Use Vault for IAM users

4 files changed, 59 insertions, 14 deletions

diff --git a/app/controllers/api_account.go b/app/controllers/api_account.go
index 815daf4..cecd334 100644
--- a/app/controllers/api_account.go
+++ b/app/controllers/api_account.go
@@ -2,14 +2,12 @@ package controllers
 
 import (
         "context"
-        "fmt"
         "net/http"
         "time"
 
         "code.crute.us/mcrute/cloud-identity-broker/app"
         "code.crute.us/mcrute/cloud-identity-broker/app/middleware"
         "code.crute.us/mcrute/cloud-identity-broker/app/models"
-        "code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
 
         glecho "code.crute.us/mcrute/golib/echo"
         "code.crute.us/mcrute/golib/echo/controller"
@@ -90,7 +88,7 @@ func (h *APIAccountHandler) HandleGet(c echo.Context) error {
         // details about the account so they should only be visible to users who
         // can administer the account.
         if !a.CanBeModifiedBy(p) {
-                a.VaultMaterial = ""
+                a.AdminVaultMaterial = ""
                 a.Users = nil
         }
 
@@ -136,7 +134,7 @@ func (h *APIAccountHandler) HandlePut(c echo.Context) error {
         a.AccountNumber = in.AccountNumber
         a.Name = in.Name
         a.ConsoleSessionDuration = in.ConsoleSessionDuration
-        a.VaultMaterial = in.VaultMaterial
+        a.AdminVaultMaterial = in.AdminVaultMaterial
         a.DefaultRegion = in.DefaultRegion
         a.Users = in.Users
 
@@ -181,12 +179,14 @@ func (h *APIAccountHandler) HandlePost(c echo.Context) error {
                 }
         }
 
+        /* TODO: Validate that the vault material exists
         if err := aws.ValidateVaultMaterial(in.VaultMaterial); err != nil {
                 return &echo.HTTPError{
                         Code:    http.StatusBadRequest,
                         Message: fmt.Sprintf("Unable to access Vault material: %s", err),
                 }
         }
+        */
 
         if err := h.Store.Put(context.Background(), &in); err != nil {
                 return echo.ErrInternalServerError
diff --git a/app/controllers/aws.go b/app/controllers/aws.go
index 5b1765d..4f32942 100644
--- a/app/controllers/aws.go
+++ b/app/controllers/aws.go
@@ -2,11 +2,14 @@ package controllers
 
 import (
         "context"
+        "sync"
 
         "code.crute.us/mcrute/cloud-identity-broker/app/middleware"
         "code.crute.us/mcrute/cloud-identity-broker/app/models"
         "code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
 
+        "code.crute.us/mcrute/golib/secrets"
+
         "github.com/labstack/echo/v4"
 )
 
@@ -20,7 +23,49 @@ type requestContext struct {
 // This capability does common permission checks and populates a request
 // context with user, account, and AWS API information.
 type AWSAPI struct {
-        Store models.AccountStore
+        Store   models.AccountStore
+        Secrets secrets.Client
+        cache   sync.Map // of aws.AWSClient
+}
+
+func (h *AWSAPI) getClientFor(ctx context.Context, a *models.Account) (aws.AWSClient, error) {
+        var client aws.AWSClient
+
+        if cv, ok := h.cache.Load(a.ShortName); !ok {
+                client, err := aws.NewAWSClientFromAccount(ctx, a, h.Secrets)
+                if err != nil {
+                        return nil, err
+                }
+
+                cv, _ = h.cache.LoadOrStore(a.ShortName, client)
+                client = cv.(aws.AWSClient)
+        } else {
+                client = cv.(aws.AWSClient)
+        }
+
+        return client, nil
+}
+
+// Preload enumerates all managed accounts and pre-loads all of the
+// clients into the cache.
+//
+// This exists because there is replication delay of around 5-10 seconds
+// for IAM users into other regions so these should be created as early
+// in the process lifecycle as possible.
+func (h *AWSAPI) Preload(ctx context.Context) []error {
+        accounts, err := h.Store.List(ctx)
+        if err != nil {
+                return []error{err}
+        }
+
+        errors := []error{}
+        for _, a := range accounts {
+                _, err = h.getClientFor(ctx, a)
+                if err != nil {
+                        errors = append(errors, err)
+                }
+        }
+        return errors
 }
 
 // GetContext checks that the user is authenticated and is authorized to access
@@ -38,7 +83,7 @@ func (h *AWSAPI) GetContext(c echo.Context) (*requestContext, error) {
                 return nil, echo.NotFoundHandler(c)
         }
 
-        ac, err := aws.NewAWSClientFromAccount(account)
+        client, err := h.getClientFor(c.Request().Context(), account)
         if err != nil {
                 c.Logger().Errorf("Error building AWS client: %w", err)
                 return nil, echo.ErrInternalServerError
@@ -47,6 +92,6 @@ func (h *AWSAPI) GetContext(c echo.Context) (*requestContext, error) {
         return &requestContext{
                 Account:   account,
                 Principal: principal,
-                AWS:       ac,
+                AWS:       client,
         }, nil
 }
diff --git a/app/models/account.go b/app/models/account.go
index af29c3e..346354c 100644
--- a/app/models/account.go
+++ b/app/models/account.go
@@ -25,8 +25,9 @@ type Account struct {
         AccountType            string        `json:"account_type"`
         AccountNumber          int           `json:"account_number"`
         Name                   string        `json:"name"`
-        ConsoleSessionDuration time.Duration `json:"console_session_duration, omitempty"`
-        VaultMaterial          string        `json:"vault_material,omitempty"`
+        ConsoleSessionDuration time.Duration `json:"console_session_duration,omitempty"`
+        AdminVaultMaterial     string        `json:"admin_vault_material,omitempty"`
+        AssumedRoleARN         string        `json:"assumed_role_arn"`
         DefaultRegion          string        `json:"default_region"`
         Users                  []string      `json:"users,omitempty"`
         Deleted                *time.Time    `json:"deleted,omitempty" bson:"deleted,omitempty"`
@@ -43,10 +44,9 @@ func (a *Account) CanBeModifiedBy(u *User) bool {
 type MongoDbAccountStore struct {
         Db *mongodb.Mongo
 
-        // ReturnDeleted will allow all methods to return deleted items. By default
-        // items where the Deleted field is set will not be returned. This should
-        // be the common cast for most code using this store but in some Admin
-        // use-cases it would be useful to show deleted accounts.
+        // ReturnDeleted will allow all methods to return deleted items. items
+        // where the Deleted field is set will not be returned. Non-admin
+        // use-cases should leave this set to false.
         ReturnDeleted bool
 }
 
diff --git a/app/models/session_key.go b/app/models/session_key.go
index c8b327e..b75d6c4 100644
--- a/app/models/session_key.go
+++ b/app/models/session_key.go
@@ -52,7 +52,7 @@ type SessionKey struct {
         NotBefore               *time.Time
         PublicKey               crypto.PublicKey
         PrivateKey              *ecdsa.PrivateKey
-        ExposePrivateKeysInJSON bool `"-" json:"-" bson:"-"`
+        ExposePrivateKeysInJSON bool `json:"-" bson:"-"`
 }
 
 func GenerateSessionKey(ttl time.Duration) (*SessionKey, error) {