author | Serdar Sutay <serdar@opscode.com> | 2014-07-02 14:44:20 -0700 |
---|---|---|
committer | Serdar Sutay <serdar@opscode.com> | 2014-07-02 14:44:20 -0700 |
commit | fd7b5a1f8b653af938642f354216523bd3e3e3b9 (patch) | |
tree | d0ac290a9f6c4cb2020eda73d034a180e91f761f | |
parent | 2e3f98d70fb678cbf1226f8bde63df0d7f015375 (diff) | |
parent | 048f7e4df2be1ecb05323e68c7f26ce61409957a (diff) | |
Merge pull request #350 from opscode/mcquin/chef-1558
Save IAM security credentials only if hint is present
-rw-r--r-- | lib/ohai/mixin/ec2_metadata.rb | 1 | ||||
-rw-r--r-- | lib/ohai/plugins/ec2.rb | 11 | ||||
-rw-r--r-- | lib/ohai/plugins/eucalyptus.rb | 14 | ||||
-rw-r--r-- | spec/unit/plugins/ec2_spec.rb | 100 |
4 files changed, 98 insertions, 28 deletions
diff --git a/lib/ohai/mixin/ec2_metadata.rb b/lib/ohai/mixin/ec2_metadata.rb
index 2672c199..d01d5cc1 100644
--- a/lib/ohai/mixin/ec2_metadata.rb
+++ b/lib/ohai/mixin/ec2_metadata.rb
@@ -122,6 +122,7 @@ module Ohai
 def fetch_metadata(id='', api_version=nil)
 api_version ||= best_api_version
 return Hash.new if api_version.nil?
+ metadata = Hash.new
 retrieved_metadata = metadata_get(id, api_version)
 if retrieved_metadata
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index e7ab945d..af51819c 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -40,7 +40,7 @@ Ohai.plugin(:EC2) do
 end
 def looks_like_ec2?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
 # the Xen environment is *not* EC2
 hint?('ec2') || has_ec2_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
 end
@@ -49,7 +49,14 @@ Ohai.plugin(:EC2) do
 if looks_like_ec2?
 Ohai::Log.debug("looks_like_ec2? == true")
 ec2 Mash.new
- fetch_metadata.each {|k, v| ec2[k] = v }
+ fetch_metadata.each do |k, v|
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ ec2[k] = v
+ end
 ec2[:userdata] = self.fetch_userdata
 else
 Ohai::Log.debug("looks_like_ec2? == false")
diff --git a/lib/ohai/plugins/eucalyptus.rb b/lib/ohai/plugins/eucalyptus.rb
index c5fed2f0..8c7c918c 100644
--- a/lib/ohai/plugins/eucalyptus.rb
+++ b/lib/ohai/plugins/eucalyptus.rb
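Review bot: The comment above `next if k == 'iam' && !hint?('iam')` misdescribes what is being withheld: per the instance-metadata page it links, `iam/security-credentials/` holds the temporary credentials of the instance profile's role (AccessKeyId, SecretAccessKey, Token, Expiration), not an IAM user's long-lived secret key, so I would reword it as `# iam/security-credentials/ exposes the instance role's temporary credentials; only report the iam subtree when an explicit 'iam' hint opts in.` The credentials are still requested from the metadata service and only dropped afterwards, and `hint?('iam')`, which judging by the File stubs in the spec reads a hint file, is re-evaluated for every key; hoisting `report_iam = hint?('iam')` above the loop and testing `next if k == 'iam' && !report_iam` avoids both the repeated lookup and the misleading per-key shape. `ec2[:userdata] = self.fetch_userdata` on the following line is still sent unconditionally, and user-data is the other common place bootstrap secrets land, so it is worth noting in the comment that this change does not cover it. The enclosing block starts before the hunk.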
@@ -47,7 +47,7 @@ Ohai.plugin(:Eucalyptus) do
 end
 def looks_like_euca?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
 # the Xen environment is *not* EC2
 hint?('eucalyptus') || has_euca_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
 end
@@ -56,7 +56,17 @@ Ohai.plugin(:Eucalyptus) do
 if looks_like_euca?
 Ohai::Log.debug("looks_like_euca? == true")
 eucalyptus Mash.new
- self.fetch_metadata.each {|k, v| eucalyptus[k] = v }
+ self.fetch_metadata.each do |k, v|
+ # Eucalyptus 3.4+ supports IAM roles and Instance Profiles much like AWS
+ # https://www.eucalyptus.com/blog/2013/10/15/iam-roles-and-instance-profiles-eucalyptus-34
+ #
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ eucalyptus[k] = v
+ end
 eucalyptus[:userdata] = self.fetch_userdata
 else
 Ohai::Log.debug("looks_like_euca? == false")
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index 49a7c7d6..06fe1403 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
@@ -44,6 +44,7 @@ describe Ohai::System, "plugin ec2" do
 @http_client.should_receive(:get).
 with("/").twice.
 and_return(double("Net::HTTP Response", :body => "2012-01-12", :code => "200"))
+ File.stub(:exist?).and_return(false)
 end
 it "should recursively fetch all the ec2 metadata" do
@@ -64,6 +65,7 @@ describe Ohai::System, "plugin ec2" do
 and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
 @plugin.run
+ @plugin[:ec2].should_not be_nil
 @plugin[:ec2]['instance_type'].should == "c1.medium"
 @plugin[:ec2]['ami_id'].should == "ami-5d2dc934"
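Review bot: The new `next if k == 'iam' && !hint?('iam')` branch in this plugin has no test: the diffstat lists only spec/unit/plugins/ec2_spec.rb, so the eucalyptus filter is unexercised while the equivalent ec2 change gets a with-hint and a without-hint context. Mirroring those two cases here (hint present → `eucalyptus['iam']` populated, hint absent → `eucalyptus['iam']` nil) would keep the two plugins from drifting apart. The comment also repeats the ec2 wording "the IAM user's secret access key"; what the linked page describes under `iam/security-credentials/` are the instance role's temporary credentials, so `# iam/security-credentials/ holds the instance role's temporary credentials; only report the iam subtree when an 'iam' hint opts in.` is the more accurate line. The enclosing block starts before the hunk.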
@@ -92,33 +94,80 @@ describe Ohai::System, "plugin ec2" do
 @http_client.should_receive(:get).
 with("/2012-01-12/user-data/").
 and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
 @plugin.run
 @plugin[:ec2].should_not be_nil
 @plugin[:ec2]['network_interfaces_macs']['12:34:56:78:9a:bc']['public_hostname'].should eql('server17.opscode.com')
 end
- it "should parse ec2 iam/ directory and its JSON files properly" do
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/").
- and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/").
- and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/").
- and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
- and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/user-data/").
- and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
- @plugin.run
+ context "with ec2_iam cloud file" do
+ before do
+ if windows?
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/iam.json').and_return('')
+ else
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/iam.json').and_return('')
+ end
+ end
- @plugin[:ec2].should_not be_nil
- @plugin[:ec2]['iam']['security-credentials']['MyRole']['Code'].should eql 'Success'
- @plugin[:ec2]['iam']['security-credentials']['MyRole']['Token'].should eql '12345678'
+ it "should parse ec2 iam/ directory and collect iam/security-credentials/" do
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/").
+ and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/").
+ and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/user-data/").
+ and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
+ @plugin.run
+
+ @plugin[:ec2].should_not be_nil
+ @plugin[:ec2]['iam']['security-credentials']['MyRole']['Code'].should eql 'Success'
+ @plugin[:ec2]['iam']['security-credentials']['MyRole']['Token'].should eql '12345678'
+ end
+ end
+
+ context "without ec2_iam cloud file" do
+ before do
+ if windows?
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(false)
+ else
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(false)
+ end
+ end
+
+ it "should parse ec2 iam/ directory and NOT collect iam/security-credentials/" do
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/").
+ and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/").
+ and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/user-data/").
+ and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
+ @plugin.run
+
+ @plugin[:ec2].should_not be_nil
+ @plugin[:ec2]['iam'].should be_nil
+ end
 end
 it "should ignore \"./\" and \"../\" on ec2 metadata paths to avoid infinity loops" do
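Review bot: The context names `"with ec2_iam cloud file"` and `"without ec2_iam cloud file"` do not match what their before blocks stub, which is the `hints/iam.json` hint file; `"with iam hint file"` / `"without iam hint file"` would make a failure message point at the right thing. The negative case asserts only `@plugin[:ec2]['iam'].should be_nil` while still requiring the `.../iam/security-credentials/MyRole` GET via `should_receive`, so it pins the fetch-then-discard behaviour into the suite: if the plugin later stops fetching credentials it does not need, this test fails for a reason unrelated to the property being protected. Asserting directly that nothing under `@plugin[:ec2]` contains the `SSSSSSSS` or `12345678` fixture values would test the leak itself and survive that refactor. The with-hint context stubs the hint file's content as `''`; I cannot see from this page how `hint?` treats an empty file, so that assumption is worth confirming against the mixin.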
@@ -201,10 +250,13 @@ describe Ohai::System, "plugin ec2" do
 it_should_behave_like "ec2"
 before(:each) do
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2.json').and_return(true)
- File.stub(:read).with('/etc/chef/ohai/hints/ec2.json').and_return('')
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2.json').and_return(true)
- File.stub(:read).with('C:\chef\ohai\hints/ec2.json').and_return('')
+ if windows?
+ File.should_receive(:exist?).with('C:\chef\ohai\hints/ec2.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/ec2.json').and_return('')
+ else
+ File.should_receive(:exist?).with('/etc/chef/ohai/hints/ec2.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/ec2.json').and_return('')
+ end
 end
 end