AWS SSM (#1)

s12v · Dec 9, 2018 · 9d6c310 · 9d6c310
1 parent 234b976
commit 9d6c310
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 3 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Makefile b/Makefile
@@ -8,10 +8,10 @@ clean:
 	rm ./secure-exec || true
 
 test:
-	go test -v -tags awskms ./... -coverprofile=coverage.txt -covermode=atomic
+	go test -v -tags "awskms awsssm" ./... -coverprofile=coverage.txt -covermode=atomic
 
 build:
-	GOOS=linux GOARCH=amd64 go build -i -tags awskms -o secure-exec
+	GOOS=linux GOARCH=amd64 go build -i -tags 'awskms awsssm' -o secure-exec
 
 docker:
 	docker build -t secure-exec-example .
diff --git a/main.go b/main.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"github.com/s12v/secure-exec/provider"
 	_ "github.com/s12v/secure-exec/provider/awskms"
+	_ "github.com/s12v/secure-exec/provider/awsssm"
 	"os"
 	"syscall"
 )

diff --git a/provider/awsssm/awsssm.go b/provider/awsssm/awsssm.go
@@ -0,0 +1,57 @@
+// +build awsssm
+
+package awskms
+
+import (
+	"errors"
+	"fmt"
+	"github.com/aws/aws-sdk-go-v2/aws/external"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"github.com/s12v/secure-exec/provider"
+	"strings"
+)
+
+type SsmProvider struct {
+	awsSSmClient *ssm.SSM
+}
+
+const prefix = "{aws-ssm}"
+
+var fetch func (awsSsmClient *ssm.SSM, input *ssm.GetParameterInput) (*ssm.GetParameterOutput, error)
+
+func init() {
+	cfg, err := external.LoadDefaultAWSConfig()
+	if err != nil {
+		panic("unable to load AWS-SDK config, " + err.Error())
+	}
+
+	fetch = awsFetch
+	provider.Register(&SsmProvider{ssm.New(cfg)})
+}
+
+func awsFetch(awsSsmClient *ssm.SSM, input *ssm.GetParameterInput) (*ssm.GetParameterOutput, error) {
+	if resp, err := awsSsmClient.GetParameterRequest(input).Send(); err != nil {
+		return nil, errors.New(fmt.Sprintf("SSM error: %v", err))
+	} else {
+		return resp, nil
+	}
+}
+
+func (p *SsmProvider) Match(val string) bool {
+	return strings.HasPrefix(val, prefix) && len(val) > len(prefix)
+}
+
+func (p *SsmProvider) Decode(val string) (string, error) {
+	name := val[len(prefix):]
+	var withEncryption = true
+	input := &ssm.GetParameterInput{Name: &name, WithDecryption: &withEncryption}
+	if err := input.Validate(); err != nil {
+		return "", err
+	}
+
+	if output, err := fetch(p.awsSSmClient, input); err != nil {
+		return "", err
+	} else {
+		return *output.Parameter.Value, nil
+	}
+}
diff --git a/provider/awsssm/awsssm_test.go b/provider/awsssm/awsssm_test.go
@@ -0,0 +1,48 @@
+// +build awsssm
+
+package awskms
+
+import (
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"testing"
+)
+
+func TestSsmProvider_Match(t *testing.T) {
+	kmsProvider := SsmProvider{}
+
+	if kmsProvider.Match("{aws-ssm}something") != true {
+		t.Fatal("expected to match")
+	}
+
+	if kmsProvider.Match("https://example.com") != false {
+		t.Fatal("not expected to match")
+	}
+}
+
+func TestSsmProvider_Decode(t *testing.T) {
+	ssmProvider := SsmProvider{}
+
+	value := "boom"
+	fetch = func(awsSsmClient *ssm.SSM, input *ssm.GetParameterInput) (*ssm.GetParameterOutput, error) {
+		if *input.Name != "/foo/bar" {
+			t.Fatalf("unexpected name %v", input.Name)
+		}
+
+		return &ssm.GetParameterOutput{Parameter: &ssm.Parameter{Value: &value}}, nil
+	}
+
+	if r, _ := ssmProvider.Decode("{aws-ssm}/foo/bar"); r != "boom" {
+		t.Fatalf("unexpected plaintext %v", r)
+	}
+}
+
+func TestSsmProvider_DecodeInvalidInput(t *testing.T) {
+	ssmProvider := SsmProvider{}
+	r, err := ssmProvider.Decode("{aws-ssm}")
+	if err == nil {
+		t.Fatal("expected an error", r)
+	}
+	if r != "" {
+		t.Fatalf("unexpected result: '%v'", r)
+	}
+}
diff --git a/provider/awsssm/noop.go b/provider/awsssm/noop.go
@@ -0,0 +1,6 @@
+// +build !awsssm
+
+package awskms
+
+func init() {
+}