auth/aws: AWS CodeCommit IAM authentication

auth/aws/provider.go

@@ -21,6 +21,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"net/http"
 	"os"
 	"regexp"
 	"strings"
@@ -32,14 +33,20 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	"github.com/aws/aws-sdk-go-v2/service/eks"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/smithy-go/aws-http-auth/credentials"
+	"github.com/aws/smithy-go/aws-http-auth/sigv4"
+	v4 "github.com/aws/smithy-go/aws-http-auth/v4"
 	"github.com/google/go-containerregistry/pkg/authn"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/fluxcd/pkg/auth"
 )
 
 // ProviderName is the name of the AWS authentication provider.
-const ProviderName = "aws"
+const (
+	ProviderName                       = "aws"
+	codeCommitCanonicalTimestampFormat = "20060102T150405"
+)
 
 // Provider implements the auth.Provider interface for AWS authentication.
 type Provider struct{ Implementation }
@@ -396,3 +403,81 @@ func (p Provider) impl() Implementation {
 	}
 	return p.Implementation
 }
+
+type signerHeaderHostOnly struct{}
+
+func (signerHeaderHostOnly) IsSigned(h string) bool {
+	return h == "host"
+}
+
+// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit.
+func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	gitURL := o.GitURL
+	if gitURL == nil {
+		return "", "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication")
+	}
+	if !strings.EqualFold(gitURL.Scheme, "https") {
+		return "", "", fmt.Errorf("AWS CodeCommit authentication requires an HTTPS Git URL")
+	}
+
+	urlSplit := strings.Split(gitURL.Hostname(), ".")
+
+	// https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git
+	if len(urlSplit) < 4 ||
+		!(strings.HasPrefix(gitURL.Hostname(), "git-codecommit.") || strings.HasPrefix(gitURL.Hostname(), "git-codecommit-fips.")) ||
+		!(strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com") || strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com.cn")) {
+		return "", "", fmt.Errorf("invalid AWS CodeCommit Git URL: %s", gitURL.Host)
+	}
+
+	region := urlSplit[1]
+	if len(accessTokens) == 0 {
+		return "", "", fmt.Errorf("AWS access token is required for region %q", region)
+	}
+
+	creds, ok := accessTokens[0].(*Credentials)
+	if !ok {
+		return "", "", fmt.Errorf("failed to cast token to AWS token: %T", accessTokens[0])
+	}
+
+	req, err := http.NewRequest("GIT", gitURL.String(), nil)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to build CodeCommit signing request: %w", err)
+	}
+	req.Host = gitURL.Host
+
+	signingTime := time.Now().UTC()
+
+	signer := sigv4.New(func(o *v4.SignerOptions) {
+		o.HeaderRules = signerHeaderHostOnly{}
+		o.DisableUnsignedPayloadSentinel = true
+		o.CanonicalTimeFormat = codeCommitCanonicalTimestampFormat
+	})
+	signInput := &sigv4.SignRequestInput{
+		Request: req,
+		Service: "codecommit",
+		Region:  region,
+		Credentials: credentials.Credentials{
+			AccessKeyID:     *creds.AccessKeyId,
+			SecretAccessKey: *creds.SecretAccessKey,
+			SessionToken:    *creds.SessionToken,
+			Expires:         *creds.Expiration,
+		},
+		Time: signingTime,
+	}
+
+	if err := signer.SignRequest(signInput); err != nil {
+		return "", "", fmt.Errorf("failed to sign request: %w", err)
+	}
+
+	authHeader := req.Header.Get("Authorization")
+	sigStart := strings.Index(authHeader, "Signature=")
+	signature := authHeader[sigStart+10:]
+
+	username := strings.Join([]string{*creds.AccessKeyId, *creds.SessionToken}, "%")
+	password := signingTime.Format(codeCommitCanonicalTimestampFormat) + "Z" + signature
+
+	return username, password, nil
+}

auth/aws/provider_test.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/aws"
+	"github.com/fluxcd/pkg/auth/generic"
 )
 
 func TestProvider_NewControllerToken(t *testing.T) {
@@ -536,3 +537,109 @@ func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
 
 	g.Expect(o.STSRegion).To(Equal("us-west-2"))
 }
+
+func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
+	invalidToken := &generic.Token{Token: "invalid", ExpiresAt: time.Now().Add(time.Hour)}
+	proxyUrl := url.URL{Scheme: "http", Host: "proxy.example.com"}
+	awsRegion := "us-east-1"
+	for _, tt := range []struct {
+		name             string
+		gitURL           string
+		getAccessToken   bool
+		accessTokens     []auth.Token
+		expectedUsername string
+		err              string
+	}{
+		{
+			name:             "valid CodeCommit URL",
+			gitURL:           "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:             "valid CodeCommit FIPS URL",
+			gitURL:           "https://git-codecommit-fips.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:             "valid CodeCommit China URL",
+			gitURL:           "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo",
+			getAccessToken:   true,
+			expectedUsername: "access-key-id%session-token",
+		},
+		{
+			name:           "missing Git URL",
+			getAccessToken: true,
+			err:            "Git URL must be specified for AWS CodeCommit authentication",
+		},
+		{
+			name:           "non HTTPS URL",
+			gitURL:         "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: true,
+			err:            "AWS CodeCommit authentication requires an HTTPS Git URL",
+		},
+		{
+			name:           "invalid CodeCommit URL",
+			gitURL:         "https://github.com/org/repo",
+			getAccessToken: true,
+			err:            "invalid AWS CodeCommit Git URL: github.com",
+		},
+		{
+			name:           "missing access token",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: false,
+			accessTokens:   []auth.Token{},
+			err:            `AWS access token is required for region "us-east-1"`,
+		},
+		{
+			name:           "invalid access token type",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			getAccessToken: false,
+			accessTokens:   []auth.Token{invalidToken},
+			err:            "failed to cast token to AWS token: *generic.Token",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:           t,
+				argRegion:   awsRegion,
+				argProxyURL: &proxyUrl,
+				returnCreds: awssdk.Credentials{AccessKeyID: "access-key-id", SecretAccessKey: "secret-access-key", SessionToken: "session-token"},
+			}
+
+			opts := []auth.Option{}
+			if tt.gitURL != "" {
+				gitURL, err := url.Parse(tt.gitURL)
+				g.Expect(err).NotTo(HaveOccurred())
+				opts = append(opts, auth.WithGitURL(*gitURL))
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			accessTokens := tt.accessTokens
+			if tt.getAccessToken {
+				accessToken, err := auth.GetAccessToken(context.Background(), provider,
+					auth.WithSTSRegion(awsRegion),
+					auth.WithProxyURL(proxyUrl),
+				)
+				g.Expect(err).NotTo(HaveOccurred())
+				accessTokens = []auth.Token{accessToken}
+			}
+
+			username, password, err := provider.NewCodeCommitGitCredentials(context.Background(), accessTokens, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(username).To(Equal(tt.expectedUsername))
+				g.Expect(password).To(MatchRegexp(`^[0-9]{8}T[0-9]{6}Z[0-9a-f]{64}$`))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(username).To(BeEmpty())
+				g.Expect(password).To(BeEmpty())
+			}
+		})
+	}
+}

auth/go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.9
 	github.com/aws/aws-sdk-go-v2/service/eks v1.77.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
+	github.com/aws/smithy-go/aws-http-auth v1.1.3
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/fluxcd/pkg/apis/meta v1.26.0
 	github.com/fluxcd/pkg/cache v0.13.0

auth/go.sum

@@ -56,6 +56,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
 github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
 github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/smithy-go/aws-http-auth v1.1.3 h1:8/T7/2n8x+x9sIAmi5h5mDKS8v7/u2GEpF6T6RrGMrc=
+github.com/aws/smithy-go/aws-http-auth v1.1.3/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=

auth/options.go

@@ -42,6 +42,7 @@ type Options struct {
 	STSRegion               string
 	STSEndpoint             string
 	ProxyURL                *url.URL
+	GitURL                  *url.URL
 	CAData                  string
 	ClusterResource         string
 	ClusterAddress          string
@@ -122,6 +123,13 @@ func WithProxyURL(proxyURL url.URL) Option {
 	}
 }
 
+// WithGitURL sets the Git repository URL used by Git credential providers.
+func WithGitURL(gitURL url.URL) Option {
+	return func(o *Options) {
+		o.GitURL = &gitURL
+	}
+}
+
 // WithCAData sets the CA data for credentials that require a CA,
 // e.g. for Kubernetes REST config.
 func WithCAData(caData string) Option {

auth/utils/git.go

@@ -22,6 +22,7 @@ import (
 	"slices"
 
 	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/aws"
 	"github.com/fluxcd/pkg/auth/azure"
 )
 
@@ -46,6 +47,22 @@ func GetGitCredentials(ctx context.Context, providerName string, opts ...auth.Op
 		return &GitCredentials{
 			BearerToken: token.(*azure.Token).Token,
 		}, nil
+	case aws.ProviderName:
+		provider := aws.Provider{}
+		awsOpts := slices.Clone(opts)
+		token, err := auth.GetAccessToken(ctx, provider, awsOpts...)
+		if err != nil {
+			return nil, err
+		}
+
+		username, password, err := provider.NewCodeCommitGitCredentials(ctx, []auth.Token{token}, awsOpts...)
+		if err != nil {
+			return nil, err
+		}
+		return &GitCredentials{
+			Username: username,
+			Password: password,
+		}, nil
 	default:
 		return nil, fmt.Errorf("provider '%s' does not support Git credentials", providerName)
 	}

auth/utils/git_test.go

@@ -18,11 +18,14 @@ package utils_test
 
 import (
 	"context"
+	"fmt"
+	"net/url"
 	"testing"
 	"time"
 
 	. "github.com/onsi/gomega"
 
+	"github.com/fluxcd/pkg/auth"
 	authutils "github.com/fluxcd/pkg/auth/utils"
 )
 
@@ -44,4 +47,17 @@ func TestGetGitCredentials(t *testing.T) {
 		g.Expect(err.Error()).To(Equal("provider 'unknown' does not support Git credentials"))
 		g.Expect(p).To(BeNil())
 	})
+
+	t.Run("aws", func(t *testing.T) {
+		g := NewWithT(t)
+		region := "us-east-1"
+		t.Setenv("AWS_REGION", region)
+		u, err := url.Parse(fmt.Sprintf("https://git-codecommit.%s.amazonaws.com/v1/repos/repo-name", region))
+		g.Expect(err).ToNot(HaveOccurred())
+		opts := []auth.Option{auth.WithGitURL(*u)}
+		p, err := authutils.GetGitCredentials(context.Background(), "aws", opts...)
+		g.Expect(err).To(HaveOccurred())
+		g.Expect(err.Error()).To(ContainSubstring("failed to create provider access token"))
+		g.Expect(p).To(BeNil())
+	})
 }

tests/integration/Dockerfile

@@ -1,7 +1,7 @@
 # Using scratch base image results in `x509: certificate signed by unknown
 # authority` error.
 # Use alpine to include the necessary certificates.
-FROM alpine:3.16
+FROM alpine:3.23
 
 COPY app .
 

tests/integration/Makefile

@@ -21,6 +21,9 @@ test:
 test-aws:
 	$(MAKE) test PROVIDER_ARG="-provider aws"
 
+test-aws-git:
+	$(MAKE) test PROVIDER_ARG="-provider aws" GO_TEST_PREFIX="TestGit"
+
 test-azure:
 	$(MAKE) test PROVIDER_ARG="-provider azure"
 

tests/integration/README.md

@@ -49,7 +49,7 @@ metadata:
 ### Amazon Web Services
 
 - AWS account with access key ID and secret access key with permissions to
-    create EKS cluster and ECR repository.
+    create EKS cluster, ECR and a CodeCommit repositories.
 - AWS CLI v2.x, does not need to be configured with the AWS account.
 - Docker CLI for registry login.
 - kubectl for applying certain install manifests.
@@ -68,6 +68,13 @@ provisioning the infrastructure and running the tests:
             "Sid": "testinfra",
             "Effect": "Allow",
             "Action": [
+                "codecommit:CreateRepository",
+                "codecommit:DeleteRepository",
+                "codecommit:GetRepository",
+                "codecommit:TagResource",
+                "codecommit:UntagResource",
+                "codecommit:GitPull",
+                "codecommit:GitPush",
                 "ec2:AllocateAddress",
                 "ec2:AssociateRouteTable",
                 "ec2:AttachInternetGateway",
@@ -213,6 +220,13 @@ module "aws_gh_actions" {
   aws_policy_name        = "oci-e2e"
   aws_policy_description = "policy for OCI e2e tests"
   aws_provision_perms = [
+    "codecommit:CreateRepository",
+    "codecommit:DeleteRepository",
+    "codecommit:GetRepository",
+    "codecommit:TagResource",
+    "codecommit:UntagResource",
+    "codecommit:GitPull",
+    "codecommit:GitPush",
     "ec2:AllocateAddress",
     "ec2:AssociateRouteTable",
     "ec2:AttachInternetGateway",