poise-citadel 1.1.0

data/Rakefile

@@ -0,0 +1,17 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'poise_boiler/rakefile'

data/chef/attributes/default.rb

@@ -0,0 +1,24 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Default S3 bucket to use for Citadel data
+default['citadel']['bucket'] = nil
+default['citadel']['region'] = 'us-east-1'
+
+# Override these for use in Vagrant or other development environments
+default['citadel']['access_key_id'] = nil
+default['citadel']['secret_access_key'] = nil

data/lib/citadel.rb

@@ -0,0 +1,80 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/http'
+require 'chef/json_compat'
+
+
+# Helper to access files in a private S3 bucket using an interface like Chef
+# node attributes.
+#
+# @since 1.0.0
+# @example
+#   template '/etc/myapp.conf' do
+#     variables password: citadel['myapp/password']
+#   end
+class Citadel
+  autoload :ChefDSL, 'citadel/chef_dsl'
+  autoload :CitadelError, 'citadel/error'
+  autoload :S3, 'citadel/s3'
+  autoload :VERSION, 'citadel/version'
+
+  attr_reader :bucket, :region, :credentials
+
+  def initialize(node, bucket=nil, region=nil)
+    @node = node
+    @bucket = bucket || node['citadel']['bucket']
+    @region = region || node['citadel']['region']
+    @credentials = find_credentials
+  end
+
+  def find_credentials
+    if @node['citadel']['access_key_id']
+      {
+        access_key_id: @node['citadel']['access_key_id'],
+        secret_access_key: @node['citadel']['secret_access_key'],
+        token: @node['citadel']['token'],
+      }
+    elsif @node['ec2']
+      role_creds = if @node['ec2']['iam'] && @node['ec2']['iam']['security-credentials']
+        # Creds loaded from Ohai.
+        @node['ec2']['iam']['security-credentials'].values.first
+      else
+        metadata_service = Chef::HTTP.new('http://169.254.169.254')
+        iam_role = metadata_service.get('latest/meta-data/iam/security-credentials/')
+        if iam_role.nil? || iam_role.empty?
+          raise 'Unable to find IAM role for node from EC2 metadata'
+        else
+          creds_json = metadata_service.get("latest/meta-data/iam/security-credentials/#{iam_role}")
+          Chef::JSONCompat.parse(creds_json)
+        end
+      end
+      {
+        access_key_id: role_creds['AccessKeyId'],
+        secret_access_key: role_creds['SecretAccessKey'],
+        token: role_creds['Token'],
+      }
+    else
+      raise 'Unable to find S3 credentials'
+    end
+  end
+
+  def [](key)
+    Chef::Log.debug("citadel: Retrieving #{@bucket}/#{key}")
+    Citadel::S3.get(bucket: @bucket, path: key, region: @region, **@credentials).to_s
+  end
+end

data/lib/citadel/chef_dsl.rb

@@ -0,0 +1,29 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+class Citadel
+  # Helper module for the DSL extension.
+  #
+  # @since 1.0.0
+  # @api private
+  module ChefDSL
+    def citadel(bucket=nil, region=nil)
+      Citadel.new(node, bucket, region)
+    end
+  end
+end

data/lib/citadel/cheftie.rb

@@ -0,0 +1,37 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'citadel'
+require 'citadel/safe_node'
+
+
+# Patch our DSL extension into Chef.
+# @api private
+class Chef
+  class Recipe
+    include Citadel::ChefDSL
+  end
+
+  class Resource
+    include Citadel::ChefDSL
+  end
+
+  class Provider
+    include Citadel::ChefDSL
+  end
+end
+

data/lib/citadel/error.rb

@@ -0,0 +1,33 @@
+#
+# Copyright 2012-2016, Brandon Adams and other contributors.
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+class Citadel
+  # Base class for Citadell errors.
+  #
+  # @since 1.0.0
+  # @api private
+  class CitadelError < Exception
+  end
+end

data/lib/citadel/s3.rb

@@ -0,0 +1,84 @@
+#
+# Copyright 2012-2016, Brandon Adams and other contributors.
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require 'time'
+require 'openssl'
+require 'base64'
+
+require 'chef/http'
+
+require 'citadel/error'
+
+
+class Citadel
+  # Simple read-only S3 client.
+  #
+  # @since 1.0.0
+  # @api private
+  module S3
+    extend self
+
+    # Get an object from S3.
+    #
+    # @param bucket [String] Name of the bucket to use.
+    # @param path [String] Path to the object.
+    # @param access_key_id [String] AWS access key ID.
+    # @param secret_access_key [String] AWS secret access key.
+    # @param token [String, nil] AWS IAM token.
+    # @param region [String] S3 bucket region.
+    # @return [Net::HTTPResponse]
+    def get(bucket:, path:, access_key_id:, secret_access_key:, token: nil, region: nil)
+      region ||= 'us-east-1' # Most buckets.
+      path = path[1..-1] if path[0] == '/'
+      now = Time.now().utc.strftime('%a, %d %b %Y %H:%M:%S GMT')
+
+      string_to_sign = "GET\n\n\n#{now}\n"
+      string_to_sign << "x-amz-security-token:#{token}\n" if token
+      string_to_sign << "/#{bucket}/#{path}"
+
+      signed = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), secret_access_key, string_to_sign)
+      signed_base64 = Base64.encode64(signed)
+
+      headers = {
+        'date' => now,
+        'authorization' => "AWS #{access_key_id}:#{signed_base64}",
+      }
+      headers['x-amz-security-token'] = token if token
+
+      hostname = case region
+      when 'us-east-1'
+        's3.amazonaws.com'
+      else
+        "s3-#{region}.amazonaws.com"
+      end
+
+      begin
+        Chef::HTTP.new("https://#{hostname}").get("#{bucket}/#{path}", headers)
+      rescue Net::HTTPServerException => e
+        raise CitadelError.new("Unable to download #{path}: #{e}")
+      end
+    end
+
+  end
+end

data/lib/citadel/safe_node.rb

@@ -0,0 +1,41 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+# Block the IAM credentials from being stored to the Chef server.
+# @api private
+class Chef
+  class Node
+    old_save = instance_method(:save)
+
+    define_method(:save) do
+      security_credentials = nil
+      if automatic_attrs['ec2'] && automatic_attrs['ec2']['iam'] && automatic_attrs['ec2']['iam']['security-credentials']
+        security_credentials = automatic_attrs['ec2']['iam']['security-credentials']
+        automatic_attrs['ec2']['iam']['security-credentials'] = {}
+      end
+      begin
+        old_save.bind(self).call
+      ensure
+        unless security_credentials.nil?
+          automatic_attrs['ec2']['iam']['security-credentials'] = security_credentials
+        end
+      end
+    end
+
+  end
+end

data/lib/citadel/version.rb

@@ -0,0 +1,21 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+class Citadel
+  # Citadel gem version.
+  VERSION = '1.1.0'
+end

data/poise-citadel.gemspec

@@ -0,0 +1,41 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'citadel/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'poise-citadel'
+  spec.version = Citadel::VERSION
+  spec.authors = ['Noah Kantrowitz']
+  spec.email = %w{noah@coderanger.net}
+  spec.description = 'DSL for accessing secret data stored on S3 using IAM roles.'
+  spec.summary = spec.description
+  spec.homepage = 'https://github.com/poise/citadel'
+  spec.license = 'Apache 2.0'
+  spec.metadata['halite_name'] = 'citadel'
+
+  spec.files = `git ls-files`.split($/)
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = %w{lib}
+
+  spec.add_dependency 'halite', '~> 1.2'
+
+  spec.add_development_dependency 'poise-boiler', '~> 1.7'
+  spec.add_development_dependency 'kitchen-ec2', '~> 1.0'
+end

data/test/cookbooks/citadel_test/attributes/default.rb

@@ -0,0 +1,17 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+override['citadel']['bucket'] = 'citadel-kitchen'

data/test/cookbooks/citadel_test/metadata.rb

@@ -0,0 +1,20 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'citadel_test'
+
+depends 'citadel'