package maws
import (
"strings"
"github.com/aws/aws-sdk-go-v2/aws/arn"
"github.com/kayac/go-config"
"github.com/pkg/errors"
)
// DefaultAllowedCommandPrefixes is the allowlist applied by restrictCommand
// when the config file sets no allowed_command_prefixes. The three prefixes
// cover the AWS CLI's read-style operation names (list-*, get-*, describe-*).
//
// NOTE(review): a name-prefix allowlist is coarse — some get-* operations
// return credentials or secret material (for example sts get-session-token
// or secretsmanager get-secret-value), so the assumed roles should still
// carry least-privilege IAM policies rather than relying on this list alone.
var DefaultAllowedCommandPrefixes = []string{"list-", "get-", "describe-"}
// Config is the YAML-backed configuration loaded and validated by LoadConfig.
type Config struct {
	// Roles lists the IAM role ARNs accepted by LoadConfig; an entry whose
	// service is not "iam" or whose resource does not start with "role/"
	// is rejected there.
	Roles []string `yaml:"roles"`
	// AllowedCommandPrefixes are the operation-name prefixes (e.g. "get-")
	// that restrictCommand permits. When the file leaves it empty,
	// LoadConfig substitutes DefaultAllowedCommandPrefixes.
	AllowedCommandPrefixes []string `yaml:"allowed_command_prefixes"`
}
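// LoadConfig reads the YAML configuration at filename and validates it.
// The file is loaded through config.LoadWithEnv, so environment references
// in it are expanded at load time (confirm the exact syntax with that
// package before relying on it in a security-sensitive deployment).
//
// Validation performed here:
//   - every entry of Roles must parse as an ARN whose service is "iam" and
//     whose resource starts with "role/";
//   - no entry of AllowedCommandPrefixes may be the empty string, because
//     strings.HasPrefix(op, "") is true for every op and a single empty
//     prefix would silently turn restrictCommand's allowlist into allow-all.
//
// When the file sets no allowed_command_prefixes, a private copy of
// DefaultAllowedCommandPrefixes is installed so later appends to either
// slice cannot alias the other.
//
// Returns the parsed config, or a non-nil error describing the first
// problem found; the *Config is nil on error.
func LoadConfig(filename string) (*Config, error) {
	var c Config
	if err := config.LoadWithEnv(&c, filename); err != nil {
		return nil, errors.Wrap(err, "failed to load config file")
	}
	// validate roles: only IAM role ARNs may be assumed
	for _, role := range c.Roles {
		an, err := arn.Parse(role)
		if err != nil {
			// keep the parser's reason; it says which ARN component is malformed
			return nil, errors.Wrapf(err, "invalid ARN %s", role)
		}
		if an.Service != "iam" || !strings.HasPrefix(an.Resource, "role/") {
			return nil, errors.Errorf("not a IAM role ARN %s", role)
		}
	}
	// validate prefixes: "" matches every operation name, which would
	// disable the command restriction while looking like a configured list
	for i, prefix := range c.AllowedCommandPrefixes {
		if prefix == "" {
			return nil, errors.Errorf("allowed_command_prefixes[%d] is empty", i)
		}
	}
	if len(c.AllowedCommandPrefixes) == 0 {
		c.AllowedCommandPrefixes = append([]string(nil), DefaultAllowedCommandPrefixes...)
	}
	return &c, nil
}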
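// restrictCommand decides whether the aws invocation in commands may run.
//
// commands is the argument vector that follows `maws --`, e.g. for
// `maws -- sts get-caller-identity`:
//   commands[0] == "sts"                 (service)
//   commands[1] == "get-caller-identity" (operation)
//
// The operation is allowed when it starts with any entry of
// c.AllowedCommandPrefixes; nothing after commands[1] is inspected.
//
// Two fail-closed guards protect the positional assumption above:
//   - commands[0] must not look like an option ("-..."): a leading global
//     option such as `--profile get-x ec2 ...` would shift its VALUE into
//     commands[1], where a value that happens to start with an allowed
//     prefix would pass the check while the real operation runs unchecked;
//   - an empty prefix is skipped, since strings.HasPrefix(op, "") is true
//     for every op and would otherwise disable the allowlist (LoadConfig
//     also rejects such a prefix, this is defense in depth).
//
// Returns nil when the command is permitted, otherwise an error naming the
// rejected command and the configured prefixes. Fewer than two elements is
// always an error.
func (c *Config) restrictCommand(commands []string) error {
	if len(commands) < 2 {
		return errors.New("insufficient commands")
	}
	service, op := commands[0], commands[1]
	if strings.HasPrefix(service, "-") {
		return errors.Errorf("%s is not a service name; pass the service and operation first", service)
	}
	for _, prefix := range c.AllowedCommandPrefixes {
		if prefix == "" {
			continue // would match everything; treat as misconfiguration
		}
		if strings.HasPrefix(op, prefix) {
			return nil
		}
	}
	return errors.Errorf(
		"%s %s is restricted. allowed command prefixes are %v",
		service,
		op,
		c.AllowedCommandPrefixes,
	)
}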