aws-mfa-secure 0.1.0

data/lib/aws_mfa_secure/cli.rb

@@ -0,0 +1,38 @@
+module AwsMfaSecure
+  class CLI < Command
+    desc "session *ARGV", "Calls aws cli with a MFA secure session"
+    long_desc Help.text(:session)
+    def session(*argv)
+      Session.new(options, *argv).run
+    end
+
+    desc "exports", "Generate export statements that can be eval"
+    long_desc Help.text(:exports)
+    def exports
+      Exports.new(options).run
+    end
+
+    desc "unsets", "Generate unsets statements that can be eval"
+    long_desc Help.text(:unsets)
+    def unsets
+      Unsets.new(options).run
+    end
+
+    desc "completion *PARAMS", "Prints words for auto-completion."
+    long_desc Help.text("completion")
+    def completion(*params)
+      Completer.new(CLI, *params).run
+    end
+
+    desc "completion_script", "Generates a script that can be eval to setup auto-completion."
+    long_desc Help.text("completion_script")
+    def completion_script
+      Completer::Script.generate
+    end
+
+    desc "version", "prints version"
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/aws_mfa_secure/command.rb

@@ -0,0 +1,82 @@
+require "thor"
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module AwsMfaSecure
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   aws-mfa-secure command help
+        #   aws-mfa-secure command -h
+        #   aws-mfa-secure command --help
+        #   aws-mfa-secure command -D
+        #
+        # as well thor's normal way:
+        #
+        #   aws-mfa-secure help command
+        help_flags = Thor::HELP_MAPPINGS + ["help"]
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, "help")
+        end
+
+        #   aws-mfa-secure version
+        #   aws-mfa-secure --version
+        #   aws-mfa-secure -v
+        version_flags = ["--version", "-v"]
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ["version"]
+        end
+
+        super
+      end
+
+      # Override command_help to include the description at the top of the
+      # long_description.
+      def command_help(shell, command_name)
+        meth = normalize_command_name(command_name)
+        command = all_commands[meth]
+        alter_command_description(command)
+        super
+      end
+
+      def alter_command_description(command)
+        return unless command
+
+        # Add description to beginning of long_description
+        long_desc = if command.long_description
+            "#{command.description}\n\n#{command.long_description}"
+          else
+            command.description
+          end
+
+        # add reference url to end of the long_description
+        unless website.empty?
+          full_command = [command.ancestor_name, command.name].compact.join('-')
+          url = "#{website}/reference/aws-mfa-secure-#{full_command}"
+          long_desc += "\n\nHelp also available at: #{url}"
+        end
+
+        command.long_description = long_desc
+      end
+      private :alter_command_description
+
+      # meant to be overriden
+      def website
+        ""
+      end
+    end
+  end
+end

data/lib/aws_mfa_secure/completer.rb

@@ -0,0 +1,159 @@
+=begin
+Code Explanation:
+
+There are 3 types of things to auto-complete:
+
+  1. command: the command itself
+  2. parameters: command parameters.
+  3. options: command options
+
+Here's an example:
+
+  mycli hello name --from me
+
+  * command: hello
+  * parameters: name
+  * option: --from
+
+When command parameters are done processing, the remaining completion words will be options.  We can tell that the command params are completed based on the method arity.
+
+## Arity
+
+For example, say you had a method for a CLI command with the following form:
+
+  ufo scale service count --cluster development
+
+It's equivalent ruby method:
+
+  scale(service, count) = has an arity of 2
+
+So typing:
+
+  ufo scale service count [TAB] # there are 3 parameters including the "scale" command according to Thor's CLI processing.
+
+So the completion should only show options, something like this:
+
+  --noop --verbose --cluster
+
+## Splat Arguments
+
+When the ruby method has a splat argument, it's arity is negative.  Here are some example methods and their arities.
+
+   ship(service) = 1
+   scale(service, count) = 2
+   ships(*services) = -1
+   foo(example, *rest) = -2
+
+Fortunately, negative and positive arity values are processed the same way. So we take simply take the absolute value of the arity and process it the same.
+
+Here are some test cases, hit TAB after typing the command:
+
+  aws-mfa-secure completion
+  aws-mfa-secure completion hello
+  aws-mfa-secure completion hello name
+  aws-mfa-secure completion hello name --
+  aws-mfa-secure completion hello name --noop
+
+  aws-mfa-secure completion
+  aws-mfa-secure completion sub:goodbye
+  aws-mfa-secure completion sub:goodbye name
+
+## Subcommands and Thor::Group Registered Commands
+
+Sometimes the commands are not simple thor commands but are subcommands or Thor::Group commands. A good specific example is the ufo tool.
+
+  * regular command: ufo ship
+  * subcommand: ufo docker
+  * Thor::Group command: ufo init
+
+Auto-completion accounts for each of these type of commands.
+=end
+module AwsMfaSecure
+  class Completer
+    def initialize(command_class, *params)
+      @params = params
+      @current_command = @params[0]
+      @command_class = command_class # CLI initiall
+    end
+
+    def run
+      if subcommand?(@current_command)
+        subcommand_class = @command_class.subcommand_classes[@current_command]
+        @params.shift # destructive
+        Completer.new(subcommand_class, *@params).run # recursively use subcommand
+        return
+      end
+
+      # full command has been found!
+      unless found?(@current_command)
+        puts all_commands
+        return
+      end
+
+      # will only get to here if command aws found (above)
+      arity = @command_class.instance_method(@current_command).arity.abs
+      if @params.size > arity or thor_group_command?
+        puts options_completion
+      else
+        puts params_completion
+      end
+    end
+
+    def subcommand?(command)
+      @command_class.subcommands.include?(command)
+    end
+
+    # hacky way to detect that command is a registered Thor::Group command
+    def thor_group_command?
+      command_params(raw=true) == [[:rest, :args]]
+    end
+
+    def found?(command)
+      public_methods = @command_class.public_instance_methods(false)
+      command && public_methods.include?(command.to_sym)
+    end
+
+    # all top-level commands
+    def all_commands
+      commands = @command_class.all_commands.reject do |k,v|
+        v.is_a?(Thor::HiddenCommand)
+      end
+      commands.keys
+    end
+
+    def command_params(raw=false)
+      params = @command_class.instance_method(@current_command).parameters
+      # Example:
+      # >> Sub.instance_method(:goodbye).parameters
+      # => [[:req, :name]]
+      # >>
+      raw ? params : params.map!(&:last)
+    end
+
+    def params_completion
+      offset = @params.size - 1
+      offset_params = command_params[offset..-1]
+      command_params[offset..-1].first
+    end
+
+    def options_completion
+      used = ARGV.select { |a| a.include?('--') } # so we can remove used options
+
+      method_options = @command_class.all_commands[@current_command].options.keys
+      class_options = @command_class.class_options.keys
+
+      all_options = method_options + class_options + ['help']
+
+      all_options.map! { |o| "--#{o.to_s.gsub('_','-')}" }
+      filtered_options = all_options - used
+      filtered_options.uniq
+    end
+
+    # Useful for debugging. Using puts messes up completion.
+    def log(msg)
+      File.open("/tmp/complete.log", "a") do |file|
+        file.puts(msg)
+      end
+    end
+  end
+end

data/lib/aws_mfa_secure/completer/script.rb

@@ -0,0 +1,6 @@
+class AwsMfaSecure::Completer::Script
+  def self.generate
+    bash_script = File.expand_path("script.sh", File.dirname(__FILE__))
+    puts "source #{bash_script}"
+  end
+end

data/lib/aws_mfa_secure/completer/script.sh

@@ -0,0 +1,10 @@
+_aws-mfa-secure() {
+  COMPREPLY=()
+  local word="${COMP_WORDS[COMP_CWORD]}"
+  local words=("${COMP_WORDS[@]}")
+  unset words[0]
+  local completion=$(aws-mfa-secure completion ${words[@]})
+  COMPREPLY=( $(compgen -W "$completion" -- "$word") )
+}
+
+complete -F _aws-mfa-secure aws-mfa-secure

data/lib/aws_mfa_secure/credentials.rb

@@ -0,0 +1,35 @@
+# Useful for Ruby interfacing
+module AwsMfaSecure
+  class Credentials < Base
+    # Using Singleton as caching mechanism for speed
+    # The fetch_creds? is slow from shelling out to python for aws configure get.
+    include Singleton
+
+    attr_reader :data
+    def initialize
+      @aws_profile = aws_profile
+      setup
+    end
+
+    def setup
+      return unless iam_mfa?
+
+      if fetch_creds?
+        resp = get_session_token(shell: true)
+        save_creds(resp.credentials.to_h)
+      end
+
+      @data = credentials
+    end
+
+    def set?
+      !!@data
+    end
+
+    %w[access_key_id secret_access_key session_token].each do |name|
+      define_method name do
+        @data[name]
+      end
+    end
+  end
+end

data/lib/aws_mfa_secure/exports.rb

@@ -0,0 +1,30 @@
+module AwsMfaSecure
+  class Exports < Base
+    def initialize(options={})
+      @options = options
+      @aws_profile = aws_profile
+    end
+
+    def run
+      unless iam_mfa?
+        $stderr.puts "WARN: mfa_serial is not configured for this AWS_PROFILE=#{@aws_profile}"
+        return
+      end
+
+      if fetch_creds?
+        resp = get_session_token
+        save_creds(resp.credentials.to_h)
+      end
+
+      puts script
+    end
+
+    def script
+      <<~EOL
+        export AWS_ACCESS_KEY_ID=#{credentials["access_key_id"]}
+        export AWS_SECRET_ACCESS_KEY=#{credentials["secret_access_key"]}
+        export AWS_SESSION_TOKEN=#{credentials["session_token"]}
+      EOL
+    end
+  end
+end

data/lib/aws_mfa_secure/ext/aws.rb

@@ -0,0 +1,20 @@
+require "aws-sdk-core"
+
+module AwsMfaCredentials
+  def initialize(*)
+    credentials = AwsMfaSecure::Credentials.instance
+    if credentials.set?
+      @access_key_id = credentials.access_key_id
+      @secret_access_key = credentials.secret_access_key
+      @session_token = credentials.session_token
+    else
+      super
+    end
+  end
+end
+
+module Aws
+  class Credentials
+    prepend AwsMfaCredentials
+  end
+end

data/lib/aws_mfa_secure/help.rb

@@ -0,0 +1,9 @@
+module AwsMfaSecure::Help
+  class << self
+    def text(namespaced_command)
+      path = namespaced_command.to_s.gsub(':','/')
+      path = File.expand_path("../help/#{path}.md", __FILE__)
+      IO.read(path) if File.exist?(path)
+    end
+  end
+end

data/lib/aws_mfa_secure/help/completion.md

@@ -0,0 +1,20 @@
+## Examples
+
+    aws-mfa-secure completion
+
+Prints words for TAB auto-completion.
+
+    aws-mfa-secure completion
+    aws-mfa-secure completion hello
+    aws-mfa-secure completion hello name
+
+To enable, TAB auto-completion add the following to your profile:
+
+    eval $(aws-mfa-secure completion_script)
+
+Auto-completion example usage:
+
+    aws-mfa-secure [TAB]
+    aws-mfa-secure hello [TAB]
+    aws-mfa-secure hello name [TAB]
+    aws-mfa-secure hello name --[TAB]

data/lib/aws_mfa_secure/help/completion_script.md

@@ -0,0 +1,3 @@
+To use, add the following to your `~/.bashrc` or `~/.profile`
+
+    eval $(aws-mfa-secure completion_script)

data/lib/aws_mfa_secure/help/exports.md

@@ -0,0 +1,29 @@
+## Example
+
+    aws-mfa-secure exports
+
+## Example with Output
+
+    $ aws-mfa-secure exports
+    Please provide your MFA code: 147280
+    export AWS_ACCESS_KEY_ID=ASIAXZ6ODJLBCEXAMPLE
+    export AWS_SECRET_ACCESS_KEY=HgYHvNxacSsFSwls1FO9RoF5+tvYCFIABEXAMPLE
+    export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEJ3//////////wEaCXVzLWVhc3QtMSJGMEQCIGnuGzUr8aszNWMFlFXQvFVhIA6aGdx3DskqY1JaIZWVAiANfE3xA79vIMVTqLnds4F2LpDy/qUeNRr7e9g9VQoS9SqyAQi2//////////8BEAEaDDUzNjc2NjI3MDE3NyIMgDgauwgJ4FIOMRV+KoYBRKR/MnKFB9/Q0Isc6D8gpG404xGJWqStNfGS0sHNsB5vVP/ccaAj4MG54p0Pl+V0LuIMXy345ua/bxxQFDWqhG0ORsXFEOo3iD1IQ+YA/yougAUl/0hbyvK3Jnf3NEHDejdL95iFCluJhoR0zFlDv7GwwBSXLUxS9K96/vgA0MmgK9a7kaAwoYiZ7gU63wHVDNYa1myqIP16Mi6KZ2zm9inMofixNN1ea3JMyRW+chWW8kdjjW4R3MFecpwoIayE7g3QLanmjE3jzrlxjIJWnl8tiipV+jassiSdlxLL2j1IIFH2pNEqrn4hkHG5t7OG+qZCTl8AnQ4W5wusmBoSIavr5w0dOdyx2mdsBMFtO82ZXvHSryY1gbIM9JyUd7dJ9h/mkfGL2p0n0R/lya8s9j8P8/8if+2uQcF+/BGDxojJ67kYXgstgfLjM5j8pZgyYj6YUFyTpyiOkllbPk/AjyxJY1svxW25wbNO+c13
+    $
+
+Eval example:
+
+    $ eval `aws-mfa-secure exports`
+
+Note: Prompts write to stderr so eval-ing the exports works even if with the prompt.
+
+## Related
+
+You may also be interested in the `aws-mfa-secure unset` command. It provides a quick way to unset the AWS_* environment variables.  Example:
+
+    $ aws-mfa-secure unset # generates script
+    unset AWS_ACCESS_KEY_ID
+    unset AWS_SECRET_ACCESS_KEY
+    unset AWS_SESSION_TOKEN
+    $ eval `aws-mfa-secure unset` # to unset
+    $