN git config --global user.email "git@localhost"
RUN git config --global user.name "git"
41 changes: 20 additions & 21 deletions driver/driver.go
Expand Up @@ -3,10 +3,10 @@ package driver
import (
"crypto/tls"
"fmt"
"github.com/aws/aws-sdk-go/aws/credentials"
"net/http"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/blang/semver"
Expand Down Expand Up @@ -37,13 +37,6 @@ func FromSource(source models.Source) (Driver, error) {

switch source.Driver {
case models.DriverUnspecified, models.DriverS3:
var creds *credentials.Credentials

if source.AccessKeyID == "" && source.SecretAccessKey == "" {
creds = credentials.AnonymousCredentials
} else {
creds = credentials.NewStaticCredentials(source.AccessKeyID, source.SecretAccessKey, "")
}

regionName := source.RegionName
if len(regionName) == 0 {
Expand All @@ -61,7 +54,6 @@ func FromSource(source models.Source) (Driver, error) {

awsConfig := &aws.Config{
Region: aws.String(regionName),
Credentials: creds,
S3ForcePathStyle: aws.Bool(true),
MaxRetries: aws.Int(maxRetries),
DisableSSL: aws.Bool(source.DisableSSL),
Expand All @@ -72,15 +64,23 @@ func FromSource(source models.Source) (Driver, error) {
awsConfig.Endpoint = aws.String(source.Endpoint)
}

svc := s3.New(session.New(awsConfig))
sess := session.Must(session.NewSession())
if source.AccessKeyID != "" && source.SecretAccessKey != "" {
// If nothing is provided use the default cred chain.
creds := credentials.NewStaticCredentials(source.AccessKeyID, source.SecretAccessKey, "")
awsConfig.Credentials = creds
} else {
println("Using default credential chain for authentication.")
}

svc := s3.New(sess, awsConfig)

if source.UseV2Signing {
setv2Handlers(svc)
}

return &S3Driver{
InitialVersion: initialVersion,

InitialVersion: initialVersion,
Svc: svc,
BucketName: source.Bucket,
Key: source.Key,
Expand All @@ -90,15 +90,14 @@ func FromSource(source models.Source) (Driver, error) {
case models.DriverGit:
return &GitDriver{
InitialVersion: initialVersion,

URI: source.URI,
Branch: source.Branch,
PrivateKey: source.PrivateKey,
Username: source.Username,
Password: source.Password,
File: source.File,
GitUser: source.GitUser,
CommitMessage: source.CommitMessage,
URI: source.URI,
Branch: source.Branch,
PrivateKey: source.PrivateKey,
Username: source.Username,
Password: source.Password,
File: source.File,
GitUser: source.GitUser,
CommitMessage: source.CommitMessage,
}, nil

case models.DriverSwift:
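Review bot: The new credential branch `if source.AccessKeyID != "" && source.SecretAccessKey != ""` silently falls through to the default chain when only one of the two fields is set, so a typo in one field no longer fails the source but authenticates with whatever ambient credentials the worker holds (instance role, environment); guard it first with `if (source.AccessKeyID == "") != (source.SecretAccessKey == "") { return nil, fmt.Errorf("access_key_id and secret_access_key must be set together") }`. The comment `// If nothing is provided use the default cred chain.` is placed inside the branch that handles explicitly provided static keys; it belongs on the `else` branch. Dropping the `credentials.AnonymousCredentials` fallback from the removed block also changes behaviour for key-less sources reading public buckets: where the worker has no ambient credentials at all, the default chain will now error instead of proceeding anonymously, which seems worth calling out in the README or keeping as an explicit option. FromSource starts before and ends after this hunk.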
26 changes: 22 additions & 4 deletions driver/git.go
Expand Up @@ -18,7 +18,7 @@ var gitRepoDir string
var privateKeyPath string
var netRcPath string

var ErrEncryptedKey = errors.New("private keys with passphrases are not supported")
var ErrKey = errors.New("unable to process private key, is it password protected?")

func init() {
gitRepoDir = filepath.Join(os.TempDir(), "semver-git-repo")
Expand Down Expand Up @@ -214,16 +214,34 @@ func (driver *GitDriver) setUpKey() error {
}

if isPrivateKeyEncrypted(privateKeyPath) {
return ErrEncryptedKey
return ErrKey
}

return os.Setenv("GIT_SSH_COMMAND", "ssh -o StrictHostKeyChecking=no -i "+privateKeyPath)
}

func isPrivateKeyEncrypted(path string) bool {
chmod := exec.Command("chmod", "400", path)
_, err := chmod.CombinedOutput()

if err != nil {
return false
}

cleanup := exec.Command("echo", "''", ">>", path )
_, err = cleanup.CombinedOutput()

if err != nil {
return false
}

passphrase := ``
cmd := exec.Command(`ssh-keygen`, `-y`, `-f`, path, `-P`, passphrase)
err := cmd.Run()
cmd := exec.Command("ssh-keygen", "-y", "-f", path, "-P", passphrase)
err = cmd.Run()

if err != nil {
println("Error attempting to access private key. ", err.Error())
}

return err != nil
}
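Review bot: The `cleanup` command `exec.Command("echo", "''", ">>", path)` never touches the key file: exec.Command runs echo directly with no shell, so `>>` and the path are passed to echo as literal arguments and its output is captured and discarded. If the intent is to make sure the key ends with a newline before ssh-keygen parses it, append it with os.OpenFile rather than a shell idiom, and do it before the chmod to 0400, which strips the owner's write bit for a non-root process; the chmod itself can be `os.Chmod(path, 0400)` instead of spawning a process. Both early `return false` paths report "not encrypted" on failure, so setUpKey carries on with a key whose permissions may be wrong and ssh rejects it later with a less specific error; at least log which step failed, as the ssh-keygen branch already does. The probe itself (`ssh-keygen -y -f path -P ""`) is unchanged apart from quoting and only the new `err =` assignment is affected by the rewrite below.
```go
func isPrivateKeyEncrypted(path string) bool {
	// Presumably ensures the key ends with a newline so ssh-keygen can parse it;
	// append before tightening permissions so the write is not refused.
	f, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, 0600)
	if err != nil {
		println("Error opening private key. ", err.Error())
		return false
	}
	_, err = f.WriteString("\n")
	f.Close()
	if err != nil {
		println("Error writing private key. ", err.Error())
		return false
	}

	if err := os.Chmod(path, 0400); err != nil {
		println("Error setting private key permissions. ", err.Error())
		return false
	}

	// … unchanged: ssh-keygen -y -f path -P "" probe and return …
}
```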