fleet/server/datastore/s3/s3.go

package s3

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
	"github.com/aws/aws-sdk-go/service/s3/s3manager"
	"github.com/fleetdm/fleet/v4/server/config"
)

const awsRegionHint = "us-east-1"

type s3store struct {
	s3client *s3.S3
	bucket   string
	prefix   string
}

// newS3store initializes an S3 Datastore
func newS3store(config config.S3Config) (*s3store, error) {
	conf := &aws.Config{}

	// Use default auth provire if no static credentials were provided
	if config.AccessKeyID != "" && config.SecretAccessKey != "" {
		conf.Credentials = credentials.NewStaticCredentials(
			config.AccessKeyID,
			config.SecretAccessKey,
			"",
		)
	}

	if config.EndpointURL != "" {
		conf.Endpoint = &config.EndpointURL
	}

	conf.DisableSSL = &config.DisableSSL
	conf.S3ForcePathStyle = &config.ForceS3PathStyle

	sess, err := session.NewSession(conf)
	if err != nil {
		return nil, fmt.Errorf("create S3 client: %w", err)
	}

	// Assume role if configured
	if config.StsAssumeRoleArn != "" {
		stscreds.NewCredentials(sess, config.StsAssumeRoleArn)
		creds := stscreds.NewCredentials(sess, config.StsAssumeRoleArn)
		conf.Credentials = creds
		sess, err = session.NewSession(conf)
		if err != nil {
			return nil, fmt.Errorf("create S3 client: %w", err)
		}
	}

	if len(config.Region) == 0 {
		region, err := s3manager.GetBucketRegion(context.TODO(), sess, config.Bucket, awsRegionHint)
		if err != nil {
			return nil, fmt.Errorf("create S3 client: %w", err)
		}
		config.Region = region
	}

	return &s3store{
		s3client: s3.New(sess, &aws.Config{Region: &config.Region}),
		bucket:   config.Bucket,
		prefix:   config.Prefix,
	}, nil
}

// CreateTestBucket creates a bucket with the provided name and a default
// bucket config. Only recommended for local testing.
func (s *s3store) CreateTestBucket(name string) error {
	_, err := s.s3client.CreateBucket(&s3.CreateBucketInput{
		Bucket:                    &name,
		CreateBucketConfiguration: &s3.CreateBucketConfiguration{},
	})

	// Don't error if the bucket already exists
	if aerr, ok := err.(awserr.Error); ok {
		switch aerr.Code() {
		case s3.ErrCodeBucketAlreadyExists, s3.ErrCodeBucketAlreadyOwnedByYou:
			return nil
		}
	}

	return err
}
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`package s3`

			`import (`
			`"context"`
Create errors with ctxerr, add the call to store them in redis (#2786) 2021-11-15 14:11:38 +00:00			`"fmt"`

Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`"github.com/aws/aws-sdk-go/aws"`
improve installerstore tool w/ better errors and bucket creation (#6685) This improves the installerstore CLI tool with: - The ability to create tests buckets for local development (otherwise you have to interact with another CLI or the MinIO UI) - Improved error handling and messaging. 2022-07-15 15:20:24 +00:00			`"github.com/aws/aws-sdk-go/aws/awserr"`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/credentials/stscreds"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/s3"`
			`"github.com/aws/aws-sdk-go/service/s3/s3manager"`
Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/config"`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`)`

			`const awsRegionHint = "us-east-1"`

add a new S3 datastore to retrieve pre-built packages (#6631) Related to #6365, this extends the datastore/s3 package to retrieve installers from S3 according to the conventions listed in the parent issue. This also includes: - A minor refactor to decouple Carves-related functionality from the core S3 functionality - Set-up to run tests using minio (only enabled via the FILE_STORAGE_TEST env flag) 2022-07-14 17:14:24 +00:00			`type s3store struct {`
			`s3client *s3.S3`
			`bucket string`
			`prefix string`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`}`

add a new S3 datastore to retrieve pre-built packages (#6631) Related to #6365, this extends the datastore/s3 package to retrieve installers from S3 according to the conventions listed in the parent issue. This also includes: - A minor refactor to decouple Carves-related functionality from the core S3 functionality - Set-up to run tests using minio (only enabled via the FILE_STORAGE_TEST env flag) 2022-07-14 17:14:24 +00:00			`// newS3store initializes an S3 Datastore`
			`func newS3store(config config.S3Config) (*s3store, error) {`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`conf := &aws.Config{}`

			`// Use default auth provire if no static credentials were provided`
			`if config.AccessKeyID != "" && config.SecretAccessKey != "" {`
			`conf.Credentials = credentials.NewStaticCredentials(`
			`config.AccessKeyID,`
			`config.SecretAccessKey,`
			`"",`
			`)`
			`}`

add support for minio backend file carving (#2448) * add support for minio backend file carving * add changes file Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2021-10-12 19:32:06 +00:00			`if config.EndpointURL != "" {`
			`conf.Endpoint = &config.EndpointURL`
			`}`

			`conf.DisableSSL = &config.DisableSSL`
			`conf.S3ForcePathStyle = &config.ForceS3PathStyle`

Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`sess, err := session.NewSession(conf)`
			`if err != nil {`
Create errors with ctxerr, add the call to store them in redis (#2786) 2021-11-15 14:11:38 +00:00			`return nil, fmt.Errorf("create S3 client: %w", err)`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`}`

			`// Assume role if configured`
			`if config.StsAssumeRoleArn != "" {`
			`stscreds.NewCredentials(sess, config.StsAssumeRoleArn)`
			`creds := stscreds.NewCredentials(sess, config.StsAssumeRoleArn)`
			`conf.Credentials = creds`
			`sess, err = session.NewSession(conf)`
			`if err != nil {`
Create errors with ctxerr, add the call to store them in redis (#2786) 2021-11-15 14:11:38 +00:00			`return nil, fmt.Errorf("create S3 client: %w", err)`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`}`
			`}`

add support for minio backend file carving (#2448) * add support for minio backend file carving * add changes file Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2021-10-12 19:32:06 +00:00			`if len(config.Region) == 0 {`
			`region, err := s3manager.GetBucketRegion(context.TODO(), sess, config.Bucket, awsRegionHint)`
			`if err != nil {`
Create errors with ctxerr, add the call to store them in redis (#2786) 2021-11-15 14:11:38 +00:00			`return nil, fmt.Errorf("create S3 client: %w", err)`
add support for minio backend file carving (#2448) * add support for minio backend file carving * add changes file Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2021-10-12 19:32:06 +00:00			`}`
			`config.Region = region`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`}`

add a new S3 datastore to retrieve pre-built packages (#6631) Related to #6365, this extends the datastore/s3 package to retrieve installers from S3 according to the conventions listed in the parent issue. This also includes: - A minor refactor to decouple Carves-related functionality from the core S3 functionality - Set-up to run tests using minio (only enabled via the FILE_STORAGE_TEST env flag) 2022-07-14 17:14:24 +00:00			`return &s3store{`
			`s3client: s3.New(sess, &aws.Config{Region: &config.Region}),`
			`bucket: config.Bucket,`
			`prefix: config.Prefix,`
Add AWS S3 as file carving backend (#126) This adds the option to set up an S3 bucket as the storage backend for file carving (partially solving #111). It works by using the multipart upload capabilities of S3 to maintain compatibility with the "upload in blocks" protocol that osquery uses. It does this basically replacing the carve_blocks table while still maintaining the metadata in the original place (it would probably be possible to rely completely on S3 by using object tagging at the cost of listing performance). To make this pluggable, I created a new field in the service struct dedicated to the CarveStore which, if no configuration for S3 is set up will be just a reference to the standard datastore, otherwise it will point to the S3 one (effectively this separation will allow in the future to add more backends). 2020-12-16 17:16:55 +00:00			`}, nil`
			`}`
improve installerstore tool w/ better errors and bucket creation (#6685) This improves the installerstore CLI tool with: - The ability to create tests buckets for local development (otherwise you have to interact with another CLI or the MinIO UI) - Improved error handling and messaging. 2022-07-15 15:20:24 +00:00
			`// CreateTestBucket creates a bucket with the provided name and a default`
			`// bucket config. Only recommended for local testing.`
			`func (s *s3store) CreateTestBucket(name string) error {`
			`_, err := s.s3client.CreateBucket(&s3.CreateBucketInput{`
			`Bucket: &name,`
			`CreateBucketConfiguration: &s3.CreateBucketConfiguration{},`
			`})`

			`// Don't error if the bucket already exists`
			`if aerr, ok := err.(awserr.Error); ok {`
			`switch aerr.Code() {`
			`case s3.ErrCodeBucketAlreadyExists, s3.ErrCodeBucketAlreadyOwnedByYou:`
			`return nil`
			`}`
			`}`

			`return err`
			`}`