cfn-vpn 0.4.1 → 1.1.1

data/docs/sessions.md

@@ -0,0 +1,27 @@
+# Managing Client-VPN Sessions
+
+## Show Sessions
+
+This is show a table of current connections on the vpn. You can then kill sessions by using the connection id.
+
+```sh
+cfn-vpn sessions [name]
+```
+
+The sessions are displayed in a table format
+
+```bash
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| Common Name | Connected (UTC)     | Status | IP Address  | Connection ID                     | Ingress Bytes | Egress Bytes |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| user1       | 2019-06-28 04:58:19 | active | 10.250.0.98 | cvpn-connection-05bcc579cb3fdf9a3 | 3000          | 2679         |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+```
+
+## Terminate a Session
+
+To terminate a Client-VPN session specify the `--kill` flag with the connection id to kill the session.
+
+```sh
+cfn-vpn sessions myvpn --kill cvpn-connection-05bcc579cb3fdf9a3
+```

data/lib/cfnvpn.rb

@@ -1,13 +1,15 @@
 require 'thor'
 require 'cfnvpn/version'
-require 'cfnvpn/init'
-require 'cfnvpn/modify'
-require 'cfnvpn/config'
-require 'cfnvpn/client'
-require 'cfnvpn/revoke'
-require 'cfnvpn/sessions'
-require 'cfnvpn/routes'
-require 'cfnvpn/share'
+require 'cfnvpn/actions/init'
+require 'cfnvpn/actions/modify'
+require 'cfnvpn/actions/client'
+require 'cfnvpn/actions/revoke'
+require 'cfnvpn/actions/sessions'
+require 'cfnvpn/actions/routes'
+require 'cfnvpn/actions/share'
+require 'cfnvpn/actions/embedded'
+require 'cfnvpn/actions/subnets'
+require 'cfnvpn/actions/params'
 
 module CfnVpn
   class Cli < Thor
@@ -18,29 +20,35 @@ module CfnVpn
       puts CfnVpn::VERSION
     end
 
-    register CfnVpn::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
-    tasks["init"].options = CfnVpn::Init.class_options
+    register CfnVpn::Actions::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
+    tasks["init"].options = CfnVpn::Actions::Init.class_options
 
-    register CfnVpn::Modify, 'modify', 'modify [name]', 'Modify your AWS Client VPN'
-    tasks["modify"].options = CfnVpn::Modify.class_options
+    register CfnVpn::Actions::Modify, 'modify', 'modify [name]', 'Modify your AWS Client VPN'
+    tasks["modify"].options = CfnVpn::Actions::Modify.class_options
 
-    register CfnVpn::Config, 'config', 'config [name]', 'Retrieve the config for the AWS Client VPN'
-    tasks["config"].options = CfnVpn::Config.class_options
+    register CfnVpn::Actions::Client, 'client', 'client [name]', 'Create a new client certificate'
+    tasks["client"].options = CfnVpn::Actions::Client.class_options
 
-    register CfnVpn::Client, 'client', 'client [name]', 'Create a new client certificate'
-    tasks["client"].options = CfnVpn::Client.class_options
+    register CfnVpn::Actions::Revoke, 'revoke', 'revoke [name]', 'Revoke a client certificate'
+    tasks["revoke"].options = CfnVpn::Actions::Revoke.class_options
 
-    register CfnVpn::Revoke, 'revoke', 'revoke [name]', 'Revoke a client certificate'
-    tasks["revoke"].options = CfnVpn::Revoke.class_options
+    register CfnVpn::Actions::Sessions, 'sessions', 'sessions [name]', 'List and kill current vpn connections'
+    tasks["sessions"].options = CfnVpn::Actions::Sessions.class_options
 
-    register CfnVpn::Sessions, 'sessions', 'sessions [name]', 'List and kill current vpn connections'
-    tasks["sessions"].options = CfnVpn::Sessions.class_options
+    register CfnVpn::Actions::Routes, 'routes', 'routes [name]', 'List, add or delete client vpn routes'
+    tasks["routes"].options = CfnVpn::Actions::Routes.class_options
 
-    register CfnVpn::Routes, 'routes', 'routes [name]', 'List, add or delete client vpn routes'
-    tasks["routes"].options = CfnVpn::Routes.class_options
+    register CfnVpn::Actions::Share, 'share', 'share [name]', 'Provide a user with a s3 signed download for certificates and config'
+    tasks["share"].options = CfnVpn::Actions::Share.class_options
 
-    register CfnVpn::Share, 'share', 'share [name]', 'Provide a user with a s3 signed download for certificates and config'
-    tasks["share"].options = CfnVpn::Share.class_options
+    register CfnVpn::Actions::Embedded, 'embedded', 'embedded [name]', 'Embed client certs into config and generate S3 presigned URL'
+    tasks["embedded"].options = CfnVpn::Actions::Embedded.class_options
+
+    register CfnVpn::Actions::Subnets, 'subnets', 'subnets [name]', 'Manage subnet associations for the client vpn'
+    tasks["subnets"].options = CfnVpn::Actions::Subnets.class_options
+
+    register CfnVpn::Actions::Params, 'params', 'params [name]', 'Display or dump to yaml the current cfnvpn params'
+    tasks["params"].options = CfnVpn::Actions::Params.class_options
 
   end
 end

data/lib/cfnvpn/{client.rb → actions/client.rb}

@@ -1,11 +1,12 @@
 require 'thor'
+require 'fileutils'
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
+require 'cfnvpn/globals'
 
-module CfnVpn
+module CfnVpn::Actions
   class Client < Thor::Group
-    include Thor::Actions
-    include CfnVpn::Log
+    include Thor::Actions  
 
     argument :name
 
@@ -15,26 +16,28 @@ module CfnVpn
 
     class_option :bucket, desc: 's3 bucket', required: true
     class_option :client_cn, desc: 'client certificate common name', required: true
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
 
     def self.source_root
       File.dirname(__FILE__)
     end
 
     def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
     end
 
     def set_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
       @cert_dir = "#{@build_dir}/certificates"
+      FileUtils.mkdir_p(@cert_dir)
     end
 
     def create_certificate
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
-      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
-      cert = CfnVpn::Certificates.new(@build_dir,@name)
-      Log.logger.debug cert.generate_client(@options['client_cn'])
+      CfnVpn::Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
+      CfnVpn::Log.logger.debug cert.generate_client(@options['client_cn'])
       s3.store_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
     end
 

data/lib/cfnvpn/actions/embedded.rb

@@ -0,0 +1,110 @@
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+require 'cfnvpn/globals'
+
+module CfnVpn::Actions
+  class Embedded < Thor::Group
+    include Thor::Actions
+    
+
+    argument :name
+
+    class_option :profile, desc: 'AWS Profile'
+    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :bucket, required: true, desc: 'S3 bucket'
+    class_option :client_cn, required: true, default: false, desc: 'Client certificates to download'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
+    class_option :ignore_routes, alias: :i, type: :boolean, desc: 'Ignore client VPN pushed routes and set routes in config file'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def create_config_directory
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
+      @config_dir = "#{@build_dir}/config"
+      CfnVpn::Log.logger.debug("Creating config directory #{@config_dir}")
+      FileUtils.mkdir_p(@config_dir)
+    end
+
+    def download_certificates
+      download = true
+      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
+        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
+      end
+
+      if download
+        CfnVpn::Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
+        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
+        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
+        CfnVpn::Log.logger.debug cert.extract_certificate(@options['client_cn'])
+      end
+    end
+
+    def download_config
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      CfnVpn::Log.logger.debug "downloading client config for #{@endpoint_id}"
+      @config = vpn.get_config(@endpoint_id)
+      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
+      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+    end
+
+    def add_routes
+      if @options['ignore_routes']
+        CfnVpn::Log.logger.debug "Ignoring routes pushed by the client vpn"
+        @config.concat("\nroute-nopull\n")
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        routes = vpn.get_route_with_mask
+        CfnVpn::Log.logger.debug "Found routes #{routes}"
+        routes.each do |r|
+          @config.concat("route #{r[:route]} #{r[:mask]}\n")
+        end
+        dns_servers = vpn.get_dns_servers()
+        if dns_servers.any?
+          CfnVpn::Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
+        end
+      end
+    end
+
+    def embed_certs
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
+      CfnVpn::Log.logger.debug cert.extract_certificate(@options['client_cn'])
+      CfnVpn::Log.logger.debug "Reading extracted certificate and private key"
+      key = File.read("#{@config_dir}/#{@options['client_cn']}.key")
+      crt = File.read("#{@config_dir}/#{@options['client_cn']}.crt")
+      CfnVpn::Log.logger.debug "Embedding certificate and private key into config"
+      @config.concat("\n<key>\n#{key}\n</key>\n")
+      @config.concat("\n<cert>\n#{crt}\n</cert>\n")
+    end
+
+    def upload_embedded_config
+      @s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      @s3.store_embedded_config(@config, @options['client_cn'])
+    end
+
+    def get_presigned_url
+      @cn = @options['client_cn']
+      @config_url = @s3.get_url("#{@name}_#{@cn}.config.ovpn")
+      CfnVpn::Log.logger.debug "Config presigned url: #{@config_url}"
+    end
+    
+    def display_url
+      CfnVpn::Log.logger.info "Share the below instructions with the user..."
+      say "\nDownload the embedded config from the below presigned URL which will expire in 1 hour."
+      say "\nConfig:\n"
+      say "\tcurl #{@config_url} > #{@name}_#{@cn}.config.ovpn", :cyan
+      say "\nOpen #{@name}_#{@cn}.config.ovpn with your favourite openvpn client."
+    end
+
+  end
+
+end

data/lib/cfnvpn/actions/init.rb

@@ -0,0 +1,130 @@
+require 'thor'
+require 'fileutils'
+require 'cfnvpn/deployer'
+require 'cfnvpn/certificates'
+require 'cfnvpn/compiler'
+require 'cfnvpn/log'
+require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
+
+module CfnVpn::Actions
+  class Init < Thor::Group
+    include Thor::Actions
+    
+
+    argument :name
+
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :server_cn, required: true, desc: 'server certificate common name'
+    class_option :client_cn, desc: 'client certificate common name'
+    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
+    class_option :bucket, desc: 's3 bucket'
+
+    class_option :subnet_ids, required: true, type: :array, desc: 'subnet id to associate your vpn with'
+    class_option :default_groups, default: [], type: :array, desc: 'groups to allow through the subnet associations when using federated auth'
+    class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
+    class_option :dns_servers, default: [], type: :array, desc: 'DNS Servers to push to clients.'
+    
+    class_option :split_tunnel, type: :boolean, default: true, desc: 'only push routes to the client on the vpn endpoint'
+    class_option :internet_route, type: :string, desc: '[subnet-id] create a default route to the internet through a subnet'
+    class_option :protocol, type: :string, default: 'udp', enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
+    class_option :start, type: :string, desc: 'cloudwatch event cron schedule in UTC to associate subnets to the client vpn'
+    class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
+
+    class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def create_build_directory
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
+      CfnVpn::Log.logger.debug "creating directory #{@build_dir}"
+      FileUtils.mkdir_p(@build_dir)
+    end
+
+    def initialize_config
+      @config = {
+        region: @options['region'],
+        subnet_ids: @options['subnet_ids'],
+        cidr: @options['cidr'],
+        dns_servers: @options['dns_servers'],
+        split_tunnel: @options['split_tunnel'],
+        internet_route: @options['internet_route'],
+        protocol: @options['protocol'],
+        start: @options['start'],
+        stop: @options['stop'],
+        saml_arn: @options['saml_arn'],
+        routes: []
+      }
+    end
+
+    def set_type
+      @config[:type] = @options['saml_arn'] ? 'federated' : 'certificate'
+      @config[:default_groups] = @options['saml_arn'] ? @options['default_groups'] : []
+      CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
+    end
+
+    def conditional_options_check
+      if @config[:type] == 'certificate'
+        if !@options['bucket']
+          CfnVpn::Log.logger.error "--bucket option must be specified if creating a client vpn with certificate based authentication"
+          exit 1
+        end
+      end
+    end
+
+    def stack_exist
+      @deployer = CfnVpn::Deployer.new(@options['region'],@name)
+      if @deployer.does_cf_stack_exist()
+        CfnVpn::Log.logger.error "#{@name}-cfnvpn stack already exists in this account in region #{@options['region']}, use the modify command to alter the stack"
+        exit 1
+      end
+    end
+
+    # create certificates
+    def generate_server_certificates
+      CfnVpn::Log.logger.info "Generating certificates using openvpn easy-rsa"
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
+      @client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
+      cert.generate_ca(@options['server_cn'],@client_cn)
+    end
+
+    def upload_certificates
+      cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
+      @config[:server_cert_arn] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
+      if @config[:type] == 'certificate'
+         # we only need the server certificate to ACM if it is a SAML federated client vpn
+        @config[:client_cert_arn] = cert.upload_certificates(@options['region'],@client_cn,'client')
+        # and only need to upload the certs to s3 if using certificate authenitcation
+        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
+      end
+    end
+
+    def deploy_vpn
+      compiler = CfnVpn::Compiler.new(@name, @config)
+      template_body = compiler.compile
+      CfnVpn::Log.logger.info "Launching cloudformation stack #{@name}-cfnvpn in #{@options['region']}"
+      change_set, change_set_type = @deployer.create_change_set(template_body: template_body)
+      @deployer.wait_for_changeset(change_set.id)
+      @deployer.execute_change_set(change_set.id)
+      @deployer.wait_for_execute(change_set_type)
+      CfnVpn::Log.logger.info "Changeset #{change_set_type} complete"
+    end
+
+    def finish
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      CfnVpn::Log.logger.info "Client VPN #{@endpoint_id} created. Run `cfn-vpn config #{@name}` to setup the client config"
+    end
+
+  end
+end

data/lib/cfnvpn/actions/modify.rb

@@ -0,0 +1,149 @@
+require 'thor'
+require 'fileutils'
+require 'terminal-table'
+require 'cfnvpn/deployer'
+require 'cfnvpn/certificates'
+require 'cfnvpn/compiler'
+require 'cfnvpn/log'
+require 'cfnvpn/clientvpn'
+require 'cfnvpn/globals'
+require 'cfnvpn/config'
+
+module CfnVpn::Actions
+  class Modify < Thor::Group
+    include Thor::Actions
+    
+
+    argument :name
+
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :subnet_ids, type: :array, desc: 'overwrite all subnet associations'
+    class_option :add_subnet_ids, type: :array, desc: 'add to existing subnet associations'
+    class_option :del_subnet_ids, type: :array, desc: 'delete subnet associations'
+
+    class_option :default_groups, type: :array, desc: 'groups to allow through the subnet associations when using federated auth'
+
+    class_option :dns_servers, type: :array, desc: 'DNS Servers to push to clients.'
+    class_option :no_dns_servers, type: :boolean, desc: 'Remove the DNS Servers from the client vpn'
+
+    class_option :cidr, desc: 'cidr from which to assign client IP addresses'
+    class_option :split_tunnel, type: :boolean, desc: 'only push routes to the client on the vpn endpoint'
+    class_option :internet_route, type: :string, desc: '[subnet-id] create a default route to the internet through a subnet'
+    class_option :protocol, type: :string, enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
+    class_option :start, type: :string, desc: 'cloudwatch event cron schedule in UTC to associate subnets to the client vpn'
+    class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
+
+    class_option :param_yaml, type: :string, desc: 'pass in cfnvpn params through YAML file'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def create_build_directory
+      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
+      CfnVpn::Log.logger.debug "creating directory #{@build_dir}"
+      FileUtils.mkdir_p(@build_dir)
+    end
+
+    def stack_exist
+      @deployer = CfnVpn::Deployer.new(@options['region'],@name)
+      if !@deployer.does_cf_stack_exist()
+        CfnVpn::Log.logger.error "#{@name}-cfnvpn stack doesn't exists in this account in region #{@options['region']}\n Try running `cfn-vpn init #{@name}` to setup the stack"
+        exit 1
+      end
+    end
+
+    def initialize_config
+      @config = CfnVpn::Config.get_config(@options[:region], @name)
+
+      CfnVpn::Log.logger.debug "Current config:\n#{@config}"
+
+      if @options[:param_yaml]
+        CfnVpn::Log.logger.debug "Loading config from YAML file #{@options[:param_yaml]}"
+        @config = CfnVpn::Config.get_config_from_yaml_file(@options[:param_yaml])
+      else
+        CfnVpn::Log.logger.debug "Loading config from options"
+        @options.each do |key, value|
+          next if [:verbose].include? key
+          @config[key.to_sym] = value
+        end
+
+        if @options['add_subnet_ids']
+          @config[:subnet_ids].concat @options['add_subnet_ids']
+        end
+
+        if @options['del_subnet_ids']
+          @config[:subnet_ids].reject!{ |subnet| @options['del_subnet_ids'].include? subnet }
+        end
+
+        if @options['no_dns_servers']
+          @config[:dns_servers] = []
+        end
+      end
+
+      if @config[:saml_arn] && @options[:default_groups]
+        @config[:default_groups] = @options[:default_groups]
+      end
+
+      CfnVpn::Log.logger.debug "Modified config:\n#{@config}"
+    end
+
+    def deploy_vpn
+      compiler = CfnVpn::Compiler.new(@name, @config)
+      template_body = compiler.compile
+      CfnVpn::Log.logger.info "Creating cloudformation changeset for stack #{@name}-cfnvpn in #{@options['region']}"
+      change_set, change_set_type = @deployer.create_change_set(template_body: template_body)
+      @deployer.wait_for_changeset(change_set.id)
+      changeset_response = @deployer.get_change_set(change_set.id)
+
+      changes = {"Add" => [], "Modify" => [], "Remove" => []}
+      change_colours = {"Add" => "green", "Modify" => 'yellow', "Remove" => 'red'}
+
+      changeset_response.changes.each do |change|
+        action = change.resource_change.action
+        changes[action].push([
+          change.resource_change.logical_resource_id,
+          change.resource_change.resource_type,
+          change.resource_change.replacement ? change.resource_change.replacement : 'N/A',
+          change.resource_change.details.collect {|detail| detail.target.name }.join(' , ')
+        ])
+      end
+
+      changes.each do |type, rows|
+        next if !rows.any?
+        puts "\n"
+        table = Terminal::Table.new(
+          :title => type,
+          :headings => ['Logical Resource Id', 'Resource Type', 'Replacement', 'Changes'],
+          :rows => rows)
+        puts table.to_s.send(change_colours[type])
+      end
+
+      CfnVpn::Log.logger.info "Cloudformation changeset changes:"
+      puts "\n"
+      continue = yes? "Continue?", :green
+      if !continue
+        CfnVpn::Log.logger.info("Cancelled cfn-vpn modifiy #{@name}")
+        exit 1
+      end
+
+      @deployer.execute_change_set(change_set.id)
+      @deployer.wait_for_execute(change_set_type)
+      CfnVpn::Log.logger.info "Changeset #{change_set_type} complete"
+    end
+
+    def finish
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      CfnVpn::Log.logger.info "Client VPN #{@endpoint_id} modified."
+    end
+
+  end
+end