Merge pull request #14 from micahhausler/iam-authenticator-update

Updated aws-iam-authenticator model
hyakuhei · Jul 23, 2021 · 67fcee6 · 67fcee6
2 parents e0e2564 + d5bc1ee
commit 67fcee6
Show file tree

Hide file tree

Showing 9 changed files with 110 additions and 85 deletions.
diff --git a/example_aws_iam_authenticator.py b/example_aws_iam_authenticator.py
@@ -1,52 +1,67 @@
-from fluentm import Actor, Boundary, Process, DataFlow, HTTP, SIGV4, TLS, Unknown, SIGV4, JWS, Internal
+from fluentm import (
+    Actor,
+    Boundary,
+    Process,
+    DataFlow,
+    Exec,
+    HTTP,
+    SIGV4,
+    TLS,
+    Unknown,
+    SIGV4,
+    Stdout,
+    Internal,
+)
 from fluentm import report
 
 scenes = {
     # Example using variables, which is fine for small things but gets hard with longer flows
-    "kubectl gets pre-signed URL":[
+    "kubectl gets pre-signed URL": [
         DataFlow(
             Process("kubectl").inBoundary("User Machine"),
             Process("aws-cli").inBoundary("User Machine"),
-            Internal("Exec aws-cli get-token"),
-            ),
+            Exec("Exec aws-cli get-token"),
+        ),
         DataFlow(
             Process("aws-cli"),
             Process("aws-cli"),
-            Internal("Sign URL using private key")
+            Internal("Sign URL using AWS IAM credentials"),
         ),
         DataFlow(
-            Process("aws-cli"), Process("kubectl"), Internal("STS PreSigned URL")
-        )
+            Process("aws-cli"), Process("kubectl"), Stdout("STS pre-signed URL")
+        ),
     ],
     "API traffic": [
         DataFlow(
             Process("kubectl"),
-            Process("k8s api").inBoundary("EKS Data Plane").inBoundary("EKS Cluster"),
-            TLS(HTTP("STS token in HTTP header")),
+            Process("Kubernetes API").inBoundary(
+                Boundary("EKS Cluster").inBoundary("AWS Cloud")
+            ),
+            TLS(HTTP("pre-signed URL as Bearer Token HTTP Header")),
         ),
         DataFlow(
-            Process("k8s api"),
-            Process("aws-iam-authenticator").inBoundary("EKS Data Plane"),
-            Unknown("STS Request from token"),
+            Process("Kubernetes API"),
+            Process("aws-iam-authenticator").inBoundary("EKS Cluster"),
+            TLS(HTTP("TokenReview request with pre-signed URL")),
         ),
         DataFlow(
             Process("aws-iam-authenticator"),
-            Process("AWS IAM"),
-            TLS(HTTP(SIGV4("STS Request"))),
-            response=Unknown("?"),
+            Process("AWS STS").inBoundary("AWS Cloud"),
+            TLS(HTTP(SIGV4("sts:GetCallerIdentity request"))),
+            response=TLS(HTTP("sts:GetCallerIdentity response")),
         ),
         DataFlow(
             Process("aws-iam-authenticator"),
-            Process("aws-auth").inBoundary("EKS Data Plane"),
-            Unknown("Config Map"),
+            Process("Kubernetes API").inBoundary("EKS Cluster"),
+            TLS(HTTP("TokenReview response with username")),
         ),
         DataFlow(
             Process("aws-iam-authenticator"),
-            Process("k8s api"),
-            TLS(HTTP(("Read Mapped usernames"))),
-            response=TLS(HTTP("Config Map")) 
-        )
-    ]
+            Process("Kubernetes API").inBoundary("EKS Cluster"),
+            TLS(HTTP(("Async Watch mapped aws-auth ConfigMap "))),
+            #response=TLS(HTTP("Config Map username mappings")),
+        ),
+    ],
 }
 
 if __name__ == "__main__":

diff --git a/examples/aws-iam-authenticator/API traffic-dfd b/examples/aws-iam-authenticator/API traffic-dfd
@@ -1,25 +1,23 @@
 digraph "API traffic" {
 	color=blue rankdir=LR
 	node [fontname=Arial fontsize=14]
-	"AWS IAM"
 	subgraph "cluster_User Machine" {
 		graph [color=red fontname=Arial fontsize=12 label="User Machine" line=dotted]
 		kubectl
 	}
-	subgraph "cluster_EKS Cluster" {
-		graph [color=red fontname=Arial fontsize=12 label="EKS Cluster" line=dotted]
-		"k8s api"
+	subgraph "cluster_AWS Cloud" {
+		graph [color=red fontname=Arial fontsize=12 label="AWS Cloud" line=dotted]
+		"AWS STS"
+		subgraph "cluster_EKS Cluster" {
+			graph [color=red fontname=Arial fontsize=12 label="EKS Cluster" line=dotted]
+			"Kubernetes API"
+			"aws-iam-authenticator"
+		}
 	}
-	subgraph "cluster_EKS Data Plane" {
-		graph [color=red fontname=Arial fontsize=12 label="EKS Data Plane" line=dotted]
-		"aws-iam-authenticator"
-		"aws-auth"
-	}
-	kubectl -> "k8s api" [label="(1) STS token in HTTP header"]
-	"k8s api" -> "aws-iam-authenticator" [label="(2) STS Request from token"]
-	"aws-iam-authenticator" -> "AWS IAM" [label="(3) STS Request"]
-	"AWS IAM" -> "aws-iam-authenticator" [label="(4) ?"]
-	"aws-iam-authenticator" -> "aws-auth" [label="(5) Config Map"]
-	"aws-iam-authenticator" -> "k8s api" [label="(6) Read Mapped usernames"]
-	"k8s api" -> "aws-iam-authenticator" [label="(7) Config Map"]
+	kubectl -> "Kubernetes API" [label="(1) pre-signed URL as Bearer Token HTTP Header"]
+	"Kubernetes API" -> "aws-iam-authenticator" [label="(2) TokenReview request with pre-signed URL"]
+	"aws-iam-authenticator" -> "AWS STS" [label="(3) sts:GetCallerIdentity request"]
+	"AWS STS" -> "aws-iam-authenticator" [label="(4) sts:GetCallerIdentity response"]
+	"aws-iam-authenticator" -> "Kubernetes API" [label="(5) TokenReview response with username"]
+	"aws-iam-authenticator" -> "Kubernetes API" [label="(6) Async Watch mapped aws-auth ConfigMap "]
 }
diff --git a/examples/aws-iam-authenticator/API traffic-dfd.png b/examples/aws-iam-authenticator/API traffic-dfd.png
diff --git a/examples/aws-iam-authenticator/AggregatedDfd-dfd b/examples/aws-iam-authenticator/AggregatedDfd-dfd
@@ -1,26 +1,23 @@
-digraph "Aggregated DFD" {
-	edge [dir=forward]
+digraph all {
 	color=blue rankdir=LR
 	node [fontname=Arial fontsize=14]
-	"AWS IAM"
 	subgraph "cluster_User Machine" {
 		graph [color=red fontname=Arial fontsize=12 label="User Machine" line=dotted]
 		kubectl
 		"aws-cli"
 	}
-	subgraph "cluster_EKS Cluster" {
-		graph [color=red fontname=Arial fontsize=12 label="EKS Cluster" line=dotted]
-		"k8s api"
+	subgraph "cluster_AWS Cloud" {
+		graph [color=red fontname=Arial fontsize=12 label="AWS Cloud" line=dotted]
+		"AWS STS"
+		subgraph "cluster_EKS Cluster" {
+			graph [color=red fontname=Arial fontsize=12 label="EKS Cluster" line=dotted]
+			"Kubernetes API"
+			"aws-iam-authenticator"
+		}
 	}
-	subgraph "cluster_EKS Data Plane" {
-		graph [color=red fontname=Arial fontsize=12 label="EKS Data Plane" line=dotted]
-		"aws-iam-authenticator"
-		"aws-auth"
-	}
-	kubectl -> "aws-cli"
-	"aws-cli" -> "aws-cli"
-	kubectl -> "k8s api"
-	"k8s api" -> "aws-iam-authenticator"
-	"aws-iam-authenticator" -> "AWS IAM"
-	"aws-iam-authenticator" -> "aws-auth"
+	kubectl -> "aws-cli" [dir=both]
+	"aws-cli" -> "aws-cli" [dir=forward]
+	kubectl -> "Kubernetes API" [dir=forward]
+	"Kubernetes API" -> "aws-iam-authenticator" [dir=both]
+	"aws-iam-authenticator" -> "AWS STS" [dir=both]
 }
diff --git a/examples/aws-iam-authenticator/AggregatedDfd-dfd.png b/examples/aws-iam-authenticator/AggregatedDfd-dfd.png
diff --git a/examples/aws-iam-authenticator/ThreatModel.html b/examples/aws-iam-authenticator/ThreatModel.html
@@ -66,7 +66,7 @@ <h2> kubectl gets pre-signed URL </h2>
 
                 <td>aws-cli</td>
 
-                <td>Internal( Exec aws-cli get-token )</td>
+                <td>Exec( Exec aws-cli get-token )</td>
 
                 </tr>
 
@@ -79,7 +79,7 @@ <h2> kubectl gets pre-signed URL </h2>
 
                 <td>aws-cli</td>
 
-                <td>Internal( Sign URL using private key )</td>
+                <td>Internal( Sign URL using AWS IAM credentials )</td>
 
                 </tr>
 
@@ -92,7 +92,7 @@ <h2> kubectl gets pre-signed URL </h2>
 
                 <td>kubectl</td>
 
-                <td>Internal( STS PreSigned URL )</td>
+                <td>Stdout( STS pre-signed URL )</td>
 
                 </tr>
 
@@ -123,9 +123,9 @@ <h2> API traffic </h2>
 
                 <td>kubectl</td>
 
-                <td>k8s api</td>
+                <td>Kubernetes API</td>
 
-                <td>TLS( HTTP( STS token in HTTP header ) )</td>
+                <td>TLS( HTTP( pre-signed URL as Bearer Token HTTP Header ) )</td>
 
                 </tr>
 
@@ -134,11 +134,11 @@ <h2> API traffic </h2>
 
                 <td>2</td>
 
-                <td>k8s api</td>
+                <td>Kubernetes API</td>
 
                 <td>aws-iam-authenticator</td>
 
-                <td>Unknown( STS Request from token )</td>
+                <td>TLS( HTTP( TokenReview request with pre-signed URL ) )</td>
 
                 </tr>
 
@@ -149,9 +149,9 @@ <h2> API traffic </h2>
 
                 <td>aws-iam-authenticator</td>
 
-                <td>AWS IAM</td>
+                <td>AWS STS</td>
 
-                <td>TLS( HTTP( SIGV4( STS Request ) ) )</td>
+                <td>TLS( HTTP( SIGV4( sts:GetCallerIdentity request ) ) )</td>
 
                 </tr>
 
@@ -160,11 +160,11 @@ <h2> API traffic </h2>
 
                 <td>4</td>
 
-                <td>AWS IAM</td>
+                <td>AWS STS</td>
 
                 <td>aws-iam-authenticator</td>
 
-                <td>Unknown( ? )</td>
+                <td>TLS( HTTP( sts:GetCallerIdentity response ) )</td>
 
                 </tr>
 
@@ -175,9 +175,9 @@ <h2> API traffic </h2>
 
                 <td>aws-iam-authenticator</td>
 
-                <td>aws-auth</td>
+                <td>Kubernetes API</td>
 
-                <td>Unknown( Config Map )</td>
+                <td>TLS( HTTP( TokenReview response with username ) )</td>
 
                 </tr>
 
@@ -188,22 +188,9 @@ <h2> API traffic </h2>
 
                 <td>aws-iam-authenticator</td>
 
-                <td>k8s api</td>
+                <td>Kubernetes API</td>
 
-                <td>TLS( HTTP( Read Mapped usernames ) )</td>
-
-                </tr>
-
-
-                <tr>
-
-                <td>7</td>
-
-                <td>k8s api</td>
-
-                <td>aws-iam-authenticator</td>
-
-                <td>TLS( HTTP( Config Map ) )</td>
+                <td>TLS( HTTP( Async Watch mapped aws-auth ConfigMap  ) )</td>
 
                 </tr>
 

diff --git a/examples/aws-iam-authenticator/kubectl gets pre-signed URL-dfd b/examples/aws-iam-authenticator/kubectl gets pre-signed URL-dfd
@@ -7,6 +7,6 @@ digraph "kubectl gets pre-signed URL" {
 		"aws-cli"
 	}
 	kubectl -> "aws-cli" [label="(1) Exec aws-cli get-token"]
-	"aws-cli" -> "aws-cli" [label="(2) Sign URL using private key"]
-	"aws-cli" -> kubectl [label="(3) STS PreSigned URL"]
+	"aws-cli" -> "aws-cli" [label="(2) Sign URL using AWS IAM credentials"]
+	"aws-cli" -> kubectl [label="(3) STS pre-signed URL"]
 }
diff --git a/examples/aws-iam-authenticator/kubectl gets pre-signed URL-dfd.png b/examples/aws-iam-authenticator/kubectl gets pre-signed URL-dfd.png
diff --git a/fluentm.py b/fluentm.py
@@ -100,6 +100,34 @@ def __init__(self, toWrap):
         super().__init__(toWrap)
 
 
+class Exec(WrappableProtocol):
+    def __init__(self, toWrap):
+        super().__init__(
+            toWrap,
+            encrypted=False,
+            signed=False,
+            serverAuthenticated=False,
+            clientAuthenticated=False,
+            serverCredential=None,  # TODO: Replace with a type? Would that be useful?
+            clientCredential=None,
+            version=None,
+        )
+
+
+class Stdout(WrappableProtocol):
+    def __init__(self, toWrap):
+        super().__init__(
+            toWrap,
+            encrypted=False,
+            signed=False,
+            serverAuthenticated=False,
+            clientAuthenticated=False,
+            serverCredential=None,  # TODO: Replace with a type? Would that be useful?
+            clientCredential=None,
+            version=None,
+        )
+
+
 class Internal(WrappableProtocol):
     def __init__(self, toWrap):
         super().__init__(