Merge pull request #1142 from taraspos/taras/aws-codecommit

auth/aws: AWS CodeCommit IAM authentication

Author: stefanprodan

auth/aws/provider.go

@@ -21,6 +21,8 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"net/http"
+	"net/url"
 	"os"
 	"regexp"
 	"strings"
@@ -32,14 +34,20 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/smithy-go/aws-http-auth/credentials"
+	"github.com/aws/smithy-go/aws-http-auth/sigv4"
+	v4 "github.com/aws/smithy-go/aws-http-auth/v4"
 	"github.com/google/go-containerregistry/pkg/authn"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/fluxcd/pkg/auth"
 )
 
 // ProviderName is the name of the AWS authentication provider.
-const ProviderName = "aws"
+const (
+	ProviderName                       = "aws"
+	codeCommitCanonicalTimestampFormat = "20060102T150405"
+)
 
 // Provider implements the auth.Provider interface for AWS authentication.
 type Provider struct{ Implementation }
@@ -396,3 +404,88 @@ func (p Provider) impl() Implementation {
 	}
 	return p.Implementation
 }
+
+type signerHeaderHostOnly struct{}
+
+func (signerHeaderHostOnly) IsSigned(h string) bool {
+	return h == "host"
+}
+
+// GetRegionFromCodeCommitURL extracts the AWS region from a CodeCommit HTTPS
+// git URL (e.g. https://git-codecommit.us-east-1.amazonaws.com/...).
+// Returns an error if the URL is nil, not HTTPS, or not a valid CodeCommit URL.
+// https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git
+func GetRegionFromCodeCommitURL(gitURL *url.URL) (string, error) {
+	if gitURL == nil {
+		return "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication")
+	}
+	if !strings.EqualFold(gitURL.Scheme, "https") {
+		return "", fmt.Errorf("AWS CodeCommit authentication requires an HTTPS Git URL")
+	}
+	urlSplit := strings.Split(gitURL.Hostname(), ".")
+	if len(urlSplit) < 4 ||
+		!(strings.HasPrefix(gitURL.Hostname(), "git-codecommit.") || strings.HasPrefix(gitURL.Hostname(), "git-codecommit-fips.")) ||
+		!(strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com") || strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com.cn")) {
+		return "", fmt.Errorf("invalid AWS CodeCommit Git URL: %s", gitURL.Host)
+	}
+	return urlSplit[1], nil
+}
+
+// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit.
+func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	gitURL := o.GitURL
+	region, err := GetRegionFromCodeCommitURL(gitURL)
+	if err != nil {
+		return "", "", err
+	}
+	if len(accessTokens) == 0 {
+		return "", "", fmt.Errorf("AWS access token is required for region %q", region)
+	}
+
+	creds, ok := accessTokens[0].(*Credentials)
+	if !ok {
+		return "", "", fmt.Errorf("failed to cast token to AWS token: %T", accessTokens[0])
+	}
+
+	req, err := http.NewRequest("GIT", gitURL.String(), nil)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to build CodeCommit signing request: %w", err)
+	}
+	req.Host = gitURL.Host
+
+	signingTime := time.Now().UTC()
+
+	signer := sigv4.New(func(o *v4.SignerOptions) {
+		o.HeaderRules = signerHeaderHostOnly{}
+		o.DisableUnsignedPayloadSentinel = true
+		o.CanonicalTimeFormat = codeCommitCanonicalTimestampFormat
+	})
+	signInput := &sigv4.SignRequestInput{
+		Request: req,
+		Service: "codecommit",
+		Region:  region,
+		Credentials: credentials.Credentials{
+			AccessKeyID:     *creds.AccessKeyId,
+			SecretAccessKey: *creds.SecretAccessKey,
+			SessionToken:    *creds.SessionToken,
+			Expires:         *creds.Expiration,
+		},
+		Time: signingTime,
+	}
+
+	if err := signer.SignRequest(signInput); err != nil {
+		return "", "", fmt.Errorf("failed to sign request: %w", err)
+	}
+
+	authHeader := req.Header.Get("Authorization")
+	sigStart := strings.Index(authHeader, "Signature=")
+	signature := authHeader[sigStart+10:]
+
+	username := strings.Join([]string{*creds.AccessKeyId, *creds.SessionToken}, "%")
+	password := signingTime.Format(codeCommitCanonicalTimestampFormat) + "Z" + signature
+
+	return username, password, nil
+}

auth/aws/provider_test.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/aws"
+	"github.com/fluxcd/pkg/auth/generic"
 )
 
 func TestProvider_NewControllerToken(t *testing.T) {
@@ -82,7 +83,7 @@ func TestProvider_NewControllerToken(t *testing.T) {
 			}
 
 			provider := aws.Provider{Implementation: impl}
-			token, err := provider.NewControllerToken(context.Background(), opts...)
+			token, err := provider.NewControllerToken(t.Context(), opts...)
 
 			if tt.err == "" {
 				g.Expect(err).NotTo(HaveOccurred())
@@ -536,3 +537,166 @@ func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
 
 	g.Expect(o.STSRegion).To(Equal("us-west-2"))
 }
+
+func TestGetRegionFromCodeCommitURL(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		gitURL         string
+		expectedRegion string
+		err            string
+	}{
+		{
+			name:           "valid CodeCommit URL",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-east-1",
+		},
+		{
+			name:           "valid CodeCommit FIPS URL",
+			gitURL:         "https://git-codecommit-fips.us-west-2.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-west-2",
+		},
+		{
+			name:           "valid CodeCommit China URL",
+			gitURL:         "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo",
+			expectedRegion: "cn-north-1",
+		},
+		{
+			name: "nil URL",
+			err:  "Git URL must be specified for AWS CodeCommit authentication",
+		},
+		{
+			name:   "non-HTTPS URL",
+			gitURL: "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			err:    "AWS CodeCommit authentication requires an HTTPS Git URL",
+		},
+		{
+			name:   "invalid CodeCommit URL",
+			gitURL: "https://github.com/org/repo",
+			err:    "invalid AWS CodeCommit Git URL: github.com",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			var parsedURL *url.URL
+			if tt.gitURL != "" {
+				var err error
+				parsedURL, err = url.Parse(tt.gitURL)
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+			region, err := aws.GetRegionFromCodeCommitURL(parsedURL)
+			if tt.err != "" {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(region).To(Equal(tt.expectedRegion))
+			}
+		})
+	}
+}
+
+func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
+	invalidToken := &generic.Token{Token: "invalid", ExpiresAt: time.Now().Add(time.Hour)}
+	proxyUrl := url.URL{Scheme: "http", Host: "proxy.example.com"}
+	awsRegion := "us-east-1"
+	for _, tt := range []struct {
+		name             string
+		gitURL           string
+		getAccessToken   bool
+		accessTokens     []auth.Token
+		expectedUsername string
+		err              string
+	}{
+		{
+			name:             "valid CodeCommit URL",
+			gitURL:           "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:             "valid CodeCommit FIPS URL",
+			gitURL:           "https://git-codecommit-fips.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:             "valid CodeCommit China URL",
+			gitURL:           "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:           "missing Git URL",
+			getAccessToken: true,
+			err:            "Git URL must be specified for AWS CodeCommit authentication",
+		},
+		{
+			name:           "non HTTPS URL",
+			gitURL:         "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: true,
+			err:            "AWS CodeCommit authentication requires an HTTPS Git URL",
+		},
+		{
+			name:           "invalid CodeCommit URL",
+			gitURL:         "https://github.com/org/repo",
+			getAccessToken: true,
+			err:            "invalid AWS CodeCommit Git URL: github.com",
+		},
+		{
+			name:           "missing access token",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: false,
+			accessTokens:   []auth.Token{},
+			err:            `AWS access token is required for region "us-east-1"`,
+		},
+		{
+			name:           "invalid access token type",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: false,
+			accessTokens:   []auth.Token{invalidToken},
+			err:            "failed to cast token to AWS token: *generic.Token",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:           t,
+				argRegion:   awsRegion,
+				argProxyURL: &proxyUrl,
+				returnCreds: awssdk.Credentials{AccessKeyID: "access-key-id", SecretAccessKey: "secret-access-key", SessionToken: "session-token"},
+			}
+
+			opts := []auth.Option{}
+			if tt.gitURL != "" {
+				gitURL, err := url.Parse(tt.gitURL)
+				g.Expect(err).NotTo(HaveOccurred())
+				opts = append(opts, auth.WithGitURL(*gitURL))
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			accessTokens := tt.accessTokens
+			if tt.getAccessToken {
+				accessToken, err := auth.GetAccessToken(t.Context(), provider,
+					auth.WithSTSRegion(awsRegion),
+					auth.WithProxyURL(proxyUrl),
+				)
+				g.Expect(err).NotTo(HaveOccurred())
+				accessTokens = []auth.Token{accessToken}
+			}
+
+			username, password, err := provider.NewCodeCommitGitCredentials(t.Context(), accessTokens, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(username).To(Equal(tt.expectedUsername))
+				g.Expect(password).To(MatchRegexp(`^[0-9]{8}T[0-9]{6}Z[0-9a-f]{64}$`))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(username).To(BeEmpty())
+				g.Expect(password).To(BeEmpty())
+			}
+		})
+	}
+}

auth/go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.9
 	github.com/aws/aws-sdk-go-v2/service/eks v1.77.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
+	github.com/aws/smithy-go/aws-http-auth v1.1.3
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/fluxcd/pkg/apis/meta v1.26.0
 	github.com/fluxcd/pkg/cache v0.13.0

auth/go.sum

@@ -56,6 +56,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
 github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
 github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/smithy-go/aws-http-auth v1.1.3 h1:8/T7/2n8x+x9sIAmi5h5mDKS8v7/u2GEpF6T6RrGMrc=
+github.com/aws/smithy-go/aws-http-auth v1.1.3/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=

auth/options.go

@@ -42,6 +42,7 @@ type Options struct {
 	STSRegion               string
 	STSEndpoint             string
 	ProxyURL                *url.URL
+	GitURL                  *url.URL
 	CAData                  string
 	ClusterResource         string
 	ClusterAddress          string
@@ -122,6 +123,13 @@ func WithProxyURL(proxyURL url.URL) Option {
 	}
 }
 
+// WithGitURL sets the Git repository URL used by Git credential providers.
+func WithGitURL(gitURL url.URL) Option {
+	return func(o *Options) {
+		o.GitURL = &gitURL
+	}
+}
+
 // WithCAData sets the CA data for credentials that require a CA,
 // e.g. for Kubernetes REST config.
 func WithCAData(caData string) Option {

auth/utils/git.go

@@ -22,6 +22,7 @@ import (
 	"slices"
 
 	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/aws"
 	"github.com/fluxcd/pkg/auth/azure"
 )
 
@@ -46,6 +47,34 @@ func GetGitCredentials(ctx context.Context, providerName string, opts ...auth.Op
 		return &GitCredentials{
 			BearerToken: token.(*azure.Token).Token,
 		}, nil
+	case aws.ProviderName:
+		provider := aws.Provider{}
+		awsOpts := slices.Clone(opts)
+
+		// Extract the region from the CodeCommit URL and inject it as STSRegion
+		// before calling GetAccessToken. This will ensure that it's possible to call AWS SDK
+		// even without AWS_REGION environment variable.
+		var o auth.Options
+		o.Apply(awsOpts...)
+		if o.STSRegion == "" && o.GitURL != nil {
+			if region, err := aws.GetRegionFromCodeCommitURL(o.GitURL); err == nil {
+				awsOpts = append(awsOpts, auth.WithSTSRegion(region))
+			}
+		}
+
+		token, err := auth.GetAccessToken(ctx, provider, awsOpts...)
+		if err != nil {
+			return nil, err
+		}
+
+		username, password, err := provider.NewCodeCommitGitCredentials(ctx, []auth.Token{token}, awsOpts...)
+		if err != nil {
+			return nil, err
+		}
+		return &GitCredentials{
+			Username: username,
+			Password: password,
+		}, nil
 	default:
 		return nil, fmt.Errorf("provider '%s' does not support Git credentials", providerName)
 	}