Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckCloudCredCreation

func CheckCloudCredCreation(awsClient Client, logger log.FieldLogger) (bool, error)

    CheckCloudCredCreation will see whether we have enough permissions to create new sub-creds.

func CheckCloudCredPassthrough

func CheckCloudCredPassthrough(awsClient Client, params *SimulateParams, logger log.FieldLogger) (bool, error)

    CheckCloudCredPassthrough will see if the provided creds are good enough to pass through to other components as-is, based on the static list of permissions needed by the various users of CredentialsRequests. TODO: move away from static list (to dynamic passthrough validation?)

func CheckPermissionsAgainstActions

func CheckPermissionsAgainstActions(awsClient Client, actionList []string, params *SimulateParams, logger log.FieldLogger) (bool, error)

    CheckPermissionsAgainstActions will take the static list of Actions and check whether the provided awsClient creds have sufficient permissions to perform those actions. It returns true or false indicating whether the permissions are sufficient.

func CheckPermissionsAgainstStatementList

func CheckPermissionsAgainstStatementList(awsClient Client, statementEntries []minterv1.StatementEntry,
	params *SimulateParams, logger log.FieldLogger) (bool, error)

    CheckPermissionsAgainstStatementList will test whether the list of actions in the provided StatementEntries can be performed with the credentials used by the passed-in awsClient.

func CheckPermissionsUsingQueryClient

func CheckPermissionsUsingQueryClient(queryClient, targetClient Client, statementEntries []minterv1.StatementEntry,
	params *SimulateParams, logger log.FieldLogger) (bool, error)

    CheckPermissionsUsingQueryClient will use queryClient to query whether the credentials in targetClient can perform the actions listed in the statementEntries. queryClient will need iam:GetUser and iam:SimulatePrincipalPolicy.
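The Check* functions above all reduce to the same decision: flatten the wanted permissions to an action list, run the principal through IAM policy simulation (SimulatePrincipalPolicyPages in the Client interface), and answer "sufficient" only if every action comes back allowed. The following is an added example, not this package's implementation, that shows that decision as a self-contained Go program: the StatementEntry, EvalResult and SimulateParams types are local stand-ins for the minterv1 and SDK types, Simulator/fakeSimulator replace the real IAM call so the code runs offline, and the use of SimulateParams.Region as the aws:RequestedRegion condition key is an assumption, not something the page documents. It goes a little beyond the page's bool result by also naming each action that was not allowed, which is what you want in the operator log when a check fails.

```go
package main

import "sort"

// Local stand-ins for the minterv1 and SDK types this page references, so the example runs offline.
type StatementEntry struct { // minterv1.StatementEntry reduced to Effect and Action
	Effect string
	Action []string
}
type EvalResult struct { // the two fields of iam.EvaluationResult the decision needs
	EvalActionName string
	EvalDecision   string // "allowed", "implicitDeny" or "explicitDeny"
}
type SimulateParams struct{ Region string }

// Simulator is shaped like SimulatePrincipalPolicyPages: evaluation results arrive
// page by page until fn returns false; ctx carries condition keys for the simulation.
type Simulator interface {
	SimulatePages(principalArn string, actions []string, ctx map[string]string,
		fn func(results []EvalResult, lastPage bool) bool) error
}

// actionsFromStatements flattens Allow statements into a sorted, deduplicated action list.
// Deny statements are skipped: they restrict the credential being minted and place no
// requirement on the credential doing the minting.
func actionsFromStatements(entries []StatementEntry) []string {
	seen := map[string]struct{}{}
	for _, e := range entries {
		if e.Effect != "Allow" {
			continue
		}
		for _, a := range e.Action {
			seen[a] = struct{}{}
		}
	}
	actions := make([]string, 0, len(seen))
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return actions
}

// CheckActions simulates every action and returns true only if all came back "allowed".
// The second value names each action that did not, with its decision, so the caller can
// log exactly which permissions are missing. An action with no result at all counts as
// denied: fail closed rather than assume.
func CheckActions(sim Simulator, principalArn string, actions []string, params *SimulateParams) (bool, []string, error) {
	if len(actions) == 0 {
		return true, nil, nil
	}
	ctx := map[string]string{}
	if params != nil && params.Region != "" {
		// Assumed use of Region (not documented on the page): with aws:RequestedRegion set,
		// region-conditioned statements take effect in the simulation instead of being ignored.
		ctx["aws:RequestedRegion"] = params.Region
	}
	decisions := map[string]string{}
	err := sim.SimulatePages(principalArn, actions, ctx, func(results []EvalResult, _ bool) bool {
		for _, r := range results {
			decisions[r.EvalActionName] = r.EvalDecision
		}
		return true // keep paging
	})
	if err != nil {
		return false, nil, err
	}
	var denied []string
	for _, a := range actions {
		if d, ok := decisions[a]; !ok {
			denied = append(denied, a+" (no result)")
		} else if d != "allowed" {
			denied = append(denied, a+" ("+d+")")
		}
	}
	return len(denied) == 0, denied, nil
}

// CheckStatements is the statement-list form: flatten, then simulate.
func CheckStatements(sim Simulator, principalArn string, entries []StatementEntry, params *SimulateParams) (bool, []string, error) {
	return CheckActions(sim, principalArn, actionsFromStatements(entries), params)
}

// fakeSimulator stands in for IAM in this example: a fixed allow-list that answers in
// pages of two and records the context it was handed. Constructed test double only.
type fakeSimulator struct {
	allowed    map[string]bool
	gotContext map[string]string
}

func (f *fakeSimulator) SimulatePages(_ string, actions []string, ctx map[string]string, fn func([]EvalResult, bool) bool) error {
	f.gotContext = ctx
	for i := 0; i < len(actions); i += 2 {
		end := i + 2
		if end > len(actions) {
			end = len(actions)
		}
		var page []EvalResult
		for _, a := range actions[i:end] {
			decision := map[bool]string{true: "allowed", false: "implicitDeny"}[f.allowed[a]]
			page = append(page, EvalResult{EvalActionName: a, EvalDecision: decision})
		}
		if !fn(page, end == len(actions)) {
			return nil
		}
	}
	return nil
}
```

Two details matter when wiring this to the real SDK call: the paging callback must keep returning true so results on later pages are not dropped (a missing result is then reported as "(no result)" rather than silently passing), and the principal ARN handed to the simulation is the target credential's identity, which is why the query client needs iam:GetUser as well as iam:SimulatePrincipalPolicy.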

Types

type Client

type Client interface {
	//IAM
	CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
	CreateOpenIDConnectProvider(*iam.CreateOpenIDConnectProviderInput) (*iam.CreateOpenIDConnectProviderOutput, error)
	CreateRole(*iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
	CreateUser(*iam.CreateUserInput) (*iam.CreateUserOutput, error)
	DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
	DeleteUser(*iam.DeleteUserInput) (*iam.DeleteUserOutput, error)
	DeleteUserPolicy(*iam.DeleteUserPolicyInput) (*iam.DeleteUserPolicyOutput, error)
	GetOpenIDConnectProvider(input *iam.GetOpenIDConnectProviderInput) (*iam.GetOpenIDConnectProviderOutput, error)
	GetRole(input *iam.GetRoleInput) (*iam.GetRoleOutput, error)
	ListRoles(input *iam.ListRolesInput) (*iam.ListRolesOutput, error)
	DeleteRole(input *iam.DeleteRoleInput) (*iam.DeleteRoleOutput, error)
	ListRolePolicies(input *iam.ListRolePoliciesInput) (*iam.ListRolePoliciesOutput, error)
	DeleteRolePolicy(input *iam.DeleteRolePolicyInput) (*iam.DeleteRolePolicyOutput, error)
	GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)
	GetUserPolicy(*iam.GetUserPolicyInput) (*iam.GetUserPolicyOutput, error)
	ListAccessKeys(*iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
	ListOpenIDConnectProviders(*iam.ListOpenIDConnectProvidersInput) (*iam.ListOpenIDConnectProvidersOutput, error)
	DeleteOpenIDConnectProvider(input *iam.DeleteOpenIDConnectProviderInput) (*iam.DeleteOpenIDConnectProviderOutput, error)
	ListUserPolicies(*iam.ListUserPoliciesInput) (*iam.ListUserPoliciesOutput, error)
	PutRolePolicy(*iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
	PutUserPolicy(*iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
	SimulatePrincipalPolicy(*iam.SimulatePrincipalPolicyInput) (*iam.SimulatePolicyResponse, error)
	SimulatePrincipalPolicyPages(*iam.SimulatePrincipalPolicyInput, func(*iam.SimulatePolicyResponse, bool) bool) error
	TagOpenIDConnectProvider(*iam.TagOpenIDConnectProviderInput) (*iam.TagOpenIDConnectProviderOutput, error)
	TagUser(*iam.TagUserInput) (*iam.TagUserOutput, error)
	UpdateAssumeRolePolicy(*iam.UpdateAssumeRolePolicyInput) (*iam.UpdateAssumeRolePolicyOutput, error)

	//S3
	CreateBucket(*s3.CreateBucketInput) (*s3.CreateBucketOutput, error)
	PutBucketTagging(*s3.PutBucketTaggingInput) (*s3.PutBucketTaggingOutput, error)
	GetBucketTagging(input *s3.GetBucketTaggingInput) (*s3.GetBucketTaggingOutput, error)
	DeleteBucket(input *s3.DeleteBucketInput) (*s3.DeleteBucketOutput, error)
	PutObject(*s3.PutObjectInput) (*s3.PutObjectOutput, error)
	ListObjects(input *s3.ListObjectsInput) (*s3.ListObjectsOutput, error)
	GetObjectTagging(input *s3.GetObjectTaggingInput) (*s3.GetObjectTaggingOutput, error)
	DeleteObject(input *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error)
}

    Client is a wrapper object for the actual AWS SDK clients, so that they can be replaced with mocks in tests.

func NewClient

func NewClient(accessKeyID, secretAccessKey []byte, params *ClientParams) (Client, error)

    NewClient creates our client wrapper object for the actual AWS clients we use.

func NewClientFromSession

func NewClientFromSession(sess *session.Session) Client

    NewClientFromSession will return a basic Client using only the provided session.

type ClientParams

type ClientParams struct {
	InfraName string
	Region    string
	Endpoint  string
	CABundle  string
}

    ClientParams holds the various optional tunables that can be used to modify the AWS client that will be used for API calls.
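Of these tunables, Endpoint and CABundle are the ones with a security consequence: pointing the client at a private or regional endpoint is only as safe as the trust anchor it is told to verify that endpoint against. The following is an added example, not this package's NewClient, showing how a CABundle should be turned into TLS settings for the HTTP client handed to the SDK session (for aws-sdk-go v1, via aws.Config.HTTPClient alongside aws.Config.Endpoint). ClientParams is mirrored locally; tlsConfigFor, httpClientFor, trustedBy and newTestCA are names chosen for this example, and the CA it generates is throwaway test input, not a real trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"time"
)

// ClientParams mirrors the page's type; only Endpoint and CABundle matter here.
type ClientParams struct {
	InfraName string
	Region    string
	Endpoint  string
	CABundle  string
}

// ErrNoCertsInBundle means CABundle was set but held no parseable CA certificate.
var ErrNoCertsInBundle = errors.New("CABundle contained no usable CA certificates")

// tlsConfigFor builds the TLS settings the AWS HTTP client should use. No CABundle
// means nil, i.e. Go's default system roots. A CABundle means ONLY that bundle is
// trusted, and a bundle that parses to nothing is an error rather than a fallback to
// system roots: a truncated or mis-pasted bundle must not quietly turn a pinned
// private endpoint into "trust whatever a public CA signed".
func tlsConfigFor(p *ClientParams) (*tls.Config, error) {
	if p == nil || p.CABundle == "" {
		return nil, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(p.CABundle)) {
		return nil, ErrNoCertsInBundle
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// httpClientFor wraps tlsConfigFor in an *http.Client that can be handed to the SDK
// session together with the custom Endpoint.
func httpClientFor(p *ClientParams) (*http.Client, error) {
	cfg, err := tlsConfigFor(p)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		return http.DefaultClient, nil
	}
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = cfg
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}, nil
}

// trustedBy reports whether cert chains to the roots configured in cfg.
func trustedBy(cfg *tls.Config, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// newTestCA mints a throwaway self-signed CA (constructed for this example, not a real
// trust anchor) and returns its PEM encoding and parsed form.
func newTestCA(cn string) (string, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert, nil
}
```

The point of the exclusive pool is that a CABundle replaces the system roots rather than adding to them: an endpoint in a disconnected or private deployment should be reachable only under the CA the operator was configured with, and any other issuer, public or not, is rejected.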

type SimulateParams

type SimulateParams struct {
	Region string
}

    SimulateParams captures any additional details that should be used when simulating permissions.

Directories

Path Synopsis
Package mock is a generated GoMock package.