From 3f3fbf1111df1be61bd7e42f25d0a73fb7d98cd2 Mon Sep 17 00:00:00 2001
From: abhay084 <abhay.ganvir@harness.io>
Date: Thu, 19 Sep 2024 01:11:53 +0530
Subject: [PATCH 1/2] fix: [CI-14134]: fix cross account access

---
 plugin.go | 105 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 55 insertions(+), 50 deletions(-)

diff --git a/plugin.go b/plugin.go
index 4b461e7..9fdea61 100644
--- a/plugin.go
+++ b/plugin.go
@@ -99,7 +99,7 @@ type Plugin struct {
 	// set externalID for assume role
 	ExternalID string
 
-	// set OIDC ID Token to retrieve temporary credentials 
+	// set OIDC ID Token to retrieve temporary credentials
 	IdToken string
 }
 
@@ -434,55 +434,60 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error {
 
 // createS3Client creates and returns an S3 client based on the plugin configuration
 func (p *Plugin) createS3Client() *s3.S3 {
-    conf := &aws.Config{
-        Region:           aws.String(p.Region),
-        Endpoint:         &p.Endpoint,
-        DisableSSL:       aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
-        S3ForcePathStyle: aws.Bool(p.PathStyle),
-    }
-
-    sess, err := session.NewSession(conf)
-    if err != nil {
-        log.Fatalf("failed to create AWS session: %v", err)
-    }
-
-    if p.Key != "" && p.Secret != "" {
-        conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
-    } else if p.IdToken != "" && p.AssumeRole != "" {
-        creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
-        if err != nil {
-            log.Fatalf("failed to assume role with web identity: %v", err)
-        }
-        conf.Credentials = creds
-    } else if p.AssumeRole != "" {
-        conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
-    } else {
-        log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
-    }
-
-    client := s3.New(sess, conf)
-
-    if len(p.UserRoleArn) > 0 {
-        confRoleArn := aws.Config{
-            Region:      aws.String(p.Region),
-            Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
-        }
-        client = s3.New(sess, &confRoleArn)
-    }
-
-    return client
+	conf := &aws.Config{
+		Region:           aws.String(p.Region),
+		Endpoint:         &p.Endpoint,
+		DisableSSL:       aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
+		S3ForcePathStyle: aws.Bool(p.PathStyle),
+	}
+
+	sess, err := session.NewSession(conf)
+	if err != nil {
+		log.Fatalf("failed to create AWS session: %v", err)
+	}
+
+	if p.Key != "" && p.Secret != "" {
+		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
+	} else if p.IdToken != "" && p.AssumeRole != "" {
+		creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
+		if err != nil {
+			log.Fatalf("failed to assume role with web identity: %v", err)
+		}
+		conf.Credentials = creds
+	} else if p.AssumeRole != "" {
+		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
+	} else {
+		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
+	}
+
+	sess, err = session.NewSession(conf)
+	if err != nil {
+		log.Fatalf("failed to create AWS session: %v", err)
+	}
+
+	client := s3.New(sess, conf)
+
+	if len(p.UserRoleArn) > 0 {
+		confRoleArn := aws.Config{
+			Region:      aws.String(p.Region),
+			Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
+		}
+		client = s3.New(sess, &confRoleArn)
+	}
+
+	return client
 }
 
 func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName, idToken string) (*credentials.Credentials, error) {
-    svc := sts.New(sess)
-    input := &sts.AssumeRoleWithWebIdentityInput{
-        RoleArn:          aws.String(roleArn),
-        RoleSessionName:  aws.String(roleSessionName),
-        WebIdentityToken: aws.String(idToken),
-    }
-    result, err := svc.AssumeRoleWithWebIdentity(input)
-    if err != nil {
-        log.Fatalf("failed to assume role with web identity: %v", err)
-    }
-    return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
-}
\ No newline at end of file
+	svc := sts.New(sess)
+	input := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          aws.String(roleArn),
+		RoleSessionName:  aws.String(roleSessionName),
+		WebIdentityToken: aws.String(idToken),
+	}
+	result, err := svc.AssumeRoleWithWebIdentity(input)
+	if err != nil {
+		log.Fatalf("failed to assume role with web identity: %v", err)
+	}
+	return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
+}

From 4529172f8066c2fb5e966f8c41185cc8253cac28 Mon Sep 17 00:00:00 2001
From: abhay084 <abhay.ganvir@harness.io>
Date: Thu, 19 Sep 2024 01:13:10 +0530
Subject: [PATCH 2/2] fix: [CI-14134]: fix cross account access

---
 plugin.go | 100 +++++++++++++++++++++++++++---------------------------
 1 file changed, 50 insertions(+), 50 deletions(-)

diff --git a/plugin.go b/plugin.go
index 9fdea61..db5757e 100644
--- a/plugin.go
+++ b/plugin.go
@@ -99,7 +99,7 @@ type Plugin struct {
 	// set externalID for assume role
 	ExternalID string
 
-	// set OIDC ID Token to retrieve temporary credentials
+	// set OIDC ID Token to retrieve temporary credentials 
 	IdToken string
 }
 
@@ -434,60 +434,60 @@ func (p *Plugin) downloadS3Objects(client *s3.S3, sourceDir string) error {
 
 // createS3Client creates and returns an S3 client based on the plugin configuration
 func (p *Plugin) createS3Client() *s3.S3 {
-	conf := &aws.Config{
-		Region:           aws.String(p.Region),
-		Endpoint:         &p.Endpoint,
-		DisableSSL:       aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
-		S3ForcePathStyle: aws.Bool(p.PathStyle),
-	}
-
-	sess, err := session.NewSession(conf)
-	if err != nil {
-		log.Fatalf("failed to create AWS session: %v", err)
-	}
-
-	if p.Key != "" && p.Secret != "" {
-		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
-	} else if p.IdToken != "" && p.AssumeRole != "" {
-		creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
-		if err != nil {
-			log.Fatalf("failed to assume role with web identity: %v", err)
-		}
-		conf.Credentials = creds
-	} else if p.AssumeRole != "" {
-		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
-	} else {
-		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
-	}
+    conf := &aws.Config{
+        Region:           aws.String(p.Region),
+        Endpoint:         &p.Endpoint,
+        DisableSSL:       aws.Bool(strings.HasPrefix(p.Endpoint, "http://")),
+        S3ForcePathStyle: aws.Bool(p.PathStyle),
+    }
+
+    sess, err := session.NewSession(conf)
+    if err != nil {
+        log.Fatalf("failed to create AWS session: %v", err)
+    }
+
+    if p.Key != "" && p.Secret != "" {
+        conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
+    } else if p.IdToken != "" && p.AssumeRole != "" {
+        creds, err := assumeRoleWithWebIdentity(sess, p.AssumeRole, p.AssumeRoleSessionName, p.IdToken)
+        if err != nil {
+            log.Fatalf("failed to assume role with web identity: %v", err)
+        }
+        conf.Credentials = creds
+    } else if p.AssumeRole != "" {
+        conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
+    } else {
+        log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
+    }
 
 	sess, err = session.NewSession(conf)
-	if err != nil {
-		log.Fatalf("failed to create AWS session: %v", err)
-	}
+    if err != nil {
+        log.Fatalf("failed to create AWS session: %v", err)
+    }
 
-	client := s3.New(sess, conf)
+    client := s3.New(sess, conf)
 
-	if len(p.UserRoleArn) > 0 {
-		confRoleArn := aws.Config{
-			Region:      aws.String(p.Region),
-			Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
-		}
-		client = s3.New(sess, &confRoleArn)
-	}
+    if len(p.UserRoleArn) > 0 {
+        confRoleArn := aws.Config{
+            Region:      aws.String(p.Region),
+            Credentials: stscreds.NewCredentials(sess, p.UserRoleArn),
+        }
+        client = s3.New(sess, &confRoleArn)
+    }
 
-	return client
+    return client
 }
 
 func assumeRoleWithWebIdentity(sess *session.Session, roleArn, roleSessionName, idToken string) (*credentials.Credentials, error) {
-	svc := sts.New(sess)
-	input := &sts.AssumeRoleWithWebIdentityInput{
-		RoleArn:          aws.String(roleArn),
-		RoleSessionName:  aws.String(roleSessionName),
-		WebIdentityToken: aws.String(idToken),
-	}
-	result, err := svc.AssumeRoleWithWebIdentity(input)
-	if err != nil {
-		log.Fatalf("failed to assume role with web identity: %v", err)
-	}
-	return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
-}
+    svc := sts.New(sess)
+    input := &sts.AssumeRoleWithWebIdentityInput{
+        RoleArn:          aws.String(roleArn),
+        RoleSessionName:  aws.String(roleSessionName),
+        WebIdentityToken: aws.String(idToken),
+    }
+    result, err := svc.AssumeRoleWithWebIdentity(input)
+    if err != nil {
+        log.Fatalf("failed to assume role with web identity: %v", err)
+    }
+    return credentials.NewStaticCredentials(*result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken), nil
+}
\ No newline at end of file