frostfs-s3-gw/cmd/s3-authmate/modules/generate-presigned-url.go

package modules

import (
	"encoding/json"
	"fmt"
	"os"
	"time"

	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/spf13/cobra"
	"github.com/spf13/viper"
)

var generatePresignedURLCmd = &cobra.Command{
	Use:   "generate-presigned-url",
	Short: "Generate presigned url using AWS credentials",
	Long: `Generate presigned url using AWS credentials.Credentials must be placed in ~/.aws/credentials.
You provide profile to load using --profile flag or explicitly provide credentials and region using
--aws-access-key-id, --aws-secret-access-key, --region.
Note to override credentials you must provide both access key and secret key.`,
	Example: `frostfs-s3-authmate generate-presigned-url --method put --bucket my-bucket --object my-object --endpoint http://localhost:8084 --lifetime 12h --region ru --aws-access-key-id ETaA2CadPcA7bAkLsML2PbTudXY8uRt2PDjCCwkvRv9s0FDCxWDXYc1SA1vKv8KbyCNsLY2AmAjJ92Vz5rgvsFCy --aws-secret-access-key c2d65ef2980f03f4f495bdebedeeae760496697880d61d106bb9a4e5cd2e0607`,
	RunE:    runGeneratePresignedURLCmd,
}

const defaultPresignedLifetime = 12 * time.Hour

const (
	endpointFlag           = "endpoint"
	bucketFlag             = "bucket"
	objectFlag             = "object"
	methodFlag             = "method"
	profileFlag            = "profile"
	regionFlag             = "region"
	awsAccessKeyIDFlag     = "aws-access-key-id"
	awsSecretAccessKeyFlag = "aws-secret-access-key"
)

func initGeneratePresignedURLCmd() {
	generatePresignedURLCmd.Flags().Duration(lifetimeFlag, defaultPresignedLifetime, "Lifetime of presigned URL. For example 50h30m (note: max time unit is an hour so to set a day you should use 24h).\nIt will be ceil rounded to the nearest amount of epoch.")
	generatePresignedURLCmd.Flags().String(endpointFlag, "", "S3 gateway endpoint")
	generatePresignedURLCmd.Flags().String(bucketFlag, "", "Bucket name to perform action")
	generatePresignedURLCmd.Flags().String(objectFlag, "", "Object name to perform action")
	generatePresignedURLCmd.Flags().String(methodFlag, "", "HTTP method to perform action")
	generatePresignedURLCmd.Flags().String(profileFlag, "", "AWS profile to load")
	generatePresignedURLCmd.Flags().String(regionFlag, "", "AWS region to use in signature (default is taken from ~/.aws/config)")
	generatePresignedURLCmd.Flags().String(awsAccessKeyIDFlag, "", "AWS access key id to sign the URL (default is taken from ~/.aws/credentials)")
	generatePresignedURLCmd.Flags().String(awsSecretAccessKeyFlag, "", "AWS secret access key to sign the URL (default is taken from ~/.aws/credentials)")

	_ = generatePresignedURLCmd.MarkFlagRequired(endpointFlag)
	_ = generatePresignedURLCmd.MarkFlagRequired(bucketFlag)
	_ = generatePresignedURLCmd.MarkFlagRequired(objectFlag)
}

func runGeneratePresignedURLCmd(*cobra.Command, []string) error {
	var cfg aws.Config

	if region := viper.GetString(regionFlag); region != "" {
		cfg.Region = &region
	}
	accessKeyID := viper.GetString(awsAccessKeyIDFlag)
	secretAccessKey := viper.GetString(awsSecretAccessKeyFlag)

	if accessKeyID != "" && secretAccessKey != "" {
		cfg.Credentials = credentials.NewStaticCredentialsFromCreds(credentials.Value{
			AccessKeyID:     accessKeyID,
			SecretAccessKey: secretAccessKey,
		})
	}

	sess, err := session.NewSessionWithOptions(session.Options{
		Config:            cfg,
		Profile:           viper.GetString(profileFlag),
		SharedConfigState: session.SharedConfigEnable,
	})
	if err != nil {
		return wrapPreparationError(fmt.Errorf("couldn't get aws credentials: %w", err))
	}

	reqData := auth.RequestData{
		Method:   viper.GetString(methodFlag),
		Endpoint: viper.GetString(endpointFlag),
		Bucket:   viper.GetString(bucketFlag),
		Object:   viper.GetString(objectFlag),
	}
	presignData := auth.PresignData{
		Service:  "s3",
		Region:   *sess.Config.Region,
		Lifetime: viper.GetDuration(lifetimeFlag),
		SignTime: time.Now().UTC(),
	}

	req, err := auth.PresignRequest(sess.Config.Credentials, reqData, presignData)
	if err != nil {
		return wrapBusinessLogicError(err)
	}

	res := &struct{ URL string }{
		URL: req.URL.String(),
	}

	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.SetEscapeHTML(false)
	err = enc.Encode(res)
	if err != nil {
		return wrapBusinessLogicError(err)
	}
	return nil
}
[#131] authmate: Add generate-presigned-url cobra cmd Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-23 13:11:57 +00:00			`package modules`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"os"`
			`"time"`

			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"`
			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/spf13/cobra"`
			`"github.com/spf13/viper"`
			`)`

			`var generatePresignedURLCmd = &cobra.Command{`
			`Use: "generate-presigned-url",`
			`Short: "Generate presigned url using AWS credentials",`
			Long: `Generate presigned url using AWS credentials.Credentials must be placed in ~/.aws/credentials.
			`You provide profile to load using --profile flag or explicitly provide credentials and region using`
			`--aws-access-key-id, --aws-secret-access-key, --region.`
			Note to override credentials you must provide both access key and secret key.`,
			Example: `frostfs-s3-authmate generate-presigned-url --method put --bucket my-bucket --object my-object --endpoint http://localhost:8084 --lifetime 12h --region ru --aws-access-key-id ETaA2CadPcA7bAkLsML2PbTudXY8uRt2PDjCCwkvRv9s0FDCxWDXYc1SA1vKv8KbyCNsLY2AmAjJ92Vz5rgvsFCy --aws-secret-access-key c2d65ef2980f03f4f495bdebedeeae760496697880d61d106bb9a4e5cd2e0607`,
			`RunE: runGeneratePresignedURLCmd,`
			`}`

			`const defaultPresignedLifetime = 12 * time.Hour`

			`const (`
			`endpointFlag = "endpoint"`
			`bucketFlag = "bucket"`
			`objectFlag = "object"`
			`methodFlag = "method"`
			`profileFlag = "profile"`
			`regionFlag = "region"`
			`awsAccessKeyIDFlag = "aws-access-key-id"`
			`awsSecretAccessKeyFlag = "aws-secret-access-key"`
			`)`

			`func initGeneratePresignedURLCmd() {`
			`generatePresignedURLCmd.Flags().Duration(lifetimeFlag, defaultPresignedLifetime, "Lifetime of presigned URL. For example 50h30m (note: max time unit is an hour so to set a day you should use 24h).\nIt will be ceil rounded to the nearest amount of epoch.")`
			`generatePresignedURLCmd.Flags().String(endpointFlag, "", "S3 gateway endpoint")`
			`generatePresignedURLCmd.Flags().String(bucketFlag, "", "Bucket name to perform action")`
			`generatePresignedURLCmd.Flags().String(objectFlag, "", "Object name to perform action")`
			`generatePresignedURLCmd.Flags().String(methodFlag, "", "HTTP method to perform action")`
			`generatePresignedURLCmd.Flags().String(profileFlag, "", "AWS profile to load")`
			`generatePresignedURLCmd.Flags().String(regionFlag, "", "AWS region to use in signature (default is taken from ~/.aws/config)")`
			`generatePresignedURLCmd.Flags().String(awsAccessKeyIDFlag, "", "AWS access key id to sign the URL (default is taken from ~/.aws/credentials)")`
			`generatePresignedURLCmd.Flags().String(awsSecretAccessKeyFlag, "", "AWS secret access key to sign the URL (default is taken from ~/.aws/credentials)")`

			`_ = generatePresignedURLCmd.MarkFlagRequired(endpointFlag)`
			`_ = generatePresignedURLCmd.MarkFlagRequired(bucketFlag)`
			`_ = generatePresignedURLCmd.MarkFlagRequired(objectFlag)`
			`}`

			`func runGeneratePresignedURLCmd(*cobra.Command, []string) error {`
			`var cfg aws.Config`

			`if region := viper.GetString(regionFlag); region != "" {`
			`cfg.Region = &region`
			`}`
			`accessKeyID := viper.GetString(awsAccessKeyIDFlag)`
			`secretAccessKey := viper.GetString(awsSecretAccessKeyFlag)`

			`if accessKeyID != "" && secretAccessKey != "" {`
			`cfg.Credentials = credentials.NewStaticCredentialsFromCreds(credentials.Value{`
			`AccessKeyID: accessKeyID,`
			`SecretAccessKey: secretAccessKey,`
			`})`
			`}`

			`sess, err := session.NewSessionWithOptions(session.Options{`
			`Config: cfg,`
			`Profile: viper.GetString(profileFlag),`
			`SharedConfigState: session.SharedConfigEnable,`
			`})`
			`if err != nil {`
[#152] authmate: Add basic error types and exit codes Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-09-04 18:01:56 +00:00			`return wrapPreparationError(fmt.Errorf("couldn't get aws credentials: %w", err))`
[#131] authmate: Add generate-presigned-url cobra cmd Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-23 13:11:57 +00:00			`}`

			`reqData := auth.RequestData{`
			`Method: viper.GetString(methodFlag),`
			`Endpoint: viper.GetString(endpointFlag),`
			`Bucket: viper.GetString(bucketFlag),`
			`Object: viper.GetString(objectFlag),`
			`}`
			`presignData := auth.PresignData{`
			`Service: "s3",`
			`Region: *sess.Config.Region,`
			`Lifetime: viper.GetDuration(lifetimeFlag),`
			`SignTime: time.Now().UTC(),`
			`}`

			`req, err := auth.PresignRequest(sess.Config.Credentials, reqData, presignData)`
			`if err != nil {`
[#152] authmate: Add basic error types and exit codes Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-09-04 18:01:56 +00:00			`return wrapBusinessLogicError(err)`
[#131] authmate: Add generate-presigned-url cobra cmd Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-23 13:11:57 +00:00			`}`

			`res := &struct{ URL string }{`
			`URL: req.URL.String(),`
			`}`

			`enc := json.NewEncoder(os.Stdout)`
			`enc.SetIndent("", " ")`
			`enc.SetEscapeHTML(false)`
[#152] authmate: Add basic error types and exit codes Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-09-04 18:01:56 +00:00			`err = enc.Encode(res)`
			`if err != nil {`
			`return wrapBusinessLogicError(err)`
			`}`
			`return nil`
[#131] authmate: Add generate-presigned-url cobra cmd Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-23 13:11:57 +00:00			`}`