feat: basic implementation

Signed-off-by: Mike Nguyen <hey@mike.ee>

Author: mikeee

.build-tools/go.mod

@@ -1,6 +1,6 @@
 module github.com/dapr/components-contrib/build-tools
 
-go 1.24.1
+go 1.24.4
 
 require (
 	github.com/dapr/components-contrib v0.0.0

common/aws/auth/auth.go

@@ -0,0 +1,47 @@
+package auth
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/dapr/kit/logger"
+)
+
+type ProviderType int
+
+const (
+	StaticProviderTypeStatic ProviderType = iota
+	StaticProviderTypeAssumeRole
+	X509ProviderType
+	ProviderTypeUnknown // Or default
+)
+
+type Options struct {
+	Logger     logger.Logger
+	Properties map[string]string
+
+	Region          string `json:"region" mapstructure:"region" mapstructurealiases:"awsRegion"`
+	AccessKey       string `json:"accessKey" mapstructure:"accessKey"`
+	SecretKey       string `json:"secretKey" mapstructure:"secretKey"`
+	SessionToken    string `json:"sessionToken" mapstructure:"sessionToken"`
+	AssumeRoleArn   string `json:"assumeRoleArn" mapstructure:"assumeRoleArn"`
+	TrustAnchorArn  string `json:"trustAnchorArn" mapstructure:"trustAnchorArn"`
+	TrustProfileArn string `json:"trustProfileArn" mapstructure:"trustProfileArn"`
+
+	Endpoint string `json:"endpoint" mapstructure:"endpoint"`
+}
+
+// CredentialProvider provides an interface for retrieving AWS credentials.
+type CredentialProvider interface {
+	Retrieve(ctx context.Context) (aws.Credentials, error)
+	Type() ProviderType
+}
+
+func NewCredentialProvider(ctx context.Context, opts Options, configOpts []func(*config.LoadOptions) error) (CredentialProvider,
+	error) {
+	// TODO: Refactor this to search the opts structure for the right fields rather than the metadata map
+	if isX509Auth(opts.Properties) {
+		return newAuthX509(ctx, opts)
+	}
+	return newAuthStatic(ctx, opts, configOpts)
+}

common/aws/auth/auth_static.go

@@ -0,0 +1,74 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/dapr/kit/logger"
+)
+
+type Static struct {
+	ProviderType  ProviderType
+	Logger        logger.Logger
+	AccessKey     string
+	SecretKey     string
+	SessionToken  string
+	Region        string
+	Endpoint      string
+	AssumeRoleArn string
+
+	CredentialProvider aws.CredentialsProvider
+}
+
+func (a *Static) Retrieve(ctx context.Context) (aws.Credentials, error) {
+	if a.CredentialProvider == nil {
+		return aws.Credentials{}, errors.New("credential provider is not set")
+	}
+	return a.CredentialProvider.Retrieve(ctx)
+}
+
+func (a *Static) Type() ProviderType {
+	return a.ProviderType
+}
+
+func newAuthStatic(ctx context.Context, opts Options, configOpts []func(*config.LoadOptions) error) (CredentialProvider, error) {
+	static := &Static{
+		Logger:        opts.Logger,
+		AccessKey:     opts.AccessKey,
+		SecretKey:     opts.SecretKey,
+		SessionToken:  opts.SessionToken,
+		Region:        opts.Region,
+		Endpoint:      opts.Endpoint,
+		AssumeRoleArn: opts.AssumeRoleArn,
+	}
+
+	switch {
+	case static.AccessKey != "" && static.SecretKey != "" && static.SessionToken != "":
+		static.ProviderType = StaticProviderTypeStatic
+		static.CredentialProvider = credentials.NewStaticCredentialsProvider(opts.AccessKey, opts.SecretKey,
+			opts.SessionToken)
+		static.Logger.Debug("using static credentials provider")
+
+	case static.AssumeRoleArn != "":
+		awsCfg, err := config.LoadDefaultConfig(ctx, configOpts...)
+		if err != nil {
+			return nil, err
+		}
+
+		stsSvc := sts.NewFromConfig(awsCfg)
+		stsProvider := stscreds.NewAssumeRoleProvider(stsSvc, static.AssumeRoleArn)
+		static.ProviderType = StaticProviderTypeAssumeRole
+		static.CredentialProvider = stsProvider
+		static.Logger.Debug("using AssumeRole credentials provider")
+
+	default:
+		static.Logger.Debug("using an undefined credentials provider, this may lead to unexpected behavior")
+		static.ProviderType = ProviderTypeUnknown
+	}
+
+	return static, nil
+}

common/aws/auth/auth_static_test.go

@@ -0,0 +1 @@
+package auth

common/aws/auth/auth_x509.go

@@ -0,0 +1,193 @@
+package auth
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	cryptopem "github.com/dapr/kit/crypto/pem"
+	spiffecontext "github.com/dapr/kit/crypto/spiffe/context"
+	"github.com/dapr/kit/logger"
+	kitmd "github.com/dapr/kit/metadata"
+	"github.com/mikeee/aws_credential_helper"
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
+	"time"
+)
+
+func isX509Auth(m map[string]string) bool {
+	tp := m["trustProfileArn"]
+	ta := m["trustAnchorArn"]
+	ar := m["assumeRoleArn"]
+	return tp != "" && ta != "" && ar != ""
+}
+
+type X509 struct {
+	logger logger.Logger
+
+	x509Cert *x509.Certificate
+
+	region          *string
+	assumeRoleArn   *string
+	trustAnchorArn  *string
+	trustProfileArn *string
+
+	wrappedCredentialProvider *aws_credential_helper.CredentialProvider
+}
+
+func (x *X509) Type() ProviderType {
+	return X509ProviderType
+}
+
+func (x *X509) RefreshX509(ctx context.Context) error {
+	cert, _, signer, err := getCertAndSigner(ctx)
+	if err != nil {
+		return errors.New("failed to refresh X509 cert: " + err.Error())
+	}
+	x.x509Cert = cert
+	if x.wrappedCredentialProvider != nil {
+		if x.region == nil || x.assumeRoleArn == nil || x.trustAnchorArn == nil || x.trustProfileArn == nil {
+			return errors.New("missing required fields: Region, AssumeRoleArn, TrustAnchorArn, TrustProfileArn")
+		}
+
+		credentialProviderInput := aws_credential_helper.CredentialProviderInput{
+			Region:          *x.region,
+			TrustProfileArn: *x.trustProfileArn,
+			TrustAnchorArn:  *x.trustAnchorArn,
+			AssumeRoleArn:   *x.assumeRoleArn,
+			Signer:          *signer,
+		}
+
+		credentialProvider, err := aws_credential_helper.NewCredentialProvider(ctx, credentialProviderInput)
+		if err != nil {
+			return errors.New("failed to create new credential provider: " + err.Error())
+		}
+
+		x.wrappedCredentialProvider = credentialProvider
+	} else {
+		// change signer
+		x.wrappedCredentialProvider.ChangeSigner(*signer)
+	}
+
+	return nil
+}
+
+func (x *X509) Retrieve(ctx context.Context) (aws.Credentials, error) {
+	// Check cert/svid expiry, if expired then refresh
+	if isCertExpired(x.x509Cert) {
+		if err := x.RefreshX509(ctx); err != nil {
+			return aws.Credentials{}, errors.New("failed to refresh X509 cert: " + err.Error())
+		}
+	}
+	return x.wrappedCredentialProvider.Retrieve(ctx)
+}
+
+func getSpiffeX509Svid(ctx context.Context) (*x509svid.SVID, error) {
+	svid, ok := spiffecontext.X509From(ctx)
+	if !ok {
+		return nil, errors.New("invalid SVID: no certs found")
+	}
+
+	return svid.GetX509SVID()
+}
+
+func marshalSvid(svid *x509svid.SVID) ([]byte, []byte, error) {
+	if svid == nil {
+		return nil, nil, errors.New("nil SVID")
+	}
+
+	return svid.Marshal()
+}
+
+func getCertAndSigner(ctx context.Context) (*x509.Certificate, *ecdsa.PrivateKey, *aws_credential_helper.Signer,
+	error) {
+	// obtain certs from spiffe via context
+	x509Svid, err := getSpiffeX509Svid(ctx)
+	if err != nil {
+		panic("failed to get SPIFFE certs: " + err.Error())
+	}
+
+	chain, key, err := marshalSvid(x509Svid)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	certs, err := cryptopem.DecodePEMCertificatesChain(chain)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	pkey, err := cryptopem.DecodePEMPrivateKey(key)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	signer := aws_credential_helper.NewSigner(certs[0], pkey.(*ecdsa.PrivateKey))
+
+	return certs[0], pkey.(*ecdsa.PrivateKey), &signer, nil
+}
+
+func isCertExpired(cert *x509.Certificate) bool {
+	if cert == nil {
+		return true
+	}
+	now := time.Now()
+	return now.After(cert.NotAfter) || now.Before(cert.NotBefore)
+}
+
+type awsRAOpts struct {
+	AssumeRoleArn   *string `json:"assumeRoleArn" mapstructure:"assumeRoleArn"`
+	TrustAnchorArn  *string `json:"trustAnchorArn" mapstructure:"trustAnchorArn"`
+	TrustProfileArn *string `json:"trustProfileArn" mapstructure:"trustProfileArn"`
+}
+
+func newAuthX509(ctx context.Context, opts Options) (*X509, error) {
+	var authOpts awsRAOpts
+	if err := kitmd.DecodeMetadata(opts.Properties, &authOpts); err != nil {
+		return nil, errors.New("failed to decode metadata: " + err.Error())
+	}
+
+	switch {
+	case authOpts.AssumeRoleArn == nil:
+		return nil, errors.New("missing required field: AssumeRoleArn")
+	case authOpts.TrustAnchorArn == nil:
+		return nil, errors.New("missing required field: TrustAnchorArn")
+	case authOpts.TrustProfileArn == nil:
+		return nil, errors.New("missing required field: TrustProfileArn")
+	}
+
+	cert, _, signer, err := getCertAndSigner(ctx)
+	if err != nil {
+		return nil, errors.New("failed to get cert and signer: " + err.Error())
+	}
+
+	// create credential provider
+
+	authInput := aws_credential_helper.CredentialProviderInput{
+		Region: opts.Region,
+
+		AssumeRoleArn:   *authOpts.AssumeRoleArn,
+		TrustAnchorArn:  *authOpts.TrustAnchorArn,
+		TrustProfileArn: *authOpts.TrustProfileArn,
+
+		Signer: *signer,
+	}
+
+	credentialProvider, err := aws_credential_helper.NewCredentialProvider(ctx, authInput)
+
+	// test credentialprovider
+	cred, err := credentialProvider.Retrieve(ctx)
+	if err != nil {
+		return nil, errors.New("failed to retrieve credentials: " + err.Error())
+	}
+
+	if cred.Expires.Before(time.Now()) {
+		return nil, errors.New("credentials are not valid")
+	}
+
+	return &X509{
+		logger:                    nil,
+		x509Cert:                  cert,
+		wrappedCredentialProvider: credentialProvider,
+	}, nil
+}

common/aws/aws.go

@@ -0,0 +1 @@
+package aws

common/aws/config.go

@@ -0,0 +1,67 @@
+package aws
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/dapr/components-contrib/common/aws/auth"
+)
+
+type ConfigOption func(*ConfigOptions)
+
+type ConfigOptions struct {
+	CredentialProvider aws.CredentialsProvider
+}
+
+// WithCredentialProvider allows for passing a custom credential provider,
+// this is not cached - wrap the credential provider with a NewCredentialCache if you wish.
+func WithCredentialProvider(provider aws.CredentialsProvider) func(*ConfigOptions) {
+	return func(opts *ConfigOptions) {
+		opts.CredentialProvider = provider
+	}
+}
+
+func loadConfigOptions(opts ...ConfigOption) *ConfigOptions {
+	options := &ConfigOptions{}
+	for _, opt := range opts {
+		opt(options)
+	}
+	return options
+}
+
+type ConfigLoadOptions []func(*config.LoadOptions) error
+
+func NewConfig(ctx context.Context, authOptions auth.Options, opts ...ConfigOption) (aws.Config, error) {
+	options := loadConfigOptions(opts...)
+
+	var configLoadOptions ConfigLoadOptions
+
+	// Deal with options
+	switch {
+	case authOptions.Endpoint != "":
+		configLoadOptions = append(
+			configLoadOptions,
+			config.WithBaseEndpoint(authOptions.Endpoint),
+		)
+
+	}
+
+	if options.CredentialProvider != nil {
+		configLoadOptions = append(
+			configLoadOptions,
+			config.WithCredentialsProvider(options.CredentialProvider),
+		)
+	} else {
+		credentialsProvider, err := auth.NewCredentialProvider(ctx, authOptions, configLoadOptions)
+		if err != nil {
+			return aws.Config{}, err
+		} else if credentialsProvider.Type() != auth.ProviderTypeUnknown {
+			configLoadOptions = append(
+				configLoadOptions,
+				config.WithCredentialsProvider(credentialsProvider),
+			)
+		}
+		// else use the sdk default external config if possible
+	}
+	return config.LoadDefaultConfig(ctx, configLoadOptions...)
+}

common/aws/doc.go

@@ -0,0 +1 @@
+package aws