-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathbless.go
113 lines (90 loc) · 2.86 KB
/
bless.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package bless
import (
"bytes"
"encoding/json"
"fmt"
"io/ioutil"
"os"
"github.com/aws/aws-sdk-go/service/lambda/lambdaiface"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/lambda"
"github.com/pkg/errors"
)
var (
lambdaSvc lambdaiface.LambdaAPI = lambda.New(session.New())
debug = false
)
// Payload used to encode request payload for bless lambda
type Payload struct {
BastionUser string `json:"bastion_user"`
BastionUserIP string `json:"bastion_user_ip"`
RemoteUsernames string `json:"remote_usernames"`
BastionIps string `json:"bastion_ips"`
BastionCommand string `json:"command"`
PublicKeyToSign string `json:"public_key_to_sign"`
KmsAuthToken string `json:"kms_auth_token,omitempty"`
}
// Result used to decode response from bless lambda
type Result struct {
Certificate string `json:"certificate,omitempty"`
}
// ConfigureAws enable override of the default aws sdk configuration
func ConfigureAws(config *aws.Config) {
lambdaSvc = lambda.New(session.New(config))
}
// SetDebug enable or disable debugging
func SetDebug(enable bool) {
debug = enable
}
// LoadPublicKey load the public key from the supplied path
func LoadPublicKey(publicKey string) ([]byte, error) {
data, err := ioutil.ReadFile(publicKey)
if err != nil {
return nil, errors.Wrap(err, "Failed to load public key")
}
return data, nil
}
// ValidatePublicKey validate the public key
func ValidatePublicKey(publicKeyData []byte) (string, error) {
if len(publicKeyData) == 0 {
return "", errors.New("Empty public key supplied")
}
return string(publicKeyData), nil
}
// InvokeBlessLambda invoke the bless lambda function
func InvokeBlessLambda(region, lambdaFunctionName *string, payloadJSON []byte) (*Result, error) {
input := &lambda.InvokeInput{
FunctionName: lambdaFunctionName,
InvocationType: aws.String("RequestResponse"),
LogType: aws.String("None"),
Payload: payloadJSON,
}
res, err := lambdaSvc.Invoke(input)
if err != nil {
return nil, errors.Wrap(err, "Lambda invoke failed")
}
if aws.Int64Value(res.StatusCode) != 200 {
return nil, errors.Wrapf(err, "Lambda Invoke failed: %v", res)
}
resultPayload := &Result{}
err = json.Unmarshal(res.Payload, resultPayload)
if err != nil {
return nil, errors.Wrap(err, "Failed to deserialise JSON result")
}
return resultPayload, nil
}
// WriteCertificate write the generated certificate out to a file
func WriteCertificate(certificateFilename string, certificateContent string) error {
err := ioutil.WriteFile(certificateFilename, bytes.NewBufferString(certificateContent).Bytes(), 0600)
if err != nil {
return errors.Wrap(err, "Failed to write certificate file")
}
return nil
}
// Debug write debug messages if it is enabled
func Debug(message string, args ...interface{}) {
if debug {
fmt.Fprintf(os.Stderr, message, args...)
}
}