Commit 6d19ed38 authored by Rucha Deshpande's avatar Rucha Deshpande

Credentials API implementation

commit 17c1f924
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 14:18:02 GMT-0600 (Central Standard Time)

    Merge branch 'dev' into deshruch

commit 30b0d577
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 14:15:21 GMT-0600 (Central Standard Time)

    updates

commit 701d6a26
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 11:46:35 GMT-0600 (Central Standard Time)

    remove TEMP_CREDENTIALS_EXP_DURATION from env

commit 18f2bba1
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 11:44:16 GMT-0600 (Central Standard Time)

    Add exp duration as SSM parameter

commit b00dacae
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 11:34:43 GMT-0600 (Central Standard Time)

    Add credentials API

commit 1b01944d
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Thu Jan 21 2021 10:50:35 GMT-0600 (Central Standard Time)

    Implement credentials API

commit bbceae8f
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Wed Jan 20 2021 14:25:48 GMT-0600 (Central Standard Time)

    Added ssm and sts helper

commit 30b59346
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Tue Jan 19 2021 10:05:31 GMT-0600 (Central Standard Time)

    Merge branch 'dev' into deshruch

commit 0c6b62ec
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Fri Jan 15 2021 16:49:04 GMT-0600 (Central Standard Time)

    Merge branch 'dev' into deshruch

commit 084954a9
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Fri Jan 15 2021 16:47:11 GMT-0600 (Central Standard Time)

    Bug Fix: correct DES service paths

commit 916afd66
Author: Rucha Deshpande <deshruch@amazon.com>
Date: Fri Jan 15 2021 16:00:03 GMT-0600 (Central Standard Time)

    Add skeletons for provider interfaces
parent 3bc01115
......@@ -16,9 +16,16 @@ import { Config } from '../../../cloud';
import { Error, Utils } from '../../../shared';
import { AbstractCredentials, CredentialsFactory, IAccessTokenModel } from '../../credentials';
import { AWSConfig } from './config';
import {AWSSSMhelper} from './ssmhelper';
import {AWSSTShelper} from './stshelper';
@CredentialsFactory.register('aws')
export class AWSCredentials extends AbstractCredentials {
private awsSSMHelper = new AWSSSMhelper();
private awsSTSHelper = new AWSSTShelper();
getAudienceForImpCredentials(): string {
return '';
}
......@@ -36,7 +43,39 @@ export class AWSCredentials extends AbstractCredentials {
}
async getUserCredentials(subject: string): Promise<IAccessTokenModel> {
return undefined;
//subject = tenantName:subprojectName:1 ==> readOnly true
//subject = tenantName:subprojectName:0 ==> readOnly false
const s3bucket = await this.awsSSMHelper.getSSMParameter('/osdu/'+AWSConfig.AWS_ENVIRONMENT+'/seismic-store/seismic-s3-bucket-name')
const expDuration = await this.awsSSMHelper.getSSMParameter('/osdu/'+AWSConfig.AWS_ENVIRONMENT+'/seismic-store/temp-cred-expiration-duration')
const vars = subject.split(':')
const tenant = vars[0];
const subproject = vars[1];
const readOnly = vars[2];
var roleArn='';
var credentials='';
var flagUpload=true;
const keypath = tenant+'/'+subproject;
// tslint:disable-next-line:triple-equals
if(readOnly ==='1') { // readOnly True
roleArn = await this.awsSSMHelper.getSSMParameter('/osdu/' + AWSConfig.AWS_ENVIRONMENT + '/seismic-store/iam/download-role-arn')
flagUpload = false;
} else if (readOnly ==='0') // readOnly False
{
roleArn = await this.awsSSMHelper.getSSMParameter('/osdu/' + AWSConfig.AWS_ENVIRONMENT + '/seismic-store/iam/upload-role-arn')
flagUpload = true;
}
credentials = await this.awsSTSHelper.getCredentials(s3bucket,keypath,roleArn,flagUpload,expDuration);
const result = {
access_token: credentials,
expires_in: 3599,
token_type: 'STSToken',
};
return result;
}
// this will return serviceprincipal access token
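Review bot: getUserCredentials trusts the subject string completely: `subject.split(':')` is never checked for length, so a subject with fewer than three parts, or a third part other than '0'/'1', skips both branches and reaches `getCredentials` with `roleArn === ''` and `flagUpload === true`, failing closed only because STS rejects an empty RoleArn. Because `tenant` and `subproject` are also interpolated into the session policy's Resource ARNs and `s3:prefix` conditions, I'd reject malformed input up front, e.g. `if (vars.length !== 3 || (readOnly !== '0' && readOnly !== '1')) { /* reject via the shared Error helper imported above */ }`, and constrain the two path segments to an allow-listed character set before building `keypath`. `expires_in: 3599` is hard-coded even though the real lifetime comes from the `temp-cred-expiration-duration` parameter; returning `Number(expDuration)` (or the Expiration STS reports) keeps the response consistent with the token actually issued. Note also that `getSSMParameter` in the new ssmhelper resolves to undefined on failure, so each `await this.awsSSMHelper.getSSMParameter(...)` here can yield undefined and should be checked before use. The `return undefined;` just before the comments looks like the removed old line, but this rendering has lost the +/- markers — if it survives on the new side the whole body after it is unreachable; the hunk also starts inside the class, whose definition lies outside it.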
......
// Copyright © 2020 Amazon Web Services
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import AWS from 'aws-sdk/global';
import {AWSConfig} from './config';
import SSM from 'aws-sdk/clients/ssm';
export class AWSSSMhelper {
private ssm: SSM;
public constructor() {
AWS.config.update({ region: AWSConfig.AWS_REGION });
this.ssm = new SSM({apiVersion: '2014-11-06'});
}
public async getSSMParameter(paramName: string): Promise<string> {
const options = {
Name: paramName,
WithDecryption: true
};
try {
const data = await this.ssm.getParameter(options).promise();
// console.log(data.Parameter.Value);
return data.Parameter.Value;
} catch (err) {
console.log(err.code + ': ' + err.message);
}
}
}
\ No newline at end of file
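Review bot: getSSMParameter is declared `Promise<string>` but its catch block only logs and then falls off the end, so on any SSM failure (missing parameter, denied decryption, throttling) the caller receives `undefined` as the bucket name, role ARN or expiration duration and keeps going. Rethrow after logging — `console.log(err.code + ': ' + err.message); throw err;` — or drop the try/catch and let the caller decide; this also removes the implicit-undefined return that `noImplicitReturns` would flag. `err` in a catch clause should be treated as `unknown` and narrowed before reading `.code` and `.message`. `data.Parameter` and `.Value` appear optional in the SDK typings, so a guard such as `if (data.Parameter?.Value === undefined) throw new Error('SSM parameter has no value: ' + paramName);` is needed to honour the declared return type.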
// Copyright © 2020 Amazon Web Services
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import AWS from 'aws-sdk/global';
import {AWSConfig} from './config';
import {STS} from 'aws-sdk';
export class AWSSTShelper {
private sts: STS;
public constructor() {
AWS.config.update({ region: AWSConfig.AWS_REGION });
this.sts = new STS({apiVersion: '2014-11-06'});
}
public async getCredentials(bucketName: string, keypath: string, roleArn: string, flagUpload: boolean, exp: string): Promise<string> {
var policy;
if(flagUpload === true)
policy = this.createUploadPolicy(bucketName,keypath);
else
policy = this.createDownloadPolicy(bucketName,keypath);
var expDuration: number = +exp;
let stsParams = {
ExternalId: "OSDUAWS",
Policy: policy,
RoleArn: roleArn,
RoleSessionName: "OSDUAWSAssumeRoleSession",
DurationSeconds: expDuration
};
const roleCreds = await this.sts.assumeRole(stsParams).promise();
const tempCreds= roleCreds.Credentials.AccessKeyId+':'+roleCreds.Credentials.SecretAccessKey+':'+roleCreds.Credentials.SessionToken;
return tempCreds;
}
public createUploadPolicy(bucketName: string, keypath: string): string {
var UploadPolicy = {
Version: "2012-10-17",
Statement: [
{
Sid: "One", // Statement 1: Allow Listing files at the file location
Effect: "Allow",
Action: [
"s3:ListBucketVersions",
"s3:ListBucket"
],
Resource: [
"arn:aws:s3:::"+bucketName
],
Condition: {
StringEquals: {
's3:prefix': keypath+'/'
}
}
},
{
Sid: "Two", //Statement 2: Allow Listing files under the file location
Effect: "Allow",
Action: [
"s3:*"
],
Resource: [
"arn:aws:s3:::"+bucketName
],
Condition: {
StringLike: {
's3:prefix': keypath+'/*'
}
}
},
{
Sid: "Three", //Statement 3: Allow Uploading files at the file location
Effect: "Allow",
Action: [
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource: [
"arn:aws:s3:::"+bucketName+"/"+keypath+"/"
]
},
{
Sid: "Four", //Statement 4: Allow Uploading files under the file location
Effect: "Allow",
Action: [
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource: [
"arn:aws:s3:::"+bucketName+"/"+keypath+"/*"
]
}
]
};
const policy = JSON.stringify(UploadPolicy);
return policy;
}
public createDownloadPolicy(bucketName: string, keypath: string): string {
var DownloadPolicy = {
Version: "2012-10-17",
Statement: [
{
Sid: "One", // Statement 1: Allow Listing files at the file location
Effect: "Allow",
Action: [
"s3:ListBucketVersions",
"s3:ListBucket"
],
Resource: [
"arn:aws:s3:::"+bucketName
],
Condition: {
StringEquals: {
's3:prefix': keypath+'/'
}
}
},
{
Sid: "Two", //Statement 2: Allow Listing files under the file location
Effect: "Allow",
Action: [
"s3:*"
],
Resource: [
"arn:aws:s3:::"+bucketName
],
Condition: {
StringLike: {
's3:prefix': keypath+'/*'
}
}
},
{
Sid: "Three", //Statement 3: Allow Downloading files at the file location
Effect: "Allow",
Action: [
"s3:GetObject",
"s3:GetObjectVersion"
],
Resource: [
"arn:aws:s3:::"+bucketName+"/"+keypath+"/"
]
},
{
Sid: "Four", //Statement 4: Allow Downloading files under the file location
Effect: "Allow",
Action: [
"s3:GetObject",
"s3:GetObjectVersion"
],
Resource: [
"arn:aws:s3:::"+bucketName+"/"+keypath+"/*"
]
}
]
};
const policy = JSON.stringify(DownloadPolicy);
return policy;
}
}
\ No newline at end of file
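Review bot: Statement `Two` in both createUploadPolicy and createDownloadPolicy grants `"s3:*"` on the bucket ARN even though its own comment says it only needs to list objects under the prefix; the `StringLike s3:prefix` condition narrows which requests match, but least privilege says the Action should be the same `"s3:ListBucketVersions", "s3:ListBucket"` pair used in Statement `One`, so the session policy does not rely on condition-key semantics to stay bounded. In getCredentials, `+exp` is sent as `DurationSeconds` unchecked; when `exp` is undefined or non-numeric that is `NaN`, so validate before the call, e.g. `if (!Number.isInteger(expDuration) || expDuration < 900) throw new Error('invalid credential duration');` (900 s is the AssumeRole minimum). The STS client is built with `apiVersion: '2014-11-06'`, which is the SSM API version copied from ssmhelper — STS's is '2011-06-15'; the SDK may resolve it silently, but the value is misleading. The `Expiration` returned by assumeRole is discarded while the caller hard-codes `expires_in: 3599`; returning it alongside the token would let the caller report the true lifetime. Statements One and Two are duplicated verbatim across the two policy builders and could move into a private helper that both call.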