aws-google 0.1.0 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76723a29a160f6d7326a3329e08e6316da4e8e224013ef400321cd7780e46340
-  data.tar.gz: 2cac963af78ade133bccdafa257bb8bc691a794afa0f1f0172f920ecd5c335a9
+  metadata.gz: 00e6b5cf021f6b08503bc04f4359fa58028ebd227d0e12e66308af77f5613ba4
+  data.tar.gz: 971a4987281b9e2971574b590edba32a8522f061997cc20098ffa83e42216dac
 SHA512:
-  metadata.gz: 4a2aa252e1108cd54bc562ab4cf2f5c54732f9a66ce86b57fbfd96c43a799c9792d9adb38661488cf00667959a47b091def2a47fc72af55fa2e5d66bd2b9ebf3
-  data.tar.gz: 457f3dadbf5bb0b00059576ebc19daeb93a4ddd55867f49d6dab121a17a7041dc87c86fb46b8cc65d77115dbe27cb1a387340344204be7c804c01a82008f9459
+  metadata.gz: 71812e0486feddadacbff23840630334a9fb29466427542c0da9d2fd36184e3694bea4681ac708c2822fcf43c2ce1829adc530311ede86523359a96c78519205
+  data.tar.gz: d14acf9b9493d55e4ef4b10465a17f6e9cda6fd0bdaef5886a757e078a434ccac9f3faef51689bdc037cb8b5828a947788f0f24640e18039f4365597d1a2805a

data/README.md

@@ -21,8 +21,8 @@ Or install it yourself as:
 ## Usage
 
 - Visit the [Google API Console](https://console.developers.google.com/) to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
-- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust relationship' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action to be permitted
-by your Google Client ID and a specific set of Google Account IDs:
+- Create an AWS IAM Role with the desired IAM policies attached, and a ['trust policy'](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy) ([`AssumeRolePolicyDocument`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html)) allowing the [`sts:AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) action with [Web Identity Federation condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif) authorizing
+your Google Client ID (`accounts.google.com:aud`) and a specific set of Google Account IDs (`accounts.google.com:sub`):
 
 ```json
 {
@@ -36,9 +36,7 @@ by your Google Client ID and a specific set of Google Account IDs:
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
         "StringEquals": {
-          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com"
-        },
-        "ForAnyValue:StringEquals": {
+          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
           "accounts.google.com:sub": [
             "000000000000000000000",
             "111111111111111111111"
@@ -50,33 +48,38 @@ by your Google Client ID and a specific set of Google Account IDs:
 }
 ```
 
-- In your Ruby code, construct an `Aws::Google` object by passing in the AWS role, client id and client secret:
+- In your Ruby code, construct an `Aws::Google` object by passing the AWS `role_arn`, Google `client_id` and `client_secret`, either as constructor arguments or via the `Aws::Google.config` global defaults:
 ```ruby
-aws_role = 'arn:aws:iam::[AccountID]:role/[Role]'
-client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
-client_secret = '01234567890abcdefghijklmn'
+require 'aws/google'
 
-role_credentials = Aws::Google.new(
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret
-)
+options = {
+  aws_role: 'arn:aws:iam::[AccountID]:role/[Role]',
+  client_id: '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com',
+  client_secret: '01234567890abcdefghijklmn'
+}
 
-puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
-```
+# Pass constructor arguments:
+credentials = Aws::Google.new(options)
+puts Aws::STS::Client.new(credentials: credentials).get_caller_identity
 
-- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
+# Set global defaults:
+Aws::Google.config = options
+puts Aws::STS::Client.new.get_caller_identity
+```
 
-```ruby
-Aws::Google.config = {
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret,
-}
+- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:
 
-puts Aws::STS::Client.new.get_caller_identity
+```ini
+[my_profile]
+google =
+    role_arn = arn:aws:iam::[AccountID]:role/[Role]
+    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+    client_secret = 01234567890abcdefghijklmn
+credential_process = aws-google
 ```
 
+The extra `credential_process` config line tells AWS to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), in this case the `aws-google` script, which allows you to seamlessly use the same Google login configuration from non-Ruby SDKs (like the CLI).
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/aws-google.gemspec

@@ -23,11 +23,10 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk-core', '~> 3'
   spec.add_dependency 'google-api-client', '~> 0.23'
-  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+  spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
-  spec.add_development_dependency 'bundler', '~> 1'
-  spec.add_development_dependency 'minitest', '~> 5.10'
+  spec.add_development_dependency 'minitest', '~> 5.14.2'
   spec.add_development_dependency 'mocha', '~> 1.5'
   spec.add_development_dependency 'rake', '~> 12'
   spec.add_development_dependency 'timecop', '~> 0.8'

data/exe/aws-google

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+
+# CLI to retrieve AWS credentials in credential_process format.
+# Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+require 'aws/google'
+require 'time'
+require 'json'
+
+google = ::Aws::STS::Client.new.config.credentials
+credentials = google.credentials
+output = {
+  Version: 1,
+  AccessKeyId: credentials.access_key_id,
+  SecretAccessKey: credentials.secret_access_key,
+  SessionToken: credentials.session_token,
+  Expiration: Time.at(google.expiration.to_i).iso8601
+}
+puts output.to_json

data/lib/aws/google.rb

@@ -1,6 +1,7 @@
 require_relative 'google/version'
 require 'aws-sdk-core'
 require_relative 'google/credential_provider'
+require_relative 'google/cached_credentials'
 
 require 'googleauth'
 require 'google/api_client/auth/storage'
@@ -23,48 +24,43 @@ module Aws
   # constructed.
   class Google
     include ::Aws::CredentialProvider
-    include ::Aws::RefreshingCredentials
+    include ::Aws::Google::CachedCredentials
 
     class << self
+      # Use `Aws::Google.config` to set default options for any instance of this provider.
       attr_accessor :config
     end
+    self.config = {}
 
     # @option options [required, String] :role_arn
     # @option options [String] :policy
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client STS::Client to use (default: create new client)
-    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
     # @option options [String] :domain G Suite domain for account-selection hint
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
-    # @option options [::Google::Auth::ClientId] :google_id
+    # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
+    #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
+    # @option options [String] :client_id Google client ID
+    # @option options [String] :client_secret Google client secret
     def initialize(options = {})
+      options = options.merge(self.class.config)
       @oauth_attempted = false
       @assume_role_params = options.slice(
         *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
           input.shape.member_names
       )
 
-      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
       @google_id = ::Google::Auth::ClientId.new(
-        options[:google_client_id],
-        options[:google_client_secret]
+        options[:client_id],
+        options[:client_secret]
       )
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
-
-      # Use existing AWS credentials stored in the shared config if available.
-      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
-      # to generate AWS credentials derived from Google authentication.
-      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
-      @mutex = Mutex.new
-      if near_expiration?
-        refresh!
-      else
-        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
-      end
+      @port = options[:port] || 1234
+      super
     end
 
     private
@@ -96,20 +92,63 @@ module Aws
       uri_options[:hd] = @domain if @domain
       uri_options[:access_type] = 'online' if @online
 
-      require 'google/api_client/auth/installed_app'
-      if defined?(Launchy) && Launchy::Application::Browser.new.app_list.any?
-        ::Google::APIClient::InstalledAppFlow.new(options).authorize(storage, uri_options)
-      else
-        credentials = ::Google::Auth::UserRefreshCredentials.new(
-          options.merge(redirect_uri: 'urn:ietf:wg:oauth:2.0:oob')
-        )
-        url = credentials.authorization_uri(uri_options)
-        print 'Open the following URL in the browser and enter the ' \
-             "resulting code after authorization:\n#{url}\n> "
-        credentials.code = gets
-        credentials.fetch_access_token!
-        credentials.tap(&storage.method(:write_credentials))
+      credentials = ::Google::Auth::UserRefreshCredentials.new(options)
+      credentials.code = get_oauth_code(credentials, uri_options)
+      credentials.fetch_access_token!
+      credentials.tap(&storage.method(:write_credentials))
+    end
+
+    def silence_output
+      outs = [$stdout, $stderr]
+      clones = outs.map(&:clone)
+      outs.each { |io| io.reopen '/dev/null'}
+      yield
+    ensure
+      outs.each_with_index { |io, i| io.reopen(clones[i]) }
+    end
+
+    def get_oauth_code(client, options)
+      raise 'fallback' unless @port && !@port.zero?
+
+      require 'launchy'
+      require 'webrick'
+      code = nil
+      server = WEBrick::HTTPServer.new(
+        Port: @port,
+        Logger: WEBrick::Log.new(STDOUT, 0),
+        AccessLog: []
+      )
+      server.mount_proc '/' do |req, res|
+        code = req.query['code']
+        res.status = 202
+        res.body = 'Login successful, you may close this browser window.'
+        server.stop
+      end
+      trap('INT') { server.shutdown }
+      client.redirect_uri = "http://localhost:#{@port}"
+      silence_output do
+        launchy = Launchy.open(client.authorization_uri(options).to_s)
+        server_thread = Thread.new do
+          begin
+            server.start
+          ensure server.shutdown
+          end
+        end
+        while server_thread.alive?
+          raise 'fallback' if !launchy.alive? && !launchy.value.success?
+
+          sleep 0.1
+        end
       end
+      code || raise('fallback')
+    rescue StandardError
+      trap('INT', 'DEFAULT')
+      # Fallback to out-of-band authentication if browser launch failed.
+      client.redirect_uri = 'oob'
+      return ENV['OAUTH_CODE'] if ENV['OAUTH_CODE']
+
+      raise RuntimeError, 'Open the following URL in a browser to get a code,' \
+             "export to $OAUTH_CODE and rerun:\n#{client.authorization_uri(options)}", []
     end
 
     def refresh
@@ -135,7 +174,7 @@ module Aws
             role_session_name: token_params['email']
           )
         )
-      rescue Signet::AuthorizationError => e
+      rescue Signet::AuthorizationError, Aws::STS::Errors::ExpiredTokenException
         retry if (@google_client = google_oauth)
         raise
       rescue Aws::STS::Errors::AccessDenied => e
@@ -143,7 +182,7 @@ module Aws
         raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
 Role: #{@assume_role_params[:role_arn]}
 Email: #{token_params['email']}
-Google ID: #{token_params['sub']}", e.backtrace
+Google ID: #{token_params['sub']}", []
       end
 
       c = assume_role.credentials
@@ -153,35 +192,8 @@ Google ID: #{token_params['sub']}", e.backtrace
         c.session_token
       )
       @expiration = c.expiration.to_i
-      write_credentials
-    end
-
-    # Write credentials and expiration to AWS credentials file.
-    def write_credentials
-      # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
-      return unless system('which aws >/dev/null 2>&1')
-      %w[
-        access_key_id
-        secret_access_key
-        session_token
-      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
-        to_h.
-        merge(expiration: @expiration).each do |key, value|
-        system("aws configure set #{key} #{value} --profile #{@profile}")
-      end
-    end
-  end
-
-  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
-  module SharedConfigGetKey
-    def get(key, opts = {})
-      profile = opts.delete(:profile) || @profile_name
-      if @parsed_config && (prof_config = @parsed_config[profile])
-        prof_config[key]
-      end
     end
   end
-  Aws::SharedConfig.prepend SharedConfigGetKey
 
   # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
   # as required by Google's default credentials loader.

data/lib/aws/google/cached_credentials.rb

@@ -0,0 +1,47 @@
+module Aws
+  class Google
+    Aws::SharedConfig.config_reader :expiration
+
+    # Mixin module extending `RefreshingCredentials` that caches temporary credentials
+    # in the credentials file, so a single session can be reused across multiple processes.
+    # The temporary credentials are saved to a separate profile with a '_session' suffix.
+    module CachedCredentials
+      include RefreshingCredentials
+
+      # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+      def initialize(options = {})
+        # Use existing AWS credentials stored in the shared session config if available.
+        # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+        # to generate AWS credentials derived from Google authentication.
+        @mutex = Mutex.new
+
+        @profile = options[:profile] || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+        @session_profile = @profile + '_session'
+        @expiration = Aws.shared_config.expiration(profile: @session_profile) rescue nil
+        @credentials = Aws.shared_config.credentials(profile: @session_profile) rescue nil
+        refresh_if_near_expiration
+      end
+
+      def refresh_if_near_expiration
+        if near_expiration?
+          @mutex.synchronize do
+            if near_expiration?
+              refresh
+              write_credentials
+            end
+          end
+        end
+      end
+
+      # Write credentials and expiration to AWS credentials file.
+      def write_credentials
+        # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+        return unless system('which aws >/dev/null 2>&1')
+        Aws::SharedCredentials::KEY_MAP.transform_values(&@credentials.method(:send)).
+          merge(expiration: @expiration).each do |key, value|
+          system("aws configure set #{key} #{value} --profile #{@session_profile}")
+        end
+      end
+    end
+  end
+end

data/lib/aws/google/credential_provider.rb

@@ -3,16 +3,36 @@ module Aws
     # Inserts GoogleCredentials into the default AWS credential provider chain.
     # Google credentials will only be used if Aws::Google.config is set before initialization.
     module CredentialProvider
-      # Insert google_credentials as the second-to-last credentials provider
-      # (in front of instance profile, which makes an http request).
+      # Insert google_credentials as the third-to-last credentials provider
+      # (in front of process credentials and instance_profile credentials).
       def providers
-        super.insert(-2, [:google_credentials, {}])
+        super.insert(-3, [:google_credentials, {}])
       end
 
       def google_credentials(options)
-        (config = Google.config) && Google.new(options.merge(config))
+        profile_name = determine_profile_name(options)
+        if Aws.shared_config.config_enabled?
+          Aws.shared_config.google_credentials_from_config(profile: profile_name)
+        end
+      rescue Errors::NoSuchProfileError
+        nil
       end
     end
     ::Aws::CredentialProviderChain.prepend CredentialProvider
+
+    module GoogleSharedCredentials
+      def google_credentials_from_config(opts = {})
+        p = opts[:profile] || @profile_name
+        if @config_enabled && @parsed_config
+          google_opts = @parsed_config.
+            fetch(p, {}).fetch('google', {}).
+            transform_keys(&:to_sym)
+          if google_opts.merge(::Aws::Google.config).has_key?(:role_arn)
+            Google.new(google_opts)
+          end
+        end
+      end
+    end
+    ::Aws::SharedConfig.prepend GoogleSharedCredentials
   end
 end

data/lib/aws/google/version.rb

@@ -1,5 +1,5 @@
 module Aws
   class Google
-    VERSION = '0.1.0'.freeze
+    VERSION = '0.1.6'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-google
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.6
 platform: ruby
 authors:
 - Will Jordan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-02-07 00:00:00.000000000 Z
+date: 2020-10-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -66,34 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -153,7 +139,8 @@ dependencies:
 description: Use Google OAuth as an AWS credential provider.
 email:
 - will@code.org
-executables: []
+executables:
+- aws-google
 extensions: []
 extra_rdoc_files: []
 files:
@@ -166,7 +153,9 @@ files:
 - aws-google.gemspec
 - bin/console
 - bin/setup
+- exe/aws-google
 - lib/aws/google.rb
+- lib/aws/google/cached_credentials.rb
 - lib/aws/google/credential_provider.rb
 - lib/aws/google/version.rb
 homepage: https://github.com/code-dot-org/aws-google
@@ -189,8 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.4
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Use Google OAuth as an AWS credential provider