Initial Commit

Author: sktan

.devcontainer/Dockerfile

@@ -0,0 +1,6 @@
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.18
+ENV EDITOR=vim
+
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive && \
+    apt-get install -y --no-install-recommends vim gnupg2 ripgrep && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*

.devcontainer/devcontainer.json

@@ -0,0 +1,43 @@
+{
+    "build": {
+        "dockerfile": "Dockerfile",
+    },
+    "extensions": [
+        "eamodio.gitlens",
+        "golang.Go",
+        "ms-python.python",
+        "ms-python.vscode-pylance",
+        "GitHub.copilot",
+    ],
+    "mounts": [
+        "source=${localEnv:HOME}${localEnv:USERPROFILE}/.aws/,target=/root/.aws,type=bind,consistency=cached"
+    ],
+    "remoteEnv": {
+        "AWS_DEFAULT_REGION": "ap-southeast-2",
+        "AWS_PROFILE": "sktansandbox",
+        "CODEARTIFACT_DOMAIN": "sktansandbox",
+        "CODEARTIFACT_REPO": "sandbox",
+    },
+    "features": {
+        // Used build and deploy docker containers
+        "docker-in-docker": {
+            "version": "latest",
+            "moby": true
+        },
+        // Used for AWS CLI (currently interferes with my gpg commits due to a bug)
+        // https://github.com/microsoft/vscode-dev-containers/pull/1391
+        // Comments will be removed once ^ has been merged
+        // "aws-cli": {
+        //     "version": "lts",
+        // },
+        // Testing out the proxy mechanism and for deploying via CDK
+        "python": {
+            "version": "lts",
+        },
+        "node": {
+            "version": "lts",
+            "nodeGypDependencies": true
+        }
+    },
+    "postCreateCommand": ".devcontainer/post_create.sh"
+}

.devcontainer/post_create.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Install x86 or ARM version of awscliv2 based on current machine architecture
+if [[ "$(uname -m)" == "x86_64" ]]; then
+  curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip"
+else
+  curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "/tmp/awscliv2.zip"
+fi
+unzip /tmp/awscliv2.zip -d /tmp/awscliv2
+/tmp/awscliv2/aws/install && rm -rf /tmp/awscliv2*
+
+npm install -g aws-cdk
+pip install pre-commit

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0  # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      # - id: no-commit-to-branch
+      #   name: Don't commit to master

Dockerfile

@@ -0,0 +1,16 @@
+FROM golang:1.18-alpine as app-builder
+WORKDIR /go/src/app
+
+COPY src .
+
+RUN CGO_ENABLED=0 go install -ldflags '-extldflags "-static"' -tags timetzdata
+
+# Build actual image with the compiled app
+FROM scratch
+
+LABEL maintainer="git@sktan.com"
+
+COPY --from=app-builder /go/bin/aws-codeartifact-proxy /aws-codeartifact-proxy
+COPY --from=app-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/aws-codeartifact-proxy"]

README.md

@@ -1,2 +1,68 @@
-# aws-codeartifact-proxy
-An AWS code artifact proxy to allow unauthenticated access to your code artifacts
+# AWS Code Artifact Proxy
+
+An AWS Code Artifact Proxy that allows you to point your package managers to Code Artifact without the need of managing credentials.
+## Why was this built?
+
+Not every user who pulls code from your private codeartifact repository needs AWS credentials:
+ - Users of CLI tooling you are deploying internally in your comapny
+ - Developers of applications that don't interact with AWS but rely on a private Python / Node library.
+ - Maybe you have firewalling requirements or want the ability to see which packages are being installed by your developers?
+
+## Features:
+
+Although I haven't been able to test them all (mostly because I don't use the languages), the proxy should support the following artifact types (replace `artifacts.example.com` with your deployed proxy hostname)
+
+| Repository Type | Tested | URL                                   |
+| --------------- | ------ | ------------------------------------- |
+| Pypi            | Yes    | https://artifacts.example.com/simple/ |
+| NPM             | Yes    | https://artifacts.example.com/        |
+| Maven           | No     | https://artifacts.example.com/        |
+| Nuget           | No     | https://artifacts.example.com/        |
+
+Currently we only support choosing a single repository at launch, athough maybe in the future I will look at auto-resovling the request and figure out which repository to use based on the useragent. This should simplify setup.
+
+## How to Use?
+
+You can run this in three easy ways.
+
+1. Download the release from the Github page, and run it on any linux server.
+2. Use the container `sktan/aws-codeartifact-proxy` and run it on any capable host (AWS ECS, AWS EC2, Linux / Windows VM)
+3. Use the pre-built CDK template found in the `cdk` directory and deploy it to your environment (requires Python)
+
+By default, the proxy will choose to use the Pypi as it's type. If you would like to use a separate registry type, set your `CODEARTIFACT_TYPE` environment variable to one of the following:
+- pypi
+- npm
+- maven
+- nuget
+
+Once you have started the proxy with valid AWS credentials (this uses the [default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials)), you should receive similar output to this:
+
+```
+2022/04/03 04:41:53 Authenticating against CodeArtifact
+2022/04/03 04:41:53 Authorization successful
+2022/04/03 04:41:53 Requests will now be proxied to https://sktansandbox-1234567890.d.codeartifact.ap-southeast-2.amazonaws.com/pypi/sandbox/
+```
+
+And to test that it is working, using `pip` against the proxy should result in similar output:
+
+```
+## CLI Output
+root ➜ /workspaces/aws-codeartifact-proxy (master ✗) $ pip download --index-url="http://localhost:8080/simple" --no-deps boto3
+Looking in indexes: http://localhost:8080/simple
+Collecting boto3
+  Downloading http://localhost:8080/simple/boto3/1.21.32/boto3-1.21.32-py3-none-any.whl (132 kB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 132.4/132.4 KB 20.6 MB/s eta 0:00:00
+Saved ./boto3-1.21.32-py3-none-any.whl
+Successfully downloaded boto3
+
+## Proxy Output
+2022/04/03 04:52:44 REQ: 127.0.0.1:52066 GET "/simple/boto3/" "pip/22.0.4 ...."
+2022/04/03 04:52:44 Sending request to https://sktansandbox-1234567890.d.codeartifact.ap-southeast-2.amazonaws.com/pypi/sandbox/simple/boto3/
+2022/04/03 04:52:44 RES: 127.0.0.1:52066 "GET" 200 "/simple/boto3/" "pip/22.0.4 ...."
+```
+
+## Contributing
+
+If you'd like to contribute to this project, please feel free to raise a pull request. I would highly recommend using the devcontainer setup in this repo, as it will provide you a working development environment.
+
+If you find any bugs, please raise it as a Github issue and I will have a look at it.

src/go.mod

@@ -0,0 +1,21 @@
+module github.com/sktan/aws-codeartifact-proxy
+
+go 1.18
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.16.2
+	github.com/aws/aws-sdk-go-v2/config v1.15.3
+	github.com/aws/aws-sdk-go-v2/service/codeartifact v1.12.3
+)
+
+require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 // indirect
+	github.com/aws/smithy-go v1.11.2 // indirect
+)

src/go.sum

@@ -0,0 +1,35 @@
+github.com/aws/aws-sdk-go-v2 v1.16.2 h1:fqlCk6Iy3bnCumtrLz9r3mJ/2gUT0pJ0wLFVIdWh+JA=
+github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
+github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw=
+github.com/aws/aws-sdk-go-v2/config v1.15.3/go.mod h1:9YL3v07Xc/ohTsxFXzan9ZpFpdTOFl4X65BAKYaz8jg=
+github.com/aws/aws-sdk-go-v2/credentials v1.11.2 h1:RQQ5fzclAKJyY5TvF+fkjJEwzK4hnxQCLOu5JXzDmQo=
+github.com/aws/aws-sdk-go-v2/credentials v1.11.2/go.mod h1:j8YsY9TXTm31k4eFhspiQicfXPLZ0gYXA50i4gxPE8g=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 h1:LWPg5zjHV9oz/myQr4wMs0gi4CjnDN/ILmyZUFYXZsU=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3/go.mod h1:uk1vhHHERfSVCUnqSqz8O48LBYDSC+k6brng09jcMOk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 h1:onz/VaaxZ7Z4V+WIN9Txly9XLTmoOh1oJ8XcAC3pako=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 h1:9stUQR/u2KXU6HkFJYlqnZEjBnbgrVbG6I5HN09xZh0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 h1:by9P+oy3P/CwggN4ClnW2D4oL91QV7pBzBICi1chZvQ=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10/go.mod h1:8DcYQcz0+ZJaSxANlHIsbbi6S+zMwjwdDqwW3r9AzaE=
+github.com/aws/aws-sdk-go-v2/service/codeartifact v1.12.3 h1:0KKzUiM72Xp4iG52EvLGk7ULmstaSjZydOhsVlMQh+4=
+github.com/aws/aws-sdk-go-v2/service/codeartifact v1.12.3/go.mod h1:Uhp1Vx6ZJ5rbR+PFi1DxhPhcRKgS4euvqVF04x2X458=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 h1:Gh1Gpyh01Yvn7ilO/b/hr01WgNpaszfbKMUgqM186xQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3/go.mod h1:wlY6SVjuwvh3TVRpTqdy4I1JpBFLX4UGeKZdWntaocw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 h1:frW4ikGcxfAEDfmQqWgMLp+F1n4nRo9sF39OcIb5BkQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.3/go.mod h1:7UQ/e69kU7LDPtY40OyoHYgRmgfGM4mgsLYtcObdveU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 h1:cJGRyzCSVwZC7zZZ1xbx9m32UnrKydRYhOvcD1NYP9Q=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.3/go.mod h1:bfBj0iVmsUyUg4weDB4NxktD9rDGeKSVWnjTnwbx9b8=
+github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE=
+github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

src/main.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	// Should this be called tools? There isn't really much going on here...
+	"github.com/sktan/aws-codeartifact-proxy/tools"
+)
+
+func main() {
+	// Do an initial authentication so that we can initialise the proxy properly
+	tools.Authenticate()
+
+	// Run a goroutine to check for reauthentication to the CodeArtifact Service
+	go tools.CheckReauth()
+
+	// Start the Proxy listener so that we can intercept the requests
+	tools.ProxyInit()
+}

src/tools/aws.go

@@ -0,0 +1,100 @@
+package tools
+
+import (
+	"context"
+	"log"
+	"os"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/codeartifact"
+	"github.com/aws/aws-sdk-go-v2/service/codeartifact/types"
+)
+
+type CodeArtifactAuthInfoStruct struct {
+	Url                string
+	AuthorizationToken string
+	LastAuth           time.Time
+}
+
+var CodeArtifactAuthInfo = &CodeArtifactAuthInfoStruct{}
+
+// Authenticate performs the authentication against CodeArtifact and caches the credentials
+func Authenticate() {
+	log.Printf("Authenticating against CodeArtifact")
+
+	// Authenticate against CodeArtifact
+	cfg, cfgErr := config.LoadDefaultConfig(context.TODO())
+	if cfgErr != nil {
+		log.Fatalf("unable to load SDK config, %v", cfgErr)
+	}
+	svc := codeartifact.NewFromConfig(cfg)
+
+	// TODO: auto-resolve these via Environment variables
+	codeArtDomain := aws.String(os.Getenv("CODEARTIFACT_DOMAIN"))
+	codeArtOwner, codeArtOwnerFound := os.LookupEnv("CODEARTIFACT_OWNER")
+	codeArtRepos := aws.String(os.Getenv("CODEARTIFACT_REPO"))
+
+	// Resolve Package Format from the environment variable (defaults to pypi)
+	codeArtTypeS, found := os.LookupEnv("CODEARTIFACT_TYPE")
+	if !found || codeArtTypeS == "" {
+		codeArtTypeS = "pypi"
+	}
+	var codeArtTypeT types.PackageFormat
+	if codeArtTypeS == "pypi" {
+		codeArtTypeT = types.PackageFormatPypi
+	} else if codeArtTypeS == "maven" {
+		codeArtTypeT = types.PackageFormatMaven
+	} else if codeArtTypeS == "npm" {
+		codeArtTypeT = types.PackageFormatNpm
+	} else if codeArtTypeS == "nuget" {
+		codeArtTypeT = types.PackageFormatNuget
+	}
+
+	// Create the input for the CodeArtifact API
+	authInput := &codeartifact.GetAuthorizationTokenInput{
+		DurationSeconds: aws.Int64(3600),
+		Domain:          codeArtDomain,
+	}
+	if codeArtOwnerFound {
+		authInput.DomainOwner = aws.String(codeArtOwner)
+	}
+	authResp, authErr := svc.GetAuthorizationToken(context.TODO(), authInput)
+	if authErr != nil {
+		log.Fatalf("unable to get authorization token, %v", authErr)
+	}
+	log.Printf("Authorization successful")
+	CodeArtifactAuthInfo.AuthorizationToken = *authResp.AuthorizationToken
+	CodeArtifactAuthInfo.LastAuth = time.Now()
+
+	// Get the URL for the CodeArtifact Service
+	urlInput := &codeartifact.GetRepositoryEndpointInput{
+		Domain:     codeArtDomain,
+		Format:     codeArtTypeT,
+		Repository: codeArtRepos,
+	}
+	if codeArtOwnerFound {
+		urlInput.DomainOwner = aws.String(codeArtOwner)
+	}
+
+	urlResp, urlErr := svc.GetRepositoryEndpoint(context.TODO(), urlInput)
+	if urlErr != nil {
+		log.Fatalf("unable to get repository endpoint, %v", urlErr)
+	}
+	CodeArtifactAuthInfo.Url = *urlResp.RepositoryEndpoint
+
+	log.Printf("Requests will now be proxied to %s", CodeArtifactAuthInfo.Url)
+}
+
+// CheckReauth checks if we have not yet authenticated, or need to authenticate within the next 15 minutes
+func CheckReauth() {
+	for {
+		if CodeArtifactAuthInfo.AuthorizationToken == "" || time.Now().Sub(CodeArtifactAuthInfo.LastAuth) > 45*time.Minute {
+			log.Printf("%d minutes until the CodeArtifact token expires, attempting a reauth.", time.Now().Sub(CodeArtifactAuthInfo.LastAuth)/time.Minute)
+			Authenticate()
+		}
+		// Sleep for 15 seconds for the next check
+		time.Sleep(15 * time.Second)
+	}
+}