/
oidc_roles.go
122 lines (107 loc) · 2.89 KB
/
oidc_roles.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package aws_config_server
import (
"context"
"net/url"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/iam/iamiface"
"github.com/chanzuckerberg/aws-oidc/pkg/okta"
"github.com/honeycombio/beeline-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
type oidcFederatedRoles struct {
roles map[okta.ClientID][]accountAndRole
}
func (o *oidcFederatedRoles) Add(clientID okta.ClientID, accountAndRoles ...accountAndRole) {
if o.roles == nil {
o.roles = map[okta.ClientID][]accountAndRole{}
}
existing, ok := o.roles[clientID]
if !ok {
o.roles[clientID] = accountAndRoles
return
}
o.roles[clientID] = append(existing, accountAndRoles...)
}
func (o *oidcFederatedRoles) Merge(others ...oidcFederatedRoles) {
for _, other := range others {
for clientID, accountAndRoles := range other.roles {
o.Add(clientID, accountAndRoles...)
}
}
}
func getOIDCFederatedRoles(
ctx context.Context,
oidcProvider string,
accountAndRoles []accountAndRole,
) (*oidcFederatedRoles, error) {
oidcFederatedRoles := &oidcFederatedRoles{}
identityProviderURL, err := url.Parse(oidcProvider)
if err != nil {
return nil, errors.Wrap(err, "Failed to parse OIDC Provider input as an URL")
}
oidcProviderHostname := identityProviderURL.Hostname()
for _, ar := range accountAndRoles {
role := ar.Role
if role == nil {
logrus.Debug("nil role")
continue
}
if role.AssumeRolePolicyDocument == nil {
continue // role doesn't have an assume role policy document
}
policyDoc, err := NewPolicyDocument(*role.AssumeRolePolicyDocument)
if err != nil {
return nil, err
}
for _, statement := range policyDoc.Statements {
clientIDs := statement.GetFederatedClientIDs(oidcProviderHostname)
for _, clientID := range clientIDs {
oidcFederatedRoles.Add(clientID, ar)
}
}
}
return oidcFederatedRoles, nil
}
func shouldSkipTags(tags []*iam.Tag) bool {
for _, tag := range tags {
if tag != nil && tag.Key != nil && *tag.Key == skipRolesTagKey {
return true
}
}
return false
}
// We can skip over roles with specific tags
func filterOIDCFederatedRoles(
ctx context.Context,
svc iamiface.IAMAPI,
federatedRoles *oidcFederatedRoles,
) (*oidcFederatedRoles, error) {
ctx, span := beeline.StartSpan(ctx, "filtering AWS roles")
defer span.Send()
filtered := &oidcFederatedRoles{}
for clientID, accountAndRoles := range federatedRoles.roles {
for _, accountAndRole := range accountAndRoles {
skip, err := skipOIDCFederatedRole(ctx, svc, accountAndRole)
if err != nil {
return nil, err
}
if skip {
continue
}
filtered.Add(clientID, accountAndRole)
}
}
return filtered, nil
}
func skipOIDCFederatedRole(
ctx context.Context,
svc iamiface.IAMAPI,
accountAndRole accountAndRole,
) (bool, error) {
tags, err := listRoleTags(ctx, svc, accountAndRole.Role.RoleName)
if err != nil {
return true, err
}
return shouldSkipTags(tags), nil
}