authorClaire McQuin <claire@getchef.com>2014-07-01 11:09:36 -0700
committerClaire McQuin <claire@getchef.com>2014-07-02 10:59:08 -0700
commit048f7e4df2be1ecb05323e68c7f26ce61409957a (patch)
treed0ac290a9f6c4cb2020eda73d034a180e91f761f
parent97a25311e12125424e3f09a677579135910e9733 (diff)
downloadohai-048f7e4df2be1ecb05323e68c7f26ce61409957a.tar.gz
Filter IAM from metadata unless 'iam' hint is present.
-rw-r--r--lib/ohai/mixin/ec2_metadata.rb22
-rw-r--r--lib/ohai/plugins/ec2.rb17
-rw-r--r--lib/ohai/plugins/eucalyptus.rb14
-rw-r--r--spec/unit/plugins/ec2_spec.rb22
4 files changed, 33 insertions, 42 deletions
diff --git a/lib/ohai/mixin/ec2_metadata.rb b/lib/ohai/mixin/ec2_metadata.rb
index cad312a1..d01d5cc1 100644
--- a/lib/ohai/mixin/ec2_metadata.rb
+++ b/lib/ohai/mixin/ec2_metadata.rb
@@ -48,12 +48,6 @@ module Ohai
EC2_ARRAY_DIR = %w(network/interfaces/macs)
EC2_JSON_DIR = %w(iam)
- EC2_SECURITY_CREDENTIALS = %w(iam/security-credentials/)
-
- def collect_security_credentials(value = nil)
- @value ||= value
- end
-
def can_metadata_connect?(addr, port, timeout=2)
t = Socket.new(Socket::Constants::AF_INET, Socket::Constants::SOCK_STREAM, 0)
saddr = Socket.pack_sockaddr_in(port, addr)
@@ -112,8 +106,6 @@ module Ohai
# produces a 404 for some unknown reason. In that event, return
# `nil` and continue the run instead of failing it.
def metadata_get(id, api_version)
- return nil unless fetch?(id)
-
path = "/#{api_version}/meta-data/#{id}"
response = http_client.get(path)
case response.code
@@ -218,20 +210,6 @@ module Ohai
key.gsub(/\-|\//, '_')
end
- # Should return true only if we have the permission to collect the metadata
- # from this id.
- def fetch?(id)
- if credentials?(id)
- collect_security_credentials
- else
- true
- end
- end
-
- def credentials?(id)
- EC2_SECURITY_CREDENTIALS.include?(id)
- end
-
end
end
end
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index 5d4f141b..af51819c 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -48,16 +48,15 @@ Ohai.plugin(:EC2) do
collect_data do
if looks_like_ec2?
Ohai::Log.debug("looks_like_ec2? == true")
-
- if hint?('ec2_iam')
- Ohai::Log.debug("collecting iam security credentials")
- collect_security_credentials(true)
- else
- collect_security_credentials(false)
- end
-
ec2 Mash.new
- fetch_metadata.each {|k, v| ec2[k] = v }
+ fetch_metadata.each do |k, v|
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ ec2[k] = v
+ end
ec2[:userdata] = self.fetch_userdata
else
Ohai::Log.debug("looks_like_ec2? == false")
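Review bot: The filter `next if k == 'iam' && !hint?('iam')` runs only after `fetch_metadata` has returned, so without the hint the role credentials are still requested from the metadata service and held in memory on every run and merely dropped at attribute assembly, whereas the removed `fetch?` gate in the mixin skipped the request itself (the spec now expects the GET to `.../iam/security-credentials/MyRole`). If `metadata_get` logs response bodies at debug level (not visible here) the secret would still reach the log, so a pre-fetch skip is the safer shape than a post-fetch drop. The new code also discards the whole `iam` subtree where the old assertion only withheld `security-credentials`, and the hint name changed from `ec2_iam` to `iam` with no fallback, so nodes carrying the old hint file silently stop reporting IAM data; `next if k == 'iam' && !(hint?('iam') || hint?('ec2_iam'))` would keep them working. The comment's "IAM user's secret access key" is more precisely the instance role's temporary credentials, per the fixture in the spec: `# fetch_metadata returns the instance role's temporary credentials (AccessKeyId, SecretAccessKey, Token).` The `collect_data` block closes outside the hunk.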
diff --git a/lib/ohai/plugins/eucalyptus.rb b/lib/ohai/plugins/eucalyptus.rb
index c5fed2f0..8c7c918c 100644
--- a/lib/ohai/plugins/eucalyptus.rb
+++ b/lib/ohai/plugins/eucalyptus.rb
@@ -47,7 +47,7 @@ Ohai.plugin(:Eucalyptus) do
end
def looks_like_euca?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
# the Xen environment is *not* EC2
hint?('eucalyptus') || has_euca_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
end
@@ -56,7 +56,17 @@ Ohai.plugin(:Eucalyptus) do
if looks_like_euca?
Ohai::Log.debug("looks_like_euca? == true")
eucalyptus Mash.new
- self.fetch_metadata.each {|k, v| eucalyptus[k] = v }
+ self.fetch_metadata.each do |k, v|
+ # Eucalyptus 3.4+ supports IAM roles and Instance Profiles much like AWS
+ # https://www.eucalyptus.com/blog/2013/10/15/iam-roles-and-instance-profiles-eucalyptus-34
+ #
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ eucalyptus[k] = v
+ end
eucalyptus[:userdata] = self.fetch_userdata
else
Ohai::Log.debug("looks_like_euca? == false")
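Review bot: The filter block duplicates the one added to ec2.rb line for line; both plugins reach `Ohai::Mixin::Ec2Metadata` (the constant is referenced in `looks_like_euca?` above), so one helper there, e.g. `def filter_iam(md); hint?('iam') ? md : md.reject { |k, _| k == 'iam' }; end`, would keep the two plugins from drifting when the rule changes — whether `hint?` is callable from the mixin is assumed from the plugin DSL and should be confirmed. Before this commit the Eucalyptus plugin never called `collect_security_credentials`, so `fetch?` in the mixin saw a falsy `@value` and the credentials were apparently never requested at all; after it they are fetched on every run and dropped afterwards, which is worth stating in the commit message. The surrounding `collect_data` block begins outside the hunk.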
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index a112e0e8..06fe1403 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
@@ -104,11 +104,11 @@ describe Ohai::System, "plugin ec2" do
context "with ec2_iam cloud file" do
before do
if windows?
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2_iam.json').and_return(true)
- File.stub(:read).with('C:\chef\ohai\hints/ec2_iam.json').and_return('')
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/iam.json').and_return('')
else
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2_iam.json').and_return(true)
- File.stub(:read).with('/etc/chef/ohai/hints/ec2_iam.json').and_return('')
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/iam.json').and_return('')
end
end
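Review bot: The context description `with ec2_iam cloud file` on the hunk's first line is now stale: the stubbed hint file is `iam.json`, so a reader searching for the hint name will not find this example. Rename it to `with iam cloud file`, and presumably the sibling `without ec2_iam cloud file` context as well. The example body that asserts what is collected when the hint is present lies outside the hunk.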
@@ -140,9 +140,9 @@ describe Ohai::System, "plugin ec2" do
context "without ec2_iam cloud file" do
before do
if windows?
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2_iam.json').and_return(false)
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(false)
else
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2_iam.json').and_return(false)
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(false)
end
end
@@ -153,8 +153,12 @@ describe Ohai::System, "plugin ec2" do
@http_client.should_receive(:get).
with("/2012-01-12/meta-data/iam/").
and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
- @http_client.should_not_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/")
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
@http_client.should_receive(:get).
with("/2012-01-12/user-data/").
and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
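Review bot: The new `should_receive` for `/2012-01-12/meta-data/iam/security-credentials/MyRole` encodes that the credentials are still retrieved even without the hint and only dropped when the `ec2` Mash is built; without a comment a later reader may "fix" it back to `should_not_receive` and break the example. Add above it: `# The credentials are still read from the metadata service; the plugin drops the 'iam' subtree when no 'iam' hint is present.` The single escaped JSON string would also read better as a squiggly heredoc.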
@@ -162,7 +166,7 @@ describe Ohai::System, "plugin ec2" do
@plugin.run
@plugin[:ec2].should_not be_nil
- @plugin[:ec2]['iam']['security-credentials'].should be_nil
+ @plugin[:ec2]['iam'].should be_nil
end
end
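Review bot: `@plugin[:ec2]['iam'].should be_nil` passes equally if metadata collection yielded nothing beyond `ec2` being non-nil, so it does not distinguish "the filter ran" from "the fetch produced nothing". Strengthen it by asserting the fixture's secret never reaches the collected data, `@plugin[:ec2].to_s.should_not include("SSSSSSSS")`, and that a non-IAM key populated by the other stubs in this example is present. The stubs that populate those keys are outside the hunk.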