mod_audit*: modules for audit logging in prosody
These are to be seen as proof-of-concept for now.
local http = require "net.http";
local json = require "util.json";
local parse_timestamp = require "util.datetime".parse;
module:set_global();
local current_credentials = module:shared("/*/aws_profile/credentials");
local function get_role_credentials(role_name, cb)
http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials/"..role_name, nil, function (credentials_json)
local credentials = credentials_json and json.decode(credentials_json);
if not credentials or not (credentials.AccessKeyId and credentials.SecretAccessKey) then
module:log("warn", "Failed to fetch credentials for %q", role_name);
cb(nil);
return;
end
local expiry = parse_timestamp(credentials.Expiration);
local ttl = os.difftime(expiry, os.time());
cb({
access_key = credentials.AccessKeyId;
secret_key = credentials.SecretAccessKey;
ttl = ttl;
expiry = expiry;
});
end);
end
local function get_credentials(cb)
http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials", nil, function (role_name)
role_name = role_name and role_name:match("%S+");
if not role_name then
module:log("warn", "Unable to discover role name");
cb(nil);
return;
end
get_role_credentials(role_name, cb);
end);
end
function refresh_credentials(force)
if not force and current_credentials.expiry and current_credentials.expiry - os.time() > 300 then
return;
end
get_credentials(function (credentials)
if not credentials then
module:log("warn", "Failed to refresh credentials!");
return;
end
current_credentials.access_key = credentials.access_key;
current_credentials.secret_key = credentials.secret_key;
current_credentials.expiry = credentials.expiry;
module:timer(credentials.ttl or 240, refresh_credentials);
module:fire_event("aws_profile/credentials-refreshed", current_credentials);
end);
end
function module.load()
refresh_credentials(true);
end