authorAndrew Jorgensen <ajorgens@amazon.com>2016-11-01 10:54:31 -0400
committerScott Moser <smoser@brickies.net>2017-01-20 13:48:08 -0500
commitb71592ce0e0a9f9f9f225315015ca57b312ad30d (patch)
tree785f47c903b57b5b32cc59f69a1eab4431da0d38
parent145410f81c144a46cf5ce0324ff4454fa9f54ad0 (diff)
EC2: Do not cache security credentials on disk
On EC2, instance metadata can include credentials that remain valid for as much as 6 hours. Reading these and allowing them to be pickled represents a potential vulnerability if a snapshot of the disk is taken and shared as part of an AMI. This skips security-credentials when walking the meta-data tree. LP: #1638312 Reviewed-by: Ian Weller <iweller@amazon.com> Reviewed-by: Ben Cressey <bcressey@amazon.com> Reported-by: Kyle Barnes <barnesky@amazon.com>
-rw-r--r--cloudinit/ec2_utils.py3
-rw-r--r--tests/unittests/test_ec2_util.py45
2 files changed, 48 insertions, 0 deletions
diff --git a/cloudinit/ec2_utils.py b/cloudinit/ec2_utils.py
index c656ef14..0c16ae47 100644
--- a/cloudinit/ec2_utils.py
+++ b/cloudinit/ec2_utils.py
@@ -82,6 +82,9 @@ class MetadataMaterializer(object):
field_name = get_name(field)
if not field or not field_name:
continue
+ # Don't materialize credentials
+ if field_name == 'security-credentials':
+ continue
if has_children(field):
if field_name not in children:
children.append(field_name)
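Review bot: The skip at the new `if field_name == 'security-credentials':` line is an exact, case-sensitive string match buried in the walk loop, with a comment that says what but not why; the next maintainer adding another sensitive node has nowhere obvious to put it. I would hoist it to a module-level `_SKIPPED_METADATA_NAMES = frozenset(['security-credentials'])` and test `if field_name in _SKIPPED_METADATA_NAMES: continue`, with the comment `# Never materialize credential nodes: the metadata dict is pickled to disk and would ship inside an AMI snapshot`. Note the skip only prevents new credentials from being materialized; a datasource cache written by an earlier cloud-init presumably still holds any credentials it already stored, which the commit does not address. The enclosing method of `MetadataMaterializer` starts before this hunk.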
diff --git a/tests/unittests/test_ec2_util.py b/tests/unittests/test_ec2_util.py
index 4a33d747..71c2009f 100644
--- a/tests/unittests/test_ec2_util.py
+++ b/tests/unittests/test_ec2_util.py
@@ -140,4 +140,49 @@ class TestEc2Util(helpers.HttprettyTestCase):
self.assertEqual(bdm['ami'], 'sdb')
self.assertEqual(bdm['ephemeral0'], 'sdc')
+ @hp.activate
+ def test_metadata_no_security_credentials(self):
+ base_url = 'http://169.254.169.254/%s/meta-data/' % (self.VERSION)
+ hp.register_uri(hp.GET, base_url, status=200,
+ body="\n".join(['instance-id',
+ 'iam/']))
+ hp.register_uri(hp.GET, uh.combine_url(base_url, 'instance-id'),
+ status=200, body='i-0123451689abcdef0')
+ hp.register_uri(hp.GET,
+ uh.combine_url(base_url, 'iam/'),
+ status=200,
+ body="\n".join(['info/', 'security-credentials/']))
+ hp.register_uri(hp.GET,
+ uh.combine_url(base_url, 'iam/info/'),
+ status=200,
+ body='LastUpdated')
+ hp.register_uri(hp.GET,
+ uh.combine_url(base_url, 'iam/info/LastUpdated'),
+ status=200, body='2016-10-27T17:29:39Z')
+ hp.register_uri(hp.GET,
+ uh.combine_url(base_url, 'iam/security-credentials/'),
+ status=200,
+ body='ReadOnly/')
+ hp.register_uri(hp.GET,
+ uh.combine_url(base_url,
+ 'iam/security-credentials/ReadOnly/'),
+ status=200,
+ body="\n".join(['LastUpdated', 'Expiration']))
+ hp.register_uri(hp.GET,
+ uh.combine_url(
+ base_url,
+ 'iam/security-credentials/ReadOnly/LastUpdated'),
+ status=200, body='2016-10-27T17:28:17Z')
+ hp.register_uri(hp.GET,
+ uh.combine_url(
+ base_url,
+ 'iam/security-credentials/ReadOnly/Expiration'),
+ status=200, body='2016-10-28T00:00:34Z')
+ md = eu.get_instance_metadata(self.VERSION, retries=0, timeout=0.1)
+ self.assertEqual(md['instance-id'], 'i-0123451689abcdef0')
+ iam = md['iam']
+ self.assertEqual(1, len(iam))
+ self.assertEqual(iam['info']['LastUpdated'], '2016-10-27T17:29:39Z')
+ self.assertNotIn('security-credentials', iam)
+
# vi: ts=4 expandtab
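Review bot: The new test only checks the result dict (`self.assertNotIn('security-credentials', iam)`), but the commit's stated goal is that the credentials are never read at all, and the skip in `ec2_utils.py` happens before any fetch of the subtree. A regression that fetches the credentials and then drops them from the dict would still pass this test, so I would also assert that no request hit the `iam/security-credentials/` URLs, e.g. `self.assertFalse(any('security-credentials' in r.path for r in hp.httpretty.latest_requests))` — confirm the exact httpretty request-log API available in the pinned version. With that assertion in place the registrations for the `ReadOnly/` leaves become a trap for the regression rather than dead fixtures, which is worth a one-line comment such as `# Registered only so that an accidental fetch would succeed and be visible in the request log`.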