hiera-cfn-metadata 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 079405345d2b1e39e29713feafb802b754eece8f
+  data.tar.gz: 97a40eb65e8b7324f48ef1d419d8eb8f8c2adbbe
+SHA512:
+  metadata.gz: de917f50c270aa0ae32fcc342e3697d55624afdb14536fe5fc88a7867ca62f0b37390cca3d1931f7b924d1534215c7b8d799f2cdd36e033202c19d7449e828d5
+  data.tar.gz: f1c9548b28d2c524d42a045f3b630b6eada42b7930e4354f608bde40432e096cc9f68599dbfc48c56b99e5ebdedf11c6b64d263d067335611d554684915196eb

data/lib/aws-sdk-core/instance_identity_credentials.rb

@@ -0,0 +1,110 @@
+require 'base64'
+require 'net/http'
+require 'time'
+
+module Aws
+  class InstanceIdentityCredentials
+
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @api private
+    class Non200Response < RuntimeError; end
+
+    # These are the errors we trap when attempting to talk to the
+    # instance metadata service.  Any of these imply the service
+    # is not present, no responding or some other non-recoverable
+    # error.
+    # @api private
+    FAILURES = [
+      Errno::EHOSTUNREACH,
+      Errno::ECONNREFUSED,
+      Errno::EHOSTDOWN,
+      Errno::ENETUNREACH,
+      SocketError,
+      Timeout::Error,
+      Non200Response,
+    ]
+
+    # @param [Hash] options
+    # @option options [Integer] :retries (5) Number of times to retry
+    #   when retrieving credentials.
+    # @option options [String] :ip_address ('169.254.169.254')
+    # @option options [Integer] :port (80)
+    # @option options [Float] :http_open_timeout (5)
+    # @option options [Float] :http_read_timeout (5)
+    # @option options [Numeric, Proc] :delay By default, failures are retried
+    #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
+    #   pass a number of seconds to sleep between failed attempts, or
+    #   a Proc that accepts the number of failures.
+    # @option options [IO] :http_debug_output (nil) HTTP wire
+    #   traces are sent to this object.  You can specify something
+    #   like $stdout.
+    def initialize options = {}
+      @from_identity = true
+      @retries = options[:retries] || 5
+      @ip_address = options[:ip_address] || '169.254.169.254'
+      @port = options[:port] || 80
+      @http_open_timeout = options[:http_open_timeout] || 5
+      @http_read_timeout = options[:http_read_timeout] || 5
+      @http_debug_output = options[:http_debug_output]
+      super
+    end
+
+    # @return [Integer] The number of times to retry failed atttempts to
+    #   fetch credentials from the instance metadata service. Defaults to 0.
+    attr_reader :retries
+
+    attr_reader :from_identity
+
+    private
+
+    def refresh
+      doc = get_instance_identity('document')
+      sig = get_instance_identity('signature')
+      @credentials = Credentials.new(
+        Base64.encode64(doc),
+        sig.delete("\n")
+      )
+      # Pretend that it expires in an hour
+      @expiration = Time.now + 60 * 60
+    end
+
+    def get_instance_identity(path)
+      failed_attempts = 0
+      begin
+        open_connection do |conn|
+          path = "/latest/dynamic/instance-identity/#{path}"
+          profile_name = http_get(conn, path).lines.first.strip
+          http_get(conn, path + profile_name)
+        end
+      rescue *FAILURES
+        if failed_attempts < @retries
+          failed_attempts += 1
+          retry
+        else
+          '{}'
+        end
+      end
+    end
+
+    def open_connection
+      http = Net::HTTP.new(@ip_address, @port, nil)
+      http.open_timeout = @http_open_timeout
+      http.read_timeout = @http_read_timeout
+      http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.start
+      yield(http).tap { http.finish }
+    end
+
+    def http_get(connection, path)
+      response = connection.request(Net::HTTP::Get.new(path))
+      if response.code.to_i == 200
+        response.body
+      else
+        raise Non200Response
+      end
+    end
+
+  end
+end

data/lib/aws-sdk-core/plugins/cfn_request_signer.rb

@@ -0,0 +1,35 @@
+module Aws
+  module Plugins
+    class CfnRequestSigner < Seahorse::Client::Plugin
+
+      option(:signature_version) do |cfg|
+        cfg.api.metadata['signatureVersion']
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if cfn_request?(context) and using_instance_identity?(context)
+            context.config.signature_version = 'cfn_v1'
+          end
+          @handler.call(context)
+        end
+
+        private
+
+        def cfn_request?(context)
+          context.config.api.metadata['endpointPrefix'] == 'cloudformation'
+        end
+
+        def using_instance_identity?(context)
+          context.config.credentials.respond_to? :from_identity
+        end
+
+      end
+
+      def add_handlers(handlers, config)
+        handlers.add(Handler, step: :sign)
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-core/signers/cfn_v1.rb

@@ -0,0 +1,27 @@
+require "time"
+require "openssl"
+
+module Aws
+  module Signers
+    class CfnV1 < Base
+      def sign(http_request)
+        http_request.headers["Authorization"] = authorization()
+        http_request
+      end
+
+      private
+
+      def authorization
+        return "CFN_V1 #{document}:#{signature}"
+      end
+
+      def document
+        @credentials.access_key_id
+      end
+
+      def signature
+        @credentials.secret_access_key
+      end
+    end
+  end
+end

data/lib/hiera/backend/cfn_metadata_backend.rb

@@ -0,0 +1,77 @@
+# Vault backend for Hiera
+class Hiera
+  module Backend
+    class Cfn_metadata_backend
+
+      def initialize()
+        require 'aws-sdk-core'
+        require 'hiera-cfn-metadata'
+
+        @config = Config[:cfn_metadata]
+        stack = @config[:stack] || ENV['CFN_STACK']
+        resource = @config[:resource] || ENV['CFN_RESOURCE']
+
+        begin
+          cfn = Aws::CloudFormation::Client.new(
+            region: @config[:region] || ENV['AWS_REGION'],
+            credentials: Aws::InstanceIdentityCredentials.new(),
+          )
+
+          resp = cfn.describe_stack_resource({
+            stack_name: stack,
+            logical_resource_id: resource
+          })
+          raise resp.error if !resp.successful?
+
+          metadata = resp.stack_resource_detail.metadata
+
+          @datasources = JSON.parse(metadata)
+          p @datasources
+
+        rescue Exception => e
+          @datasources = nil
+          Hiera.warn("[hiera-cfn-metadata] Skipping backend. Configuration error: #{e}")
+        end
+      end
+
+      def lookup(key, scope, order_override, resolution_type, context)
+        answer = nil
+        found = false
+
+        Hiera.debug("[hiera-cfn-metadata] Looking up #{key}")
+
+        Backend.datasources(scope, order_override) do |source|
+          Hiera.debug("[hiera-cfn-metadata] Looking for data source #{source}")
+
+          data = @datasources[source]
+          next if section.nil? or data.empty?
+          next unless data.include?(key)
+          found = true
+
+          # for array resolution we just append to the array whatever
+          # we find, we then goes onto the next file and keep adding to
+          # the array
+          #
+          # for priority searches we break after the first found data item
+          new_answer = Backend.parse_answer(data[key], scope, {}, context)
+          case resolution_type.is_a?(Hash) ? :hash : resolution_type
+          when :array
+            raise Exception, "[hiera-cfn-metadata] Hiera type mismatch for key '#{key}': expected Array and got #{new_answer.class}" unless new_answer.kind_of? Array or new_answer.kind_of? String
+            answer ||= []
+            answer << new_answer
+          when :hash
+            raise Exception, "[hiera-cfn-metadata] Hiera type mismatch for key '#{key}': expected Hash and got #{new_answer.class}" unless new_answer.kind_of? Hash
+            answer ||= {}
+            answer = Backend.merge_answer(new_answer, answer, resolution_type)
+          else
+            answer = new_answer
+            break
+          end
+        end
+        throw :no_such_key unless found
+        return answer
+      end
+
+    end
+  end
+end

data/lib/hiera-cfn-metadata.rb

@@ -0,0 +1,15 @@
+require "aws-sdk-core"
+require_relative "aws-sdk-core/instance_identity_credentials"
+require_relative "aws-sdk-core/signers/cfn_v1"
+require_relative "aws-sdk-core/plugins/cfn_request_signer"
+
+# Add the CFN_V1 signer to the built-in list
+default_signers = Aws::Plugins::RequestSigner::Handler.const_get(:SIGNERS)
+default_signers['cfn_v1'] = Aws::Signers::CfnV1
+Aws::Plugins::RequestSigner::Handler.const_set(:SIGNERS, default_signers)
+
+# Insert the CFN request signer plugin before the standard request signer
+# so we can alter the signature version in time
+plugins = Aws::CloudFormation::Client.plugins.dup
+plugins.insert(plugins.index(Aws::Plugins::RequestSigner), Aws::Plugins::CfnRequestSigner)
+Aws::CloudFormation::Client.set_plugins(plugins)

metadata

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification
+name: hiera-cfn-metadata
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jonathan Sokolowski
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-07-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+description: Hiera backend for retrieving CloudFormation resource metadata and parsing
+  it as a JSON data source
+email: jonathan.sokolowski@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/aws-sdk-core/instance_identity_credentials.rb
+- lib/aws-sdk-core/plugins/cfn_request_signer.rb
+- lib/aws-sdk-core/signers/cfn_v1.rb
+- lib/hiera-cfn-metadata.rb
+- lib/hiera/backend/cfn_metadata_backend.rb
+homepage: http://github.com/jsok/hiera-cfn-metadata
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Module for using CloudFormation resource metadata as a hiera backend
+test_files: []