Files
versitygw/iamapi/controller.go
T
niksis02 b590ac9eca feat: add AWS-compatible standalone IAM service
Closes #1640

Add a standalone AWS IAM Query API implementation for managing IAM users through standard AWS SDKs and the AWS CLI.

Server usage

Start the IAM server with internal file-backed storage:

    mkdir -p /tmp/versitygw-iam
    ./versitygw --port 127.0.0.1:7070 --access user --secret pass iam --dir /tmp/versitygw-iam

Start the IAM server with Vault KV v2 storage using AppRole:

    VGW_IAM_VAULT_ROLE_SECRET=<role-secret> ./versitygw --port 127.0.0.1:7070 --access user --secret pass iam --vault-endpoint-url http://127.0.0.1:8200 --vault-auth-method approle --vault-role-id <role-id> --vault-mount-path kv --vault-secret-storage-path iam

Vault authentication also supports root tokens, separate authentication and secret-storage namespaces, custom mount paths, server certificate validation, and mutual TLS client certificates.

Configure the AWS CLI credentials used by the IAM server:

    export AWS_ACCESS_KEY_ID=user
    export AWS_SECRET_ACCESS_KEY=pass
    export AWS_DEFAULT_REGION=us-east-1

Implemented IAM actions

CreateUser creates an IAM user with an AWS-compatible ARN, generated AIDA user ID, creation timestamp, optional path, and tags. It validates usernames, paths, tag limits, reserved tag prefixes, duplicate tag keys, and existing users.

    aws --endpoint-url http://127.0.0.1:7070 iam create-user --user-name bob

    aws --endpoint-url http://127.0.0.1:7070 iam create-user --user-name bob --path /engineering/ --tags Key=team,Value=storage

GetUser returns a stored user or the root identity when requested without a username through the IAM Query API.

    aws --endpoint-url http://127.0.0.1:7070 iam get-user --user-name bob

ListUsers returns users in deterministic username order and supports path filtering, marker-based pagination, and MaxItems limits.

    aws --endpoint-url http://127.0.0.1:7070 iam list-users

    aws --endpoint-url http://127.0.0.1:7070 iam list-users --path-prefix /engineering/ --max-items 100

UpdateUser updates the username and/or path, recalculates the user ARN, and rejects conflicts with existing users.

    aws --endpoint-url http://127.0.0.1:7070 iam update-user --user-name bob --new-user-name robert --new-path /platform/

DeleteUser permanently removes an IAM user and returns AWS-compatible errors for missing users.

    aws --endpoint-url http://127.0.0.1:7070 iam delete-user --user-name robert

IAM protocol and authentication

- Support the AWS IAM Query protocol version 2010-05-08 over GET and POST form requests.
- Return AWS-compatible XML responses, error documents, status codes, request IDs, user metadata, and pagination fields.
- Authenticate root credentials with AWS Signature Version 4 for the IAM service in us-east-1.
- Support both Authorization-header and query-string SigV4 authentication.
- Validate credential scope, signed headers, timestamps, clock skew, content length, signatures, and unsupported signature or session-token modes.
- Add IAM-specific validation and error mapping for malformed requests, invalid actions, duplicate entities, missing users, throttling, and internal failures.

Storage implementations

- Add an internal JSON-backed store using iam.json and iam.json.backup with atomic temporary-file replacement, concurrent access protection, stable ordering, pagination, and persistence across restarts.
- Add a Vault KV v2 store with one secret per user, CAS-based duplicate protection, permanent deletion, AppRole reauthentication, namespace support, configurable authentication and KV mounts, root-token authentication, and TLS/mTLS configuration.
- Introduce a common Storer interface and require exactly one storage backend to be configured.

Server and embedding support

- Register the new `versitygw iam` command with environment-variable and CLI configuration for both storage backends.
- Add `embedgw.RunIAMAPI` and `IAMConfig` for embedding the IAM service in Go applications.

Gateway-level internal packages

- Add `internal/iamstore` as a reusable generic file-backed IAM persistence engine and migrate the existing gateway internal IAM service to it.
- Add `internal/sigv4auth` for shared SigV4 header and presigned-query parsing, canonical request generation, signature verification, and structured authentication errors.
- Refactor the S3 authentication paths to use the shared SigV4 implementation while preserving S3-specific error responses.
- Add `internal/httpctx` for shared Fiber context keys and AWS-style request ID handling.
- Add `internal/routekit` for shared query, form, and header route matchers.
- Add `internal/netutil` for reusable certificate storage, hostname-aware listeners, multi-address serving, TLS listeners, and UNIX socket handling.
- Update the custom SigV4 signer to honor an explicitly supplied signed-header list so unrelated headers do not alter IAM signatures.

Testing and CI

- Add AWS IAM SDK-based integration coverage for all supported user actions, header authentication, query authentication, validation, errors, filtering, and pagination.
- Split standalone IAM tests into `versitygw test iam` and retain existing gateway IAM tests under `versitygw test gw-iam`.
- Add unit coverage for controllers, authentication, routing, storage, embedding, listeners, request matching, persistence, and signing behavior.
- Add `runiamtests.sh` to exercise internal storage over HTTP and HTTPS plus Vault storage through AppRole.
- Add a dedicated IAM functional-test workflow with a Vault service and merged runtime coverage reporting.
- Include the IAM test runner in shellcheck and add the AWS IAM SDK dependency.
2026-07-02 23:02:02 +04:00

236 lines
6.9 KiB
Go

// Copyright 2026 Versity Software
// This file is licensed under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package iamapi
import (
"errors"
"fmt"
"strconv"
"time"
"github.com/gofiber/fiber/v3"
"github.com/versity/versitygw/debuglogger"
"github.com/versity/versitygw/iamapi/iamerr"
"github.com/versity/versitygw/iamapi/internal/iamutil"
"github.com/versity/versitygw/iamapi/storage"
"github.com/versity/versitygw/iamapi/types"
)
type IAMApiController struct {
store storage.Storer
}
func NewController(store storage.Storer) IAMApiController {
return IAMApiController{store: store}
}
func (c IAMApiController) CreateUser(ctx fiber.Ctx) (*Response, error) {
userName, ok := iamutil.RequestParam(ctx, "UserName")
if !ok {
debuglogger.Logf("missing required CreateUser parameter: UserName")
return nil, iamerr.GetAPIError(iamerr.ErrMissingUserNameValue)
}
if err := iamutil.ValidateUserName("userName", userName, iamutil.MaxUserNameLen); err != nil {
return nil, err
}
path, ok := iamutil.RequestParam(ctx, "Path")
if !ok || path == "" {
path = iamutil.DefaultUserPath
}
if err := iamutil.ValidatePath("path", path); err != nil {
return nil, err
}
tags, err := iamutil.ParseTags(ctx)
if err != nil {
return nil, err
}
for range 3 {
userID, err := iamutil.GenerateUserID()
if err != nil {
return nil, err
}
user := types.User{
Path: path,
UserName: userName,
UserID: userID,
Arn: iamutil.BuildUserArn(iamutil.DefaultAccountID, path, userName),
CreateDate: time.Now().UTC().Truncate(time.Second),
Tags: tags,
}
stored, err := c.store.CreateUser(ctx.Context(), user)
if errors.Is(err, storage.ErrUserIDAlreadyExists) {
debuglogger.Logf("IAM user ID collision while creating user %q: %v", userName, err)
continue
}
if err != nil {
debuglogger.Logf("failed to create IAM user %q: %v", userName, err)
return nil, err
}
return &Response{Data: &types.CreateUserResponse{
Result: types.CreateUserResult{User: *stored},
}}, nil
}
err = fmt.Errorf("generate IAM user id: exhausted collision retries")
debuglogger.Logf("failed to create IAM user %q: %v", userName, err)
return nil, err
}
func (c IAMApiController) DeleteUser(ctx fiber.Ctx) (*Response, error) {
username, ok := iamutil.RequestParam(ctx, "UserName")
if !ok || username == "" {
debuglogger.Logf("missing required DeleteUser parameter: UserName")
return nil, iamerr.MissingParameter("UserName")
}
if err := iamutil.ValidateUserName("userName", username, iamutil.MaxUserLookupLen); err != nil {
return nil, err
}
if err := c.store.DeleteUser(ctx.Context(), username); err != nil {
debuglogger.Logf("failed to delete IAM user %q: %v", username, err)
return nil, err
}
return &Response{Data: &types.DeleteUserResponse{}}, nil
}
func (c IAMApiController) GetUser(ctx fiber.Ctx) (*Response, error) {
username, ok := iamutil.RequestParam(ctx, "UserName")
if !ok {
debuglogger.Logf("missing required GetUser parameter: UserName")
return nil, iamerr.MissingParameter("UserName")
}
if username == "" {
return &Response{Data: &types.GetUserResponse{
Result: types.GetUserResult{User: types.User{
UserID: iamutil.DefaultAccountID,
Arn: fmt.Sprintf("arn:aws:iam::%s:root", iamutil.DefaultAccountID),
}},
}}, nil
}
if err := iamutil.ValidateUserName("userName", username, iamutil.MaxUserLookupLen); err != nil {
return nil, err
}
user, err := c.store.GetUser(ctx.Context(), username)
if err != nil {
debuglogger.Logf("failed to get IAM user %q: %v", username, err)
return nil, err
}
return &Response{Data: &types.GetUserResponse{
Result: types.GetUserResult{User: *user},
}}, nil
}
func (c IAMApiController) ListUsers(ctx fiber.Ctx) (*Response, error) {
pathPrefix, ok := iamutil.RequestParam(ctx, "PathPrefix")
if !ok || pathPrefix == "" {
pathPrefix = iamutil.DefaultUserPath
}
if err := iamutil.ValidatePathPrefix(pathPrefix); err != nil {
return nil, err
}
maxItems := int32(iamutil.DefaultMaxItems)
if rawMaxItems, ok := iamutil.RequestParam(ctx, "MaxItems"); ok && rawMaxItems != "" {
parsed, err := strconv.ParseInt(rawMaxItems, 10, 32)
if err != nil || parsed < 1 || parsed > iamutil.MaxListItems {
debuglogger.Logf("invalid ListUsers MaxItems value %q: parse_error=%v", rawMaxItems, err)
return nil, iamerr.InvalidMaxItems(rawMaxItems)
}
maxItems = int32(parsed)
}
marker, _ := iamutil.RequestParam(ctx, "Marker")
out, err := c.store.ListUsers(ctx.Context(), storage.ListUsersInput{
PathPrefix: pathPrefix,
Marker: marker,
MaxItems: maxItems,
})
if err != nil {
debuglogger.Logf("failed to list IAM users: %v", err)
return nil, err
}
return &Response{Data: &types.ListUsersResponse{
Result: types.ListUsersResult{
Users: types.Users{Members: out.Users},
IsTruncated: out.IsTruncated,
Marker: out.Marker,
},
}}, nil
}
func (c IAMApiController) UpdateUser(ctx fiber.Ctx) (*Response, error) {
username, ok := iamutil.RequestParam(ctx, "UserName")
if !ok || username == "" {
debuglogger.Logf("missing required UpdateUser parameter: UserName")
return nil, iamerr.MissingParameter("UserName")
}
if err := iamutil.ValidateUserName("userName", username, iamutil.MaxUserLookupLen); err != nil {
return nil, err
}
newPath, _ := iamutil.RequestParam(ctx, "NewPath")
if newPath != "" {
if err := iamutil.ValidatePath("newPath", newPath); err != nil {
return nil, err
}
}
newUserName, _ := iamutil.RequestParam(ctx, "NewUserName")
if newUserName != "" {
if err := iamutil.ValidateUserName("newUserName", newUserName, iamutil.MaxUserNameLen); err != nil {
return nil, err
}
}
user, err := c.store.GetUser(ctx.Context(), username)
if err != nil {
debuglogger.Logf("failed to get IAM user %q for update: %v", username, err)
return nil, err
}
finalPath := user.Path
if newPath != "" {
finalPath = newPath
}
finalUserName := user.UserName
if newUserName != "" {
finalUserName = newUserName
}
updated, err := c.store.UpdateUser(ctx.Context(), storage.UpdateUserInput{
UserName: username,
NewPath: newPath,
NewUserName: newUserName,
NewArn: iamutil.BuildUserArn(iamutil.DefaultAccountID, finalPath, finalUserName),
})
if err != nil {
debuglogger.Logf("failed to update IAM user %q: %v", finalUserName, err)
return nil, err
}
return &Response{Data: &types.UpdateUserResponse{
Result: types.UpdateUserResult{User: updated},
}}, nil
}