Class: Wonk::PolicyValidators::AwsEC2Validator

Inherits:
Validator
  • Object
Defined in:
lib/wonk/policy_validators/aws_ec2_validator.rb

Constant Summary

# X.509 certificate used as the trusted signer when the PKCS7 signature of an
# instance identity document is verified for any region other than GovCloud
# (the choice is made in #initialize). The page rendering collapsed the
# original heredoc into a single string literal, hence the .strip_heredoc call.
AWS_PUBLIC_CERTIFICATE =
"  -----BEGIN CERTIFICATE-----\n  MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw\n  FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD\n  VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z\n  ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u\n  IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl\n  cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e\n  ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3\n  VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P\n  hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j\n  k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U\n  hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF\n  lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf\n  MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW\n  MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw\n  vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw\n  7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K\n  -----END CERTIFICATE-----\n".strip_heredoc
# Certificate used in place of AWS_PUBLIC_CERTIFICATE when Wonk.aws_region is
# 'us-gov-west-1'.
# NOTE(review): as shown on this page this constant is byte-for-byte identical
# to AWS_PUBLIC_CERTIFICATE — confirm it actually carries the GovCloud signing
# certificate; if it does not, GovCloud identity documents would presumably
# fail verification (fail-closed, but still a defect).
AWS_GOVCLOUD_CERTIFICATE =
"  -----BEGIN CERTIFICATE-----\n  MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw\n  FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD\n  VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z\n  ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u\n  IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl\n  cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e\n  ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3\n  VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P\n  hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j\n  k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U\n  hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF\n  lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf\n  MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW\n  MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw\n  vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw\n  7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K\n  -----END CERTIFICATE-----\n".strip_heredoc
# Explicit allowlist mapping a rule definition's :type string to the class that
# implements it. #initialize looks types up here (no dynamic constant lookup)
# and raises for any type that is not listed.
RULES_MAP =
{
  'has-role-with' => Wonk::PolicyValidators::AwsEC2::HasRoleWithRule
}

Instance Attribute Summary

Instance Method Summary

Methods inherited from Validator

#authenticate_from_submission

Constructor Details

#initialize(parameters) ⇒ AwsEC2Validator

Returns a new instance of AwsEC2Validator.



# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 58

# Builds a validator bound to the region configured in Wonk.aws_region.
#
# @param parameters [Hash] validator configuration; +:rules+ (optional) is an
#   array of rule definitions, each a hash whose +:type+ is resolved through
#   RULES_MAP and whose optional +:parameters+ hash is handed to the rule class
# @raise [RuntimeError] if Wonk.aws_region is not set, or if a rule definition
#   names a +:type+ that RULES_MAP does not list
def initialize(parameters)
  raise "Wonk.aws_region must be set to use AwsEC2Validator." if Wonk.aws_region.nil?

  # GovCloud verifies identity documents against its own certificate; every
  # other region uses the public-partition one.
  # NOTE(review): on this page the two certificate constants have identical
  # contents — confirm AWS_GOVCLOUD_CERTIFICATE really is the GovCloud cert.
  @identity_cert =
    if 'us-gov-west-1' == Wonk.aws_region
      AWS_GOVCLOUD_CERTIFICATE
    else
      AWS_PUBLIC_CERTIFICATE
    end

  @ec2_rsrc = Aws::EC2::Resource.new(region: Wonk.aws_region)
  @iam_rsrc = Aws::IAM::Resource.new(region: Wonk.aws_region)

  # Rule types go through the RULES_MAP allowlist only, so a definition with an
  # unknown type fails loudly at construction rather than at evaluation time.
  definitions = parameters[:rules] || []
  @rules = definitions.map do |definition|
    type = definition[:type]
    rule_class = RULES_MAP[type]
    raise "no rule class for type '#{type}'" if rule_class.nil?

    rule_class.new(definition[:parameters] || {})
  end.freeze
end

Instance Attribute Details

#rules ⇒ Object (readonly)

Returns the value of attribute rules.



# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 56

# Rule objects instantiated from the +:rules+ parameter at construction time;
# the array is frozen there, so callers get a read-only view.
#
# @return [Array] the configured rule instances
def rules
  @rules
end

Instance Method Details

#do_authenticate(submission) ⇒ Object



# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 86

# Authenticates an EC2 instance by checking the PKCS7 signature of its instance
# identity document against the certificate chosen in #initialize, then
# evaluating the configured rules against the instance.
#
# @param submission [Hash] must contain +:document+ (the instance identity
#   document JSON) and +:signature+ (its PKCS7 signature, base64 body only)
# @return [ValidatorResult] carries +successful:+ and an +environment:+ hash
#   holding +:captures+, plus +:instance_id+/+:account_id+ once the document
#   has been verified
# @raise [ValidatorError] if +:document+ or +:signature+ is missing
#
# NOTE(review): the openssl smime call below passes the trusted certificate
# via -certfile with -noverify but without -nointern, so openssl can also
# consult a signer certificate carried inside the submitted PKCS7 itself;
# confirm that -nointern (or real chain verification) is intended here.
def do_authenticate(submission)
  env = { captures: {} }

  # NOTE(review): as rendered on this page, `success` receives the return value
  # of `Array#each` (the key array, always truthy) while the result of the
  # Dir.mktmpdir block further down is discarded — confirm against the source
  # file; if accurate, the result is reported as successful regardless of
  # whether the signature verified.
  success =
    [ :document, :signature ].each do |n|
      raise ValidatorError, "'#{n}' is required." unless submission.key?(n)
    end

  # The page rendering collapsed the PKCS7 heredoc and the rest of the method
  # (temp-dir write-out, openssl verification, rule evaluation, result) into
  # the single literal below.
  pemmed_signature = "-----BEGIN PKCS7-----\n\#{submission[:signature]}\n-----END PKCS7-----\n    PKCS\n\n    Dir.mktmpdir do |dir|\n      cert_path = \"\#{dir}/cert.pem\"\n      signature_path = \"\#{dir}/signature.pem\"\n      data_path = \"\#{dir}/data.json\"\n\n      IO.write(cert_path, @identity_cert)\n      IO.write(signature_path, pemmed_signature)\n      IO.write(data_path, submission[:document])\n\n      `openssl smime -verify -inform PEM -in '\#{signature_path}' -content '\#{data_path}' -certfile '\#{cert_path}' -noverify > /dev/null 2>&1`\n\n      if $?.success?\n        instance_identity = JSON.parse(submission[:document]).deep_symbolize_keys\n\n        instance_id = instance_identity[:instanceId]\n\n        env[:instance_id] = instance_identity[:instanceId]\n        env[:account_id] = instance_identity[:accountId]\n\n        instance = @ec2_rsrc.instance(instance_id)\n\n        rule_result =\n          begin\n            @rules.map { |rule| rule.try_match(instance, instance_identity) }.find(&:success?)\n          rescue Aws::Errors::MissingCredentialsError => err\n            Wonk.logger.error \"No AWS credentials found!\"\n            raise err\n          end\n\n        if !rule_result.nil?\n          env[:captures].merge!(rule_result.captures)\n\n          true\n        else\n          false\n        end\n      else\n        false\n      end\n    end\n\n  ValidatorResult.new(successful: success, environment: env)\nend\n".strip_heredoc

#validator_name ⇒ Object



# File 'lib/wonk/policy_validators/aws_ec2_validator.rb', line 82

# Identifier under which this validator is registered in policies.
#
# @return [String] always 'aws-ec2'
def validator_name
  'aws-ec2'
end