aptible-auth 1.2.7 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff939c12eccbed8e6f8408f1608fa8b07e036b7fd837cf230ac8da01db236bac
-  data.tar.gz: c323895a11c8b0713b2f295c0178536e43f2bd8c01b823b4f44f4f29217c73d9
+  metadata.gz: a41b77f6708abdde557d4763215fd5f6e18460716a25c94c29fdd15564588dc3
+  data.tar.gz: a74283bb27a4a0ac4b952b2c0dd7065f0e7b35640d6354af73ab01910101f4de
 SHA512:
-  metadata.gz: 5a4e952f3b63e0692210ec0a8c58517ec5878618fe6f4c3f47c7ae4b94f2c31a6344e67fe88447a2bd59cbdf25f5550f8dc6f6511405af21aa2e022d579ddf98
-  data.tar.gz: ee7c792b19ae8c8acafb20710c5b404b729a7a8e202cf50632a1d7a2e096245208dbca586f8bb84050dbdb73397aae75c665dc1f0d791bc12704222b96831750
+  metadata.gz: 9597770fc7f1a203eb2efbb0326a58e495912cc3fde1835737cb6d9850395ab1a0d341ccea701db3502137aef32cfdd6199ada643908048148690224f55d0614
+  data.tar.gz: 05e43ea50940aa25ba554db3b0eb78469d52c27e96ad9af0db46b6efb9803dc39e0fe916dbd3c0c608babc606dff23f4cd7804c436d87cedc6cdd8997a4aa2ae

data/.github/workflows/ci.yml

@@ -15,22 +15,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        RUBY_VERSION: [2.6, 2.7]
+        RUBY_VERSION: [2.3, 2.4, 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4]
+    env:
+      RUBY_VERSION: ${{ matrix.RUBY_VERSION }}
     steps:
       - name: Check out code
         uses: actions/checkout@v4
 
-      - name: Install Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.RUBY_VERSION }}
-          bundler: 1.17.3
-
-      - name: Bundle install
-        run: bundle install
-
       - name: Rubocop
-        run: bundle exec rake rubocop
+        run: make lint
 
       - name: Rspec
-        run: bundle exec rspec
+        run: make test

data/.gitignore

@@ -16,3 +16,4 @@ test/tmp
 test/version_tmp
 tmp
 .idea
+/docker/ruby-*/

data/Dockerfile

@@ -0,0 +1,20 @@
+ARG RUBY_VERSION=2.3.1
+FROM ruby:${RUBY_VERSION}
+
+ARG BUNDLER_VERSION=1.17.3
+ENV BUNDLER_VERSION=${BUNDLER_VERSION}
+RUN if [ "${BUNDLER_VERSION}" != "" ] ; then \
+      gem install bundler -v "${BUNDLER_VERSION}" ; \
+    fi
+
+WORKDIR /app
+COPY Gemfile /app/
+COPY aptible-auth.gemspec /app/
+RUN mkdir -p /app/lib/aptible/auth/
+COPY lib/aptible/auth/version.rb /app/lib/aptible/auth/
+
+RUN bundle install
+
+COPY . /app
+
+CMD ["bash"]

data/Makefile

@@ -0,0 +1,68 @@
+
+export COMPOSE_IGNORE_ORPHANS ?= true
+export RUBY_VERSION ?= 2.3.1
+RUBY_VERSION_MAJOR = $(word 1,$(subst ., ,$(RUBY_VERSION)))
+export BUNDLER_VERSION ?=
+ifeq ($(BUNDLER_VERSION),)
+ifeq ($(RUBY_VERSION_MAJOR),2)
+export BUNDLER_VERSION = 1.17.3
+endif
+endif
+PROJECT_NAME = $(shell ls *.gemspec | sed 's/\.gemspec//')
+export COMPOSE_PROJECT_NAME ?= $(PROJECT_NAME)-$(subst .,_,$(RUBY_VERSION))
+
+default: help
+
+## Show this help message
+help:
+	@echo "\n\033[1;34mAvailable targets:\033[0m\n"
+	@awk 'BEGIN {FS = ":"; prev = ""} \
+					/^## / {prev = substr($$0, 4); next} \
+					/^[a-zA-Z_-]+:/ {if (prev != "") printf "  \033[1;36m%-20s\033[0m %s\n", $$1, prev; prev = ""} \
+					{prev = ""}' $(MAKEFILE_LIST) | sort
+	@echo
+
+BUILD_ARGS ?=
+## Build and pull docker compose images
+build: gemfile-lock
+	docker compose build --pull $(BUILD_ARGS)
+
+## Create a Gemfile.lock specific to the container (i.e., for the ruby version)
+gemfile-lock:
+	mkdir -pv ./docker/ruby-$(RUBY_VERSION)/ && \
+	echo '' > ./docker/ruby-$(RUBY_VERSION)/Gemfile.lock
+
+## Open shell in a docker container, supports CMD=
+bash: build
+	$(MAKE) run CMD=bash
+
+CMD ?= bash
+## Run command in a docker container, supports CMD=
+run:
+	docker compose run --rm runner $(CMD)
+
+## Run tests in a docker container, supports ARGS=
+test: build
+	$(MAKE) test-direct ARGS="$(ARGS)"
+
+## Run tests in a docker container without building, supports ARGS=
+test-direct:
+	$(MAKE) run CMD="bundle exec rspec $(ARGS)"
+
+## Run rubocop in a docker container, supports ARGS=
+lint: build
+	$(MAKE) lint-direct ARGS="$(ARGS)"
+
+## Run rubocop in a docker container without building, supports ARGS=
+lint-direct:
+	$(MAKE) run CMD="bundle exec rake rubocop $(ARGS)"
+
+## Clean up docker compose resources
+clean: clean-gemfile-lock
+	docker compose down --remove-orphans --volumes
+
+## Clean up the container specific Gemfile.lock
+clean-gemfile-lock:
+	rm -v ./docker/ruby-$(RUBY_VERSION)/Gemfile.lock ||:
+
+.PHONY: build bash test

data/aptible-auth.gemspec

@@ -21,7 +21,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'aptible-resource', '~> 1.0'
-  spec.add_dependency 'concurrent-ruby', '1.3.4'
   spec.add_dependency 'gem_config'
   spec.add_dependency 'multipart-post', '2.1.1'
   spec.add_dependency 'oauth2', '2.0.9'
@@ -31,5 +30,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-its'
-  spec.add_development_dependency 'timecop', '~> 0.8.1'
+  spec.add_development_dependency 'timecop', '~> 0.9.10'
 end

data/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  runner:
+    build:
+      context: .
+      args:
+        RUBY_VERSION: ${RUBY_VERSION:-2.3.1}
+        BUNDLER_VERSION: ${BUNDLER_VERSION:-}
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+      - ./docker/ruby-${RUBY_VERSION}/Gemfile.lock:/app/Gemfile.lock

data/lib/aptible/auth/external_aws_oidc_token.rb

@@ -0,0 +1,24 @@
+module Aptible
+  module Auth
+    class ExternalAwsOidcToken
+      attr_reader :aws_web_identity_token_file_content, :aws_role_arn
+
+      def initialize(attributes = {})
+        @aws_web_identity_token_file_content =
+          attributes['aws_web_identity_token_file_content'] ||
+          attributes[:aws_web_identity_token_file_content]
+        @aws_role_arn =
+          attributes['aws_role_arn'] ||
+          attributes[:aws_role_arn]
+      end
+
+      def to_s
+        aws_web_identity_token_file_content.to_s
+      end
+
+      def token
+        aws_web_identity_token_file_content
+      end
+    end
+  end
+end

data/lib/aptible/auth/external_aws_role.rb

@@ -0,0 +1,30 @@
+module Aptible
+  module Auth
+    class ExternalAwsRole < Resource
+      belongs_to :organization
+
+      field :id
+      field :external_aws_account_id
+      field :aws_account_id
+      field :role_type
+      field :role_arn
+      field :last_verified_at, type: Time
+      field :created_at, type: Time
+      field :updated_at, type: Time
+
+      def external_aws_oidc_token!
+        response = HyperResource::Link.new(
+          self,
+          'href' => "#{href}/external_aws_oidc_token"
+        ).post(
+          self.class.normalize_params(
+            aws_account_id: attributes[:aws_account_id],
+            role_arn: attributes[:role_arn],
+            role_type: attributes[:role_type]
+          )
+        )
+        ExternalAwsOidcToken.new(response.body)
+      end
+    end
+  end
+end

data/lib/aptible/auth/organization.rb

@@ -5,6 +5,7 @@ module Aptible
       has_many :users
       has_many :invitations
       has_many :whitelist_memberships
+      has_many :external_aws_roles
       belongs_to :security_officer
 
       field :id

data/lib/aptible/auth/resource.rb

@@ -24,6 +24,8 @@ require 'aptible/auth/token'
 require 'aptible/auth/user'
 require 'aptible/auth/ssh_key'
 require 'aptible/auth/saml_configuration'
+require 'aptible/auth/external_aws_role'
+require 'aptible/auth/external_aws_oidc_token'
 require 'aptible/auth/whitelist_membership'
 require 'aptible/auth/reauthenticate_organization'
 require 'aptible/auth/ssh_key_pre_authorization'

data/lib/aptible/auth/token.rb

@@ -53,7 +53,7 @@ module Aptible
         # consistent API to consumers, we override it here
         expires_in = options.delete(:expires_in)
         options[:exp] = Time.now.utc.to_i + expires_in if expires_in
-        oauth_token = oauth.assertion.get_token({
+        oauth_token = oauth.assertion.get_token(**{
           iss: id,
           sub: subject
         }.merge(signing_params_from_secret(secret).merge(options)))

data/lib/aptible/auth/version.rb

@@ -1,5 +1,5 @@
 module Aptible
   module Auth
-    VERSION = '1.2.7'.freeze
+    VERSION = '1.4.0'.freeze
   end
 end

data/spec/aptible/auth/external_aws_oidc_token_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe Aptible::Auth::ExternalAwsOidcToken do
+  let(:token_content) { 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...' }
+  let(:role_arn) { 'arn:aws:iam::123456789012:role/MyRole' }
+
+  describe '#initialize' do
+    it 'should accept string keys' do
+      token = described_class.new(
+        'aws_web_identity_token_file_content' => token_content,
+        'aws_role_arn' => role_arn
+      )
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+
+    it 'should accept symbol keys' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content,
+        aws_role_arn: role_arn
+      )
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+  end
+
+  describe '#token' do
+    it 'should return the token content' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content
+      )
+      expect(token.token).to eq token_content
+    end
+  end
+
+  describe '#to_s' do
+    it 'should return the token content as a string' do
+      token = described_class.new(
+        aws_web_identity_token_file_content: token_content
+      )
+      expect(token.to_s).to eq token_content
+    end
+  end
+end

data/spec/aptible/auth/external_aws_role_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+
+describe Aptible::Auth::ExternalAwsRole do
+  it { should be_a Aptible::Auth::Resource }
+
+  describe '#organization' do
+    let(:organization) { double 'Aptible::Auth::Organization' }
+
+    it 'should return the organization' do
+      allow(subject).to receive(:organization) { organization }
+      expect(subject.organization).to eq organization
+    end
+  end
+
+  describe '#external_aws_oidc_token!' do
+    let(:token_content) { 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...' }
+    let(:role_arn) { 'arn:aws:iam::123456789012:role/MyRole' }
+    let(:aws_account_id) { '123456789012' }
+    let(:role_type) { 'deploy' }
+    let(:response) do
+      double(
+        'response',
+        body: {
+          'aws_web_identity_token_file_content' => token_content,
+          'aws_role_arn' => role_arn
+        }
+      )
+    end
+    let(:link) { double('HyperResource::Link') }
+
+    before do
+      allow(subject).to receive(:href) { 'https://auth.aptible.com/external_aws_roles/123' }
+      allow(subject).to receive(:attributes).and_return(
+        aws_account_id: aws_account_id,
+        role_arn: role_arn,
+        role_type: role_type
+      )
+      allow(HyperResource::Link).to receive(:new).and_return(link)
+      allow(link).to receive(:post).and_return(response)
+    end
+
+    it 'should create a link with the correct URL' do
+      expect(HyperResource::Link).to receive(:new).with(
+        subject,
+        'href' => 'https://auth.aptible.com/external_aws_roles/123/external_aws_oidc_token'
+      ).and_return(link)
+      subject.external_aws_oidc_token!
+    end
+
+    it 'should POST with the correct parameters' do
+      expect(link).to receive(:post).with(
+        hash_including(
+          aws_account_id: aws_account_id,
+          role_arn: role_arn,
+          role_type: role_type
+        )
+      ).and_return(response)
+      subject.external_aws_oidc_token!
+    end
+
+    it 'should return an ExternalAwsOidcToken' do
+      token = subject.external_aws_oidc_token!
+      expect(token).to be_a Aptible::Auth::ExternalAwsOidcToken
+      expect(token.token).to eq token_content
+    end
+
+    it 'should populate the returned token with response data' do
+      token = subject.external_aws_oidc_token!
+      expect(token.aws_web_identity_token_file_content).to eq token_content
+      expect(token.aws_role_arn).to eq role_arn
+    end
+  end
+end

data/spec/aptible/auth/organization_spec.rb

@@ -5,8 +5,44 @@ describe Aptible::Auth::Organization do
     let(:user) { double 'Aptible::Auth::User' }
 
     it 'should return the security officer' do
-      subject.stub(:security_officer) { user }
+      allow(subject).to receive(:security_officer) { user }
       expect(subject.security_officer).to eq user
     end
   end
+
+  describe '#external_aws_roles' do
+    let(:external_aws_role) { double 'Aptible::Auth::ExternalAwsRole' }
+
+    it 'should return the external_aws_roles' do
+      allow(subject).to receive(:external_aws_roles) { [external_aws_role] }
+      expect(subject.external_aws_roles).to eq [external_aws_role]
+    end
+  end
+
+  describe '#create_external_aws_role!' do
+    let(:params) do
+      {
+        aws_account_id: '123456789012',
+        role_arn: 'arn:aws:iam::123456789012:role/MyRole',
+        role_type: 'deploy'
+      }
+    end
+    let(:external_aws_role) { double('Aptible::Auth::ExternalAwsRole') }
+    let(:external_aws_roles_link) { double('HyperResource::Link') }
+
+    before do
+      allow(subject).to receive(:loaded) { true }
+      allow(subject).to receive(:links) { { external_aws_roles: external_aws_roles_link } }
+      allow(external_aws_roles_link).to receive(:create).and_return(external_aws_role)
+    end
+
+    it 'should call create on the external_aws_roles link' do
+      expect(external_aws_roles_link).to receive(:create).with(params)
+      subject.create_external_aws_role!(params)
+    end
+
+    it 'should return the created external_aws_role' do
+      expect(subject.create_external_aws_role!(params)).to eq external_aws_role
+    end
+  end
 end

data/spec/aptible/auth/resource_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Aptible::Auth::Resource do
   its(:namespace) { should eq 'Aptible::Auth' }
-  its(:root_url) { should eq 'https://auth.aptible.com' }
+  its(:root_url) { should eq ENV['APTIBLE_AUTH_ROOT_URL'] || 'https://auth.aptible.com' }
 
   describe '#bearer_token' do
     it 'should accept an Aptible::Auth::Token' do

data/spec/aptible/auth_spec.rb

@@ -6,12 +6,17 @@ describe Aptible::Auth do
   it 'should have a configurable root_url' do
     config = described_class.configuration
     expect(config).to be_a GemConfig::Configuration
-    expect(config.root_url).to eq 'https://auth.aptible.com'
+    set_env 'APTIBLE_AUTH_ROOT_URL', nil do
+      load 'aptible/auth.rb'
+      config.reset
+      expect(config.root_url).to eq 'https://auth.aptible.com'
+    end
   end
 
-  pending 'uses ENV["APTIBLE_AUTH_ROOT_URL"] if defined' do
+  it 'uses ENV["APTIBLE_AUTH_ROOT_URL"] if defined' do
     config = described_class.configuration
     set_env 'APTIBLE_AUTH_ROOT_URL', 'http://foobar.com' do
+      load 'aptible/auth.rb'
       config.reset
       expect(config.root_url).to eq 'http://foobar.com'
     end

data/spec/shared/set_env.rb

@@ -1,4 +1,4 @@
-def set_env(*args, _block)
+def set_env(*args, &_block)
   hash = args.first.is_a?(Hash) ? args.first : Hash[*args]
   old_values = Hash[hash.map { |k, _| [k, ENV[k]] }]
   begin

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aptible-auth
 version: !ruby/object:Gem::Version
-  version: 1.2.7
+  version: 1.4.0
 platform: ruby
 authors:
 - Frank Macreery
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-17 00:00:00.000000000 Z
+date: 2025-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aptible-resource
@@ -24,20 +24,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: concurrent-ruby
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.3.4
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.3.4
 - !ruby/object:Gem::Dependency
   name: gem_config
   requirement: !ruby/object:Gem::Requirement
@@ -156,14 +142,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.9.10
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.9.10
 description: Ruby client for auth.aptible.com
 email:
 - frank@macreery.com
@@ -175,16 +161,21 @@ files:
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
+- Dockerfile
 - Gemfile
 - LICENSE.md
+- Makefile
 - Procfile
 - README.md
 - Rakefile
 - SECURITY.md
 - aptible-auth.gemspec
+- docker-compose.yml
 - lib/aptible/auth.rb
 - lib/aptible/auth/agent.rb
 - lib/aptible/auth/client.rb
+- lib/aptible/auth/external_aws_oidc_token.rb
+- lib/aptible/auth/external_aws_role.rb
 - lib/aptible/auth/invitation.rb
 - lib/aptible/auth/membership.rb
 - lib/aptible/auth/organization.rb
@@ -201,6 +192,8 @@ files:
 - lib/aptible/auth/whitelist_membership.rb
 - lib/oauth2/strategy/token_exchange.rb
 - spec/aptible/auth/agent_spec.rb
+- spec/aptible/auth/external_aws_oidc_token_spec.rb
+- spec/aptible/auth/external_aws_role_spec.rb
 - spec/aptible/auth/organization_spec.rb
 - spec/aptible/auth/resource_spec.rb
 - spec/aptible/auth/token_spec.rb
@@ -228,12 +221,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Ruby client for auth.aptible.com
 test_files:
 - spec/aptible/auth/agent_spec.rb
+- spec/aptible/auth/external_aws_oidc_token_spec.rb
+- spec/aptible/auth/external_aws_role_spec.rb
 - spec/aptible/auth/organization_spec.rb
 - spec/aptible/auth/resource_spec.rb
 - spec/aptible/auth/token_spec.rb