RubyGems - cfn-vpn - Versions diffs - 1.3.1 → 1.3.3 - Mend

cfn-vpn 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 672ae92015c16fcc2ce33e05a22ca651b4974d4669d91115c2f5d49b36aa4062
-  data.tar.gz: 3e595961778b5d67112b6219d690cd589e8523813f22e7a3a196dfab6d77d59d
+  metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
+  data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
 SHA512:
-  metadata.gz: fee3ea79a3c51a77aaa5b6be535fc950ecfd32de121e6aadd363ef4def0af7fe201b414624036d9553f8a7158cb9e6fe16189972b599bcfd8df688c0dec09051
-  data.tar.gz: 4bcc5243d2365706f57d07bf2c0cbad79debde39952d8535407cd58fb26d5d1e77857cedbf0170d726c8a56c7f70a2a90a26349991a0c3a7bf51fd824eae2bb4
+  metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
+  data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c

data/docs/getting-started.md CHANGED Viewed

@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
 The following command and required option will launch a new federated based Client-VPN
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --saml-arn [identity providor arn]
 ```
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
+```diff
+! Group id's must be used if creating authorisation rules.
+! Each SAML providor will have different group id's and means of retrieving them.
+```
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --default-groups [list of group ids]
 ```
 **AWS SSO**
 If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
+If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --saml-self-service-arn [self service identity provider arn] \
+  --default-groups [list of group ids]
+```
 ### AWS Directory Services Authenticated VPN
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
 The following command and required option will launch a new directory service based Client-VPN
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id]
 ```
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id] \
+  --default-groups [list of group ids]
 ```
 See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
 ```
 Options:
-  r, [--region=REGION]                         # AWS Region
-                                               # Default: ap-southeast-2
-      [--verbose], [--no-verbose]              # set log level to debug
-      --server-cn=SERVER_CN                    # server certificate common name
-      [--client-cn=CLIENT_CN]                  # client certificate common name
-      [--easyrsa-local], [--no-easyrsa-local]  # run the easyrsa executable from your local rather than from docker
-      [--bucket=BUCKET]                        # s3 bucket
-      --subnet-ids=one two three               # subnet id to associate your vpn with
-      [--default-groups=one two three]         # groups to allow through the subnet associations when using federated auth
-      [--cidr=CIDR]                            # cidr from which to assign client IP addresses
-                                               # Default: 10.250.0.0/16
-      [--dns-servers=one two three]            # DNS Servers to push to clients.
-      [--split-tunnel], [--no-split-tunnel]    # only push routes to the client on the vpn endpoint
-                                               # Default: true
-      [--internet-route=INTERNET_ROUTE]        # [subnet-id] create a default route to the internet through a subnet
-      [--protocol=PROTOCOL]                    # set the protocol for the vpn connections
-                                               # Default: udp
-                                               # Possible values: udp, tcp
-      [--start=START]                          # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
-      [--stop=STOP]                            # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
-      [--saml-arn=SAML_ARN]                    # IAM SAML idenditiy providor arn if using SAML federated authentication
-```
+  r, [--region=REGION]                                 # AWS Region
+                                                       # Default: ap-southeast-2
+      [--verbose], [--no-verbose]                      # set log level to debug
+      --server-cn=SERVER_CN                            # server certificate common name
+      [--client-cn=CLIENT_CN]                          # client certificate common name
+      [--easyrsa-local], [--no-easyrsa-local]          # run the easyrsa executable from your local rather than from docker
+      [--bucket=BUCKET]                                # s3 bucket, if not set one will be generated for you
+      --subnet-ids=one two three                       # subnet id to associate your vpn with
+      [--default-groups=one two three]                 # groups to allow through the subnet associations when using federated auth
+      [--cidr=CIDR]                                    # cidr from which to assign client IP addresses
+                                                       # Default: 10.250.0.0/16
+      [--dns-servers=one two three]                    # DNS Servers to push to clients.
+      [--split-tunnel], [--no-split-tunnel]            # only push routes to the client on the vpn endpoint
+                                                       # Default: true
+      [--internet-route=INTERNET_ROUTE]                # [subnet-id] create a default route to the internet through a subnet
+      [--protocol=PROTOCOL]                            # set the protocol for the vpn connections
+                                                       # Default: udp
+                                                       # Possible values: udp, tcp
+      [--start=START]                                  # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
+      [--stop=STOP]                                    # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
+      [--saml-arn=SAML_ARN]                            # IAM SAML idenditiy providor arn if using SAML federated authentication
+      [--saml-self-service-arn=SAML_SELF_SERVICE_ARN]  # IAM SAML idenditiy providor arn for the self service portal
+      [--directory-id=DIRECTORY_ID]                    # AWS Directory Service directory id if using Active Directory authentication
+```

data/lib/cfnvpn/actions/init.rb CHANGED Viewed

@@ -36,6 +36,7 @@ module CfnVpn::Actions
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
     class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
     class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
     def self.source_root
@@ -64,6 +65,7 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        saml_self_service_arn: @options['saml_self_service_arn'],
         directory_id: @options['directory_id'],
         routes: []
       }

data/lib/cfnvpn/templates/vpn.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module CfnVpn
             {
               FederatedAuthentication: {
                 SAMLProviderArn: config[:saml_arn],
-                SelfServiceSAMLProviderArn: config[:saml_arn]
+                SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
               },
               Type: 'federated-authentication'
             }

data/lib/cfnvpn/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.3.1".freeze
+  VERSION = "1.3.3".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.3.3
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-04 00:00:00.000000000 Z
+date: 2021-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor