cfn-vpn 0.5.1 → 1.3.1

data/lib/cfnvpn/log.rb

@@ -1,38 +1,38 @@
 require 'logger'
 
 module CfnVpn
-  module Log
-
-    def self.colors
-      @colors ||= {
-        ERROR: 31, # red
-        WARN: 33, # yellow
-        INFO: 0,
-        DEBUG: 32 # grenn
-      }
-    end
+  module Log 
+    class << self
+      def colors
+        @colors ||= {
+          ERROR: 31, # red
+          WARN: 33, # yellow
+          INFO: 0,
+          DEBUG: 32 # grenn
+        }
+      end
 
-    def self.logger
-      if @logger.nil?
-        @logger = Logger.new(STDOUT)
-        @logger.level = Logger::INFO
-        @logger.formatter = proc do |severity, datetime, progname, msg|
-          "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+      def logger
+        if @logger.nil?
+          @logger = Logger.new(STDOUT)
+          @logger.level = Logger::INFO
+          @logger.formatter = proc do |severity, datetime, progname, msg|
+            "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+          end
         end
+        @logger
       end
-      @logger
-    end
 
-    def self.logger=(logger)
-      @logger = logger
-    end
+      def logger=(logger)
+        @logger = logger
+      end
 
-    levels = %w(debug info warn error fatal)
-    levels.each do |level|
-      define_method("#{level.to_sym}") do |msg|
-        self.logger.send(level, msg)
+      levels = %w(debug info warn error fatal)
+      levels.each do |level|
+        define_method("#{level.to_sym}") do |msg|
+          self.logger.send(level, msg)
+        end
       end
     end
-
   end
 end

data/lib/cfnvpn/s3.rb

@@ -14,7 +14,7 @@ module CfnVpn
     def store_object(file)
       body = File.open(file, 'rb').read
       file_name = file.split('/').last
-      Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
+      CfnVpn::Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
       @client.put_object({
         body: body,
         bucket: @bucket,
@@ -26,7 +26,7 @@ module CfnVpn
 
     def get_object(file)
       file_name = file.split('/').last
-      Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
+      CfnVpn::Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
       @client.get_object(
         response_target: file,
         bucket: @bucket,
@@ -34,7 +34,7 @@ module CfnVpn
     end
 
     def store_config(config)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,
@@ -54,7 +54,7 @@ module CfnVpn
     end
 
     def store_embedded_config(config, cn)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,
@@ -63,5 +63,35 @@ module CfnVpn
       })
     end
 
+    def create_bucket
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
   end
 end

data/lib/cfnvpn/s3_bucket.rb

@@ -0,0 +1,48 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+require 'securerandom'
+
+module CfnVpn
+  class S3Bucket
+
+    def initialize(region, name)
+      @client = Aws::S3::Client.new(region: region)
+      @name = name
+    end
+
+    def generate_bucket_name
+      return "cfnvpn-#{@name}-#{SecureRandom.hex}"
+    end
+
+    def create_bucket(bucket)
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
+  end
+end

data/lib/cfnvpn/string.rb

@@ -0,0 +1,33 @@
+class String
+  def underscore
+    self.gsub(/::/, '/').
+    gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+    gsub(/([a-z\d])([A-Z])/,'\1_\2').
+    tr("-", "_").
+    downcase
+  end
+
+  def resource_safe
+    self.gsub(/[^a-zA-Z0-9]/, "").capitalize
+  end
+
+  def event_id_safe
+    self.gsub('*', 'wildcard').gsub(/[^\.\-_A-Za-z0-9]+/, "").downcase
+  end
+
+  def colorize(color_code)
+    "\e[#{color_code}m#{self}\e[0m"
+  end
+
+  def red
+    colorize(31)
+  end
+
+  def green
+    colorize(32)
+  end
+
+  def yellow
+    colorize(33)
+  end
+end

data/lib/cfnvpn/templates/helper.rb

@@ -0,0 +1,14 @@
+require 'aws-sdk-ec2'
+
+module CfnVpn
+  module Templates
+    class Helper
+      def self.get_auth_cidr(region, subnet_id)
+        client = Aws::EC2::Client.new(region: region)
+        subnets = client.describe_subnets({subnet_ids:[subnet_id]})
+        vpcs = client.describe_vpcs({vpc_ids:[subnets.subnets[0].vpc_id]})
+        return vpcs.vpcs[0].cidr_block
+      end
+    end
+  end
+end

data/lib/cfnvpn/templates/lambdas.rb

@@ -0,0 +1,35 @@
+require 'zip'
+require 'securerandom'
+require 'aws-sdk-s3'
+require 'cfnvpn/log'
+
+module CfnVpn
+  module Templates
+    class Lambdas
+
+      def self.package_lambda(name:, bucket:, func:, files:)
+        lambdas_dir = File.join(File.dirname(File.expand_path(__FILE__)), 'lambdas')
+        FileUtils.mkdir_p(lambdas_dir)
+
+        CfnVpn::Log.logger.debug "zipping lambda function #{func}"
+        zipfile_name = "#{func}-#{SecureRandom.hex}.zip"
+        zipfile_path = "#{CfnVpn.cfnvpn_path}/#{name}/lambdas"
+        FileUtils.mkdir_p(zipfile_path)
+        Zip::File.open("#{zipfile_path}/#{zipfile_name}", Zip::File::CREATE) do |zipfile|
+          files.each do |file|
+            zipfile.add(file, File.join("#{lambdas_dir}/#{func}", file))
+          end
+        end
+
+        bucket = Aws::S3::Bucket.new(bucket)
+        object = bucket.object("cfnvpn/lambdas/#{name}/#{zipfile_name}")
+        CfnVpn::Log.logger.debug "uploading #{zipfile_name} to s3://#{bucket}/#{object.key}"
+        object.upload_file("#{zipfile_path}/#{zipfile_name}")
+
+        return object.key
+      end
+      
+    end
+  end
+end
+

data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py

@@ -0,0 +1,175 @@
+import socket
+import boto3
+from botocore.exceptions import ClientError
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def delete_route(client, vpn_endpoint, subnet, cidr):
+    client.delete_client_vpn_route(
+      ClientVpnEndpointId=vpn_endpoint,
+      TargetVpcSubnetId=subnet,
+      DestinationCidrBlock=cidr,
+    )
+
+  
+def create_route(client, event, cidr):
+  client.create_client_vpn_route(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    DestinationCidrBlock=cidr,
+    TargetVpcSubnetId=event['TargetSubnet'],
+    Description=f"cfnvpn auto generated route for endpoint {event['Record']}. {event['Description']}"
+  )
+
+
+def revoke_route_auth(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr
+  }
+  
+  if group is None:
+    args['RevokeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.revoke_client_vpn_ingress(**args)
+
+
+def authorize_route(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr,
+    'Description': f"cfnvpn auto generated authorization for endpoint {event['Record']}. {event['Description']}"
+  }
+  
+  if group is None:
+    args['AuthorizeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.authorize_client_vpn_ingress(**args)
+
+
+def get_routes(client, event):
+  response = client.describe_client_vpn_routes(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    Filters=[
+      {
+        'Name': 'origin',
+        'Values': ['add-route']
+      }
+    ]
+  )
+  
+  routes = [route for route in response['Routes'] if event['Record'] in route['Description']]
+  logger.info(f"found {len(routes)} exisiting routes for {event['Record']}")
+  return routes
+
+
+def get_rules(client, vpn_endpoint, cidr):
+  response = client.describe_client_vpn_authorization_rules(
+    ClientVpnEndpointId=vpn_endpoint,
+    Filters=[
+        {
+            'Name': 'destination-cidr',
+            'Values': [cidr]
+        }
+    ]
+  )
+  return response['AuthorizationRules']
+
+
+def handler(event,context):
+  
+  # DNS lookup on the dns record and return all IPS for the endpoint
+  try:
+    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(event['Record'])[-1]]
+    logger.info(f"resolved endpoint {event['Record']} to {cidrs}")
+  except socket.gaierror as e:
+    logger.exception(f"failed to resolve record {event['Record']}")
+    return 'KO'
+  
+  client = boto3.client('ec2')
+  routes = get_routes(client, event)
+
+  for cidr in cidrs:
+    route = next((route for route in routes if route['DestinationCidr'] == cidr), None)
+    
+    # if there are no existing routes for the endpoint cidr create a new route
+    if route is None:
+      try:
+        create_route(client, event, cidr)
+        if 'Groups' in event:
+          for group in event['Groups']:
+            authorize_route(client, event, cidr, group)
+        else:
+          authorize_route(client, event, cidr)
+      except ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientVpnDuplicateRoute':
+          logger.error(f"route for CIDR {cidr} already exists with a different endpoint")
+          continue
+        raise e
+        
+    # if the route already exists
+    else:
+      
+      logger.info(f"route for cidr {cidr} is already in place")
+      
+      # if the target subnet has changed in the payload, recreate the routes to use the new subnet
+      if route['TargetSubnet'] != event['TargetSubnet']:
+        logger.info(f"target subnet for route for {cidr} has changed, recreating the route")
+        delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], cidr)
+        create_route(client, event, cidr)
+      
+      logger.info(f"checking authorization rules for the route")
+      
+      # check the rules match the payload
+      rules = get_rules(client, event['ClientVpnEndpointId'], cidr)
+      existing_groups = [rule['GroupId'] for rule in rules]
+      if 'Groups' in event:
+        # remove expired rules not defined in the payload anymore
+        expired_rules = [rule for rule in rules if rule['GroupId'] not in event['Groups']]
+        for rule in expired_rules:
+          logger.info(f"removing expired authorization rule for group {rule['GroupId']} for route {cidr}")
+          revoke_route_auth(client, event, cidr, rule['GroupId'])
+        # add new rules defined in the payload
+        new_rules =  [group for group in event['Groups'] if group not in existing_groups]
+        for group in new_rules:
+          logger.info(f"creating new authorization rule for group {rule['GroupId']} for route {cidr}")
+          authorize_route(client, event, cidr, group)
+      else:
+        # if amount of rules for the cidr is greater than 1 when no groups are specified in the payload 
+        # we'll assume that all groups have been removed from the payload so we'll remove all existing rules and add a rule for allow all 
+        if len(rules) > 1:
+          logger.info(f"creating an allow all rule for route {cidr}")
+          revoke_route_auth(client, event, cidr)
+          authorize_route(client, event, cidr)
+          
+      
+
+  
+  # clean up any expired routes when the ips for an endpoint change
+  expired_routes = [route for route in routes if route['DestinationCidr'] not in cidrs]
+  for route in expired_routes:
+    logger.info(f"removing expired route {route['DestinationCidr']} for endpoint {event['Record']}")
+    
+    try:
+      revoke_route_auth(client, event, route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnEndpointAuthorizationRuleNotFound':
+        pass
+      else:
+        raise e
+                          
+    try:
+      delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnRouteNotFound':
+        pass
+      else:
+        raise e
+  
+  return 'OK'