aws-google 0.1.1 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03312ea0556bae7f422a1b33b26200316b1367c49c3953ee980595b8252417b3
-  data.tar.gz: e2df7bb3a34014e0d8ff13157b53d6834a39cc0c0fc15933245f56b09ecfcd1e
+  metadata.gz: 1ec086b6871d43a2064a99974bb55fd3f1cd6bc0dc5a749a560f3a41f3d1a9e6
+  data.tar.gz: 0ff2652d74bf6eb73076d146a9c4ab6c65a6a16dba54b7ce2d4d0d00b3c95c6d
 SHA512:
-  metadata.gz: ce872352fc5b0c54fe89cfceb87b94222e134cc8369d504302d8c0aa55a790cb03c9ffd281e7e70800ebba3bc18147f5ce39e856e3800c5969587170637ad156
-  data.tar.gz: b349a3bfd15fff12184eb70ba32082238f792532d7cf49bae7de33e47039a818d1d7dad2fd19f360d52fae5bc654dfc095021992d891b4cf4bb9f373072a334f
+  metadata.gz: 3e168070dc1cf75b2d74cddd96b1add3db9a9c37e613f3ed4bddb5d14ce969152f41c0fe75b1954e958129b6b6eee92c6fc9797c6bb2924c4a6a9e4fa87b94bc
+  data.tar.gz: 8ba6d8a8c01926516c53d9bf7477a080b8d853a6f7b76e670378012e5660729d63e59424d7c0b98bd28ab0f3a83d3c20a1e80b546189d74ff5a4ef9bc87547d2

data/README.md

@@ -21,8 +21,8 @@ Or install it yourself as:
 ## Usage
 
 - Visit the [Google API Console](https://console.developers.google.com/) to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
-- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust relationship' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action to be permitted
-by your Google Client ID and a specific set of Google Account IDs:
+- Create an AWS IAM Role with the desired IAM policies attached, and a ['trust policy'](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy) ([`AssumeRolePolicyDocument`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html)) allowing the [`sts:AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) action with [Web Identity Federation condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif) authorizing
+your Google Client ID (`accounts.google.com:aud`) and a specific set of Google Account IDs (`accounts.google.com:sub`):
 
 ```json
 {
@@ -36,9 +36,7 @@ by your Google Client ID and a specific set of Google Account IDs:
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
         "StringEquals": {
-          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com"
-        },
-        "ForAnyValue:StringEquals": {
+          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
           "accounts.google.com:sub": [
             "000000000000000000000",
             "111111111111111111111"
@@ -50,35 +48,38 @@ by your Google Client ID and a specific set of Google Account IDs:
 }
 ```
 
-- In your Ruby code, construct an `Aws::Google` object by passing in the AWS role, client id and client secret:
+- In your Ruby code, construct an `Aws::Google` object by passing the AWS `role_arn`, Google `client_id` and `client_secret`, either as constructor arguments or via the `Aws::Google.config` global defaults:
 ```ruby
 require 'aws/google'
 
-aws_role = 'arn:aws:iam::[AccountID]:role/[Role]'
-client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
-client_secret = '01234567890abcdefghijklmn'
+options = {
+  aws_role: 'arn:aws:iam::[AccountID]:role/[Role]',
+  client_id: '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com',
+  client_secret: '01234567890abcdefghijklmn'
+}
 
-role_credentials = Aws::Google.new(
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret
-)
+# Pass constructor arguments:
+credentials = Aws::Google.new(options)
+puts Aws::STS::Client.new(credentials: credentials).get_caller_identity
 
-puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
+# Set global defaults:
+Aws::Google.config = options
+puts Aws::STS::Client.new.get_caller_identity
 ```
 
-- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
+- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:
 
-```ruby
-Aws::Google.config = {
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret,
-}
-
-puts Aws::STS::Client.new.get_caller_identity
+```ini
+[my_profile]
+google =
+    role_arn = arn:aws:iam::[AccountID]:role/[Role]
+    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+    client_secret = 01234567890abcdefghijklmn
+credential_process = aws-google
 ```
 
+The extra `credential_process` config line tells AWS to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), in this case the `aws-google` script, which allows you to seamlessly use the same Google login configuration from non-Ruby SDKs (like the CLI).
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/aws-google.gemspec

@@ -23,11 +23,10 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk-core', '~> 3'
   spec.add_dependency 'google-api-client', '~> 0.23'
-  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+  spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
-  spec.add_development_dependency 'bundler', '~> 1'
-  spec.add_development_dependency 'minitest', '~> 5.10'
+  spec.add_development_dependency 'minitest', '~> 5.14.2'
   spec.add_development_dependency 'mocha', '~> 1.5'
   spec.add_development_dependency 'rake', '~> 12'
   spec.add_development_dependency 'timecop', '~> 0.8'

data/exe/aws-google

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+
+# CLI to retrieve AWS credentials in credential_process format.
+# Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+require 'aws/google'
+require 'time'
+require 'json'
+
+google = ::Aws::STS::Client.new.config.credentials
+credentials = google.credentials
+output = {
+  Version: 1,
+  AccessKeyId: credentials.access_key_id,
+  SecretAccessKey: credentials.secret_access_key,
+  SessionToken: credentials.session_token,
+  Expiration: Time.at(google.expiration.to_i).iso8601
+}
+puts output.to_json

data/lib/aws/google.rb

@@ -1,6 +1,7 @@
 require_relative 'google/version'
 require 'aws-sdk-core'
 require_relative 'google/credential_provider'
+require_relative 'google/cached_credentials'
 
 require 'googleauth'
 require 'google/api_client/auth/storage'
@@ -23,51 +24,43 @@ module Aws
   # constructed.
   class Google
     include ::Aws::CredentialProvider
-    include ::Aws::RefreshingCredentials
+    include ::Aws::Google::CachedCredentials
 
     class << self
+      # Use `Aws::Google.config` to set default options for any instance of this provider.
       attr_accessor :config
     end
+    self.config = {}
 
     # @option options [required, String] :role_arn
     # @option options [String] :policy
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client STS::Client to use (default: create new client)
-    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
     # @option options [String] :domain G Suite domain for account-selection hint
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
-    #                 Defaults to an out-of-band authentication process.
-    # @option options [::Google::Auth::ClientId] :google_id
+    #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
+    # @option options [String] :client_id Google client ID
+    # @option options [String] :client_secret Google client secret
     def initialize(options = {})
+      options = options.merge(self.class.config)
       @oauth_attempted = false
       @assume_role_params = options.slice(
         *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
           input.shape.member_names
       )
 
-      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
       @google_id = ::Google::Auth::ClientId.new(
-        options[:google_client_id],
-        options[:google_client_secret]
+        options[:client_id],
+        options[:client_secret]
       )
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
-      @port = options[:port]
-
-      # Use existing AWS credentials stored in the shared config if available.
-      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
-      # to generate AWS credentials derived from Google authentication.
-      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
-      @mutex = Mutex.new
-      if near_expiration?
-        refresh!
-      else
-        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
-      end
+      @port = options[:port] || 1234
+      super
     end
 
     private
@@ -105,8 +98,18 @@ module Aws
       credentials.tap(&storage.method(:write_credentials))
     end
 
+    def silence_output
+      outs = [$stdout, $stderr]
+      clones = outs.map(&:clone)
+      outs.each { |io| io.reopen '/dev/null'}
+      yield
+    ensure
+      outs.each_with_index { |io, i| io.reopen(clones[i]) }
+    end
+
     def get_oauth_code(client, options)
-      raise 'fallback' unless @port
+      raise 'fallback' unless @port && !@port.zero?
+
       require 'launchy'
       require 'webrick'
       code = nil
@@ -123,26 +126,29 @@ module Aws
       end
       trap('INT') { server.shutdown }
       client.redirect_uri = "http://localhost:#{@port}"
-      launchy = Launchy.open(client.authorization_uri(options).to_s)
-      server_thread = Thread.new do
-        begin
-          server.start
-        ensure server.shutdown
+      silence_output do
+        launchy = Launchy.open(client.authorization_uri(options).to_s)
+        server_thread = Thread.new do
+          begin
+            server.start
+          ensure server.shutdown
+          end
+        end
+        while server_thread.alive?
+          raise 'fallback' if !launchy.alive? && !launchy.value.success?
+
+          sleep 0.1
         end
-      end
-      while server_thread.alive?
-        raise 'fallback' if !launchy.alive? && !launchy.value.success?
-        sleep 0.1
       end
       code || raise('fallback')
     rescue StandardError
       trap('INT', 'DEFAULT')
       # Fallback to out-of-band authentication if browser launch failed.
       client.redirect_uri = 'oob'
-      url = client.authorization_uri(options)
-      print "\nOpen the following URL in a browser and enter the " \
-             "resulting code after authorization:\n#{url}\n> "
-      gets
+      return ENV['OAUTH_CODE'] if ENV['OAUTH_CODE']
+
+      raise RuntimeError, 'Open the following URL in a browser to get a code,' \
+             "export to $OAUTH_CODE and rerun:\n#{client.authorization_uri(options)}", []
     end
 
     def refresh
@@ -168,7 +174,7 @@ module Aws
             role_session_name: token_params['email']
           )
         )
-      rescue Signet::AuthorizationError => e
+      rescue Signet::AuthorizationError, Aws::STS::Errors::ExpiredTokenException
         retry if (@google_client = google_oauth)
         raise
       rescue Aws::STS::Errors::AccessDenied => e
@@ -176,7 +182,7 @@ module Aws
         raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
 Role: #{@assume_role_params[:role_arn]}
 Email: #{token_params['email']}
-Google ID: #{token_params['sub']}", e.backtrace
+Google ID: #{token_params['sub']}", []
       end
 
       c = assume_role.credentials
@@ -186,35 +192,8 @@ Google ID: #{token_params['sub']}", e.backtrace
         c.session_token
       )
       @expiration = c.expiration.to_i
-      write_credentials
-    end
-
-    # Write credentials and expiration to AWS credentials file.
-    def write_credentials
-      # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
-      return unless system('which aws >/dev/null 2>&1')
-      %w[
-        access_key_id
-        secret_access_key
-        session_token
-      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
-        to_h.
-        merge(expiration: @expiration).each do |key, value|
-        system("aws configure set #{key} #{value} --profile #{@profile}")
-      end
-    end
-  end
-
-  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
-  module SharedConfigGetKey
-    def get(key, opts = {})
-      profile = opts.delete(:profile) || @profile_name
-      if @parsed_config && (prof_config = @parsed_config[profile])
-        prof_config[key]
-      end
     end
   end
-  Aws::SharedConfig.prepend SharedConfigGetKey
 
   # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
   # as required by Google's default credentials loader.

data/lib/aws/google/cached_credentials.rb

@@ -0,0 +1,47 @@
+module Aws
+  class Google
+    Aws::SharedConfig.config_reader :expiration
+
+    # Mixin module extending `RefreshingCredentials` that caches temporary credentials
+    # in the credentials file, so a single session can be reused across multiple processes.
+    # The temporary credentials are saved to a separate profile with a '_session' suffix.
+    module CachedCredentials
+      include RefreshingCredentials
+
+      # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+      def initialize(options = {})
+        # Use existing AWS credentials stored in the shared session config if available.
+        # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+        # to generate AWS credentials derived from Google authentication.
+        @mutex = Mutex.new
+
+        @profile = options[:profile] || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+        @session_profile = @profile + '_session'
+        @expiration = Aws.shared_config.expiration(profile: @session_profile) rescue nil
+        @credentials = Aws.shared_config.credentials(profile: @session_profile) rescue nil
+        refresh_if_near_expiration
+      end
+
+      def refresh_if_near_expiration
+        if near_expiration?
+          @mutex.synchronize do
+            if near_expiration?
+              refresh
+              write_credentials
+            end
+          end
+        end
+      end
+
+      # Write credentials and expiration to AWS credentials file.
+      def write_credentials
+        # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+        return unless system('which aws >/dev/null 2>&1')
+        Aws::SharedCredentials::KEY_MAP.transform_values(&@credentials.method(:send)).
+          merge(expiration: @expiration).each do |key, value|
+          system("aws configure set #{key} #{value} --profile #{@session_profile}")
+        end
+      end
+    end
+  end
+end

data/lib/aws/google/credential_provider.rb

@@ -3,16 +3,39 @@ module Aws
     # Inserts GoogleCredentials into the default AWS credential provider chain.
     # Google credentials will only be used if Aws::Google.config is set before initialization.
     module CredentialProvider
-      # Insert google_credentials as the second-to-last credentials provider
-      # (in front of instance profile, which makes an http request).
+      # Insert google_credentials as the third-to-last credentials provider
+      # (in front of process credentials and instance_profile credentials).
       def providers
-        super.insert(-2, [:google_credentials, {}])
+        super.insert(-3, [:google_credentials, {}])
       end
 
       def google_credentials(options)
-        (config = Google.config) && Google.new(options.merge(config))
+        profile_name = determine_profile_name(options)
+        if Aws.shared_config.config_enabled?
+          Aws.shared_config.google_credentials_from_config(profile: profile_name)
+        end
+      rescue Errors::NoSuchProfileError
+        nil
       end
     end
     ::Aws::CredentialProviderChain.prepend CredentialProvider
+
+    module GoogleSharedCredentials
+      def google_credentials_from_config(opts = {})
+        google_opts = {}
+        if @config_enabled && @parsed_config
+          p = opts[:profile] || @profile_name
+          google_opts.merge!(@parsed_config.
+            fetch(p, {}).fetch('google', {}).
+            transform_keys(&:to_sym)
+          )
+        end
+        google_opts.merge!(::Aws::Google.config)
+        if google_opts.has_key?(:role_arn)
+          Google.new(google_opts)
+        end
+      end
+    end
+    ::Aws::SharedConfig.prepend GoogleSharedCredentials
   end
 end

data/lib/aws/google/version.rb

@@ -1,5 +1,5 @@
 module Aws
   class Google
-    VERSION = '0.1.1'.freeze
+    VERSION = '0.1.7'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-google
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.7
 platform: ruby
 authors:
 - Will Jordan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-02-12 00:00:00.000000000 Z
+date: 2020-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -66,34 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -153,7 +139,8 @@ dependencies:
 description: Use Google OAuth as an AWS credential provider.
 email:
 - will@code.org
-executables: []
+executables:
+- aws-google
 extensions: []
 extra_rdoc_files: []
 files:
@@ -166,7 +153,9 @@ files:
 - aws-google.gemspec
 - bin/console
 - bin/setup
+- exe/aws-google
 - lib/aws/google.rb
+- lib/aws/google/cached_credentials.rb
 - lib/aws/google/credential_provider.rb
 - lib/aws/google/version.rb
 homepage: https://github.com/code-dot-org/aws-google
@@ -189,8 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.4
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Use Google OAuth as an AWS credential provider