From e5218943a84cb0448fb620063478c8e6e95ab4f0 Mon Sep 17 00:00:00 2001
From: vishalnayak <vishalnayakv@gmail.com>
Date: Mon, 13 Jun 2016 08:56:39 -0400
Subject: [PATCH] Added bound_ami_id check

---
 builtin/credential/aws-ec2/backend_test.go | 24 ++++++++++++++++++----
 builtin/credential/aws-ec2/path_login.go   |  7 +++++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/builtin/credential/aws-ec2/backend_test.go b/builtin/credential/aws-ec2/backend_test.go
index 3be53d988e0e..5b0a6d61a74f 100644
--- a/builtin/credential/aws-ec2/backend_test.go
+++ b/builtin/credential/aws-ec2/backend_test.go
@@ -1125,15 +1125,17 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
 	data := map[string]interface{}{
 		"policies":     "root",
 		"max_ttl":      "120s",
-		"bound_ami_id": amiID,
+		"bound_ami_id": "wrong_ami_id",
 	}
 
-	resp, err := b.HandleRequest(&logical.Request{
+	roleReq := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      "role/" + roleName,
 		Storage:   storage,
 		Data:      data,
-	})
+	}
+
+	resp, err := b.HandleRequest(roleReq)
 	if resp != nil && resp.IsError() {
 		t.Fatalf("failed to create role")
 	}
@@ -1146,7 +1148,8 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
 		"nonce": "vault-client-nonce",
 	}
 
-	// perform the login operation.
+	// Perform the login operation with a AMI ID that is not matching
+	// the bound on the role.
 	loginRequest := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Path:      "login",
@@ -1154,6 +1157,19 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
 		Data:      loginInput,
 	}
 	resp, err = b.HandleRequest(loginRequest)
+	if err != nil || resp == nil || (resp != nil && !resp.IsError()) {
+		t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
+	}
+
+	// Place the correct AMI ID on the role
+	data["bound_ami_id"] = amiID
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
+	}
+
+	// Try to login after the role has a matching AMI ID
+	resp, err = b.HandleRequest(loginRequest)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 268e02f36935..ef14bf7062b9 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -244,6 +244,13 @@ func (b *backend) pathLoginUpdate(
 		return logical.ErrorResponse("role entry not found"), nil
 	}
 
+	// Only 'bound_ami_id' constraint is supported on the role currently.
+	// Check if the AMI ID of the instance trying to login matches the
+	// AMI ID specified as a constraint on the role.
+	if identityDoc.AmiID != roleEntry.BoundAmiID {
+		return logical.ErrorResponse(fmt.Sprintf("AMI ID %s does not belong to role %s", identityDoc.AmiID, roleName)), nil
+	}
+
 	// Get the entry from the identity whitelist, if there is one.
 	storedIdentity, err := whitelistIdentityEntry(req.Storage, identityDoc.InstanceID)
 	if err != nil {