Split the functionality in node/mounter into smaller packages

cmd/install-mp/main.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/awslabs/aws-s3-csi-driver/pkg/driver"
+	"github.com/awslabs/aws-s3-csi-driver/pkg/util"
 )
 
 const (
@@ -49,7 +49,7 @@ func installFiles(binDir string, installDir string) error {
 		destFile := filepath.Join(installDir, name)
 
 		// First copy to a temporary location then rename to handle replacing running binaries
-		err = driver.ReplaceFile(destFile, filepath.Join(binDir, name), 0755)
+		err = util.ReplaceFile(destFile, filepath.Join(binDir, name), 0755)
 		if err != nil {
 			return fmt.Errorf("Failed to copy file %s: %w", name, err)
 		}

pkg/driver/driver.go

@@ -19,15 +19,14 @@ package driver
 import (
 	"context"
 	"fmt"
-	"io"
-	"io/fs"
 	"net"
 	"os"
 	"time"
 
 	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node"
 	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/mounter"
 	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/version"
+	"github.com/awslabs/aws-s3-csi-driver/pkg/util"
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"google.golang.org/grpc"
 	"k8s.io/client-go/kubernetes"
@@ -154,7 +153,7 @@ func (d *Driver) Stop() {
 func tokenFileTender(ctx context.Context, sourcePath string, destPath string) {
 	for {
 		timer := time.After(10 * time.Second)
-		err := ReplaceFile(destPath, sourcePath, 0600)
+		err := util.ReplaceFile(destPath, sourcePath, 0600)
 		if err != nil {
 			klog.Infof("Failed to sync AWS web token file: %v", err)
 		}
@@ -167,37 +166,6 @@ func tokenFileTender(ctx context.Context, sourcePath string, destPath string) {
 	}
 }
 
-// replaceFile safely replaces a file with a new file by copying to a temporary location first
-// then renaming.
-func ReplaceFile(destPath string, sourcePath string, perm fs.FileMode) error {
-	tmpDest := destPath + ".tmp"
-
-	sourceFile, err := os.Open(sourcePath)
-	if err != nil {
-		return err
-	}
-	defer sourceFile.Close()
-
-	destFile, err := os.OpenFile(tmpDest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
-	if err != nil {
-		return err
-	}
-	defer destFile.Close()
-
-	buf := make([]byte, 64*1024)
-	_, err = io.CopyBuffer(destFile, sourceFile, buf)
-	if err != nil {
-		return err
-	}
-
-	err = os.Rename(tmpDest, destPath)
-	if err != nil {
-		return fmt.Errorf("Failed to rename file %s: %w", destPath, err)
-	}
-
-	return nil
-}
-
 func kubernetesVersion(clientset *kubernetes.Clientset) (string, error) {
 	version, err := clientset.ServerVersion()
 	if err != nil {

pkg/driver/node/credentialprovider/awsprofile/aws_profile.go

@@ -0,0 +1,115 @@
+// Package awsprofile provides utilities for creating and deleting AWS Profile (i.e., credentials & config files).
+package awsprofile
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+	"unicode"
+
+	"github.com/google/renameio"
+)
+
+const (
+	awsProfileName                = "s3-csi"
+	awsProfileConfigFilename      = "s3-csi-config"
+	awsProfileCredentialsFilename = "s3-csi-credentials"
+)
+
+// ErrInvalidCredentials is returned when given AWS Credentials contains invalid characters.
+var ErrInvalidCredentials = errors.New("aws-profile: Invalid AWS Credentials")
+
+// An AWSProfile represents an AWS profile with it's credentials and config files.
+type AWSProfile struct {
+	Name                string
+	ConfigFilename      string
+	CredentialsFilename string
+}
+
+// CreateAWSProfile creates an AWS Profile with credentials and config files from given credentials.
+// Created credentials and config files can be clean up with `CleanupAWSProfile`.
+func CreateAWSProfile(basepath string, accessKeyID string, secretAccessKey string, sessionToken string, filePerm fs.FileMode) (AWSProfile, error) {
+	if !isValidCredential(accessKeyID) || !isValidCredential(secretAccessKey) || !isValidCredential(sessionToken) {
+		return AWSProfile{}, ErrInvalidCredentials
+	}
+
+	name := awsProfileName
+
+	configPath := filepath.Join(basepath, awsProfileConfigFilename)
+	err := writeAWSProfileFile(configPath, configFileContents(name), filePerm)
+	if err != nil {
+		return AWSProfile{}, fmt.Errorf("aws-profile: Failed to create config file %s: %v", configPath, err)
+	}
+
+	credentialsPath := filepath.Join(basepath, awsProfileCredentialsFilename)
+	err = writeAWSProfileFile(credentialsPath, credentialsFileContents(name, accessKeyID, secretAccessKey, sessionToken), filePerm)
+	if err != nil {
+		return AWSProfile{}, fmt.Errorf("aws-profile: Failed to create credentials file %s: %v", credentialsPath, err)
+	}
+
+	return AWSProfile{
+		Name:                name,
+		ConfigFilename:      awsProfileConfigFilename,
+		CredentialsFilename: awsProfileCredentialsFilename,
+	}, nil
+}
+
+// CleanupAWSProfile cleans up credentials and config files created in given `basepath` via `CreateAWSProfile`.
+func CleanupAWSProfile(basepath string) error {
+	configPath := filepath.Join(basepath, awsProfileConfigFilename)
+	if err := os.Remove(configPath); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("aws-profile: Failed to remove config file %s: %v", configPath, err)
+		}
+	}
+
+	credentialsPath := filepath.Join(basepath, awsProfileCredentialsFilename)
+	if err := os.Remove(credentialsPath); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return fmt.Errorf("aws-profile: Failed to remove credentials file %s: %v", credentialsPath, err)
+		}
+	}
+
+	return nil
+}
+
+func writeAWSProfileFile(path string, content string, filePerm os.FileMode) error {
+	return renameio.WriteFile(path, []byte(content), filePerm)
+}
+
+func credentialsFileContents(profile string, accessKeyID string, secretAccessKey string, sessionToken string) string {
+	var b strings.Builder
+	b.Grow(128)
+	b.WriteRune('[')
+	b.WriteString(profile)
+	b.WriteRune(']')
+	b.WriteRune('\n')
+
+	b.WriteString("aws_access_key_id=")
+	b.WriteString(accessKeyID)
+	b.WriteRune('\n')
+
+	b.WriteString("aws_secret_access_key=")
+	b.WriteString(secretAccessKey)
+	b.WriteRune('\n')
+
+	if sessionToken != "" {
+		b.WriteString("aws_session_token=")
+		b.WriteString(sessionToken)
+		b.WriteRune('\n')
+	}
+
+	return b.String()
+}
+
+func configFileContents(profile string) string {
+	return fmt.Sprintf("[profile %s]\n", profile)
+}
+
+// isValidCredential checks whether given credential file contains any non-printable characters.
+func isValidCredential(s string) bool {
+	return !strings.ContainsFunc(s, func(r rune) bool { return !unicode.IsPrint(r) })
+}

pkg/driver/node/credentialprovider/awsprofile/aws_profile_test.go

@@ -0,0 +1,100 @@
+package awsprofile_test
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/credentialprovider/awsprofile"
+	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/credentialprovider/awsprofile/awsprofiletest"
+	"github.com/awslabs/aws-s3-csi-driver/pkg/util/testutil/assert"
+)
+
+const testAccessKeyId = "test-access-key-id"
+const testSecretAccessKey = "test-secret-access-key"
+const testSessionToken = "test-session-token"
+const testFilePerm = fs.FileMode(0600)
+
+func TestCreatingAWSProfile(t *testing.T) {
+	t.Run("create config and credentials files", func(t *testing.T) {
+		basepath := t.TempDir()
+		profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm)
+		assert.NoError(t, err)
+		assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken)
+	})
+
+	t.Run("create config and credentials files with empty session token", func(t *testing.T) {
+		basepath := t.TempDir()
+		profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, "", testFilePerm)
+		assert.NoError(t, err)
+		assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, "")
+	})
+
+	t.Run("ensure config and credentials files are created with correct permissions", func(t *testing.T) {
+		basepath := t.TempDir()
+		profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm)
+		assert.NoError(t, err)
+		assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken)
+
+		configStat, err := os.Stat(filepath.Join(basepath, profile.ConfigFilename))
+		assert.NoError(t, err)
+		assert.Equals(t, testFilePerm, configStat.Mode())
+
+		credentialsStat, err := os.Stat(filepath.Join(basepath, profile.CredentialsFilename))
+		assert.NoError(t, err)
+		assert.Equals(t, testFilePerm, credentialsStat.Mode())
+	})
+
+	t.Run("fail if credentials contains non-ascii characters", func(t *testing.T) {
+		t.Run("access key ID", func(t *testing.T) {
+			_, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId+"\n\t\r credential_process=exit", testSecretAccessKey, testSessionToken, testFilePerm)
+			assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials))
+		})
+		t.Run("secret access key", func(t *testing.T) {
+			_, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId, testSecretAccessKey+"\n", testSessionToken, testFilePerm)
+			assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials))
+		})
+		t.Run("session token", func(t *testing.T) {
+			_, err := awsprofile.CreateAWSProfile(t.TempDir(), testAccessKeyId, testSecretAccessKey, testSessionToken+"\n\r", testFilePerm)
+			assert.Equals(t, true, errors.Is(err, awsprofile.ErrInvalidCredentials))
+		})
+	})
+}
+
+func TestCleaningUpAWSProfile(t *testing.T) {
+	t.Run("clean config and credentials files", func(t *testing.T) {
+		basepath := t.TempDir()
+
+		profile, err := awsprofile.CreateAWSProfile(basepath, testAccessKeyId, testSecretAccessKey, testSessionToken, testFilePerm)
+		assert.NoError(t, err)
+		assertCredentialsFromAWSProfile(t, basepath, profile, testAccessKeyId, testSecretAccessKey, testSessionToken)
+
+		err = awsprofile.CleanupAWSProfile(basepath)
+		assert.NoError(t, err)
+
+		_, err = os.Stat(filepath.Join(basepath, profile.ConfigFilename))
+		assert.Equals(t, true, errors.Is(err, fs.ErrNotExist))
+
+		_, err = os.Stat(filepath.Join(basepath, profile.CredentialsFilename))
+		assert.Equals(t, true, errors.Is(err, fs.ErrNotExist))
+	})
+
+	t.Run("cleaning non-existent config and credentials files should not be an error", func(t *testing.T) {
+		err := awsprofile.CleanupAWSProfile(t.TempDir())
+		assert.NoError(t, err)
+	})
+}
+
+func assertCredentialsFromAWSProfile(t *testing.T, basepath string, profile awsprofile.AWSProfile, accessKeyID string, secretAccessKey string, sessionToken string) {
+	awsprofiletest.AssertCredentialsFromAWSProfile(
+		t,
+		profile.Name,
+		filepath.Join(basepath, profile.ConfigFilename),
+		filepath.Join(basepath, profile.CredentialsFilename),
+		accessKeyID,
+		secretAccessKey,
+		sessionToken,
+	)
+}

pkg/driver/node/credentialprovider/awsprofile/awsprofiletest/aws_profile.go

@@ -0,0 +1,30 @@
+// Package awsprofiletest provides testing utilities for AWS Profiles.
+package awsprofiletest
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+
+	"github.com/awslabs/aws-s3-csi-driver/pkg/util/testutil/assert"
+)
+
+func AssertCredentialsFromAWSProfile(t *testing.T, profileName, configFile, credentialsFile, accessKeyID, secretAccessKey, sessionToken string) {
+	t.Helper()
+
+	credentials := parseAWSProfile(t, profileName, configFile, credentialsFile)
+	assert.Equals(t, accessKeyID, credentials.AccessKeyID)
+	assert.Equals(t, secretAccessKey, credentials.SecretAccessKey)
+	assert.Equals(t, sessionToken, credentials.SessionToken)
+}
+
+func parseAWSProfile(t *testing.T, profileName, configFile, credentialsFile string) aws.Credentials {
+	sharedConfig, err := config.LoadSharedConfigProfile(context.Background(), profileName, func(c *config.LoadSharedConfigOptions) {
+		c.ConfigFiles = []string{configFile}
+		c.CredentialsFiles = []string{credentialsFile}
+	})
+	assert.NoError(t, err)
+	return sharedConfig.Credentials
+}

pkg/driver/node/credentialprovider/credentials.go

@@ -0,0 +1,28 @@
+package credentialprovider
+
+import (
+	"io/fs"
+
+	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/envprovider"
+)
+
+// CredentialFilePerm is the default permissions to be used for credential files.
+// It's only readable and writeable by the owner.
+const CredentialFilePerm = fs.FileMode(0600)
+
+// CredentialDirPerm is the default permissions to be used for credential directories.
+// It's only readable, listable (execute bit), and writeable by the owner.
+const CredentialDirPerm = fs.FileMode(0700)
+
+// Credentials is the interface implemented by credential providers.
+type Credentials interface {
+	// Source returns the source of these credentials.
+	Source() AuthenticationSource
+
+	// Dump dumps credentials into `writePath` and returns environment variables
+	// relative to `envPath` to pass to Mountpoint during mount.
+	//
+	// The environment variables will only passed to Mountpoint once during mount operation,
+	// in subsequent calls, this method will update previously written credentials on disk.
+	Dump(writePath string, envPath string) (envprovider.Environment, error)
+}

pkg/driver/node/credentialprovider/credentials_long_term.go

@@ -0,0 +1,38 @@
+package credentialprovider
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/credentialprovider/awsprofile"
+	"github.com/awslabs/aws-s3-csi-driver/pkg/driver/node/envprovider"
+)
+
+type longTermCredentials struct {
+	source AuthenticationSource
+
+	accessKeyID     string
+	secretAccessKey string
+	sessionToken    string
+}
+
+func (c *longTermCredentials) Source() AuthenticationSource {
+	return c.source
+}
+
+func (c *longTermCredentials) Dump(writePath string, envPath string) (envprovider.Environment, error) {
+	awsProfile, err := awsprofile.CreateAWSProfile(writePath, c.accessKeyID, c.secretAccessKey, c.sessionToken, CredentialFilePerm)
+	if err != nil {
+		return nil, fmt.Errorf("credentialprovider: long-term: failed to create aws profile: %w", err)
+	}
+
+	profile := awsProfile.Name
+	configFile := filepath.Join(envPath, awsProfile.ConfigFilename)
+	credentialsFile := filepath.Join(envPath, awsProfile.CredentialsFilename)
+
+	return envprovider.Environment{
+		envprovider.Format(envprovider.EnvProfile, profile),
+		envprovider.Format(envprovider.EnvConfigFile, configFile),
+		envprovider.Format(envprovider.EnvSharedCredentialsFile, credentialsFile),
+	}, nil
+}