aws-rotate 0.1.0

data/lib/aws_rotate/cache_key.rb

@@ -0,0 +1,3 @@
+module AwsRotate
+  CacheKey = Struct.new(:old_key_id, :access_key_id, :secret_access_key)
+end

data/lib/aws_rotate/cli.rb

@@ -0,0 +1,47 @@
+module AwsRotate
+  class CLI < Command
+    class_option :verbose, type: :boolean
+    class_option :noop, type: :boolean
+
+    desc "list", "list profiles in ~/.aws"
+    long_desc Help.text(:list)
+    def list
+      List.new(options).run
+    end
+
+    desc "key", "rotate key for AWS_PROFILE profile"
+    long_desc Help.text(:key)
+    option :backup, type: :boolean, default: true, desc: "Enable backup"
+    def key
+      Backup.new(options).run
+      Key.new(options).run
+    end
+
+    desc "keys", "rotate keys for all profiles in ~/.aws/credentials"
+    long_desc Help.text(:keys)
+    option :select, aliases: :s, type: :array, desc: "Select filter. List of patterns to select profiles for updating"
+    option :reject, aliases: :r, type: :array, desc: "Reject filter. List of patterns to reject profiles for updating"
+    option :backup, type: :boolean, default: true, desc: "Enable backup"
+    def keys
+      Backup.new(options).run
+      Keys.new(options).run
+    end
+
+    desc "completion *PARAMS", "Prints words for auto-completion."
+    long_desc Help.text("completion")
+    def completion(*params)
+      Completer.new(CLI, *params).run
+    end
+
+    desc "completion_script", "Generates a script that can be eval to setup auto-completion."
+    long_desc Help.text("completion_script")
+    def completion_script
+      Completer::Script.generate
+    end
+
+    desc "version", "prints version"
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/aws_rotate/command.rb

@@ -0,0 +1,82 @@
+require "thor"
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module AwsRotate
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   aws-rotate command help
+        #   aws-rotate command -h
+        #   aws-rotate command --help
+        #   aws-rotate command -D
+        #
+        # as well thor's normal way:
+        #
+        #   aws-rotate help command
+        help_flags = Thor::HELP_MAPPINGS + ["help"]
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, "help")
+        end
+
+        #   aws-rotate version
+        #   aws-rotate --version
+        #   aws-rotate -v
+        version_flags = ["--version", "-v"]
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ["version"]
+        end
+
+        super
+      end
+
+      # Override command_help to include the description at the top of the
+      # long_description.
+      def command_help(shell, command_name)
+        meth = normalize_command_name(command_name)
+        command = all_commands[meth]
+        alter_command_description(command)
+        super
+      end
+
+      def alter_command_description(command)
+        return unless command
+
+        # Add description to beginning of long_description
+        long_desc = if command.long_description
+            "#{command.description}\n\n#{command.long_description}"
+          else
+            command.description
+          end
+
+        # add reference url to end of the long_description
+        unless website.empty?
+          full_command = [command.ancestor_name, command.name].compact.join('-')
+          url = "#{website}/reference/aws-rotate-#{full_command}"
+          long_desc += "\n\nHelp also available at: #{url}"
+        end
+
+        command.long_description = long_desc
+      end
+      private :alter_command_description
+
+      # meant to be overriden
+      def website
+        ""
+      end
+    end
+  end
+end

data/lib/aws_rotate/completer.rb

@@ -0,0 +1,159 @@
+=begin
+Code Explanation:
+
+There are 3 types of things to auto-complete:
+
+  1. command: the command itself
+  2. parameters: command parameters.
+  3. options: command options
+
+Here's an example:
+
+  mycli hello name --from me
+
+  * command: hello
+  * parameters: name
+  * option: --from
+
+When command parameters are done processing, the remaining completion words will be options.  We can tell that the command params are completed based on the method arity.
+
+## Arity
+
+For example, say you had a method for a CLI command with the following form:
+
+  ufo scale service count --cluster development
+
+It's equivalent ruby method:
+
+  scale(service, count) = has an arity of 2
+
+So typing:
+
+  ufo scale service count [TAB] # there are 3 parameters including the "scale" command according to Thor's CLI processing.
+
+So the completion should only show options, something like this:
+
+  --noop --verbose --cluster
+
+## Splat Arguments
+
+When the ruby method has a splat argument, it's arity is negative.  Here are some example methods and their arities.
+
+   ship(service) = 1
+   scale(service, count) = 2
+   ships(*services) = -1
+   foo(example, *rest) = -2
+
+Fortunately, negative and positive arity values are processed the same way. So we take simply take the absolute value of the arity and process it the same.
+
+Here are some test cases, hit TAB after typing the command:
+
+  aws-rotate completion
+  aws-rotate completion hello
+  aws-rotate completion hello name
+  aws-rotate completion hello name --
+  aws-rotate completion hello name --noop
+
+  aws-rotate completion
+  aws-rotate completion sub:goodbye
+  aws-rotate completion sub:goodbye name
+
+## Subcommands and Thor::Group Registered Commands
+
+Sometimes the commands are not simple thor commands but are subcommands or Thor::Group commands. A good specific example is the ufo tool.
+
+  * regular command: ufo ship
+  * subcommand: ufo docker
+  * Thor::Group command: ufo init
+
+Auto-completion accounts for each of these type of commands.
+=end
+module AwsRotate
+  class Completer
+    def initialize(command_class, *params)
+      @params = params
+      @current_command = @params[0]
+      @command_class = command_class # CLI initiall
+    end
+
+    def run
+      if subcommand?(@current_command)
+        subcommand_class = @command_class.subcommand_classes[@current_command]
+        @params.shift # destructive
+        Completer.new(subcommand_class, *@params).run # recursively use subcommand
+        return
+      end
+
+      # full command has been found!
+      unless found?(@current_command)
+        puts all_commands
+        return
+      end
+
+      # will only get to here if command aws found (above)
+      arity = @command_class.instance_method(@current_command).arity.abs
+      if @params.size > arity or thor_group_command?
+        puts options_completion
+      else
+        puts params_completion
+      end
+    end
+
+    def subcommand?(command)
+      @command_class.subcommands.include?(command)
+    end
+
+    # hacky way to detect that command is a registered Thor::Group command
+    def thor_group_command?
+      command_params(raw=true) == [[:rest, :args]]
+    end
+
+    def found?(command)
+      public_methods = @command_class.public_instance_methods(false)
+      command && public_methods.include?(command.to_sym)
+    end
+
+    # all top-level commands
+    def all_commands
+      commands = @command_class.all_commands.reject do |k,v|
+        v.is_a?(Thor::HiddenCommand)
+      end
+      commands.keys
+    end
+
+    def command_params(raw=false)
+      params = @command_class.instance_method(@current_command).parameters
+      # Example:
+      # >> Sub.instance_method(:goodbye).parameters
+      # => [[:req, :name]]
+      # >>
+      raw ? params : params.map!(&:last)
+    end
+
+    def params_completion
+      offset = @params.size - 1
+      offset_params = command_params[offset..-1]
+      command_params[offset..-1].first
+    end
+
+    def options_completion
+      used = ARGV.select { |a| a.include?('--') } # so we can remove used options
+
+      method_options = @command_class.all_commands[@current_command].options.keys
+      class_options = @command_class.class_options.keys
+
+      all_options = method_options + class_options + ['help']
+
+      all_options.map! { |o| "--#{o.to_s.gsub('_','-')}" }
+      filtered_options = all_options - used
+      filtered_options.uniq
+    end
+
+    # Useful for debugging. Using puts messes up completion.
+    def log(msg)
+      File.open("/tmp/complete.log", "a") do |file|
+        file.puts(msg)
+      end
+    end
+  end
+end

data/lib/aws_rotate/completer/script.rb

@@ -0,0 +1,6 @@
+class AwsRotate::Completer::Script
+  def self.generate
+    bash_script = File.expand_path("script.sh", File.dirname(__FILE__))
+    puts "source #{bash_script}"
+  end
+end

data/lib/aws_rotate/completer/script.sh

@@ -0,0 +1,10 @@
+_aws-rotate() {
+  COMPREPLY=()
+  local word="${COMP_WORDS[COMP_CWORD]}"
+  local words=("${COMP_WORDS[@]}")
+  unset words[0]
+  local completion=$(aws-rotate completion ${words[@]})
+  COMPREPLY=( $(compgen -W "$completion" -- "$word") )
+}
+
+complete -F _aws-rotate aws-rotate

data/lib/aws_rotate/help.rb

@@ -0,0 +1,9 @@
+module AwsRotate::Help
+  class << self
+    def text(namespaced_command)
+      path = namespaced_command.to_s.gsub(':','/')
+      path = File.expand_path("../help/#{path}.md", __FILE__)
+      IO.read(path) if File.exist?(path)
+    end
+  end
+end

data/lib/aws_rotate/help/completion.md

@@ -0,0 +1,22 @@
+Example:
+
+    aws-rotate completion
+
+Prints words for TAB auto-completion.
+
+Examples:
+
+    aws-rotate completion
+    aws-rotate completion hello
+    aws-rotate completion hello name
+
+To enable, TAB auto-completion add the following to your profile:
+
+    eval $(aws-rotate completion_script)
+
+Auto-completion example usage:
+
+    aws-rotate [TAB]
+    aws-rotate hello [TAB]
+    aws-rotate hello name [TAB]
+    aws-rotate hello name --[TAB]

data/lib/aws_rotate/help/completion_script.md

@@ -0,0 +1,3 @@
+To use, add the following to your `~/.bashrc` or `~/.profile`
+
+    eval $(aws-rotate completion_script)

data/lib/aws_rotate/help/key.md

@@ -0,0 +1,4 @@
+## Examples
+
+    aws-rotate key
+    AWS_PROFILE=my-profile aws-rotate key

data/lib/aws_rotate/help/keys.md

@@ -0,0 +1,16 @@
+## Examples
+
+    aws-rotate keys
+    AWS_PROFILE=my-profile aws-rotate keys
+
+## Select Filter Option
+
+    aws-rotate keys --select dev-
+    aws-rotate keys -s dev- # shorthand
+    aws-rotate keys -s ^dev- ^test- # multiple patterns
+
+## Reject Filter Option
+
+    aws-rotate keys --reject prod-
+    aws-rotate keys -r prod- # shorthand
+    aws-rotate keys -r ^prod- ^production- # multiple patterns

data/lib/aws_rotate/help/list.md

@@ -0,0 +1,3 @@
+## Examples
+
+    aws-rotate list

data/lib/aws_rotate/key.rb

@@ -0,0 +1,150 @@
+module AwsRotate
+  class Key < Base
+    class MaxKeysError < StandardError; end
+    class GetIamUserError < StandardError; end
+
+    def run
+      # Note: It is nice to always call get_iam_user first as it'll check access. We rescue exceptions
+      # and report errors early on. The noop check happens after this initial check.
+      # Also with this we can filter for only the keys thats that have associated users and will be updated.
+      # Only the profiles with IAM users will be shown as "Updating..."
+      @user = get_iam_user # will only rotate keys that belong to an actual IAM user
+      return unless @user
+
+      check_max_keys_limit
+      message = "Updating access key for AWS_PROFILE=#{@profile}"
+      message = "NOOP: #{message}" if @options[:noop]
+      puts message.color(:green)
+      return false if @options[:noop]
+
+      key = cache_access_key || create_access_key
+      update_aws_credentials_file(key.access_key_id, key.secret_access_key)
+      delete_old_access_key
+      patience_message
+      aws_environment_variables_warning
+      true
+    end
+
+    # Returns IAM username.
+    # Returns nil unless this profile is actually associated with an user.
+    # Skips assume role profiles.
+    def get_iam_user
+      resp = sts.get_caller_identity
+      arn = resp.arn
+      # Example arns:
+      #
+      #    arn:aws:iam::112233445566:user/tung - iam user
+      #    arn arn:aws:sts::112233445566:assumed-role/Admin/default_session - assume role
+      #
+      if arn.include?(':user/')
+        arn.split('/').last
+      end
+    rescue Aws::Errors::MissingRegionError => e
+      puts "The AWS_PROFILE=#{@profile} may not exist. Please double check it.".color(:red)
+      puts "#{e.class} #{e.message}"
+      raise GetIamUserError
+    rescue Aws::STS::Errors::InvalidClientTokenId => e
+      puts "The AWS_PROFILE=#{@profile} profile does not have access to IAM. Please double check it.".color(:red)
+      puts "#{e.class} #{e.message}"
+      raise GetIamUserError
+    rescue Aws::STS::Errors::SignatureDoesNotMatch => e
+      puts "The AWS_PROFILE=#{@profile} profile seems to have invalid secret keys. Please double check it.".color(:red)
+      puts "#{e.class} #{e.message}"
+      raise GetIamUserError
+    end
+
+    # Check if there are 2 keys, cannot rotate if there are 2 keys already.
+    # Raise error if there are 2 keys.
+    MAX_KEYS = 2
+    def check_max_keys_limit!
+      resp = iam.list_access_keys(user_name: @user)
+      return if resp.access_key_metadata.size < MAX_KEYS
+      raise MaxKeysError
+    end
+
+    # Check if there are 2 keys, cannot rotate if there are 2 keys already.
+    # Display info message for user to reduce it to 1 key.
+    def check_max_keys_limit
+      check_max_keys_limit!
+    rescue MaxKeysError
+      puts <<~EOL.color(:red)
+        This user #{@user} in the AWS_PROFILE=#{@profile} has 2 access keys. This is the max number of keys allowed.
+        Please remove at least one of the keys so aws-rotate can rotate the key.
+      EOL
+      exit 1
+    end
+
+    @@cache = {}
+    def cache_access_key
+      old_key_id = aws_configure_get(:aws_access_key_id)
+      return unless old_key_id
+      @@cache[old_key_id]
+    end
+
+    # Returns:
+    #
+    #   #<struct Aws::IAM::Types::AccessKey
+    #     user_name="tung",
+    #     access_key_id="AKIAXZ6ODJLQUU6O3FD2",
+    #     status="Active",
+    #     secret_access_key="8eEnLLdR7gQE9fkFiDVuemi3qPf3mBMXxEXAMPLE",
+    #     create_date=2019-08-13 21:14:35 UTC>>
+    #
+    def create_access_key
+      resp = iam.create_access_key
+      key = resp.access_key
+
+      # store in cache to help with multiple profiles using the same aws access key
+      old_key_id = aws_configure_get(:aws_access_key_id)
+      @@cache[old_key_id] = CacheKey.new(old_key_id, key.access_key_id, key.secret_access_key)
+
+      puts "Created new access key: #{key.access_key_id}"
+      key
+    end
+
+    def update_aws_credentials_file(aws_access_key_id, aws_secret_access_key)
+      aws_configure_set(aws_access_key_id: aws_access_key_id)
+      aws_configure_set(aws_secret_access_key: aws_secret_access_key)
+      puts "Updated profile #{@profile} in #{@credentials_path} with new key: #{aws_access_key_id}"
+    end
+
+    def delete_old_access_key
+      resp = iam.list_access_keys
+      access_keys = resp.access_key_metadata
+      # Important: only delete if there are keys 2.  The reason this is possible is because multiple profiles can use
+      # the same aws_access_key_id. In this case, an additional key is not created but we use the key from the @@cache
+      return if access_keys.size <= 1
+
+      old_key = access_keys.sort_by(&:create_date).first
+      iam.delete_access_key(access_key_id: old_key.access_key_id)
+      puts "Old access key deleted: #{old_key.access_key_id}"
+    end
+
+    def patience_message
+      puts "Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable."
+    end
+
+    def aws_environment_variables_warning
+      return unless ENV['AWS_ACCESS_KEY_ID'] || ENV['AWS_SECRET_ACCESS_KEY']
+
+      puts <<~EOL
+        WARN: The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are also set in your shell.
+        You must update those yourself. This tool only updates thethe keys in ~/.aws.
+      EOL
+    end
+
+  private
+
+    # Use the aws cli to spare coding work from parsing it.
+    def aws_configure_set(options={})
+      k, v = options.keys.first, options.values.first
+      sh "aws configure set #{k} #{v} --profile #{@profile}"
+    end
+
+    def aws_configure_get(k)
+      out = `aws configure get #{k} --profile #{@profile}` # use backtick to grab output
+      out.strip!
+      out == '' ? nil : out
+    end
+  end
+end