aws-rotate 0.1.0

data/lib/aws_rotate/keys.rb

@@ -0,0 +1,42 @@
+module AwsRotate
+  class Keys < Base
+    def run
+      list = List.new(@options)
+      list.profiles.each do |profile|
+        next unless filter_match?(profile)
+
+        ENV['AWS_PROFILE'] = profile
+        update_key
+      end
+    end
+
+    def filter_match?(profile)
+      return true if @options[:select].nil? && @options[:reject].nil?
+
+      unless @options[:reject].nil?
+        reject_list = @options[:reject]
+        reject_list.map! { |f|  Regexp.new(f) }
+        rejected = !!reject_list.detect do |regexp|
+          profile =~ regexp
+        end
+        return false if rejected
+      end
+
+      return true if @options[:select].nil?
+
+      select_list = @options[:select]
+      select_list.map! { |f|  Regexp.new(f) }
+      selected = !!select_list.detect do |regexp|
+        profile =~ regexp
+      end
+      selected
+    end
+
+    def update_key
+      Key.new(@options).run
+    rescue Key::GetIamUserError
+      message = @options[:noop] ? "Will not be able to update key" : "Unable to update key"
+      puts "WARN: #{message} for AWS_PROFILE=#{@profile}".color(:yellow)
+    end
+  end
+end

data/lib/aws_rotate/list.rb

@@ -0,0 +1,20 @@
+module AwsRotate
+  class List < Base
+    def run
+      puts "AWS Profiles:"
+      puts profiles
+    end
+
+    def profiles
+      lines = IO.readlines(@credentials_path)
+      profiles = []
+      lines.each do |line|
+        next if line =~ /^\s*#/ # ignore comments
+
+        md = line.match(/\[(.*)\]/)
+        profiles << md[1] if md
+      end
+      profiles
+    end
+  end
+end

data/lib/aws_rotate/version.rb

@@ -0,0 +1,3 @@
+module AwsRotate
+  VERSION = "0.1.0"
+end

data/spec/fixtures/home/.aws/config

@@ -0,0 +1,15 @@
+[profile default]
+output = json
+region = us-west-2
+
+[profile parent-account]
+output = json
+region = us-west-2
+
+[profile child-account]
+output = json
+region = us-west-2
+
+[profile iam-account]
+output = json
+region = us-east-1

data/spec/fixtures/home/.aws/credentials

@@ -0,0 +1,15 @@
+[default]
+role_arn = arn:aws:iam::112233445566:role/Admin
+source_profile = parent-account
+
+[parent-account]
+aws_access_key_id=AAAEXAMPLEAABBCCDDEE
+aws_secret_access_key=AAAEXAMPLEAABBCCDDEEFFGGHHIIJJKKLLMMNNOO
+
+[child-account]
+role_arn = arn:aws:iam::112233445566:role/Admin
+source_profile = parent-account
+
+[iam-account]
+aws_access_key_id=BBBEXAMPLEAABBCCDDEE
+aws_secret_access_key=BBBEXAMPLEAABBCCDDEEFFGGHHIIJJKKLLMMNNOO

data/spec/lib/cli_spec.rb

@@ -0,0 +1,12 @@
+describe AwsRotate::CLI do
+  before(:all) do
+    @args = ""
+  end
+
+  describe "aws-rotate" do
+    it "list" do
+      out = execute("exe/aws-rotate list #{@args}")
+      expect(out).to include("AWS Profiles:")
+    end
+  end
+end

data/spec/lib/key_spec.rb

@@ -0,0 +1,52 @@
+describe AwsRotate::Key do
+  let(:rotater) do
+    rotater = AwsRotate::Key.new
+    # The methods that are commented out have stubs at lower-levels.
+    # allow(rotater).to receive(:get_iam_user).and_return('tung')
+    allow(rotater).to receive(:check_max_keys_limit).and_return(null)
+    allow(rotater).to receive(:cache_access_key).and_return(cache_access_key)
+    # allow(rotater).to receive(:create_access_key).and_return(create_access_key)
+    allow(rotater).to receive(:update_aws_credentials_file).and_return(null)
+    # allow(rotater).to receive(:delete_old_access_key).and_return(null)
+
+    # stub out aws configure calls
+    allow(rotater).to receive(:aws_configure_get).and_return(null)
+    allow(rotater).to receive(:aws_configure_set).and_return(null)
+
+    # stub out aws clients
+    allow(rotater).to receive(:sts).and_return(sts)
+    allow(rotater).to receive(:iam).and_return(iam)
+
+    rotater
+  end
+  let(:null)              { double(:null).as_null_object }
+  let(:cache_access_key)  { nil }
+  let(:create_access_key) { null }
+
+  let(:iam) do
+    iam = double(:null).as_null_object
+    resp = OpenStruct.new(
+        access_key: OpenStruct.new(
+          access_key_id: "FAKE-KEY-ID",
+          secret_access_key: "FAKE-SECRET-ACCESS-KEY",
+        )
+      )
+
+    allow(iam).to receive(:create_access_key).and_return(resp)
+    iam
+  end
+
+  let(:sts) do
+    sts = double(:null).as_null_object
+    resp = OpenStruct.new(arn: 'arn:aws:iam::112233445566:user/tung')
+    allow(sts).to receive(:get_caller_identity).and_return(resp)
+    sts
+  end
+
+  describe "rotater" do
+    it "run" do
+      completed = rotater.run
+      expect(completed).to be true
+    end
+  end
+end

data/spec/lib/keys_spec.rb

@@ -0,0 +1,60 @@
+describe AwsRotate::Key do
+  let(:keys) do
+    AwsRotate::Keys.new(options)
+  end
+  let(:options) { {select: select, reject: reject } }
+  let(:select)  { nil }
+  let(:reject)  { nil }
+
+  context "no filters" do
+    it "always returns true" do
+      result = keys.filter_match?("my-account")
+      expect(result).to be true
+      result = keys.filter_match?("whatever")
+      expect(result).to be true
+    end
+  end
+
+  context "select filter string match" do
+    let(:select) { ["my"] }
+    it "test" do
+      result = keys.filter_match?("my-account")
+      expect(result).to be true
+      result = keys.filter_match?("whatever")
+      expect(result).to be false
+    end
+  end
+
+  context "select filter regexp match" do
+    let(:select) { ["^my"] }
+    it "test" do
+      result = keys.filter_match?("my-account")
+      expect(result).to be true
+      result = keys.filter_match?("test-my-test")
+      expect(result).to be false
+    end
+  end
+
+  context "reject filter" do
+    let(:reject) { ["my"] }
+    it "test" do
+      result = keys.filter_match?("my-account")
+      expect(result).to be false
+      result = keys.filter_match?("whatever")
+      expect(result).to be true
+    end
+  end
+
+  context "both select and reject filters" do
+    let(:select) { ["my"] }
+    let(:reject) { ["test"] }
+    it "test" do
+      result = keys.filter_match?("my-account")
+      expect(result).to be true
+      result = keys.filter_match?("my-test-account")
+      expect(result).to be false
+      result = keys.filter_match?("whatever")
+      expect(result).to be false
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,33 @@
+ENV["TEST"] = "1"
+# Ensures aws api never called. Fixture home does not contain ~/.aws/credentials
+ENV['HOME'] = "spec/fixtures/home"
+
+# CodeClimate test coverage: https://docs.codeclimate.com/docs/configuring-test-coverage
+# require 'simplecov'
+# SimpleCov.start
+
+require "pp"
+require "byebug"
+root = File.expand_path("../", File.dirname(__FILE__))
+require "#{root}/lib/aws-rotate"
+
+require 'webmock/rspec'
+
+module Helper
+  def execute(cmd)
+    puts "Running: #{cmd}" if show_command?
+    out = `#{cmd}`
+    puts out if show_command?
+    out
+  end
+
+  # Added SHOW_COMMAND because DEBUG is also used by other libraries like
+  # bundler and it shows its internal debugging logging also.
+  def show_command?
+    ENV['DEBUG'] || ENV['SHOW_COMMAND']
+  end
+end
+
+RSpec.configure do |c|
+  c.include Helper
+end

metadata

@@ -0,0 +1,243 @@
+--- !ruby/object:Gem::Specification
+name: aws-rotate
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tung Nguyen
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cli_markdown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- tongueroo@gmail.com
+executables:
+- aws-rotate
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws-rotate.gemspec
+- exe/aws-rotate
+- lib/aws-rotate.rb
+- lib/aws_rotate.rb
+- lib/aws_rotate/autoloader.rb
+- lib/aws_rotate/aws_services.rb
+- lib/aws_rotate/backup.rb
+- lib/aws_rotate/base.rb
+- lib/aws_rotate/cache_key.rb
+- lib/aws_rotate/cli.rb
+- lib/aws_rotate/command.rb
+- lib/aws_rotate/completer.rb
+- lib/aws_rotate/completer/script.rb
+- lib/aws_rotate/completer/script.sh
+- lib/aws_rotate/help.rb
+- lib/aws_rotate/help/completion.md
+- lib/aws_rotate/help/completion_script.md
+- lib/aws_rotate/help/key.md
+- lib/aws_rotate/help/keys.md
+- lib/aws_rotate/help/list.md
+- lib/aws_rotate/key.rb
+- lib/aws_rotate/keys.rb
+- lib/aws_rotate/list.rb
+- lib/aws_rotate/version.rb
+- spec/fixtures/home/.aws/config
+- spec/fixtures/home/.aws/credentials
+- spec/lib/cli_spec.rb
+- spec/lib/key_spec.rb
+- spec/lib/keys_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/tongueroo/aws-rotate
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Easy way to rotate all your AWS keys in your ~/.aws/credentials
+test_files:
+- spec/fixtures/home/.aws/config
+- spec/fixtures/home/.aws/credentials
+- spec/lib/cli_spec.rb
+- spec/lib/key_spec.rb
+- spec/lib/keys_spec.rb
+- spec/spec_helper.rb