conjur-asset-aws 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ea322c8c7db7f4fbe2775a0846461dd36b4c6340
+  data.tar.gz: c189e975109d4507c840ee691e2b5db8780ba9bb
+SHA512:
+  metadata.gz: f2b9460bf903b4cfd20e480299c7fcda80916f702b7ff458343173e6531a8febf74e55884793e17bb20968caf66fe3332106eab1f9bd39b6f09f936d04738456
+  data.tar.gz: 48453f06fd3c80d83e337f82a80e8cb13a6ec2fc31b3f33942e17d54b73593e90b8b141df2b31153b0e9ee643e50f9697e693945ac1ab4f7474f50492ed26a30

data/.conjurrc

@@ -0,0 +1,3 @@
+plugins:
+- host-factory
+- aws

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>conjur-asset-aws</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in conjur-asset-aws.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Conjur Inc
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+# Conjur::Asset::AWS
+
+Conjur plugin for integrating with AWS.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'conjur-asset-aws'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install conjur-asset-aws
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/conjur-asset-aws/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/conjur-asset-aws.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'conjur-asset-aws-version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "conjur-asset-aws"
+  spec.version       = Conjur::Asset::AWS::VERSION
+  spec.authors       = ["Kevin Gilpin"]
+  spec.email         = ["kgilpin@conjur.net"]
+  spec.summary       = %q{Conjur plugin for integrating with AWS}
+  spec.homepage      = "https://github.com/conjurinc/conjur-asset-aws"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  
+  spec.add_dependency "conjur-api"
+  spec.add_dependency "conjur-asset-host-factory"
+  spec.add_dependency "aws-sdk-v1"
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rspec-its"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "conjur-cli"
+end

data/lib/conjur-asset-aws-version.rb

@@ -0,0 +1,7 @@
+module Conjur
+  module Asset
+    module AWS
+      VERSION = "0.1.0"
+    end
+  end
+end

data/lib/conjur-asset-aws.rb

@@ -0,0 +1 @@
+require "conjur-asset-aws-version"

data/lib/conjur/command/aws.rb

@@ -0,0 +1,69 @@
+require 'conjur/command'
+
+class Conjur::Command::AWS < Conjur::Command
+  desc "Manage AWS integration features"
+  command :aws do |aws|
+    aws.desc "Manage links between AWS IAM and the Conjur host factory."
+    aws.command :"token-link" do |roles|
+      roles.desc "Create an AWS IAM role with permission to read a Conjur host factory token stored in S3."
+      roles.command :create do |c|
+        c.desc "Host factory token"
+        c.arg_name "token"
+        c.flag [ :"host-factory-token" ]
+    
+        c.desc "AWS bucket to contain the metadata file(s) (will be created if missing)"
+        c.arg_name "bucket"
+        c.flag [ :bucket ]
+        
+        c.action do |global_options, options, args|
+          require "conjur-asset-host-factory"
+          
+          host_factory_token = options[:"host-factory-token"]
+          host_factory_token = api.show_host_factory_token(host_factory_token) if host_factory_token
+          bucket = options[:bucket]
+            
+          require "conjur/provisioner/aws"
+          
+          provisioner = Conjur::Provisioner::AWS::CreateRole.new
+          provisioner.host_factory_token = host_factory_token if host_factory_token
+          provisioner.bucket_name = bucket if bucket
+          
+          provisioner.validate
+          provisioner.perform
+          
+          puts "Created Conjur IAM link #{provisioner.role_name}"
+        end
+      end
+      
+      roles.desc "Delete the IAM role and token file"
+      roles.command :delete do |c|
+        c.desc "Host factory"
+        c.arg_name "id"
+        c.flag [ :"host-factory" ]
+    
+        c.desc "AWS bucket to contain the metadata file(s) (will be created if missing)"
+        c.arg_name "bucket"
+        c.flag [ :bucket ]
+        
+        c.action do |global_options, options, args|
+          require "conjur-asset-host-factory"
+          
+          host_factory = options[:"host-factory"]
+          host_factory = api.host_factory host_factory if host_factory
+          bucket = options[:bucket]
+            
+          require "conjur/provisioner/aws"
+          
+          provisioner = Conjur::Provisioner::AWS::DeleteRole.new
+          provisioner.host_factory = host_factory if host_factory
+          provisioner.bucket_name = bucket if bucket
+          
+          provisioner.validate
+          provisioner.perform
+          
+          puts "Deleted Conjur IAM link #{provisioner.role_name}"
+        end
+      end
+    end
+  end
+end

data/lib/conjur/provisioner/aws.rb

@@ -0,0 +1,172 @@
+module Conjur
+  module Provisioner
+    module AWS
+      require 'aws-sdk-v1'
+      
+      module RoleHelper
+        def validate
+        end
+
+        protected
+        
+        def aws_iam
+          @aws_iam ||= ::AWS::IAM.new
+        end
+        
+        def aws_role
+          aws_iam.role[role_name]
+        end
+      end
+      
+      module BucketHelper
+        attr_accessor :bucket_name
+        
+        def validate
+          raise "bucket_name is missing" unless bucket_name
+        end
+        
+        protected
+        
+        def aws_s3
+          @aws_s3 ||= ::AWS::S3.new
+        end
+      end
+      
+      class DeleteRole
+        include RoleHelper
+        include BucketHelper
+
+        attr_accessor :host_factory
+
+        def role_name
+          host_factory.id.parameterize
+        end
+        
+        def token_file_name
+          host_factory.id.parameterize
+        end
+        
+        def validate
+          super
+          
+          raise "host_factory is missing" unless host_factory
+        end
+        
+        def perform
+          delete_role
+          delete_s3_token_file
+        end
+        
+        protected
+        
+        def delete_role
+          remove_params = {
+            role_name: role_name,
+            instance_profile_name: role_name
+          }
+          role_params = {
+            role_name: role_name
+          }
+          instance_profile_params = {
+            instance_profile_name: role_name
+          }
+  
+          aws_iam.client.list_role_policies(role_params)[:policy_names].each do |policy|
+            delete_policy_params = {
+              role_name: role_name,
+              policy_name: policy
+            }
+            aws_iam.client.delete_role_policy delete_policy_params
+          end
+          
+          aws_iam.client.remove_role_from_instance_profile remove_params
+          aws_iam.client.delete_instance_profile instance_profile_params
+          aws_iam.client.delete_role role_params
+        end
+        
+        def delete_s3_token_file
+          bucket = aws_s3.buckets[bucket_name]
+          bucket.objects[token_file_name].delete
+        end
+      end
+      
+      class CreateRole
+        include RoleHelper
+        include BucketHelper
+        
+        attr_accessor :host_factory_token
+        
+        def validate
+          super
+          
+          raise "host_factory_token is missing" unless host_factory_token
+        end
+
+        def role_name
+          host_factory.id.parameterize
+        end
+        
+        def token_file_name
+          host_factory.id.parameterize
+        end
+        
+        # Creates an AWS IAM Role corresponding to the Layer. The Role can be assumed by EC2 instances.
+        # Creates a system user (deputy) and adds it to the layer.
+        # In S3, a file is created with the identity of the system user, along with other 
+        # information needed by Conjur chef-solo. The file is in chef-solo JSON format.
+        # It will be used by the [conjur-client Upstart job](https://github.com/conjur-cookbooks/conjur-client/blob/master/templates/default/conjur-bootstrap.conf.erb)
+        # to finish the server configuration.
+        def perform
+          create_role
+          create_s3_token_file
+        end
+      
+        def host_factory
+          host_factory_token.host_factory
+        end
+        
+        def create_s3_token_file
+          bucket = aws_s3.buckets[bucket_name]
+          bucket = aws_s3.buckets.create(bucket_name) unless bucket.exists?
+          
+          bucket.objects[token_file_name].write host_factory_token.token
+        end
+        
+        def create_role
+          policy = {
+            "Version" => "2012-10-17",
+            "Statement" => [
+              {
+                "Effect" => "Allow",
+                "Principal" => {
+                  "Service" => "ec2.amazonaws.com"
+                },
+                "Action" => "sts:AssumeRole"
+              }
+            ]
+          }
+          role_params = {
+            role_name: role_name,
+            assume_role_policy_document: JSON.pretty_generate(policy)
+          }
+          instance_profile_params = {
+            instance_profile_name: role_name
+          }
+  
+          role = aws_iam.client.create_role role_params
+          instance_profile = aws_iam.client.create_instance_profile instance_profile_params
+          aws_iam.client.add_role_to_instance_profile role_name: role_name, instance_profile_name: role_name
+          
+          aws_iam.client.put_role_policy role_name: role_name, policy_name: 'read-bootstrap-file', policy_document: JSON.pretty_generate({
+            "Statement" => [{
+              "Effect" =>  "Allow",
+              "Action" =>  "s3:GetObject",
+              "Resource" =>  ["arn:aws:s3:::#{bucket_name}/#{token_file_name}"]
+              }
+            ]            
+          })
+        end
+      end
+    end
+  end
+end

data/spec/aws_spec.rb

@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2015 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'spec_helper'
+
+require 'conjur/provisioner/aws'
+
+describe Conjur::Provisioner::AWS::CreateRole do
+  let(:id) { 'org-1.0/the-factory' }
+  let(:token) { double(:token) }
+  let(:provisioner) {
+    Conjur::Provisioner::AWS::CreateRole.new.tap do |p|
+      p.host_factory_token = token
+      p.bucket_name = 'the-bucket'
+    end
+  }
+  
+  context "attributes" do
+    subject { provisioner }
+    its(:bucket_name) { should == "the-bucket" }
+    its(:role_name) { should == "org-1-0-the-factory" }
+    its(:bootstrap_file_name) { should == "org-1-0-the-factory.json" }
+  end
+  context "provision" do
+    let(:s3) { double(:s3) }
+    let(:iam) { double(:iam) }
+    before {
+      provisioner.stub(:aws_s3).and_return s3
+      provisioner.stub(:aws_iam).and_return iam
+    }
+    
+    describe "#provision" do
+      it "creates the role and bootstrap file" do
+        provisioner.should_receive :create_role
+        provisioner.should_receive :create_s3_bootstrap_file
+        provisioner.perform
+      end
+    end
+    
+    describe "#create_role" do
+      let(:role) { double(:role) }
+      it "creates the role" do
+        iam.stub_chain(:client, :create_role) do |args|
+          args[:role_name].should == "org-1-0-the-factory"
+          args[:assume_role_policy_document].should =~ /ec2.amazonaws.com/
+        end.and_return role
+        iam.stub_chain(:client, :create_instance_profile).with(instance_profile_name: "org-1-0-the-factory")
+        iam.stub_chain(:client, :add_role_to_instance_profile).with(role_name: "org-1-0-the-factory", instance_profile_name: "org-1-0-the-factory")
+        iam.stub_chain(:client, :put_role_policy) do |args|
+          args[:role_name].should == 'org-1-0-the-factory'
+          args[:policy_name].should == 'read-bootstrap-file'
+          args[:policy_document].should =~ /arn:aws:s3:::the-bucket\/org-1-0-the-factory/
+        end 
+        
+        provisioner.send :create_role
+      end
+    end
+    describe "#create_s3_bootstrap_file" do
+      let(:bucket) { double(:bucket) }
+      let(:host_id) { "org-1.0/the-factory/ec2_instance" }
+      let(:host) { double(:host, id: host_id, api_key: "the-api-key", roleid: "ci:host:#{host_id}") }
+      it "creates the bootstrap file" do
+        Conjur::API.any_instance.should_receive(:create_host).with(id: host_id).and_return host
+        s3.stub_chain(:buckets, :[]).and_return double(:bucket, exists?: false)
+        s3.stub_chain(:buckets, :create).with("the-bucket").and_return bucket
+        bucket.stub_chain(:objects, :[], :write).with(/the-api-key/)
+        provisioner.should_receive(:add_host).with host.roleid
+        
+        provisioner.send :create_s3_bootstrap_file
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,15 @@
+require 'rubygems'
+require 'simplecov'
+
+SimpleCov.start do
+  add_filter "/spec/"
+end
+
+require 'rspec'
+require 'rspec/its'
+
+Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].each {|f| require f}
+
+require 'conjur/api'
+require 'conjur-asset-aws'
+require 'conjur-asset-host-factory'

metadata

@@ -0,0 +1,186 @@
+--- !ruby/object:Gem::Specification
+name: conjur-asset-aws
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Kevin Gilpin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: conjur-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-asset-host-factory
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-v1
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-cli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- kgilpin@conjur.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .conjurrc
+- .gitignore
+- .project
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- conjur-asset-aws.gemspec
+- lib/conjur-asset-aws-version.rb
+- lib/conjur-asset-aws.rb
+- lib/conjur/command/aws.rb
+- lib/conjur/provisioner/aws.rb
+- spec/aws_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/conjurinc/conjur-asset-aws
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.3
+signing_key: 
+specification_version: 4
+summary: Conjur plugin for integrating with AWS
+test_files:
+- spec/aws_spec.rb
+- spec/spec_helper.rb