Add ArnLike wildcard support

.gitignore

@@ -1,3 +1,5 @@
+aws-iam-authenticator
+
 /dist
 /_output
 

cmd/aws-iam-authenticator/root.go

@@ -107,6 +107,9 @@ func getConfig() (config.Config, error) {
 	if err := viper.UnmarshalKey("server.mapUsers", &cfg.UserMappings); err != nil {
 		logrus.WithError(err).Fatal("invalid server user mappings")
 	}
+	if err := viper.UnmarshalKey("server.mapARNLikes", &cfg.ARNLikeMappings); err != nil {
+		logrus.WithError(err).Fatal("invalid server user mappings")
+	}
 	if err := viper.UnmarshalKey("server.mapAccounts", &cfg.AutoMappedAWSAccounts); err != nil {
 		logrus.WithError(err).Fatal("invalid server account mappings")
 	}

go.mod

@@ -5,6 +5,7 @@ go 1.16
 require (
 	github.com/aws/aws-sdk-go v1.38.49
 	github.com/gofrs/flock v0.7.0
+	github.com/logandavies181/arnlike v1.0.0
 	github.com/manifoldco/promptui v0.8.0
 	github.com/prometheus/client_golang v1.11.0
 	github.com/sirupsen/logrus v1.8.1

go.sum

@@ -145,6 +145,8 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh
 github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gofrs/flock v0.7.0 h1:pGFUjl501gafK9HBt1VGL1KCOd/YhIooID+xgyJCf3g=
 github.com/gofrs/flock v0.7.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -278,6 +280,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/logandavies181/arnlike v1.0.0 h1:mUsxauiVvX5VRh1jpvosbsKgWrIQxpPlUklZKV491BQ=
+github.com/logandavies181/arnlike v1.0.0/go.mod h1:HUt6lX41r8Co5e1TUCvU8y3MYohVm3Hr8PwwbJ9EIdU=
 github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a h1:weJVJJRzAJBFRlAiJQROKQs8oC9vOxvm4rZmBBk0ONw=
 github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=

pkg/config/types.go

@@ -68,6 +68,21 @@ type UserMapping struct {
 	Groups []string `json:"groups"`
 }
 
+// ARNLikeMapping is a dynamic mapping of a matching AWS IAM ARNs to a
+// Kubernetes username and a list of Kubernetes groups
+type ARNLikeMapping struct {
+	// ARNLike is a string used to match AWS ARNs with globs. (e.g., "arn:aws:iam::000000000000:role/Kubernetes*")
+	ARNLike string `json:"arnLike"`
+
+	// Username is the username pattern that principals matching this
+	// string will have in Kubernetes.
+	Username string `json:"username"`
+
+	// Groups is a list of Kubernetes groups principals matching this string will
+	// authenticate as (e.g., `system:masters`)
+	Groups []string `json:"groups"`
+}
+
 // Config specifies the configuration for a aws-iam-authenticator server
 type Config struct {
 	// PartitionID is the AWS partition tokens are valid in. See
@@ -108,6 +123,10 @@ type Config struct {
 	// Kubernetes username + groups.
 	UserMappings []UserMapping
 
+	// ARNLikeMappings is a list of mappings from AWS principals that match an
+	// ARNLike string to Kubernetes username + groups.
+	ARNLikeMappings []ARNLikeMapping
+
 	// AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping.
 	// IAM ARN from these accounts automatically maps to the Kubernetes username.
 	AutoMappedAWSAccounts []string

pkg/mapper/configmap/client/client.go

@@ -47,17 +47,24 @@ func (cli *client) AddRole(role *config.RoleMapping) (*core_v1.ConfigMap, error)
 	if role == nil {
 		return nil, errors.New("empty role")
 	}
-	return cli.add(role, nil)
+	return cli.add(role, nil, nil)
 }
 
 func (cli *client) AddUser(user *config.UserMapping) (*core_v1.ConfigMap, error) {
 	if user == nil {
 		return nil, errors.New("empty user")
 	}
-	return cli.add(nil, user)
+	return cli.add(nil, user, nil)
 }
 
-func (cli *client) add(role *config.RoleMapping, user *config.UserMapping) (cm *core_v1.ConfigMap, err error) {
+func (cli *client) AddARNLikeMapping(arnLikeMapping *config.ARNLikeMapping) (*core_v1.ConfigMap, error) {
+	if arnLikeMapping == nil {
+		return nil, errors.New("empty arnLikeMapping")
+	}
+	return cli.add(nil, nil, arnLikeMapping)
+}
+
+func (cli *client) add(role *config.RoleMapping, user *config.UserMapping, arnLikeMapping *config.ARNLikeMapping) (cm *core_v1.ConfigMap, err error) {
 	if role == nil && user == nil {
 		return nil, errors.New("empty role/user")
 	}
@@ -72,7 +79,7 @@ func (cli *client) add(role *config.RoleMapping, user *config.UserMapping) (cm *
 
 		data := cm.Data
 
-		userMappings, roleMappings, awsAccounts, err := configmap.ParseMap(data)
+		userMappings, roleMappings, arnLikeMappings, awsAccounts, err := configmap.ParseMap(data)
 		if err != nil {
 			return fmt.Errorf("failed to parse configmap %v", err)
 		}
@@ -95,6 +102,16 @@ func (cli *client) add(role *config.RoleMapping, user *config.UserMapping) (cm *
 			userMappings = append(userMappings, *user)
 		}
 
+		if arnLikeMapping != nil {
+			for _, a := range arnLikeMappings {
+				if a.ARNLike == arnLikeMapping.ARNLike {
+					return fmt.Errorf("cannot add duplicate ARN mapping pattern %q", arnLikeMapping.ARNLike)
+				}
+			}
+			roleMappings = append(roleMappings, *role)
+
+		}
+
 		data, err = configmap.EncodeMap(userMappings, roleMappings, awsAccounts)
 		if err != nil {
 			return err

pkg/mapper/configmap/client/client_test.go

@@ -23,7 +23,7 @@ func TestAddUser(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	u, _, _, err := configmap.ParseMap(cm.Data)
+	u, _, _, _, err := configmap.ParseMap(cm.Data)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -50,7 +50,7 @@ func TestAddRole(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, r, _, err := configmap.ParseMap(cm.Data)
+	_, r, _, _, err := configmap.ParseMap(cm.Data)
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/mapper/configmap/configmap.go

@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/logandavies181/arnlike"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
 	core_v1 "k8s.io/api/core/v1"
@@ -25,9 +26,10 @@ import (
 )
 
 type MapStore struct {
-	mutex sync.RWMutex
-	users map[string]config.UserMapping
-	roles map[string]config.RoleMapping
+	mutex           sync.RWMutex
+	users           map[string]config.UserMapping
+	roles           map[string]config.RoleMapping
+	arnLikeMappings []config.ARNLikeMapping
 	// Used as set.
 	awsAccounts map[string]interface{}
 	configMap   v1.ConfigMapInterface
@@ -78,20 +80,21 @@ func (ms *MapStore) startLoadConfigMap(stopCh <-chan struct{}) {
 						logrus.Info("Resetting configmap on delete")
 						userMappings := make([]config.UserMapping, 0)
 						roleMappings := make([]config.RoleMapping, 0)
+						arnLikeMappings := make([]config.ARNLikeMapping, 0)
 						awsAccounts := make([]string, 0)
-						ms.saveMap(userMappings, roleMappings, awsAccounts)
+						ms.saveMap(userMappings, roleMappings, arnLikeMappings, awsAccounts)
 					case watch.Added, watch.Modified:
 						switch cm := r.Object.(type) {
 						case *core_v1.ConfigMap:
 							if cm.Name != "aws-auth" {
 								break
 							}
 							logrus.Info("Received aws-auth watch event")
-							userMappings, roleMappings, awsAccounts, err := ParseMap(cm.Data)
+							userMappings, roleMappings, arnLikeMappings, awsAccounts, err := ParseMap(cm.Data)
 							if err != nil {
 								logrus.Errorf("There was an error parsing the config maps.  Only saving data that was good, %+v", err)
 							}
-							ms.saveMap(userMappings, roleMappings, awsAccounts)
+							ms.saveMap(userMappings, roleMappings, arnLikeMappings, awsAccounts)
 							if err != nil {
 								logrus.Error(err)
 							}
@@ -113,7 +116,7 @@ func (err ErrParsingMap) Error() string {
 	return fmt.Sprintf("error parsing config map: %v", err.errors)
 }
 
-func ParseMap(m map[string]string) (userMappings []config.UserMapping, roleMappings []config.RoleMapping, awsAccounts []string, err error) {
+func ParseMap(m map[string]string) (userMappings []config.UserMapping, roleMappings []config.RoleMapping, arnLikeMappings []config.ARNLikeMapping, awsAccounts []string, err error) {
 	errs := make([]error, 0)
 	userMappings = make([]config.UserMapping, 0)
 	if userData, ok := m["mapUsers"]; ok {
@@ -141,6 +144,19 @@ func ParseMap(m map[string]string) (userMappings []config.UserMapping, roleMappi
 		}
 	}
 
+	arnLikeMappings = make([]config.ARNLikeMapping, 0)
+	if arnLikeData, ok := m["mapARNLikes"]; ok {
+		arnLikeJson, err := utilyaml.ToJSON([]byte(arnLikeData))
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			err = json.Unmarshal(arnLikeJson, &arnLikeMappings)
+			if err != nil {
+				errs = append(errs, err)
+			}
+		}
+	}
+
 	awsAccounts = make([]string, 0)
 	if accountsData, ok := m["mapAccounts"]; ok {
 		err := yaml.Unmarshal([]byte(accountsData), &awsAccounts)
@@ -153,7 +169,7 @@ func ParseMap(m map[string]string) (userMappings []config.UserMapping, roleMappi
 		logrus.Warnf("Errors parsing configmap: %+v", errs)
 		err = ErrParsingMap{errors: errs}
 	}
-	return userMappings, roleMappings, awsAccounts, err
+	return userMappings, roleMappings, arnLikeMappings, awsAccounts, err
 }
 
 func EncodeMap(userMappings []config.UserMapping, roleMappings []config.RoleMapping, awsAccounts []string) (m map[string]string, err error) {
@@ -186,11 +202,12 @@ func EncodeMap(userMappings []config.UserMapping, roleMappings []config.RoleMapp
 	return m, nil
 }
 
-func (ms *MapStore) saveMap(userMappings []config.UserMapping, roleMappings []config.RoleMapping, awsAccounts []string) {
+func (ms *MapStore) saveMap(userMappings []config.UserMapping, roleMappings []config.RoleMapping, arnLikeMappings []config.ARNLikeMapping, awsAccounts []string) {
 	ms.mutex.Lock()
 	defer ms.mutex.Unlock()
 	ms.users = make(map[string]config.UserMapping)
 	ms.roles = make(map[string]config.RoleMapping)
+	ms.arnLikeMappings = arnLikeMappings
 	ms.awsAccounts = make(map[string]interface{})
 
 	for _, user := range userMappings {
@@ -210,6 +227,9 @@ var UserNotFound = errors.New("User not found in configmap")
 // RoleNotFound is the error returned when the role is not found in the config map.
 var RoleNotFound = errors.New("Role not found in configmap")
 
+// ARNNotMatched is the error returned when the role is not found in the config map.
+var ARNNotMatched = errors.New("ARN not matched in configmap")
+
 func (ms *MapStore) UserMapping(arn string) (config.UserMapping, error) {
 	ms.mutex.RLock()
 	defer ms.mutex.RUnlock()
@@ -230,6 +250,24 @@ func (ms *MapStore) RoleMapping(arn string) (config.RoleMapping, error) {
 	}
 }
 
+func (ms *MapStore) ARNLikeMapping(arn string) (config.ARNLikeMapping, error) {
+	ms.mutex.RLock()
+	defer ms.mutex.RUnlock()
+
+	for _, arnLikeMapping := range ms.arnLikeMappings {
+		matched, err := arnlike.ArnLike(arn, arnLikeMapping.ARNLike)
+		if err != nil {
+			return config.ARNLikeMapping{}, err
+		}
+
+		if matched {
+			return arnLikeMapping, nil
+		}
+	}
+
+	return config.ARNLikeMapping{}, ARNNotMatched
+}
+
 func (ms *MapStore) AWSAccount(id string) bool {
 	ms.mutex.RLock()
 	defer ms.mutex.RUnlock()

pkg/mapper/configmap/configmap_test.go

@@ -266,7 +266,7 @@ func TestParseMap(t *testing.T) {
 	}
 	accounts := []string{}
 
-	u, r, a, err := ParseMap(m1)
+	u, r, _, a, err := ParseMap(m1)
 	if err != nil {
 		t.Fatal(err)
 	}

pkg/mapper/configmap/mapper.go

@@ -53,6 +53,15 @@ func (m *ConfigMapMapper) Map(canonicalARN string) (*config.IdentityMapping, err
 		}, nil
 	}
 
+	alm, err := m.ARNLikeMapping(canonicalARN)
+	if err == nil {
+		return &config.IdentityMapping{
+			IdentityARN: canonicalARN,
+			Username:    alm.Username,
+			Groups:      alm.Groups,
+		}, nil
+	}
+
 	return nil, mapper.ErrNotMapped
 }
 

pkg/mapper/crd/apis/iamauthenticator/v1alpha1/types.go

@@ -35,9 +35,10 @@ type IAMIdentityMapping struct {
 
 // IAMIdentityMappingSpec is the spec for a IAMIdentityMapping resource
 type IAMIdentityMappingSpec struct {
-	ARN      string   `json:"arn"`
-	Username string   `json:"username"`
-	Groups   []string `json:"groups"`
+	ARN         string   `json:"arn"`
+	Username    string   `json:"username"`
+	ARNPatterns string   `json:"arnPatterns"`
+	Groups      []string `json:"groups"`
 }
 
 // IAMIdentityMappingStatus is the status for a IAMIdentityMapping resource

pkg/mapper/file/mapper.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/logandavies181/arnlike"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/mapper"
@@ -12,6 +13,7 @@ import (
 type FileMapper struct {
 	lowercaseRoleMap map[string]config.RoleMapping
 	lowercaseUserMap map[string]config.UserMapping
+	arnLikeList      []config.ARNLikeMapping
 	accountMap       map[string]bool
 }
 
@@ -38,6 +40,14 @@ func NewFileMapper(cfg config.Config) (*FileMapper, error) {
 		}
 		fileMapper.lowercaseUserMap[canonicalizedARN] = m
 	}
+	for _, m := range cfg.ARNLikeMappings {
+		// TODO: canonicalize or validate the ARNLike strings
+		if fileMapper.arnLikeList == nil {
+			fileMapper.arnLikeList = []config.ARNLikeMapping{m}
+		} else {
+			fileMapper.arnLikeList = append(fileMapper.arnLikeList, m)
+		}
+	}
 	for _, m := range cfg.AutoMappedAWSAccounts {
 		fileMapper.accountMap[m] = true
 	}
@@ -83,6 +93,22 @@ func (m *FileMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
 		}, nil
 	}
 
+	for _, arnLikeMapping := range m.arnLikeList {
+		//g := glob.MustCompile(arnLikeMapping.ARNLike)
+		matched, err := arnlike.ArnLike(canonicalARN, arnLikeMapping.ARNLike)
+		if err != nil {
+			return nil, err
+		}
+
+		if matched {
+			return &config.IdentityMapping{
+				IdentityARN: canonicalARN,
+				Username:    arnLikeMapping.Username,
+				Groups:      arnLikeMapping.Groups,
+			}, nil
+		}
+	}
+
 	return nil, mapper.ErrNotMapped
 }