go/integration/awskms/aws_kms_client.go

// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package awskms

import (
	"encoding/csv"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/kms"
	"github.com/google/tink/go/core/registry"
	"github.com/google/tink/go/tink"
)

const (
	awsPrefix = "aws-kms://"
)

var (
	errCred    = errors.New("invalid credential path")
	errBadFile = errors.New("cannot open credential path")
	errCredCSV = errors.New("malformed credential csv file")
)

// AWSClient represents a client that connects to the AWS KMS backend.
type AWSClient struct {
	keyURI string
	kms    *kms.KMS
	region string
}

var _ registry.KMSClient = (*AWSClient)(nil)

// NewAWSClient returns a new client to AWS KMS. It does not have an established session.
func NewAWSClient(URI string) (*AWSClient, error) {
	if !strings.HasPrefix(strings.ToLower(URI), awsPrefix) {
		return nil, fmt.Errorf("key URI must start with %s", awsPrefix)
	}
	r, err := getRegion(URI)
	if err != nil {
		return nil, err
	}
	return &AWSClient{
		keyURI: URI,
		region: r,
	}, nil

}

// Supported true if this client does support keyURI
func (g *AWSClient) Supported(keyURI string) bool {
	if (len(g.keyURI) > 0) && (strings.Compare(strings.ToLower(g.keyURI), strings.ToLower(keyURI)) == 0) {
		return true
	}
	return ((len(g.keyURI) == 0) && (strings.HasPrefix(strings.ToLower(keyURI), awsPrefix)))
}

// LoadCredentials loads the credentials in credentialPath.
func (g *AWSClient) LoadCredentials(credentialPath string) (*AWSClient, error) {
	var creds *credentials.Credentials
	if len(credentialPath) <= 0 {
		return nil, errCred
	}
	c, err := extractCredsCSV(credentialPath)
	switch err {
	case nil:
		creds = credentials.NewStaticCredentialsFromCreds(*c)
	case errBadFile, errCredCSV:
		return nil, err
	default:
		// fallback to load the credential path as .ini shared credentials.
		creds = credentials.NewSharedCredentials(credentialPath, "default")
	}
	session := session.Must(session.NewSession(&aws.Config{
		Credentials: creds,
		Region:      aws.String(g.region),
	}))

	g.kms = kms.New(session)
	return g, nil
}

// LoadDefaultCredentials loads with the default credentials.
func (g *AWSClient) LoadDefaultCredentials() (*AWSClient, error) {
	session := session.Must(session.NewSession(&aws.Config{
		Region: aws.String(g.region),
	}))
	g.kms = kms.New(session)
	return g, nil
}

// WithCredentials retrieves credentials using a provider.
func (g *AWSClient) WithCredentials(p *credentials.Credentials) (*AWSClient, error) {
	session := session.Must(session.NewSession(&aws.Config{
		Region:      aws.String(g.region),
		Credentials: p,
	}))
	g.kms = kms.New(session)
	return g, nil
}

// GetAEAD gets an AEAD backend by keyURI.
func (g *AWSClient) GetAEAD(keyURI string) (tink.AEAD, error) {
	if len(g.keyURI) > 0 && strings.Compare(strings.ToLower(g.keyURI), strings.ToLower(keyURI)) != 0 {
		return nil, fmt.Errorf("this client is bound to %s, cannot load keys bound to %s", g.keyURI, keyURI)
	}
	uri, err := validateTrimKMSPrefix(g.keyURI, awsPrefix)
	if err != nil {
		return nil, err
	}
	return NewAWSAEAD(uri, g.kms), nil
}

func validateKMSPrefix(keyURI, prefix string) bool {
	if len(keyURI) > 0 && strings.HasPrefix(strings.ToLower(keyURI), awsPrefix) {
		return true
	}
	return false
}

func validateTrimKMSPrefix(keyURI, prefix string) (string, error) {
	if !validateKMSPrefix(keyURI, prefix) {
		return "", fmt.Errorf("key URI must start with %s", prefix)
	}
	return strings.TrimPrefix(keyURI, prefix), nil
}

func extractCredsCSV(file string) (*credentials.Value, error) {
	f, err := os.Open(file)
	if err != nil {
		return nil, errBadFile
	}
	defer f.Close()

	lines, err := csv.NewReader(f).ReadAll()
	if err != nil {
		return nil, err
	}

	// It is possible that the file is an AWS .ini credential file, and it can be
	// parsed as 1-column CSV file as well. A real AWS credentials.csv is never 1 column.
	if len(lines) > 0 && len(lines[0]) == 1 {
		return nil, errors.New("not a valid CSV credential file")
	}

	// credentials.csv can be obtained when a AWS IAM user is created through IAM console.
	// The first line of the csv file is "User name,Password,Access key ID,Secret access key,Console login link"
	// The 2nd line of it contains 5 comma separated values.
	// Parse the file with a strict format assumption as follows:
	// 1. There must be at least 4 columns and 2 rows.
	// 2. The access key id and the secret access key must be on (0-based) column 2 and 3.
	if len(lines) < 2 {
		return nil, errCredCSV
	}

	if len(lines[1]) < 4 {
		return nil, errCredCSV
	}

	return &credentials.Value{
		AccessKeyID:     lines[1][2],
		SecretAccessKey: lines[1][3],
	}, nil

}

func getRegion(keyURI string) (string, error) {
	re1, err := regexp.Compile(`aws-kms://arn:aws:kms:([a-z0-9-]+):`)
	if err != nil {
		return "", err
	}
	r := re1.FindStringSubmatch(keyURI)
	if len(r) != 2 {
		return "", errors.New("extracting region from URI failed")
	}
	return r[1], nil
}