package file
import (
"fmt"
"strings"
"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
"sigs.k8s.io/aws-iam-authenticator/pkg/config"
"sigs.k8s.io/aws-iam-authenticator/pkg/mapper"
)
// FileMapper resolves canonical IAM ARNs to Kubernetes identities using
// mappings loaded from a static configuration file.
//
// The role and user maps are keyed by the lowercased, canonicalized ARN, so
// Map matches case-insensitively. NewFileMapper assigns into these maps
// without checking for an existing key, so two config entries that collapse
// to the same key silently overwrite each other (the last one wins).
type FileMapper struct {
	// lowercaseRoleMap maps a lowercased canonical role ARN to its RoleMapping.
	lowercaseRoleMap map[string]config.RoleMapping
	// lowercaseUserMap maps a lowercased canonical user ARN to its UserMapping.
	lowercaseUserMap map[string]config.UserMapping
	// accountMap holds the AWS account IDs listed in AutoMappedAWSAccounts;
	// a present key with value true means the account is allowed.
	accountMap map[string]bool
}
// Compile-time check that *FileMapper satisfies mapper.Mapper; a nil
// pointer conversion avoids allocating anything at package init.
var _ mapper.Mapper = (*FileMapper)(nil)
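// NewFileMapper builds a FileMapper from cfg.
//
// Every RoleMapping.RoleARN and UserMapping.UserARN is lowercased and then
// canonicalized before it is used as a lookup key, so Map matches
// case-insensitively. Entries that collapse to the same key overwrite each
// other; the last one in cfg wins. AutoMappedAWSAccounts are recorded
// verbatim for IsAccountAllowed.
//
// Returns an error, wrapping the arn.Canonicalize failure and naming the
// offending ARN, when any mapped ARN cannot be canonicalized; no partially
// built mapper is returned in that case.
func NewFileMapper(cfg config.Config) (*FileMapper, error) {
	fileMapper := &FileMapper{
		lowercaseRoleMap: make(map[string]config.RoleMapping, len(cfg.RoleMappings)),
		lowercaseUserMap: make(map[string]config.UserMapping, len(cfg.UserMappings)),
		accountMap:       make(map[string]bool, len(cfg.AutoMappedAWSAccounts)),
	}

	for _, m := range cfg.RoleMappings {
		key, err := lowercaseCanonicalARN(m.RoleARN)
		if err != nil {
			return nil, err
		}
		fileMapper.lowercaseRoleMap[key] = m
	}

	for _, m := range cfg.UserMappings {
		key, err := lowercaseCanonicalARN(m.UserARN)
		if err != nil {
			return nil, err
		}
		fileMapper.lowercaseUserMap[key] = m
	}

	for _, account := range cfg.AutoMappedAWSAccounts {
		fileMapper.accountMap[account] = true
	}

	return fileMapper, nil
}

// lowercaseCanonicalARN returns the map key for rawARN: the ARN lowercased
// and then passed through arn.Canonicalize. The error wraps the
// canonicalization failure with %w so callers can inspect the cause.
func lowercaseCanonicalARN(rawARN string) (string, error) {
	key, err := arn.Canonicalize(strings.ToLower(rawARN))
	if err != nil {
		return "", fmt.Errorf("error canonicalizing ARN %q: %w", rawARN, err)
	}
	return key, nil
}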
// NewFileMapperWithMaps wraps already-built lookup maps in a FileMapper.
//
// The maps are stored by reference, not cloned, so any later change the
// caller makes to them is visible to Map and IsAccountAllowed. Keys of
// lowercaseRoleMap and lowercaseUserMap are expected to be lowercased
// canonical ARNs, the same form NewFileMapper produces; nothing here
// normalizes them.
func NewFileMapperWithMaps(
	lowercaseRoleMap map[string]config.RoleMapping,
	lowercaseUserMap map[string]config.UserMapping,
	accountMap map[string]bool) *FileMapper {
	fm := new(FileMapper)
	fm.lowercaseRoleMap = lowercaseRoleMap
	fm.lowercaseUserMap = lowercaseUserMap
	fm.accountMap = accountMap
	return fm
}
// Name reports the mapper mode this implementation serves, which is the
// mounted-file mode constant from the mapper package.
func (m *FileMapper) Name() string {
	mode := mapper.ModeMountedFile
	return mode
}
// Start satisfies mapper.Mapper. A FileMapper has no background work and
// never re-reads its configuration, so the stop channel is ignored and the
// result is always nil.
func (m *FileMapper) Start(_ <-chan struct{}) error {
	var err error // nothing to start, nothing can fail
	return err
}
// Map resolves canonicalARN to its configured IdentityMapping.
//
// canonicalARN is lowercased first, so the match is case-insensitive, and
// the returned IdentityARN is that lowercased form rather than the caller's
// original string. The role map is consulted before the user map, so a key
// present in both resolves to the role entry. Returns mapper.ErrNotMapped
// when neither map has an entry.
func (m *FileMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
	key := strings.ToLower(canonicalARN)

	roleMapping, isRole := m.lowercaseRoleMap[key]
	userMapping, isUser := m.lowercaseUserMap[key]

	switch {
	case isRole:
		identity := &config.IdentityMapping{IdentityARN: key}
		identity.Username = roleMapping.Username
		identity.Groups = roleMapping.Groups
		return identity, nil
	case isUser:
		identity := &config.IdentityMapping{IdentityARN: key}
		identity.Username = userMapping.Username
		identity.Groups = userMapping.Groups
		return identity, nil
	default:
		return nil, mapper.ErrNotMapped
	}
}
// IsAccountAllowed reports whether accountID was listed in
// AutoMappedAWSAccounts. The lookup is exact: accountID is not trimmed or
// otherwise normalized, and an unknown ID yields false.
func (m *FileMapper) IsAccountAllowed(accountID string) bool {
	allowed, present := m.accountMap[accountID]
	return present && allowed
}