poise-citadel 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ac4db946a9758cb875d6a5c848cfb1eca584b2ad
+  data.tar.gz: 7d4743151abeac769b03a99b2554aea6401b28e7
+SHA512:
+  metadata.gz: 630446d34747b6e1bf82ae814f938140760741c0fac1ec13070e6bcae8d013ac2503b5d9ee79a7b8a99f9963d2d5cee62054178e874845ec788d6d67de703c5c
+  data.tar.gz: 7351d0bd6f53362f5322ba9aa8d6ad73efb7eb46851ce1fb335734debec9dd3297159ed0731377292299ad6ffbc52ffcd905758cdf3581ffde933b961f3cfb8e

data/.gitignore

@@ -0,0 +1,11 @@
+Berksfile.lock
+Gemfile.lock
+test/gemfiles/*.lock
+.kitchen/
+.kitchen.local.yml
+test/docker/
+test/ec2/
+coverage/
+pkg/
+.yardoc/
+doc/

data/.kitchen.yml

@@ -0,0 +1,22 @@
+---
+#<% IO.read('test/ec2/env').split.map{|s| s.split(/=/)}.each{|(k, v)| ENV[k] = v} if ::File.exist?('test/ec2/env') %>
+#<% require 'poise_boiler' %>
+<%= PoiseBoiler.kitchen(platforms: %w{ubuntu-14.04}, driver: 'ec2') %>
+
+transport:
+  name: sftp
+  ssh_key: test/ec2/citadel-kitchen.key
+
+suites:
+- name: iam
+  run_list:
+  - recipe[citadel_test]
+  driver:
+    iam_profile_name: citadel-role
+- name: attr
+  run_list:
+  - recipe[citadel_test]
+  attributes:
+    citadel:
+      access_key_id: <%= ENV['CITADEL_ACCESS_KEY_ID'] %>
+      secret_access_key: <%= ENV['CITADEL_SECRET_ACCESS_KEY'] %>

data/.travis.yml

@@ -0,0 +1,33 @@
+sudo: false
+cache: bundler
+language: ruby
+rvm:
+- '2.2'
+env:
+  global:
+  - AWS_SECURITY_GROUP_ID=sg-accb7ad7
+  - AWS_SUBNET_ID=subnet-ca674af7
+  - AWS_SSH_KEY_ID=citadel-kitchen
+  - secure: G68O+EByjjbIZZmMVV2xQvYlAFqW8LHBj/j82E5mspvVxwhpqn5JdEUpPjR9GeD5Cjt2V13l0353hI9/KyZKwx2iuBR3lQQkyAZIb147bUpYT/yQuXLSYEmt7HxyPOrWCZ2aP0253WPGamKX+bK/OUh1PAbOq5EbTh+2qYvWXAE=
+  - secure: xXfMmQd6zQ7GUDH2+uGHukNW6ZvJQKIiDVi1rlqTF2IHCcgFzkKGR4Pb9JwEA2c8S0z/KSZ6+3F9o66735Oe53Yvoat18WfdFNrp7q8nPk68hZY2IVA6La7/g3SUhHXvija6d8ywRMwIH3ms6r3aVk2/vQnFxojRzbgxMf54XQg=
+  - secure: rwKhSzXKW1WAmofn+Z3Z9PfSQVU5/O84qjQjfVw0H3Cq7+vky4/ES+lnQqiMigY0E8MtxUHCidThPGMKE9rJzeLr/ARrJ+9D5xd927Pm5P+nnWsIdh8m38db914henn7AXDZzjbP+l+sbut5EdO2Hixl/qWgzoojSic276MSy9Q=
+  - secure: T0/zwIemVsXxxqhmIPqdp62TOH+ydZ1F/Fjvz2rEfal976UAfqAOZXnE3OHXOWYC2K/JIJmB+uaFh2Cv8M+lrYa/R3KjB5SYAVwdC6R55kYTRHz7m9XO0XToSoWRi7hjssbPaVsd/v2S3lO78sdn+Ormw6Ksr2IAl8pgxVzE/YI=
+  - secure: lvJZ2kkD32TPQg8loH5Jd5hGUzfBoL8WqfYdMyghYxe8+j+9915nz6xIiudQTEsxfh/KDvhbsR4xSqRvISsx8etTmzZ2M9HlNFFW0rHIQLrbvPNynlrOGZ88Tj2V1b7KgRXdXthLMi/fWwAmJMUsllUYE7i5QLLx2Ylf8iz1FEM=
+before_install: gem install bundler
+bundler_args: "--binstubs=$PWD/bin --jobs 3 --retry 3"
+script:
+- "openssl rsa -in test/ec2/citadel-kitchen.pem -passin env:KITCHEN_KEY_PASS -out test/ec2/citadel-kitchen.key"
+- "./bin/rake travis"
+gemfile:
+- test/gemfiles/chef-12.gemfile
+- test/gemfiles/chef-12.1.gemfile
+- test/gemfiles/chef-12.2.gemfile
+- test/gemfiles/chef-12.3.gemfile
+- test/gemfiles/chef-12.4.gemfile
+- test/gemfiles/chef-12.5.gemfile
+- test/gemfiles/chef-12.6.gemfile
+- test/gemfiles/chef-12.7.gemfile
+- test/gemfiles/chef-12.8.gemfile
+- test/gemfiles/chef-12.9.gemfile
+- test/gemfiles/chef-12.10.gemfile
+- test/gemfiles/master.gemfile

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Citadel Changelog
+
+## v1.1.0
+
+* Automatically retrieve IAM credentials if present.
+* Conversion to Halite-based gem.
+
+## v1.0.2
+
+* Improved error messages and HTTPS verification.
+
+## v1.0.0
+
+* Initial release!

data/Gemfile

@@ -0,0 +1,32 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+source 'https://rubygems.org/'
+
+gemspec path: File.expand_path('..', __FILE__)
+
+def dev_gem(name, path: File.join('..', name), github: nil)
+  path = File.expand_path(File.join('..', path), __FILE__)
+  if File.exist?(path)
+    gem name, path: path
+  elsif github
+    gem name, github: github
+  end
+end
+
+dev_gem 'halite'
+dev_gem 'poise-boiler', github: 'poise/poise-boiler'
+dev_gem 'poise-profiler'

data/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,179 @@
+# Citadel Cookbook
+
+[![Build Status](https://img.shields.io/travis/poise/citadel.svg)](https://travis-ci.org/poise/citadel)
+[![Gem Version](https://img.shields.io/gem/v/poise-citadel.svg)](https://rubygems.org/gems/poise-citadel)
+[![Cookbook Version](https://img.shields.io/cookbook/v/citadel.svg)](https://supermarket.chef.io/cookbooks/citadel)
+[![Coverage](https://img.shields.io/codecov/c/github/poise/citadel.svg)](https://codecov.io/github/poise/citadel)
+[![Gemnasium](https://img.shields.io/gemnasium/poise/citadel.svg)](https://gemnasium.com/poise/citadel)
+[![License](https://img.shields.io/badge/license-Apache_2-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+Using a combination of IAM roles, S3 buckets, and EC2 it is possible to use AWS
+as a trusted-third-party for distributing secret or otherwise sensitive data.
+
+## Overview
+
+IAM roles allow specifying snippets of IAM policies in a way that can be used
+from an EC2 virtual machine. Combined with a private S3 bucket, this can be
+used to authorize specific hosts to specific files.
+
+IAM Roles can be created [in the AWS Console](https://console.aws.amazon.com/iam/home#roles).
+While the policies applied to a role can be changed later, the name cannot so
+be careful when choosing them.
+
+## Requirements
+
+This cookbook requires Chef 12 or newer. It also requires the EC2 ohai plugin
+to be active. If you are using a VPC, this may require setting the hint file
+depending on your version of Ohai/Chef:
+
+```bash
+$ mkdir -p /etc/chef/ohai/hints
+$ touch /etc/chef/ohai/hints/ec2.json
+```
+
+If you use knife-ec2 to start the instance, the hint file is already set for you.
+
+## IAM Policy
+
+By default, your role will not be able to access any files in your private S3
+bucket. You can create IAM policies that whitelist specific keys for each role:
+
+```json
+{
+  "Version": "2008-10-17",
+  "Id": "<policy name>",
+  "Statement": [
+    {
+      "Sid": "<statement name>",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::<AWS account number>:role/<role name>"
+      },
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::<bucket name>/<key pattern>"
+    }
+  ]
+}
+```
+
+The key pattern can include `*` and `?` metacharacters, so for example
+`arn:aws:s3:::myapp.citadel/deploy_keys/*` to allow access to all files in the
+`deploy_keys` folder.
+
+This policy can be attached to either the IAM role or the S3 bucket with equal
+effect.
+
+## Limitations
+
+Each EC2 VM can only be assigned a single IAM role. This can complicate situations
+where some secrets need to be shared by overlapping subsets of your servers. A
+possible improvement to this would be to make a script to create all needed
+composite IAM roles, possibly driven by Chef roles or other metadata.
+
+## Attributes
+
+* `node['citadel']['bucket']` – The default S3 bucket to use.
+
+## Recipe Usage
+
+You can access secret data via the `citadel` method.
+
+```ruby
+file '/etc/secret' do
+  owner 'root'
+  group 'root'
+  mode '600'
+  content citadel['keys/secret.pem']
+end
+```
+
+By default the node attribute `node['citadel']['bucket']` is used to find the
+S3 bucket to query, however you can override this:
+
+```ruby
+template '/etc/secret' do
+  owner 'root'
+  group 'root'
+  mode '600'
+  variables secret: citadel('mybucket')['id_rsa']
+end
+```
+
+## Developing with Vagrant
+
+While developing in a local VM, you can use the node attributes
+`node['citadel']['access_key_id']` and `node['citadel']['secret_access_key']`
+to provide credentials. The recommended way to do this is via environment variables
+so that the Vagrantfile itself can still be kept in source control without
+leaking credentials:
+
+```ruby
+config.vm.provision :chef_solo do |chef|
+  chef.json = {
+    citadel: {
+      access_key_id: ENV['ACCESS_KEY_ID'],
+      secret_access_key: ENV['SECRET_ACCESS_KEY'],
+    },
+  }
+end
+```
+
+**WARNING:** Use of these attributes in production should be considered a likely
+security risk as they will end up visible in the node data, or in the role/environment/cookbook
+that sets them. This can be mitigated using Enterprise Chef ACLs, however such
+configurations are generally error-prone due to the defaults being wide open.
+
+### Testing with Test-Kitchen
+
+Similarly you can use the same attributes with Test-Kitchen
+
+```yaml
+provisioner:
+  name: chef_solo
+  attributes:
+    citadel:
+      access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %>
+      secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %>
+```
+
+## Recommended S3 Layout
+
+Within your S3 bucket I recommend you create one folder for each group of
+secrets, and in your IAM policies have one statement per group. Each group of
+secrets is a set of data with identical security requirements. Many groups will
+start out only containing a single file, however having the flexibility to
+change this in the future allows for things like key rotation without rewriting
+all of your IAM policies.
+
+An example of an IAM policy resource would be:
+
+```
+"Resource": "arn:aws:s3:::mybucket/myfolder/*"
+```
+
+## Creating and Updating Secrets
+
+You can use any S3 client you prefer to manage your secrets, however make sure
+that new files are set to private (accessible only to the creating user) by
+default.
+
+## Sponsors
+
+The Poise test server infrastructure is sponsored by [Rackspace](https://rackspace.com/).
+
+## License
+
+Copyright 2013-2016, Balanced, Inc.
+Copyright 2016, Noah Kantrowitz
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.