This repository has been archived by the owner on Nov 12, 2019. It is now read-only.
claimCredentials receives an RSA2048 signature of the identity document and returns the credentials for the worker. The document is validated using the iid-verify [1] package. Information about the instance, like instance-id and region, is extracted from the identity document. The given instance must be in a running state, otherwise the endpoint will fail. As iid-verify requires node 10 or newer, we upgrade the required node version, as well as packages that fail to build with this node version. [1] https://www.npmjs.com/package/iid-verify
Wander Lairson Costa committed Aug 29, 2018
1 parent 5bcca65, commit 484b2ae
Showing 13 changed files with 811 additions and 91 deletions.
@@ -0,0 +1,38 @@ | ||
const assert = require('assert'); | ||
let verify = require('iid-verify'); | ||
|
||
const AWS_PUBLIC_CERTIFICATE = | ||
`-----BEGIN CERTIFICATE----- | ||
MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw | ||
FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD | ||
VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z | ||
ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u | ||
IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl | ||
cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e | ||
ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3 | ||
VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P | ||
hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j | ||
k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U | ||
hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF | ||
lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf | ||
MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW | ||
MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw | ||
vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw | ||
7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K | ||
-----END CERTIFICATE-----`; | ||
|
||
// Returns the Identity Document if the signature is valid, null otherwise. | ||
// | ||
// References: | ||
// - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html | ||
// - http://www.pkiglobe.org/pkcs7.html | ||
// - https://tools.ietf.org/html/rfc2315 | ||
function validate(doc, signedData) { | ||
if (!verify(AWS_PUBLIC_CERTIFICATE, doc, signedData)) { | ||
throw new Error(`Document isn't valid. Document:\n${doc}\nSigned Data:\n${signedData}`); | ||
} | ||
}; | ||
|
||
module.exports = { | ||
validate, | ||
}; |
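Review bot: the comment above `validate` (`// Returns the Identity Document if the signature is valid, null otherwise.`) contradicts the function under it, which returns nothing on success and throws on failure; either `return doc;` after the check and return `null` instead of throwing, or rewrite the comment to say it throws. Smaller points in the same hunk: `assert` is required but never used, `let verify` can be `const`, and the `};` after the function declaration leaves a stray empty statement. Two things worth a comment: the pinned certificate's DER header (`MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQD`) encodes signature algorithm OID 1.2.840.10040.4.3 (dsaWithSHA1), i.e. the DSA certificate that the referenced AWS page pairs with the PKCS7 signature, whereas the commit message speaks of an RSA2048 signature, so state which signature callers must send; and since that AWS page lists certificates per region, confirm one pinned certificate covers every region the workers run in. Finally, the thrown message embeds the full document and signature; if this error reaches the HTTP response, trim it there and keep the full text for logs only.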
@@ -0,0 +1,19 @@ | ||
$schema: http://json-schema.org/draft-04/schema# | ||
title: "Get Credentials Request" | ||
description: | | ||
An object with the Instance Identity Document and its corresponding signature | ||
type: object | ||
properties: | ||
signature: | ||
type: string | ||
description: | ||
The signature if the Identity Document, base64 encoded | ||
document: | ||
type: string | ||
description: | ||
The identity document | ||
additionalProperties: false | ||
required: | ||
- signature | ||
- document | ||
|
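Review bot: typo in the `signature` description, `The signature if the Identity Document` should read `of`. The descriptions should also say which signature is expected (the commit message says RSA2048, and the verifier pins a single certificate) and that `document` must be the identity document string exactly as the instance metadata service returned it, since the signature covers those bytes and any re-serialization on the client side breaks verification.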
@@ -0,0 +1,18 @@ | ||
$schema: http://json-schema.org/draft-04/schema# | ||
title: "Get Secret Response" | ||
description: | | ||
The temporary credentials for the worker | ||
type: object | ||
properties: | ||
clientId: | ||
type: string | ||
accessToken: | ||
type: string | ||
certificate: | ||
type: string | ||
additionalProperties: false | ||
required: | ||
- clientId | ||
- accessToken | ||
- certificate | ||
|
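Review bot: the title `Get Secret Response` does not match the request schema's `Get Credentials Request`; name the pair consistently. The description calls these `The temporary credentials for the worker`, yet no property conveys when they expire; add an expiry field (or document where the worker learns it) so it can renew before `accessToken` stops working. Each property also lacks a `description`, unlike the request schema.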