Class: InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControlCertVerifier

Inherits:

Object

• Object
• InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControlCertVerifier

Defined in:

lib/instance_agent/plugins/codedeploy/codedeploy_control.rb

Instance Method Summary

• #initialize(endpoint) ⇒ CodeDeployControlCertVerifier constructor

  A new instance of CodeDeployControlCertVerifier.

• #verify_cert ⇒ Object
• #verify_subject ⇒ Object

  Do minimal cert pinning.

Constructor Details

#initialize(endpoint) ⇒ CodeDeployControlCertVerifier

Returns a new instance of CodeDeployControlCertVerifier.

# File 'lib/instance_agent/plugins/codedeploy/codedeploy_control.rb', line 57

def initialize(endpoint)
  @endpoint = endpoint
  @region = ENV['AWS_REGION'] || InstanceMetadata.region
end

Instance Method Details

#verify_cert ⇒ Object

# File 'lib/instance_agent/plugins/codedeploy/codedeploy_control.rb', line 62

def verify_cert
  uri = URI(@endpoint)
  client = Net::HTTP.new(uri.host, uri.port)
  client.use_ssl = true
  client.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client.ca_file = ENV['SSL_CERT_FILE']

  client.verify_callback = lambda do |preverify_ok, cert_store|
    return false unless preverify_ok
    @cert = cert_store.chain[0]
    verify_subject
  end

  response = client.get '/'
end

#verify_subject ⇒ Object

Do minimal cert pinning

# File 'lib/instance_agent/plugins/codedeploy/codedeploy_control.rb', line 79

def verify_subject
  InstanceAgent::Log.debug("#{self.class.to_s}: Actual certificate subject is '#{@cert.subject.to_s}'")

  case @region
  when 'us-east-1'
    @cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-commands.us-east-1.amazonaws.com"
  when 'us-west-2'
    @cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-commands.us-west-2.amazonaws.com"
  when 'eu-west-1'
    @cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-commands.eu-west-1.amazonaws.com"
  when 'ap-southeast-2'
    @cert.subject.to_s == "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-commands.ap-southeast-2.amazonaws.com"
  else
    InstanceAgent::Log.debug("#{self.class.to_s}: Unsupported region '#{@region}'")
    false
  end
end