Added bound_ami_id check in login procedure of aws-ec2 #1518

merged 1 commit into from Jun 13, 2016
24 changes: 20 additions & 4 deletions builtin/credential/aws-ec2/backend_test.go
Expand Up @@ -1125,15 +1125,17 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
data := map[string]interface{}{
"policies": "root",
"max_ttl": "120s",
"bound_ami_id": amiID,
"bound_ami_id": "wrong_ami_id",
}

resp, err := b.HandleRequest(&logical.Request{
roleReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "role/" + roleName,
Storage: storage,
Data: data,
})
}

resp, err := b.HandleRequest(roleReq)
if resp != nil && resp.IsError() {
t.Fatalf("failed to create role")
}
Expand All @@ -1146,14 +1148,28 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
"nonce": "vault-client-nonce",
}

// perform the login operation.
// Perform the login operation with a AMI ID that is not matching
// the bound on the role.
loginRequest := &logical.Request{
Operation: logical.UpdateOperation,
Path: "login",
Storage: storage,
Data: loginInput,
}
resp, err = b.HandleRequest(loginRequest)
if err != nil || resp == nil || (resp != nil && !resp.IsError()) {
t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
}

// Place the correct AMI ID on the role
data["bound_ami_id"] = amiID
resp, err = b.HandleRequest(roleReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
}

// Try to login after the role has a matching AMI ID
resp, err = b.HandleRequest(loginRequest)
if err != nil {
t.Fatal(err)
}
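Review bot: The negative login case (the `resp, err = b.HandleRequest(loginRequest)` after "wrong_ami_id") accepts any error response, so it would still pass if login were rejected for an unrelated reason (whitelist state, identity-document handling) rather than by the new AMI bound; the assertion should pin the reason, e.g. `if err != nil || resp == nil || !resp.IsError() || !strings.Contains(resp.Error().Error(), "does not belong to role")` — the exact accessor for the error text depends on `logical.Response`, which is outside this hunk, so adjust to whatever the package exposes. The `(resp != nil && !resp.IsError())` clause is redundant after `resp == nil ||` short-circuits and reads cleaner as plain `!resp.IsError()`. Since the role is updated in place by mutating `data` after `roleReq` was built, a one-line comment such as `// roleReq holds a reference to data, so this update is picked up on the next HandleRequest` would save the next reader a double-take. TestBackendAcc_LoginAndWhitelistIdentity starts and ends outside this hunk.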
7 changes: 7 additions & 0 deletions builtin/credential/aws-ec2/path_login.go
Expand Up @@ -244,6 +244,13 @@ func (b *backend) pathLoginUpdate(
return logical.ErrorResponse("role entry not found"), nil
}

// Only 'bound_ami_id' constraint is supported on the role currently.
// Check if the AMI ID of the instance trying to login matches the
// AMI ID specified as a constraint on the role.
if identityDoc.AmiID != roleEntry.BoundAmiID {
return logical.ErrorResponse(fmt.Sprintf("AMI ID %s does not belong to role %s", identityDoc.AmiID, roleName)), nil
}

// Get the entry from the identity whitelist, if there is one.
storedIdentity, err := whitelistIdentityEntry(req.Storage, identityDoc.InstanceID)
if err != nil {
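Review bot: The new comparison `identityDoc.AmiID != roleEntry.BoundAmiID` silently depends on `BoundAmiID` never being empty; if role creation (outside this hunk) permits an empty bound, every login against such a role fails with a misleading "AMI ID ... does not belong to role" message rather than an explicit configuration error, and if a later change ever let `AmiID` be empty the two would compare equal. An explicit guard before the comparison makes the fail-closed intent visible: `if roleEntry.BoundAmiID == "" { return logical.ErrorResponse("role has no bound_ami_id constraint"), nil }`. The check is correctly placed before any whitelist state is read, but it is only as strong as the identity document it reads from, so the comment should record the precondition, e.g. `// identityDoc must already have passed PKCS#7 signature verification; an unverified AmiID here would make the bound meaningless` — presumably that verification happens earlier in pathLoginUpdate, which begins outside this hunk, so confirm. Consider `%q` instead of `%s` in the error so an empty or odd AMI ID is visible in the message.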