/
sts.go
54 lines (43 loc) · 1.29 KB
/
sts.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
package common
import (
"encoding/xml"
"errors"
"net/url"
"time"
"github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/hakobe/paranoidhttp"
)
func STSGetIdentityURL(stsClient *sts.STS) (string, error) {
request, _ := stsClient.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})
return request.Presign(10)
}
func STSFetchIdentityURL(identityURL string, maxAge time.Duration) (*sts.GetCallerIdentityOutput, error) {
url, err := url.Parse(identityURL)
if err != nil {
return nil, err
}
query := url.Query()
date, err := time.Parse("20060102T150405Z", query.Get("X-Amz-Date"))
if err != nil {
return nil, err
}
if url.Host != "sts.amazonaws.com" || query.Get("Action") != "GetCallerIdentity" || url.Scheme != "https" {
return nil, errors.New("url is not a valid sts:GetCallerIdentity call")
}
if time.Now().UTC().Sub(date) > maxAge {
return nil, errors.New("url signature is too old")
}
res, err := paranoidhttp.DefaultClient.Get(identityURL)
if err != nil {
return nil, err
}
defer res.Body.Close()
decoder := xml.NewDecoder(res.Body)
identity := &sts.GetCallerIdentityOutput{}
err = xmlutil.UnmarshalXML(identity, decoder, "GetCallerIdentityResult")
if err != nil {
return nil, err
}
return identity, nil
}