Split the functionality in node/mounter into smaller packages
#328
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,50 +9,51 @@ import ( | |
| "path/filepath" | ||
| "strings" | ||
| "unicode" | ||
|
|
||
| "github.com/google/renameio" | ||
| ) | ||
|
|
||
| const ( | ||
| awsProfileName = "s3-csi" | ||
| awsProfileConfigFilename = "s3-csi-config" | ||
| awsProfileCredentialsFilename = "s3-csi-credentials" | ||
| ) | ||
|
|
||
| // ErrInvalidCredentials is returned when given AWS Credentials contains invalid characters. | ||
| var ErrInvalidCredentials = errors.New("aws-profile: Invalid AWS Credentials") | ||
|
|
||
| // An AWSProfile represents an AWS profile with it's credentials and config files. | ||
| type AWSProfile struct { | ||
| Name string | ||
| ConfigFilename string | ||
| CredentialsFilename string | ||
| } | ||
|
|
||
| // CreateAWSProfile creates an AWS Profile with credentials and config files from given credentials. | ||
| // Created credentials and config files can be clean up with `CleanupAWSProfile`. | ||
| func CreateAWSProfile(basepath string, accessKeyID string, secretAccessKey string, sessionToken string, filePerm fs.FileMode) (AWSProfile, error) { | ||
| if !isValidCredential(accessKeyID) || !isValidCredential(secretAccessKey) || !isValidCredential(sessionToken) { | ||
| return AWSProfile{}, ErrInvalidCredentials | ||
| } | ||
|
|
||
| name := awsProfileName | ||
|
|
||
| configPath := filepath.Join(basepath, awsProfileConfigFilename) | ||
| err := writeAWSProfileFile(configPath, configFileContents(name), filePerm) | ||
| if err != nil { | ||
| return AWSProfile{}, fmt.Errorf("aws-profile: Failed to create config file %s: %v", configPath, err) | ||
| } | ||
|
|
||
| credentialsPath := filepath.Join(basepath, awsProfileCredentialsFilename) | ||
| err = writeAWSProfileFile(credentialsPath, credentialsFileContents(name, accessKeyID, secretAccessKey, sessionToken), filePerm) | ||
| if err != nil { | ||
| return AWSProfile{}, fmt.Errorf("aws-profile: Failed to create credentials file %s: %v", credentialsPath, err) | ||
| } | ||
|
|
||
| return AWSProfile{ | ||
| Name: name, | ||
| ConfigFilename: awsProfileConfigFilename, | ||
| CredentialsFilename: awsProfileCredentialsFilename, | ||
| }, nil | ||
| } | ||
|
|
||
|
|
@@ -75,14 +76,8 @@ func CleanupAWSProfile(basepath string) error { | |
| return nil | ||
| } | ||
|
|
||
|
Comment on lines
-83
to
-85
There was a problem hiding this comment.
|
||
| func writeAWSProfileFile(path string, content string, filePerm os.FileMode) error { | ||
| return renameio.WriteFile(path, []byte(content), filePerm) | ||
| } | ||
|
|
||
| func credentialsFileContents(profile string, accessKeyID string, secretAccessKey string, sessionToken string) string { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| package awsprofile_test | ||
|
|
||
| import ( | ||
| "errors" | ||
| "io/fs" | ||
| "os" | ||
| "path/filepath" | ||
| "testing" | ||
|
|
||
| "github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/credentialprovider/awsprofile" | ||
| "github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/credentialprovider/awsprofile/awsprofiletest" | ||
| "github.com/awslabs/aws-s3-csi-driver/pkg/util/testutil/assert" | ||
| ) | ||
|
|
||
| const testAccessKeyId = "test-access-key-id" | ||
| const testSecretAccessKey = "test-secret-access-key" | ||
| const testSessionToken = "test-session-token" | ||
| const testFilePerm = fs.FileMode(0600) | ||
|
|
||
| func TestCreatingAWSProfile(t *testing.T) { | ||
| t.Run("create config and credentials files", func(t *testing.T) { | ||
| basepath := t.TempDir() | ||
| profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm) | ||
| assert.NoError(t, err) | ||
| assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken) | ||
| }) | ||
|
|
||
| t.Run("create config and credentials files with empty session token", func(t *testing.T) { | ||
| basepath := t.TempDir() | ||
| profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, "", testFilePerm) | ||
| assert.NoError(t, err) | ||
| assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, "") | ||
| }) | ||
|
|
||
| t.Run("ensure config and credentials files are created with correct permissions", func(t *testing.T) { | ||
| basepath := t.TempDir() | ||
| profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm) | ||
| assert.NoError(t, err) | ||
| assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken) | ||
|
|
||
| configStat, err := os.Stat(filepath.Join(basepath, profile.ConfigFilename)) | ||
| assert.NoError(t, err) | ||
| assert.Equals(t, testFilePerm, configStat.Mode()) | ||
|
|
||
| credentialsStat, err := os.Stat(filepath.Join(basepath, profile.CredentialsFilename)) | ||
| assert.NoError(t, err) | ||
| assert.Equals(t, testFilePerm, credentialsStat.Mode()) | ||
| }) | ||
|
|
||
| t.Run("fail if credentials contains non-ascii characters", func(t *testing.T) { | ||
| t.Run("access key ID", func(t *testing.T) { | ||
| _, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId+"\n\t\r credential_process=exit", testSecretAccessKey, testSessionToken, testFilePerm) | ||
| assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials)) | ||
| }) | ||
| t.Run("secret access key", func(t *testing.T) { | ||
| _, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId, testSecretAccessKey+"\n", testSessionToken, testFilePerm) | ||
| assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials)) | ||
| }) | ||
| t.Run("session token", func(t *testing.T) { | ||
| _, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId, testSecretAccessKey, testSessionToken+"\n\r", testFilePerm) | ||
| assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials)) | ||
| }) | ||
| }) | ||
| } | ||
|
|
||
| func TestCleaningUpAWSProfile(t *testing.T) { | ||
| t.Run("clean config and credentials files", func(t *testing.T) { | ||
| basepath := t.TempDir() | ||
|
|
||
| profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm) | ||
| assert.NoError(t, err) | ||
| assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken) | ||
|
|
||
| err = awsprofile.CleanupAWSProfile(basepath) | ||
| assert.NoError(t, err) | ||
|
|
||
| _, err = os.Stat(filepath.Join(basepath, profile.ConfigFilename)) | ||
| assert.Equals(t, true, errors.Is(err, fs.ErrNotExist)) | ||
|
|
||
| _, err = os.Stat(filepath.Join(basepath, profile.CredentialsFilename)) | ||
| assert.Equals(t, true, errors.Is(err, fs.ErrNotExist)) | ||
| }) | ||
|
|
||
| t.Run("cleaning non-existent config and credentials files should not be an error", func(t *testing.T) { | ||
| err := awsprofile.CleanupAWSProfile(t.TempDir()) | ||
| assert.NoError(t, err) | ||
| }) | ||
| } | ||
|
|
||
| func assertCredentialsFromAWSProfile(t *testing.T, basepath string, profile awsprofile.AWSProfile, accessKeyID string, secretAccessKey string, sessionToken string) { | ||
| awsprofiletest.AssertCredentialsFromAWSProfile( | ||
| t, | ||
| profile.Name, | ||
| filepath.Join(basepath, profile.ConfigFilename), | ||
| filepath.Join(basepath, profile.CredentialsFilename), | ||
| accessKeyID, | ||
| secretAccessKey, | ||
| sessionToken, | ||
| ) | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This logic has been moved to credentials_sts_web_identity.go. Since we enabled
requiresRepublishas part of Pod-level identity support, Kubernetes will callNodePublishVolumeperiodically to update existing service account tokens before they expire, and the credential provider will be called as part of this method. Another reason for this change is that, this assumes a single location for service account tokens for Driver-level identity, but with containerization this won't be the case. See the note regarding credential provider in the original PR description for more context.