[WIP] S3 access method for OCM

docs/reference/ocm_credentials_get.md

@@ -23,6 +23,7 @@ For the following usage contexts with matchers and standard identity matchers ex
 
   - <code>OCIRegistry</code>: OCI registry credential matcher
   - <code>exact</code>: exact match of given pattern set
+  - <code>hostpath</code>: Host and path based credential matcher
   - <code>partial</code>: complete match of given pattern ignoring additional attributes
 
 The used matcher is derived from the consumer attribute <code>type</code>.

docs/reference/ocm_get_credentials.md

@@ -23,6 +23,7 @@ For the following usage contexts with matchers and standard identity matchers ex
 
   - <code>OCIRegistry</code>: OCI registry credential matcher
   - <code>exact</code>: exact match of given pattern set
+  - <code>hostpath</code>: Host and path based credential matcher
   - <code>partial</code>: complete match of given pattern ignoring additional attributes
 
 The used matcher is derived from the consumer attribute <code>type</code>.

go.mod

@@ -29,11 +29,17 @@ require (
 
 require (
 	github.com/Masterminds/semver/v3 v3.1.1
+	github.com/aws/aws-sdk-go-v2 v1.16.8
+	github.com/aws/aws-sdk-go-v2/config v1.15.15
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.10
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.21
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2
 	github.com/containerd/containerd v1.6.6
 	github.com/containers/image/v5 v5.20.0
 	github.com/docker/go-connections v0.4.0
 	github.com/drone/envsubst v1.0.3
 	github.com/golang/mock v1.6.0
+	github.com/google/go-github/v45 v45.2.0
 	github.com/klauspost/compress v1.14.4
 	github.com/klauspost/pgzip v1.2.5
 	github.com/mandelsoft/vfs v0.0.0-20220401225935-42c25028b498
@@ -43,6 +49,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/ulikunitz/xz v0.5.10
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
+	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f
 	golang.org/x/text v0.3.7
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.8.2
@@ -51,6 +58,19 @@ require (
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.10 // indirect
+	github.com/aws/smithy-go v1.12.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a // indirect
@@ -65,10 +85,12 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -92,6 +114,7 @@ require (
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
 	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect

pkg/contexts/credentials/const.go

@@ -19,11 +19,14 @@ import (
 )
 
 const (
-	CONSUMER_ATTR_TYPE  = core.CONSUMER_ATTR_TYPE
-	ATTR_TYPE           = core.ATTR_TYPE
-	ATTR_USERNAME       = core.ATTR_USERNAME
-	ATTR_PASSWORD       = core.ATTR_PASSWORD
-	ATTR_SERVER_ADDRESS = core.ATTR_SERVER_ADDRESS
-	ATTR_IDENTITY_TOKEN = core.ATTR_IDENTITY_TOKEN
-	ATTR_REGISTRY_TOKEN = core.ATTR_REGISTRY_TOKEN
+	CONSUMER_ATTR_TYPE         = core.CONSUMER_ATTR_TYPE
+	ATTR_TYPE                  = core.ATTR_TYPE
+	ATTR_USERNAME              = core.ATTR_USERNAME
+	ATTR_PASSWORD              = core.ATTR_PASSWORD
+	ATTR_SERVER_ADDRESS        = core.ATTR_SERVER_ADDRESS
+	ATTR_IDENTITY_TOKEN        = core.ATTR_IDENTITY_TOKEN
+	ATTR_REGISTRY_TOKEN        = core.ATTR_REGISTRY_TOKEN
+	ATTR_TOKEN                 = core.ATTR_TOKEN
+	ATTR_AWS_ACCESS_KEY_ID     = core.ATTR_AWS_ACCESS_KEY_ID
+	ATTR_AWS_SECRET_ACCESS_KEY = core.ATTR_AWS_SECRET_ACCESS_KEY
 )

pkg/contexts/credentials/core/const.go

@@ -15,11 +15,14 @@
 package core
 
 const (
-	CONSUMER_ATTR_TYPE  = ATTR_TYPE
-	ATTR_TYPE           = "type"
-	ATTR_USERNAME       = "username"
-	ATTR_PASSWORD       = "password"
-	ATTR_SERVER_ADDRESS = "serverAddress"
-	ATTR_IDENTITY_TOKEN = "identityToken"
-	ATTR_REGISTRY_TOKEN = "registryToken"
+	CONSUMER_ATTR_TYPE         = ATTR_TYPE
+	ATTR_TYPE                  = "type"
+	ATTR_USERNAME              = "username"
+	ATTR_PASSWORD              = "password"
+	ATTR_SERVER_ADDRESS        = "serverAddress"
+	ATTR_IDENTITY_TOKEN        = "identityToken"
+	ATTR_REGISTRY_TOKEN        = "registryToken"
+	ATTR_TOKEN                 = "token"
+	ATTR_AWS_ACCESS_KEY_ID     = "awsAccessKeyID"
+	ATTR_AWS_SECRET_ACCESS_KEY = "awsSecretAccessKey"
 )

pkg/contexts/credentials/identity/hostpath/id_test.go

@@ -0,0 +1,165 @@
+// Copyright 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package hostpath_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/core"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/identity/hostpath"
+)
+
+func IdentityMatcher(pattern, cur, id core.ConsumerIdentity) bool {
+	return hostpath.IdentityMatcher("OCIRegistry")(pattern, cur, id)
+}
+
+var _ = Describe("ctf management", func() {
+
+	Context("with path", func() {
+		pat := credentials.ConsumerIdentity{
+			hostpath.ID_HOSTNAME:   "host",
+			hostpath.ID_PATHPREFIX: "a/b",
+			hostpath.ID_PORT:       "4711",
+		}
+
+		It("complete", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "a/b",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, id, id)).To(BeFalse())
+		})
+
+		It("path prefix", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "a",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("different prefix", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "b",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("longer prefix", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "a/b/c",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("missing path", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME: "host",
+				hostpath.ID_PORT:     "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("missing port", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "a/b",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+
+			Expect(IdentityMatcher(id, nil, pat)).To(BeTrue()) // accept additional port as fallback
+			Expect(IdentityMatcher(id, id, pat)).To(BeFalse()) // but not to replace more general match
+		})
+		It("different port", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PATHPREFIX: "a/b",
+				hostpath.ID_PORT:       "0815",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+
+		It("different host", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "other",
+				hostpath.ID_PATHPREFIX: "a/b",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("no host", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_PATHPREFIX: "a/b",
+				hostpath.ID_PORT:       "4711",
+			}
+			Expect(IdentityMatcher(id, nil, pat)).To(BeTrue())
+			Expect(IdentityMatcher(pat, id, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, id, pat)).To(BeTrue())
+		})
+	})
+
+	Context("without path", func() {
+		pat := credentials.ConsumerIdentity{
+			hostpath.ID_HOSTNAME: "host",
+			hostpath.ID_PORT:     "4711",
+		}
+
+		It("complete", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME: "host",
+				hostpath.ID_PORT:     "4711",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, id, id)).To(BeFalse())
+		})
+
+		It("different prefix", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME:   "host",
+				hostpath.ID_PORT:       "4711",
+				hostpath.ID_PATHPREFIX: "b",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("missing port", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME: "host",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeTrue())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+		It("different port", func() {
+			id := credentials.ConsumerIdentity{
+				hostpath.ID_HOSTNAME: "host",
+				hostpath.ID_PORT:     "0815",
+			}
+			Expect(IdentityMatcher(pat, nil, id)).To(BeFalse())
+			Expect(IdentityMatcher(pat, pat, id)).To(BeFalse())
+		})
+	})
+
+})

pkg/contexts/credentials/identity/hostpath/identity.go

@@ -0,0 +1,93 @@
+// Copyright 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package hostpath
+
+import (
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/core"
+	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
+	"strings"
+)
+
+// IDENTITY_TYPE is the identity of this matcher.
+const IDENTITY_TYPE = "hostpath"
+
+// ID_HOSTNAME is a hostname.
+const ID_HOSTNAME = "hostname"
+
+// ID_PORT is a port.
+const ID_PORT = "port"
+
+// ID_PATHPREFIX is the path prefix below the host.
+const ID_PATHPREFIX = "pathprefix"
+
+func init() {
+	cpi.RegisterIdentityMatcher(IDENTITY_TYPE, IdentityMatcher(""), "Host and path based credential matcher")
+}
+
+func IdentityMatcher(identityType string) cpi.IdentityMatcher {
+	return func(pattern, cur, id core.ConsumerIdentity) bool {
+		if identityType != "" && pattern[identityType] != "" && id[identityType] != "" && pattern[identityType] != id[identityType] {
+			return false
+		}
+		if pattern[ID_HOSTNAME] != "" && pattern[ID_HOSTNAME] != id[ID_HOSTNAME] {
+			return false
+		}
+
+		if pattern[ID_PORT] != "" {
+			if id[ID_PORT] != "" && id[ID_PORT] != pattern[ID_PORT] {
+				return false
+			}
+		}
+
+		if pattern[ID_PATHPREFIX] != "" {
+			if id[ID_PATHPREFIX] != "" {
+				if len(id[ID_PATHPREFIX]) > len(pattern[ID_PATHPREFIX]) {
+					return false
+				}
+				pcomps := strings.Split(pattern[ID_PATHPREFIX], "/")
+				icomps := strings.Split(id[ID_PATHPREFIX], "/")
+				if len(icomps) > len(pcomps) {
+					return false
+				}
+				for i := range icomps {
+					if pcomps[i] != icomps[i] {
+						return false
+					}
+				}
+			}
+		} else {
+			if id[ID_PATHPREFIX] != "" {
+				return false
+			}
+		}
+
+		// ok now it basically matches, check against current match
+		if len(cur) == 0 {
+			return true
+		}
+
+		if cur[ID_HOSTNAME] == "" && id[ID_HOSTNAME] != "" {
+			return true
+		}
+		if cur[ID_PORT] == "" && (id[ID_PORT] != "" && pattern[ID_PORT] != "") {
+			return true
+		}
+
+		if len(cur[ID_PATHPREFIX]) < len(id[ID_PATHPREFIX]) {
+			return true
+		}
+		return false
+	}
+}