RubyGems - MovableInkAWS - Versions diffs - 2.6.0 → 2.6.3 - Mend

MovableInkAWS 2.6.0 → 2.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aee7128060ef1c160ab30f71a01ba8dc906b3cc19e600ebef7b48df7d0fd29d2
-  data.tar.gz: 36d923a0fca6ca5098f8e9dd4c12ee8257f9c0896853d56a2979e9bbe461ac5b
+  metadata.gz: 4e7ad037cd5628c4064e602e7818305adf691666f178b1cba16f967c17021b1d
+  data.tar.gz: 7f6fbc76c3c7669aadd15682cd806c2e3268f39cd74dd395913910aa01b826f7
 SHA512:
-  metadata.gz: f3328245aeb3822471f9a3c52f4e015c4cb60d0ae2950c5af09dff732081b66c0409607c8e4f3d21a676e6986ba8087f7509dc62a87862cfbbf3740af5d75f6a
-  data.tar.gz: a5decec040107d6b7240551412cc43827fdf78be921ae8eaae3fc61d419aa578d72a6af24851d8397f721e7674e03eda56cd662af8871eec9569e125a20a9199
+  metadata.gz: 73af21192d6d001442427ed83f21e18b7aee0e214243b6e8572d1ca51f2b9d15a562e14435f666737f6158651285c2a95ac59f3c7a38d8a7539404a4f24a2559
+  data.tar.gz: 0cc73c99406611d2d6482149eea67a8c235b7b5caa0dd7d366ac0e6256c5a2b8faae3de6e83350ff71a464cac40f2b518c6b7a5b72e80613af8a8ee8042352c3

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    MovableInkAWS (2.6.0)
+    MovableInkAWS (2.6.3)
       aws-sdk-athena (~> 1)
       aws-sdk-autoscaling (~> 1)
       aws-sdk-cloudwatch (~> 1)
@@ -9,6 +9,7 @@ PATH
       aws-sdk-ec2 (~> 1)
       aws-sdk-eks (~> 1)
       aws-sdk-elasticache (~> 1)
+      aws-sdk-iam (~> 1)
       aws-sdk-rds (~> 1)
       aws-sdk-route53 (~> 1)
       aws-sdk-s3 (~> 1)
@@ -48,6 +49,9 @@ GEM
     aws-sdk-elasticache (1.76.0)
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
+    aws-sdk-iam (1.68.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
+      aws-sigv4 (~> 1.1)
     aws-sdk-kms (1.55.0)
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
@@ -117,4 +121,4 @@ DEPENDENCIES
   webmock
 BUNDLED WITH
-   2.1.4
+   2.3.11

data/MovableInkAWS.gemspec CHANGED Viewed

@@ -16,6 +16,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'aws-sdk-ec2', '~> 1'
   s.add_runtime_dependency 'aws-sdk-eks', '~> 1'
   s.add_runtime_dependency 'aws-sdk-elasticache', '~> 1'
+  s.add_runtime_dependency 'aws-sdk-iam', '~> 1'
   s.add_runtime_dependency 'aws-sdk-rds', '~> 1'
   s.add_runtime_dependency 'aws-sdk-route53', '~> 1'
   s.add_runtime_dependency 'aws-sdk-s3', '~> 1'

data/lib/movable_ink/aws/iam.rb ADDED Viewed

@@ -0,0 +1,23 @@
+require 'aws-sdk-iam'
+module MovableInk
+  class AWS
+    module IAM
+      def is_arn_iam_user?(arn, username = nil)
+        # arn:aws:iam::account:user/user-name-with-path
+        !arn.match(/arn:aws:iam::\d+:user\/#{(username) ? username + '$' : ''}/).nil?
+      end
+      def is_arn_iam_role?(arn, rolename = nil)
+        # arn:aws:iam::account:role/role-name-with-path
+        !arn.match(/arn:aws:iam::\d+:role\/#{(rolename) ? rolename + '$' : ''}/).nil?
+      end
+      def is_arn_iam_assumed_role?(arn, rolename = nil, exact_match = true)
+        # arn:aws:sts::account:assumed-role/role-name/role-session-name
+        role_name_session_delimiter = (exact_match) ? '/' : ''
+        !arn.match(/arn:aws:sts::\d+:assumed\-role\/#{(rolename) ? rolename + role_name_session_delimiter : ''}/).nil?
+      end
+    end
+  end
+end

data/lib/movable_ink/aws/ssm.rb CHANGED Viewed

@@ -3,26 +3,48 @@ require 'aws-sdk-ssm'
 module MovableInk
   class AWS
     module SSM
-      def ssm_client
-        @ssm_client ||= Aws::SSM::Client.new(region: 'us-east-1')
+      SSM_DEFAULT_REGION = 'us-east-1'
+      SSM_DEFAULT_FAILOVER_REGION = 'us-west-2'
+      def mi_secrets_config_file_path
+        '/etc/movableink/secrets_config.json'
+      end
+      def mi_secrets_config
+        @mi_secrets_config ||= (File.exist?(mi_secrets_config_file_path)) ? JSON.parse(File.read(mi_secrets_config_file_path), :symbolize_names => true) : nil
+      end
+      def mi_ssm_clients_regions
+        default_regions = [SSM_DEFAULT_REGION, SSM_DEFAULT_FAILOVER_REGION]
+        return default_regions if !mi_secrets_config || !mi_secrets_config[:ssm_parameters_regions_map] || !mi_secrets_config[:ssm_parameters_regions_map].key?(my_region.to_sym)
+        my_region_map = mi_secrets_config[:ssm_parameters_regions_map][my_region.to_sym]
+        (my_region_map.keys == [:primary_region, :failover_region]) ? my_region_map.values : default_regions
+      end
+      def ssm_client(region = nil)
+        @ssm_clients_map ||= {}
+        @ssm_clients_map[region] ||= Aws::SSM::Client.new(region: (region.nil?) ? mi_ssm_clients_regions[0] : region)
       end
-      def ssm_client_failover
-        @ssm_client_failover ||= Aws::SSM::Client.new(region: 'us-west-2')
+      def ssm_client_failover(failregion = nil)
+        @ssm_failover_clients_map ||= {}
+        @ssm_failover_clients_map[failregion] ||= Aws::SSM::Client.new(region: (failregion.nil?) ? mi_ssm_clients_regions[1] : failregion)
       end
-      def run_with_backoff_and_client_fallback(&block)
+      def run_with_backoff_and_client_fallback(region = nil, failregion = nil, &block)
         run_with_backoff do
-          block.call(ssm_client)
+          block.call(ssm_client(region))
         end
       rescue MovableInk::AWS::Errors::FailedWithBackoff => e
         run_with_backoff(tries: 3) do
-          block.call(ssm_client_failover)
+          block.call(ssm_client_failover(failregion))
         end
       end
-      def get_secret(environment: mi_env, role:, attribute:)
-        run_with_backoff_and_client_fallback do |ssm|
+      def get_secret(environment: mi_env, role:, attribute:, region: nil, failregion: nil)
+        run_with_backoff_and_client_fallback(region, failregion) do |ssm|
           begin
             resp = ssm.get_parameter(
                       name: "/#{environment}/#{role}/#{attribute}",
@@ -35,9 +57,9 @@ module MovableInk
         end
       end
-      def get_role_secrets(environment: mi_env, role:)
+      def get_role_secrets(environment: mi_env, role:, region: nil, failregion: nil)
         path = "/#{environment}/#{role}"
-        run_with_backoff_and_client_fallback do |ssm|
+        run_with_backoff_and_client_fallback(region, failregion) do |ssm|
           ssm.get_parameters_by_path(
             path: path,
             with_decryption: true

data/lib/movable_ink/aws.rb CHANGED Viewed

@@ -7,13 +7,13 @@ require_relative 'aws/route53'
 require_relative 'aws/ssm'
 require_relative 'aws/athena'
 require_relative 'aws/s3'
+require_relative 'aws/iam'
 require_relative 'aws/eks'
 require_relative 'aws/elasticache'
 require_relative 'aws/api_gateway'
 require_relative 'consul/consul'
 require 'aws-sdk-cloudwatch'
 module MovableInk
   class AWS
     include Metadata
@@ -27,6 +27,7 @@ module MovableInk
     include ElastiCache
     include ApiGateway
     include EKS
+    include IAM
     class << self
       def regions
@@ -84,7 +85,10 @@ module MovableInk
                Aws::SSM::Errors::Http503Error,
                Aws::SSM::Errors::Http502Error,
                Aws::Athena::Errors::ThrottlingException,
-               MovableInk::AWS::Errors::NoEnvironmentTagError
+               MovableInk::AWS::Errors::NoEnvironmentTagError,
+               Aws::IAM::Errors::LimitExceededException,
+               Aws::IAM::Errors::RequestLimitExceeded,
+               Aws::IAM::Errors::Throttling
           sleep_time = (num+1)**2 + rand(10)
           if quiet
             (num >= tries - 1) ? notify_and_sleep(sleep_time, $!.class) : sleep(sleep_time)

data/lib/movable_ink/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module MovableInk
   class AWS
-    VERSION = '2.6.0'
+    VERSION = '2.6.3'
   end
 end

data/spec/iam_spec.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require_relative '../lib/movable_ink/aws'
+describe MovableInk::AWS::IAM do
+  let(:aws) { MovableInk::AWS.new }
+  describe 'is_arn_iam_user?' do
+    it 'matches user by arn type' do
+      expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk')).to eq true
+      expect(aws.is_arn_iam_user?('arn:aws:iam::123:role/anosulchyk')).to eq false
+    end
+    it 'matches user by arn type and name' do
+      expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchyk')).to eq true
+      expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/this/is/user/too', 'this/is/user/too')).to eq true
+      expect(aws.is_arn_iam_user?('arn:aws:iam::123:user/anosulchyk', 'anosulchik11')).to eq false
+    end
+  end
+   describe 'is_arn_iam_role?' do
+    it 'matches role by arn type' do
+      expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk')).to eq true
+      expect(aws.is_arn_iam_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+    end
+    it 'matches role by arn type and name' do
+       expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchyk')).to eq true
+      expect(aws.is_arn_iam_role?('arn:aws:iam::123:role/anosulchyk', 'anosulchik11')).to eq false
+    end
+  end
+  describe 'is_arn_iam_assumed_role?' do
+    it 'matches role by arn type' do
+      expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session')).to eq true
+      expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:role/anosulchyk')).to eq false
+    end
+    it 'matches role by arn type and name' do
+       expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session', 'anosulchyk')).to eq true
+      expect(aws.is_arn_iam_assumed_role?('arn:aws:sts::123:assumed-role/anosulchyk/session-name', '1anosulchyk1')).to eq false
+    end
+  end
+end

data/spec/ssm_spec.rb CHANGED Viewed

@@ -9,6 +9,8 @@ describe MovableInk::AWS::SSM do
       value: 'too-many-secrets'
     })
   }
+  let(:mi_secrets_config_file_path) { '/etc/movableink/secrets_config.json' }
+  let(:mi_secrets_config_file_mock) { "{\"ssm_parameters_regions_map\": { \"us-east-1\": {\"primary_region\": \"us-east-1\", \"failover_region\": \"us-east-2\"}}}" }
   let(:parameters) { ssm.stub_data(:get_parameters_by_path, parameters: [
       {
         name: '/test/zelda/Its',
@@ -68,6 +70,11 @@ describe MovableInk::AWS::SSM do
       expect(Aws::SSM::Client).to receive(:new).with({ region: 'us-east-1' })
       aws.ssm_client
     end
+    it 'Allows region to be defined as a parameter' do
+      expect(Aws::SSM::Client).to receive(:new).with({ region: 'us-east-2' })
+      aws.ssm_client('us-east-2')
+    end
   end
   describe 'ssm_client_failover' do
@@ -75,6 +82,11 @@ describe MovableInk::AWS::SSM do
       expect(Aws::SSM::Client).to receive(:new).with({ region: 'us-west-2' })
       aws.ssm_client_failover
     end
+    it 'fails over to parameter defined region' do
+      expect(Aws::SSM::Client).to receive(:new).with({ region: 'us-west-1' })
+      aws.ssm_client_failover('us-west-1')
+    end
   end
   describe 'run_with_backoff_and_client_fallback' do
@@ -103,4 +115,36 @@ describe MovableInk::AWS::SSM do
       expect(results).to include(1, 2)
     end
   end
+  describe 'mi_secrets_config_file_path' do
+    it 'returns string' do
+      expect(aws.mi_secrets_config_file_path).to eq mi_secrets_config_file_path
+    end
+  end
+  describe 'mi_secrets_config' do
+    it 'parses config file with symbols' do
+       allow(File).to receive(:read).with(mi_secrets_config_file_path).and_return(mi_secrets_config_file_mock)
+       allow(File).to receive(:exist?).with(mi_secrets_config_file_path).and_return(true)
+       config = aws.mi_secrets_config
+       expect(config.keys).to eq([:ssm_parameters_regions_map])
+       expect(config[:ssm_parameters_regions_map][:"us-east-1"][:primary_region]).to eq 'us-east-1'
+       expect(config[:ssm_parameters_regions_map][:"us-east-1"][:failover_region]).to eq 'us-east-2'
+    end
+  end
+  describe 'mi_ssm_clients_regions' do
+    it 'returns values from config' do
+      allow(aws).to receive(:mi_secrets_config).and_return(JSON.parse(mi_secrets_config_file_mock, :symbolize_names => true))
+      allow(aws).to receive(:my_region).and_return('us-east-1')
+      expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-east-2']
+    end
+    it 'returns default values if config is missing' do
+      allow(aws).to receive(:mi_secrets_config).and_return(nil)
+      allow(aws).to receive(:my_region).and_return('us-east-1')
+      expect(aws.mi_ssm_clients_regions).to eq ['us-east-1', 'us-west-2']
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: MovableInkAWS
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.6.3
 platform: ruby
 authors:
 - Matt Chesler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-06 00:00:00.000000000 Z
+date: 2022-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -108,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-rds
   requirement: !ruby/object:Gem::Requirement
@@ -241,6 +255,7 @@ files:
 - lib/movable_ink/aws/eks.rb
 - lib/movable_ink/aws/elasticache.rb
 - lib/movable_ink/aws/errors.rb
+- lib/movable_ink/aws/iam.rb
 - lib/movable_ink/aws/metadata.rb
 - lib/movable_ink/aws/route53.rb
 - lib/movable_ink/aws/s3.rb
@@ -253,6 +268,7 @@ files:
 - spec/consul_spec.rb
 - spec/ec2_spec.rb
 - spec/elasticache_spec.rb
+- spec/iam_spec.rb
 - spec/metadata_spec.rb
 - spec/route53_spec.rb
 - spec/s3_spec.rb