Extract AWS credentials from secret

pkg/secrets/aws.go

@@ -0,0 +1,72 @@
+package secrets
+
+import (
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+)
+
+const (
+	// AWSSecretType represents the secret type for AWS credentials.
+	AWSSecretType string = "secrets.kanister.io/aws"
+
+	// AWSAccessKeyID is the key for AWS access key ID.
+	AWSAccessKeyID string = "access_key_id"
+	// AWSSecretAccessKey is the key for AWS secret access key.
+	AWSSecretAccessKey string = "secret_access_key"
+	// AWSSessionToken is the key for optional AWS session token.
+	AWSSessionToken string = "session_token"
+)
+
+// ValidateAWSCredentials validates secret has all necessary information
+// for AWS credentials. It also checks the secret doesn't have unnnecessary
+// information.
+//
+// Required fields:
+// - access_key_id
+// - secret_access_key
+//
+// Optional field:
+// - session_token
+func ValidateAWSCredentials(secret *v1.Secret) error {
+	if string(secret.Type) != AWSSecretType {
+		return errors.New("Secret is not AWS secret")
+	}
+	if _, ok := secret.Data[AWSAccessKeyID]; !ok {
+		return errors.New("awsAccessKeyID is a required field")
+	}
+	if _, ok := secret.Data[AWSSecretAccessKey]; !ok {
+		return errors.New("awsSecretAccessKey is a required field")
+	}
+	count := 2
+	if _, ok := secret.Data[AWSSessionToken]; ok {
+		count++
+	}
+	if len(secret.Data) > count {
+		return errors.New("Secret has an unknown field")
+	}
+	return nil
+}
+
+// ExtractAWSCredentials extracts AWS credential values from the given secret.
+//
+// Extracted values from the secrets are:
+// - access_key_id (required)
+// - secret_access_key (required)
+// - session_token (optional)
+//
+// If the type of the secret is not "secret.kanister.io/aws", it returns an error.
+// If the required types are not avaialable in the secrets, it returns an errror.
+func ExtractAWSCredentials(secret *v1.Secret) (*credentials.Value, error) {
+	if err := ValidateAWSCredentials(secret); err != nil {
+		return nil, err
+	}
+	accessKeyID := secret.Data[AWSAccessKeyID]
+	secretAccessKey := secret.Data[AWSSecretAccessKey]
+	sessionToken := secret.Data[AWSSessionToken]
+	return &credentials.Value{
+		AccessKeyID:     string(accessKeyID),
+		SecretAccessKey: string(secretAccessKey),
+		SessionToken:    string(sessionToken),
+	}, nil
+}

pkg/secrets/aws_test.go

@@ -0,0 +1,94 @@
+package secrets
+
+import (
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	. "gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+)
+
+type AWSSecretSuite struct{}
+
+var _ = Suite(&AWSSecretSuite{})
+
+func (s *AWSSecretSuite) TestExtractAWSCredentials(c *C) {
+	tcs := []struct {
+		secret     *v1.Secret
+		expected   *credentials.Value
+		errChecker Checker
+	}{
+		{
+			secret: &v1.Secret{
+				Type: v1.SecretType(AWSSecretType),
+				Data: map[string][]byte{
+					AWSAccessKeyID:     []byte("key_id"),
+					AWSSecretAccessKey: []byte("secret_key"),
+				},
+			},
+			expected: &credentials.Value{
+				AccessKeyID:     "key_id",
+				SecretAccessKey: "secret_key",
+			},
+			errChecker: IsNil,
+		},
+		{
+			secret: &v1.Secret{
+				Type: v1.SecretType(AWSSecretType),
+				Data: map[string][]byte{
+					AWSAccessKeyID:     []byte("key_id"),
+					AWSSecretAccessKey: []byte("secret_key"),
+					AWSSessionToken:    []byte("session_token"),
+				},
+			},
+			expected: &credentials.Value{
+				AccessKeyID:     "key_id",
+				SecretAccessKey: "secret_key",
+				SessionToken:    "session_token",
+			},
+			errChecker: IsNil,
+		},
+		{
+			secret: &v1.Secret{
+				Type: "Opaque",
+			},
+			expected:   nil,
+			errChecker: NotNil,
+		},
+		{
+			secret: &v1.Secret{
+				Type: v1.SecretType(AWSSecretType),
+				Data: map[string][]byte{
+					AWSSecretAccessKey: []byte("secret_key"),
+				},
+			},
+			expected:   nil,
+			errChecker: NotNil,
+		},
+		{
+			secret: &v1.Secret{
+				Type: v1.SecretType(AWSSecretType),
+				Data: map[string][]byte{
+					AWSAccessKeyID: []byte("key_id"),
+				},
+			},
+			expected:   nil,
+			errChecker: NotNil,
+		},
+		{
+			secret: &v1.Secret{
+				Type: v1.SecretType(AWSSecretType),
+				Data: map[string][]byte{
+					AWSAccessKeyID:     []byte("key_id"),
+					AWSSecretAccessKey: []byte("secret_key"),
+					"ExtraField":       []byte("extra_value"),
+				},
+			},
+			expected:   nil,
+			errChecker: NotNil,
+		},
+	}
+	for _, tc := range tcs {
+		creds, err := ExtractAWSCredentials(tc.secret)
+		c.Check(creds, DeepEquals, tc.expected)
+		c.Check(err, tc.errChecker)
+	}
+}

pkg/secrets/secrets_test.go

@@ -0,0 +1,9 @@
+package secrets
+
+import (
+	"testing"
+
+	. "gopkg.in/check.v1"
+)
+
+func Test(t *testing.T) { TestingT(t) }