Example #1
0
class EC2InstanceAdmin(AbstractBaseInstanceAdmin):

    def __init__(self, region = None):
        self.__cfg = ConfigMgr()
        self.__conn = boto.ec2.connect_to_region(region)

    def create_secure_instance(self, image_id, instance_type, instance_name):
        script_path = self.__cfg.get_parameter("Instances", "CloudInitScriptPath")
        production_security_group_id = self.__cfg.get_parameter("Instances", "RemediationSecurityGroupId")
        production_subnet_id = self.__cfg.get_parameter("Instances", "ProductionSubnetId")
        key_name = self.__cfg.get_parameter("Instances", "EC2KeyName")
        with open(script_path, "r") as script_file:
            cloud_init_script = script_file.read()
            iam_role = IAMAdmin()
            instance_profile = iam_role.create_dynamic_role()
            new_reservation = self.__try_create_instance(image_id, key_name, instance_profile, instance_type,
                                                         production_subnet_id, production_security_group_id,
                                                         cloud_init_script)
            instance = new_reservation.instances[0]
            self.__conn.create_tags([instance.id], {"Name": instance_name})
            message = "An instance created with id {}".format(instance.id)
            Logger.log("info", message)
            return message

    def get_all_running_instance_names(self):
        instances_list = []
        instances = self.__conn.get_all_instances()
        for instance in instances:
            if instance.instances[0].state == "running":
                instance_hostname =  instance.instances[0].private_dns_name.split('.')[0]
                instances_list.append(instance_hostname)
        return instances_list

    def __try_create_instance(self, ami_id, key_name, profile_name, instance_type, subnet_id,
                              security_group_id, user_data):
        try:
            new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
                                                        instance_profile_name=profile_name, instance_type=instance_type,
                                                        subnet_id=subnet_id, security_group_ids=[security_group_id],
                                                        user_data=user_data)
            return new_reservation
        except:
            Logger.log("warning", "Could not create instance first time. Waiting another few seconds before retrying")
            time.sleep(30)
            Logger.log("warning", "Retrying to create instance")
            try:
                new_reservation = self.__conn.run_instances(ami_id, key_name=key_name,
                                                            instance_profile_name=profile_name,
                                                            instance_type=instance_type,
                                                            subnet_id=subnet_id, security_group_ids=[security_group_id],
                                                            user_data=user_data)
                return new_reservation
            except Exception as ex:
                message = "Cannot create new instance: {}".format(ex.message)
                raise GenericException(message)
class IAM(AbstractBaseIDM):
    def __init__(self):
        self.__cfg = ConfigMgr()
        self.__iam_strict_policy_path = self.__cfg.get_parameter("Instances", "IAMStrictPolicyPath")
        self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
        credentials = EnvironmentVariables.get_instance_credentials().split(" ")
        self.__conn = IAMConnection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
        self.__iam_policy_name = "cloud-sec-policy"

    def strict_dynamic_role(self, iam_role_name):
        with open(self.__iam_strict_policy_path, "r") as policy_file:
            bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__prefix_name)
            iam_policy_document = policy_file.read().replace("BUCKETNAME", bucket_unique_id)
            self.__conn.put_role_policy(iam_role_name, self.__iam_policy_name, iam_policy_document)
Example #3
0
class S3Storage(AbstractBaseStorage):

    def __init__(self):
        self.__cfg = ConfigMgr()
        self.__bucket_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
        self.__bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
        self.__bucket_policy_path = self.__cfg.get_parameter("Instances", "BucketPolicyPath")
        self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
        credentials = EnvironmentVariables.get_instance_credentials().split(" ")
        self.__s3 = S3Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])

    def generate_and_store_encryption_key(self):
        bucket = self.__s3.create_bucket(self.__bucket_unique_id)
        bucket.set_policy(self.__get_bucket_policy)
        from boto.s3.key import Key
        key_object = Key(bucket)
        key_object.key = "key"
        encryption_key = self.__generate_encryption_key()
        key_object.set_contents_from_string(encryption_key, {"Referer": self.__get_referer_unique_id()}, True)
        expires_in_seconds = 1800
        key_object.generate_url(expires_in_seconds)
        Logger.log("info", "Encryption key uploaded to S3 bucket named {}".format(self.__bucket_unique_id))

    def get_encryption_key(self):
        bucket = self.__s3.get_bucket(self.__bucket_unique_id)
        key = bucket.get_key("key", {"Referer": self.__get_referer_unique_id()})
        response = key.get_contents_as_string({"Referer": self.__get_referer_unique_id()})
        Logger.log("info", "Encryption key downloaded")
        return response

    def __get_referer_unique_id(self):
        unique_string = "{}{}".format(EnvironmentVariables.get_current_instance_mac(), self.__current_instance_name)
        uppercase_result = hashlib.sha512(unique_string).hexdigest()
        return uppercase_result.lower()

    def __generate_encryption_key(self):
        from strgen import StringGenerator as SG
        return SG("[\l\d]{100}&[\p]").render()

    @property
    def __get_bucket_policy(self):
        referer_name = self.__get_referer_unique_id()
        bucket_name = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
        canonical_user = self.__cfg.get_parameter("Instances", "CanonicalUserId")
        with open(self.__bucket_policy_path, "r") as policy_file:
            bucket_policy = policy_file.read().replace('\n', '').replace('\t', '').replace('BUCKETNAME',
                bucket_name).replace('REFERERNAME', referer_name).replace("CANONICALUSER",canonical_user)
            return bucket_policy
 def __init__(self):
     self.__cfg = ConfigMgr()
     self.__iam_strict_policy_path = self.__cfg.get_parameter("Instances", "IAMStrictPolicyPath")
     self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
     credentials = EnvironmentVariables.get_instance_credentials().split(" ")
     self.__conn = IAMConnection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
     self.__iam_policy_name = "cloud-sec-policy"
Example #5
0
 def __init__(self):
     self.__cfg = ConfigMgr()
     self.__bucket_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
     self.__bucket_unique_id = EnvironmentVariables.get_storage_unique_id(self.__bucket_name)
     self.__bucket_policy_path = self.__cfg.get_parameter("Instances", "BucketPolicyPath")
     self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
     credentials = EnvironmentVariables.get_instance_credentials().split(" ")
     self.__s3 = S3Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
class IAMAdmin(AbstractBaseIDMAdmin):
    def __init__(self):
        self.__cfg = ConfigMgr()
        self.__iam_basic_policy_path = self.__cfg.get_parameter("Instances", "IAMBasicPolicyPath")
        self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
        self.__iam_policy_name = "cloud-sec-policy"
        self.__conn = boto.connect_iam()

    def create_dynamic_role(self):
        random_id = uuid.uuid4().get_hex()
        with open(self.__iam_basic_policy_path, "r") as policy_file:
            iam_role_name = "{}-{}".format(self.__prefix_name, random_id)
            iam_policy_document = policy_file.read().replace("BUCKETNAME", "{}*".format(self.__prefix_name))
            self.__conn.create_role(iam_role_name)
            self.__conn.create_instance_profile(iam_role_name)
            self.__conn.add_role_to_instance_profile(iam_role_name, iam_role_name)
            self.__conn.put_role_policy(iam_role_name, self.__iam_policy_name, iam_policy_document)
            Logger.log("info", "Created a dynamic role named {}".format(iam_role_name))
            return iam_role_name
Example #7
0
class EC2Instance(AbstractBaseInstance):

    def __init__(self):
        self.__cfg = ConfigMgr()
        credentials = EnvironmentVariables.get_instance_credentials().split(" ")
        self.__conn = boto.ec2.EC2Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
        self.__conn.region = EnvironmentVariables.get_current_instance_region()
        self.__current_instance_name = EnvironmentVariables.get_current_instance_name()

    def attach_new_storage_to_current_instance(self):
        inst = self.get_instance_object_by_instance_id(self.__current_instance_name)
        vol = self.__conn.create_volume(1,self.__conn.region)
        time.sleep(30)
        curr_vol = self.__conn.get_all_volumes([vol.id])[0]
        while curr_vol.status != 'available':
            time.sleep(10)
            Logger.logger("info", "pending to make volume available")
        self.__conn.attach_volume (vol.id, inst.id, "/dev/sdf")
        Logger.log("info", "The volume {} attached to this instance".format(vol.id))

    def move_current_instance_to_production_group(self):
        production_group_id = self.__cfg.get_parameter("Instances", "ProductionSecurityGroupId")
        instance = self.get_instance_object_by_instance_id(self.__current_instance_name)
        self.__conn.modify_instance_attribute(self.__current_instance_name,
                                              "groupSet", [production_group_id])
        Logger.log("info", "This instance moved to the production subnet {}".format(production_group_id))

    def strict_current_instance_role_permissions(self):
        iam = IAM()
        current_role_name = EnvironmentVariables.get_current_instance_profile()
        iam.strict_dynamic_role(current_role_name)
        Logger.log("info", "Changed the IAM role to be more strict")

    def get_instance_object_by_instance_id(self, instance_id):
        reservations = self.__conn.get_all_instances(instance_ids=[instance_id])
        for instance in reservations[0].instances:
            if instance.id == self.__current_instance_name:
                return instance
        return None
 def __init__(self):
     self.__cfg = ConfigMgr()
     self.__iam_basic_policy_path = self.__cfg.get_parameter("Instances", "IAMBasicPolicyPath")
     self.__prefix_name = self.__cfg.get_parameter("Instances", "NamingPrefix")
     self.__iam_policy_name = "cloud-sec-policy"
     self.__conn = boto.connect_iam()
 def __init__(self):
     cfg = ConfigMgr()
     url = cfg.get_parameter("Chef","ServerURL")
     key_path = cfg.get_parameter("Chef","KeyFilePath")
     client_name = cfg.get_parameter("Chef","ValidationClientName")
     self.__chef_client = ChefAPI(url,key_path,client_name)
Example #10
0
 def __init__(self):
     self.__cfg = ConfigMgr()
     credentials = EnvironmentVariables.get_instance_credentials().split(" ")
     self.__conn = boto.ec2.EC2Connection(aws_access_key_id=credentials[0], aws_secret_access_key=credentials[1], security_token=credentials[2])
     self.__conn.region = EnvironmentVariables.get_current_instance_region()
     self.__current_instance_name = EnvironmentVariables.get_current_instance_name()
Example #11
0
 def __init__(self, region = None):
     self.__cfg = ConfigMgr()
     self.__conn = boto.ec2.connect_to_region(region)