aws-msk-iam-sasl-signer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4c1a55e1e98d1cb058d624b31c02ecb16b661bfdf2f896e087a10bc84279e799
+  data.tar.gz: 52a0b1d7d1ff7cb6115551b69a4a6f396ce1682f65f855d603332026d6464783
+SHA512:
+  metadata.gz: 452a78478ed3b6677dc3cbd047b6296310b9005bbd2d618a3a436e960621a3213342ed98c2da012fc2ab2909ff99a3d844842bf7d21501759cc20f7f0b089250
+  data.tar.gz: b528420b2cef1f7bc66fe81a553de226f64ba18f933c336ec902cb58224147fd85e3e82f713e5f0a422b5d8e27515decf01f1363e9e24f61a5aef4a11a8cc340

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 bruce szalwinski
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,203 @@
+# aws-msk-iam-sasl-signer
+
+[![Gem Version](https://img.shields.io/gem/v/aws-msk-iam-sasl-signer)](https://rubygems.org/gems/aws-msk-iam-sasl-signer)
+[![Gem Downloads](https://img.shields.io/gem/dt/aws-msk-iam-sasl-signer)](https://www.ruby-toolbox.com/projects/aws-msk-iam-sasl-signer)
+[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby/ci.yml)](https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby/actions/workflows/ci.yml)
+[![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby)](https://codeclimate.com/github/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby)
+
+This is an Amazon MSK Library in Ruby. 
+This library provides a function to generates a base 64 encoded signed url to enable authentication/authorization with an MSK Cluster.
+The signed url is generated by using your IAM credentials.
+
+# Features
+
+- Provides a function to generate auth token using IAM credentials from the AWS default credentials chain.
+- Provides a function to generate auth token using IAM credentials from the AWS named profile.
+- Provides a function to generate auth token using assumed IAM role’s credentials.
+
+---
+
+- [Quick start](#quick-start)
+- [Support](#support)
+- [License](#license)
+- [Code of conduct](#code-of-conduct)
+- [Contribution guide](#contribution-guide)
+
+# Get Started
+
+## Installation
+
+To install aws-msk-iam-sasl-signer-ruby, run this command in your terminal.
+This is the preferred method to install aws-msk-iam-sasl-signer-ruby, as it will always install the most recent stable release.
+
+```bash
+gem install aws-msk-iam-sasl-signer
+```
+
+## Usage
+
+```ruby
+
+# frozen_string_literal: true
+require "aws-msk-iam-sasl-signer"
+require "json"
+require "rdkafka"
+
+KAFKA_TOPIC = ENV['KAFKA_TOPIC']
+KAFKA_BOOTSTRAP_SERVERS = ENV['KAFKA_BOOTSTRAP_SERVERS']
+
+kafka_config = {
+  "bootstrap.servers": KAFKA_BOOTSTRAP_SERVERS,
+  "security.protocol": 'sasl_ssl',
+  "sasl.mechanisms": 'OAUTHBEARER',
+  "client.id": 'ruby-producer',
+}
+
+def refresh_token(client, config)
+  signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
+  auth_token = signer.generate_auth_token
+
+  error_buffer = FFI::MemoryPointer.from_string(' ' * 256)
+  response = Rdkafka::Bindings.rd_kafka_oauthbearer_set_token(
+    client, auth_token.token, auth_token.expiration_time_ms, 'kafka-cluster', nil, 0, error_buffer, 256
+  )
+  return unless response != 0
+
+  Rdkafka::Bindings.rd_kafka_oauthbearer_set_token_failure(client,
+                                                           "Failed to set token: #{error_buffer.read_string}")
+
+end
+
+# set the token refresh callback
+Rdkafka::Config.oauthbearer_token_refresh_callback = method(:refresh_token)
+producer = Rdkafka::Config.new(kafka_config).producer
+
+# seed the token
+# events_poll will invoke all registered callbacks, of which oauthbearer_token_refresh_callback is one
+
+consumer = Rdkafka::Config.new(kafka_config).consumer
+consumer.events_poll
+
+# produce some messages
+
+Payload = Data.define(:device_id, :creation_timestamp, :temperature)
+
+loop do
+  payload = Payload.new(
+    device_id: '1234',
+    creation_timestamp: Time.now.to_i,
+    temperature: rand(0..100)
+  )
+
+  handle = producer.produce(
+    topic: KAFKA_TOPIC,
+    payload: payload.to_h.to_json,
+    key: "ruby-kafka-#{rand(0..999)}"
+  )
+  handle.wait(max_wait_timeout: 10)
+
+  sleep(10)
+end
+
+```
+
+In order to use a named profile to generate the token, replace the `generate_auth_token` function with code below:
+
+```ruby
+  signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
+  auth_token = signer.generate_auth_token_from_profile(
+    aws_profile: 'my-profile'
+  )
+```
+
+
+In order to use a role arn to generate the token, replace the `generate_auth_token` function with code below:
+
+```ruby
+    signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
+    auth_token = signer.generate_auth_token_from_role_arn(
+        role_arn: 'arn:aws:iam::1234567890:role/my-role'
+    )
+```
+
+In order to use a custom credentials provider, replace the `generate_auth_token` function with code below :
+
+```ruby
+    signer = AwsMskIamSaslSigner::MSKTokenProvider.new(region: 'us-east-1')
+    auth_token = signer.generate_auth_token_from_credentials_provider(
+      'your-credentials-provider'
+    )
+```
+
+## Running tests
+
+You can run tests in the currently configured Ruby version using `rake`.
+By default, it will run all the unit tests.
+
+```bash
+bundle exec rake test
+```
+
+To fix lint issues, run `rubocop`.
+
+```bash
+bundle exec rubocop -x
+```
+## Code Climate
+
+This project uses [code climate](https://github.com/marketplace/code-climate) to maintain code quality.
+Code Climate will be run on every pull request and will fail if the code quality is not maintained.
+Code climate can be run locally using the command below.
+
+```bash
+bundle exec rake codeclimate
+```
+
+## CLI
+
+You can generate a signed url using the CLI.
+
+```bash
+bundle exec signer --help               
+Commands:
+  signer generate                                         # Generate a token using credential provider chain
+  signer generate-from-profile --aws-profile=AWS_PROFILE  # Generate a token using aws profile
+  signer generate-from-role-arn --role-arn=ROLE_ARN       # Generate a token using role arn
+  signer help [COMMAND]                                   # Describe available commands or one specific command
+```
+
+## TroubleShooting
+
+### Finding out which identity is being used
+
+When using the token to authenticate against an MSK cluster, you may receive an Access denied error.
+There may be some doubt as to which credential is being exactly used.
+The credential may be sourced from a role ARN, EC2 instance profile, credential profile etc.
+When calling `generate_auth_token`, you can set `aws_debug` argument to `true`.
+
+```ruby
+MSKAuthTokenProvider.generate_auth_token(aws_debug: true)
+```
+
+`generate_auth_token` will return a third value, the caller identity:
+
+```ruby
+auth_token = MSKAuthTokenProvider.generate_auth_token(aws_debug: true)
+puts "Caller identity: #{auth_token.caller_identity}"
+```
+
+## Support
+
+If you want to report a bug, or have ideas, feedback or questions about the gem, [let me know via GitHub issues](https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby/issues/new) and I will do my best to provide a helpful answer. Happy hacking!
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).
+
+## Code of conduct
+
+Everyone interacting in this project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](CODE_OF_CONDUCT.md).
+
+## Contribution guide
+
+Pull requests are welcome!

data/exe/signer

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require "aws_msk_iam_sasl_signer"
+AwsMskIamSaslSigner::CLI.start(ARGV)

data/lib/aws-msk-iam-sasl-signer/cli.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "thor"
+require "json"
+
+module AwsMskIamSaslSigner
+  class CLI < Thor
+    extend ThorExt::Start
+    map %w[-v --version] => "version"
+    desc "version", "Display signer version", hide: true
+    def version
+      say "signer/#{VERSION} #{RUBY_DESCRIPTION}"
+    end
+
+    desc "generate", "Generate a token using credential provider chain"
+    option :region, type: :string, default: "us-east-1", desc: "The AWS region"
+    option :aws_debug, type: :boolean, default: false, desc: "Log caller identity when using credential provider chain"
+    def generate
+      token_provider = MSKTokenProvider.new(region: options[:region])
+      token = token_provider.generate_auth_token(
+        aws_debug: options[:aws_debug]
+      )
+
+      puts "Token: #{token.token}"
+      puts "Expiration Time: #{token.expiration_time_ms}"
+      return unless options[:aws_debug]
+
+      puts "Caller Identity: #{token.caller_identity.to_h.to_json}"
+    end
+
+    desc "generate-from-profile", "Generate a token using aws-msk-iam-sasl-signer profile"
+    option :region, type: :string, default: "us-east-1", desc: "The AWS region"
+    option :aws_profile, type: :string, desc: "Name of the AWS profile", required: true
+    def generate_from_profile
+      token_provider = MSKTokenProvider.new(region: options[:region])
+
+      signed_url, expiration_time_ms = token_provider.generate_auth_token_from_profile(options[:aws_profile])
+      puts "Token: #{signed_url}"
+      puts "Expiration Time: #{expiration_time_ms}"
+    end
+
+    desc "generate-from-role-arn", "Generate a token using role arn"
+    option :region, type: :string, default: "us-east-1", desc: "The AWS region"
+    option :role_arn, type: :string, desc: "ARN of the role to assume", required: true
+    option :session_name, type: :string, default: nil, desc: "The session name to use when assuming a role"
+    def generate_from_role_arn
+      token_provider = MSKTokenProvider.new(region: options[:region])
+      signed_url, expiration_time_ms = token_provider.generate_auth_token_from_role_arn(
+        options[:role_arn],
+        options[:session_name]
+      )
+
+      puts "Token: #{signed_url}"
+      puts "Expiration Time: #{expiration_time_ms}"
+    end
+  end
+end

data/lib/aws-msk-iam-sasl-signer/credentials_resolver.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "aws-sigv4"
+
+module AwsMskIamSaslSigner
+  class CredentialsResolver
+    def from_credential_provider_chain(region)
+      client = Aws::Kafka::Client.new(region: region)
+      raise "No credentials found" unless client.config.credentials
+
+      client.config.credentials
+    end
+
+    def from_profile(profile)
+      Aws::SharedCredentials.new(profile_name: profile)
+    end
+
+    def from_role_arn(role_arn:, session_name:)
+      sts = Aws::STS::Client.new
+      sts.assume_role({ role_arn: role_arn, role_session_name: session_name })
+    end
+  end
+end

data/lib/aws-msk-iam-sasl-signer/msk_token_provider.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require "aws-sdk-kafka"
+require "aws-sigv4"
+require "base64"
+require "uri"
+
+module AwsMskIamSaslSigner
+  class MSKTokenProvider
+    ENDPOINT_URL_TEMPLATE = "kafka.{}.amazonaws.com"
+    DEFAULT_TOKEN_EXPIRY_SECONDS = 900
+    LIB_NAME = "aws-msk-iam-sasl-signer-msk-iam-sasl-signer-ruby"
+    USER_AGENT_KEY = "User-Agent"
+    SESSION_NAME = "MSKSASLDefaultSession"
+    CallerIdentity = Struct.new(:user_id, :account, :arn)
+    AuthToken = Struct.new(:token, :expiration_time_ms, :caller_identity)
+
+    def initialize(region:)
+      @region = region
+    end
+
+    def generate_auth_token(aws_debug: false)
+      credentials = CredentialsResolver.new.from_credential_provider_chain(@region)
+      caller_identity = caller_identity(credentials, @region) if aws_debug
+      url = presign(credentials, endpoint_url)
+      AuthToken.new(
+        urlsafe_encode64(user_agent(url)),
+        expiration_time_ms(url),
+        caller_identity
+      )
+    end
+
+    def generate_auth_token_from_profile(profile)
+      credentials = CredentialsResolver.new.from_profile(profile)
+      url = presign(credentials, endpoint_url)
+      AuthToken.new(
+        urlsafe_encode64(user_agent(url)),
+        expiration_time_ms(url)
+      )
+    end
+
+    def generate_auth_token_from_role_arn(role_arn, session_name=nil)
+      session_name ||= SESSION_NAME
+      credentials = CredentialsResolver.new.from_role_arn(
+        role_arn: role_arn,
+        session_name: session_name
+      )
+      url = presign(credentials, endpoint_url)
+      AuthToken.new(
+        urlsafe_encode64(user_agent(url)),
+        expiration_time_ms(url)
+      )
+    end
+
+    def generate_auth_token_from_credentials_provider(credentials_provider)
+      raise "Invalid credentials provider" unless credentials_provider.respond_to?(:credentials)
+
+      url = presign(credentials_provider, endpoint_url)
+      AuthToken.new(
+        urlsafe_encode64(user_agent(url)),
+        expiration_time_ms(url)
+      )
+    end
+
+    private
+
+    def endpoint_url
+      host = ENDPOINT_URL_TEMPLATE.gsub("{}", @region)
+      query_params = {
+        Action: "kafka-cluster:Connect"
+      }
+      URI::HTTPS.build(host: host, path: "/", query: URI.encode_www_form(query_params))
+    end
+
+    def presign(credentials_provider, url)
+      signer = Aws::Sigv4::Signer.new(
+        service: "kafka-cluster",
+        region: @region,
+        credentials_provider: credentials_provider
+      )
+      signer.presign_url(
+        http_method: "GET",
+        url: url,
+        expires_in: DEFAULT_TOKEN_EXPIRY_SECONDS
+      )
+    end
+
+    def user_agent(url)
+      new_query_ar = URI.decode_www_form(url.query) << [USER_AGENT_KEY, "#{LIB_NAME}/#{VERSION}"]
+      url.query = URI.encode_www_form(new_query_ar)
+      url.to_s
+    end
+
+    def urlsafe_encode64(url)
+      Base64.urlsafe_encode64(url, padding: false)
+    end
+
+    def expiration_time_ms(url)
+      params = URI.decode_www_form(String(url.query))
+      signing_date = params.find { |param| param[0] == "X-Amz-Date" }
+      signing_time = DateTime.strptime(signing_date[1], "%Y%m%dT%H%M%SZ")
+      1000 * (signing_time.to_time.to_i + DEFAULT_TOKEN_EXPIRY_SECONDS)
+    end
+
+    def caller_identity(credentials_provider, region)
+      sts = Aws::STS::Client.new(
+        region: region,
+        access_key_id: credentials_provider.credentials.access_key_id,
+        secret_access_key: credentials_provider.credentials.secret_access_key,
+        session_token: credentials_provider.credentials.session_token
+      )
+      CallerIdentity.new(
+        sts.get_caller_identity.user_id,
+        sts.get_caller_identity.account,
+        sts.get_caller_identity.arn
+      )
+    end
+  end
+end

data/lib/aws-msk-iam-sasl-signer/thor_ext.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module AwsMskIamSaslSigner
+  module ThorExt
+    # Configures Thor to behave more like a typical CLI, with better help and error handling.
+    #
+    # - Passing -h or --help to a command will show help for that command.
+    # - Unrecognized options will be treated as errors (instead of being silently ignored).
+    # - Error messages will be printed in red to stderr, without stack trace.
+    # - Full stack traces can be enabled by setting the VERBOSE environment variable.
+    # - Errors will cause Thor to exit with a non-zero status.
+    #
+    # To take advantage of this behavior, your CLI should subclass Thor and extend this module.
+    #
+    #   class CLI < Thor
+    #     extend ThorExt::Start
+    #   end
+    #
+    # Start your CLI with:
+    #
+    #   CLI.start
+    #
+    # In tests, prevent Kernel.exit from being called when an error occurs, like this:
+    #
+    #   CLI.start(args, exit_on_failure: false)
+    #
+    module Start
+      def self.extended(base)
+        super
+        base.check_unknown_options!
+      end
+
+      def start(given_args=ARGV, config={})
+        config[:shell] ||= Thor::Base.shell.new
+        handle_help_switches(given_args) do |args|
+          dispatch(nil, args, nil, config)
+        end
+      rescue StandardError => e
+        handle_exception_on_start(e, config)
+      end
+
+      private
+
+      def handle_help_switches(given_args)
+        yield(given_args.dup)
+      rescue Thor::UnknownArgumentError => e
+        retry_with_args = []
+
+        if given_args.first == "help"
+          retry_with_args = ["help"] if given_args.length > 1
+        elsif (e.unknown & %w[-h --help]).any?
+          retry_with_args = ["help", (given_args - e.unknown).first]
+        end
+        raise unless retry_with_args.any?
+
+        yield(retry_with_args)
+      end
+
+      def handle_exception_on_start(error, config)
+        return if error.is_a?(Errno::EPIPE)
+        raise if ENV["VERBOSE"] || !config.fetch(:exit_on_failure, true)
+
+        message = error.message.to_s.dup
+        message.prepend("[#{error.class}] ") if message.empty? || !error.is_a?(Thor::Error)
+
+        config[:shell]&.say_error(message, :red)
+        exit(false)
+      end
+    end
+  end
+end

data/lib/aws-msk-iam-sasl-signer/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module AwsMskIamSaslSigner
+  VERSION = "0.1.0"
+end

data/lib/aws_msk_iam_sasl_signer.rb

@@ -0,0 +1,12 @@
+require "aws-sdk-kafka"
+require "aws-sigv4"
+require "base64"
+require "uri"
+
+module AwsMskIamSaslSigner
+  autoload :MSKTokenProvider, "aws-msk-iam-sasl-signer/msk_token_provider"
+  autoload :CredentialsResolver, "aws-msk-iam-sasl-signer/credentials_resolver"
+  autoload :VERSION, "aws-msk-iam-sasl-signer/version"
+  autoload :CLI, "aws-msk-iam-sasl-signer/cli"
+  autoload :ThorExt, "aws-msk-iam-sasl-signer/thor_ext"
+end

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: aws-msk-iam-sasl-signer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- bruce szalwinski
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-03-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-kafka
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- bruce.szalwinski@hotelengine.com
+executables:
+- signer
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- exe/signer
+- lib/aws-msk-iam-sasl-signer/cli.rb
+- lib/aws-msk-iam-sasl-signer/credentials_resolver.rb
+- lib/aws-msk-iam-sasl-signer/msk_token_provider.rb
+- lib/aws-msk-iam-sasl-signer/thor_ext.rb
+- lib/aws-msk-iam-sasl-signer/version.rb
+- lib/aws_msk_iam_sasl_signer.rb
+homepage: https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby/issues
+  changelog_uri: https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby/releases
+  source_code_uri: https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby
+  homepage_uri: https://github.com/bruce-szalwinski-he/aws-msk-iam-sasl-signer-ruby
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key:
+specification_version: 4
+summary: MSK Library in Ruby for SASL/OAUTHBEARER Auth
+test_files: []