aws-mfa-secure 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 373259274cc623e8bb6b7ca2e044be59ea2abaa6c09f268bdf5376518b04baff
+  data.tar.gz: 8a59132aa173779f10f17d7e5d9ce4eedcb50ae304b6c8624f8db3e37dd79bbe
+SHA512:
+  metadata.gz: 890158626d55398170a6904f1c2e19ce863a52caee43dd458f7d17967c9e73d0039676fcc3c0f36cd05658aee6ac6152fd568c80edb0b65e048812b98e379104
+  data.tar.gz: 9e09d81ad7ec37a89e4e4e5c0305c0e9f4367286ccc7d5664c90aa7aa6a3e38921b2f3b850442dfa4dd023920ff0d8dd77f516f6231b63b9029de31c8914684c

data/.gitignore

@@ -0,0 +1,16 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+_yardoc
+coverage
+doc/
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [0.1.0]
+- Initial release.

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+# Specify your gem dependencies in aws-mfa-secure.gemspec
+gemspec
+
+gem "codeclimate-test-reporter", group: :test, require: nil

data/Gemfile.lock

@@ -0,0 +1,82 @@
+PATH
+  remote: .
+  specs:
+    aws-mfa-secure (0.1.0)
+      activesupport
+      aws-sdk-core
+      memoist
+      rainbow
+      thor
+      zeitwerk
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2)
+    aws-eventstream (1.0.3)
+    aws-partitions (1.237.0)
+    aws-sdk-core (3.76.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.228.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    byebug (11.0.1)
+    cli_markdown (0.1.0)
+    codeclimate-test-reporter (1.0.9)
+      simplecov (<= 0.13)
+    concurrent-ruby (1.1.5)
+    diff-lcs (1.3)
+    docile (1.1.5)
+    i18n (1.7.0)
+      concurrent-ruby (~> 1.0)
+    jmespath (1.4.0)
+    json (2.2.0)
+    memoist (0.16.1)
+    minitest (5.13.0)
+    rainbow (3.0.0)
+    rake (13.0.0)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
+    simplecov (0.13.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    zeitwerk (2.2.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aws-mfa-secure!
+  bundler
+  byebug
+  cli_markdown
+  codeclimate-test-reporter
+  rake
+  rspec
+
+BUNDLED WITH
+   2.0.2

data/Guardfile

@@ -0,0 +1,19 @@
+guard "bundler", cmd: "bundle" do
+  watch("Gemfile")
+  watch(/^.+\.gemspec/)
+end
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2019 Tung Nguyen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+# AWS MFA Secure
+
+[![Gem Version](https://badge.fury.io/rb/aws-mfa-secure.png)](http://badge.fury.io/rb/aws-mfa-secure)
+
+Surprisingly, the [aws cli](https://docs.aws.amazon.com/cli/latest/reference/) does not yet support MFA for normal IAM users. See: https://github.com/boto/botocore/pull/1399  The aws-mfa-secure tool decorates the AWS CLI or API to handle MFA authentication.  The MFA prompt only activates if `mfa_serial` is configured.
+
+## Installation
+
+    gem install aws-mfa-secure
+
+Prerequisite: The [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/) is required. You can install the AWS CLI via pip.
+
+    pip install awscli --upgrade --user
+
+## Usage
+
+**Summary**:
+
+1. Configure `~/.aws/credentials` with `mfa_serial`
+2. Set up bash alias
+3. Use aws cli like normal
+
+### Configure ~/.aws/credentials with mfa_serial
+
+Set up `mfa_serial` in credentials file for the profile section that requires it. Example:
+
+~/.aws/credentials:
+
+    [mfa]
+    aws_access_key_id = BKCAXZ6ODJLQ1EXAMPLE
+    aws_secret_access_key = ABCDl4hXikfOHTvNqFAnb2Ea62bUuu/eUEXAMPLE
+    mfa_serial = arn:aws:iam::112233445566:mfa/MFAUser
+
+Note: AWS already supports `mfa_serial` assumed roles: [AWS Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).  The aws-mfa-secure tool does not decorate for assumed roles and lets the AWS CLI or SDK handle it.
+
+### Set up bash alias
+
+    alias aws="aws-mfa-secure session"
+
+You may want to add the alias to your `~/.bash_profile`
+
+Autocompletion still works with the alias.
+
+### Use aws cli like normal
+
+Call `aws` command like you usually would:
+
+    aws s3 ls
+
+### Example with Output
+
+    $ export AWS_PROFILE=mfa
+    $ aws s3 ls
+    Please provide your MFA code: 751888
+    2019-09-21 15:53:34 my-example-test-bucket
+    $ aws s3 ls
+    2019-09-21 15:53:34 my-example-test-bucket
+    $
+
+Expiration: You get prompted for the MFA token once, and the MFA secure session lasts for 12 hours. You can override the default expiration time with `AWS_MFA_TTL`. For example, `AWS_MFA_TTL=3600` means the session expires in 1 hour instead.
+
+## Calling Directly
+
+You can also call `aws-mfa-secure session` directly.
+
+    aws-mfa-secure session --version
+    aws-mfa-secure session s3 ls
+
+The arguments of `aws-mfa-secure session` are delegated to the `aws` command.  So:
+
+    aws-mfa-secure session s3 ls
+
+Is the same as:
+
+    aws s3 ls
+
+Except `aws-mfa-secure session` will use the temporary session environment `AWS_*` variables values.
+
+## Exports
+
+You can also generate the exports script.
+
+    $ aws-mfa-secure exports
+    Please provide your MFA code: 147280
+    export AWS_ACCESS_KEY_ID=ASIAXZ6ODJLBCEXAMPLE
+    export AWS_SECRET_ACCESS_KEY=HgYHvNxacSsFSwls1FO9RoF5+tvYCFIABEXAMPLE
+    export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEJ3//////////wEaCXVzLWVhc3QtMSJGMEQCIGnuGzUr8aszNWMFlFXQvFVhIA6aGdx3DskqY1JaIZWVAiANfE3xA79vIMVTqLnds4F2LpDy/qUeNRr7e9g9VQoS9SqyAQi2//////////8BEAEaDDUzNjc2NjI3MDE3NyIMgDgauwgJ4FIOMRV+KoYBRKR/MnKFB9/Q0Isc6D8gpG404xGJWqStNfGS0sHNsB5vVP/ccaAj4MG54p0Pl+V0LuIMXy345ua/bxxQFDWqhG0ORsXFEOo3iD1IQ+YA/yougAUl/0hbyvK3Jnf3NEHDejdL95iFCluJhoR0zFlDv7GwwBSXLUxS9K96/vgA0MmgK9a7kaAwoYiZ7gU63wHVDNYa1myqIP16Mi6KZ2zm9inMofixNN1ea3JMyRW+chWW8kdjjW4R3MFecpwoIayE7g3QLanmjE3jzrlxjIJWnl8tiipV+jassiSdlxLL2j1IIFH2pNEqrn4hkHG5t7OG+qZCTl8AnQ4W5wusmBoSIavr5w0dOdyx2mdsBMFtO82ZXvHSryY1gbIM9JyUd7dJ9h/mkfGL2p0n0R/lya8s9j8P8/8if+2uQcF+/BGDxojJ67kYXgstgfLjM5j8pZgyYj6YUFyTpyiOkllbPk/AjyxJY1svxW25wbNO+c13
+    $
+
+You can eval it to set the environment variables in one go. Note, the MFA code prompt is written to standard error so it won't affect the eval.
+
+    $ eval `aws-mfa-secure exports`
+
+If you're using the `aws-mfa-secure exports` command, the `aws-mfa-secure unsets` command is useful to unset the `AWS_*` env variables quickly.  For more info: `aws-mfa-secure unsets -h`.
+
+## AWS Extension
+
+You can also use `aws-mfa-secure` to add MFA support to Ruby libraries. Do so by requiring the `aws_mfa_secure/ext/aws`.
+
+```ruby
+require "aws_mfa_secure/ext/aws" # add MFA support
+```
+
+This patches the aws-sdk-ruby library and adds MFA support.
+
+## Setting MFA Info with Env Variables
+
+You can also set the MFA info with env variables. They take the highest precedence and override what's in `~/.aws/credentials`. Example:
+
+    AWS_MFA_TOKEN=112233 arn:aws:iam::112233445566:mfa/MFAUser aws s3 ls
+
+## How It Works
+
+docs: [How It Works](docs/how-it-works.md)
+
+## Related
+
+You may also be interested in [tongueroo/aws-rotate](https://github.com/tongueroo/aws-rotate). It's an easy way to rotate all your AWS keys in your `~/.aws/credentials`.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am "Add some feature"`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+RSpec::Core::RakeTask.new
+
+require_relative "lib/aws-mfa-secure"
+require "cli_markdown"
+desc "Generates cli reference docs as markdown"
+task :docs do
+  mkdir_p "docs/_includes"
+  CliMarkdown::Creator.create_all(cli_class: AwsMfaSecure::CLI, cli_name: "aws-mfa-secure")
+end

data/aws-mfa-secure.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "aws_mfa_secure/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "aws-mfa-secure"
+  spec.version       = AwsMfaSecure::VERSION
+  spec.authors       = ["Tung Nguyen"]
+  spec.email         = ["tongueroo@gmail.com"]
+  spec.summary       = "Adds MFA Support to AWS CLI and Ruby SDKs for normal IAM user"
+  spec.homepage      = "https://github.com/tongueroo/aws-mfa-secure"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport"
+  spec.add_dependency "aws-sdk-core"
+  spec.add_dependency "memoist"
+  spec.add_dependency "rainbow"
+  spec.add_dependency "thor"
+  spec.add_dependency "zeitwerk"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "byebug"
+  spec.add_development_dependency "cli_markdown"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/docs/how-it-works.md

@@ -0,0 +1,19 @@
+## How It Works
+
+The wrapper `aws-mfa-secure session` command uses [sts.get_session_token](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/STS/Client.html#get_session_token-instance_method) to fetch temporary session AWS access tokens.
+
+The tokens get saved to `~/.aws/aws-mfa-secure-sessions/AWS_PROFILE` and are then used to set the environment variables, which take the [higher precedence](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#config-settings-and-precedence).
+
+* AWS_ACCESS_KEY_ID
+* AWS_SECRET_ACCESS_KEY
+* AWS_SESSION_TOKEN
+
+The arguments are delegate the to the `aws` command.  So:
+
+    aws-mfa-secure session s3 ls
+
+Is the same as:
+
+    aws s3 ls
+
+Except using the session environment `AWS_*` variables values.

data/exe/aws-mfa-secure

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+# Trap ^C
+Signal.trap("INT") {
+  puts "\nCtrl-C detected. Exiting..."
+  sleep 0.1
+  exit
+}
+
+$:.unshift(File.expand_path("../../lib", __FILE__))
+require "aws-mfa-secure"
+require "aws_mfa_secure/cli"
+
+AwsMfaSecure::CLI.start(ARGV)

data/lib/aws-mfa-secure.rb

@@ -0,0 +1 @@
+require_relative "aws_mfa_secure"

data/lib/aws_mfa_secure.rb

@@ -0,0 +1,12 @@
+$:.unshift(File.expand_path("../", __FILE__))
+require "aws_mfa_secure/version"
+require "rainbow/ext/string"
+
+require "aws_mfa_secure/autoloader"
+AwsMfaSecure::Autoloader.setup
+
+module AwsMfaSecure
+  class Error < StandardError; end
+end
+
+require "#{Dir.pwd}/spec/monkey_patches" if ENV['AWS_MFA_SECURE_TEST']

data/lib/aws_mfa_secure/autoloader.rb

@@ -0,0 +1,22 @@
+require "zeitwerk"
+
+module AwsMfaSecure
+  class Autoloader
+    class Inflector < Zeitwerk::Inflector
+      def camelize(basename, _abspath)
+        map = { cli: "CLI", version: "VERSION" }
+        map[basename.to_sym] || super
+      end
+    end
+
+    class << self
+      def setup
+        loader = Zeitwerk::Loader.new
+        loader.inflector = Inflector.new
+        loader.push_dir(File.dirname(__dir__)) # lib
+        loader.ignore("#{File.dirname(__dir__)}/aws-mfa-secure.rb")
+        loader.setup
+      end
+    end
+  end
+end

data/lib/aws_mfa_secure/base.rb

@@ -0,0 +1,128 @@
+require "aws-sdk-core"
+require "fileutils"
+require "json"
+require "memoist"
+require "time"
+require "active_support/core_ext/string"
+require "active_support/core_ext/hash"
+
+module AwsMfaSecure
+  class MfaError < StandardError; end
+
+  class Base
+    extend Memoist
+
+    def iam_mfa?
+      return false unless mfa_serial
+
+      # The iam_mfa? check will only return true for the case when mfa_serial is set and access keys are used.
+      # This is because for assume role cases, the current aws cli tool supports mfa_serial already.
+      # Sending session AWS based access keys intefere with the current aws cli assume role mfa_serial support
+      aws_access_key_id = aws_configure_get(:aws_access_key_id)
+      aws_secret_access_key = aws_configure_get(:aws_secret_access_key)
+      source_profile = aws_configure_get(:source_profile)
+
+      aws_access_key_id && aws_secret_access_key && !source_profile
+    end
+
+    def fetch_creds?
+      !good_session_creds?
+    end
+
+    def good_session_creds?
+      return false unless File.exist?(session_creds_path)
+
+      expiration = Time.parse(credentials["expiration"])
+      Time.now.utc < expiration # not expired
+    end
+
+    def credentials
+      JSON.load(IO.read(session_creds_path))
+    end
+    memoize :credentials
+
+    def save_creds(credentials)
+      FileUtils.mkdir_p(File.dirname(session_creds_path))
+      IO.write(session_creds_path, JSON.pretty_generate(credentials))
+    end
+
+    def session_creds_path
+      "#{ENV['HOME']}/.aws/aws-mfa-secure-sessions/#{@aws_profile}"
+    end
+
+    def get_session_token(shell: false)
+      retries = 0
+      begin
+        token_code = mfa_prompt
+        options = {
+          serial_number: mfa_serial,
+          token_code: token_code,
+        }
+        options[:duration_seconds] = ENV['AWS_MFA_TTL'] if ENV['AWS_MFA_TTL']
+
+        if shell
+          shell_get_session_token(options, token_code) # mimic ruby sdk
+        else # ruby sdk
+          sts.get_session_token(options)
+        end
+      rescue Aws::STS::Errors::ValidationError, Aws::STS::Errors::AccessDenied, MfaError => e
+        $stderr.puts "#{e.class}: #{e.message}"
+        $stderr.puts "Incorrect MFA code.  Please try again."
+        retries += 1
+        if retries >= 3
+          $stderr.puts "Giving up after #{retries} retries."
+          exit 1
+        end
+        retry
+      end
+    end
+
+    def mfa_prompt
+      if ENV['AWS_MFA_TOKEN']
+        token_code = ENV.delete('AWS_MFA_TOKEN') # only use once, prompt afterwards if incorrect
+        return token_code
+      end
+
+      $stderr.print "Please provide your MFA code: "
+      $stdin.gets.strip
+    end
+
+    def shell_get_session_token(options, token_code)
+      args = options.map { |k,v| "--#{k.to_s.gsub('_','-')} #{v}" }.join(' ')
+      command = "aws sts get-session-token #{args} 2>&1"
+      # puts "=> #{command}" # uncomment for debugging
+      out = `#{command}`
+
+      unless out.include?("Credentials")
+        raise(MfaError, out.strip) # custom error
+      end
+
+      data = JSON.load(out)
+      resp = data.deep_transform_keys { |k| k.underscore }
+      # mimic ruby sdk resp
+      credentials = Aws::STS::Types::Credentials.new(resp["credentials"])
+      Aws::STS::Types::GetSessionTokenResponse.new(credentials: credentials)
+    end
+
+    def mfa_serial
+      ENV['AWS_MFA_SERIAL'] || aws_configure_get(:mfa_serial)
+    end
+
+    def sts
+      Aws::STS::Client.new
+    end
+    memoize :sts
+
+    # Note the strip
+    # Each aws configure get call has about a 300-400ms overhead so we memoize it.
+    def aws_configure_get(prop)
+      v = `aws configure get #{prop}`.strip
+      v unless v.empty?
+    end
+    memoize :aws_configure_get
+
+    def aws_profile
+      ENV['AWS_PROFILE'] || 'default'
+    end
+  end
+end