Merge pull request #1 from aws/verify_bucket_owner

fix: validate bucket owner identity
aws · Apr 16, 2024 · c4b0935 · c4b0935
2 parents 39aeb63 + b317c94
commit c4b0935
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 26 deletions.
diff --git a/api/CMakeLists.txt b/api/CMakeLists.txt
@@ -9,7 +9,7 @@ get_filename_component(credentialsfetcher_proto_path "${credentialsfetcher_proto
 message(${credentialsfetcher_proto})
 set(AWSSDK_INSTALL_LIBDIR /usr/lib64)
 
-set(SERVICE_COMPONENTS s3 secretsmanager)
+set(SERVICE_COMPONENTS s3 secretsmanager sts)
 
 if(${DISTRO_ID} MATCHES "amzn")
     find_package(AWSSDK REQUIRED COMPONENTS ${SERVICE_COMPONENTS})

diff --git a/api/src/gmsa_service.cpp b/api/src/gmsa_service.cpp
@@ -14,12 +14,15 @@
 #if AMAZON_LINUX_DISTRO
 #include <aws/core/Aws.h>
 #include <aws/s3/S3Client.h>
+#include <aws/sts/STSClient.h>
 #include <aws/s3/model/GetObjectRequest.h>
 #include <aws/s3/model/HeadObjectRequest.h>
 #include <aws/core/utils/logging/LogLevel.h>
 #include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/secretsmanager/SecretsManagerClient.h>
 #include <aws/secretsmanager/model/GetSecretValueRequest.h>
+#include <aws/sts/model/GetCallerIdentityRequest.h>
+#include <aws/sts/model/GetAccessKeyInfoRequest.h>
 #endif
 
 
@@ -2480,6 +2483,53 @@ Aws::Auth::AWSCredentials get_credentials(std::string accessKeyId, std::string s
     return credentials;
 }
 
+// get caller id (accountid)
+std::string get_caller_id(std::string region,
+                         Aws::Auth::AWSCredentials credentials)
+{
+    std::string callerId = "";
+    Aws::SDKOptions options;
+    try {
+        Aws::InitAPI(options);
+        {
+            Aws::Client::ClientConfiguration clientConfig;
+            clientConfig.region = region;
+            auto provider = Aws::MakeShared<Aws::Auth::SimpleAWSCredentialsProvider>("alloc-tag", credentials);
+            auto creds = provider->GetAWSCredentials();
+            if (creds.IsEmpty()) {
+                std::cout << getCurrentTime() << '\t' << "ERROR: Failed authentication invalid creds" << std::endl;
+                return std::string("");
+            }
+            std::smatch arn_match;
+
+            Aws::STS::STSClient stsClient (credentials,Aws::MakeShared<Aws::STS::STSEndpointProvider>
+                                        (Aws::STS::STSClient::ALLOCATION_TAG), clientConfig);
+            Aws::STS::Model::GetCallerIdentityRequest request;
+
+            auto outcome = stsClient.GetCallerIdentity(request);
+
+            if (!outcome.IsSuccess())
+            {
+                const Aws::STS::STSError &err = outcome.GetError();
+                std::cout << getCurrentTime() << '\t' << "ERROR: retrieving caller info failed:"
+                          << err.GetExceptionName() << ": " <<
+                    err.GetMessage() << std::endl;
+                return std::string("");
+            }
+            callerId =  outcome.GetResult().GetAccount();
+        }
+    }
+    catch ( ... )
+    {
+        std::cout << getCurrentTime() << '\t' << "ERROR: retrieving caller id "
+                                                 "failed" << std::endl;
+        return std::string("");
+    }
+    std::cout << getCurrentTime() << '\t' << "INFO: successfully retrieved callerId" <<
+        std::endl;
+    return callerId;
+}
+
 // check file size s3
 // example : arn:aws:s3:::gmsacredspec/gmsa-cred-spec.json
 bool check_file_size_s3(std::string s3_arn, std::string region,
@@ -2584,7 +2634,7 @@ std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aw
 
             // regex for callerId
             std::regex callerIdRegex("^\\d{12}$");
-            std::string callerId = GetCallerIdentity();
+            std::string callerId = get_caller_id(region, creds);
             if(callerId.empty() &&  !std::regex_match( callerId, callerIdRegex))
             {
                 std::cout << getCurrentTime() << '\t' << "ERROR: Unable to get caller information"

diff --git a/auth/kerberos/src/krb.cpp b/auth/kerberos/src/krb.cpp
@@ -1228,26 +1228,4 @@ void clearString(std::string& str) {
     }
     // Clear the string content
     str.clear();
-}
-
-
-// get caller identity - accountId
-std::string GetCallerIdentity()
-{
-    std::string command =
-        install_path_for_aws_cli + " sts get-caller-identity --query Account";
-    // /usr/bin/aws aws sts get-caller-identity --query Account
-    std::pair<int, std::string> result = exec_shell_cmd( command );
-
-    std::string callerId = result.second;
-    ltrim( callerId );
-    rtrim( callerId );
-
-    // remove quotes if they are present
-    if ( callerId.front() == '"' ) {
-        callerId.erase( 0, 1 ); // erase the first character
-        callerId.erase( callerId.size() - 1 ); // erase the last character
-    }
-
-    return callerId;
 }
diff --git a/common/daemon.h b/common/daemon.h
@@ -223,12 +223,12 @@ std::string generate_lease_id();
 
 void clearString(std::string& str);
 
-std::string GetCallerIdentity();
-
 #if AMAZON_LINUX_DISTRO
 std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aws::Auth::AWSCredentials credentials,  bool test);
 bool check_file_size_s3(std::string s3_arn, std::string region,
                          Aws::Auth::AWSCredentials credentials, bool test);
+std::string get_caller_id(std::string region,
+                           Aws::Auth::AWSCredentials credentials);
 std::tuple<std::string, std::string,
            std::string> retrieve_credspec_from_secrets_manager(std::string sm_arn, std::string region, Aws::Auth::AWSCredentials credentials);