Merge pull request #17 from iann0036/feature/proxy

Feature/proxy

Author: iann0036

NOTICE

@@ -47,3 +47,36 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 ---
+
+3. https://github.com/elazarl/goproxy
+
+
+Copyright (c) 2012 Elazar Leibovich. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Elazar Leibovich. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+---

README.md

@@ -1,6 +1,6 @@
 # iamlive
 
-> Generate a basic IAM policy from AWS client-side monitoring (CSM)
+> Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
 
 ![](https://raw.githubusercontent.com/iann0036/iamlive/assets/iamlive.gif)
 
@@ -30,27 +30,59 @@ To start the listener, simply run `iamlive` in a separate window to your CLI / S
 
 You can optionally also include the following arguments to the `iamlive` command:
 
-**--set-ini:** when set, the `.aws/config` file will be updated to use the CSM monitoring and removed when exiting (_default: false_)
+**--set-ini:** when set, the `.aws/config` file will be updated to use the CSM monitoring or CA bundle and removed when exiting (_default: false_)
 
 **--profile:** use the specified profile when combined with `--set-ini` (_default: default_)
 
-**--fails-only:** when set, only failed AWS calls will be added to the policy (_default: false_)
+**--fails-only:** when set, only failed AWS calls will be added to the policy, csm mode only (_default: false_)
 
 **--output-file:** specify a file that will be written to on SIGHUP or exit (_default: unset_)
 
 **--refresh-rate:** instead of flushing to console every API call, do it this number of seconds (_default: 0_)
 
 **--sort-alphabetical:** sort actions alphabetically (_default: false_)
 
-**--host:** host to listen on (_default: 127.0.0.1_)
+**--host:** host to listen on for CSM (_default: 127.0.0.1_)
 
-_Comprehensive Example_
+**--mode:** _[experimental]_ the listening mode (`csm`,`proxy`) (_default: csm_)
+
+**--bind-addr:** _[experimental]_ the bind address for proxy mode (_default: 127.0.0.1:10080_)
+
+**--ca-bundle:** _[experimental]_ the CA certificate bundle (PEM) to use for proxy mode (_default: ~/.iamlive/ca.pem_)
+
+**--ca-key:** _[experimental]_ the CA certificate key to use for proxy mode (_default: ~/.iamlive/ca.key_)
+
+**--account-id:** _[experimental]_ the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012_)
+
+_Basic Example (CSM Mode)_
+
+```
+iamlive --set-ini
+```
+
+_Basic Example (Proxy Mode)_
+
+```
+iamlive --set-ini --mode proxy
+```
+
+_Comprehensive Example (CSM Mode)_
 
 ```
 iamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical --host 127.0.0.1
 ```
 
-### CSM Enabling
+_Comprehensive Example (Proxy Mode)_
+
+```
+iamlive --set-ini --mode proxy --profile myprofile --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012
+```
+
+The arguments may also be specified in an INI file located at `~/.iamlive/config`.
+
+### CSM Mode
+
+Client-side monitoring mode is the default behaviour and will use [metrics](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/metrics.html) delivered locally via UDP to capture policy statements with the `Action` key only (`Resource` is only available in proxy mode).
 
 #### CLI
 
@@ -76,16 +108,49 @@ export AWS_CSM_PORT=31000
 export AWS_CSM_HOST=127.0.0.1
 ```
 
+### Proxy Mode
+
+Proxy mode will serve a local HTTP(S) server (by default at `http://127.0.0.1:10080`) that will MITM requests sent to the AWS endpoints and generate IAM policy statements with both `Action` and `Resource` keys. The CA key/certificate pair will be automatically generated and stored within `~/.iamlive/` by default.
+
+#### CLI
+
+To set the appropriate CA bundle in the AWS CLI, you should either use the `--set-ini` option or add the following to the relevant profile in `.aws/config`:
+
+```
+ca_bundle = ~/.iamlive/ca.pem
+```
+
+Alternatively, you can run the following in the window executing your CLI commands:
+
+```
+export AWS_CA_BUNDLE=~/.iamlive/ca.pem
+```
+
+You must also set the proxy settings for your session by running the following in the window executing your CLI commands:
+
+```
+export HTTP_PROXY=http://127.0.0.1:10080
+export HTTPS_PROXY=http://127.0.0.1:10080
+```
+
+#### SDKs
+
+To enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:
+
+```
+export HTTP_PROXY=http://127.0.0.1:10080
+export HTTPS_PROXY=http://127.0.0.1:10080
+export AWS_CA_BUNDLE=~/.iamlive/ca.pem
+```
+
+Check the [official docs](https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html) for further details on setting the CA bundle.
+
 ## FAQs
 
 _I get a message "package embed is not in GOROOT" when attempting to build myself_
 
 This project requires Go 1.16 or above to be built correctly (due to embedding feature).
 
-_Can we include specifics for the Resource and Condition fields?_
-
-No, the CSM protocol does not support it and cannot be changed.
-
 ## Acknowledgements
 
-This project makes heavy use of [Parliament](https://github.com/duo-labs/parliament) and was assisted by Scott Piper's [CSM explainer](https://summitroute.com/blog/2020/05/25/client_side_monitoring/).
+This project makes heavy use of [Parliament](https://github.com/duo-labs/parliament) and was assisted by Scott Piper's [CSM explainer](https://summitroute.com/blog/2020/05/25/client_side_monitoring/). Thanks also to Noam Dahan's [research](https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/) into missing `iam:PassRole` dependant actions.

csm.go

@@ -0,0 +1,157 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"os"
+	"os/signal"
+	"runtime/pprof"
+	"strings"
+	"syscall"
+
+	"github.com/mitchellh/go-homedir"
+	"gopkg.in/ini.v1"
+)
+
+func setINIConfigAndFileFlush() {
+	// set ini
+	if *setiniFlag {
+		cfgfile, err := homedir.Expand("~/.aws/config")
+		if err != nil {
+			return
+		}
+
+		cfg, err := ini.Load(cfgfile)
+		if err != nil {
+			return
+		}
+
+		if *profileFlag == "default" {
+			if *modeFlag == "csm" {
+				cfg.Section("default").Key("csm_enabled").SetValue("true")
+			} else if *modeFlag == "proxy" {
+				cfg.Section("default").Key("ca_bundle").SetValue(*caBundleFlag)
+			}
+		} else {
+			if *modeFlag == "csm" {
+				cfg.Section(fmt.Sprintf("profile %s", *profileFlag)).Key("csm_enabled").SetValue("true")
+			} else if *modeFlag == "proxy" {
+				cfg.Section(fmt.Sprintf("profile %s", *profileFlag)).Key("ca_bundle").SetValue(*caBundleFlag)
+			}
+		}
+
+		cfg.SaveTo(cfgfile)
+	}
+
+	// listen for exit, cleanup and flush
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc,
+		syscall.SIGHUP,
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGQUIT)
+	go func() {
+		for s := range sigc {
+			// flush to file
+			if *outputFileFlag != "" {
+				err := ioutil.WriteFile(*outputFileFlag, getPolicyDocument(), 0644)
+				if err != nil {
+					log.Fatalf("Error writing policy to %s", *outputFileFlag)
+				}
+			}
+
+			if s == syscall.SIGINT || s == syscall.SIGTERM || s == syscall.SIGQUIT {
+				if *setiniFlag {
+					// revert ini
+					cfgfile, err := homedir.Expand("~/.aws/config") // need to redeclare
+					if err != nil {
+						os.Exit(1)
+					}
+
+					cfg, err := ini.Load(cfgfile)
+					if err != nil {
+						os.Exit(1)
+					}
+
+					if *profileFlag == "default" {
+						if *modeFlag == "csm" {
+							cfg.Section("default").DeleteKey("csm_enabled")
+						} else if *modeFlag == "proxy" {
+							cfg.Section("default").DeleteKey("ca_bundle")
+						}
+					} else {
+						if *modeFlag == "csm" {
+							cfg.Section(fmt.Sprintf("profile %s", *profileFlag)).DeleteKey("csm_enabled")
+						} else if *modeFlag == "proxy" {
+							cfg.Section(fmt.Sprintf("profile %s", *profileFlag)).DeleteKey("ca_bundle")
+						}
+					}
+					cfg.SaveTo(cfgfile)
+				}
+
+				pprof.StopCPUProfile()
+
+				// exit
+				os.Exit(0)
+			}
+		}
+	}()
+}
+
+func listenForEvents() {
+	var iamMap iamMapBase
+
+	addr := net.UDPAddr{
+		Port: 31000,
+		IP:   net.ParseIP(*hostFlag),
+	}
+	conn, err := net.ListenUDP("udp", &addr)
+	if err != nil {
+		panic(err)
+	}
+	err = conn.SetReadBuffer(1048576)
+	if err != nil {
+		panic(err)
+	}
+	defer conn.Close()
+
+	err = json.Unmarshal(bIAMMap, &iamMap)
+	if err != nil {
+		panic(err)
+	}
+
+	var buf [1048576]byte
+	for {
+		rlen, _, err := conn.ReadFromUDP(buf[:])
+		if err != nil {
+			panic(err)
+		}
+
+		entries := strings.Split(string(buf[0:rlen]), "\n")
+
+	EntryLoop:
+		for _, entry := range entries {
+			var e Entry
+
+			err := json.Unmarshal([]byte(entry), &e)
+			if err != nil {
+				panic(err)
+			}
+
+			// checked if permissionless
+			for _, permissionlessAction := range iamMap.SDKPermissionlessActions {
+				if strings.ToLower(permissionlessAction) == fmt.Sprintf("%s.%s", strings.ToLower(e.Service), strings.ToLower(e.Method)) {
+					continue EntryLoop
+				}
+			}
+
+			if e.Type == "ApiCall" {
+				callLog = append(callLog, e)
+				handleLoggedCall()
+			}
+		}
+	}
+}

go.mod

@@ -4,6 +4,7 @@ go 1.16
 
 require (
 	github.com/buger/goterm v0.0.0-20200322175922-2f3e71b85129
+	github.com/elazarl/goproxy v0.0.0-20210110162100-a92cc753f88e
 	github.com/mitchellh/go-homedir v1.1.0
 	golang.org/dl v0.0.0-20210204224843-1557c60ec592 // indirect
 	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c // indirect

go.sum

@@ -1,7 +1,11 @@
 github.com/buger/goterm v0.0.0-20200322175922-2f3e71b85129 h1:gfAMKE626QEuKG3si0pdTRcr/YEbBoxY+3GOH3gWvl4=
 github.com/buger/goterm v0.0.0-20200322175922-2f3e71b85129/go.mod h1:u9UyCz2eTrSGy6fbupqJ54eY5c4IC8gREQ1053dK12U=
+github.com/elazarl/goproxy v0.0.0-20210110162100-a92cc753f88e h1:/cwV7t2xezilMljIftb7WlFtzGANRCnoOhPjtl2ifcs=
+github.com/elazarl/goproxy v0.0.0-20210110162100-a92cc753f88e/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 golang.org/dl v0.0.0-20210204224843-1557c60ec592 h1:GU5BB6jCTo/NbOo4bkZB5ZD2cRqqGbil8S7HfDcNSzo=
 golang.org/dl v0.0.0-20210204224843-1557c60ec592/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=