From 5187e7eae24c1cefd10238f722c811612183e1b9 Mon Sep 17 00:00:00 2001 From: Nicolas JUHEL Date: Fri, 28 Oct 2022 15:16:53 +0200 Subject: [PATCH] Package AWS : - User : Add/update policy managment (list, walk, attach, detach) - Group : Add/update policy managment (list, walk, attach, detach) - Role : Add/update policy managment (list, walk, attach, detach) - Policy : add capability to not list default verison policy --- aws/group/interface.go | 43 ++++++++++-------- aws/group/policy.go | 96 +++++++++++++++++++++++++++++++++------- aws/policy/interface.go | 2 +- aws/policy/policies.go | 2 +- aws/policy/versions.go | 6 ++- aws/role/interface.go | 39 ++++++++-------- aws/role/policy.go | 98 ++++++++++++++++++++++++++++++++++------- aws/user/interface.go | 5 +++ aws/user/policy.go | 97 +++++++++++++++++++++++++++++++++++----- 9 files changed, 302 insertions(+), 86 deletions(-) diff --git a/aws/group/interface.go b/aws/group/interface.go index 98331743..9795a266 100644 --- a/aws/group/interface.go +++ b/aws/group/interface.go @@ -28,36 +28,41 @@ package group import ( "context" - "github.com/aws/aws-sdk-go-v2/service/iam" - "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/nabbar/golib/aws/helper" - "github.com/nabbar/golib/errors" + sdkiam "github.com/aws/aws-sdk-go-v2/service/iam" + sdktps "github.com/aws/aws-sdk-go-v2/service/iam/types" + sdksss "github.com/aws/aws-sdk-go-v2/service/s3" + awshlp "github.com/nabbar/golib/aws/helper" + liberr "github.com/nabbar/golib/errors" ) type client struct { - helper.Helper - iam *iam.Client - s3 *s3.Client + awshlp.Helper + iam *sdkiam.Client + s3 *sdksss.Client } +type PoliciesWalkFunc func(err liberr.Error, pol sdktps.AttachedPolicy) liberr.Error + type Group interface { - UserList(username string) ([]string, errors.Error) - UserCheck(username, groupName string) (errors.Error, bool) - UserAdd(username, groupName string) errors.Error - UserRemove(username, groupName string) errors.Error + UserList(username string) ([]string, liberr.Error) + UserCheck(username, groupName string) (liberr.Error, bool) + UserAdd(username, groupName string) liberr.Error + UserRemove(username, groupName string) liberr.Error - List() (map[string]string, errors.Error) - Add(groupName string) errors.Error - Remove(groupName string) errors.Error + List() (map[string]string, liberr.Error) + Add(groupName string) liberr.Error + Remove(groupName string) liberr.Error - PolicyList(groupName string) (map[string]string, errors.Error) - PolicyAttach(groupName, polArn string) errors.Error - PolicyDetach(groupName, polArn string) errors.Error + PolicyList(groupName string) (map[string]string, liberr.Error) + PolicyAttach(groupName, polArn string) liberr.Error + PolicyDetach(groupName, polArn string) liberr.Error + PolicyAttachedList(groupName, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) + PolicyAttachedWalk(groupName string, fct PoliciesWalkFunc) liberr.Error } -func New(ctx context.Context, bucket, region string, iam *iam.Client, s3 *s3.Client) Group { +func New(ctx context.Context, bucket, region string, iam *sdkiam.Client, s3 *sdksss.Client) Group { return &client{ - Helper: helper.New(ctx, bucket, region), + Helper: awshlp.New(ctx, bucket, region), iam: iam, s3: s3, } diff --git a/aws/group/policy.go b/aws/group/policy.go index 9337b693..78db5e9e 100644 --- a/aws/group/policy.go +++ b/aws/group/policy.go @@ -26,22 +26,21 @@ package group import ( - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/iam" - "github.com/nabbar/golib/errors" + sdkaws "github.com/aws/aws-sdk-go-v2/aws" + sdkiam "github.com/aws/aws-sdk-go-v2/service/iam" + sdktps "github.com/aws/aws-sdk-go-v2/service/iam/types" + liberr "github.com/nabbar/golib/errors" ) -func (cli *client) PolicyList(groupName string) (map[string]string, errors.Error) { - out, err := cli.iam.ListAttachedGroupPolicies(cli.GetContext(), &iam.ListAttachedGroupPoliciesInput{ - GroupName: aws.String(groupName), - }) +func (cli *client) PolicyList(groupName string) (map[string]string, liberr.Error) { + out, _, err := cli.PolicyAttachedList(groupName, "") if err != nil { - return nil, cli.GetError(err) + return nil, err } else { var res = make(map[string]string) - for _, p := range out.AttachedPolicies { + for _, p := range out { res[*p.PolicyName] = *p.PolicyArn } @@ -49,20 +48,83 @@ func (cli *client) PolicyList(groupName string) (map[string]string, errors.Error } } -func (cli *client) PolicyAttach(groupName, polArn string) errors.Error { - _, err := cli.iam.AttachGroupPolicy(cli.GetContext(), &iam.AttachGroupPolicyInput{ - GroupName: aws.String(groupName), - PolicyArn: aws.String(polArn), +func (cli *client) PolicyAttach(groupName, polArn string) liberr.Error { + _, err := cli.iam.AttachGroupPolicy(cli.GetContext(), &sdkiam.AttachGroupPolicyInput{ + GroupName: sdkaws.String(groupName), + PolicyArn: sdkaws.String(polArn), }) return cli.GetError(err) } -func (cli *client) PolicyDetach(groupName, polArn string) errors.Error { - _, err := cli.iam.DetachGroupPolicy(cli.GetContext(), &iam.DetachGroupPolicyInput{ - GroupName: aws.String(groupName), - PolicyArn: aws.String(polArn), +func (cli *client) PolicyDetach(groupName, polArn string) liberr.Error { + _, err := cli.iam.DetachGroupPolicy(cli.GetContext(), &sdkiam.DetachGroupPolicyInput{ + GroupName: sdkaws.String(groupName), + PolicyArn: sdkaws.String(polArn), }) return cli.GetError(err) } + +func (cli *client) PolicyAttachedList(groupName, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) { + in := &sdkiam.ListAttachedGroupPoliciesInput{ + GroupName: sdkaws.String(groupName), + MaxItems: sdkaws.Int32(1000), + } + + if marker != "" { + in.Marker = sdkaws.String(marker) + } + + lst, err := cli.iam.ListAttachedGroupPolicies(cli.GetContext(), in) + + if err != nil { + return nil, "", cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil, "", nil + } else if lst.IsTruncated && lst.Marker != nil { + return lst.AttachedPolicies, *lst.Marker, nil + } else { + return lst.AttachedPolicies, "", nil + } +} + +func (cli *client) PolicyAttachedWalk(groupName string, fct PoliciesWalkFunc) liberr.Error { + var m *string + + in := &sdkiam.ListAttachedGroupPoliciesInput{ + GroupName: sdkaws.String(groupName), + MaxItems: sdkaws.Int32(1000), + } + + for { + if m != nil { + in.Marker = m + } else { + in.Marker = nil + } + + lst, err := cli.iam.ListAttachedGroupPolicies(cli.GetContext(), in) + + if err != nil { + return cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil + } + + var e liberr.Error + for _, p := range lst.AttachedPolicies { + e = fct(e, p) + } + + if e != nil { + return e + } + + if lst.IsTruncated && lst.Marker != nil { + m = lst.Marker + } else { + return nil + } + } +} diff --git a/aws/policy/interface.go b/aws/policy/interface.go index 5b7e092f..00183865 100644 --- a/aws/policy/interface.go +++ b/aws/policy/interface.go @@ -49,7 +49,7 @@ type Policy interface { Update(polArn, polContents string) liberr.Error Delete(polArn string) liberr.Error - VersionList(arn string, maxItem int32) (map[string]string, liberr.Error) + VersionList(arn string, maxItem int32, noDefaultVersion bool) (map[string]string, liberr.Error) VersionGet(arn string, vers string) (*types.PolicyVersion, liberr.Error) VersionAdd(arn string, doc string) liberr.Error VersionDel(arn string, vers string) liberr.Error diff --git a/aws/policy/policies.go b/aws/policy/policies.go index d0509f13..b09badeb 100644 --- a/aws/policy/policies.go +++ b/aws/policy/policies.go @@ -86,7 +86,7 @@ func (cli *client) Update(polArn, polContents string) liberr.Error { if pol, err = cli.Get(polArn); err != nil { return err - } else if lst, err = cli.VersionList(polArn, 0); err != nil { + } else if lst, err = cli.VersionList(polArn, 0, false); err != nil { return err } else if len(lst) > 0 { for v := range lst { diff --git a/aws/policy/versions.go b/aws/policy/versions.go index b01e6389..91802cf1 100644 --- a/aws/policy/versions.go +++ b/aws/policy/versions.go @@ -40,7 +40,7 @@ import ( const maxItemList int32 = 1000 -func (cli *client) VersionList(arn string, maxItem int32) (map[string]string, liberr.Error) { +func (cli *client) VersionList(arn string, maxItem int32, noDefaultVersion bool) (map[string]string, liberr.Error) { if arn == "" { //nolint #goerr113 return nil, libhlp.ErrorParamsEmpty.ErrorParent(fmt.Errorf("arn is empty")) @@ -80,6 +80,10 @@ func (cli *client) VersionList(arn string, maxItem int32) (map[string]string, li return nil, nil } + if noDefaultVersion && v.IsDefaultVersion { + continue + } + if v.VersionId == nil || len(*v.VersionId) < 1 { continue } diff --git a/aws/role/interface.go b/aws/role/interface.go index dd288ece..9dc21c86 100644 --- a/aws/role/interface.go +++ b/aws/role/interface.go @@ -28,34 +28,37 @@ package role import ( "context" - "github.com/aws/aws-sdk-go-v2/service/iam" - "github.com/aws/aws-sdk-go-v2/service/iam/types" - "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/nabbar/golib/aws/helper" - "github.com/nabbar/golib/errors" + sdkiam "github.com/aws/aws-sdk-go-v2/service/iam" + sdktps "github.com/aws/aws-sdk-go-v2/service/iam/types" + sdksss "github.com/aws/aws-sdk-go-v2/service/s3" + libhlp "github.com/nabbar/golib/aws/helper" + liberr "github.com/nabbar/golib/errors" ) type client struct { - helper.Helper - iam *iam.Client - s3 *s3.Client + libhlp.Helper + iam *sdkiam.Client + s3 *sdksss.Client } -type Role interface { - List() ([]types.Role, errors.Error) - Check(name string) (string, errors.Error) - Add(name, role string) (string, errors.Error) - Delete(roleName string) errors.Error +type PoliciesWalkFunc func(err liberr.Error, pol sdktps.AttachedPolicy) liberr.Error - PolicyAttach(policyARN, roleName string) errors.Error - PolicyDetach(policyARN, roleName string) errors.Error +type Role interface { + List() ([]sdktps.Role, liberr.Error) + Check(name string) (string, liberr.Error) + Add(name, role string) (string, liberr.Error) + Delete(roleName string) liberr.Error - PolicyListAttached(roleName string) ([]types.AttachedPolicy, errors.Error) + PolicyAttach(policyARN, roleName string) liberr.Error + PolicyDetach(policyARN, roleName string) liberr.Error + PolicyListAttached(roleName string) ([]sdktps.AttachedPolicy, liberr.Error) + PolicyAttachedList(roleName, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) + PolicyAttachedWalk(roleName string, fct PoliciesWalkFunc) liberr.Error } -func New(ctx context.Context, bucket, region string, iam *iam.Client, s3 *s3.Client) Role { +func New(ctx context.Context, bucket, region string, iam *sdkiam.Client, s3 *sdksss.Client) Role { return &client{ - Helper: helper.New(ctx, bucket, region), + Helper: libhlp.New(ctx, bucket, region), iam: iam, s3: s3, } diff --git a/aws/role/policy.go b/aws/role/policy.go index c8bcac8e..10e4284c 100644 --- a/aws/role/policy.go +++ b/aws/role/policy.go @@ -26,38 +26,102 @@ package role import ( - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/iam" - "github.com/aws/aws-sdk-go-v2/service/iam/types" - "github.com/nabbar/golib/errors" + sdkaws "github.com/aws/aws-sdk-go-v2/aws" + sdkiam "github.com/aws/aws-sdk-go-v2/service/iam" + sdktps "github.com/aws/aws-sdk-go-v2/service/iam/types" + liberr "github.com/nabbar/golib/errors" ) -func (cli *client) PolicyListAttached(roleName string) ([]types.AttachedPolicy, errors.Error) { - out, err := cli.iam.ListAttachedRolePolicies(cli.GetContext(), &iam.ListAttachedRolePoliciesInput{ - RoleName: aws.String(roleName), - }) +/* +@DEPRECATED: PolicyAttachedList +*/ +func (cli *client) PolicyListAttached(roleName string) ([]sdktps.AttachedPolicy, liberr.Error) { + out, _, err := cli.PolicyAttachedList(roleName, "") if err != nil { return nil, cli.GetError(err) } else { - return out.AttachedPolicies, nil + return out, nil } } -func (cli *client) PolicyAttach(policyARN, roleName string) errors.Error { - _, err := cli.iam.AttachRolePolicy(cli.GetContext(), &iam.AttachRolePolicyInput{ - PolicyArn: aws.String(policyARN), - RoleName: aws.String(roleName), +func (cli *client) PolicyAttach(policyARN, roleName string) liberr.Error { + _, err := cli.iam.AttachRolePolicy(cli.GetContext(), &sdkiam.AttachRolePolicyInput{ + PolicyArn: sdkaws.String(policyARN), + RoleName: sdkaws.String(roleName), }) return cli.GetError(err) } -func (cli *client) PolicyDetach(policyARN, roleName string) errors.Error { - _, err := cli.iam.DetachRolePolicy(cli.GetContext(), &iam.DetachRolePolicyInput{ - PolicyArn: aws.String(policyARN), - RoleName: aws.String(roleName), +func (cli *client) PolicyDetach(policyARN, roleName string) liberr.Error { + _, err := cli.iam.DetachRolePolicy(cli.GetContext(), &sdkiam.DetachRolePolicyInput{ + PolicyArn: sdkaws.String(policyARN), + RoleName: sdkaws.String(roleName), }) return cli.GetError(err) } + +func (cli *client) PolicyAttachedList(roleName, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) { + in := &sdkiam.ListAttachedRolePoliciesInput{ + RoleName: sdkaws.String(roleName), + MaxItems: sdkaws.Int32(1000), + } + + if marker != "" { + in.Marker = sdkaws.String(marker) + } + + lst, err := cli.iam.ListAttachedRolePolicies(cli.GetContext(), in) + + if err != nil { + return nil, "", cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil, "", nil + } else if lst.IsTruncated && lst.Marker != nil { + return lst.AttachedPolicies, *lst.Marker, nil + } else { + return lst.AttachedPolicies, "", nil + } +} + +func (cli *client) PolicyAttachedWalk(roleName string, fct PoliciesWalkFunc) liberr.Error { + var m *string + + in := &sdkiam.ListAttachedRolePoliciesInput{ + RoleName: sdkaws.String(roleName), + MaxItems: sdkaws.Int32(1000), + } + + for { + if m != nil { + in.Marker = m + } else { + in.Marker = nil + } + + lst, err := cli.iam.ListAttachedRolePolicies(cli.GetContext(), in) + + if err != nil { + return cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil + } + + var e liberr.Error + for _, p := range lst.AttachedPolicies { + e = fct(e, p) + } + + if e != nil { + return e + } + + if lst.IsTruncated && lst.Marker != nil { + m = lst.Marker + } else { + return nil + } + } +} diff --git a/aws/user/interface.go b/aws/user/interface.go index b3ae279c..5edde227 100644 --- a/aws/user/interface.go +++ b/aws/user/interface.go @@ -41,6 +41,8 @@ type client struct { s3 *sdksss.Client } +type PoliciesWalkFunc func(err liberr.Error, pol sdktps.AttachedPolicy) liberr.Error + type User interface { List() (map[string]string, liberr.Error) Get(username string) (*sdktps.User, liberr.Error) @@ -49,6 +51,9 @@ type User interface { PolicyPut(policyDocument, policyName, username string) liberr.Error PolicyAttach(policyARN, username string) liberr.Error + PolicyDetach(policyARN, username string) liberr.Error + PolicyAttachedList(username, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) + PolicyAttachedWalk(username string, fct PoliciesWalkFunc) liberr.Error LoginCheck(username string) liberr.Error LoginCreate(username, password string) liberr.Error diff --git a/aws/user/policy.go b/aws/user/policy.go index 843563f6..c902b57a 100644 --- a/aws/user/policy.go +++ b/aws/user/policy.go @@ -26,25 +26,98 @@ package user import ( - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/iam" - "github.com/nabbar/golib/errors" + sdkaws "github.com/aws/aws-sdk-go-v2/aws" + sdkiam "github.com/aws/aws-sdk-go-v2/service/iam" + sdktps "github.com/aws/aws-sdk-go-v2/service/iam/types" + liberr "github.com/nabbar/golib/errors" ) -func (cli *client) PolicyPut(policyDocument, policyName, username string) errors.Error { - _, err := cli.iam.PutUserPolicy(cli.GetContext(), &iam.PutUserPolicyInput{ - PolicyDocument: aws.String(policyDocument), - PolicyName: aws.String(policyName), - UserName: aws.String(username), +func (cli *client) PolicyPut(policyDocument, policyName, username string) liberr.Error { + _, err := cli.iam.PutUserPolicy(cli.GetContext(), &sdkiam.PutUserPolicyInput{ + PolicyDocument: sdkaws.String(policyDocument), + PolicyName: sdkaws.String(policyName), + UserName: sdkaws.String(username), }) return cli.GetError(err) } -func (cli *client) PolicyAttach(policyARN, username string) errors.Error { - _, err := cli.iam.AttachUserPolicy(cli.GetContext(), &iam.AttachUserPolicyInput{ - PolicyArn: aws.String(policyARN), - UserName: aws.String(username), +func (cli *client) PolicyAttachedList(username, marker string) ([]sdktps.AttachedPolicy, string, liberr.Error) { + in := &sdkiam.ListAttachedUserPoliciesInput{ + UserName: sdkaws.String(username), + MaxItems: sdkaws.Int32(1000), + } + + if marker != "" { + in.Marker = sdkaws.String(marker) + } + + lst, err := cli.iam.ListAttachedUserPolicies(cli.GetContext(), in) + + if err != nil { + return nil, "", cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil, "", nil + } else if lst.IsTruncated && lst.Marker != nil { + return lst.AttachedPolicies, *lst.Marker, nil + } else { + return lst.AttachedPolicies, "", nil + } +} + +func (cli *client) PolicyAttachedWalk(username string, fct PoliciesWalkFunc) liberr.Error { + var m *string + + in := &sdkiam.ListAttachedUserPoliciesInput{ + UserName: sdkaws.String(username), + MaxItems: sdkaws.Int32(1000), + } + + for { + if m != nil { + in.Marker = m + } else { + in.Marker = nil + } + + lst, err := cli.iam.ListAttachedUserPolicies(cli.GetContext(), in) + + if err != nil { + return cli.GetError(err) + } else if lst == nil || lst.AttachedPolicies == nil { + return nil + } + + var e liberr.Error + for _, p := range lst.AttachedPolicies { + e = fct(e, p) + } + + if e != nil { + return e + } + + if lst.IsTruncated && lst.Marker != nil { + m = lst.Marker + } else { + return nil + } + } +} + +func (cli *client) PolicyAttach(policyARN, username string) liberr.Error { + _, err := cli.iam.AttachUserPolicy(cli.GetContext(), &sdkiam.AttachUserPolicyInput{ + PolicyArn: sdkaws.String(policyARN), + UserName: sdkaws.String(username), + }) + + return cli.GetError(err) +} + +func (cli *client) PolicyDetach(policyARN, username string) liberr.Error { + _, err := cli.iam.DetachUserPolicy(cli.GetContext(), &sdkiam.DetachUserPolicyInput{ + PolicyArn: sdkaws.String(policyARN), + UserName: sdkaws.String(username), }) return cli.GetError(err)