-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy patharn.go
97 lines (84 loc) · 2.09 KB
/
arn.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package alicloud
import (
"errors"
"fmt"
"strings"
)
func parseARN(a string) (*arn, error) {
if a == "" {
return nil, errors.New("no arn provided")
}
// Example: "acs:ram::5138828231865461:assumed-role/elk/vm-ram-i-rj978rorvlg76urhqh7q"
parsed := &arn{
Full: a,
}
outerFields := strings.Split(a, ":")
if len(outerFields) != 5 {
return nil, fmt.Errorf("unrecognized arn: contains %d colon-separated fields, expected 5", len(outerFields))
}
if outerFields[0] != "acs" {
return nil, errors.New(`unrecognized arn: does not begin with "acs:"`)
}
if outerFields[1] != "ram" {
return nil, fmt.Errorf("unrecognized service: %v, not ram", outerFields[1])
}
parsed.AccountNumber = outerFields[3]
roleFields := strings.Split(outerFields[4], "/")
if len(roleFields) < 2 {
return nil, fmt.Errorf("unrecognized arn: %q contains fewer than 2 slash-separated roleFields", outerFields[4])
}
entityType := roleFields[0]
switch entityType {
case "assumed-role":
parsed.Type = arnTypeAssumedRole
case "role":
parsed.Type = arnTypeRole
default:
return nil, fmt.Errorf("unsupported parsed type: %s", entityType)
}
parsed.RoleName = roleFields[1]
if len(roleFields) > 2 {
parsed.RoleAssumerName = roleFields[2]
}
return parsed, nil
}
type arnType int
func (t arnType) String() string {
switch t {
case arnTypeRole:
return "role"
case arnTypeAssumedRole:
return "assumed-role"
default:
return ""
}
}
const (
arnTypeRole arnType = iota
arnTypeAssumedRole
)
type arn struct {
AccountNumber string
Type arnType
RoleName string
RoleAssumerName string
Full string
}
func (a *arn) IsMemberOf(possibleParent *arn) bool {
if possibleParent.Type != arnTypeRole || a.Type != arnTypeAssumedRole {
// We currently only support the relationship between roles and assumed roles.
return false
}
if possibleParent.AccountNumber != a.AccountNumber {
return false
}
if possibleParent.RoleName != a.RoleName {
return false
}
return true
}
func (a *arn) String() string {
return a.Full
}