RubyGems - cfn-vpn - Versions diffs - 0.5.1 → 1.3.1 - Mend

cfn-vpn 0.5.1 → 1.3.1

Files changed (46) hide show

checksums.yaml +4 -4
data/.github/workflows/build-gem.yml +25 -0
data/.github/workflows/release-gem.yml +34 -0
data/.github/workflows/release-image.yml +33 -0
data/Gemfile.lock +33 -39
data/README.md +1 -247
data/cfn-vpn.gemspec +4 -4
data/docs/README.md +44 -0
data/docs/certificate-users.md +89 -0
data/docs/getting-started.md +128 -0
data/docs/modifying.md +67 -0
data/docs/routes.md +98 -0
data/docs/scheduling.md +32 -0
data/docs/sessions.md +27 -0
data/lib/cfnvpn.rb +31 -27
data/lib/cfnvpn/{client.rb → actions/client.rb} +5 -6
data/lib/cfnvpn/{embedded.rb → actions/embedded.rb} +15 -15
data/lib/cfnvpn/actions/init.rb +144 -0
data/lib/cfnvpn/actions/modify.rb +169 -0
data/lib/cfnvpn/actions/params.rb +73 -0
data/lib/cfnvpn/{revoke.rb → actions/revoke.rb} +6 -6
data/lib/cfnvpn/actions/routes.rb +196 -0
data/lib/cfnvpn/{sessions.rb → actions/sessions.rb} +5 -5
data/lib/cfnvpn/{share.rb → actions/share.rb} +10 -10
data/lib/cfnvpn/actions/subnets.rb +78 -0
data/lib/cfnvpn/certificates.rb +5 -5
data/lib/cfnvpn/clientvpn.rb +49 -65
data/lib/cfnvpn/compiler.rb +23 -0
data/lib/cfnvpn/config.rb +34 -78
data/lib/cfnvpn/{cloudformation.rb → deployer.rb} +47 -19
data/lib/cfnvpn/log.rb +26 -26
data/lib/cfnvpn/s3.rb +34 -4
data/lib/cfnvpn/s3_bucket.rb +48 -0
data/lib/cfnvpn/string.rb +33 -0
data/lib/cfnvpn/templates/helper.rb +14 -0
data/lib/cfnvpn/templates/lambdas.rb +35 -0
data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py +175 -0
data/lib/cfnvpn/templates/lambdas/scheduler/app.py +36 -0
data/lib/cfnvpn/templates/vpn.rb +449 -0
data/lib/cfnvpn/version.rb +1 -1
metadata +73 -23
data/lib/cfnvpn/cfhighlander.rb +0 -49
data/lib/cfnvpn/init.rb +0 -109
data/lib/cfnvpn/modify.rb +0 -103
data/lib/cfnvpn/routes.rb +0 -84
data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt +0 -27

data/lib/cfnvpn/certificates.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require 'cfnvpn/log'
 module CfnVpn
   class Certificates
-    include CfnVpn::Log
     def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
       @cfnvpn_name = cfnvpn_name
@@ -44,7 +44,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'create-ca'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -59,7 +59,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'create-client'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -76,7 +76,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'revoke-client'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -84,7 +84,7 @@ module CfnVpn
       cn = cn.nil? ? cert : cn
       acm = CfnVpn::Acm.new(region, @cert_dir)
       arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
-      Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
+      CfnVpn::Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
       acm.tag_certificate(arn,cn,type,@cfnvpn_name)
       return arn
     end

data/lib/cfnvpn/clientvpn.rb CHANGED Viewed

@@ -4,11 +4,12 @@ require 'netaddr'
 module CfnVpn
   class ClientVpn
-    include CfnVpn::Log
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
       @name = name
+      @endpoint_id = self.get_endpoint_id()
     end
     def get_endpoint()
@@ -16,7 +17,7 @@ module CfnVpn
         filters: [{ name: "tag:cfnvpn:name", values: [@name] }]
       })
       if resp.client_vpn_endpoints.empty?
-        Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
+        CfnVpn::Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
       return resp.client_vpn_endpoints.first
@@ -68,86 +69,69 @@ module CfnVpn
       })
     end
-    def get_target_networks(endpoint_id)
-      resp = @client.describe_client_vpn_target_networks({
-        client_vpn_endpoint_id: endpoint_id
-      })
-      return resp.client_vpn_target_networks.first
-    end
-    def add_route(cidr,description)
+    def get_routes()
       endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-      @client.create_client_vpn_route({
+      resp = @client.describe_client_vpn_routes({
         client_vpn_endpoint_id: endpoint_id,
-        destination_cidr_block: cidr,
-        target_vpc_subnet_id: subnet_id,
-        description: description
+        max_results: 20
       })
+      return resp.routes
+    end
-      resp = @client.authorize_client_vpn_ingress({
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr,
-        authorize_all_groups: true,
-        description: description
+    def get_groups_for_route(endpoint, cidr)
+      auth_resp = @client.describe_client_vpn_authorization_rules({
+        client_vpn_endpoint_id: endpoint,
+        filters: [
+          {
+            name: 'destination-cidr',
+            values: [cidr]
+          }
+        ]
       })
-      return resp.status
+      return auth_resp.authorization_rules.map {|rule| rule.group_id }
     end
-    def del_route(cidr)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-      revoke = @client.revoke_client_vpn_ingress({
-        revoke_all_groups: true,
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr
+    def get_associations(endpoint)
+      associations = []
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint
       })
-      route = @client.delete_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        target_vpc_subnet_id: subnet_id,
-        destination_cidr_block: cidr
-      })
+      resp.client_vpn_target_networks.each do |net|
+        subnet_resp = @client.describe_subnets({
+          subnet_ids: [net.target_network_id]
+        })
+        subnet = subnet_resp.subnets.first
+        groups = get_groups_for_route(endpoint, subnet.cidr_block)
+        associations.push({
+          association_id: net.association_id,
+          target_network_id: net.target_network_id,
+          status: net.status.code,
+          cidr: subnet.cidr_block,
+          az: subnet.availability_zone,
+          groups: groups.join(' ')
+        })
+      end
-      return route.status, revoke.status
+      return associations
     end
-    def get_routes()
-      endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+    def delete_route(cidr, subnet)
+      @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_vpc_subnet_id: subnet,
+        destination_cidr_block: cidr
       })
-      return resp.routes
-    end
-    def route_exists?(cidr)
-      routes = get_routes()
-      resp = routes.select { |route| route if route.destination_cidr == cidr }
-      return resp.any?
     end
-    def get_routes()
+    def revoke_auth(cidr)
       endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+      @client.revoke_client_vpn_ingress({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_network_cidr: cidr,
+        revoke_all_groups: true
       })
-      return resp.routes
-    end
-    def get_route_with_mask()
-      routes = get_routes()
-      routes
-        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
-    end
-    def valid_cidr?(cidr)
-      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
     end
   end

data/lib/cfnvpn/compiler.rb ADDED Viewed

@@ -0,0 +1,23 @@
+require 'cfnvpn/log'
+require 'cfnvpn/templates/vpn'
+module CfnVpn
+  class Compiler
+    def initialize(name, config)
+      @name = name
+      @config = config
+    end
+    def compile
+      CfnVpn::Log.logger.debug "Compiling cloudformation"
+      template = CfnVpn::Templates::Vpn.new()
+      template.render(@name, @config)
+      CfnVpn::Log.logger.debug "Validating cloudformation"
+      valid = template.validate
+      CfnVpn::Log.logger.debug "Clouformation Template\n\n#{JSON.parse(valid.to_json).to_yaml}"
+      return JSON.parse(valid.to_json).to_yaml
+    end
+  end
+end

data/lib/cfnvpn/config.rb CHANGED Viewed

@@ -1,89 +1,45 @@
-require 'cfnvpn/clientvpn'
-require 'cfnvpn/log'
-require 'cfnvpn/globals'
+require 'aws-sdk-ssm'
+require 'json'
+require 'cfnvpn/deployer'
 module CfnVpn
-  class Config < Thor::Group
-    include Thor::Actions
-    include CfnVpn::Log
-    argument :name
-    class_option :profile, desc: 'AWS Profile'
-    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
-    class_option :verbose, desc: 'set log level to debug', type: :boolean
-    class_option :bucket, required: true, desc: 's3 bucket'
-    class_option :client_cn, required: true, desc: "client certificates to download"
-    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
-    def self.source_root
-      File.dirname(__FILE__)
-    end
-    def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
-    end
-    def create_config_directory
-      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
-      @config_dir = "#{@build_dir}/config"
-      Log.logger.debug("Creating config directory #{@config_dir}")
-      FileUtils.mkdir_p(@config_dir)
-    end
-    def download_config
-      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      Log.logger.info "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
-    end
-    def download_certificates
-      download = true
-      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
-        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
-      end
-      if download
-        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
-        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
-        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+  class Config
+    def self.get_config(region, name)
+      client = Aws::SSM::Client.new(region: region)
+      begin
+        resp = client.get_parameter({name: "/cfnvpn/config/#{name}"})
+        return JSON.parse(resp.parameter.value, {:symbolize_names => true})
+      rescue Aws::SSM::Errors::ParameterNotFound => e
+        return self.get_config_from_parameter(region, name)
       end
     end
-    def alter_config
-      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
-      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    # to support upgrade from <=0.5.1 to >1.0
+    def self.get_config_from_parameter(region, name)
+      deployer = CfnVpn::Deployer.new(region, name)
+      parameters = deployer.get_parameters_from_stack_hash()
+      {
+        type: 'certificate',
+        server_cert_arn: parameters[:ServerCertificateArn],
+        client_cert_arn: parameters[:ClientCertificateArn],
+        region: region,
+        subnet_ids: [parameters[:AssociationSubnetId]],
+        cidr: parameters[:ClientCidrBlock],
+        dns_servers: parameters[:DnsServers].split(','),
+        split_tunnel: parameters[:SplitTunnel] == "true",
+        internet_route: parameters[:InternetRoute] == "true" ? parameters[:AssociationSubnetId] : nil,
+        protocol: parameters[:Protocol],
+        routes: []
+      }
     end
-    def add_routes
-      if @options['ignore_routes']
-        Log.logger.debug "Ignoring routes pushed by the client vpn"
-        @config.concat("\nroute-nopull\n")
-        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-        routes = vpn.get_route_with_mask
-        Log.logger.debug "Found routes #{routes}"
-        routes.each do |r|
-          @config.concat("route #{r[:route]} #{r[:mask]}\n")
-        end
-        dns_servers = vpn.get_dns_servers()
-        if dns_servers.any?
-          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
-          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
-        end
-      end
+    def self.get_config_from_yaml_file(file)
+      YAML.load(File.read(file), symbolize_names: true)
     end
-    def write_config
-      config_file = "#{@config_dir}/#{@name}.ovpn"
-      File.write(config_file, @config)
-      Log.logger.info "downloaded client config #{config_file}"
+    def self.dump_config_to_yaml_file(name, params)
+      File.write(File.join(Dir.pwd, "cfnvpn.#{name}.yaml"), Hash[params.collect{|k,v| [k.to_s, v]}].to_yaml)
     end
   end
-end
+end

data/lib/cfnvpn/{cloudformation.rb → deployer.rb} RENAMED Viewed

@@ -2,10 +2,10 @@ require 'aws-sdk-cloudformation'
 require 'fileutils'
 require 'cfnvpn/version'
 require 'cfnvpn/log'
+require 'cfnvpn/string'
 module CfnVpn
-  class Cloudformation
-    include CfnVpn::Log
+  class Deployer
     def initialize(region,name)
       @name = name
@@ -29,28 +29,25 @@ module CfnVpn
       return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
     end
-    def create_change_set(template_path,parameters)
+    def create_change_set(template_body: nil, parameters: {})
       change_set_name = "#{@stack_name}-#{CfnVpn::CHANGE_SET_VERSION}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
       change_set_type = get_change_set_type()
-      if change_set_type == 'CREATE'
-        params = get_parameters_from_template(template_path)
+      if !template_body.nil?
+        params = get_parameters_from_template(template_body)
       else
         params = get_parameters_from_stack()
       end
       params.each do |param|
         if !parameters[param[:parameter_key]].nil?
           param[:parameter_value] = parameters[param[:parameter_key]]
           param[:use_previous_value] = false
         end
       end
-      template_body = File.read(template_path)
-      Log.logger.debug "Creating changeset"
-      change_set = @client.create_change_set({
+      changeset_args = {
         stack_name: @stack_name,
-        template_body: template_body,
         parameters: params,
         tags: [
           {
@@ -63,18 +60,28 @@ module CfnVpn
           }
         ],
         change_set_name: change_set_name,
-        change_set_type: change_set_type
-      })
+        change_set_type: change_set_type,
+        capabilities: ['CAPABILITY_IAM']
+      }
+      if !template_body.nil?
+        changeset_args[:template_body] = template_body
+      else
+        changeset_args[:use_previous_template] = true
+      end
+      CfnVpn::Log.logger.debug "Creating changeset"
+      change_set = @client.create_change_set(changeset_args)
       return change_set, change_set_type
     end
     def wait_for_changeset(change_set_id)
-      Log.logger.debug "Waiting for changeset to be created"
+      CfnVpn::Log.logger.debug "Waiting for changeset to be created"
       begin
         @client.wait_until :change_set_create_complete, change_set_name: change_set_id
       rescue Aws::Waiters::Errors::FailureStateError => e
         change_set = get_change_set(change_set_id)
-        Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
+        CfnVpn::Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
         exit 1
       end
     end
@@ -86,7 +93,7 @@ module CfnVpn
     end
     def execute_change_set(change_set_id)
-      Log.logger.debug "Executing the changeset"
+      CfnVpn::Log.logger.debug "Executing the changeset"
       stack = @client.execute_change_set({
         change_set_name: change_set_id
       })
@@ -94,7 +101,7 @@ module CfnVpn
     def wait_for_execute(change_set_type)
       waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
-      Log.logger.info "Waiting for changeset to #{change_set_type}"
+      CfnVpn::Log.logger.info "Waiting for changeset to #{change_set_type}"
       resp = @client.wait_until waiter, stack_name: @stack_name
     end
@@ -103,11 +110,32 @@ module CfnVpn
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, use_previous_value: true }  }
     end
-    def get_parameters_from_template(template_path)
-      template_body = File.read(template_path)
+    def get_parameters_from_template(template_body)
       resp = @client.get_template_summary({ template_body: template_body })
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
     end
+    def get_parameter_value(parameter)
+      resp = @client.describe_stacks({ stack_name: @stack_name })
+      stack = resp.stacks.first
+      parameter = stack.parameters.detect {|p| p.parameter_key == parameter}
+      return parameter ? parameter.parameter_value : nil
+    end
+    def get_parameters_from_stack_hash()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.parameters.collect {|parameter| [parameter.parameter_key.to_sym, parameter.parameter_value]}]
+    end
+    def get_outputs_from_stack()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.outputs.collect {|output| [output.output_key.underscore.to_sym, output.output_value]}]
+    end
   end
 end