Feature/aws profile auth

collector/aws/auth.go

@@ -6,29 +6,87 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	log "github.com/sirupsen/logrus"
+
+	"finala/collector/config"
 )
 
-// CreateAuthConfiguration return aws auth configuration
-func CreateAuthConfiguration(accessKey, secretKey, sessionToken, role, region string) (*session.Session, *awsClient.Config) {
-	var credentialsAWS *credentials.Credentials
+// AuthDescriptor is an interface defining the aws auth logic
+type AuthDescriptor interface {
+	Login(region string) (*session.Session, *awsClient.Config)
+}
+
+// Auth will hold the aws auth struct
+type Auth struct {
+	account config.AWSAccount
+}
+
+// NewAuth creates new Finala aws authenticator
+func NewAuth(account config.AWSAccount) *Auth {
+
+	return &Auth{
+		account: account,
+	}
+}
+
+// Login to AWS account.
+// Application hierarchy login:
+// 1. checks first if static credentials defind (accessKey/ secret key and session token (optional) )
+// 2. checks if profile exists in yaml file
+// 3. checks if role exists in yaml file
+// else login without any specific creds and give aws logic. for more details: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html
+func (au *Auth) Login(region string) (*session.Session, *awsClient.Config) {
 
-	// Use separate call for AWS credentials defined in config.yaml
-	// Otherwise environment variables will be used
-	if accessKey != "" && secretKey != "" {
-		log.Info("Using AccessKey or SecretKey defined in config.yaml")
-		credentialsAWS = credentials.NewStaticCredentials(accessKey, secretKey, sessionToken)
+	if au.account.AccessKey != "" && au.account.SecretKey != "" {
+		return au.withStaticCredentials(au.account.AccessKey, au.account.SecretKey, au.account.SessionToken, region)
+	} else if au.account.Profile != "" {
+		return au.withProfile(au.account.Profile, region)
+	} else if au.account.Role != "" {
+		return au.withRole(au.account.Role, region)
 	}
 
+	log.WithField("region", region).Info("auth: using default AWS auth client")
 	config := &awsClient.Config{
 		Region:      &region,
-		Credentials: credentialsAWS,
+		Credentials: &credentials.Credentials{},
 	}
 
 	sess := session.Must(session.NewSession(config))
+	return sess, config
+}
+
+// withStaticCredentials login with static credentials
+func (au *Auth) withStaticCredentials(accessKey, secretKey, sessionToken, region string) (*session.Session, *awsClient.Config) {
 
-	if role != "" {
-		log.WithField("role", role).Info("assume role provided")
-		config.Credentials = stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {})
+	log.WithField("region", region).Info("auth: using aws static credentials")
+
+	config := &awsClient.Config{
+		Region:      &region,
+		Credentials: credentials.NewStaticCredentials(accessKey, secretKey, sessionToken),
 	}
+	sess := session.Must(session.NewSession(config))
+	return sess, config
+}
+
+// withProfile login with profile
+func (au *Auth) withProfile(profile, region string) (*session.Session, *awsClient.Config) {
+
+	log.WithField("region", region).Info("auth: using aws profile")
+	config := &awsClient.Config{
+		Region:      &region,
+		Credentials: credentials.NewSharedCredentials("", profile),
+	}
+	sess := session.Must(session.NewSession(config))
+	return sess, config
+}
+
+// withRole login with role
+func (au *Auth) withRole(role, region string) (*session.Session, *awsClient.Config) {
+
+	log.WithField("region", region).Info("auth: using aws role")
+	config := &awsClient.Config{
+		Region: &region,
+	}
+	sess := session.Must(session.NewSession(config))
+	config.Credentials = stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {})
 	return sess, config
 }

collector/aws/detector.go

@@ -32,6 +32,7 @@ const (
 
 // DetectorManager describe tje detector manager
 type DetectorManager struct {
+	awsAuth          AuthDescriptor
 	collector        collector.CollectorDescriber
 	cloudWatchClient *cloudwatch.CloudwatchManager
 	#          *#.#Manager
@@ -43,16 +44,17 @@ type DetectorManager struct {
 }
 
 // NewDetectorManager create new instance of detector manager
-func NewDetectorManager(collector collector.CollectorDescriber, account config.AWSAccount, stsManager *STSManager, global map[string]struct{}, region string) *DetectorManager {
+func NewDetectorManager(awsAuth AuthDescriptor, collector collector.CollectorDescriber, account config.AWSAccount, stsManager *STSManager, global map[string]struct{}, region string) *DetectorManager {
 
-	priceSession, _ := CreateAuthConfiguration(account.AccessKey, account.SecretKey, account.SessionToken, account.Role, defaultRegionPrice)
+	priceSession, _ := awsAuth.Login(defaultRegionPrice)
 	#Manager := #.New#Manager(aws#.New(priceSession), defaultRegionPrice)
 
-	regionSession, regionConfig := CreateAuthConfiguration(account.AccessKey, account.SecretKey, account.SessionToken, account.Role, region)
+	regionSession, regionConfig := awsAuth.Login(region)
 	cloudWatchCLient := cloudwatch.NewCloudWatchManager(awsCloudwatch.New(regionSession, regionConfig))
 
 	callerIdentityOutput, _ := stsManager.client.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 	return &DetectorManager{
+		awsAuth:          awsAuth,
 		collector:        collector,
 		cloudWatchClient: cloudWatchCLient,
 		#:          #Manager,

collector/aws/detector_test.go

@@ -5,9 +5,22 @@ import (
 	collectorTestutils "finala/collector/testutils"
 	"testing"
 
+	awsClient "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 )
 
+type mockAuth struct {
+}
+
+func (ma *mockAuth) Login(region string) (*session.Session, *awsClient.Config) {
+
+	config := &awsClient.Config{Region: &region}
+
+	sess := session.Must(session.NewSession(config))
+	return sess, config
+}
+
 type MockSTS struct{}
 
 func NewMockSTS() *STSManager {
@@ -38,10 +51,11 @@ func TestDetector(t *testing.T) {
 		SessionToken: "session",
 		Regions:      []string{"bar"},
 	}
+	mockAuth := &mockAuth{}
 	mockSTS := NewMockSTS()
 	collector := collectorTestutils.NewMockCollector()
 	global := make(map[string]struct{})
-	detector := NewDetectorManager(collector, account, mockSTS, global, region)
+	detector := NewDetectorManager(mockAuth, collector, account, mockSTS, global, region)
 
 	if detector.GetRegion() != region {
 		t.Fatalf("unexpected collector region, got %s expected %s", detector.GetRegion(), region)

collector/aws/run.go

@@ -38,11 +38,12 @@ func (app *Analyze) All() {
 
 	for _, account := range app.awsAccounts {
 
-		globalsession, globalConfig := CreateAuthConfiguration(account.AccessKey, account.SecretKey, account.SessionToken, account.Role, "")
+		awsAuth := NewAuth(account)
+		globalsession, globalConfig := awsAuth.Login("")
 		stsManager := NewSTSManager(sts.New(globalsession, globalConfig))
 
 		for _, region := range account.Regions {
-			resourcesDetection := NewDetectorManager(app.cl, account, stsManager, app.global, region)
+			resourcesDetection := NewDetectorManager(awsAuth, app.cl, account, stsManager, app.global, region)
 			for resourceType, resourceDetector := range register.GetResources() {
 
 				resource, err := resourceDetector(resourcesDetection, nil)

collector/config/config.go

@@ -16,6 +16,7 @@ type AWSAccount struct {
 	AccessKey    string   `yaml:"access_key"`
 	SecretKey    string   `yaml:"secret_key"`
 	Role         string   `yaml:"role"`
+	Profile      string   `yaml:"profile"`
 	SessionToken string   `yaml:"session_token"`
 	Regions      []string `yaml:"regions"`
 }

configuration/collector.yaml

@@ -12,6 +12,7 @@ providers:
         # access_key: <access_key>
         # secret_key: <secret_key>
         # role: 
+        # profile: 
         regions:
           - us-east-1
           - us-west-2