aws-google 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 76723a29a160f6d7326a3329e08e6316da4e8e224013ef400321cd7780e46340
+  data.tar.gz: 2cac963af78ade133bccdafa257bb8bc691a794afa0f1f0172f920ecd5c335a9
+SHA512:
+  metadata.gz: 4a2aa252e1108cd54bc562ab4cf2f5c54732f9a66ce86b57fbfd96c43a799c9792d9adb38661488cf00667959a47b091def2a47fc72af55fa2e5d66bd2b9ebf3
+  data.tar.gz: 457f3dadbf5bb0b00059576ebc19daeb93a4ddd55867f49d6dab121a17a7041dc87c86fb46b8cc65d77115dbe27cb1a387340344204be7c804c01a82008f9459

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/.idea/

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.14.6

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright 2019 Code.org
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,92 @@
+# Aws::Google [![Build Status](https://travis-ci.com/code-dot-org/aws-google.svg?branch=master)](https://travis-ci.com/code-dot-org/aws-google)
+
+Use Google OAuth as an AWS Credential Provider.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'aws-google'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install aws-google
+
+## Usage
+
+- Visit the [Google API Console](https://console.developers.google.com/) to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
+- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust relationship' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action to be permitted
+by your Google Client ID and a specific set of Google Account IDs:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "accounts.google.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com"
+        },
+        "ForAnyValue:StringEquals": {
+          "accounts.google.com:sub": [
+            "000000000000000000000",
+            "111111111111111111111"
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+- In your Ruby code, construct an `Aws::Google` object by passing in the AWS role, client id and client secret:
+```ruby
+aws_role = 'arn:aws:iam::[AccountID]:role/[Role]'
+client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
+client_secret = '01234567890abcdefghijklmn'
+
+role_credentials = Aws::Google.new(
+  role_arn: aws_role,
+  google_client_id: client_id,
+  google_client_secret: client_secret
+)
+
+puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
+```
+
+- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
+
+```ruby
+Aws::Google.config = {
+  role_arn: aws_role,
+  google_client_id: client_id,
+  google_client_secret: client_secret,
+}
+
+puts Aws::STS::Client.new.get_caller_identity
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/code-dot-org/aws-google.
+
+## License
+
+The gem is available as open source under the terms of the [Apache 2.0 License](http://opensource.org/licenses/apache-2.0).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/aws-google.gemspec

@@ -0,0 +1,35 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'aws/google/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aws-google'
+  spec.version       = Aws::Google::VERSION
+  spec.authors       = ['Will Jordan']
+  spec.email         = ['will@code.org']
+
+  spec.summary       = 'Use Google OAuth as an AWS credential provider'
+  spec.description   = 'Use Google OAuth as an AWS credential provider.'
+  spec.homepage      = 'https://github.com/code-dot-org/aws-google'
+  spec.license       = 'Apache-2.0'
+
+  spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'aws-sdk-core', '~> 3'
+  spec.add_dependency 'google-api-client', '~> 0.23'
+  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+
+  spec.add_development_dependency 'activesupport', '~> 5'
+  spec.add_development_dependency 'bundler', '~> 1'
+  spec.add_development_dependency 'minitest', '~> 5.10'
+  spec.add_development_dependency 'mocha', '~> 1.5'
+  spec.add_development_dependency 'rake', '~> 12'
+  spec.add_development_dependency 'timecop', '~> 0.8'
+  spec.add_development_dependency 'webmock', '~> 3.3'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'aws/google'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/aws/google.rb

@@ -0,0 +1,193 @@
+require_relative 'google/version'
+require 'aws-sdk-core'
+require_relative 'google/credential_provider'
+
+require 'googleauth'
+require 'google/api_client/auth/storage'
+require 'google/api_client/auth/storages/file_store'
+
+module Aws
+  # An auto-refreshing credential provider that works by assuming
+  # a role via {Aws::STS::Client#assume_role_with_web_identity},
+  # using an ID token derived from a Google refresh token.
+  #
+  #   role_credentials = Aws::Google.new(
+  #     role_arn: aws_role,
+  #     google_client_id: client_id,
+  #     google_client_secret: client_secret
+  #   )
+  #
+  #   ec2 = Aws::EC2::Client.new(credentials: role_credentials)
+  #
+  # If you omit `:client` option, a new {Aws::STS::Client} object will be
+  # constructed.
+  class Google
+    include ::Aws::CredentialProvider
+    include ::Aws::RefreshingCredentials
+
+    class << self
+      attr_accessor :config
+    end
+
+    # @option options [required, String] :role_arn
+    # @option options [String] :policy
+    # @option options [Integer] :duration_seconds
+    # @option options [String] :external_id
+    # @option options [STS::Client] :client STS::Client to use (default: create new client)
+    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+    # @option options [String] :domain G Suite domain for account-selection hint
+    # @option options [String] :online if `true` only a temporary access token will be provided,
+    #                 a long-lived refresh token will not be created and stored on the filesystem.
+    # @option options [::Google::Auth::ClientId] :google_id
+    def initialize(options = {})
+      @oauth_attempted = false
+      @assume_role_params = options.slice(
+        *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
+          input.shape.member_names
+      )
+
+      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+      @google_id = ::Google::Auth::ClientId.new(
+        options[:google_client_id],
+        options[:google_client_secret]
+      )
+      @client = options[:client] || Aws::STS::Client.new(credentials: nil)
+      @domain = options[:domain]
+      @online = options[:online]
+
+      # Use existing AWS credentials stored in the shared config if available.
+      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+      # to generate AWS credentials derived from Google authentication.
+      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
+      @mutex = Mutex.new
+      if near_expiration?
+        refresh!
+      else
+        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
+      end
+    end
+
+    private
+
+    # Use cached Application Default Credentials if available,
+    # otherwise fallback to creating new Google credentials through browser login.
+    def google_client
+      @google_client ||= (::Google::Auth.get_application_default rescue nil) || google_oauth
+    end
+
+    # Create an OAuth2 Client using Google's default browser-based OAuth InstalledAppFlow.
+    # Store cached credentials to the standard Google Application Default Credentials location.
+    # Ref: http://goo.gl/IUuyuX
+    # @return [Signet::OAuth2::Client]
+    def google_oauth
+      return nil if @oauth_attempted
+      @oauth_attempted = true
+
+      path = "#{ENV['HOME']}/.config/#{::Google::Auth::CredentialsLoader::WELL_KNOWN_PATH}"
+      FileUtils.mkdir_p(File.dirname(path))
+      storage = GoogleStorage.new(::Google::APIClient::FileStore.new(path))
+
+      options = {
+        client_id: @google_id.id,
+        client_secret: @google_id.secret,
+        scope: %w[openid email]
+      }
+      uri_options = {include_granted_scopes: true}
+      uri_options[:hd] = @domain if @domain
+      uri_options[:access_type] = 'online' if @online
+
+      require 'google/api_client/auth/installed_app'
+      if defined?(Launchy) && Launchy::Application::Browser.new.app_list.any?
+        ::Google::APIClient::InstalledAppFlow.new(options).authorize(storage, uri_options)
+      else
+        credentials = ::Google::Auth::UserRefreshCredentials.new(
+          options.merge(redirect_uri: 'urn:ietf:wg:oauth:2.0:oob')
+        )
+        url = credentials.authorization_uri(uri_options)
+        print 'Open the following URL in the browser and enter the ' \
+             "resulting code after authorization:\n#{url}\n> "
+        credentials.code = gets
+        credentials.fetch_access_token!
+        credentials.tap(&storage.method(:write_credentials))
+      end
+    end
+
+    def refresh
+      assume_role = begin
+        client = google_client
+        return unless client
+
+        begin
+          tries ||= 2
+          id_token = client.id_token
+          # Decode the JWT id_token to use the Google email as the AWS role session name.
+          token_params = JWT.decode(id_token, nil, false).first
+        rescue JWT::DecodeError, JWT::ExpiredSignature
+          # Refresh and retry once if token is expired or invalid.
+          client.refresh!
+          raise if (tries -= 1).zero?
+          retry
+        end
+
+        @client.assume_role_with_web_identity(
+          @assume_role_params.merge(
+            web_identity_token: id_token,
+            role_session_name: token_params['email']
+          )
+        )
+      rescue Signet::AuthorizationError => e
+        retry if (@google_client = google_oauth)
+        raise
+      rescue Aws::STS::Errors::AccessDenied => e
+        retry if (@google_client = google_oauth)
+        raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
+Role: #{@assume_role_params[:role_arn]}
+Email: #{token_params['email']}
+Google ID: #{token_params['sub']}", e.backtrace
+      end
+
+      c = assume_role.credentials
+      @credentials = Aws::Credentials.new(
+        c.access_key_id,
+        c.secret_access_key,
+        c.session_token
+      )
+      @expiration = c.expiration.to_i
+      write_credentials
+    end
+
+    # Write credentials and expiration to AWS credentials file.
+    def write_credentials
+      # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+      return unless system('which aws >/dev/null 2>&1')
+      %w[
+        access_key_id
+        secret_access_key
+        session_token
+      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
+        to_h.
+        merge(expiration: @expiration).each do |key, value|
+        system("aws configure set #{key} #{value} --profile #{@profile}")
+      end
+    end
+  end
+
+  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
+  module SharedConfigGetKey
+    def get(key, opts = {})
+      profile = opts.delete(:profile) || @profile_name
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        prof_config[key]
+      end
+    end
+  end
+  Aws::SharedConfig.prepend SharedConfigGetKey
+
+  # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
+  # as required by Google's default credentials loader.
+  class GoogleStorage < ::Google::APIClient::Storage
+    def credentials_hash
+      super.merge(type: 'authorized_user')
+    end
+  end
+end

data/lib/aws/google/credential_provider.rb

@@ -0,0 +1,18 @@
+module Aws
+  class Google
+    # Inserts GoogleCredentials into the default AWS credential provider chain.
+    # Google credentials will only be used if Aws::Google.config is set before initialization.
+    module CredentialProvider
+      # Insert google_credentials as the second-to-last credentials provider
+      # (in front of instance profile, which makes an http request).
+      def providers
+        super.insert(-2, [:google_credentials, {}])
+      end
+
+      def google_credentials(options)
+        (config = Google.config) && Google.new(options.merge(config))
+      end
+    end
+    ::Aws::CredentialProviderChain.prepend CredentialProvider
+  end
+end

data/lib/aws/google/version.rb

@@ -0,0 +1,5 @@
+module Aws
+  class Google
+    VERSION = '0.1.0'.freeze
+  end
+end

metadata

@@ -0,0 +1,197 @@
+--- !ruby/object:Gem::Specification
+name: aws-google
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Will Jordan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-02-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: google-api-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.23'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.23'
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.10'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+description: Use Google OAuth as an AWS credential provider.
+email:
+- will@code.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws-google.gemspec
+- bin/console
+- bin/setup
+- lib/aws/google.rb
+- lib/aws/google/credential_provider.rb
+- lib/aws/google/version.rb
+homepage: https://github.com/code-dot-org/aws-google
+licenses:
+- Apache-2.0
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.4
+signing_key: 
+specification_version: 4
+summary: Use Google OAuth as an AWS credential provider
+test_files: []