trufflehog/pkg/engine/s3.go

package engine

import (
	"fmt"
	"runtime"

	"google.golang.org/protobuf/proto"
	"google.golang.org/protobuf/types/known/anypb"

	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"
	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
	"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/s3"
)

// ScanS3 scans S3 buckets.
func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) error {
	connection := &sourcespb.S3{
		Credential: &sourcespb.S3_Unauthenticated{},
	}
	if c.CloudCred {
		if len(c.Key) > 0 || len(c.Secret) > 0 || len(c.SessionToken) > 0 {
			return fmt.Errorf("cannot use cloud environment and static credentials together")
		}
		connection.Credential = &sourcespb.S3_CloudEnvironment{}
	}
	if len(c.Key) > 0 && len(c.Secret) > 0 {
		if len(c.SessionToken) > 0 {
			connection.Credential = &sourcespb.S3_SessionToken{
				SessionToken: &credentialspb.AWSSessionTokenSecret{
					Key:          c.Key,
					Secret:       c.Secret,
					SessionToken: c.SessionToken,
				},
			}
		} else {
			connection.Credential = &sourcespb.S3_AccessKey{
				AccessKey: &credentialspb.KeySecret{
					Key:    c.Key,
					Secret: c.Secret,
				},
			}
		}
	}
	if len(c.Buckets) > 0 {
		connection.Buckets = c.Buckets
	}

	if len(c.Roles) > 0 {
		connection.Roles = c.Roles
	}

	var conn anypb.Any
	err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})
	if err != nil {
		ctx.Logger().Error(err, "failed to marshal S3 connection")
		return err
	}

	sourceName := "trufflehog - s3"
	sourceID, jobID, _ := e.sourceManager.GetIDs(ctx, sourceName, s3.SourceType)

	s3Source := &s3.Source{}
	if err := s3Source.Init(ctx, sourceName, jobID, sourceID, true, &conn, runtime.NumCPU()); err != nil {
		return err
	}
	_, err = e.sourceManager.Run(ctx, sourceName, s3Source)
	return err
}
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`package engine`

			`import (`
			`"fmt"`
Refactor Engine to wait for workers in a Finish method (#581) * Refactor Engine to wait for workers in a Finish method This should allow the engine to run multiple concurrent scans if desired before shutting down. Additionally, this commit refactors some of the printing logic to the output package. * Fix tests 2022-05-25 16:35:44 +00:00			`"runtime"`

[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`"google.golang.org/protobuf/proto"`
			`"google.golang.org/protobuf/types/known/anypb"`

Add common sentry recover library and add into goroutines (#738) * Add common sentry recover library and add into goroutines * fix nits 2022-08-29 18:45:37 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/context"`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"`
			`"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"`
[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/sources"`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/sources/s3"`
			`)`

[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`// ScanS3 scans S3 buckets.`
[chore] - Remove monolithic config struct (#1091) * REmove monolithic config struct. * fix broken test. 2023-02-10 20:43:00 +00:00			`func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) error {`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`connection := &sourcespb.S3{`
			`Credential: &sourcespb.S3_Unauthenticated{},`
			`}`
[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`if c.CloudCred {`
Resolve #1167 by adding support for the AWS_SESSION_TOKEN (#1170) * Resolve #1167 by adding support for the AWS_SESSION_TOKEN environment variable and adding a --session-token cli arg * fix error message --------- Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2023-04-03 21:56:43 +00:00			`if len(c.Key) > 0 \|\| len(c.Secret) > 0 \|\| len(c.SessionToken) > 0 {`
			`return fmt.Errorf("cannot use cloud environment and static credentials together")`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`}`
			`connection.Credential = &sourcespb.S3_CloudEnvironment{}`
			`}`
[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`if len(c.Key) > 0 && len(c.Secret) > 0 {`
Resolve #1167 by adding support for the AWS_SESSION_TOKEN (#1170) * Resolve #1167 by adding support for the AWS_SESSION_TOKEN environment variable and adding a --session-token cli arg * fix error message --------- Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2023-04-03 21:56:43 +00:00			`if len(c.SessionToken) > 0 {`
			`connection.Credential = &sourcespb.S3_SessionToken{`
			`SessionToken: &credentialspb.AWSSessionTokenSecret{`
			`Key: c.Key,`
			`Secret: c.Secret,`
			`SessionToken: c.SessionToken,`
			`},`
			`}`
			`} else {`
			`connection.Credential = &sourcespb.S3_AccessKey{`
			`AccessKey: &credentialspb.KeySecret{`
			`Key: c.Key,`
			`Secret: c.Secret,`
			`},`
			`}`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`}`
			`}`
[Thog-371] Utilize config struct for engine scans (#700) * Use a config struct when scanning and engine source. * fix tests. * Move test_helpers to the sources pkg. * Handle ScanGit error in tests. * adderss comments. * Use functional options. * Remove temp var. * Add better var names for the setup functions for each config. * Remove unused var. * fix error logs. * fix error logs. * single line. * remove blank lines. 2022-08-10 17:11:13 +00:00			`if len(c.Buckets) > 0 {`
			`connection.Buckets = c.Buckets`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`}`
add role assumption for s3 source (#1477) * add role assumption for s3 source * refactor role assumption to repeatable string user can pass array of roles to assume * refactor s3 chunks to handle passed roleARNs * add role-session name use timestamp to make dynamic * add docstring for rolearn strings() * make sure role ars are passed into source * refactor role assumption functionality break s3 bucket scanning into sep. function * add log check on assume role * fix role iteration - Make sure s3 struct is populated with roles - add separate new client instantiation for role-based access - iterates through each role * add comment * protobuf revert for merge * re-run make proto * lint cleanup * cleanup TODOs * drop redundant switch case in assumerole client * use less verbose 'ctx' designator * breakout functionality from Chunks - separate functions for: - enumerating buckets to scan - scanning objects within the buckets * remake protobuf defs * allow scan to continue on single bucket err * add readme docs * minor fixups 2023-08-18 00:30:20 +00:00
			`if len(c.Roles) > 0 {`
			`connection.Roles = c.Roles`
			`}`

Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`var conn anypb.Any`
			`err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})`
			`if err != nil {`
[chore] Remove logrus from engine package (#1085) 2023-02-09 22:55:19 +00:00			`ctx.Logger().Error(err, "failed to marshal S3 connection")`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`return err`
			`}`

Refactor SourceManager to remove Enrollment (#1740) * Refactor SourceManager to remove Enrollment Initializing the Source will be the responsibility of the caller. The SourceManager exposes a GetIDs method for getting a source and job ID. * Update tests * Update engine usage * Update apiClient interface to have one GetIDs method * Update SourceManager usage in engine 2023-09-12 23:58:38 +00:00			`sourceName := "trufflehog - s3"`
Add a SourceType constant to all source packages (#1768) 2023-09-13 00:23:25 +00:00			`sourceID, jobID, _ := e.sourceManager.GetIDs(ctx, sourceName, s3.SourceType)`
Refactor SourceManager to remove Enrollment (#1740) * Refactor SourceManager to remove Enrollment Initializing the Source will be the responsibility of the caller. The SourceManager exposes a GetIDs method for getting a source and job ID. * Update tests * Update engine usage * Update apiClient interface to have one GetIDs method * Update SourceManager usage in engine 2023-09-12 23:58:38 +00:00
			`s3Source := &s3.Source{}`
Update Source interface to use SourceID and JobID types (#1774) The previous implementation used int64 for both, which can be mixed up easily. Using distinct types adds a layer of type safety checked by the compiler. 2023-09-14 18:28:24 +00:00			`if err := s3Source.Init(ctx, sourceName, jobID, sourceID, true, &conn, runtime.NumCPU()); err != nil {`
Use SourceManager in engine (#1586) * Add SourceManager to Engine struct * Update Engine methods to use the SourceManager * Fix GCS test The original was testing that `Init()` errors weren't surfaced in `Finish()`, but the `SourceManager` changed that behavior. * JobProgress race fixes * Add contextual values * Remove unused code * Add debug logs * Rename WithConcurrency to WithConcurrentSources * Always forward chunks to the output chunks channel 2023-08-03 18:36:30 +00:00			`return err`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`}`
Refactor SourceManager to remove Enrollment (#1740) * Refactor SourceManager to remove Enrollment Initializing the Source will be the responsibility of the caller. The SourceManager exposes a GetIDs method for getting a source and job ID. * Update tests * Update engine usage * Update apiClient interface to have one GetIDs method * Update SourceManager usage in engine 2023-09-12 23:58:38 +00:00			`_, err = e.sourceManager.Run(ctx, sourceName, s3Source)`
Use SourceManager in engine (#1586) * Add SourceManager to Engine struct * Update Engine methods to use the SourceManager * Fix GCS test The original was testing that `Init()` errors weren't surfaced in `Finish()`, but the `SourceManager` changed that behavior. * JobProgress race fixes * Add contextual values * Remove unused code * Add debug logs * Rename WithConcurrency to WithConcurrentSources * Always forward chunks to the output chunks channel 2023-08-03 18:36:30 +00:00			`return err`
Add s3 support to CLI (#76) * Add s3 support to CLI * Clean up comments Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2022-03-15 00:07:07 +00:00			`}`