1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
|
module Fog
module AWS
class IAM < Fog::Service
extend Fog::AWS::CredentialFetcher::ServiceMethods
class EntityAlreadyExists < Fog::AWS::IAM::Error; end
class KeyPairMismatch < Fog::AWS::IAM::Error; end
class LimitExceeded < Fog::AWS::IAM::Error; end
class MalformedCertificate < Fog::AWS::IAM::Error; end
class ValidationError < Fog::AWS::IAM::Error; end
requires :aws_access_key_id, :aws_secret_access_key
recognizes :host, :path, :port, :scheme, :persistent, :instrumentor, :instrumentor_name, :aws_session_token, :use_iam_profile, :aws_credentials_expire_at, :region
request_path 'fog/aws/requests/iam'
request :add_user_to_group
request :add_role_to_instance_profile
request :attach_group_policy
request :attach_role_policy
request :attach_user_policy
request :create_access_key
request :create_account_alias
request :create_group
request :create_instance_profile
request :create_login_profile
request :create_policy
request :create_policy_version
request :create_role
request :create_user
request :delete_access_key
request :delete_account_password_policy
request :delete_account_alias
request :delete_group
request :delete_group_policy
request :delete_instance_profile
request :delete_login_profile
request :delete_policy
request :delete_policy_version
request :delete_role
request :delete_role_policy
request :delete_server_certificate
request :delete_signing_certificate
request :delete_user
request :delete_user_policy
request :detach_group_policy
request :detach_role_policy
request :detach_user_policy
request :get_account_password_policy
request :get_account_summary
request :get_group
request :get_group_policy
request :get_instance_profile
request :get_login_profile
request :get_policy
request :get_policy_version
request :get_role
request :get_role_policy
request :get_server_certificate
request :get_user
request :get_user_policy
request :list_access_keys
request :list_account_aliases
request :list_attached_group_policies
request :list_attached_role_policies
request :list_attached_user_policies
request :list_group_policies
request :list_groups
request :list_groups_for_user
request :list_instance_profiles
request :list_instance_profiles_for_role
request :list_mfa_devices
request :list_policies
request :list_policy_versions
request :list_role_policies
request :list_roles
request :list_server_certificates
request :list_signing_certificates
request :list_user_policies
request :list_users
request :put_group_policy
request :put_role_policy
request :put_user_policy
request :remove_role_from_instance_profile
request :remove_user_from_group
request :set_default_policy_version
request :update_access_key
request :update_group
request :update_login_profile
request :update_account_password_policy
request :update_assume_role_policy
request :update_server_certificate
request :update_signing_certificate
request :update_user
request :upload_server_certificate
request :upload_signing_certificate
model_path 'fog/aws/models/iam'
model :access_key
collection :access_keys
model :group
collection :groups
model :instance_profile
collection :instance_profiles
model :managed_policy
collection :managed_policies
model :policy
collection :policies
model :role
collection :roles
model :user
collection :users
require 'fog/aws/iam/default_policies'
class Mock
def self.data
@data ||= Hash.new do |hash, key|
owner_id = Fog::AWS::Mock.owner_id
hash[key] = {
:owner_id => owner_id,
:instance_profiles => {},
:server_certificates => {},
:access_keys => [{
"Status" => "Active",
"AccessKeyId" => key
}],
:devices => [{
:enable_date => Time.now,
:serial_number => 'R1234',
:user_name => 'Bob'
}],
:markers => Hash.new { |mhash, mkey| mhash[mkey] = [] },
:managed_policies => Fog::AWS::IAM::Mock.default_policies.inject({}) { |r,p|
r.merge(p['Arn'] => p)
},
:managed_policy_versions => Fog::AWS::IAM::Mock.default_policy_versions.inject({}) { |r,(arn,pv)|
r.merge(arn => {pv["VersionId"] => pv})
},
:users => Hash.new do |uhash, ukey|
uhash[ukey] = {
:access_keys => [],
:arn => "arn:aws:iam::#{owner_id}:user/#{ukey}",
:attached_policies => [],
:created_at => Time.now,
:path => '/',
:policies => {},
:user_id => Fog::AWS::Mock.key_id
}
end,
:groups => Hash.new do |ghash, gkey|
ghash[gkey] = {
:arn => "arn:aws:iam::#{owner_id}:group/#{gkey}",
:attached_policies => [],
:created_at => Time.now,
:group_id => Fog::AWS::Mock.key_id,
:members => [],
:policies => {}
}
end,
:roles => Hash.new do |rhash, rkey|
rhash[rkey] = {
:role_id => Fog::AWS::Mock.key_id,
:arn => "arn:aws:iam:#{owner_id}:role/#{rkey}",
:create_date => Time.now,
:assume_role_policy_document => {
"Version" => "2012-10-17",
"Statement" => [
{
"Effect" => "Allow",
"Principal" => {
"Service" => [
"ec2.amazonaws.com"
]
},
"Action" => ["sts:AssumeRole"]
}
]
},
}
end
}
end
end
def self.reset
@data = nil
end
def self.server_certificate_id
Fog::Mock.random_hex(16)
end
attr_reader :current_user_name
def initialize(options={})
@use_iam_profile = options[:use_iam_profile]
@aws_credentials_expire_at = Time::now + 20
setup_credentials(options)
end
def data
self.class.data[@root_access_key_id]
end
def account_id
self.data[:owner_id]
end
def reset_data
self.class.data.delete(@root_access_key_id)
current_user
end
def setup_credentials(options)
@aws_access_key_id = options[:aws_access_key_id]
existing_user = nil
@root_access_key_id, _ = self.class.data.find { |_, d|
d[:users].find { |_, user|
existing_user = user[:access_keys].find { |key|
key["AccessKeyId"] == @aws_access_key_id
}
}
}
@root_access_key_id ||= @aws_access_key_id
@current_user_name = existing_user ? existing_user["UserName"] : "root"
end
def current_user
unless self.data[:users].key?("root")
root = self.data[:users]["root"] # sets the hash
root[:arn].gsub!("user/", "") # root user doesn't have "user/" key prefix
end
self.data[:users][self.current_user_name]
end
end
class Real
include Fog::AWS::CredentialFetcher::ConnectionMethods
# Initialize connection to IAM
#
# ==== Notes
# options parameter must include values for :aws_access_key_id and
# :aws_secret_access_key in order to create a connection
#
# ==== Examples
# iam = IAM.new(
# :aws_access_key_id => your_aws_access_key_id,
# :aws_secret_access_key => your_aws_secret_access_key
# )
#
# ==== Parameters
# * options<~Hash> - config arguments for connection. Defaults to {}.
#
# ==== Returns
# * IAM object with connection to AWS.
def initialize(options={})
@use_iam_profile = options[:use_iam_profile]
@connection_options = options[:connection_options] || {}
@instrumentor = options[:instrumentor]
@instrumentor_name = options[:instrumentor_name] || 'fog.aws.iam'
@host = options[:host] || 'iam.amazonaws.com'
@path = options[:path] || '/'
@persistent = options[:persistent] || false
@port = options[:port] || 443
@scheme = options[:scheme] || 'https'
@region = options[:region] || "us-east-1"
@connection = Fog::XML::Connection.new("#{@scheme}://#{@host}:#{@port}#{@path}", @persistent, @connection_options)
setup_credentials(options)
end
def reload
@connection.reset
end
private
def setup_credentials(options)
@aws_access_key_id = options[:aws_access_key_id]
@aws_secret_access_key = options[:aws_secret_access_key]
@aws_session_token = options[:aws_session_token]
@aws_credentials_expire_at = options[:aws_credentials_expire_at]
#global services that have no region are signed with the us-east-1 region
#the only exception is GovCloud, which requires the region to be explicitly specified as us-gov-west-1
@signer = Fog::AWS::SignatureV4.new(@aws_access_key_id, @aws_secret_access_key, @region, 'iam')
end
def request(params)
refresh_credentials_if_expired
idempotent = params.delete(:idempotent)
parser = params.delete(:parser)
body, headers = Fog::AWS.signed_params_v4(
params,
{ 'Content-Type' => 'application/x-www-form-urlencoded' },
{
:signer => @signer,
:aws_session_token => @aws_session_token,
:host => @host,
:path => @path,
:port => @port,
:version => '2010-05-08',
:method => 'POST'
}
)
if @instrumentor
@instrumentor.instrument("#{@instrumentor_name}.request", params) do
_request(body, headers, idempotent, parser)
end
else
_request(body, headers, idempotent, parser)
end
end
def _request(body, headers, idempotent, parser)
@connection.request({
:body => body,
:expects => 200,
:idempotent => idempotent,
:headers => headers,
:method => 'POST',
:parser => parser
})
rescue Excon::Errors::HTTPStatusError => error
match = Fog::AWS::Errors.match_error(error)
raise if match.empty?
raise case match[:code]
when 'CertificateNotFound', 'NoSuchEntity'
Fog::AWS::IAM::NotFound.slurp(error, match[:message])
when 'EntityAlreadyExists', 'KeyPairMismatch', 'LimitExceeded', 'MalformedCertificate', 'ValidationError'
Fog::AWS::IAM.const_get(match[:code]).slurp(error, match[:message])
else
Fog::AWS::IAM::Error.slurp(error, "#{match[:code]} => #{match[:message]}")
end
end
end
end
end
end
|
