author | Claire McQuin <claire@getchef.com> | 2014-07-01 11:09:36 -0700 |
---|---|---|
committer | Claire McQuin <claire@getchef.com> | 2014-07-02 10:59:08 -0700 |
commit | 048f7e4df2be1ecb05323e68c7f26ce61409957a (patch) | |
tree | d0ac290a9f6c4cb2020eda73d034a180e91f761f | |
parent | 97a25311e12125424e3f09a677579135910e9733 (diff) | |
download | ohai-048f7e4df2be1ecb05323e68c7f26ce61409957a.tar.gz |
Filter IAM from metadata unless 'iam' hint is present.
-rw-r--r-- | lib/ohai/mixin/ec2_metadata.rb | 22 | ||||
-rw-r--r-- | lib/ohai/plugins/ec2.rb | 17 | ||||
-rw-r--r-- | lib/ohai/plugins/eucalyptus.rb | 14 | ||||
-rw-r--r-- | spec/unit/plugins/ec2_spec.rb | 22 |
4 files changed, 33 insertions, 42 deletions
diff --git a/lib/ohai/mixin/ec2_metadata.rb b/lib/ohai/mixin/ec2_metadata.rb
index cad312a1..d01d5cc1 100644
--- a/lib/ohai/mixin/ec2_metadata.rb
+++ b/lib/ohai/mixin/ec2_metadata.rb
@@ -48,12 +48,6 @@ module Ohai
 EC2_ARRAY_DIR = %w(network/interfaces/macs)
 EC2_JSON_DIR = %w(iam)
- EC2_SECURITY_CREDENTIALS = %w(iam/security-credentials/)
-
- def collect_security_credentials(value = nil)
- @value ||= value
- end
-
 def can_metadata_connect?(addr, port, timeout=2)
 t = Socket.new(Socket::Constants::AF_INET, Socket::Constants::SOCK_STREAM, 0)
 saddr = Socket.pack_sockaddr_in(port, addr)
@@ -112,8 +106,6 @@ module Ohai
 # produces a 404 for some unknown reason. In that event, return
 # `nil` and continue the run instead of failing it.
 def metadata_get(id, api_version)
- return nil unless fetch?(id)
-
 path = "/#{api_version}/meta-data/#{id}"
 response = http_client.get(path)
 case response.code
@@ -218,20 +210,6 @@ module Ohai
 key.gsub(/\-|\//, '_')
 end
- # Should return true only if we have the permission to collect the metadata
- # from this id.
- def fetch?(id)
- if credentials?(id)
- collect_security_credentials
- else
- true
- end
- end
-
- def credentials?(id)
- EC2_SECURITY_CREDENTIALS.include?(id)
- end
-
 end
 end
 end
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index 5d4f141b..af51819c 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -48,16 +48,15 @@ Ohai.plugin(:EC2) do
 collect_data do
 if looks_like_ec2?
 Ohai::Log.debug("looks_like_ec2? == true")
-
- if hint?('ec2_iam')
- Ohai::Log.debug("collecting iam security credentials")
- collect_security_credentials(true)
- else
- collect_security_credentials(false)
- end
-
 ec2 Mash.new
- fetch_metadata.each {|k, v| ec2[k] = v }
+ fetch_metadata.each do |k, v|
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ ec2[k] = v
+ end
 ec2[:userdata] = self.fetch_userdata
 else
 Ohai::Log.debug("looks_like_ec2? == false")
diff --git a/lib/ohai/plugins/eucalyptus.rb b/lib/ohai/plugins/eucalyptus.rb
index c5fed2f0..8c7c918c 100644
--- a/lib/ohai/plugins/eucalyptus.rb
+++ b/lib/ohai/plugins/eucalyptus.rb
@@ -47,7 +47,7 @@ Ohai.plugin(:Eucalyptus) do
 end
 def looks_like_euca?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
 # the Xen environment is *not* EC2
 hint?('eucalyptus') || has_euca_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
 end
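Review bot: The new `next if k == 'iam' && !hint?('iam')` inside the `fetch_metadata.each` loop only drops the key from the `ec2` Mash after the credentials have already been retrieved; the removed `return nil unless fetch?(id)` gate in ec2_metadata.rb suppressed the request itself, and the spec hunk in this commit now expects GETs for `iam/security-credentials/` and `iam/security-credentials/MyRole` even when the hint is absent. If the hash returned by `fetch_metadata` is debug-logged or retained anywhere else (not visible in this hunk), the secret access key still passes through ohai, so consider keeping a pre-request gate in the mixin fed from the plugin's hint state, as the removed `collect_security_credentials` did, or at least extend the comment with `# Note: the credentials are still fetched; only the reported 'iam' key is dropped.`. The hint name also changes from `ec2_iam` to `iam`, so an existing `ec2_iam.json` hint will silently stop enabling collection; the commit message should call that out. The same post-fetch filter is duplicated in the eucalyptus.rb hunk below.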
@@ -56,7 +56,17 @@ Ohai.plugin(:Eucalyptus) do
 if looks_like_euca?
 Ohai::Log.debug("looks_like_euca? == true")
 eucalyptus Mash.new
- self.fetch_metadata.each {|k, v| eucalyptus[k] = v }
+ self.fetch_metadata.each do |k, v|
+ # Eucalyptus 3.4+ supports IAM roles and Instance Profiles much like AWS
+ # https://www.eucalyptus.com/blog/2013/10/15/iam-roles-and-instance-profiles-eucalyptus-34
+ #
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ eucalyptus[k] = v
+ end
 eucalyptus[:userdata] = self.fetch_userdata
 else
 Ohai::Log.debug("looks_like_euca? == false")
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index a112e0e8..06fe1403 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
@@ -104,11 +104,11 @@ describe Ohai::System, "plugin ec2" do
 context "with ec2_iam cloud file" do
 before do
 if windows?
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2_iam.json').and_return(true)
- File.stub(:read).with('C:\chef\ohai\hints/ec2_iam.json').and_return('')
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/iam.json').and_return('')
 else
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2_iam.json').and_return(true)
- File.stub(:read).with('/etc/chef/ohai/hints/ec2_iam.json').and_return('')
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/iam.json').and_return('')
 end
 end
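Review bot: The context description `context "with ec2_iam cloud file" do` in this spec hunk, and `context "without ec2_iam cloud file" do` in the next one, still name the old `ec2_iam` hint while the stubbed paths now point at `iam.json`; renaming them to `context "with iam hint file" do` and `context "without iam hint file" do` keeps the spec output consistent with the behaviour under test. The enclosing `describe` block begins outside the hunk.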
@@ -140,9 +140,9 @@ describe Ohai::System, "plugin ec2" do
 context "without ec2_iam cloud file" do
 before do
 if windows?
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2_iam.json').and_return(false)
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(false)
 else
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2_iam.json').and_return(false)
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(false)
 end
 end
@@ -153,8 +153,12 @@ describe Ohai::System, "plugin ec2" do
 @http_client.should_receive(:get).
 with("/2012-01-12/meta-data/iam/").
 and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
- @http_client.should_not_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/")
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
 @http_client.should_receive(:get).
 with("/2012-01-12/user-data/").
 and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
@@ -162,7 +166,7 @@ describe Ohai::System, "plugin ec2" do
 @plugin.run
 @plugin[:ec2].should_not be_nil
- @plugin[:ec2]['iam']['security-credentials'].should be_nil
+ @plugin[:ec2]['iam'].should be_nil
 end
 end