lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS
456 stars 69 forks

ensure all-or-nothing for ARN matching a role #87

Closed tedder closed 5 years ago

tedder commented 5 years ago

A string that starts with arn:aws would match the "oh, extract a role from an ARN" code, but would fail if the regex didn't match. Here's a sample fail:

  File "/srv/metadataproxy/metadataproxy/routes/mock.py", line 132, in get_security_credentials_slash
    role_params = roles.get_role_params_from_ip(request.remote_addr)
  File "/srv/metadataproxy/metadataproxy/roles.py", line 59, in timed
    result = method(*args, **kw)
  File "/srv/metadataproxy/metadataproxy/roles.py", line 198, in get_role_params_from_ip
    val = '{0}@{1}'.format(m.group(2), m.group(1))
AttributeError: 'NoneType' object has no attribute 'group'

This fixes that by making sure the regex matches, not just a substring that is kinda-sorta-similar to what the regex would do. A case where this might happen is if someone were to use an IAM policy instead of an IAM role.

Note this doesn't fix #85, though I can follow up with a PR if this one is accepted.
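The failure mode described in this PR, shown as an added example (not the project's own code): a prefix check on `arn:aws` followed by an unguarded `m.group()` crashes with `AttributeError` on any ARN that is not a role ARN, whereas the all-or-nothing version only treats the input as an ARN when the full regex matches and otherwise rejects it. The regex, the `role@account` output shape, and the rule that a non-ARN string is a plain role name are assumptions for this example, modelled on the traceback above rather than copied from `roles.py`.

```python
import re
from typing import Optional

# Assumed pattern for an IAM role ARN (12-digit account, then role/<name>).
# This is a constructed example regex, not necessarily the project's own.
ROLE_ARN_RE = re.compile(r'^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$')


def role_param_unguarded(role: str) -> str:
    """'Before' behaviour from the PR description: a substring check decides
    that the input is an ARN, then .group() is called on a possibly-None match."""
    if role.startswith('arn:aws'):
        m = ROLE_ARN_RE.match(role)
        # Crashes with AttributeError when the regex did not actually match,
        # e.g. for a policy ARN that merely starts with "arn:aws".
        return '{0}@{1}'.format(m.group(2), m.group(1))
    return role


def role_param_guarded(role: str) -> Optional[str]:
    """All-or-nothing version: only a complete regex match is treated as a role
    ARN. Anything else that looks ARN-like is rejected (None) instead of being
    half-parsed; a string that is not ARN-like is passed through as a plain
    role name (assumption for this example)."""
    m = ROLE_ARN_RE.match(role)
    if m:
        return '{0}@{1}'.format(m.group(2), m.group(1))
    if role.startswith('arn:aws'):
        # ARN-shaped but not a role ARN (policy, user, ...): refuse rather than guess.
        return None
    return role


def crashes_on(role: str) -> bool:
    """Helper for demonstrating the before-state: True if the unguarded
    parser raises AttributeError on this input."""
    try:
        role_param_unguarded(role)
    except AttributeError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample inputs: a real role ARN, a policy ARN, a bare role name.
    for sample in ('arn:aws:iam::123456789012:role/app',
                   'arn:aws:iam::123456789012:policy/app',
                   'app'):
        print(sample, '->', role_param_guarded(sample),
              '(unguarded crashes)' if crashes_on(sample) else '')
```

Returning `None` for an ARN-shaped string that is not a role ARN lets the caller respond with a clean "no role for this container" instead of a 500 from an unhandled exception, which is the observable difference the PR is after.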

ryan-lane commented 5 years ago

This does indeed look like a saner way of approaching this.

ryan-lane commented 5 years ago

Thanks for the PR!