Class: Wonk::PolicyValidators::AwsEC2Validator
- Inherits:
-
Validator
- Object
- Validator
- Wonk::PolicyValidators::AwsEC2Validator
- Defined in:
- lib/wonk/policy_validators/aws_ec2_validator.rb
Constant Summary
# X.509 certificate AWS uses to sign instance identity documents in the
# commercial partition; #initialize selects it for every region except
# 'us-gov-west-1'. The certificate body is elided on this page.
# NOTE(review): strip_heredoc is not core Ruby (presumably ActiveSupport) — confirm it is loaded.
- AWS_PUBLIC_CERTIFICATE =
<<-PKCS.strip_heredoc
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
PKCS
# Counterpart used for the GovCloud region 'us-gov-west-1' (see #initialize).
- AWS_GOVCLOUD_CERTIFICATE =
<<-PKCS.strip_heredoc
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
PKCS
# Rule type string (the :type of each entry under a policy's :rules) to the
# class that implements it; #initialize raises for a type not listed here.
# Not frozen as written.
- RULES_MAP =
{
'has-role-with' => Wonk::PolicyValidators::AwsEC2::HasRoleWithRule
}
Instance Attribute Summary
Instance Method Summary
Methods inherited from Validator
#authenticate_from_submission
Constructor Details
# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 58
# Builds a validator bound to the configured AWS region.
#
# @param parameters [Hash] validator configuration; +:rules+ is an optional
#   array of hashes, each with a +:type+ looked up in RULES_MAP and an
#   optional +:parameters+ hash handed to the rule class
# @raise [RuntimeError] when Wonk.aws_region is unset or a rule type is unknown
def initialize(parameters)
  region = Wonk.aws_region
  raise "Wonk.aws_region must be set to use AwsEC2Validator." if region.nil?

  # GovCloud signs instance identity documents with its own certificate.
  @identity_cert = region == 'us-gov-west-1' ? AWS_GOVCLOUD_CERTIFICATE : AWS_PUBLIC_CERTIFICATE
  @ec2_rsrc = Aws::EC2::Resource.new(region: region)
  @iam_rsrc = Aws::IAM::Resource.new(region: region)

  definitions = parameters[:rules] || []
  @rules =
    definitions.map do |definition|
      type = definition[:type]
      rule_class = RULES_MAP.fetch(type) { raise "no rule class for type '#{type}'" }
      rule_class.new(definition[:parameters] || {})
    end.freeze
end
Instance Attribute Details
#rules ⇒ Object
Returns the value of attribute rules.
# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 56
# Rule objects built from the :rules parameter at construction time.
#
# @return [Array] the frozen array assigned in #initialize (nil before that)
def rules
  @rules
end
Instance Method Details
#do_authenticate(submission) ⇒ Object
# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 86
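# Verifies an EC2 instance identity document and matches it against the
# configured rules.
#
# @param submission [Hash] must contain +:document+ (the raw JSON instance
#   identity document) and +:signature+ (its base64 PKCS#7 signature body,
#   without PEM armour)
# @return [ValidatorResult] successful only when the signature verifies
#   against the pinned AWS certificate AND at least one rule matches; the
#   environment carries +:instance_id+, +:account_id+ and the matching
#   rule's +:captures+
# @raise [ValidatorError] when a required key is missing from +submission+
# @raise [Aws::Errors::MissingCredentialsError] re-raised after logging
def do_authenticate(submission)
  env = { captures: {} }
  %i[document signature].each do |key|
    raise ValidatorError, "'#{key}' is required." unless submission.key?(key)
  end

  # The document is untrusted until the signature checks out, so it is
  # neither parsed nor handed to the rules before that. The value of this
  # conditional — not the key check above — is the authentication outcome.
  success =
    if signature_verified?(submission[:signature], submission[:document])
      instance_identity = JSON.parse(submission[:document], symbolize_names: true)
      env[:instance_id] = instance_identity[:instanceId]
      env[:account_id] = instance_identity[:accountId]
      rule_result = first_matching_rule(instance_identity)
      if rule_result
        env[:captures].merge!(rule_result.captures)
        true
      else
        false
      end
    else
      false
    end

  ValidatorResult.new(successful: success, environment: env)
end

# Runs `openssl smime -verify` on the detached signature, accepting only the
# pinned AWS certificate as the signer.
#
# @param signature [String] base64 PKCS#7 signature body
# @param document [String] the signed content, byte for byte
# @return [Boolean] true only when openssl exits successfully
private def signature_verified?(signature, document)
  # Re-armour the bare base64 body so openssl can read it as PEM. Built with
  # join rather than an indented heredoc so the BEGIN/END lines never carry
  # leading whitespace, whatever shape the submitted signature has.
  pemmed_signature = ['-----BEGIN PKCS7-----', signature, '-----END PKCS7-----', ''].join("\n")

  Dir.mktmpdir do |dir|
    cert_path = File.join(dir, 'cert.pem')
    signature_path = File.join(dir, 'signature.pem')
    data_path = File.join(dir, 'data.json')
    # File.write rather than IO.write: IO.write treats a path starting with
    # '|' as a command to run; File.write never does.
    File.write(cert_path, @identity_cert)
    File.write(signature_path, pemmed_signature)
    File.write(data_path, document)

    # argv form: no shell is involved, so the paths are never re-parsed.
    # -noverify: no chain is built because the signer is pinned via -certfile.
    # -nointern: never take the signer certificate from the submitted blob;
    #   without it a message carrying its own certificate could satisfy
    #   -noverify.
    system('openssl', 'smime', '-verify', '-inform', 'PEM',
           '-in', signature_path, '-content', data_path,
           '-certfile', cert_path, '-nointern', '-noverify',
           out: File::NULL, err: File::NULL) == true
  end
end

# Tries every configured rule and returns the first successful match.
#
# @param instance_identity [Hash] symbol-keyed parsed identity document
# @return [Object, nil] the first rule result whose +success?+ is true
# @raise [Aws::Errors::MissingCredentialsError] re-raised after logging
private def first_matching_rule(instance_identity)
  instance = @ec2_rsrc.instance(instance_identity[:instanceId])
  @rules.map { |rule| rule.try_match(instance, instance_identity) }.find(&:success?)
rescue Aws::Errors::MissingCredentialsError
  Wonk.logger.error "No AWS credentials found!"
  raise
end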
#validator_name ⇒ Object
# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 82
# Identifier under which this validator is referenced in policies.
#
# @return [String] always "aws-ec2"
def validator_name
  "aws-ec2"
end