cfn-vpn 0.5.1 → 1.1.0

data/lib/cfnvpn/clientvpn.rb

@@ -4,7 +4,7 @@ require 'netaddr'
 
 module CfnVpn
   class ClientVpn
-    include CfnVpn::Log
+    
 
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
@@ -16,7 +16,7 @@ module CfnVpn
         filters: [{ name: "tag:cfnvpn:name", values: [@name] }]
       })
       if resp.client_vpn_endpoints.empty?
-        Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
+        CfnVpn::Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
       return resp.client_vpn_endpoints.first
@@ -68,53 +68,6 @@ module CfnVpn
       })
     end
 
-    def get_target_networks(endpoint_id)
-      resp = @client.describe_client_vpn_target_networks({
-        client_vpn_endpoint_id: endpoint_id
-      })
-      return resp.client_vpn_target_networks.first
-    end
-
-    def add_route(cidr,description)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-
-      @client.create_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        destination_cidr_block: cidr,
-        target_vpc_subnet_id: subnet_id,
-        description: description
-      })
-
-      resp = @client.authorize_client_vpn_ingress({
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr,
-        authorize_all_groups: true,
-        description: description
-      })
-
-      return resp.status
-    end
-
-    def del_route(cidr)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-
-      revoke = @client.revoke_client_vpn_ingress({
-        revoke_all_groups: true,
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr
-      })
-
-      route = @client.delete_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        target_vpc_subnet_id: subnet_id,
-        destination_cidr_block: cidr
-      })
-
-      return route.status, revoke.status
-    end
-
     def get_routes()
       endpoint_id = get_endpoint_id()
       resp = @client.describe_client_vpn_routes({
@@ -124,30 +77,43 @@ module CfnVpn
       return resp.routes
     end
 
-    def route_exists?(cidr)
-      routes = get_routes()
-      resp = routes.select { |route| route if route.destination_cidr == cidr }
-      return resp.any?
+    def get_groups_for_route(endpoint, cidr)
+      auth_resp = @client.describe_client_vpn_authorization_rules({
+        client_vpn_endpoint_id: endpoint,
+        filters: [
+          {
+            name: 'destination-cidr',
+            values: [cidr]
+          }
+        ]
+      })
+      return auth_resp.authorization_rules.map {|rule| rule.group_id }
     end
 
-    def get_routes()
-      endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+    def get_associations(endpoint)
+      associations = []
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint
       })
-      return resp.routes
-    end
 
-    def get_route_with_mask()
-      routes = get_routes()
-      routes
-        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
-    end
+      resp.client_vpn_target_networks.each do |net|
+        subnet_resp = @client.describe_subnets({
+          subnet_ids: [net.target_network_id]
+        })
+        subnet = subnet_resp.subnets.first
+        groups = get_groups_for_route(endpoint, subnet.cidr_block)
+        
+        associations.push({
+          association_id: net.association_id,
+          target_network_id: net.target_network_id,
+          status: net.status.code,
+          cidr: subnet.cidr_block,
+          az: subnet.availability_zone,
+          groups: groups.join(' ')
+        })
+      end
 
-    def valid_cidr?(cidr)
-      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
+      return associations
     end
 
   end

data/lib/cfnvpn/compiler.rb

@@ -0,0 +1,23 @@
+require 'cfnvpn/log'
+require 'cfnvpn/templates/vpn'
+
+module CfnVpn
+  class Compiler
+
+    def initialize(name, config)
+      @name = name
+      @config = config
+    end
+
+    def compile
+      CfnVpn::Log.logger.debug "Compiling cloudformation"
+      template = CfnVpn::Templates::Vpn.new()
+      template.render(@name, @config)
+      CfnVpn::Log.logger.debug "Validating cloudformation"
+      valid = template.validate
+      CfnVpn::Log.logger.debug "Clouformation Template\n\n#{JSON.parse(valid.to_json).to_yaml}"
+      return JSON.parse(valid.to_json).to_yaml
+    end
+
+  end
+end

data/lib/cfnvpn/config.rb

@@ -1,89 +1,45 @@
-require 'cfnvpn/clientvpn'
-require 'cfnvpn/log'
-require 'cfnvpn/globals'
+require 'aws-sdk-ssm'
+require 'json'
+require 'cfnvpn/deployer'
 
 module CfnVpn
-  class Config < Thor::Group
-    include Thor::Actions
-    include CfnVpn::Log
-
-    argument :name
-
-    class_option :profile, desc: 'AWS Profile'
-    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
-    class_option :verbose, desc: 'set log level to debug', type: :boolean
-    class_option :bucket, required: true, desc: 's3 bucket'
-    class_option :client_cn, required: true, desc: "client certificates to download"
-    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
-
-    def self.source_root
-      File.dirname(__FILE__)
-    end
-
-    def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
-    end
-
-    def create_config_directory
-      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
-      @config_dir = "#{@build_dir}/config"
-      Log.logger.debug("Creating config directory #{@config_dir}")
-      FileUtils.mkdir_p(@config_dir)
-    end
-
-    def download_config
-      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      Log.logger.info "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
-    end
-
-    def download_certificates
-      download = true
-      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
-        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
-      end
-
-      if download
-        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
-        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
-        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+  class Config
+
+    def self.get_config(region, name)
+      client = Aws::SSM::Client.new(region: region)
+      begin
+        resp = client.get_parameter({name: "/cfnvpn/config/#{name}"})
+        return JSON.parse(resp.parameter.value, {:symbolize_names => true})
+      rescue Aws::SSM::Errors::ParameterNotFound => e
+        return self.get_config_from_parameter(region, name)
       end
     end
 
-    def alter_config
-      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
-      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    # to support upgrade from <=0.5.1 to >1.0
+    def self.get_config_from_parameter(region, name)
+      deployer = CfnVpn::Deployer.new(region, name)
+      parameters = deployer.get_parameters_from_stack_hash()
+      {
+        type: 'certificate',
+        server_cert_arn: parameters[:ServerCertificateArn],
+        client_cert_arn: parameters[:ClientCertificateArn],
+        region: region,
+        subnet_ids: [parameters[:AssociationSubnetId]],
+        cidr: parameters[:ClientCidrBlock],
+        dns_servers: parameters[:DnsServers].split(','),
+        split_tunnel: parameters[:SplitTunnel] == "true",
+        internet_route: parameters[:InternetRoute] == "true" ? parameters[:AssociationSubnetId] : nil,
+        protocol: parameters[:Protocol],
+        routes: []
+      }
     end
 
-    def add_routes
-      if @options['ignore_routes']
-        Log.logger.debug "Ignoring routes pushed by the client vpn"
-        @config.concat("\nroute-nopull\n")
-        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-        routes = vpn.get_route_with_mask
-        Log.logger.debug "Found routes #{routes}"
-        routes.each do |r|
-          @config.concat("route #{r[:route]} #{r[:mask]}\n")
-        end
-        dns_servers = vpn.get_dns_servers()
-        if dns_servers.any?
-          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
-          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
-        end
-      end
+    def self.get_config_from_yaml_file(file)
+      YAML.load(File.read(file), symbolize_names: true)
     end
 
-    def write_config
-      config_file = "#{@config_dir}/#{@name}.ovpn"
-      File.write(config_file, @config)
-      Log.logger.info "downloaded client config #{config_file}"
+    def self.dump_config_to_yaml_file(name, params)
+      File.write(File.join(Dir.pwd, "cfnvpn.#{name}.yaml"), Hash[params.collect{|k,v| [k.to_s, v]}].to_yaml)
     end
-
   end
-end
+end

data/lib/cfnvpn/{cloudformation.rb → deployer.rb}

@@ -2,10 +2,10 @@ require 'aws-sdk-cloudformation'
 require 'fileutils'
 require 'cfnvpn/version'
 require 'cfnvpn/log'
+require 'cfnvpn/string'
 
 module CfnVpn
-  class Cloudformation
-    include CfnVpn::Log
+  class Deployer
 
     def initialize(region,name)
       @name = name
@@ -29,28 +29,25 @@ module CfnVpn
       return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
     end
 
-    def create_change_set(template_path,parameters)
+    def create_change_set(template_body: nil, parameters: {})
       change_set_name = "#{@stack_name}-#{CfnVpn::CHANGE_SET_VERSION}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
       change_set_type = get_change_set_type()
 
-      if change_set_type == 'CREATE'
-        params = get_parameters_from_template(template_path)
+      if !template_body.nil?
+        params = get_parameters_from_template(template_body)
       else
         params = get_parameters_from_stack()
       end
-
+      
       params.each do |param|
         if !parameters[param[:parameter_key]].nil?
           param[:parameter_value] = parameters[param[:parameter_key]]
           param[:use_previous_value] = false
         end
       end
-      
-      template_body = File.read(template_path)
-      Log.logger.debug "Creating changeset"
-      change_set = @client.create_change_set({
+
+      changeset_args = {
         stack_name: @stack_name,
-        template_body: template_body,
         parameters: params,
         tags: [
           {
@@ -63,18 +60,28 @@ module CfnVpn
           }
         ],
         change_set_name: change_set_name,
-        change_set_type: change_set_type
-      })
+        change_set_type: change_set_type,
+        capabilities: ['CAPABILITY_IAM']
+      }
+
+      if !template_body.nil?
+        changeset_args[:template_body] = template_body
+      else
+        changeset_args[:use_previous_template] = true
+      end
+
+      CfnVpn::Log.logger.debug "Creating changeset"
+      change_set = @client.create_change_set(changeset_args)
       return change_set, change_set_type
     end
 
     def wait_for_changeset(change_set_id)
-      Log.logger.debug "Waiting for changeset to be created"
+      CfnVpn::Log.logger.debug "Waiting for changeset to be created"
       begin
         @client.wait_until :change_set_create_complete, change_set_name: change_set_id
       rescue Aws::Waiters::Errors::FailureStateError => e
         change_set = get_change_set(change_set_id)
-        Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
+        CfnVpn::Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
         exit 1
       end
     end
@@ -86,7 +93,7 @@ module CfnVpn
     end
 
     def execute_change_set(change_set_id)
-      Log.logger.debug "Executing the changeset"
+      CfnVpn::Log.logger.debug "Executing the changeset"
       stack = @client.execute_change_set({
         change_set_name: change_set_id
       })
@@ -94,7 +101,7 @@ module CfnVpn
 
     def wait_for_execute(change_set_type)
       waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
-      Log.logger.info "Waiting for changeset to #{change_set_type}"
+      CfnVpn::Log.logger.info "Waiting for changeset to #{change_set_type}"
       resp = @client.wait_until waiter, stack_name: @stack_name
     end
 
@@ -103,11 +110,32 @@ module CfnVpn
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, use_previous_value: true }  }
     end
 
-    def get_parameters_from_template(template_path)
-      template_body = File.read(template_path)
+    def get_parameters_from_template(template_body)
       resp = @client.get_template_summary({ template_body: template_body })
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
     end
 
+    def get_parameter_value(parameter)
+      resp = @client.describe_stacks({ stack_name: @stack_name })
+      stack = resp.stacks.first
+      parameter = stack.parameters.detect {|p| p.parameter_key == parameter}
+      return parameter ? parameter.parameter_value : nil
+    end
+
+    def get_parameters_from_stack_hash()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.parameters.collect {|parameter| [parameter.parameter_key.to_sym, parameter.parameter_value]}]
+    end
+
+    def get_outputs_from_stack()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.outputs.collect {|output| [output.output_key.underscore.to_sym, output.output_value]}]
+    end
   end
 end

data/lib/cfnvpn/log.rb

@@ -1,38 +1,38 @@
 require 'logger'
 
 module CfnVpn
-  module Log
-
-    def self.colors
-      @colors ||= {
-        ERROR: 31, # red
-        WARN: 33, # yellow
-        INFO: 0,
-        DEBUG: 32 # grenn
-      }
-    end
+  module Log 
+    class << self
+      def colors
+        @colors ||= {
+          ERROR: 31, # red
+          WARN: 33, # yellow
+          INFO: 0,
+          DEBUG: 32 # grenn
+        }
+      end
 
-    def self.logger
-      if @logger.nil?
-        @logger = Logger.new(STDOUT)
-        @logger.level = Logger::INFO
-        @logger.formatter = proc do |severity, datetime, progname, msg|
-          "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+      def logger
+        if @logger.nil?
+          @logger = Logger.new(STDOUT)
+          @logger.level = Logger::INFO
+          @logger.formatter = proc do |severity, datetime, progname, msg|
+            "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+          end
         end
+        @logger
       end
-      @logger
-    end
 
-    def self.logger=(logger)
-      @logger = logger
-    end
+      def logger=(logger)
+        @logger = logger
+      end
 
-    levels = %w(debug info warn error fatal)
-    levels.each do |level|
-      define_method("#{level.to_sym}") do |msg|
-        self.logger.send(level, msg)
+      levels = %w(debug info warn error fatal)
+      levels.each do |level|
+        define_method("#{level.to_sym}") do |msg|
+          self.logger.send(level, msg)
+        end
       end
     end
-
   end
 end