Merge pull request #1518 from hashicorp/fix-bound-ami-id

Added bound_ami_id check in login procedure of aws-ec2
hashicorp · Jun 13, 2016 · 4f039d0 · 4f039d0
2 parents 117200c + e521894
commit 4f039d0
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/builtin/credential/aws-ec2/backend_test.go b/builtin/credential/aws-ec2/backend_test.go
@@ -1125,15 +1125,17 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
 	data := map[string]interface{}{
 		"policies":     "root",
 		"max_ttl":      "120s",
-		"bound_ami_id": amiID,
+		"bound_ami_id": "wrong_ami_id",
 	}
 
-	resp, err := b.HandleRequest(&logical.Request{
+	roleReq := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      "role/" + roleName,
 		Storage:   storage,
 		Data:      data,
-	})
+	}
+
+	resp, err := b.HandleRequest(roleReq)
 	if resp != nil && resp.IsError() {
 		t.Fatalf("failed to create role")
 	}
@@ -1146,14 +1148,28 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
 		"nonce": "vault-client-nonce",
 	}
 
-	// perform the login operation.
+	// Perform the login operation with a AMI ID that is not matching
+	// the bound on the role.
 	loginRequest := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      "login",
 		Storage:   storage,
 		Data:      loginInput,
 	}
 	resp, err = b.HandleRequest(loginRequest)
+	if err != nil || resp == nil || (resp != nil && !resp.IsError()) {
+		t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
+	}
+
+	// Place the correct AMI ID on the role
+	data["bound_ami_id"] = amiID
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
+	}
+
+	// Try to login after the role has a matching AMI ID
+	resp, err = b.HandleRequest(loginRequest)
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
@@ -244,6 +244,13 @@ func (b *backend) pathLoginUpdate(
 		return logical.ErrorResponse("role entry not found"), nil
 	}
 
+	// Only 'bound_ami_id' constraint is supported on the role currently.
+	// Check if the AMI ID of the instance trying to login matches the
+	// AMI ID specified as a constraint on the role.
+	if identityDoc.AmiID != roleEntry.BoundAmiID {
+		return logical.ErrorResponse(fmt.Sprintf("AMI ID %s does not belong to role %s", identityDoc.AmiID, roleName)), nil
+	}
+
 	// Get the entry from the identity whitelist, if there is one.
 	storedIdentity, err := whitelistIdentityEntry(req.Storage, identityDoc.InstanceID)
 	if err != nil {