-
Notifications
You must be signed in to change notification settings - Fork 272
/
oidc.go
127 lines (103 loc) Β· 3.89 KB
/
oidc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
package e2e
import (
"fmt"
"path/filepath"
"regexp"
"github.com/go-logr/logr"
"github.com/aws/eks-anywhere/internal/pkg/oidc"
"github.com/aws/eks-anywhere/internal/pkg/s3"
"github.com/aws/eks-anywhere/internal/pkg/ssm"
e2etests "github.com/aws/eks-anywhere/test/framework"
)
const (
openIDConfPath = "oidc/.well-known/openid-configuration"
keysPath = "oidc/keys.json"
saSignerPath = "oidc/sa-signer.key"
)
func (e *E2ESession) setupOIDC(testRegex string) error {
re := regexp.MustCompile(`^.*OIDC.*$`)
if !re.MatchString(testRegex) {
e.logger.V(2).Info("Not running OIDC tests, skipping setup")
return nil
}
e.logger.V(2).Info("Creating OIDC server for the instance.")
folder := fmt.Sprintf("%s/%s", e.jobId, "generated-artifacts")
bucketUrl := s3.GetBucketPublicURL(e.session, e.storageBucket)
issuerURL := fmt.Sprintf("%s/%s/%s", bucketUrl, folder, "oidc")
e.logger.V(1).Info("OIDC test found. Checking if OIDC folder present in bucket")
oidcPresent, err := s3.ObjectPresent(e.session, filepath.Join(folder, keysPath), e.storageBucket)
if err != nil {
return fmt.Errorf("checking if oidc is present in bucket: %v", err)
}
if !oidcPresent {
e.logger.V(1).Info("OIDC not present in bucket, creating necessary files")
err = e.createOIDCFiles(issuerURL, folder)
if err != nil {
return err
}
} else {
e.logger.V(1).Info("OIDC already present in bucket, skipping setup")
}
e.logger.V(1).Info("Getting key id from s3 bucket")
keyID, err := e.getKeyID(folder)
if err != nil {
return err
}
keyPath, err := e.downloadSignerKeyInInstance(folder)
if err != nil {
return err
}
e.testEnvVars[e2etests.OIDCIssuerUrlVar] = issuerURL
e.testEnvVars[e2etests.OIDCClientIdVar] = keyID
e.testEnvVars[e2etests.OIDCKidVar] = keyID
e.testEnvVars[e2etests.OIDCKeyFileVar] = keyPath
return nil
}
func (e *E2ESession) createOIDCFiles(issuerURL, folder string) error {
provider, err := oidc.GenerateMinimalProvider(issuerURL)
if err != nil {
return fmt.Errorf("setting up generating oidc provider for s3: %v", err)
}
e.logger.V(2).Info("Uploading OIDC discovery file to S3")
discoveryKey := filepath.Join(folder, openIDConfPath)
err = s3.Upload(e.session, provider.Discovery, discoveryKey, e.storageBucket, s3.WithPublicRead())
if err != nil {
return fmt.Errorf("uploading oidc openid-configuration to s3: %v", err)
}
e.logger.V(2).Info("Uploading OIDC keys file to S3")
keysKey := filepath.Join(folder, keysPath)
err = s3.Upload(e.session, provider.Keys, keysKey, e.storageBucket, s3.WithPublicRead())
if err != nil {
return fmt.Errorf("uploading oidc keys.json to s3: %v", err)
}
e.logger.V(2).Info("Uploading OIDC signer key to S3")
saSignerKey := filepath.Join(folder, saSignerPath)
err = s3.Upload(e.session, provider.PrivateKey, saSignerKey, e.storageBucket)
if err != nil {
return fmt.Errorf("uploading oidc sa-signer.key to s3: %v", err)
}
return nil
}
func (e *E2ESession) getKeyID(folder string) (string, error) {
keysKey := filepath.Join(folder, keysPath)
e.logger.V(2).Info("Downloading keys.json file from s3")
keysBytes, err := s3.Download(e.session, keysKey, e.storageBucket)
if err != nil {
return "", fmt.Errorf("downloading keys.json to get kid: %v", err)
}
keyID, err := oidc.GetKeyID(keysBytes)
if err != nil {
return "", fmt.Errorf("getting kid from s3: %v", err)
}
return keyID, nil
}
func (e *E2ESession) downloadSignerKeyInInstance(folder string) (pathInInstance string, err error) {
saSignerKey := filepath.Join(folder, saSignerPath)
e.logger.V(1).Info("Downloading from s3 in instance", "key", saSignerKey)
command := fmt.Sprintf("aws s3 cp s3://%s/%s ./%s", e.storageBucket, saSignerKey, saSignerPath)
if err = ssm.Run(e.session, logr.Discard(), e.instanceId, command); err != nil {
return "", fmt.Errorf("downloading signer key in instance: %v", err)
}
e.logger.V(1).Info("Successfully downloaded signer key")
return saSignerPath, nil
}