cfn-vpn 0.5.1 → 1.3.1

data/lib/cfnvpn/actions/params.rb

@@ -0,0 +1,73 @@
+require 'yaml'
+require 'cfnvpn/config'
+require 'cfnvpn/log'
+
+module CfnVpn::Actions
+  class Params < Thor::Group
+    include Thor::Actions
+    
+
+    argument :name
+
+    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :dump, type: :boolean, desc: 'dump config to yaml file'
+    class_option :diff_yaml, desc: 'diff yaml file with deployed config'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def get_config
+      @config = CfnVpn::Config.get_config(@options[:region], @name)
+    end
+
+    def dump
+      CfnVpn::Config.dump_config_to_yaml_file(name, @config) if @options[:dump]
+    end
+
+    def setup_display
+      @headings = ['Param', 'Deployed Value']
+      @rows = []
+    end
+
+    def diff
+      if @options[:diff_yaml]
+        yaml_params = CfnVpn::Config.get_config_from_yaml_file(@options[:diff_yaml])
+
+        @headings << 'YAML Value'
+        @config.each do |key, value|
+          row = [key, value]
+          if yaml_params.has_key? key
+            row << yaml_params[key]
+          else
+            row << nil
+          end
+
+          if row[1] != row[2]
+            row[1] = row[1].to_s.red
+            row[2] = row[2].to_s.red
+          end
+
+          @rows << row
+        end
+      else
+        @rows = @config.to_a
+      end
+    end
+
+    def display
+      table = Terminal::Table.new(
+        :title => 'Params',
+        :headings => @headings,
+        :rows => @rows)
+      puts table
+    end
+
+  end
+end

data/lib/cfnvpn/{revoke.rb → actions/revoke.rb}

@@ -3,10 +3,10 @@ require 'cfnvpn/log'
 require 'cfnvpn/s3'
 require 'cfnvpn/globals'
 
-module CfnVpn
+module CfnVpn::Actions
   class Revoke < Thor::Group
     include Thor::Actions
-    include CfnVpn::Log
+    
 
     argument :name
 
@@ -23,7 +23,7 @@ module CfnVpn
     end
 
     def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
     end
 
     def set_directory
@@ -36,15 +36,15 @@ module CfnVpn
       s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
       s3.get_object("#{@cert_dir}/ca.tar.gz")
       s3.get_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
-      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
-      Log.logger.debug cert.revoke_client(@options['client_cn'])
+      CfnVpn::Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      CfnVpn::Log.logger.debug cert.revoke_client(@options['client_cn'])
     end
 
     def apply_rekocation_list
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
       endpoint_id = vpn.get_endpoint_id()
       vpn.put_revoke_list(endpoint_id,"#{@cert_dir}/crl.pem")
-      Log.logger.info("revoked client #{@options['client_cn']} from #{endpoint_id}")
+      CfnVpn::Log.logger.info("revoked client #{@options['client_cn']} from #{endpoint_id}")
     end
 
   end

data/lib/cfnvpn/actions/routes.rb

@@ -0,0 +1,196 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+require 'cfnvpn/globals'
+
+module CfnVpn::Actions
+  class Routes < Thor::Group
+    include Thor::Actions
+
+    argument :name
+
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :cidr, desc: 'cidr range'
+    class_option :dns, desc: 'dns record to auto lookup ip'
+    class_option :subnet, desc: 'the target vpc subnet to route through, if none is supplied the default subnet is used'
+    class_option :desc, desc: 'description of the route'
+
+    class_option :groups, type: :array, desc: 'override all authorised groups on thr route'
+    class_option :add_groups, type: :array, desc: 'add authorised groups to an existing route'
+    class_option :del_groups, type: :array, desc: 'remove authorised groups from an existing route'
+
+    class_option :delete, type: :boolean, desc: 'delete the route from the client vpn'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def set_config
+      @config = CfnVpn::Config.get_config(@options[:region], @name)
+
+      if @options[:cidr] && @options[:dns]
+        CfnVpn::Log.logger.error "only one of --dns or --cidr can be set"
+        exit 1
+      end
+
+      if @options[:dns]
+        if @options[:dns].include?("*")
+          CfnVpn::Log.logger.error("wild card DNS resolution is not supported, use a record that will be resolved by the wild card instead")
+          exit 1
+        end
+        @route = @config[:routes].detect {|route| route[:dns] == @options[:dns]}      
+      elsif @options[:cidr]
+        @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+      end
+    end
+
+    def set_route
+      @skip_update = false
+      @dns_route_cleanup = nil
+      if @route && @options[:delete]
+        if @options[:dns]
+          CfnVpn::Log.logger.info "deleting auto lookup route for endpoint #{@options[:dns]}"
+          @config[:routes].reject! {|route| route[:dns] == @options[:dns]}
+          @dns_route_cleanup = @options[:dns]
+        elsif @options[:cidr]
+          CfnVpn::Log.logger.info "deleting route #{@options[:cidr]}"
+          @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        end
+      elsif @route
+        CfnVpn::Log.logger.info "existing route for #{@options[:cidr] ? @options[:cidr] : @options[:dns]} found"
+        if @options[:groups]
+          CfnVpn::Log.logger.info "replacing groups #{@route[:groups]} with new #{@options[:groups]} for route authorization rule"
+          @route[:groups] = @options[:groups]
+        end
+
+        if @options[:add_groups]
+          CfnVpn::Log.logger.info "adding new group(s) #{@options[:add_groups]} to route authorization rule" 
+          @route[:groups].concat(@options[:add_groups]).uniq!
+        end
+
+        if @options[:del_groups]
+          CfnVpn::Log.logger.info "removing new group(s) #{@options[:del_groups]} to route authorization rule" 
+          @route[:groups].reject! {|group| @options[:del_groups].include? group}
+        end
+
+        if @options[:desc]
+          CfnVpn::Log.logger.warn "description for this route cannot be updated in place. To alter delete the route and add with the new description"
+        end
+
+        if @options[:subnet]
+          CfnVpn::Log.logger.warn "the target subnet for this route cannot be updated in place. To alter delete the route and add with the new target subnet"
+        end
+      elsif !@route && @options[:cidr]
+        CfnVpn::Log.logger.info "adding new route for #{@options[:cidr]}"
+        @config[:routes] << {
+          cidr: @options[:cidr],
+          desc: @options.fetch(:desc, ""),
+          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
+        }
+      elsif !@route && @options[:dns]
+        CfnVpn::Log.logger.info "adding new route lookup for dns record #{@options[:dns]}"
+        @config[:routes] << {
+          dns: @options[:dns],
+          desc: @options.fetch(:desc, ""),
+          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
+        }
+      else
+        @skip_update = true
+      end
+
+      CfnVpn::Log.logger.debug "CONFIG: #{@config}"
+    end
+
+    def create_bucket_if_bucket_not_set
+      if !@config.has_key?(:bucket)
+        CfnVpn::Log.logger.error "no bucket found in the config, run the cfn-vpn modify #{name} command to add a bucket"
+        exit 1
+      end
+    end
+
+    def deploy_vpn
+      unless @skip_update
+        compiler = CfnVpn::Compiler.new(@name, @config)
+        template_body = compiler.compile
+        CfnVpn::Log.logger.info "Creating cloudformation changeset for stack #{@name}-cfnvpn in #{@options['region']}"
+        @deployer = CfnVpn::Deployer.new(@options['region'],@name)
+        change_set, change_set_type = @deployer.create_change_set(template_body: template_body)
+        @deployer.wait_for_changeset(change_set.id)
+        changeset_response = @deployer.get_change_set(change_set.id)
+
+        changes = {"Add" => [], "Modify" => [], "Remove" => []}
+        change_colours = {"Add" => "green", "Modify" => 'yellow', "Remove" => 'red'}
+
+        changeset_response.changes.each do |change|
+          action = change.resource_change.action
+          changes[action].push([
+            change.resource_change.logical_resource_id,
+            change.resource_change.resource_type,
+            change.resource_change.replacement ? change.resource_change.replacement : 'N/A',
+            change.resource_change.details.collect {|detail| detail.target.name }.join(' , ')
+          ])
+        end
+
+        changes.each do |type, rows|
+          next if !rows.any?
+          puts "\n"
+          table = Terminal::Table.new(
+            :title => type,
+            :headings => ['Logical Resource Id', 'Resource Type', 'Replacement', 'Changes'],
+            :rows => rows)
+          puts table.to_s.send(change_colours[type])
+        end
+
+        CfnVpn::Log.logger.info "Cloudformation changeset changes:"
+        puts "\n"
+        continue = yes? "Continue?", :green
+        if !continue
+          CfnVpn::Log.logger.info("Cancelled cfn-vpn modifiy #{@name}")
+          exit 1
+        end
+
+        @deployer.execute_change_set(change_set.id)
+        @deployer.wait_for_execute(change_set_type)
+        CfnVpn::Log.logger.info "Changeset #{change_set_type} complete"
+      end
+    end
+
+    def cleanup_dns_routes
+      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      unless @dns_route_cleanup.nil?
+        routes = @vpn.get_routes()
+        CfnVpn::Log.logger.info("Cleaning up expired routes for #{@dns_route_cleanup}")
+        expired_routes = routes.select {|route| route.description.include?(@dns_route_cleanup) }
+        expired_routes.each do |route|
+          @vpn.delete_route(route.destination_cidr, route.target_subnet)
+          @vpn.revoke_auth(route.destination_cidr)
+        end
+      end
+    end
+
+    def get_routes
+      @endpoint = @vpn.get_endpoint_id()
+      @routes = @vpn.get_routes()
+    end
+
+    def display_routes
+      rows = @routes.collect do |s|
+        groups = @vpn.get_groups_for_route(@endpoint, s.destination_cidr)
+        [ s.destination_cidr, s.description, s.status.code, s.target_subnet, s.type, s.origin, (!groups.join("").empty? ? groups.join(' ') : 'AllowAll') ]
+      end
+      table = Terminal::Table.new(
+        :headings => ['Route', 'Description', 'Status', 'Target', 'Type', 'Origin', 'Groups'],
+        :rows => rows)
+      puts table
+    end
+
+  end
+end

data/lib/cfnvpn/{sessions.rb → actions/sessions.rb}

@@ -4,10 +4,10 @@ require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
 
-module CfnVpn
+module CfnVpn::Actions
   class Sessions < Thor::Group
     include Thor::Actions
-    include CfnVpn::Log
+    
 
     argument :name
 
@@ -22,7 +22,7 @@ module CfnVpn
     end
 
     def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
     end
 
     def set_directory
@@ -41,11 +41,11 @@ module CfnVpn
         if session.any? && session.status.code == "active"
           terminate = yes? "Terminate connection #{@options['kill']} for #{session.common_name}?", :yellow
           if terminate
-            Log.logger.info "Terminating connection #{@options['kill']} for #{session.common_name}"
+            CfnVpn::Log.logger.info "Terminating connection #{@options['kill']} for #{session.common_name}"
             @vpn.kill_session(@endpoint_id,@options['kill'])
           end
         else
-          Log.logger.error "Connection id #{@options['kill']} doesn't exist or is not active"
+          CfnVpn::Log.logger.error "Connection id #{@options['kill']} doesn't exist or is not active"
         end
       end
     end

data/lib/cfnvpn/{share.rb → actions/share.rb}

@@ -1,10 +1,10 @@
 require 'cfnvpn/log'
 require 'cfnvpn/s3'
 
-module CfnVpn
+module CfnVpn::Actions
   class Share < Thor::Group
     include Thor::Actions
-    include CfnVpn::Log
+    
 
     argument :name
 
@@ -21,13 +21,13 @@ module CfnVpn
     end
 
     def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
     end
 
     def copy_config_to_s3
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
       @endpoint_id = vpn.get_endpoint_id()
-      Log.logger.debug "downloading client config for #{@endpoint_id}"
+      CfnVpn::Log.logger.debug "downloading client config for #{@endpoint_id}"
       @config = vpn.get_config(@endpoint_id)
       string = (0...8).map { (65 + rand(26)).chr.downcase }.join
       @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
@@ -35,17 +35,17 @@ module CfnVpn
 
     def add_routes
       if @options['ignore_routes']
-        Log.logger.debug "Ignoring routes pushed by the client vpn"
+        CfnVpn::Log.logger.debug "Ignoring routes pushed by the client vpn"
         @config.concat("\nroute-nopull\n")
         vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
         routes = vpn.get_route_with_mask
-        Log.logger.debug "Found routes #{routes}"
+        CfnVpn::Log.logger.debug "Found routes #{routes}"
         routes.each do |r|
           @config.concat("route #{r[:route]} #{r[:mask]}\n")
         end
         dns_servers = vpn.get_dns_servers()
         if dns_servers.any?
-          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          CfnVpn::Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
           @config.concat("dhcp-option DNS #{dns_servers.first}\n")
         end
       end
@@ -58,16 +58,16 @@ module CfnVpn
 
     def get_certificate_url
       @certificate_url = @s3.get_url("#{@options['client_cn']}.tar.gz")
-      Log.logger.debug "Certificate presigned url: #{@certificate_url}"
+      CfnVpn::Log.logger.debug "Certificate presigned url: #{@certificate_url}"
     end
 
     def get_config_url
       @config_url = @s3.get_url("#{@name}.config.ovpn")
-      Log.logger.debug "Config presigned url: #{@config_url}"
+      CfnVpn::Log.logger.debug "Config presigned url: #{@config_url}"
     end
 
     def display_instructions
-      Log.logger.info "Share the bellow instruction with the user..."
+      CfnVpn::Log.logger.info "Share the bellow instruction with the user..."
       say "\nDownload the certificates and config from the bellow presigned URLs which will expire in 1 hour."
       say "\nCertificate:"
       say "\tcurl #{@certificate_url} > #{@options['client_cn']}.tar.gz", :cyan

data/lib/cfnvpn/actions/subnets.rb

@@ -0,0 +1,78 @@
+require 'thor'
+require 'fileutils'
+require 'cfnvpn/log'
+
+module CfnVpn::Actions
+  class Subnets < Thor::Group
+    include Thor::Actions
+    
+
+    argument :name
+
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :associate, aliases: :a, desc: 'associate all subnets with the client vpn', type: :boolean
+    class_option :disassociate, aliases: :d, desc: 'disassociate all subnets with the client vpn', type: :boolean
+
+    def set_loglevel
+      CfnVpn::Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def stack_exist
+      @deployer = CfnVpn::Deployer.new(@options['region'],@name)
+      if !@deployer.does_cf_stack_exist()
+        CfnVpn::Log.logger.error "#{@name}-cfnvpn stack doesn't exists in this account and region #{@options['region']}"
+        exit 1
+      end
+    end
+
+    def associated?
+      @associated = @deployer.get_parameter_value('AssociateSubnets') == 'true'
+    end
+
+    def associate
+      if @options[:associate]
+        if !@associated
+          CfnVpn::Log.logger.info "Associating subnets ..."
+          change_set, change_set_type = @deployer.create_change_set(parameters: {"AssociateSubnets" => 'true'})
+          @deployer.wait_for_changeset(change_set.id)
+          @deployer.execute_change_set(change_set.id)
+          @deployer.wait_for_execute(change_set_type)
+          CfnVpn::Log.logger.info "Association complete"
+        else
+          CfnVpn::Log.logger.warn "Client-VPN #{name} subnets are already associated"
+        end
+      end
+    end
+
+    def disassociate
+      if @options[:disassociate]
+        if @associated
+          CfnVpn::Log.logger.info "Disassociating subnets ..."
+          change_set, change_set_type = @deployer.create_change_set(parameters: {"AssociateSubnets" => 'false'})
+          @deployer.wait_for_changeset(change_set.id)
+          @deployer.execute_change_set(change_set.id)
+          @deployer.wait_for_execute(change_set_type)
+          CfnVpn::Log.logger.info "Disassociation complete"
+        else
+          CfnVpn::Log.logger.warn "Client-VPN #{name} subnets are already disassociated"
+        end
+      end
+    end
+
+    def get_endpoint
+      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = @vpn.get_endpoint_id()
+    end
+
+    def associations
+      associations = @vpn.get_associations(@endpoint_id)
+      table = Terminal::Table.new(
+        :headings => ['ID', 'Subnet', 'Status', 'CIDR', 'AZ', 'Groups'],
+        :rows => associations.map {|ass| ass.values})
+      puts table
+    end
+
+  end
+end