cerberus_client 1.2.1

data/lib/cerberus/aws_role_credentials_provider.rb

@@ -0,0 +1,200 @@
+module Cerberus
+
+  require_relative('../cerberus_client/log')
+  require_relative('../cerberus_client/http')
+  require_relative('../cerberus_client')
+  require_relative('exception/no_value_error')
+  require_relative('exception/http_error')
+  require_relative('cerberus_client_token')
+  require_relative('aws_role_info')
+  require('aws-sdk')
+  require('net/http')
+  require('json')
+  require('base64')
+
+  ##
+  # The AWS IAM role credentials provider
+  ##
+  class AwsRoleCredentialsProvider
+
+    # AWS metadata instance URL
+    INSTANCE_METADATA_SVC_BASE_URL = "http://169.254.169.254/latest/meta-data"
+    # relative URI to look up AZ in AWS metadata svc
+    REGION_REL_URI = "/placement/availability-zone"
+    # relative URI to look up IAM role in AWS metadata svc
+    IAM_ROLE_INFO_REL_URI = "/iam/info"
+    # reference into the metadata data json we get to look up IAM role
+    IAM_ROLE_ARN_KEY = 'InstanceProfileArn'
+    # magic number is the index into a split role ARN to grab the acccount ID
+    ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM = 4
+    # magic number is the index into a split role ARN to grab the role name
+    ROLE_ARN_ARRAY_INDEX_OF_ROLENAME = 1
+    # relative URI to get encrypted auth data from Cerberus
+    ROLE_AUTH_REL_URI = "/v1/auth/iam-role"
+    # reference into the decrypted auth data json we get from Cerberus
+    CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
+    CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
+    CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"
+
+    LOGGER = CerberusClient::Log.instance
+
+    ##
+    # Init AWS role provider - needs vault base url.  Instance metadata service url is optional to make unit tests
+    # easier and so we can provide a hook to set this via config as needed
+    ##
+    def initialize(vaultBaseUrl, instanceMdSvcBaseUrl = nil, roleName = nil, roleRegion = nil, roleAccountId = nil)
+      @vaultBaseUrl = vaultBaseUrl
+      @clientToken = nil
+      @role = get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
+
+      LOGGER.debug("AwsRoleCredentialsProvider initialized with vault base url #{@vaultBaseUrl}")
+    end
+
+    ##
+    # Get credentials using AWS IAM role
+    ##
+    def getClientToken
+
+      if (@clientToken == nil)
+        @clientToken = getCredentialsFromCerberus
+      end
+
+      # using two if statements here just to make the logging easier..
+      # the above we expect on startup, expiration is an interesting event worth a debug log all its own
+      if (@clientToken.expired?)
+        LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
+        @clientToken = getCredentialsFromCerberus
+      end
+
+      return @clientToken.authToken
+
+    end
+
+    private
+
+    def get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
+      if (should_assume_role(roleAccountId, roleName, roleRegion))
+        return get_role_from_provided_info(roleName, roleRegion, roleAccountId)
+      else
+        @instanceMdSvcBaseUrl = instanceMdSvcBaseUrl.nil? ? INSTANCE_METADATA_SVC_BASE_URL : instanceMdSvcBaseUrl
+
+        # collect instance MD we need to auth with Cerberus
+        return get_role_from_instance_metadata
+      end
+    end
+
+    def get_role_from_provided_info(roleName, roleRegion, roleAccountId)
+      role_creds = Aws::AssumeRoleCredentials.new(client: Aws::STS::Client.new(region: roleRegion), role_arn: "arn:aws:iam::#{roleAccountId}:role/#{roleName}", role_session_name: "hiera-cpe-build")
+
+      return AwsRoleInfo.new(roleName, roleRegion, roleAccountId, credentials: role_creds)
+    end
+
+    def get_role_from_instance_metadata
+      role_arn = getIAMRoleARN
+      region = getRegionFromAZ(getAvailabilityZone)
+      account_id = getAccountIdFromRoleARN(role_arn)
+      role_name = getRoleNameFromRoleARN(role_arn)
+
+      LOGGER.debug("roleARN #{role_arn}")
+      LOGGER.debug("region #{region}")
+      LOGGER.debug("accountId #{account_id}")
+      LOGGER.debug("roleName #{role_name}")
+
+      return AwsRoleInfo.new(role_name, region, account_id, nil)
+    end
+
+    def should_assume_role(roleAccountId, roleName, roleRegion)
+      !(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
+    end
+
+    ##
+    # Reach out to the Cerberus management service and get an auth token
+    ##
+    def getCredentialsFromCerberus
+      begin
+        authData = doAuthWithCerberus(@role.account_id, @role.name, @role.region)
+
+        LOGGER.debug("Got auth data from Cerberus. Attempting to decrypt...")
+
+        # decrypt the data we got from cerberus to get the vault token
+        kms = Aws::KMS::Client.new(region: @role.region, credentials: @role.credentials[:credentials])
+
+        decryptedAuthDataJson = JSON.parse(kms.decrypt(ciphertext_blob: Base64.decode64(authData)).plaintext)
+
+        LOGGER.debug("Decrypt successful.  Passing back Cerberus auth token.")
+        # pass back a credentials object that will allow us to reuse it until it expires
+        CerberusClientToken.new(decryptedAuthDataJson[CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY],
+                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_LEASE_DURATION_KEY],
+                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_POLICIES_KEY])
+
+      rescue Cerberus::Exception::HttpError
+        # catch http errors here and assert no value
+        # this may not actually be the case, there are legitimate reasons HTTP can fail when it "should" work
+        # but this is handled by logging - a warning is set in the log in during the HTTP call
+        raise Cerberus::Exception::NoValueError
+      end
+    end
+
+    ##
+    # Get the AWS account ID from the role ARN
+    # Expects formatting [some value]:[some value]:[some value]::[account id]
+    ##
+    def getAccountIdFromRoleARN(roleARN)
+      roleARN.split(':')[ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM]
+    end
+
+    ##
+    # Get the role name from the role ARN
+    # Expects formatting [some value]:[some value]:[some value]::[account id]
+    ##
+    def getRoleNameFromRoleARN(roleARN)
+      roleARN.split('/')[ROLE_ARN_ARRAY_INDEX_OF_ROLENAME]
+    end
+
+    ##
+    # Read the IAM role ARN from the instance metadata
+    # Will throw an HTTP exception if there is no IAM role associated with the instance
+    ##
+    def getIAMRoleARN
+      response = doHttpToMDService(IAM_ROLE_INFO_REL_URI)
+      jsonResponseBody = JSON.parse(response.body)
+      jsonResponseBody[IAM_ROLE_ARN_KEY]
+    end
+
+    ##
+    # Get the region from AWS instance metadata
+    ##
+    def getAvailabilityZone
+      doHttpToMDService(REGION_REL_URI).body
+    end
+
+    ##
+    # Get region from AZ
+    ##
+    def getRegionFromAZ(az)
+      az[0, az.length-1]
+    end
+
+    ##
+    # Call the instance metadata service with a relative URI and return the response if the call succeeds
+    # else throw an IOError for non-2xx responses and RuntimeError for any exceptions down the stack
+    ##
+    def doHttpToMDService(relUri)
+      url = URI(@instanceMdSvcBaseUrl + relUri)
+      CerberusClient::Http.new.doHttp(url, 'GET', false)
+    end
+
+    ##
+    #
+    ##
+    def doAuthWithCerberus(accountId, roleName, region)
+      postJsonData = JSON.generate({:account_id => accountId, :role_name => roleName, :region => region})
+      authUrl = URI(@vaultBaseUrl + ROLE_AUTH_REL_URI)
+      authResponse = CerberusClient::Http.new.doHttp(authUrl, 'POST', true, postJsonData)
+      # if we got this far, we should have a valid response with encrypted data
+      # send back the encrypted data
+      JSON.parse(authResponse.body)['auth_data']
+    end
+
+  end
+end

data/lib/cerberus/aws_role_info.rb

@@ -0,0 +1,15 @@
+module Cerberus
+  class AwsRoleInfo
+    attr_reader :name
+    attr_reader :region
+    attr_reader :credentials
+    attr_reader :account_id
+
+    def initialize(name, region, account_id, credentials = nil)
+      @name = name
+      @region = region
+      @account_id = account_id
+      @credentials = credentials
+    end
+  end
+end

data/lib/cerberus/cerberus_client_token.rb

@@ -0,0 +1,37 @@
+
+
+module Cerberus
+
+  require_relative('../cerberus_client/log')
+
+  ##
+  # Object to hold the Cerberus client token credentials and check for expiration and refresh
+  ##
+  class CerberusClientToken
+
+    attr_reader :authToken
+    attr_reader :cacheLifetimeSec
+
+    ##
+    # Init with an authToken.  Expired will be true approximately cacheLifetimeSec seconds from when new is called.
+    # Optionally, set the cache lifetime.  For now this is primarily used for testing.
+    ##
+    def initialize(authToken, cacheLifetimeSec, policiesArray)
+      @createTime = Time.now
+      @cacheLifetimeSec = cacheLifetimeSec
+      @policies = policiesArray
+      CerberusClient::Log.instance.debug("AwsCredentials cache lifetime set to #{@cacheLifetimeSec} seconds")
+      CerberusClient::Log.instance.debug("AwsCredentials policies: #{@policies.join(", ")}")
+      @authToken = authToken
+    end
+
+    ##
+    # Return true if cache lifetime has expired
+    # This object doesn't enforce expiration - someone else can worry about making sure the credentials are valid
+    ##
+    def expired?
+      ((@createTime + @cacheLifetimeSec) <=> Time.now) == -1
+    end
+
+  end
+end

data/lib/cerberus/default_credentials_provider_chain.rb

@@ -0,0 +1,44 @@
+require_relative('../cerberus_client')
+require_relative('../cerberus_client/log')
+require_relative('exception/no_value_error')
+require_relative('exception/no_valid_providers')
+require_relative('aws_role_credentials_provider')
+require_relative('env_credentials_provider')
+
+module Cerberus
+
+  ##
+  # Default credentials provider chain
+  ##
+  class DefaultCredentialsProviderChain
+
+    def initialize(urlResolver, instanceMdSvcBaseUrl = nil)
+      vaultBaseUrl = CerberusClient.getUrlFromResolver(urlResolver)
+
+      # return default array of providers
+      @providers = [Cerberus::EnvCredentialsProvider.new,
+                    Cerberus::AwsRoleCredentialsProvider.new(vaultBaseUrl, instanceMdSvcBaseUrl)]
+    end
+
+    ##
+    # Return the first provider in the default hierarchy that has a valid token
+    ##
+    def getCredentialsProvider
+      @providers.each { |p|
+        begin
+          # if token is assigned, that's the provider we want.
+          # providers must throw NoValueError so that we can fall to the next provider if necessary
+          CerberusClient.getCredentialsFromProvider(p)
+          return p
+
+        rescue Cerberus::Exception::NoValueError
+          next
+        end
+      }
+
+      # we should have found and returned a valid provider above, else there's a problem
+      CerberusClient::Log.instance.error(" could not find a valid provider")
+      raise Cerberus::Exception::NoValidProviders.new
+    end
+  end
+end

data/lib/cerberus/default_url_resolver.rb

@@ -0,0 +1,26 @@
+
+module Cerberus
+
+  require_relative('exception/no_value_error')
+
+  ##
+  # The default Vault URL resolver - looks for #{CERBERUS_VAULT_URL_ENV_KEY} in env vars
+  ##
+  class DefaultUrlResolver
+
+    CERBERUS_VAULT_URL_ENV_KEY = "CERBERUS_ADDR"
+
+    ##
+    # Look for the vault url in the env var
+    ##
+    def getUrl
+      urlOption = ENV[CERBERUS_VAULT_URL_ENV_KEY]
+
+      if(urlOption != nil)
+        return urlOption
+      else
+        raise Cerberus::Exception::NoValueError
+      end
+    end
+  end
+end

data/lib/cerberus/env_credentials_provider.rb

@@ -0,0 +1,29 @@
+
+
+module Cerberus
+
+  require_relative('exception/no_value_error')
+
+  ##
+  # The Environment variable credentials provider - looks for #{CERBERUS_VAULT_TOKEN_ENV_KEY} in env vars
+  ##
+  class EnvCredentialsProvider
+
+    CERBERUS_VAULT_TOKEN_ENV_KEY = "CERBERUS_TOKEN"
+
+    ##
+    # Look for the vault token in the env var
+    ##
+    def getClientToken
+
+      tokenOption = ENV[CERBERUS_VAULT_TOKEN_ENV_KEY]
+
+      if(tokenOption != nil)
+        return tokenOption
+      else
+        raise Cerberus::Exception::NoValueError
+      end
+    end
+
+  end
+end

data/lib/cerberus/exception/ambiguous_vault_bad_request.rb

@@ -0,0 +1,22 @@
+
+module Cerberus
+  module Exception
+
+    ##
+    # Custom exception raised when Vault sends us a bad request with a "permissions error"
+    #
+    # Since Vault wants to pass back 400 bad request for both paths we don't have access to
+    # and paths that don't actually exist at all, I'm sending back a specific error so that implementing clients
+    # can at least understand the situation they find themselves in
+    ##
+    class AmbiguousVaultBadRequest < RuntimeError
+
+      ##
+      #  Init with exception message
+      ##
+      def initialize()
+        super("Vault sent back 400, Bad Request 'permissions error'. This means that 1) the root path may not exist 2) the account used may not have access to the path or 3) you actually can't be authenticated.")
+      end
+    end
+  end
+end

data/lib/cerberus/exception/http_error.rb

@@ -0,0 +1,24 @@
+
+module Cerberus
+  module Exception
+
+    ##
+    # Custom exception raised when an HTTP exception is raised but we want to handle it differently
+    # than simply presenting it to the end-user
+    ##
+    class HttpError < StandardError
+
+      attr_reader :response
+
+      ##
+      #  Init with exception message and response object if one is available
+      ##
+      def initialize(httpMsg, responseObj = nil)
+
+        @response = responseObj
+        super("An error occurred executing the HTTP request: #{httpMsg}")
+
+      end
+    end
+  end
+end

data/lib/cerberus/exception/no_valid_providers.rb

@@ -0,0 +1,17 @@
+module Cerberus
+  module Exception
+
+    ##
+    # Custom exception raised when no credentials providers can be found
+    ##
+    class NoValidProviders < RuntimeError
+
+      ##
+      #  Init with exception message
+      ##
+      def initialize
+        super("No valid credentials providers could be found")
+      end
+    end
+  end
+end

data/lib/cerberus/exception/no_value_error.rb

@@ -0,0 +1,19 @@
+
+module Cerberus
+  module Exception
+
+    ##
+    # Custom exception raised when a provider can't successfully provide what is needed
+    # and this is likely an expected condition
+    ##
+    class NoValueError < RuntimeError
+
+      ##
+      #  Init with exception message
+      ##
+      def initialize
+        super("No value specified")
+      end
+    end
+  end
+end