aws-google 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29e2bac01a2d62b1b156badf3fda404596d56fef92f5b8de438095362abea600
-  data.tar.gz: d25ac4ca974f4991120814679678a923375ede8bbfd0b189917344596f0d79ec
+  metadata.gz: 0ea7ae0f33a7dafe59e62cb045d143ed0fdc0a0a017d3e2a17d380cf1f46a49e
+  data.tar.gz: b5bc47171255473122de1cf179828f869a32cd7d6fb5cf5343d85204e7e96c26
 SHA512:
-  metadata.gz: e2e26e77654e356c81c424dd76d679c09304f44a846bff66d6d204c845d9a918e0bac3dd99d6922c9e4cfb363d773dbcfd679c29f736e46eb52acccb5f4ba0f6
-  data.tar.gz: 9226a37c273473589a4f56ea3e49a7a9bb652d42b436e39f62f41124ccbd36bf101e4edbd6ee7d5a44e4138e91c135f72d5a6292f8149cc4e3f2272b809add19
+  metadata.gz: 7801674b5be60e16e4e32608162b5c79baa06b794ddc4c494f6c04a46b2ad630b6a0ef7d6a552ff9f56091a6f4079cd95942a28a8b35d1a337f7cf335d4a4ba3
+  data.tar.gz: 405d08b37bb3167508fc705d458a9472067ddb53c4dcd02fc831a8c33155623c11c414d7bd2181d93a68a5cad0443cd325ea27451f416eeefd2d6e395e47a740

data/README.md

@@ -65,28 +65,18 @@ role_credentials = Aws::Google.new(
 puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
 ```
 
-- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
-
-```ruby
-Aws::Google.config = {
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret,
-}
-
-puts Aws::STS::Client.new.get_caller_identity
+- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:
+
+```ini
+[my_profile]
+google =
+    role_arn = arn:aws:iam::[AccountID]:role/[Role]
+    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+    client_secret = 01234567890abcdefghijklmn
+credential_process = aws-google
 ```
 
-- Or, set `credential_process` in your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to `aws-google` to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) without any change to your application code:
-
-```
-[profile my_google]
-credential_process = aws-google --profile my_google
-aws_role = arn:aws:iam::[AccountID]:role/[Role]
-google_client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
-google_client_secret = 01234567890abcdefghijklmn
-
-```
+The extra `credential_process` config line tells AWS to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), in this case the `aws-google` script, which allows you to seamlessly use the same Google login configuration from non-Ruby SDKs (like the CLI).
 
 ## Development
 

data/aws-google.gemspec

@@ -26,7 +26,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
-  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'minitest', '~> 5.14.2'
   spec.add_development_dependency 'mocha', '~> 1.5'
   spec.add_development_dependency 'rake', '~> 12'

data/exe/aws-google

@@ -6,61 +6,8 @@
 require 'aws/google'
 require 'time'
 require 'json'
-require 'optparse'
 
-def error(msg)
-  puts msg
-  exit 1
-end
-
-options = {}
-OptionParser.new do |opts|
-  opts.on('-p PROFILE', '--profile PROFILE', 'Profile') do |p|
-    options[:profile] = p
-  end
-  opts.on('-v', '--version', 'Version') do
-    require 'aws/google/version'
-    puts Aws::Google::VERSION
-    exit 0
-  end
-  opts.on('-r ROLE', '--role ROLE', 'AWS Role arn') do |r|
-    options[:role_arn] = r
-  end
-  opts.on('-i ID', '--client-id ID', 'Google Client ID') do |id|
-    options[:google_client_id] = id
-  end
-  opts.on('-s SECRET', '--client-secret SECRET', 'Google Client Secret') do |secret|
-    options[:google_client_secret] = secret
-  end
-  opts.on('-h DOMAIN', '--domain DOMAIN', 'Google Domain') do |hd|
-    options[:domain] = hd
-  end
-  opts.on('-d DURATION', '--duration DURATION', 'Duration in seconds') do |d|
-    options[:duration_seconds] = d.to_i
-  end
-  opts.on('--port PORT', 'Port number for local server') do |p|
-    options[:port] = p.to_i
-  end
-  opts.on('--online', 'Online authentication, no refresh token') do |o|
-    options[:online] = true
-  end
-end.parse!
-
-config = Aws.shared_config
-profile = options[:profile] || ENV['AWS_PROFILE'] || 'default'
-
-options[:role_arn] ||= config.get('aws_role', profile: profile) ||
-                   error('Missing config: aws_role')
-options[:google_client_id] ||= config.get('google_client_id', profile: profile) ||
-                        error('Missing config: google_client_id')
-options[:google_client_secret] ||= config.get('google_client_secret', profile: profile) ||
-                            error('Missing config: google_client_secret')
-
-# Cache temporary-session credentials in a separately-named profile.
-# Stored credentials take priority over credential_process,
-# so they would never be refreshed if stored in the same profile.
-options[:profile] += '_session'
-google = Aws::Google.new(options)
+google = ::Aws::STS::Client.new.config.credentials
 credentials = google.credentials
 output = {
   Version: 1,
@@ -69,5 +16,4 @@ output = {
   SessionToken: credentials.session_token,
   Expiration: Time.at(google.expiration.to_i).iso8601
 }
-require 'json'
 puts output.to_json

data/lib/aws/google.rb

@@ -1,6 +1,7 @@
 require_relative 'google/version'
 require 'aws-sdk-core'
 require_relative 'google/credential_provider'
+require_relative 'google/cached_credentials'
 
 require 'googleauth'
 require 'google/api_client/auth/storage'
@@ -23,7 +24,7 @@ module Aws
   # constructed.
   class Google
     include ::Aws::CredentialProvider
-    include ::Aws::RefreshingCredentials
+    include ::Aws::Google::CachedCredentials
 
     class << self
       attr_accessor :config
@@ -34,13 +35,13 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client STS::Client to use (default: create new client)
-    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
     # @option options [String] :domain G Suite domain for account-selection hint
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
     #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
-    # @option options [::Google::Auth::ClientId] :google_id
+    # @option options [String] :client_id Google client ID
+    # @option options [String] :client_secret Google client secret
     def initialize(options = {})
       @oauth_attempted = false
       @assume_role_params = options.slice(
@@ -48,26 +49,15 @@ module Aws
           input.shape.member_names
       )
 
-      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
       @google_id = ::Google::Auth::ClientId.new(
-        options[:google_client_id],
-        options[:google_client_secret]
+        options[:client_id],
+        options[:client_secret]
       )
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
       @port = options[:port] || 1234
-
-      # Use existing AWS credentials stored in the shared config if available.
-      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
-      # to generate AWS credentials derived from Google authentication.
-      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
-      @mutex = Mutex.new
-      if near_expiration?
-        refresh!
-      else
-        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
-      end
+      super
     end
 
     private
@@ -199,35 +189,8 @@ Google ID: #{token_params['sub']}", []
         c.session_token
       )
       @expiration = c.expiration.to_i
-      write_credentials
-    end
-
-    # Write credentials and expiration to AWS credentials file.
-    def write_credentials
-      # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
-      return unless system('which aws >/dev/null 2>&1')
-      %w[
-        access_key_id
-        secret_access_key
-        session_token
-      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
-        to_h.
-        merge(expiration: @expiration).each do |key, value|
-        system("aws configure set #{key} #{value} --profile #{@profile}")
-      end
-    end
-  end
-
-  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
-  module SharedConfigGetKey
-    def get(key, opts = {})
-      profile = opts.delete(:profile) || @profile_name
-      if @parsed_config && (prof_config = @parsed_config[profile])
-        prof_config[key]
-      end
     end
   end
-  Aws::SharedConfig.prepend SharedConfigGetKey
 
   # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
   # as required by Google's default credentials loader.

data/lib/aws/google/cached_credentials.rb

@@ -0,0 +1,47 @@
+module Aws
+  class Google
+    Aws::SharedConfig.config_reader :expiration
+
+    # Mixin module extending `RefreshingCredentials` that caches temporary credentials
+    # in the credentials file, so a single session can be reused across multiple processes.
+    # The temporary credentials are saved to a separate profile with a '_session' suffix.
+    module CachedCredentials
+      include RefreshingCredentials
+
+      # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+      def initialize(options = {})
+        # Use existing AWS credentials stored in the shared session config if available.
+        # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+        # to generate AWS credentials derived from Google authentication.
+        @mutex = Mutex.new
+
+        @profile = options[:profile] || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+        @session_profile = @profile + '_session'
+        @expiration = Aws.shared_config.expiration(profile: @session_profile) rescue nil
+        @credentials = Aws.shared_config.credentials(profile: @session_profile) rescue nil
+        refresh_if_near_expiration
+      end
+
+      def refresh_if_near_expiration
+        if near_expiration?
+          @mutex.synchronize do
+            if near_expiration?
+              refresh
+              write_credentials
+            end
+          end
+        end
+      end
+
+      # Write credentials and expiration to AWS credentials file.
+      def write_credentials
+        # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+        return unless system('which aws >/dev/null 2>&1')
+        Aws::SharedCredentials::KEY_MAP.transform_values(&@credentials.method(:send)).
+          merge(expiration: @expiration).each do |key, value|
+          system("aws configure set #{key} #{value} --profile #{@session_profile}")
+        end
+      end
+    end
+  end
+end

data/lib/aws/google/credential_provider.rb

@@ -3,16 +3,34 @@ module Aws
     # Inserts GoogleCredentials into the default AWS credential provider chain.
     # Google credentials will only be used if Aws::Google.config is set before initialization.
     module CredentialProvider
-      # Insert google_credentials as the second-to-last credentials provider
-      # (in front of instance profile, which makes an http request).
+      # Insert google_credentials as the third-to-last credentials provider
+      # (in front of process credentials and instance_profile credentials).
       def providers
-        super.insert(-2, [:google_credentials, {}])
+        super.insert(-3, [:google_credentials, {}])
       end
 
       def google_credentials(options)
-        (config = Google.config) && Google.new(options.merge(config))
+        profile_name = determine_profile_name(options)
+        if Aws.shared_config.config_enabled?
+          Aws.shared_config.google_credentials_from_config(profile: profile_name)
+        end
+      rescue Errors::NoSuchProfileError
+        nil
       end
     end
     ::Aws::CredentialProviderChain.prepend CredentialProvider
+
+    module GoogleSharedCredentials
+      def google_credentials_from_config(opts = {})
+        p = opts[:profile] || @profile_name
+        if @config_enabled && @parsed_config
+          entry = @parsed_config.fetch(p, {})
+          if (google_opts = entry['google'])
+            Google.new(google_opts.transform_keys(&:to_sym))
+          end
+        end
+      end
+    end
+    ::Aws::SharedConfig.prepend GoogleSharedCredentials
   end
 end

data/lib/aws/google/version.rb

@@ -1,5 +1,5 @@
 module Aws
   class Google
-    VERSION = '0.1.3'.freeze
+    VERSION = '0.1.5'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-google
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - Will Jordan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-02 00:00:00.000000000 Z
+date: 2020-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -66,20 +66,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -169,6 +155,7 @@ files:
 - bin/setup
 - exe/aws-google
 - lib/aws/google.rb
+- lib/aws/google/cached_credentials.rb
 - lib/aws/google/credential_provider.rb
 - lib/aws/google/version.rb
 homepage: https://github.com/code-dot-org/aws-google