From 7d3ce4ab9493778edeabf4f85ae9cdc2bdb8444a Mon Sep 17 00:00:00 2001
From: "Loughnane, Gary"
Date: Wed, 20 Aug 2025 06:33:42 -0700
Subject: [PATCH] Use aws-sdk-go-v2
Fix GO-2022-0635 and GO-2022-0646.
---
 aws-sm-proxy/cmd/proxy/main.go | 25 +++++++++---------
 aws-sm-proxy/internal/handler.go | 15 ++++++-----
 aws-sm-proxy/internal/handler_test.go | 15 +++++------
 charts/aws-sm-proxy/Chart.yaml | 4 +--
 go.mod | 17 +++++++++---
 go.sum | 37 ++++++++++++++++++++-------
 6 files changed, 73 insertions(+), 40 deletions(-)
diff --git a/aws-sm-proxy/cmd/proxy/main.go b/aws-sm-proxy/cmd/proxy/main.go
index 5b4b31fb..32990097 100644
--- a/aws-sm-proxy/cmd/proxy/main.go
+++ b/aws-sm-proxy/cmd/proxy/main.go
@@ -5,6 +5,7 @@ package main
 import (
+ "context"
 "errors"
 "flag"
 "fmt"
@@ -13,9 +14,8 @@ import (
 "os"
 "time"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/secretsmanager"
+ "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 "github.com/open-edge-platform/orch-utils/aws-sm-proxy/internal"
 )
@@ -29,20 +29,21 @@ func main() {
 fmt.Println("Missing required -region flag")
 os.Exit(1)
 }
- awsConfig := &aws.Config{
- Region: aws.String(region),
+
+ ctx := context.Background()
+ cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region))
+ if err != nil {
+ fmt.Printf("not able to setup aws config: %v", err)
+ os.Exit(1)
 }
+
 if proxy := os.Getenv("HTTPS_PROXY"); proxy != "" {
 log.Printf("https proxy value is: %s", proxy)
 log.Printf("no proxy value is: %s", os.Getenv("NO_PROXY"))
- awsConfig.HTTPClient = &http.Client{Timeout: 15 * time.Second}
- }
- sess, err := session.NewSession(awsConfig)
- if err != nil {
- fmt.Printf("not able to setup aws session: %v", err)
- os.Exit(1)
+ cfg.HTTPClient = &http.Client{Timeout: 15 * time.Second}
 }
- svc := secretsmanager.New(sess)
+
+ svc := secretsmanager.NewFromConfig(cfg)
 http.HandleFunc("/aws-secret", internal.NewProxyAWSHandler(svc))
 http.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
diff --git a/aws-sm-proxy/internal/handler.go b/aws-sm-proxy/internal/handler.go
index 5b0d1785..2cfcd1e6 100644
--- a/aws-sm-proxy/internal/handler.go
+++ b/aws-sm-proxy/internal/handler.go
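Review bot: The 15-second client timeout on the new `cfg.HTTPClient = &http.Client{Timeout: 15 * time.Second}` line is still installed only when HTTPS_PROXY is set, so in the direct-to-AWS case Secrets Manager calls go through the SDK's default client with, as far as I can tell, no end-to-end deadline, and because the handler passes a background context a stalled call can hold a request indefinitely. Pass the client in unconditionally, `cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region), config.WithHTTPClient(&http.Client{Timeout: 15 * time.Second}))`, and drop the assignment from the proxy branch. The `log.Printf("https proxy value is: %s", proxy)` line prints the raw proxy URL, which may embed proxy credentials (`user:pass@host`); parse it with `url.Parse` and log `u.Redacted()` instead. The `fmt.Printf("not able to setup aws config: %v", err)` line writes to stdout without a trailing newline while the rest of the function logs via `log`; `log.Fatalf("not able to setup aws config: %v", err)` keeps it consistent and still exits non-zero. The body of main continues past the end of the hunk.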
@@ -5,16 +5,19 @@ package internal
 import (
+ "context"
 "fmt"
 "log"
 "net/http"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/service/secretsmanager"
- "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
+ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 )
-func NewProxyAWSHandler(svc secretsmanageriface.SecretsManagerAPI) func(w http.ResponseWriter, r *http.Request) {
+type SecretsManagerAPI interface {
+ GetSecretValue(ctx context.Context, params *secretsmanager.GetSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
+}
+
+func NewProxyAWSHandler(svc SecretsManagerAPI) func(w http.ResponseWriter, r *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
 secretName := r.URL.Query().Get("name")
 if secretName == "" {
@@ -24,10 +27,10 @@ func NewProxyAWSHandler(svc secretsmanageriface.SecretsManagerAPI) func(w http.R
 }
 log.Println("handling request for secret:", secretName)
 input := &secretsmanager.GetSecretValueInput{
- SecretId: aws.String(secretName),
+ SecretId: &secretName,
 }
- result, err := svc.GetSecretValue(input)
+ result, err := svc.GetSecretValue(context.Background(), input)
 if err != nil {
 w.WriteHeader(http.StatusInternalServerError)
 fmt.Fprintln(w, err)
diff --git a/aws-sm-proxy/internal/handler_test.go b/aws-sm-proxy/internal/handler_test.go
index 2f8aba08..d66c49db 100644
--- a/aws-sm-proxy/internal/handler_test.go
+++ b/aws-sm-proxy/internal/handler_test.go
@@ -5,6 +5,7 @@ package internal_test
 import (
+ "context"
 "fmt"
 "net/http"
 "net/http/httptest"
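Review bot: The exported `SecretsManagerAPI` interface introduced in the first hunk has no doc comment, so a reader cannot tell whether it is meant as the proxy's full contract with AWS or just a test seam, and godoc will list it undocumented. Add `// SecretsManagerAPI is the subset of the Secrets Manager client the proxy calls; it is an interface so tests can substitute a mock.` above the `type` line. The `NewProxyAWSHandler` constructor below it also has no comment; one sentence naming the `name` query parameter it reads and that the returned func is an `http.HandlerFunc` body would make the package self-describing.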
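Review bot: The new `svc.GetSecretValue(context.Background(), input)` call in the second hunk detaches the AWS request from the incoming HTTP request, so a caller that disconnects or times out leaves the Secrets Manager call running, and nothing bounds its duration unless a proxy happens to be configured in main. Use the request context with a deadline: `ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)` followed by `defer cancel()`, then `result, err := svc.GetSecretValue(ctx, input)` (this needs `time` imported). Separately, `fmt.Fprintln(w, err)` two lines below echoes the raw SDK error to the HTTP client, and v2 errors carry request IDs and service messages; log the error server-side and return a generic body. The handler closure continues past the end of the hunk.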
@@ -12,21 +13,17 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/service/secretsmanager"
- "github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
+ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 "github.com/stretchr/testify/mock"
 "github.com/open-edge-platform/orch-utils/aws-sm-proxy/internal"
 )
 type mockSMClient struct {
- secretsmanageriface.SecretsManagerAPI
 mock.Mock
 }
-func (m *mockSMClient) GetSecretValue(_ *secretsmanager.GetSecretValueInput,
-) (*secretsmanager.GetSecretValueOutput, error) {
+func (m *mockSMClient) GetSecretValue(ctx context.Context, params *secretsmanager.GetSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error) {
 args := m.Called()
 return args.Get(0).(*secretsmanager.GetSecretValueOutput), args.Error(1)
 }
@@ -40,9 +37,10 @@ var _ = Describe("AWS Secrets Manager", func() {
 })
 Context("Secrets manager", func() {
 It("should return the secret", func() {
+ secretString := "mockSecret"
 client.On("GetSecretValue").Return(
 &secretsmanager.GetSecretValueOutput{
- SecretString: aws.String("mockSecret"),
+ SecretString: &secretString,
 }, nil)
 req, err := http.NewRequest("GET", "/aws-secret?name=mockName", nil)
 Expect(err).ToNot(HaveOccurred())
@@ -56,9 +54,10 @@ var _ = Describe("AWS Secrets Manager", func() {
 })
 It("should return error when no secret name specified", func() {
+ secretString := "mockSecret"
 client.On("GetSecretValue").Return(
 &secretsmanager.GetSecretValueOutput{
- SecretString: aws.String("mockSecret"),
+ SecretString: &secretString,
 }, nil)
 req, err := http.NewRequest("GET", "/aws-secret?xyz=bad-param", nil)
 Expect(err).ToNot(HaveOccurred())
diff --git a/charts/aws-sm-proxy/Chart.yaml b/charts/aws-sm-proxy/Chart.yaml
index ae3f370a..d3b7a445 100644
--- a/charts/aws-sm-proxy/Chart.yaml
+++ b/charts/aws-sm-proxy/Chart.yaml
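Review bot: The new mock `GetSecretValue` in the first hunk discards `ctx`, `params` and `optFns` and calls `m.Called()` with no arguments, so neither test can verify that the `name` query value actually arrives in `SecretId`, which is the one thing the proxy does. Forward the input, `args := m.Called(params)`, name the unused parameters `_`, and in "should return the secret" match it with `client.On("GetSecretValue", mock.MatchedBy(func(in *secretsmanager.GetSecretValueInput) bool { return in.SecretId != nil && *in.SecretId == "mockName" }))`. The "no secret name specified" case still registers a mock return for a request the handler should reject before reaching the client; `client.AssertNotCalled(GinkgoT(), "GetSecretValue")` at the end of that `It` would make the expectation explicit.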
@@ -17,9 +17,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.3
+version: 0.4.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.8.1"
+appVersion: "1.8.2"
diff --git a/go.mod b/go.mod
index 95e211e1..b9e05a3f 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,9 @@ module github.com/open-edge-platform/orch-utils
 go 1.24.6
 require (
- github.com/aws/aws-sdk-go v1.55.6
+ github.com/aws/aws-sdk-go-v2 v1.27.1
+ github.com/aws/aws-sdk-go-v2/config v1.27.17
+ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.29.1
 github.com/bitfield/script v0.24.1
 github.com/golang-jwt/jwt/v5 v5.2.2
 github.com/hashicorp/vault/api v1.16.0
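Review bot: The three direct modules added in the go.mod hunk pin `aws-sdk-go-v2 v1.27.1`, `config v1.27.17` and `secretsmanager v1.29.1`, which look considerably older than the v2 releases I would expect to be available at the commit date, and nothing in the diff shows that the migration was checked against the advisory database rather than just moving off v1. Since the stated purpose is closing GO-2022-0635 and GO-2022-0646, run `govulncheck ./...` as part of this change and `go get -u github.com/aws/aws-sdk-go-v2/...` so the new dependency starts from current versions instead of inheriting a stale pin that the next scan will flag.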
@@ -38,6 +40,17 @@ require (
 )
 require (
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.17 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 // indirect
+ github.com/aws/smithy-go v1.20.2 // indirect
 github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -66,7 +79,6 @@ require (
 github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 github.com/itchyny/gojq v0.12.17 // indirect
 github.com/itchyny/timefmt-go v0.1.6 // indirect
- github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/mailru/easyjson v0.9.0 // indirect
@@ -94,7 +106,6 @@ require (
 google.golang.org/protobuf v1.36.6 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
diff --git a/go.sum b/go.sum
index c74daa0c..d8010b62 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,31 @@ -github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk= -github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.27.1 h1:xypCL2owhog46iFxBKKpBcw+bPTX/RJzwNj8uSilENw= +github.com/aws/aws-sdk-go-v2 v1.27.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.17 h1:L0JZN7Gh7pT6u5CJReKsLhGKparqNKui+mcpxMXjDZc= +github.com/aws/aws-sdk-go-v2/config v1.27.17/go.mod h1:MzM3balLZeaafYcPz8IihAmam/aCz6niPQI0FdprxW0= +github.com/aws/aws-sdk-go-v2/credentials v1.17.17 h1:b3Dk9uxQByS9sc6r0sc2jmxsJKO75eOcb9nNEiaUBLM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.17/go.mod h1:e4khg9iY08LnFK/HXQDWMf9GDaiMari7jWPnXvKAuBU= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 h1:0cSfTYYL9qiRcdi4Dvz+8s3JUgNR2qvbgZkXcwPEEEk= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4/go.mod h1:Wjn5O9eS7uSi7vlPKt/v0MLTncANn9EMmoDvnzJli6o= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 h1:RnLB7p6aaFMRfyQkD6ckxR7myCC9SABIqSz4czYUUbU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8/go.mod h1:XH7dQJd+56wEbP1I4e4Duo+QhSMxNArE8VP7NuUOTeM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 h1:jzApk2f58L9yW9q1GEab3BMMFWUkkiZhyrRUtbwUbKU= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8/go.mod h1:WqO+FftfO3tGePUtQxPXM6iODVfqMwsVMgTbG/ZXIdQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 h1:7kZqP7akv0enu6ykJhb9OYlw16oOrSy+Epus8o/VqMY= 
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10/go.mod h1:gYVF3nM1ApfTRDj9pvdhootBb8WbiIejuqn4w8ruMes= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.29.1 h1:NSWsFzdHN41mJ5I/DOFzxgkKSYNHQADHn7Mu+lU/AKw= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.29.1/go.mod h1:5mMk0DgUgaHlcqtN65fNyZI0ZDX3i9Cw+nwq75HKB3U= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 h1:ItKVmFwbyb/ZnCWf+nu3XBVmUirpO9eGEQd7urnBA0s= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.10/go.mod h1:5XKooCTi9VB/xZmJDvh7uZ+v3uQ7QdX6diOyhvPA+/w= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 h1:QMSCYDg3Iyls0KZc/dk3JtS2c1lFfqbmYO10qBPPkJk= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4/go.mod h1:MZ/PVYU/mRbmSF6WK3ybCYHjA2mig8utVokDEVLDgE0= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 h1:HYS0csS7UJxdYRoG+bGgUYrSwVnV3/ece/wHm90TApM= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.11/go.mod h1:QXnthRM35zI92048MMwfFChjFmoufTdhtHmouwNfhhU= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/bitfield/script v0.24.1 h1:D4ZWu72qWL/at0rXFF+9xgs17VwyrpT6PkkBTdEz9xU= github.com/bitfield/script v0.24.1/go.mod h1:fv+6x4OzVsRs6qAlc7wiGq8fq1b5orhtQdtW0dwjUHI= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= 
@@ -79,10 +105,6 @@ github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg= github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY= github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q= github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -220,9 +242,6 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=