/
tools.go
83 lines (70 loc) · 2.75 KB
/
tools.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package tools
import (
"encoding/base64"
"encoding/json"
"errors"
"net/http"
"net/url"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth"
"github.com/aliyun/alibaba-cloud-sdk-go/services/sts"
)
// Generates the necessary data to send to the Vault server for generating a token.
// This is useful for other API clients to use.
// If "" is passed in for accessKeyID, accessKeySecret, and securityToken,
// attempts to use credentials set as env vars or available through instance metadata.
func GenerateLoginData(role string, creds auth.Credential, region string) (map[string]interface{}, error) {
config := sdk.NewConfig()
// This call always must be https but the config doesn't default to that.
config.Scheme = "https"
// Prepare to record the request using a proxy that will capture it and throw an error so it's not executed.
capturer := &RequestCapturer{}
transport := &http.Transport{}
transport.Proxy = capturer.Proxy
config.HttpTransport = transport
client, err := sts.NewClientWithOptions(region, config, creds)
if err != nil {
return nil, err
}
// This method returns a response and an error. We're ignoring both because the response
// will always be nil here, and the error will always be the error thrown by the Proxy
// method below. We don't care about either of them, we just care about firing the request
// so we can capture it on the way out and retrieve it for further use.
client.GetCallerIdentity(sts.CreateGetCallerIdentityRequest())
getCallerIdentityRequest, err := capturer.GetCapturedRequest()
if err != nil {
return nil, err
}
u := base64.StdEncoding.EncodeToString([]byte(getCallerIdentityRequest.URL.String()))
b, err := json.Marshal(getCallerIdentityRequest.Header)
if err != nil {
return nil, err
}
headers := base64.StdEncoding.EncodeToString(b)
return map[string]interface{}{
"role": role,
"identity_request_url": u,
"identity_request_headers": headers,
}, nil
}
/*
RequestCapturer fulfills the Proxy method of http.Transport, so can be used to replace
the Proxy method on any transport method to simply capture the request.
Its Proxy method always returns an error so the request won't actually be fired.
This is useful for quickly finding out what final request a client is sending.
*/
type RequestCapturer struct {
request *http.Request
}
func (r *RequestCapturer) Proxy(req *http.Request) (*url.URL, error) {
r.request = req
return nil, errors.New("throwing an error so we won't actually execute the request")
}
func (r *RequestCapturer) GetCapturedRequest() (*http.Request, error) {
if r.request == nil {
return nil, errors.New("no request captured")
}
return r.request, nil
}