RubyGems - cfn-vpn - Versions diffs - 0.5.1 → 1.3.1 - Mend

cfn-vpn 0.5.1 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

checksums.yaml +4 -4
data/.github/workflows/build-gem.yml +25 -0
data/.github/workflows/release-gem.yml +34 -0
data/.github/workflows/release-image.yml +33 -0
data/Gemfile.lock +33 -39
data/README.md +1 -247
data/cfn-vpn.gemspec +4 -4
data/docs/README.md +44 -0
data/docs/certificate-users.md +89 -0
data/docs/getting-started.md +128 -0
data/docs/modifying.md +67 -0
data/docs/routes.md +98 -0
data/docs/scheduling.md +32 -0
data/docs/sessions.md +27 -0
data/lib/cfnvpn.rb +31 -27
data/lib/cfnvpn/{client.rb → actions/client.rb} +5 -6
data/lib/cfnvpn/{embedded.rb → actions/embedded.rb} +15 -15
data/lib/cfnvpn/actions/init.rb +144 -0
data/lib/cfnvpn/actions/modify.rb +169 -0
data/lib/cfnvpn/actions/params.rb +73 -0
data/lib/cfnvpn/{revoke.rb → actions/revoke.rb} +6 -6
data/lib/cfnvpn/actions/routes.rb +196 -0
data/lib/cfnvpn/{sessions.rb → actions/sessions.rb} +5 -5
data/lib/cfnvpn/{share.rb → actions/share.rb} +10 -10
data/lib/cfnvpn/actions/subnets.rb +78 -0
data/lib/cfnvpn/certificates.rb +5 -5
data/lib/cfnvpn/clientvpn.rb +49 -65
data/lib/cfnvpn/compiler.rb +23 -0
data/lib/cfnvpn/config.rb +34 -78
data/lib/cfnvpn/{cloudformation.rb → deployer.rb} +47 -19
data/lib/cfnvpn/log.rb +26 -26
data/lib/cfnvpn/s3.rb +34 -4
data/lib/cfnvpn/s3_bucket.rb +48 -0
data/lib/cfnvpn/string.rb +33 -0
data/lib/cfnvpn/templates/helper.rb +14 -0
data/lib/cfnvpn/templates/lambdas.rb +35 -0
data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py +175 -0
data/lib/cfnvpn/templates/lambdas/scheduler/app.py +36 -0
data/lib/cfnvpn/templates/vpn.rb +449 -0
data/lib/cfnvpn/version.rb +1 -1
metadata +73 -23
data/lib/cfnvpn/cfhighlander.rb +0 -49
data/lib/cfnvpn/init.rb +0 -109
data/lib/cfnvpn/modify.rb +0 -103
data/lib/cfnvpn/routes.rb +0 -84
data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt +0 -27

data/lib/cfnvpn/certificates.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require 'cfnvpn/log'
 module CfnVpn
   class Certificates
-    include CfnVpn::Log
     def initialize(build_dir, cfnvpn_name, easyrsa_local = false)
       @cfnvpn_name = cfnvpn_name
@@ -44,7 +44,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'create-ca'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -59,7 +59,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'create-client'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -76,7 +76,7 @@ module CfnVpn
         @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
         @docker_cmd << @easyrsa_image
         @docker_cmd << "sh -c 'revoke-client'"
-        Log.logger.debug `#{@docker_cmd.join(' ')}`
+        CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
       end
     end
@@ -84,7 +84,7 @@ module CfnVpn
       cn = cn.nil? ? cert : cn
       acm = CfnVpn::Acm.new(region, @cert_dir)
       arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
-      Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
+      CfnVpn::Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
       acm.tag_certificate(arn,cn,type,@cfnvpn_name)
       return arn
     end

data/lib/cfnvpn/clientvpn.rb CHANGED Viewed

@@ -4,11 +4,12 @@ require 'netaddr'
 module CfnVpn
   class ClientVpn
-    include CfnVpn::Log
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
       @name = name
+      @endpoint_id = self.get_endpoint_id()
     end
     def get_endpoint()
@@ -16,7 +17,7 @@ module CfnVpn
         filters: [{ name: "tag:cfnvpn:name", values: [@name] }]
       })
       if resp.client_vpn_endpoints.empty?
-        Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
+        CfnVpn::Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
       return resp.client_vpn_endpoints.first
@@ -68,86 +69,69 @@ module CfnVpn
       })
     end
-    def get_target_networks(endpoint_id)
-      resp = @client.describe_client_vpn_target_networks({
-        client_vpn_endpoint_id: endpoint_id
-      })
-      return resp.client_vpn_target_networks.first
-    end
-    def add_route(cidr,description)
+    def get_routes()
       endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-      @client.create_client_vpn_route({
+      resp = @client.describe_client_vpn_routes({
         client_vpn_endpoint_id: endpoint_id,
-        destination_cidr_block: cidr,
-        target_vpc_subnet_id: subnet_id,
-        description: description
+        max_results: 20
       })
+      return resp.routes
+    end
-      resp = @client.authorize_client_vpn_ingress({
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr,
-        authorize_all_groups: true,
-        description: description
+    def get_groups_for_route(endpoint, cidr)
+      auth_resp = @client.describe_client_vpn_authorization_rules({
+        client_vpn_endpoint_id: endpoint,
+        filters: [
+          {
+            name: 'destination-cidr',
+            values: [cidr]
+          }
+        ]
       })
-      return resp.status
+      return auth_resp.authorization_rules.map {|rule| rule.group_id }
     end
-    def del_route(cidr)
-      endpoint_id = get_endpoint_id()
-      subnet_id = get_target_networks(endpoint_id).target_network_id
-      revoke = @client.revoke_client_vpn_ingress({
-        revoke_all_groups: true,
-        client_vpn_endpoint_id: endpoint_id,
-        target_network_cidr: cidr
+    def get_associations(endpoint)
+      associations = []
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint
       })
-      route = @client.delete_client_vpn_route({
-        client_vpn_endpoint_id: endpoint_id,
-        target_vpc_subnet_id: subnet_id,
-        destination_cidr_block: cidr
-      })
+      resp.client_vpn_target_networks.each do |net|
+        subnet_resp = @client.describe_subnets({
+          subnet_ids: [net.target_network_id]
+        })
+        subnet = subnet_resp.subnets.first
+        groups = get_groups_for_route(endpoint, subnet.cidr_block)
+        associations.push({
+          association_id: net.association_id,
+          target_network_id: net.target_network_id,
+          status: net.status.code,
+          cidr: subnet.cidr_block,
+          az: subnet.availability_zone,
+          groups: groups.join(' ')
+        })
+      end
-      return route.status, revoke.status
+      return associations
     end
-    def get_routes()
-      endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+    def delete_route(cidr, subnet)
+      @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_vpc_subnet_id: subnet,
+        destination_cidr_block: cidr
       })
-      return resp.routes
-    end
-    def route_exists?(cidr)
-      routes = get_routes()
-      resp = routes.select { |route| route if route.destination_cidr == cidr }
-      return resp.any?
     end
-    def get_routes()
+    def revoke_auth(cidr)
       endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
+      @client.revoke_client_vpn_ingress({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_network_cidr: cidr,
+        revoke_all_groups: true
       })
-      return resp.routes
-    end
-    def get_route_with_mask()
-      routes = get_routes()
-      routes
-        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
-    end
-    def valid_cidr?(cidr)
-      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
     end
   end

data/lib/cfnvpn/compiler.rb ADDED Viewed

@@ -0,0 +1,23 @@
+require 'cfnvpn/log'
+require 'cfnvpn/templates/vpn'
+module CfnVpn
+  class Compiler
+    def initialize(name, config)
+      @name = name
+      @config = config
+    end
+    def compile
+      CfnVpn::Log.logger.debug "Compiling cloudformation"
+      template = CfnVpn::Templates::Vpn.new()
+      template.render(@name, @config)
+      CfnVpn::Log.logger.debug "Validating cloudformation"
+      valid = template.validate
+      CfnVpn::Log.logger.debug "Clouformation Template\n\n#{JSON.parse(valid.to_json).to_yaml}"
+      return JSON.parse(valid.to_json).to_yaml
+    end
+  end
+end

data/lib/cfnvpn/config.rb CHANGED Viewed

@@ -1,89 +1,45 @@
-require 'cfnvpn/clientvpn'
-require 'cfnvpn/log'
-require 'cfnvpn/globals'
+require 'aws-sdk-ssm'
+require 'json'
+require 'cfnvpn/deployer'
 module CfnVpn
-  class Config < Thor::Group
-    include Thor::Actions
-    include CfnVpn::Log
-    argument :name
-    class_option :profile, desc: 'AWS Profile'
-    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
-    class_option :verbose, desc: 'set log level to debug', type: :boolean
-    class_option :bucket, required: true, desc: 's3 bucket'
-    class_option :client_cn, required: true, desc: "client certificates to download"
-    class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
-    def self.source_root
-      File.dirname(__FILE__)
-    end
-    def set_loglevel
-      Log.logger.level = Logger::DEBUG if @options['verbose']
-    end
-    def create_config_directory
-      @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
-      @config_dir = "#{@build_dir}/config"
-      Log.logger.debug("Creating config directory #{@config_dir}")
-      FileUtils.mkdir_p(@config_dir)
-    end
-    def download_config
-      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      Log.logger.info "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
-    end
-    def download_certificates
-      download = true
-      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
-        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
-      end
-      if download
-        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
-        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
-        cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
-        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+  class Config
+    def self.get_config(region, name)
+      client = Aws::SSM::Client.new(region: region)
+      begin
+        resp = client.get_parameter({name: "/cfnvpn/config/#{name}"})
+        return JSON.parse(resp.parameter.value, {:symbolize_names => true})
+      rescue Aws::SSM::Errors::ParameterNotFound => e
+        return self.get_config_from_parameter(region, name)
       end
     end
-    def alter_config
-      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
-      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    # to support upgrade from <=0.5.1 to >1.0
+    def self.get_config_from_parameter(region, name)
+      deployer = CfnVpn::Deployer.new(region, name)
+      parameters = deployer.get_parameters_from_stack_hash()
+      {
+        type: 'certificate',
+        server_cert_arn: parameters[:ServerCertificateArn],
+        client_cert_arn: parameters[:ClientCertificateArn],
+        region: region,
+        subnet_ids: [parameters[:AssociationSubnetId]],
+        cidr: parameters[:ClientCidrBlock],
+        dns_servers: parameters[:DnsServers].split(','),
+        split_tunnel: parameters[:SplitTunnel] == "true",
+        internet_route: parameters[:InternetRoute] == "true" ? parameters[:AssociationSubnetId] : nil,
+        protocol: parameters[:Protocol],
+        routes: []
+      }
     end
-    def add_routes
-      if @options['ignore_routes']
-        Log.logger.debug "Ignoring routes pushed by the client vpn"
-        @config.concat("\nroute-nopull\n")
-        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-        routes = vpn.get_route_with_mask
-        Log.logger.debug "Found routes #{routes}"
-        routes.each do |r|
-          @config.concat("route #{r[:route]} #{r[:mask]}\n")
-        end
-        dns_servers = vpn.get_dns_servers()
-        if dns_servers.any?
-          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
-          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
-        end
-      end
+    def self.get_config_from_yaml_file(file)
+      YAML.load(File.read(file), symbolize_names: true)
     end
-    def write_config
-      config_file = "#{@config_dir}/#{@name}.ovpn"
-      File.write(config_file, @config)
-      Log.logger.info "downloaded client config #{config_file}"
+    def self.dump_config_to_yaml_file(name, params)
+      File.write(File.join(Dir.pwd, "cfnvpn.#{name}.yaml"), Hash[params.collect{|k,v| [k.to_s, v]}].to_yaml)
     end
   end
-end
+end

data/lib/cfnvpn/{cloudformation.rb → deployer.rb} RENAMED Viewed

@@ -2,10 +2,10 @@ require 'aws-sdk-cloudformation'
 require 'fileutils'
 require 'cfnvpn/version'
 require 'cfnvpn/log'
+require 'cfnvpn/string'
 module CfnVpn
-  class Cloudformation
-    include CfnVpn::Log
+  class Deployer
     def initialize(region,name)
       @name = name
@@ -29,28 +29,25 @@ module CfnVpn
       return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
     end
-    def create_change_set(template_path,parameters)
+    def create_change_set(template_body: nil, parameters: {})
       change_set_name = "#{@stack_name}-#{CfnVpn::CHANGE_SET_VERSION}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
       change_set_type = get_change_set_type()
-      if change_set_type == 'CREATE'
-        params = get_parameters_from_template(template_path)
+      if !template_body.nil?
+        params = get_parameters_from_template(template_body)
       else
         params = get_parameters_from_stack()
       end
       params.each do |param|
         if !parameters[param[:parameter_key]].nil?
           param[:parameter_value] = parameters[param[:parameter_key]]
           param[:use_previous_value] = false
         end
       end
-      template_body = File.read(template_path)
-      Log.logger.debug "Creating changeset"
-      change_set = @client.create_change_set({
+      changeset_args = {
         stack_name: @stack_name,
-        template_body: template_body,
         parameters: params,
         tags: [
           {
@@ -63,18 +60,28 @@ module CfnVpn
           }
         ],
         change_set_name: change_set_name,
-        change_set_type: change_set_type
-      })
+        change_set_type: change_set_type,
+        capabilities: ['CAPABILITY_IAM']
+      }
+      if !template_body.nil?
+        changeset_args[:template_body] = template_body
+      else
+        changeset_args[:use_previous_template] = true
+      end
+      CfnVpn::Log.logger.debug "Creating changeset"
+      change_set = @client.create_change_set(changeset_args)
       return change_set, change_set_type
     end
     def wait_for_changeset(change_set_id)
-      Log.logger.debug "Waiting for changeset to be created"
+      CfnVpn::Log.logger.debug "Waiting for changeset to be created"
       begin
         @client.wait_until :change_set_create_complete, change_set_name: change_set_id
       rescue Aws::Waiters::Errors::FailureStateError => e
         change_set = get_change_set(change_set_id)
-        Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
+        CfnVpn::Log.logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
         exit 1
       end
     end
@@ -86,7 +93,7 @@ module CfnVpn
     end
     def execute_change_set(change_set_id)
-      Log.logger.debug "Executing the changeset"
+      CfnVpn::Log.logger.debug "Executing the changeset"
       stack = @client.execute_change_set({
         change_set_name: change_set_id
       })
@@ -94,7 +101,7 @@ module CfnVpn
     def wait_for_execute(change_set_type)
       waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
-      Log.logger.info "Waiting for changeset to #{change_set_type}"
+      CfnVpn::Log.logger.info "Waiting for changeset to #{change_set_type}"
       resp = @client.wait_until waiter, stack_name: @stack_name
     end
@@ -103,11 +110,32 @@ module CfnVpn
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, use_previous_value: true }  }
     end
-    def get_parameters_from_template(template_path)
-      template_body = File.read(template_path)
+    def get_parameters_from_template(template_body)
       resp = @client.get_template_summary({ template_body: template_body })
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
     end
+    def get_parameter_value(parameter)
+      resp = @client.describe_stacks({ stack_name: @stack_name })
+      stack = resp.stacks.first
+      parameter = stack.parameters.detect {|p| p.parameter_key == parameter}
+      return parameter ? parameter.parameter_value : nil
+    end
+    def get_parameters_from_stack_hash()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.parameters.collect {|parameter| [parameter.parameter_key.to_sym, parameter.parameter_value]}]
+    end
+    def get_outputs_from_stack()
+      resp = @client.describe_stacks({
+        stack_name: @stack_name,
+      })
+      stack = resp.stacks.first
+      return Hash[stack.outputs.collect {|output| [output.output_key.underscore.to_sym, output.output_value]}]
+    end
   end
 end