cfn-vpn 0.4.1 → 1.1.1

data/lib/cfnvpn/certificates.rb

@@ -1,51 +1,90 @@
 require 'fileutils'
+require 'mkmf'
 require 'cfnvpn/acm'
 require 'cfnvpn/s3'
 require 'cfnvpn/log'
 
 module CfnVpn
   class Certificates
-    include CfnVpn::Log
+    
 
-    def initialize(build_dir,cfnvpn_name)
+    def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
       @cfnvpn_name = cfnvpn_name
+      @easyrsa_local = easyrsa_local
+      
+      if @easyrsa_local
+        unless which('easyrsa')
+          raise "Unable to find `easyrsa` in your path. Check your path or remove the `--easyrsa-local` flag to run from docker"
+        end
+      end
+      
+      @build_dir = build_dir
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
+      @pki_dir = "#{build_dir}/pki"
       @docker_cmd = %w(docker run -it --rm)
-      @easyrsa_image = "base2/aws-client-vpn"
+      @easyrsa_image = " base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
+      FileUtils.mkdir_p(@pki_dir)
     end
 
     def generate_ca(server_cn,client_cn)
-      @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-ca'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_REQ_CN"] = server_cn
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("easyrsa init-pki")
+        system("easyrsa build-ca nopass")
+        system("easyrsa build-server-full server nopass")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
+        system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
+      else
+        @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-ca'"
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
 
     def generate_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'create-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("easyrsa build-client-full #{client_cn} nopass")
+        system("tar czfv #{@cert_dir}/#{client_cn}.tar.gz -C #{@build_dir} pki/issued/#{client_cn}.crt pki/private/#{client_cn}.key pki/reqs/#{client_cn}.req")
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'create-client'"
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
 
     def revoke_client(client_cn)
-      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      @docker_cmd << @easyrsa_image
-      @docker_cmd << "sh -c 'revoke-client'"
-      return `#{@docker_cmd.join(' ')}`
+      if @easyrsa_local
+        ENV["EASYRSA_PKI"] = @pki_dir
+        system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
+        system("tar xzfv #{@cert_dir}/#{client_cn}.tar.gz --directory #{@build_dir}")
+        system("easyrsa revoke #{client_cn}")
+        system("easyrsa gen-crl")
+        FileUtils.cp("#{@pki_dir}/crl.pem", @cert_dir)
+      else
+        @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+        @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+        @docker_cmd << @easyrsa_image
+        @docker_cmd << "sh -c 'revoke-client'"
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
+      end
     end
 
     def upload_certificates(region,cert,type,cn=nil)
       cn = cn.nil? ? cert : cn
       acm = CfnVpn::Acm.new(region, @cert_dir)
       arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
-      Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
+      CfnVpn::Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
       acm.tag_certificate(arn,cn,type,@cfnvpn_name)
       return arn
     end
@@ -65,6 +104,17 @@ module CfnVpn
       `tar xzfv #{tar} -C #{@config_dir} --strip 2`
       File.delete(tar) if File.exist?(tar)
     end
+    
+    def which(cmd)
+      exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+      ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+        exts.each do |ext|
+          exe = File.join(path, "#{cmd}#{ext}")
+          return exe if File.executable?(exe) && !File.directory?(exe)
+        end
+      end
+      nil
+    end
 
   end
 end

data/lib/cfnvpn/clientvpn.rb

@@ -4,7 +4,7 @@ require 'netaddr'
 
 module CfnVpn
   class ClientVpn
-    include CfnVpn::Log
+    
 
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
@@ -16,7 +16,7 @@ module CfnVpn
         filters: [{ name: "tag:cfnvpn:name", values: [@name] }]
       })
       if resp.client_vpn_endpoints.empty?
-        Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
+        CfnVpn::Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
       return resp.client_vpn_endpoints.first
@@ -68,53 +68,6 @@ module CfnVpn
       })
     end
 
-    def get_target_networks(endpoint_id)
-      resp = @client.describe_client_vpn_target_networks({
-        client_vpn_endpoint_id: endpoint_id
-      })
-      return resp.client_vpn_target_networks.first
-    end
-
-    def add_route(cidr,description)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-
-      @client.create_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        destination_cidr_block: cidr,
-        target_vpc_subnet_id: subnet_id,
-        description: description
-      })
-
-      resp = @client.authorize_client_vpn_ingress({
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr,
-        authorize_all_groups: true,
-        description: description
-      })
-
-      return resp.status
-    end
-
-    def del_route(cidr)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-
-      revoke = @client.revoke_client_vpn_ingress({
-        revoke_all_groups: true,
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr
-      })
-
-      route = @client.delete_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        target_vpc_subnet_id: subnet_id,
-        destination_cidr_block: cidr
-      })
-
-      return route.status, revoke.status
-    end
-
     def get_routes()
       endpoint_id = get_endpoint_id()
       resp = @client.describe_client_vpn_routes({
@@ -124,30 +77,43 @@ module CfnVpn
       return resp.routes
     end
 
-    def route_exists?(cidr)
-      routes = get_routes()
-      resp = routes.select { |route| route if route.destination_cidr == cidr }
-      return resp.any?
+    def get_groups_for_route(endpoint, cidr)
+      auth_resp = @client.describe_client_vpn_authorization_rules({
+        client_vpn_endpoint_id: endpoint,
+        filters: [
+          {
+            name: 'destination-cidr',
+            values: [cidr]
+          }
+        ]
+      })
+      return auth_resp.authorization_rules.map {|rule| rule.group_id }
     end
 
-    def get_routes()
-      endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+    def get_associations(endpoint)
+      associations = []
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint
       })
-      return resp.routes
-    end
 
-    def get_route_with_mask()
-      routes = get_routes()
-      routes
-        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
-    end
+      resp.client_vpn_target_networks.each do |net|
+        subnet_resp = @client.describe_subnets({
+          subnet_ids: [net.target_network_id]
+        })
+        subnet = subnet_resp.subnets.first
+        groups = get_groups_for_route(endpoint, subnet.cidr_block)
+        
+        associations.push({
+          association_id: net.association_id,
+          target_network_id: net.target_network_id,
+          status: net.status.code,
+          cidr: subnet.cidr_block,
+          az: subnet.availability_zone,
+          groups: groups.join(' ')
+        })
+      end
 
-    def valid_cidr?(cidr)
-      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
+      return associations
     end
 
   end

data/lib/cfnvpn/compiler.rb

@@ -0,0 +1,23 @@
+require 'cfnvpn/log'
+require 'cfnvpn/templates/vpn'
+
+module CfnVpn
+  class Compiler
+
+    def initialize(name, config)
+      @name = name
+      @config = config
+    end
+
+    def compile
+      CfnVpn::Log.logger.debug "Compiling cloudformation"
+      template = CfnVpn::Templates::Vpn.new()
+      template.render(@name, @config)
+      CfnVpn::Log.logger.debug "Validating cloudformation"
+      valid = template.validate
+      CfnVpn::Log.logger.debug "Clouformation Template\n\n#{JSON.parse(valid.to_json).to_yaml}"
+      return JSON.parse(valid.to_json).to_yaml
+    end
+
+  end
+end

data/lib/cfnvpn/config.rb

@@ -1,88 +1,45 @@
-require 'cfnvpn/clientvpn'
-require 'cfnvpn/log'
+require 'aws-sdk-ssm'
+require 'json'
+require 'cfnvpn/deployer'
 
 module CfnVpn
-  class Config < Thor::Group
-    include Thor::Actions
-    include CfnVpn::Log
-
-    argument :name
-
-    class_option :profile, desc: 'AWS Profile'
-    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
-    class_option :verbose, desc: 'set log level to debug', type: :boolean
-    class_option :bucket, required: true, desc: 's3 bucket'
-    class_option :client_cn, required: true, desc: "client certificates to download"
-
-    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
-
-    def self.source_root
-      File.dirname(__FILE__)
-    end
-
-    def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
-    end
-
-    def create_config_directory
-      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
-      @config_dir = "#{@build_dir}/config"
-      Log.logger.debug("Creating config directory #{@config_dir}")
-      FileUtils.mkdir_p(@config_dir)
-    end
-
-    def download_config
-      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      Log.logger.info "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
-    end
-
-    def download_certificates
-      download = true
-      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
-        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
-      end
-
-      if download
-        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
-        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name)
-        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+  class Config
+
+    def self.get_config(region, name)
+      client = Aws::SSM::Client.new(region: region)
+      begin
+        resp = client.get_parameter({name: "/cfnvpn/config/#{name}"})
+        return JSON.parse(resp.parameter.value, {:symbolize_names => true})
+      rescue Aws::SSM::Errors::ParameterNotFound => e
+        return self.get_config_from_parameter(region, name)
       end
     end
 
-    def alter_config
-      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
-      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    # to support upgrade from <=0.5.1 to >1.0
+    def self.get_config_from_parameter(region, name)
+      deployer = CfnVpn::Deployer.new(region, name)
+      parameters = deployer.get_parameters_from_stack_hash()
+      {
+        type: 'certificate',
+        server_cert_arn: parameters[:ServerCertificateArn],
+        client_cert_arn: parameters[:ClientCertificateArn],
+        region: region,
+        subnet_ids: [parameters[:AssociationSubnetId]],
+        cidr: parameters[:ClientCidrBlock],
+        dns_servers: parameters[:DnsServers].split(','),
+        split_tunnel: parameters[:SplitTunnel] == "true",
+        internet_route: parameters[:InternetRoute] == "true" ? parameters[:AssociationSubnetId] : nil,
+        protocol: parameters[:Protocol],
+        routes: []
+      }
     end
 
-    def add_routes
-      if @options['ignore_routes']
-        Log.logger.debug "Ignoring routes pushed by the client vpn"
-        @config.concat("\nroute-nopull\n")
-        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-        routes = vpn.get_route_with_mask
-        Log.logger.debug "Found routes #{routes}"
-        routes.each do |r|
-          @config.concat("route #{r[:route]} #{r[:mask]}\n")
-        end
-        dns_servers = vpn.get_dns_servers()
-        if dns_servers.any?
-          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
-          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
-        end
-      end
+    def self.get_config_from_yaml_file(file)
+      YAML.load(File.read(file), symbolize_names: true)
     end
 
-    def write_config
-      config_file = "#{@config_dir}/#{@name}.ovpn"
-      File.write(config_file, @config)
-      Log.logger.info "downloaded client config #{config_file}"
+    def self.dump_config_to_yaml_file(name, params)
+      File.write(File.join(Dir.pwd, "cfnvpn.#{name}.yaml"), Hash[params.collect{|k,v| [k.to_s, v]}].to_yaml)
     end
-
   end
-end
+end

data/lib/cfnvpn/{cloudformation.rb → deployer.rb}

@@ -2,10 +2,10 @@ require 'aws-sdk-cloudformation'
 require 'fileutils'
 require 'cfnvpn/version'
 require 'cfnvpn/log'
+require 'cfnvpn/string'
 
 module CfnVpn
-  class Cloudformation
-    include CfnVpn::Log
+  class Deployer
 
     def initialize(region,name)
       @name = name
@@ -29,28 +29,25 @@ module CfnVpn
       return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
     end
 
-    def create_change_set(template_path,parameters)
+    def create_change_set(template_body: nil, parameters: {})
       change_set_name = "#{@stack_name}-#{CfnVpn::CHANGE_SET_VERSION}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
       change_set_type = get_change_set_type()
 
-      if change_set_type == 'CREATE'
-        params = get_parameters_from_template(template_path)
+      if !template_body.nil?
+        params = get_parameters_from_template(template_body)
       else
         params = get_parameters_from_stack()
       end
-
+      
       params.each do |param|
         if !parameters[param[:parameter_key]].nil?
-          param['parameter_value'] = parameters[param[:parameter_key]]
-          param['use_previous_value'] = false
+          param[:parameter_value] = parameters[param[:parameter_key]]
+          param[:use_previous_value] = false
         end
       end
 
-      template_body = File.read(template_path)
-      Log.logger.debug "Creating changeset"
-      change_set = @client.create_change_set({
+      changeset_args = {
         stack_name: @stack_name,
-        template_body: template_body,
         parameters: params,
         tags: [
           {
@@ -63,18 +60,28 @@ module CfnVpn
           }
         ],
         change_set_name: change_set_name,
-        change_set_type: change_set_type
-      })
+        change_set_type: change_set_type,
+        capabilities: ['CAPABILITY_IAM']
+      }
+
+      if !template_body.nil?
+        changeset_args[:template_body] = template_body
+      else
+        changeset_args[:use_previous_template] = true
+      end
+
+      CfnVpn::Log.logger.debug "Creating changeset"
+      change_set = @client.create_change_set(changeset_args)
       return change_set, change_set_type
     end
 
     def wait_for_changeset(change_set_id)
-      Log.logger.debug "Waiting for changeset to be created"
+      CfnVpn::Log.logger.debug "Waiting for changeset to be created"
       begin
         @client.wait_until :change_set_create_complete, change_set_name: change_set_id
       rescue Aws::Waiters::Errors::FailureStateError => e
         change_set = get_change_set(change_set_id)
-        Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
+        CfnVpn::Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
         exit 1
       end
     end
@@ -86,7 +93,7 @@ module CfnVpn
     end
 
     def execute_change_set(change_set_id)
-      Log.logger.debug "Executing the changeset"
+      CfnVpn::Log.logger.debug "Executing the changeset"
       stack = @client.execute_change_set({
         change_set_name: change_set_id
       })
@@ -94,7 +101,7 @@ module CfnVpn
 
     def wait_for_execute(change_set_type)
       waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
-      Log.logger.info "Waiting for changeset to #{change_set_type}"
+      CfnVpn::Log.logger.info "Waiting for changeset to #{change_set_type}"
       resp = @client.wait_until waiter, stack_name: @stack_name
     end
 
@@ -103,11 +110,32 @@ module CfnVpn
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, use_previous_value: true }  }
     end
 
-    def get_parameters_from_template(template_path)
-      template_body = File.read(template_path)
+    def get_parameters_from_template(template_body)
       resp = @client.get_template_summary({ template_body: template_body })
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
     end
 
+    def get_parameter_value(parameter)
+      resp = @client.describe_stacks({ stack_name: @stack_name })
+      stack = resp.stacks.first
+      parameter = stack.parameters.detect {|p| p.parameter_key == parameter}
+      return parameter ? parameter.parameter_value : nil
+    end
+
+    def get_parameters_from_stack_hash()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.parameters.collect {|parameter| [parameter.parameter_key.to_sym, parameter.parameter_value]}]
+    end
+
+    def get_outputs_from_stack()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.outputs.collect {|output| [output.output_key.underscore.to_sym, output.output_value]}]
+    end
   end
 end