mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-11-13 00:17:18 +00:00
64dd49f9ce
* add role assumption for s3 source * refactor role assumption to repeatable string user can pass array of roles to assume * refactor s3 chunks to handle passed roleARNs * add role-session name use timestamp to make dynamic * add docstring for rolearn strings() * make sure role ars are passed into source * refactor role assumption functionality break s3 bucket scanning into sep. function * add log check on assume role * fix role iteration - Make sure s3 struct is populated with roles - add separate new client instantiation for role-based access - iterates through each role * add comment * protobuf revert for merge * re-run make proto * lint cleanup * cleanup TODOs * drop redundant switch case in assumerole client * use less verbose 'ctx' designator * breakout functionality from Chunks - separate functions for: - enumerating buckets to scan - scanning objects within the buckets * remake protobuf defs * allow scan to continue on single bucket err * add readme docs * minor fixups
74 lines
2 KiB
Go
74 lines
2 KiB
Go
package engine
|
|
|
|
import (
|
|
"fmt"
|
|
"runtime"
|
|
|
|
"google.golang.org/protobuf/proto"
|
|
"google.golang.org/protobuf/types/known/anypb"
|
|
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/context"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/credentialspb"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/sources/s3"
|
|
)
|
|
|
|
// ScanS3 scans S3 buckets.
|
|
func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) error {
|
|
connection := &sourcespb.S3{
|
|
Credential: &sourcespb.S3_Unauthenticated{},
|
|
}
|
|
if c.CloudCred {
|
|
if len(c.Key) > 0 || len(c.Secret) > 0 || len(c.SessionToken) > 0 {
|
|
return fmt.Errorf("cannot use cloud environment and static credentials together")
|
|
}
|
|
connection.Credential = &sourcespb.S3_CloudEnvironment{}
|
|
}
|
|
if len(c.Key) > 0 && len(c.Secret) > 0 {
|
|
if len(c.SessionToken) > 0 {
|
|
connection.Credential = &sourcespb.S3_SessionToken{
|
|
SessionToken: &credentialspb.AWSSessionTokenSecret{
|
|
Key: c.Key,
|
|
Secret: c.Secret,
|
|
SessionToken: c.SessionToken,
|
|
},
|
|
}
|
|
} else {
|
|
connection.Credential = &sourcespb.S3_AccessKey{
|
|
AccessKey: &credentialspb.KeySecret{
|
|
Key: c.Key,
|
|
Secret: c.Secret,
|
|
},
|
|
}
|
|
}
|
|
}
|
|
if len(c.Buckets) > 0 {
|
|
connection.Buckets = c.Buckets
|
|
}
|
|
|
|
if len(c.Roles) > 0 {
|
|
connection.Roles = c.Roles
|
|
}
|
|
|
|
var conn anypb.Any
|
|
err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})
|
|
if err != nil {
|
|
ctx.Logger().Error(err, "failed to marshal S3 connection")
|
|
return err
|
|
}
|
|
|
|
handle, err := e.sourceManager.Enroll(ctx, "trufflehog - s3", new(s3.Source).Type(),
|
|
func(ctx context.Context, jobID, sourceID int64) (sources.Source, error) {
|
|
s3Source := s3.Source{}
|
|
if err := s3Source.Init(ctx, "trufflehog - s3", jobID, sourceID, true, &conn, runtime.NumCPU()); err != nil {
|
|
return nil, err
|
|
}
|
|
return &s3Source, nil
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = e.sourceManager.ScheduleRun(ctx, handle)
|
|
return err
|
|
}
|