aptible-auth 1.2.6 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 91eb4ee95916762970bae2c1ddc260b9f0e5ffccebc5ca6479875aad3ca66ca5
-  data.tar.gz: 45db7f42ff6ca821dee7fef025e28c22bdf87b8601d97d7d637646b976fd7f56
+  metadata.gz: fa366e77caf944b6664bf9028ed18951244aa306db65267f4f7cd6abc5b186b6
+  data.tar.gz: f8142c1e9887387bf58187937b5f182396b83ff9f68f834811065b5606e33de0
 SHA512:
-  metadata.gz: 3aa579e5df97ad873dbd566322f2e6d8d6dcd3fee8e06bfdcb7d54e5a8eedff793d667266e6be5cf35427c3510046164b5ec4e3a12cad86006f031bc66734dc6
-  data.tar.gz: f978a956c1037c31f920f33646ad247af9048038fef96fc858ffc928983451de5ccb3bdb707aade59d83ac10088a753f1258cb31ac6af788c966400879fccb0e
+  metadata.gz: b8e25debb3cca514e6b6fd343d57f1010ca657e34640e7a5a188d45ff98d48a2c1946ff56ff9019d015c22d6f9d5b4b47ec6d927a4dd96f26727f020c778ef2a
+  data.tar.gz: 6e4947efb5abd53ea279f90be54d237c289d14d4f968ea5b49e2b7ba570828d6f51708a744ac8c6d7c7cdbadd47a071d0d4b55cc4a1c88d4c0ef27cc8e34678c

data/.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        RUBY_VERSION: [2.6, 2.7]
+        RUBY_VERSION: [2.6, 2.7, 3.3, 3.4]
     steps:
       - name: Check out code
         uses: actions/checkout@v4

data/.ruby-version

@@ -0,0 +1 @@
+3.4

data/lib/aptible/auth/external_aws_oidc_token.rb

@@ -0,0 +1,24 @@
+module Aptible
+  module Auth
+    class ExternalAwsOidcToken
+      attr_reader :aws_web_identity_token_file_content, :aws_role_arn
+
+      def initialize(attributes = {})
+        @aws_web_identity_token_file_content =
+          attributes['aws_web_identity_token_file_content'] ||
+          attributes[:aws_web_identity_token_file_content]
+        @aws_role_arn =
+          attributes['aws_role_arn'] ||
+          attributes[:aws_role_arn]
+      end
+
+      def to_s
+        aws_web_identity_token_file_content.to_s
+      end
+
+      def token
+        aws_web_identity_token_file_content
+      end
+    end
+  end
+end

data/lib/aptible/auth/external_aws_role.rb

@@ -0,0 +1,30 @@
+module Aptible
+  module Auth
+    class ExternalAwsRole < Resource
+      belongs_to :organization
+
+      field :id
+      field :external_aws_account_id
+      field :aws_account_id
+      field :role_type
+      field :role_arn
+      field :last_verified_at, type: Time
+      field :created_at, type: Time
+      field :updated_at, type: Time
+
+      def external_aws_oidc_token!
+        response = HyperResource::Link.new(
+          self,
+          'href' => "#{href}/external_aws_oidc_token"
+        ).post(
+          self.class.normalize_params(
+            aws_account_id: attributes[:aws_account_id],
+            role_arn: attributes[:role_arn],
+            role_type: attributes[:role_type]
+          )
+        )
+        ExternalAwsOidcToken.new(response.body)
+      end
+    end
+  end
+end

data/lib/aptible/auth/organization.rb

@@ -5,6 +5,7 @@ module Aptible
       has_many :users
       has_many :invitations
       has_many :whitelist_memberships
+      has_many :external_aws_roles
       belongs_to :security_officer
 
       field :id

data/lib/aptible/auth/resource.rb

@@ -24,6 +24,8 @@ require 'aptible/auth/token'
 require 'aptible/auth/user'
 require 'aptible/auth/ssh_key'
 require 'aptible/auth/saml_configuration'
+require 'aptible/auth/external_aws_role'
+require 'aptible/auth/external_aws_oidc_token'
 require 'aptible/auth/whitelist_membership'
 require 'aptible/auth/reauthenticate_organization'
 require 'aptible/auth/ssh_key_pre_authorization'

data/lib/aptible/auth/token.rb

@@ -1,5 +1,4 @@
 require 'oauth2'
-require 'oauth2/response_parser'
 require 'oauth2/strategy/token_exchange'
 
 module Aptible
@@ -54,7 +53,7 @@ module Aptible
         # consistent API to consumers, we override it here
         expires_in = options.delete(:expires_in)
         options[:exp] = Time.now.utc.to_i + expires_in if expires_in
-        oauth_token = oauth.assertion.get_token({
+        oauth_token = oauth.assertion.get_token(**{
           iss: id,
           sub: subject
         }.merge(signing_params_from_secret(secret).merge(options)))
@@ -78,6 +77,7 @@ module Aptible
         options = {
           site: root_url,
           token_url: '/tokens',
+          auth_scheme: :request_body,
           connection_opts: {
             headers: {
               'User-Agent' => Aptible::Resource.configuration.user_agent

data/lib/aptible/auth/version.rb

@@ -1,5 +1,5 @@
 module Aptible
   module Auth
-    VERSION = '1.2.6'.freeze
+    VERSION = '1.3.0'.freeze
   end
 end

data/spec/aptible/auth/external_aws_oidc_token_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe Aptible::Auth::ExternalAwsOidcToken do
+  let(:token_content) { 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...' }
+  let(:role_arn) { 'arn:aws:iam::123456789012:role/MyRole' }
+
+  describe '#initialize' do
+    it 'should accept string keys' do
+      token = described_class.new(
+        'aws_web_identity_token_file_content' => token_content,
+        'aws_role_arn' => role_arn
+      )
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+
+    it 'should accept symbol keys' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content,
+        aws_role_arn: role_arn
+      )
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+  end
+
+  describe '#token' do
+    it 'should return the token content' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content
+      )
+      expect(token.token).to eq token_content
+    end
+  end
+
+  describe '#to_s' do
+    it 'should return the token content as a string' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content
+      )
+      expect(token.to_s).to eq token_content
+    end
+  end
+end

data/spec/aptible/auth/external_aws_role_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+
+describe Aptible::Auth::ExternalAwsRole do
+  it { should be_a Aptible::Auth::Resource }
+
+  describe '#organization' do
+    let(:organization) { double 'Aptible::Auth::Organization' }
+
+    it 'should return the organization' do
+      allow(subject).to receive(:organization) { organization }
+      expect(subject.organization).to eq organization
+    end
+  end
+
+  describe '#external_aws_oidc_token!' do
+    let(:token_content) { 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...' }
+    let(:role_arn) { 'arn:aws:iam::123456789012:role/MyRole' }
+    let(:aws_account_id) { '123456789012' }
+    let(:role_type) { 'deploy' }
+    let(:response) do
+      double(
+        'response',
+        body: {
+          'aws_web_identity_token_file_content' => token_content,
+          'aws_role_arn' => role_arn
+        }
+      )
+    end
+    let(:link) { double('HyperResource::Link') }
+
+    before do
+      allow(subject).to receive(:href) { 'https://auth.aptible.com/external_aws_roles/123' }
+      allow(subject).to receive(:attributes).and_return(
+        aws_account_id: aws_account_id,
+        role_arn: role_arn,
+        role_type: role_type
+      )
+      allow(HyperResource::Link).to receive(:new).and_return(link)
+      allow(link).to receive(:post).and_return(response)
+    end
+
+    it 'should create a link with the correct URL' do
+      expect(HyperResource::Link).to receive(:new).with(
+        subject,
+        'href' => 'https://auth.aptible.com/external_aws_roles/123/external_aws_oidc_token'
+      ).and_return(link)
+      subject.external_aws_oidc_token!
+    end
+
+    it 'should POST with the correct parameters' do
+      expect(link).to receive(:post).with(
+        hash_including(
+          aws_account_id: aws_account_id,
+          role_arn: role_arn,
+          role_type: role_type
+        )
+      ).and_return(response)
+      subject.external_aws_oidc_token!
+    end
+
+    it 'should return an ExternalAwsOidcToken' do
+      token = subject.external_aws_oidc_token!
+      expect(token).to be_a Aptible::Auth::ExternalAwsOidcToken
+      expect(token.token).to eq token_content
+    end
+
+    it 'should populate the returned token with response data' do
+      token = subject.external_aws_oidc_token!
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+  end
+end

data/spec/aptible/auth/organization_spec.rb

@@ -5,8 +5,44 @@ describe Aptible::Auth::Organization do
     let(:user) { double 'Aptible::Auth::User' }
 
     it 'should return the security officer' do
-      subject.stub(:security_officer) { user }
+      allow(subject).to receive(:security_officer) { user }
       expect(subject.security_officer).to eq user
     end
   end
+
+  describe '#external_aws_roles' do
+    let(:external_aws_role) { double 'Aptible::Auth::ExternalAwsRole' }
+
+    it 'should return the external_aws_roles' do
+      allow(subject).to receive(:external_aws_roles) { [external_aws_role] }
+      expect(subject.external_aws_roles).to eq [external_aws_role]
+    end
+  end
+
+  describe '#create_external_aws_role!' do
+    let(:params) do
+      {
+        aws_account_id: '123456789012',
+        role_arn: 'arn:aws:iam::123456789012:role/MyRole',
+        role_type: 'deploy'
+      }
+    end
+    let(:external_aws_role) { double('Aptible::Auth::ExternalAwsRole') }
+    let(:external_aws_roles_link) { double('HyperResource::Link') }
+
+    before do
+      allow(subject).to receive(:loaded) { true }
+      allow(subject).to receive(:links) { { external_aws_roles: external_aws_roles_link } }
+      allow(external_aws_roles_link).to receive(:create).and_return(external_aws_role)
+    end
+
+    it 'should call create on the external_aws_roles link' do
+      expect(external_aws_roles_link).to receive(:create).with(params)
+      subject.create_external_aws_role!(params)
+    end
+
+    it 'should return the created external_aws_role' do
+      expect(subject.create_external_aws_role!(params)).to eq external_aws_role
+    end
+  end
 end

data/spec/aptible/auth/resource_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Aptible::Auth::Resource do
   its(:namespace) { should eq 'Aptible::Auth' }
-  its(:root_url) { should eq 'https://auth.aptible.com' }
+  its(:root_url) { should eq ENV['APTIBLE_AUTH_ROOT_URL'] || 'https://auth.aptible.com' }
 
   describe '#bearer_token' do
     it 'should accept an Aptible::Auth::Token' do

data/spec/aptible/auth_spec.rb

@@ -6,12 +6,17 @@ describe Aptible::Auth do
   it 'should have a configurable root_url' do
     config = described_class.configuration
     expect(config).to be_a GemConfig::Configuration
-    expect(config.root_url).to eq 'https://auth.aptible.com'
+    set_env 'APTIBLE_AUTH_ROOT_URL', nil do
+      load 'aptible/auth.rb'
+      config.reset
+      expect(config.root_url).to eq 'https://auth.aptible.com'
+    end
   end
 
-  pending 'uses ENV["APTIBLE_AUTH_ROOT_URL"] if defined' do
+  it 'uses ENV["APTIBLE_AUTH_ROOT_URL"] if defined' do
     config = described_class.configuration
     set_env 'APTIBLE_AUTH_ROOT_URL', 'http://foobar.com' do
+      load 'aptible/auth.rb'
       config.reset
       expect(config.root_url).to eq 'http://foobar.com'
     end

data/spec/shared/set_env.rb

@@ -1,4 +1,4 @@
-def set_env(*args, _block)
+def set_env(*args, &_block)
   hash = args.first.is_a?(Hash) ? args.first : Hash[*args]
   old_values = Hash[hash.map { |k, _| [k, ENV[k]] }]
   begin

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: aptible-auth
 version: !ruby/object:Gem::Version
-  version: 1.2.6
+  version: 1.3.0
 platform: ruby
 authors:
 - Frank Macreery
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-23 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aptible-resource
@@ -175,6 +174,7 @@ files:
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
+- ".ruby-version"
 - Gemfile
 - LICENSE.md
 - Procfile
@@ -185,6 +185,8 @@ files:
 - lib/aptible/auth.rb
 - lib/aptible/auth/agent.rb
 - lib/aptible/auth/client.rb
+- lib/aptible/auth/external_aws_oidc_token.rb
+- lib/aptible/auth/external_aws_role.rb
 - lib/aptible/auth/invitation.rb
 - lib/aptible/auth/membership.rb
 - lib/aptible/auth/organization.rb
@@ -199,9 +201,10 @@ files:
 - lib/aptible/auth/user.rb
 - lib/aptible/auth/version.rb
 - lib/aptible/auth/whitelist_membership.rb
-- lib/oauth2/response_parser.rb
 - lib/oauth2/strategy/token_exchange.rb
 - spec/aptible/auth/agent_spec.rb
+- spec/aptible/auth/external_aws_oidc_token_spec.rb
+- spec/aptible/auth/external_aws_role_spec.rb
 - spec/aptible/auth/organization_spec.rb
 - spec/aptible/auth/resource_spec.rb
 - spec/aptible/auth/token_spec.rb
@@ -214,7 +217,6 @@ homepage: https://github.com/aptible/aptible-auth-ruby
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -229,12 +231,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Ruby client for auth.aptible.com
 test_files:
 - spec/aptible/auth/agent_spec.rb
+- spec/aptible/auth/external_aws_oidc_token_spec.rb
+- spec/aptible/auth/external_aws_role_spec.rb
 - spec/aptible/auth/organization_spec.rb
 - spec/aptible/auth/resource_spec.rb
 - spec/aptible/auth/token_spec.rb

data/lib/oauth2/response_parser.rb

@@ -1,5 +0,0 @@
-# rubocop:disable all
-# NOTE: This code has been in oauth2 master since 2018 but is awaiting a 2.0 release of oauth2
-OAuth2::Response.register_parser(:json, ['application/json', 'text/javascript', 'application/hal+json', 'application/vnd.collection+json', 'application/vnd.api+json']) do |body|
-  MultiJson.load(body) rescue body # rubocop:disable RescueModifier
-end