wip

Author: mheffner

src/aws_api/arn.rs

@@ -1,3 +1,4 @@
+use std::fmt::{Display, Formatter};
 use crate::aws_api::error::Error;
 use std::str::FromStr;
 
@@ -13,11 +14,11 @@ pub(crate) struct AwsArn {
 impl FromStr for AwsArn {
     type Err = Error;
 
-    // Note, this will only handle ARNs were the resource type is included and split with ':'
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         // Split one more than we need to verify it's valid
-        let mut parts: Vec<String> = s.splitn(8, ":").map(|s| s.to_string()).collect();
-        if parts.len() != 7 {
+        let mut parts: Vec<String> = s.splitn(9, ":").map(|s| s.to_string()).collect();
+        let num_parts = parts.len();
+        if num_parts < 6 || num_parts >= 8 {
             return Err(Error::ArnParseError(s.to_string()));
         }
 
@@ -37,7 +38,9 @@ impl FromStr for AwsArn {
         };
 
         arn.resource_id = parts.pop().unwrap();
-        arn.resource_type = parts.pop().unwrap();
+        if num_parts == 7 {
+            arn.resource_type = parts.pop().unwrap();
+        }
         arn.account_id = parts.pop().unwrap();
         arn.region = parts.pop().unwrap();
         arn.service = parts.pop().unwrap();
@@ -51,6 +54,23 @@ impl FromStr for AwsArn {
     }
 }
 
+impl Display for AwsArn {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        let mut parts = Vec::with_capacity(7);
+        parts.push("arn");
+        parts.push(self.partition.as_str());
+        parts.push(self.service.as_str());
+        parts.push(self.region.as_str());
+        parts.push(self.account_id.as_str());
+        if self.resource_type != "" {
+            parts.push(self.resource_type.as_str());
+        }
+        parts.push(self.resource_id.as_str());
+
+        write!(f, "{}", parts.join(":"))
+    }
+}
+
 impl AwsArn {
     pub fn get_endpoint(&self) -> String {
         let domain = if self.region.starts_with("cn-") {
@@ -68,7 +88,7 @@ mod tests {
     use super::*;
 
     #[test]
-    fn test_parse_arn_valid() {
+    fn test_parse_secrets_arn_valid() {
         let input = "arn:aws:secretsmanager:us-east-2:891477334659:secret:test-ohio-secret-L86lpn";
 
         let arn = input.parse::<AwsArn>().unwrap();
@@ -81,6 +101,20 @@ mod tests {
         assert_eq!("test-ohio-secret-L86lpn", arn.resource_id);
     }
 
+    #[test]
+    fn test_parse_ssm_arn_valid() {
+        let input = "arn:aws:ssm:us-east-1:123377354456:parameter/ci-test-value";
+
+        let arn = input.parse::<AwsArn>().unwrap();
+
+        assert_eq!("aws", arn.partition);
+        assert_eq!("ssm", arn.service);
+        assert_eq!("us-east-1", arn.region);
+        assert_eq!("123377354456", arn.account_id);
+        assert_eq!("", arn.resource_type);
+        assert_eq!("parameter/ci-test-value", arn.resource_id);
+    }
+
     #[test]
     fn test_parse_arn_invalid() {
         assert!(

src/aws_api/auth.rs

@@ -13,6 +13,7 @@ pub trait Clock {
     fn now(&self) -> DateTime<Utc>;
 }
 
+#[derive(Default)]
 pub struct SystemClock;
 
 impl Clock for SystemClock {

src/aws_api/client.rs

@@ -13,6 +13,7 @@ use hyper_util::rt::{TokioExecutor, TokioTimer};
 use rustls::ClientConfig;
 use std::time::Duration;
 use tower::BoxError;
+use crate::aws_api::paramstore::ParameterStore;
 
 /// Main client for AWS services
 pub struct AwsClient {
@@ -32,6 +33,9 @@ impl AwsClient {
     pub fn secrets_manager(&self) -> SecretsManager {
         SecretsManager::new(self)
     }
+    
+    /// Get an instance of the ParameterStore service
+    pub fn parameter_store(&self) -> ParameterStore { ParameterStore::new(self) }
 
     pub async fn perform(&self, req: Request<Full<Bytes>>) -> Result<Bytes, Error> {
         let resp = self.client.request(req).await?;

src/aws_api/error.rs

@@ -13,6 +13,7 @@ pub enum Error {
     SignatureError(String),
     SerdeError(serde_json::Error),
     AwsError { code: String, message: String },
+    InvalidParameters(Vec<String>),
 }
 
 impl fmt::Display for Error {
@@ -27,6 +28,7 @@ impl fmt::Display for Error {
             Error::HttpResponseError(e) => write!(f, "Failed to parse HTTP response: {}", e),
             Error::HttpResponseErrorParse(e) => write!(f, "Failed to parse HTTP response: {}", e),
             Error::UriParseError(e) => write!(f, "Unable to parse endpoint url: {}", e),
+            Error::InvalidParameters(params) => write!(f, "Unable to lookup parameters: {:?}", params)
         }
     }
 }

src/aws_api/mod.rs

@@ -4,3 +4,5 @@ pub mod client;
 pub mod config;
 mod error;
 mod secretsmanager;
+mod paramstore;
+mod test_util;

src/aws_api/paramstore.rs

@@ -0,0 +1,208 @@
+use crate::aws_api::arn::AwsArn;
+use crate::aws_api::auth::{AwsRequestSigner, SystemClock};
+use crate::aws_api::client::AwsClient;
+use crate::aws_api::error::Error;
+use http::header::CONTENT_TYPE;
+use http::{HeaderMap, HeaderValue, Method, Uri};
+use serde::Deserialize;
+use serde_json::json;
+use std::collections::HashMap;
+use tracing::error;
+
+pub struct ParameterStore<'a> {
+    client: &'a AwsClient,
+    service_name: &'static str,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct GetParametersResponse {
+    /// The parameter object.
+    #[serde(rename = "Parameters")]
+    pub parameters: Vec<Parameter>,
+
+    #[serde(rename = "InvalidParameters")]
+    pub invalid_parameters: Vec<InvalidParameters>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct InvalidParameters {
+    #[serde(rename = "Name")]
+    pub name: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct Parameter {
+    /// The Amazon Resource Name (ARN) of the parameter.
+    #[serde(rename = "ARN")]
+    pub arn: Option<String>,
+
+    /// The data type of the parameter, such as text, aws:ec2:image, or aws:tag-specification.
+    #[serde(rename = "DataType")]
+    pub data_type: Option<String>,
+
+    /// The last modification date of the parameter.
+    #[serde(rename = "LastModifiedDate")]
+    pub last_modified_date: Option<f64>,
+
+    /// The name of the parameter.
+    #[serde(rename = "Name")]
+    pub name: String,
+
+    /// The unique identifier for the parameter version.
+    #[serde(rename = "Selector")]
+    pub selector: Option<String>,
+
+    /// The parameter source.
+    #[serde(rename = "SourceResult")]
+    pub source_result: Option<String>,
+
+    /// The parameter type.
+    #[serde(rename = "Type")]
+    pub type_: String,
+
+    /// The parameter value.
+    #[serde(rename = "Value")]
+    pub value: String,
+
+    /// The parameter version.
+    #[serde(rename = "Version")]
+    pub version: Option<i64>,
+
+    /// Tags associated with the parameter.
+    #[serde(rename = "Tags")]
+    pub tags: Option<HashMap<String, String>>,
+}
+
+impl<'a> ParameterStore<'a> {
+    pub(crate) fn new(client: &'a AwsClient) -> Self {
+        Self {
+            client,
+            service_name: "ssm",
+        }
+    }
+
+    pub async fn get_parameters(
+        &self,
+        param_arns: &[String],
+    ) -> Result<HashMap<String, Parameter>, Error> {
+        let mut arns_by_endpoint = HashMap::new();
+        for arn_str in param_arns {
+            let arn = arn_str.parse::<AwsArn>()?;
+            if arn.service != self.service_name {
+                return Err(Error::ArnParseError(arn_str.clone()));
+            }
+
+            arns_by_endpoint
+                .entry(arn.get_endpoint())
+                .or_insert_with(|| Vec::new())
+                .push(arn);
+        }
+
+        let mut res = HashMap::new();
+        for (endpoint, arns) in &arns_by_endpoint {
+            let endpoint = endpoint.parse::<Uri>()?;
+
+            let payload = json!({
+                "Names": arns.iter().map(|arn| arn.to_string()).collect::<Vec<String>>(),
+                "WithDecryption": true,
+            });
+
+            let payload_bytes = serde_json::to_vec(&payload)?;
+
+            let mut hdrs = HeaderMap::new();
+            hdrs.insert(
+                "X-Amz-Target",
+                HeaderValue::from_static("AmazonSSM.GetParameters"),
+            );
+            hdrs.insert(
+                CONTENT_TYPE,
+                HeaderValue::from_static("application/x-amz-json-1.1"),
+            );
+
+            // Sign the request
+            let signer = AwsRequestSigner::new(
+                self.service_name,
+                &arns[0].region,
+                &self.client.config.aws_access_key_id,
+                &self.client.config.aws_secret_access_key,
+                self.client.config.aws_session_token.as_deref(),
+                SystemClock,
+            );
+            let signed_request = signer.sign(endpoint, Method::POST, hdrs, payload_bytes)?;
+
+            // Send the request
+            let response = self.client.perform(signed_request).await?;
+
+            let result: GetParametersResponse = serde_json::from_slice(response.as_ref())?;
+
+            if !result.invalid_parameters.is_empty() {
+                return Err(Error::InvalidParameters(
+                    result
+                        .invalid_parameters
+                        .into_iter()
+                        .map(|i| i.name)
+                        .collect(),
+                ));
+            }
+
+            for param in result.parameters {
+                if param.arn.is_none() {
+                    error!(parameter = param.name, "Parameter was missing ARN");
+                    return Err(Error::InvalidParameters(vec![arns.into_iter().map(|arn|arn.to_string()).collect()]))
+                }
+                
+                let arn = param.arn.clone().unwrap();
+                res.insert(arn, param);
+            }
+        }
+
+        Ok(res)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::aws_api::config::AwsConfig;
+    use crate::aws_api::test_util::init_crypto;
+
+    #[tokio::test]
+    async fn test_basic_paramstore_retrieval() {
+        // TEST_PARAMSTORE_ARNS should be set to a comma-separated list of k=v pairs,
+        // where k is an ARN of a secret and v is the secret value to test against.
+        let test_paramstore_arns = std::env::var("TEST_PARAMSTORE_ARNS");
+        if !test_paramstore_arns.is_ok() {
+            println!("Skipping test_basic_paramstore_retrieval due to unset envvar");
+            return;
+        }
+
+        let test_arns: Vec<(String, String)> = test_paramstore_arns
+            .unwrap()
+            .split(",")
+            .filter(|s| !s.is_empty())
+            .filter_map(|pair| {
+                let parts: Vec<&str> = pair.splitn(2, '=').collect();
+                if parts.len() == 2 {
+                    Some((parts[0].trim().to_string(), parts[1].trim().to_string()))
+                } else {
+                    None // Skip malformed pairs that don't have an equals sign
+                }
+            })
+            .collect();
+
+        init_crypto();
+
+        let client = AwsClient::new(AwsConfig::from_env()).unwrap();
+
+        let ps = client.parameter_store();
+
+        let arn_values = test_arns.iter().map(|arn| arn.0.clone()).collect::<Vec<String>>();
+        let res = ps.get_parameters(&arn_values).await.unwrap();
+        
+        for test_arn in &test_arns {
+            let entry = res.get(&test_arn.0).unwrap();
+            
+            assert_eq!(test_arn.1, entry.value);
+        }
+    }
+}

src/aws_api/secretsmanager.rs

@@ -44,7 +44,7 @@ impl<'a> SecretsManager<'a> {
     ) -> Result<GetSecretValueResponse, Error> {
         let arn = secret_arn.parse::<AwsArn>()?;
 
-        if arn.service != self.service_name {
+        if arn.service != self.service_name || arn.resource_type != "secret" {
             return Err(Error::ArnParseError(secret_arn.to_string()));
         }
 
@@ -90,7 +90,7 @@ impl<'a> SecretsManager<'a> {
 mod tests {
     use super::*;
     use crate::aws_api::config::AwsConfig;
-    use std::sync::Once;
+    use crate::aws_api::test_util::init_crypto;
 
     #[tokio::test]
     async fn test_basic_secret_retrieval() {
@@ -129,12 +129,4 @@ mod tests {
         }
     }
 
-    static INIT_CRYPTO: Once = Once::new();
-    pub fn init_crypto() {
-        INIT_CRYPTO.call_once(|| {
-            rustls::crypto::aws_lc_rs::default_provider()
-                .install_default()
-                .unwrap()
-        });
-    }
 }

src/aws_api/test_util.rs

@@ -0,0 +1,13 @@
+use std::sync::Once;
+
+// used for testing
+#[allow(dead_code)]
+static INIT_CRYPTO: Once = Once::new();
+#[allow(dead_code)]
+pub fn init_crypto() {
+    INIT_CRYPTO.call_once(|| {
+        rustls::crypto::aws_lc_rs::default_provider()
+            .install_default()
+            .unwrap()
+    });
+}