2014-12-30 17:25:09 -05:00
|
|
|
module Fog
|
|
|
|
|
module AWS
|
|
|
|
|
class IAM < Fog::Service
|
|
|
|
|
extend Fog::AWS::CredentialFetcher::ServiceMethods
|
|
|
|
|
|
|
|
|
|
class EntityAlreadyExists < Fog::AWS::IAM::Error; end
|
|
|
|
|
class KeyPairMismatch < Fog::AWS::IAM::Error; end
|
|
|
|
|
class LimitExceeded < Fog::AWS::IAM::Error; end
|
|
|
|
|
class MalformedCertificate < Fog::AWS::IAM::Error; end
|
|
|
|
|
class ValidationError < Fog::AWS::IAM::Error; end
|
|
|
|
|
|
|
|
|
|
requires :aws_access_key_id, :aws_secret_access_key
|
2015-05-01 13:36:48 -04:00
|
|
|
recognizes :host, :path, :port, :scheme, :persistent, :instrumentor, :instrumentor_name, :aws_session_token, :use_iam_profile, :aws_credentials_expire_at, :region
|
2014-12-30 17:25:09 -05:00
|
|
|
|
|
|
|
|
request_path 'fog/aws/requests/iam'
|
|
|
|
|
request :add_user_to_group
|
|
|
|
|
request :add_role_to_instance_profile
|
2015-02-20 07:01:26 -05:00
|
|
|
request :attach_group_policy
|
|
|
|
|
request :attach_role_policy
|
|
|
|
|
request :attach_user_policy
|
2014-12-30 17:25:09 -05:00
|
|
|
request :create_access_key
|
|
|
|
|
request :create_account_alias
|
|
|
|
|
request :create_group
|
|
|
|
|
request :create_instance_profile
|
|
|
|
|
request :create_login_profile
|
2015-02-20 07:01:26 -05:00
|
|
|
request :create_policy
|
2014-12-30 17:25:09 -05:00
|
|
|
request :create_role
|
|
|
|
|
request :create_user
|
|
|
|
|
request :delete_access_key
|
2015-01-20 09:42:23 -05:00
|
|
|
request :delete_account_password_policy
|
2014-12-30 17:25:09 -05:00
|
|
|
request :delete_account_alias
|
|
|
|
|
request :delete_group
|
|
|
|
|
request :delete_group_policy
|
|
|
|
|
request :delete_instance_profile
|
|
|
|
|
request :delete_login_profile
|
2015-02-20 07:01:26 -05:00
|
|
|
request :delete_policy
|
2014-12-30 17:25:09 -05:00
|
|
|
request :delete_role
|
|
|
|
|
request :delete_role_policy
|
|
|
|
|
request :delete_server_certificate
|
|
|
|
|
request :delete_signing_certificate
|
|
|
|
|
request :delete_user
|
|
|
|
|
request :delete_user_policy
|
2015-02-20 07:01:26 -05:00
|
|
|
request :detach_group_policy
|
|
|
|
|
request :detach_role_policy
|
|
|
|
|
request :detach_user_policy
|
2014-12-30 17:25:09 -05:00
|
|
|
request :get_account_summary
|
|
|
|
|
request :get_account_password_policy
|
|
|
|
|
request :get_group
|
|
|
|
|
request :get_group_policy
|
|
|
|
|
request :get_instance_profile
|
|
|
|
|
request :get_role_policy
|
|
|
|
|
request :get_login_profile
|
|
|
|
|
request :get_server_certificate
|
|
|
|
|
request :get_role
|
|
|
|
|
request :get_user
|
|
|
|
|
request :get_user_policy
|
|
|
|
|
request :list_access_keys
|
|
|
|
|
request :list_account_aliases
|
|
|
|
|
request :list_group_policies
|
|
|
|
|
request :list_groups
|
|
|
|
|
request :list_groups_for_user
|
|
|
|
|
request :list_instance_profiles
|
|
|
|
|
request :list_instance_profiles_for_role
|
|
|
|
|
request :list_mfa_devices
|
2015-02-20 07:01:26 -05:00
|
|
|
request :list_policies
|
2014-12-30 17:25:09 -05:00
|
|
|
request :list_roles
|
|
|
|
|
request :list_role_policies
|
|
|
|
|
request :list_server_certificates
|
|
|
|
|
request :list_signing_certificates
|
|
|
|
|
request :list_user_policies
|
|
|
|
|
request :list_users
|
|
|
|
|
request :put_group_policy
|
|
|
|
|
request :put_role_policy
|
|
|
|
|
request :put_user_policy
|
|
|
|
|
request :remove_role_from_instance_profile
|
|
|
|
|
request :remove_user_from_group
|
|
|
|
|
request :update_access_key
|
|
|
|
|
request :update_group
|
|
|
|
|
request :update_login_profile
|
|
|
|
|
request :update_account_password_policy
|
|
|
|
|
request :update_server_certificate
|
|
|
|
|
request :update_signing_certificate
|
|
|
|
|
request :update_user
|
|
|
|
|
request :upload_server_certificate
|
|
|
|
|
request :upload_signing_certificate
|
|
|
|
|
|
|
|
|
|
model_path 'fog/aws/models/iam'
|
|
|
|
|
model :access_key
|
|
|
|
|
collection :access_keys
|
2015-05-21 12:30:27 -04:00
|
|
|
model :group
|
|
|
|
|
collection :groups
|
|
|
|
|
model :policy
|
|
|
|
|
collection :policies
|
2014-12-30 17:25:09 -05:00
|
|
|
model :role
|
|
|
|
|
collection :roles
|
2015-05-21 12:30:27 -04:00
|
|
|
model :user
|
|
|
|
|
collection :users
|
2014-12-30 17:25:09 -05:00
|
|
|
|
|
|
|
|
class Mock
|
|
|
|
|
def self.data
|
|
|
|
|
@data ||= Hash.new do |hash, key|
|
|
|
|
|
hash[key] = {
|
|
|
|
|
:owner_id => Fog::AWS::Mock.owner_id,
|
|
|
|
|
:server_certificates => {},
|
|
|
|
|
:access_keys => [{
|
|
|
|
|
"Status" => "Active",
|
|
|
|
|
"AccessKeyId" => key
|
|
|
|
|
}],
|
|
|
|
|
:devices => [{
|
|
|
|
|
:enable_date => Time.now,
|
|
|
|
|
:serial_number => 'R1234',
|
|
|
|
|
:user_name => 'Bob'
|
|
|
|
|
}],
|
|
|
|
|
:users => Hash.new do |uhash, ukey|
|
|
|
|
|
uhash[ukey] = {
|
|
|
|
|
:user_id => Fog::AWS::Mock.key_id,
|
|
|
|
|
:path => '/',
|
|
|
|
|
:arn => "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:user/#{ukey}",
|
|
|
|
|
:access_keys => [],
|
|
|
|
|
:created_at => Time.now,
|
|
|
|
|
:policies => {}
|
|
|
|
|
}
|
|
|
|
|
end,
|
|
|
|
|
:groups => Hash.new do |ghash, gkey|
|
|
|
|
|
ghash[gkey] = {
|
|
|
|
|
:group_id => Fog::AWS::Mock.key_id,
|
|
|
|
|
:arn => "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:group/#{gkey}",
|
|
|
|
|
:members => [],
|
|
|
|
|
:created_at => Time.now,
|
|
|
|
|
:policies => {}
|
|
|
|
|
}
|
2015-01-20 09:42:23 -05:00
|
|
|
end,
|
|
|
|
|
:roles => Hash.new do |rhash, rkey|
|
|
|
|
|
rhash[rkey] = {
|
|
|
|
|
:role_id => Fog::AWS::Mock.key_id,
|
|
|
|
|
:arn => "arn:aws:iam:#{Fog::AWS::Mock.owner_id}:role/#{rkey}",
|
|
|
|
|
:create_date => Time.now,
|
|
|
|
|
:assume_role_policy_document => {
|
|
|
|
|
"Version" => "2012-10-17",
|
|
|
|
|
"Statement" => [
|
|
|
|
|
{
|
|
|
|
|
"Effect" => "Allow",
|
|
|
|
|
"Principal" => {
|
|
|
|
|
"Service" => [
|
|
|
|
|
"ec2.amazonaws.com"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"Action" => ["sts:AssumeRole"]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
}
|
2014-12-30 17:25:09 -05:00
|
|
|
end
|
|
|
|
|
}
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def self.reset
|
|
|
|
|
@data = nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def self.server_certificate_id
|
|
|
|
|
Fog::Mock.random_hex(16)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def initialize(options={})
|
2015-05-18 18:04:05 -04:00
|
|
|
@use_iam_profile = options[:use_iam_profile]
|
2014-12-30 17:25:09 -05:00
|
|
|
@aws_credentials_expire_at = Time::now + 20
|
2015-05-18 18:04:05 -04:00
|
|
|
|
2014-12-30 17:25:09 -05:00
|
|
|
setup_credentials(options)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def data
|
|
|
|
|
self.class.data[@aws_access_key_id]
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def reset_data
|
|
|
|
|
self.class.data.delete(@aws_access_key_id)
|
2015-05-18 18:04:05 -04:00
|
|
|
current_user
|
2014-12-30 17:25:09 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def setup_credentials(options)
|
|
|
|
|
@aws_access_key_id = options[:aws_access_key_id]
|
|
|
|
|
end
|
2015-05-18 18:04:05 -04:00
|
|
|
|
|
|
|
|
def current_user
|
2015-05-20 18:55:28 -04:00
|
|
|
unless self.data[:users].key?("root")
|
|
|
|
|
root = self.data[:users]["root"] # sets the hash
|
|
|
|
|
root[:arn].gsub!("user/", "") # root user doesn't have "user/" key prefix
|
|
|
|
|
end
|
|
|
|
|
|
2015-05-19 16:08:59 -04:00
|
|
|
self.data[:users]["root"]
|
2015-05-18 18:04:05 -04:00
|
|
|
end
|
2014-12-30 17:25:09 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
class Real
|
|
|
|
|
include Fog::AWS::CredentialFetcher::ConnectionMethods
|
|
|
|
|
|
|
|
|
|
# Initialize connection to IAM
|
|
|
|
|
#
|
|
|
|
|
# ==== Notes
|
|
|
|
|
# options parameter must include values for :aws_access_key_id and
|
|
|
|
|
# :aws_secret_access_key in order to create a connection
|
|
|
|
|
#
|
|
|
|
|
# ==== Examples
|
|
|
|
|
# iam = IAM.new(
|
|
|
|
|
# :aws_access_key_id => your_aws_access_key_id,
|
|
|
|
|
# :aws_secret_access_key => your_aws_secret_access_key
|
|
|
|
|
# )
|
|
|
|
|
#
|
|
|
|
|
# ==== Parameters
|
|
|
|
|
# * options<~Hash> - config arguments for connection. Defaults to {}.
|
|
|
|
|
#
|
|
|
|
|
# ==== Returns
|
2015-01-02 12:34:40 -05:00
|
|
|
# * IAM object with connection to AWS.
|
2014-12-30 17:25:09 -05:00
|
|
|
def initialize(options={})
|
2015-05-18 18:04:05 -04:00
|
|
|
@use_iam_profile = options[:use_iam_profile]
|
|
|
|
|
@connection_options = options[:connection_options] || {}
|
|
|
|
|
@instrumentor = options[:instrumentor]
|
|
|
|
|
@instrumentor_name = options[:instrumentor_name] || 'fog.aws.iam'
|
2014-12-30 17:25:09 -05:00
|
|
|
|
|
|
|
|
@host = options[:host] || 'iam.amazonaws.com'
|
|
|
|
|
@path = options[:path] || '/'
|
|
|
|
|
@persistent = options[:persistent] || false
|
|
|
|
|
@port = options[:port] || 443
|
|
|
|
|
@scheme = options[:scheme] || 'https'
|
2015-05-01 13:36:48 -04:00
|
|
|
@region = options[:region] || "us-east-1"
|
2014-12-30 17:25:09 -05:00
|
|
|
@connection = Fog::XML::Connection.new("#{@scheme}://#{@host}:#{@port}#{@path}", @persistent, @connection_options)
|
|
|
|
|
|
|
|
|
|
setup_credentials(options)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def reload
|
|
|
|
|
@connection.reset
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def setup_credentials(options)
|
2015-05-18 18:04:05 -04:00
|
|
|
@aws_access_key_id = options[:aws_access_key_id]
|
|
|
|
|
@aws_secret_access_key = options[:aws_secret_access_key]
|
|
|
|
|
@aws_session_token = options[:aws_session_token]
|
2014-12-30 17:25:09 -05:00
|
|
|
@aws_credentials_expire_at = options[:aws_credentials_expire_at]
|
|
|
|
|
|
|
|
|
|
#global services that have no region are signed with the us-east-1 region
|
2015-05-01 13:37:54 -04:00
|
|
|
#the only exception is GovCloud, which requires the region to be explicitly specified as us-gov-west-1
|
2015-05-18 18:04:05 -04:00
|
|
|
@signer = Fog::AWS::SignatureV4.new(@aws_access_key_id, @aws_secret_access_key, @region, 'iam')
|
2014-12-30 17:25:09 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def request(params)
|
|
|
|
|
refresh_credentials_if_expired
|
|
|
|
|
idempotent = params.delete(:idempotent)
|
|
|
|
|
parser = params.delete(:parser)
|
|
|
|
|
|
|
|
|
|
body, headers = Fog::AWS.signed_params_v4(
|
|
|
|
|
params,
|
|
|
|
|
{ 'Content-Type' => 'application/x-www-form-urlencoded' },
|
|
|
|
|
{
|
|
|
|
|
:signer => @signer,
|
|
|
|
|
:aws_session_token => @aws_session_token,
|
|
|
|
|
:host => @host,
|
|
|
|
|
:path => @path,
|
|
|
|
|
:port => @port,
|
|
|
|
|
:version => '2010-05-08',
|
|
|
|
|
:method => 'POST'
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if @instrumentor
|
|
|
|
|
@instrumentor.instrument("#{@instrumentor_name}.request", params) do
|
|
|
|
|
_request(body, headers, idempotent, parser)
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
_request(body, headers, idempotent, parser)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def _request(body, headers, idempotent, parser)
|
|
|
|
|
@connection.request({
|
|
|
|
|
:body => body,
|
|
|
|
|
:expects => 200,
|
|
|
|
|
:idempotent => idempotent,
|
|
|
|
|
:headers => headers,
|
|
|
|
|
:method => 'POST',
|
|
|
|
|
:parser => parser
|
|
|
|
|
})
|
|
|
|
|
rescue Excon::Errors::HTTPStatusError => error
|
|
|
|
|
match = Fog::AWS::Errors.match_error(error)
|
|
|
|
|
raise if match.empty?
|
|
|
|
|
raise case match[:code]
|
|
|
|
|
when 'CertificateNotFound', 'NoSuchEntity'
|
|
|
|
|
Fog::AWS::IAM::NotFound.slurp(error, match[:message])
|
|
|
|
|
when 'EntityAlreadyExists', 'KeyPairMismatch', 'LimitExceeded', 'MalformedCertificate', 'ValidationError'
|
|
|
|
|
Fog::AWS::IAM.const_get(match[:code]).slurp(error, match[:message])
|
|
|
|
|
else
|
|
|
|
|
Fog::AWS::IAM::Error.slurp(error, "#{match[:code]} => #{match[:message]}")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
