cerberus_client 1.5.1 → 2.0.0

data/lib/cerberus_utils/version.rb

@@ -0,0 +1,3 @@
+module CerberusUtils
+  VERSION = "2.0.0"
+end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: cerberus_client
 version: !ruby/object:Gem::Version
-  version: 1.5.1
+  version: 2.0.0
 platform: ruby
 authors:
+- Shaun Ford
 - Joe Teibel
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-08-25 00:00:00.000000000 Z
+date: 2017-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -52,13 +53,13 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.13'
-description: This is a Ruby based client library for communicating with Vault via
+description: This is a Ruby based client library for communicating with Cerberus via
   HTTP and enables authentication schemes specific to AWS and Cerberus. This client
   currently supports read-only operations (write operations are not yet implemented,
   feel free to open a pull request to implement write operations). To learn more about
   Cerberus, please visit the Cerberus website.
 email:
-- joe.teibel@nike.com
+- shaun.ford@nike.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -73,9 +74,10 @@ files:
 - README.md
 - cerberus_client.gemspec
 - lib/cerberus/assumed_role_credentials_provider_chain.rb
+- lib/cerberus/aws_assumed_role_credentials_provider.rb
 - lib/cerberus/aws_principal_credentials_provider.rb
-- lib/cerberus/aws_role_credentials_provider.rb
-- lib/cerberus/aws_role_info.rb
+- lib/cerberus/cerberus_auth_info.rb
+- lib/cerberus/cerberus_client.rb
 - lib/cerberus/cerberus_client_token.rb
 - lib/cerberus/default_credentials_provider_chain.rb
 - lib/cerberus/default_url_resolver.rb
@@ -84,12 +86,12 @@ files:
 - lib/cerberus/exception/http_error.rb
 - lib/cerberus/exception/no_valid_providers.rb
 - lib/cerberus/exception/no_value_error.rb
-- lib/cerberus/vault_client.rb
 - lib/cerberus_client.rb
-- lib/cerberus_client/default_logger.rb
-- lib/cerberus_client/http.rb
-- lib/cerberus_client/log.rb
-- lib/cerberus_client/version.rb
+- lib/cerberus_utils/default_logger.rb
+- lib/cerberus_utils/http.rb
+- lib/cerberus_utils/log.rb
+- lib/cerberus_utils/utils.rb
+- lib/cerberus_utils/version.rb
 homepage: https://github.com/Nike-Inc/cerberus-ruby-client
 licenses:
 - Apache License Version 2

data/lib/cerberus/aws_role_credentials_provider.rb

@@ -1,239 +0,0 @@
-module Cerberus
-
-  require_relative('../cerberus_client/log')
-  require_relative('../cerberus_client/http')
-  require_relative('../cerberus_client')
-  require_relative('exception/no_value_error')
-  require_relative('exception/http_error')
-  require_relative('cerberus_client_token')
-  require_relative('aws_role_info')
-  require('aws-sdk')
-  require('net/http')
-  require('json')
-  require('base64')
-
-  ##
-  # The AWS IAM role credentials provider
-  ##
-  class AwsRoleCredentialsProvider
-
-    # AWS metadata instance URL
-    INSTANCE_METADATA_SVC_BASE_URL = "http://169.254.169.254/latest/meta-data"
-    # relative URI to look up AZ in AWS metadata svc
-    REGION_REL_URI = "/placement/availability-zone"
-    # relative URI to look up IAM role in AWS metadata svc
-    IAM_ROLE_INFO_REL_URI = "/iam/info"
-    # reference into the metadata data json we get to look up IAM role
-    IAM_ROLE_ARN_KEY = 'InstanceProfileArn'
-    # magic number is the index into a split role ARN to grab the acccount ID
-    ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM = 4
-    # magic number is the index into a split role ARN to grab the role name
-    ROLE_ARN_ARRAY_INDEX_OF_ROLENAME = 1
-    # relative URI to get encrypted auth data from Cerberus
-    ROLE_AUTH_REL_URI = "/v1/auth/iam-role"
-    # reference into the decrypted auth data json we get from Cerberus
-    CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
-    CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
-    CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"
-
-    LOGGER = CerberusClient::Log.instance
-
-    ##
-    # Init AWS role provider - needs vault base url.  Instance metadata service url is optional to make unit tests
-    # easier and so we can provide a hook to set this via config as needed
-    ##
-    def initialize(vaultBaseUrl, instanceMdSvcBaseUrl = nil, roleName = nil, roleRegion = nil, roleAccountId = nil)
-      @vaultBaseUrl = vaultBaseUrl
-      @clientToken = nil
-      @role = get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
-
-      LOGGER.debug("AwsRoleCredentialsProvider initialized with vault base url #{@vaultBaseUrl}")
-    end
-
-    ##
-    # Get credentials using AWS IAM role
-    ##
-    def getClientToken
-
-      if (@role.nil?)
-        raise Cerberus::Exception::NoValueError
-      end
-
-      if (@clientToken.nil?)
-        @clientToken = getCredentialsFromCerberus
-      end
-
-      # using two if statements here just to make the logging easier..
-      # the above we expect on startup, expiration is an interesting event worth a debug log all its own
-      if (@clientToken.expired?)
-        LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
-        @clientToken = getCredentialsFromCerberus
-      end
-
-      return @clientToken.authToken
-
-    end
-
-    ##
-    # Policy: if we are given these three pieces of data, we will assume a role to do auth
-    ##
-    def should_assume_role?(roleAccountId, roleName, roleRegion)
-      !(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
-    end
-
-    ##
-    # Policy: if we do not have an instance MD service URL and we can't assume a role, then this instance
-    # of the provider cannot use a role to provide credentials.  Primarily used for testing.
-    ##
-    def have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
-      (!instanceMdSvcBaseUrl.nil? || should_assume_role?(roleName, roleRegion, roleAccountId))
-    end
-
-    private
-
-    ##
-    # Uses provided data to determine how to construct the AwsRoleInfo use by this provider
-    ##
-    def get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
-
-      # if we have no metedata about how to auth, we do nothing
-      # this is used in unit testing primarily
-      if (!have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId))
-        return nil;
-      elsif (should_assume_role?(roleAccountId, roleName, roleRegion))
-        # we are assuming a role to do auth
-        return get_role_from_provided_info(roleName, roleRegion, roleAccountId)
-      else
-        # we are using a role that the instance has associated with it
-        @instanceMdSvcBaseUrl = instanceMdSvcBaseUrl.nil? ? INSTANCE_METADATA_SVC_BASE_URL : instanceMdSvcBaseUrl
-
-        # collect instance MD we need to auth with Cerberus
-        return get_role_from_instance_metadata
-      end
-    end
-
-
-    ##
-    # Get an AwsRoleInfo object from the provided data
-    ##
-    def get_role_from_provided_info(roleName, roleRegion, roleAccountId)
-
-      role_creds = Aws::AssumeRoleCredentials.new(
-          client: Aws::STS::Client.new(region: roleRegion),
-          role_arn: "arn:aws:iam::#{roleAccountId}:role/#{roleName}",
-          role_session_name: "hiera-cpe-build")
-
-      return AwsRoleInfo.new(roleName, roleRegion, roleAccountId, credentials: role_creds)
-    end
-
-    ##
-    # Use the instance metadata to extract the role information
-    # This function should only be called from an EC2 instance otherwise the http
-    # call will fail.
-    ##
-    def get_role_from_instance_metadata
-      role_arn = getIAMRoleARN
-      region = getRegionFromAZ(getAvailabilityZone)
-      account_id = getAccountIdFromRoleARN(role_arn)
-      role_name = getRoleNameFromRoleARN(role_arn)
-
-      LOGGER.debug("roleARN #{role_arn}")
-      LOGGER.debug("region #{region}")
-      LOGGER.debug("accountId #{account_id}")
-      LOGGER.debug("roleName #{role_name}")
-
-      return AwsRoleInfo.new(role_name, region, account_id, nil)
-    end
-
-    ##
-    # Reach out to the Cerberus management service and get an auth token
-    ##
-    def getCredentialsFromCerberus
-      begin
-        authData = doAuthWithCerberus(@role.account_id, @role.name, @role.region)
-
-        LOGGER.debug("Got auth data from Cerberus. Attempting to decrypt...")
-
-        # decrypt the data we got from cerberus to get the vault token
-        kms = Aws::KMS::Client.new(region: @role.region, credentials: @role.credentials[:credentials])
-
-        decryptedAuthDataJson = JSON.parse(kms.decrypt(ciphertext_blob: Base64.decode64(authData)).plaintext)
-
-        LOGGER.debug("Decrypt successful.  Passing back Cerberus auth token.")
-        # pass back a credentials object that will allow us to reuse it until it expires
-        CerberusClientToken.new(decryptedAuthDataJson[CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY],
-                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_LEASE_DURATION_KEY],
-                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_POLICIES_KEY])
-
-      rescue Cerberus::Exception::HttpError
-        # catch http errors here and assert no value
-        # this may not actually be the case, there are legitimate reasons HTTP can fail when it "should" work
-        # but this is handled by logging - a warning is set in the log in during the HTTP call
-        raise Cerberus::Exception::NoValueError
-      end
-    end
-
-    ##
-    # Get the AWS account ID from the role ARN
-    # Expects formatting [some value]:[some value]:[some value]::[account id]
-    ##
-    def getAccountIdFromRoleARN(roleARN)
-      roleARN.split(':')[ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM]
-    end
-
-    ##
-    # Get the role name from the role ARN
-    # Expects formatting [some value]:[some value]:[some value]::[account id]
-    ##
-    def getRoleNameFromRoleARN(roleARN)
-      roleARN.split('/')[ROLE_ARN_ARRAY_INDEX_OF_ROLENAME]
-    end
-
-    ##
-    # Read the IAM role ARN from the instance metadata
-    # Will throw an HTTP exception if there is no IAM role associated with the instance
-    ##
-    def getIAMRoleARN
-      response = doHttpToMDService(IAM_ROLE_INFO_REL_URI)
-      jsonResponseBody = JSON.parse(response.body)
-      jsonResponseBody[IAM_ROLE_ARN_KEY]
-    end
-
-    ##
-    # Get the region from AWS instance metadata
-    ##
-    def getAvailabilityZone
-      doHttpToMDService(REGION_REL_URI).body
-    end
-
-    ##
-    # Get region from AZ
-    ##
-    def getRegionFromAZ(az)
-      az[0, az.length-1]
-    end
-
-    ##
-    # Call the instance metadata service with a relative URI and return the response if the call succeeds
-    # else throw an IOError for non-2xx responses and RuntimeError for any exceptions down the stack
-    ##
-    def doHttpToMDService(relUri)
-      url = URI(@instanceMdSvcBaseUrl + relUri)
-      CerberusClient::Http.new.doHttp(url, 'GET', false)
-    end
-
-    ##
-    #
-    ##
-    def doAuthWithCerberus(accountId, roleName, region)
-      postJsonData = JSON.generate({:account_id => accountId, :role_name => roleName, :region => region})
-      authUrl = URI(@vaultBaseUrl + ROLE_AUTH_REL_URI)
-      useSSL = ! ("#{@vaultBaseUrl}".include? "localhost")
-      authResponse = CerberusClient::Http.new.doHttp(authUrl, 'POST', useSSL, postJsonData)
-      # if we got this far, we should have a valid response with encrypted data
-      # send back the encrypted data
-      JSON.parse(authResponse.body)['auth_data']
-    end
-
-  end
-end

data/lib/cerberus/aws_role_info.rb

@@ -1,15 +0,0 @@
-module Cerberus
-  class AwsRoleInfo
-    attr_reader :name
-    attr_reader :region
-    attr_reader :credentials
-    attr_reader :account_id
-
-    def initialize(name, region, account_id, credentials = nil)
-      @name = name
-      @region = region
-      @account_id = account_id
-      @credentials = credentials
-    end
-  end
-end

data/lib/cerberus/vault_client.rb

@@ -1,207 +0,0 @@
-
-
-module Cerberus
-
-  require_relative('../cerberus_client/log')
-  require_relative('exception/http_error')
-  require_relative('exception/ambiguous_vault_bad_request')
-  require_relative('default_credentials_provider_chain')
-  require('json')
-
-  ##
-  # Client for interacting with the Vault API
-  ##
-  class VaultClient
-
-    # relative path to the Vault secrets API
-    SECRET_PATH_PREFIX = "/v1/secret/"
-    SECRET_MAP_DATA_KEY = VAULT_LIST_DATA_KEY = "data"
-    VAULT_TOKEN_HEADER_KEY = 'X-Vault-Token'
-    VAULT_ERRORS_KEY = "errors"
-    VAULT_PERMISSION_DENIED_ERR = "permission denied"
-    VAULT_LIST_KEYS_KEY = "keys"
-    VAULT_LIST_PARAM_KEY = "list"
-    SLASH = "/"
-
-    attr_reader :vaultBaseUrl
-    attr_reader :credentialsProvider
-
-    ##
-    # Init with the base URL for vault
-    ##
-    def initialize(urlResolver, credentialsProviderChain)
-
-      require 'net/https'
-
-      @vaultBaseUrl = CerberusClient.getUrlFromResolver(urlResolver)
-      @credentialsProvider = credentialsProviderChain.getCredentialsProvider
-
-    end # initialize
-
-    ##
-    # Read operation for a specified path.
-    ##
-    def read(path)
-      begin
-        response = doVaultHttpGet(SECRET_PATH_PREFIX + path)
-        CerberusClient::Log.instance.debug("VaultClient::read(path) HTTP response: #{response.code}, #{response.message}")
-        response.body
-
-      rescue => ex
-        CerberusClient::Log.instance.error("VaultClient::read(#{path}) unhandled exception trying to read: #{ex.message}")
-        raise ex
-      end
-    end # read
-
-    ##
-    # Read operation for a specified path.
-    ##
-    def readKey(path, key)
-      begin
-        CerberusClient::Log.instance.error("VaultClient::read(#{path}, #{key})")
-
-        readPathAndIterateOnDataWithProc(path, &(Proc.new { |k, v| if(key == k); return v; end }) )
-
-        # else, we didn't find it
-        return nil
-
-      rescue => ex
-        CerberusClient::Log.instance.error("VaultClient::read(#{path}, #{key}) unhandled exception trying to read: #{ex.message}")
-        raise ex
-      end
-    end
-
-    ##
-    # Returns a list of key names at the specified location. Folders are suffixed with /.
-    # The input must be a folder; list on a file will return nil
-    ##
-    def list(path)
-      begin
-        response = doVaultHttpGet(SECRET_PATH_PREFIX + path + "?list=true")
-
-        CerberusClient::Log.instance.debug("VaultClient::list(#{path}) HTTP response: #{response.code}, #{response.message}")
-
-        jsonResonseBody = JSON.parse(response.body)
-        pathList = jsonResonseBody[VAULT_LIST_DATA_KEY][VAULT_LIST_KEYS_KEY]
-        CerberusClient::Log.instance.debug("VaultClient::list returning #{pathList.join(", ")} ")
-        pathList
-
-      rescue => ex
-
-        # check to see if we threw the Http error with a response object
-        response = (ex.instance_of?(Cerberus::Exception::HttpError)) ? ex.response : nil
-        if(!response.nil? && response.code.to_i == 404)
-          return nil
-        end
-
-        CerberusClient::Log.instance.error("VaultClient::list(#{path}) unhandled exception trying to read: #{ex.message}")
-        raise ex
-      end
-    end
-
-    ##
-    # This is potentially an expensive operation depending on the depth of the tree we're trying to parse
-    # It recursively walks 'path' and returns a hash of all child [path] => [array of keys] found under 'path'
-    # if 'path' is a folder, it must have a trailing slash ('/').  If 'path' is an "end node" or "vault file", then it
-    # should not have a trailing slash ('/')
-    ##
-    def describe!(path, resultHash = nil)
-
-      CerberusClient::Log.instance.debug("VaultClient::describe!(#{path})")
-
-      if(resultHash == nil)
-        resultHash = Hash.new()
-      end
-
-      curChildren = list(path)
-
-      # if curChildren is nil, it's possible there are no children or that we don't have access
-      # It's also possible it is the "end" of the path... what Vault calls "the file"
-      # in that case, we should send back the keys in that path so give it a shot
-      if(curChildren.nil?)
-        resultHash[path] = Array.new
-        readPathAndIterateOnDataWithProc(path, &(Proc.new { |key, value| resultHash[path] << key }) )
-        return resultHash
-      end
-
-      curChildren.each { |childNode|
-        curLocation = path + childNode
-        # if childNode ends with '/' then we have a directory we need to call into
-        if(childNode.end_with?(SLASH))
-          describe!(curLocation, resultHash)
-        else # it is a "directory" that contains keys
-          resultHash[curLocation] = Array.new
-          readPathAndIterateOnDataWithProc(curLocation, &(Proc.new { |key, value| resultHash[curLocation] << key }) )
-        end
-      }
-      return resultHash
-    end
-
-    private
-
-
-    ##
-    #  Attempts to execute the proc passed in on every key, value located in the 'data' element read at 'path'
-    ##
-    def readPathAndIterateOnDataWithProc(path, &p)
-      jsonResponseBody = JSON.parse(read(path))
-      jsonResponseBody[VAULT_LIST_DATA_KEY].each { |dataMapKey, dataMapValue|
-        p.call(dataMapKey, dataMapValue)
-      }
-    end
-
-    ##
-    # Do an http request to Vault using the relative URI passed in
-    ##
-    def doVaultHttpGet(relativeUri)
-
-      url = URI(@vaultBaseUrl + relativeUri)
-      useSSL = ! ("#{@vaultBaseUrl}".include? "localhost")
-
-      begin
-        response = CerberusClient::Http.new.doHttp(url,
-                                                 'GET', useSSL, nil,
-                                                 {VAULT_TOKEN_HEADER_KEY =>
-                                                      CerberusClient.getCredentialsFromProvider(@credentialsProvider)})
-
-      rescue Cerberus::Exception::HttpError => ex
-        # Since Vault wants to pass back 400 bad request for both paths we don't have access to
-        # and paths that don't actually exist at all, I'm sending back a specific error so that implementing clients
-        # can at least understand the situation they find themselves in
-        #
-        # This client could actually work around this problem by first getting a list of all paths we have access to and
-        # determining if the path exists in that list.  If not, 404 (which is more appropriate than 400).
-        # TODO: implement "list > check for path" work around <-- NOTE:  This is a relatively expensive operation
-
-        if(!ex.response.nil? && (ex.response.code.to_i == 400) && (hasPermissionErrors?(ex.response.body)))
-          raise Exception::AmbiguousVaultBadRequest.new
-        else
-          raise ex
-        end
-
-      end
-
-      response
-
-    end # doVaultHttp
-
-    ##
-    # Parse out the permission errors json
-    ##
-    def hasPermissionErrors?(jsonErrorsMsg)
-      begin
-        json = JSON.parse(jsonErrorsMsg)
-        json[VAULT_ERRORS_KEY].each { |err|
-          if(err == VAULT_PERMISSION_DENIED_ERR)
-            return true
-          end
-        }
-      rescue => ex
-        CerberusClient::Log.instance.warn(
-            "VaultClient::hasPermissionErrors? called and exception thrown parsing #{jsonErrorsMsg}: #{ex.message}")
-        return false
-      end
-    end
-
-  end
-end