class InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControlCertVerifier

Public Class Methods

new(endpoint)
# File lib/instance_agent/plugins/codedeploy/codedeploy_control.rb, line 62
# Builds a verifier for one CodeDeploy control endpoint.
#
# The region is read from the AWS_REGION environment variable; only when
# that variable is absent is InstanceMetadata.region consulted.
#
# Security note: @region is later spliced into the certificate subject that
# verify_subject accepts, so whatever can set AWS_REGION for this process
# also chooses which regional subject is treated as valid.
#
# @param endpoint the endpoint URL that verify_cert will connect to
def initialize(endpoint)
  @endpoint = endpoint
  # ENV values are always strings, so "key present" matches the truthiness
  # test of `ENV[...] || fallback`; the block only runs when the key is unset.
  @region = ENV.fetch('AWS_REGION') { InstanceMetadata.region }
end

Public Instance Methods

verify_cert()
# File lib/instance_agent/plugins/codedeploy/codedeploy_control.rb, line 67
# Connects to @endpoint over TLS and issues `GET /` so that the handshake
# runs OpenSSL's chain verification followed by the subject check in
# verify_subject.
#
# Trust anchors are taken from the file named by SSL_CERT_FILE. When that
# variable is unset, ca_file is assigned nil and Net::HTTP falls back to its
# default trust store.
#
# A rejected certificate is not reported through the return value: the
# verify callback returning false makes the handshake fail, which Net::HTTP
# is expected to surface as a raised error (typically
# OpenSSL::SSL::SSLError). Callers should rescue rather than test the result.
#
# @return the response object produced by the `GET /` request
def verify_cert
  target = URI(@endpoint)
  http = Net::HTTP.new(target.host, target.port)
  http.use_ssl = true
  # VERIFY_PEER is what makes the chain (and the callback below) authoritative;
  # never relax this to VERIFY_NONE, or the subject check is bypassed too.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ENV['SSL_CERT_FILE']

  if InstanceAgent::Config.config[:proxy_uri]
    proxy = URI(InstanceAgent::Config.config[:proxy_uri])
    # Ignore *_proxy environment variables so the agent config is the single
    # source of proxy settings.
    http.proxy_from_env = false
    http.proxy_address = proxy.host
    http.proxy_port = proxy.port
    # Credentials are optional in the proxy URI; only set what is present.
    # NOTE(review): these values are used exactly as URI parsed them, with no
    # percent-decoding here. Confirm that is what the proxy expects.
    http.proxy_user = proxy.user if proxy.user
    http.proxy_pass = proxy.password if proxy.password
  end

  # OpenSSL invokes this callback during chain verification. A failed
  # pre-verification is never overridden (fail closed); otherwise the first
  # certificate of the chain (chain[0], the peer's own certificate) is kept
  # in @cert and its subject is compared by verify_subject.
  http.verify_callback = lambda do |preverify_ok, store_context|
    if preverify_ok
      @cert = store_context.chain.first
      verify_subject
    else
      false
    end
  end

  http.get('/')
end
verify_subject()

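Performs minimal certificate pinning by comparing the certificate's subject with the expected subject for the configured region.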

# File lib/instance_agent/plugins/codedeploy/codedeploy_control.rb, line 93
# Minimal pinning check: compares the one-line subject string of @cert with
# the expected CodeDeploy commands subject for @region.
#
# This pins the subject name only, not a public key or certificate
# fingerprint. It is meaningful only because the caller in verify_cert runs
# it after OpenSSL has accepted the chain (preverify_ok); on its own a
# matching subject string proves nothing about who issued the certificate.
#
# The subject is written to the debug log before the comparison, so both
# accepted and rejected subjects appear there.
#
# @return [Boolean] true when the subject string equals the expected value
def verify_subject
  presented = @cert.subject.to_s
  InstanceAgent::Log.debug("#{self.class}: Actual certificate subject is '#{presented}'")
  # Built with + (not interpolation) so a nil @region still raises instead of
  # silently producing a malformed expected subject.
  pinned = "/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=codedeploy-commands." + @region + ".amazonaws.com"
  presented == pinned
end