aws-creds 0.2.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 17f66b03fff9750104d21819f6df7676bb8746d1
+  data.tar.gz: 002899a2d52f2840844bcf7dc4bbd856776b1d80
+SHA512:
+  metadata.gz: c2eb68f8e7e8c38f1235fbedad7507418033426535842c4827cd204f5576a94a2f9161c98d44c33330c724d2b641169ebff8907985d7b32211545ada8a83db1b
+  data.tar.gz: 553e3648677f9a01855d650ecd6d61ff486626371a53eeaa81f6903c75d4239ef225670b4c969b0890d3c40996d4e93cb5685220554182c528a05d451103356b

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Airbnb
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+# AWS::Creds
+
+AWS::Creds exposes your AWS credentials through a command line utility and a Ruby API.
+
+## Why?
+
+There is plenty to get wrong when handling credentials:
+
+- When storing them on disk, only your user should be able to read it. awscreds will raise an exception if its permissions are too broad.
+- When passing it to programs, they shouldn't be passed through the command line, or other users can find them through ps.
+- When manipulating credentials in a language like Ruby, it should be as hard as possible to leak secrets through logs or traces.
+
+Using command-line AWS tools seemed to be painful as well:
+
+- There seemed to be no simple way to maintain a set of AWS credentials for multiple identities, and pick one quickly.
+- Different tools can use different environment variables, or offer different configuration file formats.
+
+We wanted to address this problem with:
+
+- A simple file format and well-known location, that could be easily reimplemented;
+- A simple yet flexible Ruby API, so future tools do not need to reinvent the wheel;
+- A command-line utility to easily pass the credentials of your choice to command line utilities.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'aws-creds'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install aws-creds
+
+## Usage
+
+### Storage
+
+Put your AWS credentials in `~/.awscreds`, one line per credentials, with the following colon-separated fields:
+
+- A name for your credentials (the magic name "default" will be picked unless specified otherwise)
+- The Access Key ID (20 characters, alphanumeric)
+- The Secret Access Key (40 characters)
+
+For example:
+
+    default:AKIAIOSFODNNDEADBEEF:WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWp
+    admin:AKIAIOO432MG8BADF00D:T60q14wrbyxl3Ed13VOFA/2G+nvJR/jgHC42jIH1
+
+### Command-line utility
+
+`awc --help` should guide you.
+
+To list the available credentials, use `-l`:
+
+    $ awc -li admin
+     default
+    *admin
+
+To call `myscript put` and provide it with credentials, use:
+
+    $ awc myscript put
+
+Its effects can easily be inspected:
+
+    $ awc -i admin env | grep AWS
+    AWS_ACCESS_KEY=AKIAIOO432MG8BADF00D
+    AWSAccessKeyId=AKIAIOO432MG8BADF00D
+    AWS_ACCESS_KEY_ID=AKIAIOO432MG8BADF00D
+    AWS_SECRET_KEY=T60q14wrbyxl3Ed13VOFA/2G+nvJR/jgHC42jIH1
+    AWSSecretKey=T60q14wrbyxl3Ed13VOFA/2G+nvJR/jgHC42jIH1
+    AWS_SECRET_ACCESS_KEY=T60q14wrbyxl3Ed13VOFA/2G+nvJR/jgHC42jIH1
+
+### Ruby API
+
+The Ruby gem should be easy to use (feedback is obviously welcome).
+
+Documentation could be improved; in the meantime, here is a simple example:
+
+    require 'aws/creds'
+    require 'aws'
+    creds = AWS::Creds[:default]
+    STDERR.puts "Using access key #{creds.access_key_id}"
+    AWS.config creds.to_hash
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs = %w[lib test]
+  t.test_files = FileList['test/**/test*.rb']
+end
+
+desc 'Run tests'
+task :default => :test

data/aws-creds.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path '../lib', __FILE__
+$LOAD_PATH.unshift lib unless $LOAD_PATH.include? lib
+
+require 'aws/creds/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aws-creds'
+  spec.version       = AWS::Creds::VERSION
+  spec.authors       = ['Pierre Carrier']
+  spec.email         = ['pierre@gcarrier.fr']
+  spec.description   = 'AWS credentials manager'
+  spec.summary       = 'AWSCreds exposes your AWS credentials through the command line or Ruby API'
+  spec.homepage      = 'https://github.com/airbnb/gem-aws-creds'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split $/
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename f }
+  spec.test_files    = spec.files.grep %r{^(test|spec|features)/}
+  spec.require_paths = %w[lib]
+
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'aws-sdk'
+
+  spec.add_dependency 'trollop', '~> 2.0'
+end

data/bin/awc

@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+
+require 'trollop'
+require 'aws/creds'
+
+parser = Trollop::Parser.new do
+  banner 'AWS credentials exposer for command-line utilities'
+  opt :list, 'List available credentials', :short => '-l'
+  opt :verbose, 'Verbose (exposes secrets)', :short => '-v'
+  opt :identity, 'Identity', :type => :string, :short => '-i'
+  stop_on_unknown
+end
+
+opts = Trollop::with_standard_exception_handling parser do
+  raise Trollop::HelpNeeded if ARGV.empty?
+  parser.parse ARGV
+end
+
+def no_keytab path
+  STDERR.puts <<-EOH
+awc couldn't find a keytab at #{path}.
+
+Please create one with something like:
+
+default:AKIAIOSFODNNDEADBEEF:WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWp
+admin:AKIAIOO432MG8BADF00D:T60q14wrbyxl3Ed13VOFA/2G+nvJR/jgHC42jIH1
+EOH
+  exit false
+end
+
+def list_keys store, verbose=false
+  store.each do |name, creds|
+    prefix = store.default?(name) ? '*' : ' '
+    if verbose
+      puts "#{prefix}#{name}\t#{creds.access_key_id}\t#{creds.secret_access_key}"
+    else
+      puts "#{prefix}#{name}"
+    end
+  end
+end
+
+# set all the environment variables that various AWS tools expect
+def update_env_for creds
+  %w[AWS_ACCESS_KEY AWSAccessKeyId AWS_ACCESS_KEY_ID].each do |var|
+    ENV[var] = creds.access_key_id
+  end
+
+  %w[AWS_SECRET_KEY AWSSecretKey AWS_SECRET_ACCESS_KEY].each do |var|
+    ENV[var] = creds.secret_access_key
+  end
+end
+
+begin
+  store = AWS::Creds::Store.new({:default => opts.identity})
+
+  if opts.list
+    list_keys store, opts.verbose
+  else
+    update_env_for store.default_keypair
+    exec(*ARGV)
+  end
+rescue AWS::Creds::MissingKeyTab => e
+  no_keytab e.path
+end

data/lib/aws/creds.rb

@@ -0,0 +1,14 @@
+require 'aws/creds/version'
+require 'aws/creds/store'
+require 'aws/creds/keypair'
+
+module AWS; module Creds
+  def self.method_missing name, *args, &block
+    @@root ||= Store.new
+    @@root.method(name).call(*args, &block)
+  end
+
+  def self.refresh
+    @@root = Store.new
+  end
+end; end

data/lib/aws/creds/keypair.rb

@@ -0,0 +1,32 @@
+module AWS; module Creds
+  class InvalidKeyPair < Exception; end
+  class InvalidAccessKeyId < InvalidKeyPair; end
+  class InvalidSecretAccessKey < InvalidKeyPair; end
+
+  class KeyPair
+    attr_reader :access_key_id, :secret_access_key
+
+    def initialize access_key_id, secret_access_key
+      @access_key_id, @secret_access_key = access_key_id, secret_access_key
+      validate
+    end
+
+    # For AWS-SDK compatibility
+    def to_hash
+      {:access_key_id => access_key_id, :secret_access_key => secret_access_key}
+    end
+
+    # Make it harder to leak secrets by accident
+    def to_s
+      "<#{self.class}: #{access_key_id[0..9]}...>"
+    end
+    alias_method :inspect, :to_s
+
+    private
+    def validate
+      raise InvalidAccessKeyId.new 'Incorrect length for Access Key ID' unless access_key_id.length == 20
+      raise InvalidAccessKeyId.new 'Access Key ID contains invalid characters' unless access_key_id =~ /^[A-Z0-9]{20}$/
+      raise InvalidSecretAccessKey.new 'Incorrect length for Secret Access Key' unless secret_access_key.length == 40
+    end
+  end
+end; end

data/lib/aws/creds/store.rb

@@ -0,0 +1,72 @@
+require 'aws/creds/keypair'
+
+module AWS; module Creds
+  class InvalidKeyTab < Exception
+    attr_accessor :path, :msg
+    def initialize path, msg=nil
+      @path, @msg = path, msg
+
+      def to_s
+        "#{path}: #{msg}"
+      end
+    end
+  end
+
+  class MissingKeyTab < InvalidKeyTab; end
+  class UnsafePerms   < InvalidKeyTab; end
+
+  class Store < Hash
+    def initialize opts={}
+      # :keytab => false to disable autoloading
+      keytab = opts[:keytab] || '~/.awscreds'
+      import_keytab keytab if keytab
+
+      @default = opts[:default]
+      @default ||= ENV['AWS_IDENTITY'] unless opts[:ignore_environment]
+      @default ||= 'default'
+    end
+
+    def identities
+      keys
+    end
+
+    def credentials
+      values
+    end
+
+    def [] name
+      super name.to_s
+    end
+
+    def default_keypair
+      self[@default]
+    end
+
+    def default? name
+      name == @default
+    end
+
+    def import_keytab path
+      read_config(path).lines.each do |line, idx|
+        fields = line.chomp.split ':'
+        raise InvalidKeyTab.new path, "missing fields line #{idx}" unless fields.length >= 3
+        self[fields[0]] = KeyPair.new fields[1], fields[2]
+      end
+      self
+    end
+
+    def read_config path
+      path = File.expand_path path
+
+      raise MissingKeyTab.new path, 'does not exist' unless File.exists? path
+
+      mode = File.stat(path).mode & 07777
+
+      unless mode & 07077 == 0
+        raise UnsafePerms.new path, "unsafe permissions (#{sprintf '%#04o', mode}); please chmod go= #{File.expand_path path}"
+      end
+
+      File.read path
+    end
+  end
+end; end

data/lib/aws/creds/version.rb

@@ -0,0 +1,3 @@
+module AWS; module Creds
+  VERSION = '0.2.2'
+end; end

data/test/test_keypairs.rb

@@ -0,0 +1,41 @@
+require 'test/unit'
+require 'aws/creds/keypair'
+require 'aws-sdk'
+
+class TestKeyPairs < Test::Unit::TestCase
+  INVALID_CASES = {
+    AWS::Creds::InvalidAccessKeyId => [
+      %w[AKIAIOSFODNNDEADBEE  WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWp],
+      %w[AKIAIOSFODNNDEADBEEFF WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWp],
+      %w[AKIAIOSFODNNDEADBEE$ WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWp],
+    ],
+    AWS::Creds::InvalidSecretAccessKey => [
+      %w[AKIAIOSFODNNDEADBEEF WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcW],
+      %w[AKIAIOSFODNNDEADBEEF WT8ftNba7siVx5UOoGzJSyd82uNCZAC8LCllzcWpp],
+    ]
+  }
+
+  EXAMPLE = AWS::Creds::KeyPair.new 'F'*10 + '0'*10, '0'*40
+
+  def test_accessors
+    assert_instance_of String, EXAMPLE.access_key_id
+    assert_instance_of String, EXAMPLE.secret_access_key
+  end
+
+  def test_validation
+    INVALID_CASES.each do |e, list|
+      list.each do |pair|
+        assert_raise(e) {AWS::Creds::KeyPair.new(*pair)}
+      end
+    end
+  end
+
+  def test_leaks
+    reprs = [EXAMPLE.to_s, EXAMPLE.inspect]
+    assert_empty reprs.grep(/0/)
+  end
+
+  def test_aws_sdk
+    AWS.config EXAMPLE.to_hash
+  end
+end

metadata

@@ -0,0 +1,115 @@
+--- !ruby/object:Gem::Specification
+name: aws-creds
+version: !ruby/object:Gem::Version
+  version: 0.2.2
+platform: ruby
+authors:
+- Pierre Carrier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: AWS credentials manager
+email:
+- pierre@gcarrier.fr
+executables:
+- awc
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws-creds.gemspec
+- bin/awc
+- lib/aws/creds.rb
+- lib/aws/creds/keypair.rb
+- lib/aws/creds/store.rb
+- lib/aws/creds/version.rb
+- test/test_keypairs.rb
+homepage: https://github.com/airbnb/gem-aws-creds
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.2
+signing_key: 
+specification_version: 4
+summary: AWSCreds exposes your AWS credentials through the command line or Ruby API
+test_files:
+- test/test_keypairs.rb
+has_rdoc: