Remove AWS SDK V1 references #52990

Open
wants to merge 4 commits into
base: master
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -293,6 +293,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.15 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.0 // indirect
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -926,6 +926,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91Liq
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
github.com/aws/aws-sdk-go-v2/service/kms v1.38.0 h1:+2/0Cq0R/audJhwM1GpJMg8X1TTrMKDFRLO5RMaNRU0=
github.com/aws/aws-sdk-go-v2/service/kms v1.38.0/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1 h1:EabaKQAptxXAeSL0sXKqfupPe/CpH965wqoloUK0aMM=
github.com/aws/aws-sdk-go-v2/service/lambda v1.70.1/go.mod h1:c27kk10S36lBYgbG1jR3opn4OAS5Y/4wjJa1GiHK/X4=
github.com/aws/aws-sdk-go-v2/service/memorydb v1.26.0 h1:nO9RCZnfAIF5q43IDLWtf7vu/l16RKzeTkv5GObkyME=
github.com/aws/aws-sdk-go-v2/service/memorydb v1.26.0/go.mod h1:pfuDC5zBwunXdE44WT1PRbtzuXWGohKFcFLtv+ezI6k=
github.com/aws/aws-sdk-go-v2/service/opensearch v1.46.0 h1:eR65kYpNlKpGkkvg+A83hc0hpk2CHappaz1JAUCcxVs=
12 changes: 6 additions & 6 deletions lib/events/fips.go
Expand Up @@ -19,7 +19,7 @@
package events

import (
"github.com/aws/aws-sdk-go/aws/endpoints"
"github.com/aws/aws-sdk-go-v2/aws"

"github.com/gravitational/teleport/api/types"
)
Expand All @@ -31,14 +31,14 @@ const (
)

var (
fipsToAWS = map[types.ClusterAuditConfigSpecV2_FIPSEndpointState]endpoints.FIPSEndpointState{
types.ClusterAuditConfigSpecV2_FIPS_UNSET: endpoints.FIPSEndpointStateUnset,
types.ClusterAuditConfigSpecV2_FIPS_ENABLED: endpoints.FIPSEndpointStateEnabled,
types.ClusterAuditConfigSpecV2_FIPS_DISABLED: endpoints.FIPSEndpointStateDisabled,
fipsToAWS = map[types.ClusterAuditConfigSpecV2_FIPSEndpointState]aws.FIPSEndpointState{
types.ClusterAuditConfigSpecV2_FIPS_UNSET: aws.FIPSEndpointStateUnset,
types.ClusterAuditConfigSpecV2_FIPS_ENABLED: aws.FIPSEndpointStateEnabled,
types.ClusterAuditConfigSpecV2_FIPS_DISABLED: aws.FIPSEndpointStateDisabled,
}
)

// FIPSProtoStateToAWSState converts a FIPS proto state to an aws endpoints.FIPSEndpointState
func FIPSProtoStateToAWSState(state types.ClusterAuditConfigSpecV2_FIPSEndpointState) endpoints.FIPSEndpointState {
func FIPSProtoStateToAWSState(state types.ClusterAuditConfigSpecV2_FIPSEndpointState) aws.FIPSEndpointState {
return fipsToAWS[state]
}
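Review bot: The doc comment on FIPSProtoStateToAWSState (the context line just above the changed signature) still says it returns an `aws endpoints.FIPSEndpointState`, which no longer names anything in this file once the v1 import is gone; change it to `// FIPSProtoStateToAWSState converts a FIPS proto state to an SDK v2 aws.FIPSEndpointState.` The lookup `fipsToAWS[state]` returns the map's zero value for any state not listed, which in the v2 enum is presumably FIPSEndpointStateUnset, so an unrecognized value silently falls back to not requesting FIPS endpoints rather than failing closed. That was already true with the v1 type, but a one-line comment on the return (or an explicit error/default) would make the fail-open behaviour deliberate now that the type is being swapped.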
2 changes: 1 addition & 1 deletion lib/integrations/externalauditstorage/configurator_test.go
Expand Up @@ -25,9 +25,9 @@ import (
"testing"
"time"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/sts"
ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
"github.com/aws/aws-sdk-go/aws"
"github.com/google/uuid"
"github.com/jonboulle/clockwork"
"github.com/stretchr/testify/assert"
104 changes: 60 additions & 44 deletions lib/srv/alpnproxy/aws_local_proxy_test.go
Expand Up @@ -19,16 +19,13 @@
package alpnproxy

import (
"context"
"encoding/xml"
"net/http"
"net/http/httptest"
"testing"
"time"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/sts"
ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
"github.com/stretchr/testify/require"

Expand All @@ -39,20 +36,19 @@ func TestAWSAccessMiddleware(t *testing.T) {
t.Parallel()

assumedRoleARN := "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
localProxyCred := credentials.NewStaticCredentialsProvider("local-proxy", "local-proxy-secret", "")
assumedRoleCred := credentials.NewStaticCredentialsProvider("assumed-role", "assumed-role-secret", "assumed-role-token")
localCred := aws.Credentials{AccessKeyID: "local-proxy", SecretAccessKey: "local-proxy-secret"}
assumedRoleCred := aws.Credentials{AccessKeyID: "assumed-role", SecretAccessKey: "assumed-role-secret", SessionToken: "assumed-role-token"}

m := &AWSAccessMiddleware{
AWSCredentialsProvider: credentials.NewStaticCredentialsProvider("local-proxy", "local-proxy-secret", ""),
}
require.NoError(t, m.CheckAndSetDefaults())

stsRequestByLocalProxyCred := httptest.NewRequest(http.MethodPost, "http://sts.us-east-2.amazonaws.com", nil)

awsutils.NewSignerV2(localProxyCred, "sts").Sign(stsRequestByLocalProxyCred, nil, "sts", "us-west-1", time.Now())
awsutils.NewSignerV2("sts").SignHTTP(t.Context(), localCred, stsRequestByLocalProxyCred, awsutils.EmptyPayloadHash, "sts", "us-west-1", time.Now())

requestByAssumedRole := httptest.NewRequest(http.MethodGet, "http://s3.amazonaws.com", nil)
awsutils.NewSignerV2(assumedRoleCred, "s3").Sign(requestByAssumedRole, nil, "s3", "us-west-1", time.Now())
awsutils.NewSignerV2("s3").SignHTTP(t.Context(), assumedRoleCred, requestByAssumedRole, awsutils.EmptyPayloadHash, "s3", "us-west-1", time.Now())

t.Run("request no authorization", func(t *testing.T) {
recorder := httptest.NewRecorder()
Expand Down Expand Up @@ -99,56 +95,76 @@ func TestAWSAccessMiddleware(t *testing.T) {
})
}

func assumeRoleResponse(t *testing.T, roleARN string, provider aws.CredentialsProvider) *http.Response {
t.Helper()
// IdentityResult represents the identitiy result of an AWS response.
type IdentityResult struct {
ARN string `xml:"Arn"`
}

credValue, err := provider.Retrieve(context.Background())
require.NoError(t, err)
// ResponseMetadata contains the metadata of a AWS response.
type ResponseMetadata struct {
RequestID string `xml:"RequestID"`
StatusCode int `xml:"StatusCode"`
}

body, err := awsutils.MarshalXML(
xml.Name{
Local: "AssumeRoleResponse",
Space: "https://sts.amazonaws.com/doc/2011-06-15/",
},
map[string]any{
"AssumeRoleResult": sts.AssumeRoleOutput{
AssumedRoleUser: &ststypes.AssumedRoleUser{
Arn: aws.String(roleARN),
},
Credentials: &ststypes.Credentials{
AccessKeyId: aws.String(credValue.AccessKeyID),
SecretAccessKey: aws.String(credValue.SecretAccessKey),
SessionToken: aws.String(credValue.SessionToken),
},
// AssumeRoleResult contains the assume role result.
type AssumeRoleResult struct {
// AssumedRoleUser is the assumed user.
AssumedRoleUser IdentityResult `xml:"AssumedRoleUser"`
// Credentials is the generated credentials.
Credentials ststypes.Credentials `xml:"Credentials"`
}

// AssumeRoleResponse is the response of assume role.
type AssumeRoleResponse struct {
// AssumeRoleResult is the resulting response from assume role.
AssumeRoleResult AssumeRoleResult `xml:"AssumeRoleResult"`
// Response is the response metadata.
Response ResponseMetadata `xml:"ResponseMetadata"`
}

// GetCallerIdentityResponse is the response of get caller identity call.
type GetCallerIdentityResponse struct {
// AssumeRoleResult is the resulting response from assume role.
GetCallerIdentityResult IdentityResult `xml:"GetCallerIdentityResult"`
// Response is the response metadata.
Response ResponseMetadata `xml:"ResponseMetadata"`
}

func assumeRoleResponse(t *testing.T, roleARN string, creds aws.Credentials) *http.Response {
t.Helper()

body, err := awsutils.MarshalXML("AssumeRoleResponse", "https://sts.amazonaws.com/doc/2011-06-15/", AssumeRoleResponse{
AssumeRoleResult: AssumeRoleResult{
AssumedRoleUser: IdentityResult{
ARN: roleARN,
},
"ResponseMetadata": map[string]any{
"StatusCode": http.StatusOK,
"RequestID": "22222222-3333-3333-3333-333333333333",
Credentials: ststypes.Credentials{
AccessKeyId: aws.String(creds.AccessKeyID),
SecretAccessKey: aws.String(creds.SecretAccessKey),
SessionToken: aws.String(creds.SessionToken),
},
},
)
Response: ResponseMetadata{
StatusCode: http.StatusOK,
RequestID: "22222222-3333-3333-3333-333333333333",
},
})
require.NoError(t, err)
return fakeHTTPResponse(http.StatusOK, body)
}

func getCallerIdentityResponse(t *testing.T, roleARN string) *http.Response {
t.Helper()

body, err := awsutils.MarshalXML(
xml.Name{
Local: "GetCallerIdentityResponse",
Space: "https://sts.amazonaws.com/doc/2011-06-15/",
body, err := awsutils.MarshalXML("GetCallerIdentityResponse", "https://sts.amazonaws.com/doc/2011-06-15/", GetCallerIdentityResponse{
GetCallerIdentityResult: IdentityResult{
ARN: roleARN,
},
map[string]any{
"GetCallerIdentityResult": sts.GetCallerIdentityOutput{
Arn: aws.String(roleARN),
},
"ResponseMetadata": map[string]any{
"StatusCode": http.StatusOK,
"RequestID": "22222222-3333-3333-3333-333333333333",
},
Response: ResponseMetadata{
StatusCode: http.StatusOK,
RequestID: "22222222-3333-3333-3333-333333333333",
},
)
})
require.NoError(t, err)
return fakeHTTPResponse(http.StatusOK, body)
}
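Review bot: The doc comment on GetCallerIdentityResponse.GetCallerIdentityResult was copied from AssumeRoleResponse and still reads `// AssumeRoleResult is the resulting response from assume role.`; it should be `// GetCallerIdentityResult holds the caller identity returned by GetCallerIdentity.`, and `identitiy` in the IdentityResult comment is a typo. The new types (IdentityResult, ResponseMetadata, AssumeRoleResult, AssumeRoleResponse, GetCallerIdentityResponse) are exported but live in a _test.go file and are only used by the fixtures here, so unexported names would keep them out of the package's test surface. The middleware is still built from a separate `credentials.NewStaticCredentialsProvider("local-proxy", "local-proxy-secret", "")` rather than the `localCred` value used to sign the request, so the two literals can drift apart; `credentials.StaticCredentialsProvider{Value: localCred}` ties them together. Real STS responses also carry `<RequestId>` rather than `RequestID`, which only matters if the middleware under test ever reads that element, but is worth matching in a fixture that imitates AWS.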
12 changes: 6 additions & 6 deletions lib/srv/app/aws/endpoints_test.go
Expand Up @@ -19,28 +19,28 @@
package aws

import (
"bytes"
"net/http"
"testing"
"time"

"github.com/aws/aws-sdk-go/aws/credentials"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/aws/aws-sdk-go-v2/aws"
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
"github.com/stretchr/testify/require"

awsutils "github.com/gravitational/teleport/lib/utils/aws"
)

func TestResolveEndpoints(t *testing.T) {
signer := v4.NewSigner(credentials.NewStaticCredentials("fakeClientKeyID", "fakeClientSecret", ""))
creds := aws.Credentials{AccessKeyID: "fakeClientKeyID", SecretAccessKey: "fakeClientSecret"}
signer := v4.NewSigner()
region := "us-east-1"
now := time.Now()

t.Run("unsupported SDK resolver", func(t *testing.T) {
req, err := http.NewRequest("GET", "http://localhost", nil)
require.NoError(t, err)

_, err = signer.Sign(req, bytes.NewReader(nil), "ecr", "us-east-1", now)
err = signer.SignHTTP(t.Context(), creds, req, awsutils.EmptyPayloadHash, "ecr", "us-east-1", now)
require.NoError(t, err)

_, err = resolveEndpoint(req, awsutils.AuthorizationHeader)
Expand All @@ -52,7 +52,7 @@ func TestResolveEndpoints(t *testing.T) {
require.NoError(t, err)
req.Header.Set("X-Forwarded-Host", "some-service.us-east-1.amazonaws.com")

_, err = signer.Sign(req, bytes.NewReader(nil), "some-service", region, now)
err = signer.SignHTTP(t.Context(), creds, req, awsutils.EmptyPayloadHash, "some-service", region, now)
require.NoError(t, err)

endpoint, err := resolveEndpoint(req, awsutils.AuthorizationHeader)
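Review bot: The rewritten SignHTTP call in the "unsupported SDK resolver" subtest hard-codes `"us-east-1"` while the second subtest uses the `region` variable declared for exactly that value; use `region` in both, `err = signer.SignHTTP(t.Context(), creds, req, awsutils.EmptyPayloadHash, "ecr", region, now)`, so a later change to the test region cannot leave the two subtests signing for different regions. The mismatch predates this PR, but the line is being rewritten here anyway.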
7 changes: 6 additions & 1 deletion lib/srv/app/aws/handler.go
Expand Up @@ -165,6 +165,11 @@ func (s *signerHandler) serveCommonRequest(sessCtx *common.SessionContext, w htt
return trace.Wrap(err)
}

reqCloneForAudit, err := cloneRequest(unsignedReq)
if err != nil {
return trace.Wrap(err)
}

awsCfg, err := s.AWSConfigProvider.GetConfig(s.closeContext, re.SigningRegion,
awsconfig.WithDetailedAssumeRole(awsconfig.AssumeRole{
RoleARN: sessCtx.Identity.RouteToApp.AWSRoleARN,
Expand All @@ -189,7 +194,7 @@ func (s *signerHandler) serveCommonRequest(sessCtx *common.SessionContext, w htt
}
recorder := httplib.NewResponseStatusRecorder(w)
s.fwd.ServeHTTP(recorder, signedReq)
s.emitAudit(sessCtx, unsignedReq, uint32(recorder.Status()), re)
s.emitAudit(sessCtx, reqCloneForAudit, uint32(recorder.Status()), re)
return nil
}

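Review bot: The new `cloneRequest(unsignedReq)` call carries no comment saying why the audit event must be fed a copy taken before the request is signed and forwarded; presumably the v2 signing path or the forwarder mutates the request in place, so auditing `unsignedReq` afterwards would record the re-signed request rather than what the client sent, and if that is the reason it should be stated: `// Clone before signing/forwarding: the request is mutated in place downstream, and the audit event must describe the request as received from the client.` Whether cloneRequest copies the body also matters here — if it does, every proxied request now buffers its payload a second time (relevant for large S3 uploads); if it does not, the forwarder consumes the shared body and the audited clone silently loses it — and the comment should say which. serveCommonRequest starts before and ends after this hunk, and cloneRequest is defined outside it.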