authorSerdar Sutay <serdar@opscode.com>2014-07-02 14:44:20 -0700
committerSerdar Sutay <serdar@opscode.com>2014-07-02 14:44:20 -0700
commitfd7b5a1f8b653af938642f354216523bd3e3e3b9 (patch)
treed0ac290a9f6c4cb2020eda73d034a180e91f761f
parent2e3f98d70fb678cbf1226f8bde63df0d7f015375 (diff)
parent048f7e4df2be1ecb05323e68c7f26ce61409957a (diff)
downloadohai-fd7b5a1f8b653af938642f354216523bd3e3e3b9.tar.gz
Merge pull request #350 from opscode/mcquin/chef-1558
Save IAM security credentials only if hint is present
-rw-r--r--lib/ohai/mixin/ec2_metadata.rb1
-rw-r--r--lib/ohai/plugins/ec2.rb11
-rw-r--r--lib/ohai/plugins/eucalyptus.rb14
-rw-r--r--spec/unit/plugins/ec2_spec.rb100
4 files changed, 98 insertions, 28 deletions
diff --git a/lib/ohai/mixin/ec2_metadata.rb b/lib/ohai/mixin/ec2_metadata.rb
index 2672c199..d01d5cc1 100644
--- a/lib/ohai/mixin/ec2_metadata.rb
+++ b/lib/ohai/mixin/ec2_metadata.rb
@@ -122,6 +122,7 @@ module Ohai
def fetch_metadata(id='', api_version=nil)
api_version ||= best_api_version
return Hash.new if api_version.nil?
+
metadata = Hash.new
retrieved_metadata = metadata_get(id, api_version)
if retrieved_metadata
diff --git a/lib/ohai/plugins/ec2.rb b/lib/ohai/plugins/ec2.rb
index e7ab945d..af51819c 100644
--- a/lib/ohai/plugins/ec2.rb
+++ b/lib/ohai/plugins/ec2.rb
@@ -40,7 +40,7 @@ Ohai.plugin(:EC2) do
end
def looks_like_ec2?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
# the Xen environment is *not* EC2
hint?('ec2') || has_ec2_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
end
@@ -49,7 +49,14 @@ Ohai.plugin(:EC2) do
if looks_like_ec2?
Ohai::Log.debug("looks_like_ec2? == true")
ec2 Mash.new
- fetch_metadata.each {|k, v| ec2[k] = v }
+ fetch_metadata.each do |k, v|
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ ec2[k] = v
+ end
ec2[:userdata] = self.fetch_userdata
else
Ohai::Log.debug("looks_like_ec2? == false")
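Review bot: The guard `next if k == 'iam' && !hint?('iam')` drops the whole `iam` subtree when no hint is present, not only the `security-credentials` branch the comment is concerned about, so any non-secret entries under `iam` go with it (the spec only exercises `security-credentials`, so whether the tree carries anything else cannot be confirmed from this page). If the rest should survive, a narrower form would be `ec2[k] = (k == 'iam' && !hint?('iam')) ? v.reject { |ik, _| ik == 'security-credentials' } : v`, assuming `v` is the nested hash the spec shows; note that this leaves an empty hash rather than `nil`, which the new spec assertion would need to follow. The same block is duplicated verbatim in the eucalyptus.rb hunk below; both plugins already obtain the data through `Ohai::Mixin::Ec2Metadata#fetch_metadata`, so the decision could live there once so the two copies cannot drift. The comment should also state the opt-in explicitly, e.g. `# Credentials are reported only when the operator supplies an 'iam' hint; absent that, they are fetched but never stored.` The enclosing method body starts and ends outside the hunk.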
diff --git a/lib/ohai/plugins/eucalyptus.rb b/lib/ohai/plugins/eucalyptus.rb
index c5fed2f0..8c7c918c 100644
--- a/lib/ohai/plugins/eucalyptus.rb
+++ b/lib/ohai/plugins/eucalyptus.rb
@@ -47,7 +47,7 @@ Ohai.plugin(:Eucalyptus) do
end
def looks_like_euca?
- # Try non-blocking connect so we don't "block" if
+ # Try non-blocking connect so we don't "block" if
# the Xen environment is *not* EC2
hint?('eucalyptus') || has_euca_mac? && can_metadata_connect?(Ohai::Mixin::Ec2Metadata::EC2_METADATA_ADDR,80)
end
@@ -56,7 +56,17 @@ Ohai.plugin(:Eucalyptus) do
if looks_like_euca?
Ohai::Log.debug("looks_like_euca? == true")
eucalyptus Mash.new
- self.fetch_metadata.each {|k, v| eucalyptus[k] = v }
+ self.fetch_metadata.each do |k, v|
+ # Eucalyptus 3.4+ supports IAM roles and Instance Profiles much like AWS
+ # https://www.eucalyptus.com/blog/2013/10/15/iam-roles-and-instance-profiles-eucalyptus-34
+ #
+ # fetch_metadata returns IAM security credentials, including the IAM user's
+ # secret access key. We'd rather not have ohai send this information
+ # to the server.
+ # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html#instancedata-data-categories
+ next if k == 'iam' && !hint?('iam')
+ eucalyptus[k] = v
+ end
eucalyptus[:userdata] = self.fetch_userdata
else
Ohai::Log.debug("looks_like_euca? == false")
diff --git a/spec/unit/plugins/ec2_spec.rb b/spec/unit/plugins/ec2_spec.rb
index 49a7c7d6..06fe1403 100644
--- a/spec/unit/plugins/ec2_spec.rb
+++ b/spec/unit/plugins/ec2_spec.rb
@@ -44,6 +44,7 @@ describe Ohai::System, "plugin ec2" do
@http_client.should_receive(:get).
with("/").twice.
and_return(double("Net::HTTP Response", :body => "2012-01-12", :code => "200"))
+ File.stub(:exist?).and_return(false)
end
it "should recursively fetch all the ec2 metadata" do
@@ -64,6 +65,7 @@ describe Ohai::System, "plugin ec2" do
and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
@plugin.run
+
@plugin[:ec2].should_not be_nil
@plugin[:ec2]['instance_type'].should == "c1.medium"
@plugin[:ec2]['ami_id'].should == "ami-5d2dc934"
@@ -92,33 +94,80 @@ describe Ohai::System, "plugin ec2" do
@http_client.should_receive(:get).
with("/2012-01-12/user-data/").
and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
@plugin.run
@plugin[:ec2].should_not be_nil
@plugin[:ec2]['network_interfaces_macs']['12:34:56:78:9a:bc']['public_hostname'].should eql('server17.opscode.com')
end
- it "should parse ec2 iam/ directory and its JSON files properly" do
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/").
- and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/").
- and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/").
- and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
- and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
- @http_client.should_receive(:get).
- with("/2012-01-12/user-data/").
- and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
- @plugin.run
+ context "with ec2_iam cloud file" do
+ before do
+ if windows?
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/iam.json').and_return('')
+ else
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/iam.json').and_return('')
+ end
+ end
- @plugin[:ec2].should_not be_nil
- @plugin[:ec2]['iam']['security-credentials']['MyRole']['Code'].should eql 'Success'
- @plugin[:ec2]['iam']['security-credentials']['MyRole']['Token'].should eql '12345678'
+ it "should parse ec2 iam/ directory and collect iam/security-credentials/" do
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/").
+ and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/").
+ and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/user-data/").
+ and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
+ @plugin.run
+
+ @plugin[:ec2].should_not be_nil
+ @plugin[:ec2]['iam']['security-credentials']['MyRole']['Code'].should eql 'Success'
+ @plugin[:ec2]['iam']['security-credentials']['MyRole']['Token'].should eql '12345678'
+ end
+ end
+
+ context "without ec2_iam cloud file" do
+ before do
+ if windows?
+ File.stub(:exist?).with('C:\chef\ohai\hints/iam.json').and_return(false)
+ else
+ File.stub(:exist?).with('/etc/chef/ohai/hints/iam.json').and_return(false)
+ end
+ end
+
+ it "should parse ec2 iam/ directory and NOT collect iam/security-credentials/" do
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/").
+ and_return(double("Net::HTTP Response", :body => "iam/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/").
+ and_return(double("Net::HTTP Response", :body => "security-credentials/", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/").
+ and_return(double("Net::HTTP Response", :body => "MyRole", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/meta-data/iam/security-credentials/MyRole").
+ and_return(double("Net::HTTP Response", :body => "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2012-08-22T07:47:22Z\",\n \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"AAAAAAAA\",\n \"SecretAccessKey\" : \"SSSSSSSS\",\n \"Token\" : \"12345678\",\n \"Expiration\" : \"2012-08-22T11:25:52Z\"\n}", :code => "200"))
+ @http_client.should_receive(:get).
+ with("/2012-01-12/user-data/").
+ and_return(double("Net::HTTP Response", :body => "By the pricking of my thumb...", :code => "200"))
+
+ @plugin.run
+
+ @plugin[:ec2].should_not be_nil
+ @plugin[:ec2]['iam'].should be_nil
+ end
end
it "should ignore \"./\" and \"../\" on ec2 metadata paths to avoid infinity loops" do
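Review bot: The negative case ends with `@plugin[:ec2]['iam'].should be_nil`, which only checks that the key is absent; it does not check that the secret values carried by the stubbed response (`SSSSSSSS`, `12345678`) are absent from the collected data, which is the property the commit exists to guarantee. Adding `@plugin[:ec2].to_s.should_not include('SSSSSSSS')` (and the same for the token) would catch a regression that surfaces the credentials under a different key. The context names ("with ec2_iam cloud file", "without ec2_iam cloud file") refer to an `ec2_iam` file while the stubs use `iam.json`; naming the contexts after the hint file actually stubbed would avoid confusion. The "with" context presumably relies on the outer `File.stub(:exist?).and_return(false)` added in the first spec hunk as the fallback for other hint paths; a one-line comment at that stub saying so would make the dependency visible.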
@@ -201,10 +250,13 @@ describe Ohai::System, "plugin ec2" do
it_should_behave_like "ec2"
before(:each) do
- File.stub(:exist?).with('/etc/chef/ohai/hints/ec2.json').and_return(true)
- File.stub(:read).with('/etc/chef/ohai/hints/ec2.json').and_return('')
- File.stub(:exist?).with('C:\chef\ohai\hints/ec2.json').and_return(true)
- File.stub(:read).with('C:\chef\ohai\hints/ec2.json').and_return('')
+ if windows?
+ File.should_receive(:exist?).with('C:\chef\ohai\hints/ec2.json').and_return(true)
+ File.stub(:read).with('C:\chef\ohai\hints/ec2.json').and_return('')
+ else
+ File.should_receive(:exist?).with('/etc/chef/ohai/hints/ec2.json').and_return(true)
+ File.stub(:read).with('/etc/chef/ohai/hints/ec2.json').and_return('')
+ end
end
end