aws-session-credentials 0.1.1 → 1.0.0.pre.1

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NDkxYjJmODhkZjdiNTRlMzFlOTU0OGYzMmQ1NTBiNGIxYzc0OTU3MQ==
+    ZThmODRmYTdkNDdmN2IzNThlMGZjNzVjOTg3MzI1MDhmMzM5NDUwZg==
   data.tar.gz: !binary |-
-    NzIyZjQ2ODM1NjlkM2JmMGZlMzAxZGVkODg2YjQ4NTBjNjAxOWY3Zg==
+    OWZmM2I4YjQxM2E1NTVjZjc4YjlkNmE1NGFkZTc3NDUwNGE3Y2ZiMg==
 SHA512:
   metadata.gz: !binary |-
-    YjFjMDEyNjRkOWQ4ZDZiNTljNTRjMjg1NWUyMjQ4NmM0MWRiODlhODkxNTI2
-    OGM1MjZjZGQzN2QzYWMyMzY2NzBjYWM1ZjI1ZThiMmM4MWJmNTA3YWYxNWIz
-    NTg2MzRkOGRiNzRiN2YxMTFjMjZlZDNiMzUyZDhmNzM3ZDAyMDQ=
+    ZTA0MWMzNTY1NjEyODg1NmE3MWQ1MjE4OGU5YjU3YjMwZGVjYzQyNDZhNmY4
+    MWJiMjI3NTMzZGVjMTNkYTI4NjcwZDA0ZTBiZmY3ZGRmODNiMWVhZmU2NzNl
+    NDJjZWI2NmFmMzgyYzkyZGU1YTM3NjQxMDU4YmUzYjQzNjNhOGE=
   data.tar.gz: !binary |-
-    ZDA1MmJjNGRiY2Y5MWRkMDI4NDU4NGY3MTljYjY1YmQ3MGE1OTUxZTU4YzQ4
-    M2I3Njk1Njk4YTIzMzY2ZjYxZDliNTI4YWRmMGExZDZlYmNjMjA2ZGU4Yzkw
-    NWZmMTBhOGQxN2Y5ZDU0ODkyNzYwOGI3ZjM0ZmI1ODVmZTcxOTA=
+    OGFmN2YzZjZmNjhkNjcyMTFlMzkxZTcyOGZlOGY0YmQ3NDcyZjkxOWIzYmUx
+    NWY4YWMyNTFkNTZlM2M4N2ZiOTFiZGMyMzBkYjg1MDlmNWY5YjJmYjNiNzBm
+    OWY1MTMxMDNiOTQ1MWFlM2VkNjY3ODY4ODNhMzM3ZjJhNGQzNWY=

data/.travis.yml

@@ -1,7 +1,10 @@
 language: ruby
 rvm:
-- 2.2.3
-before_install: gem install bundler -v 1.10.6
+  - 2.2.3
+before_install:
+  - gem install bundler -v 1.10.6
+  - sudo apt-get update -qq
+  - sudo apt-get install -y libccid libpcsclite-dev pcscd pcsc-tools
 deploy:
   provider: rubygems
   api_key:

data/README.md

@@ -1,6 +1,7 @@
 # Aws::Session::Credentials
 
 [![Build Status](https://travis-ci.org/zl4bv/aws-session-credentials.svg)](https://travis-ci.org/zl4bv/aws-session-credentials)
+[![Gem Version](https://badge.fury.io/rb/aws-session-credentials.svg)](https://badge.fury.io/rb/aws-session-credentials)
 
 Command-line tool to generate AWS session credentials.
 
@@ -26,6 +27,8 @@ Or install it yourself as:
 
 ## Usage
 
+### Generating new session credentials
+
 Example:
 
 ```
@@ -41,35 +44,58 @@ Usage:
   aws-session
 
 Options:
-  [--access-key-id=ACCESS-KEY-ID]          # Access key used to generate session token
-  [--secret-access-key=SECRET-ACCESS-KEY]  # Secret key used to generate session token
-  [--region=REGION]                        # AWS region to connect to
-  [--config-file=CONFIG-FILE]              # YAML file to load config from
-                                           # Default: ~/.aws/credentials.yml
-  [--credential-file=CREDENTIAL-FILE]      # INI file to save session credentials to
-                                           # Default: ~/.aws/credentials
-  [--profile=PROFILE]                      # Profile that session token will be loaded into
-                                           # Default: default
-  [--duration=N]                           # Duration, in seconds, that credentials should remain valid
-                                           # Default: 1
-  [--mfa-device=MFA-DEVICE]                # ARN of MFA device
-  [--mfa-code=MFA-CODE]                    # Six digit code from MFA device
-```
+Usage:
+  aws-session new
 
-### Config File
+Options:
+  [--aws-access-key-id=AWS-ACCESS-KEY-ID]          # Access key used to generate session token
+  [--aws-secret-access-key=AWS-SECRET-ACCESS-KEY]  # Secret key used to generate session token
+  [--aws-region=AWS-REGION]                        # AWS region to connect to
+  [--config-file=CONFIG-FILE]                      # YAML file to load config from
+                                                   # Default: ~/.aws/aws-session-config.yml
+  [--source-profile=SOURCE-PROFILE]                # Profile in config file that user credentials will be loaded from
+                                                   # Default: default
+  [--profile=PROFILE]                              # Profile that session token will be loaded into
+                                                   # Default: default
+  [--duration=N]                                   # Duration, in seconds, that credentials should remain valid
+  [--mfa-device=MFA-DEVICE]                        # ARN of MFA device
+  [--mfa-code=MFA-CODE]                            # Six digit code from MFA device
+  [--yubikey-name=YUBIKEY-NAME]                    # Name of yubikey device
+                                                   # Default: Yubikey
+  [--oath-credential=OATH-CREDENTIAL]              # Name of OATH credential
+```
 
-By default this is located at `~/.aws/credentials.yml`.
+### Assuming a role
 
 Example:
 
-```yaml
----
-aws_access_key_id: AKIAIOSFODNN7EXAMPLE
-aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-region: ap-southeast-2
-duration: 86400
-mfa_device: arn:aws:iam::000000000000:mfa/user.name@example.com
 ```
+$ aws-session assume-role --role-arn=ROLE_ARN --role-session-name=ROLE_SESSION_NAME
+```
+
+### Source profiles
+
+Instead of specifying all of the options via the command line each time you
+want to generate new session credentials, you can store the options in a
+*source profile*.
+
+```
+$ aws-session configure
+Source profile (leave blank for "default"):
+AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
+AWS Secret Access Key:
+AWS region: ap-southeast-2
+Session duration (in seconds): 86400
+
+Configure MFA? y
+MFA device ARN: arn:aws:iam::000000000000:mfa/user.name@example.com
+
+Configure Yubikey? y
+OATH credential name: user.name@example.com@accountalias
+```
+
+See `aws-session --help configure` for more info. By default, the configuration
+is stored in `~/.aws/aws-session-config.yml`.
 
 ## Contributing
 

data/aws-session-credentials.gemspec

@@ -24,7 +24,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'rspec-its'
 
+  spec.add_runtime_dependency 'activesupport'
   spec.add_runtime_dependency 'aws-sdk', '~> 2.1'
   spec.add_runtime_dependency 'inifile', '~> 3.0'
+  spec.add_runtime_dependency 'smartcard'
   spec.add_runtime_dependency 'thor', '~> 0.19'
+  spec.add_runtime_dependency 'yubioath'
 end

data/lib/aws/session/credentials/cache.rb

@@ -0,0 +1,31 @@
+module Aws
+  module Session
+    module Credentials
+      # Holds session credentials
+      class Cache
+        include ProfileStorage
+        include FileProvider::YamlFileProvider
+
+        attr_reader :path
+
+        def initialize(options = {})
+          @path = File.expand_path(options[:path] || default_path)
+        end
+
+        def default_path
+          File.join(%w(~ .aws aws-session-cache.yml))
+        end
+
+        # @return [Hash<String,Hash>]
+        def profiles_hash
+          self[:profiles] || {}
+        end
+
+        # @param [Hash] hsh
+        def profiles_hash=(hsh)
+          self[:profiles] = hsh
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/cli.rb

@@ -6,26 +6,26 @@ module Aws
     module Credentials
       # Command line interface
       class Cli < Thor
-        method_option 'access-key-id',
+        method_option 'aws-access-key-id',
                       type: :string,
                       desc: 'Access key used to generate session token',
                       default: nil
-        method_option 'secret-access-key',
+        method_option 'aws-secret-access-key',
                       type: :string,
                       desc: 'Secret key used to generate session token',
                       default: nil
-        method_option 'region',
+        method_option 'aws-region',
                       type: :string,
                       desc: 'AWS region to connect to',
                       default: nil
         method_option 'config-file',
                       type: :string,
                       desc: 'YAML file to load config from',
-                      default: '~/.aws/credentials.yml'
-        method_option 'credential-file',
+                      default: '~/.aws/aws-session-config.yml'
+        method_option 'source-profile',
                       type: :string,
-                      desc: 'INI file to save session credentials to',
-                      default: '~/.aws/credentials'
+                      desc: 'Profile in config file that user credentials will be loaded from',
+                      default: 'default'
         method_option 'profile',
                       type: :string,
                       desc: 'Profile that session token will be loaded into',
@@ -33,7 +33,7 @@ module Aws
         method_option 'duration',
                       type: :numeric,
                       desc: 'Duration, in seconds, that credentials should remain valid',
-                      default: 1
+                      default: nil
         method_option 'mfa-device',
                       type: :string,
                       desc: 'ARN of MFA device',
@@ -42,21 +42,118 @@ module Aws
                       type: :string,
                       desc: 'Six digit code from MFA device',
                       default: nil
+        method_option 'yubikey-name',
+                      type: :string,
+                      desc: 'Name of yubikey device',
+                      default: 'Yubikey'
+        method_option 'oath-credential',
+                      type: :string,
+                      desc: 'Name of OATH credential',
+                      default: nil
         desc 'new', 'Generates new AWS session credentials'
         def new
-          config = Config.new(options['config-file'])
-          config.aws_access_key_id      ||= options['access-key-id']
-          config.aws_secret_access_key  ||= options['secret-access-key']
-          config.region                 ||= options['region']
-          config.credential_file        ||= options['credential-file']
-          config.profile                ||= options['profile']
-          config.duration               ||= options['duration']
-          config.mfa_device             ||= options['mfa-device']
-          config.mfa_code               ||= options['mfa-code']
+          cli_opts = options.transform_keys { |key| key.sub(/-/, '_') }
+          SessionManager.new.new_session(cli_opts)
+        end
+
+        method_option 'role_arn',
+                      type: :string,
+                      desc: 'The ARN of the role to assume',
+                      required: true
+        method_option 'role_session_name',
+                      type: :string,
+                      desc: 'An identifier for the assumed role session',
+                      required: true
+        method_option 'profile',
+                      type: :string,
+                      desc: 'Profile that session token will be loaded into',
+                      default: 'default'
+        method_option 'duration',
+                      type: :numeric,
+                      desc: 'Duration, in seconds, that credentials should remain valid',
+                      default: nil
+        method_option 'mfa-device',
+                      type: :string,
+                      desc: 'ARN of MFA device',
+                      default: nil
+        method_option 'mfa-code',
+                      type: :string,
+                      desc: 'Six digit code from MFA device',
+                      default: nil
+        method_option 'yubikey-name',
+                      type: :string,
+                      desc: 'Name of yubikey device',
+                      default: 'Yubikey'
+        method_option 'oath-credential',
+                      type: :string,
+                      desc: 'Name of OATH credential',
+                      default: nil
+        desc 'assume-role', 'Assumes a role'
+        def assume_role
+          cli_opts = options.transform_keys { |key| key.sub(/-/, '_') }
+          SessionManager.new.assume_role(cli_opts)
+        end
+
+        method_option 'aws-access-key-id',
+                      type: :string,
+                      desc: 'Access key used to generate session token',
+                      default: nil
+        method_option 'aws-secret-access-key',
+                      type: :string,
+                      desc: 'Secret key used to generate session token',
+                      default: nil
+        method_option 'aws-region',
+                      type: :string,
+                      desc: 'AWS region to connect to',
+                      default: nil
+        method_option 'config-file',
+                      type: :string,
+                      desc: 'YAML file to load config from',
+                      default: '~/.aws/aws-session-config.yml'
+        method_option 'source-profile',
+                      type: :string,
+                      desc: 'Profile in config file that user credentials will be loaded from',
+                      default: nil
+        method_option 'duration',
+                      type: :numeric,
+                      desc: 'Duration, in seconds, that credentials should remain valid',
+                      default: nil
+        method_option 'mfa-device',
+                      type: :string,
+                      desc: 'ARN of MFA device',
+                      default: nil
+        method_option 'yubikey-name',
+                      type: :string,
+                      desc: 'Name of yubikey device',
+                      default: 'Yubikey'
+        method_option 'oath-credential',
+                      type: :string,
+                      desc: 'Name of OATH credential',
+                      default: nil
+        desc 'configure', 'Configures a new source profile'
+        def configure
+          cli_opts = options.transform_keys { |key| key.sub(/-/, '_') }
+          cli_opts['source_profile'] ||= ask('Source profile (leave blank for "default"):')
+          cli_opts['aws_access_key_id'] ||= ask('AWS Access Key ID:')
+          cli_opts['aws_secret_access_key'] ||= ask('AWS Secret Access Key:', echo: false)
+          puts '' # BUG: No LF printed when echo is set to false
+          cli_opts['aws_region'] ||= ask('AWS region:')
+          cli_opts['duration'] ||= ask('Session duration (in seconds):')
+
+          puts ''
+          if yes?('Configure MFA?')
+            cli_opts['mfa_device'] ||= ask('MFA device ARN:')
+            puts ''
+            if yes?('Configure Yubikey?')
+              cli_opts['oath_credential'] ||= ask('OATH credential name:')
+            end
+          end
+
+          cli_opts['source_profile'] = 'default' if cli_opts['source_profile'].empty?
 
-          cf = CredentialFile.new(config.credential_file)
-          sb = SessionBuilder.new(config.to_h)
-          sb.update_credential_file(cf)
+          prof = Profile.new(cli_opts.except('config_file', 'source_profile'))
+          cf = Config.new(path: cli_opts['config_file'])
+          cf.set_profile(cli_opts[:source_profile], prof)
         end
 
         default_task :new

data/lib/aws/session/credentials/config.rb

@@ -3,91 +3,27 @@ module Aws
     module Credentials
       # Holds configuration
       class Config
-        def initialize(path, config = nil)
-          @path = File.expand_path(path) if path
-          @config = config || load_file
-        end
-
-        def [](key)
-          @config[key]
-        end
-
-        def []=(key, value)
-          @config[key] = value
-        end
-
-        def aws_access_key_id
-          self['aws_access_key_id']
-        end
-
-        def aws_access_key_id=(value)
-          self['aws_access_key_id'] = value
-        end
-
-        def aws_secret_access_key
-          self['aws_secret_access_key']
-        end
-
-        def aws_secret_access_key=(value)
-          self['aws_secret_access_key'] = value
-        end
-
-        def credential_file
-          self['credential_file']
-        end
-
-        def credential_file=(value)
-          self['credential_file'] = value
-        end
-
-        def duration
-          self['duration']
-        end
-
-        def duration=(value)
-          self['duration'] = value
-        end
-
-        # @api private
-        def load_file
-          return {} unless File.exist?(@path)
-          YAML.load(File.read(@path))
-        end
-
-        def mfa_code
-          self['mfa_code']
-        end
-
-        def mfa_code=(value)
-          self['mfa_code'] = value
-        end
-
-        def mfa_device
-          self['mfa_device']
-        end
-
-        def mfa_device=(value)
-          self['mfa_device'] = value
-        end
+        include ProfileStorage
+        include FileProvider::YamlFileProvider
 
-        def profile
-          self['profile']
-        end
+        attr_reader :path
 
-        def profile=(value)
-          self['profile'] = value
+        def initialize(options = {})
+          @path = File.expand_path(options[:path] || default_path)
         end
 
-        def region
-          self['region']
+        def default_path
+          File.join(%w(~ .aws aws-session-config.yml))
         end
 
-        def region=(value)
-          self['region'] = value
+        # @return [Hash<String,Hash>]
+        def profiles_hash
+          self[:profiles] || {}
         end
 
-        def to_h
-          @config
+        # @param [Hash] hsh
+        def profiles_hash=(hsh)
+          self[:profiles] = hsh
         end
       end
     end

data/lib/aws/session/credentials/credential_file.rb

@@ -1,39 +1,29 @@
 module Aws
   module Session
     module Credentials
-      # AWS credentials file. Usually located on disk at +~/.aws/credentials+.
+      # Holds credentials that are read by AWS SDKs
       class CredentialFile
-        # @param [String] path location of credentials file on disk
-        # @param [IniFile] ini_file
-        def initialize(path = '~/.aws/credentials', ini_file = nil)
-          @path = File.expand_path(path)
-          @ini_file = ini_file || init_ini_file
+        include FileProvider::IniFileProvider
+        include ProfileStorage
+
+        attr_reader :path
+
+        def initialize(options = {})
+          @path = File.expand_path(options[:path] || default_path)
+        end
+
+        def default_path
+          File.join(%w(~ .aws credentials))
         end
 
-        # @api private
-        def init_ini_file
-          if File.exist?(@path)
-            IniFile.load(@path)
-          else
-            path_dir = File.dirname(@path)
-            FileUtils.mkdir_p(path_dir) unless File.exist?(path_dir)
-            IniFile.new(filename: @path, encoding: 'UTF-8') 
-          end
+        # @return [Hash<String,Hash>]
+        def profiles_hash
+          read.to_h
         end
 
-        # Sets credentials for provided profile.
-        #
-        # Overrides provided options if they already exist for the provided
-        # profile. Does not override options if they are not provided. Set an
-        # option to +nil+ to explicitly unset an existing option.
-        # @param [String] profile name of profile to set credentials for
-        # @param [Hash] options settings to set
-        # @option options [String] :access_key_id Access key
-        # @option options [String] :secret_access_key Secret key
-        # @option options [String] :session_token Session token
-        def set_credentials(profile, options = {})
-          @ini_file[profile] = @ini_file[profile].merge(options)
-          @ini_file.write
+        # @param [Hash<String,Hash>] prfs
+        def profiles_hash=(hsh)
+          hsh.each { |key, value| self[key] = value }
         end
       end
     end

data/lib/aws/session/credentials/file_provider/ini_file_provider.rb

@@ -0,0 +1,30 @@
+module Aws
+  module Session
+    module Credentials
+      module FileProvider
+        # Mixin to store configuration in an INI file
+        module IniFileProvider
+          def [](key)
+            read[key.to_s]
+          end
+
+          def []=(key, value)
+            ini_file = read
+            ini_file[key.to_s] = value
+            ini_file.save
+          end
+
+          # @api private
+          # @return [IniFile]
+          def read
+            if File.exist?(path)
+              IniFile.load(path)
+            else
+              IniFile.new(filename: path, encoding: 'UTF-8')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/file_provider/yaml_file_provider.rb

@@ -0,0 +1,34 @@
+module Aws
+  module Session
+    module Credentials
+      module FileProvider
+        # Mixin to store configuration in a YAML file
+        module YamlFileProvider
+          def [](key)
+            read[key]
+          end
+
+          def []=(key, value)
+            hash = read.dup
+            hash[key] = value
+            write(hash)
+          end
+
+          # @api private
+          # @return [Hash]
+          def read
+            return {} unless File.exist?(path)
+            YAML.load(File.read(path)).deep_symbolize_keys
+          end
+
+          # @api private
+          # @param [Hash] hash
+          def write(hash)
+            hsh = hash.deep_stringify_keys
+            File.open(path, 'w') { |file| file.write(YAML.dump(hsh)) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/mfa_device/generic_mfa_device.rb

@@ -0,0 +1,19 @@
+module Aws
+  module Session
+    module Credentials
+      module MfaDevice
+        # Represents generic MFA device that generates codes. Class must be
+        # initialized with the code.
+        class GenericMfaDevice
+          attr_reader :code
+          attr_reader :device_arn
+
+          def initialize(options = {})
+            @code = options[:code]
+            @device_arn = options[:device_arn]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/mfa_device/yubikey_mfa_device.rb

@@ -0,0 +1,61 @@
+module Aws
+  module Session
+    module Credentials
+      module MfaDevice
+        # Gets MFA codes from a Yubikey using YubiOATH
+        class YubikeyMfaDevice
+          attr_reader :device_arn
+
+          def initialize(options = {})
+            @yubikey_name = options.fetch(:yubikey_name) { 'Yubikey' }
+            @oath_credential = options[:oath_credential]
+            @device_arn = options[:device_arn]
+          end
+
+          def code
+            card_names.each do |card_name|
+              card(card_name) do |crd|
+                oath = YubiOATH.new(crd)
+                codes = oath.calculate_all(timestamp: Time.now)
+                # Credential names are returned as ASCII-8BIT
+                codes.transform_keys! { |key| key.force_encoding('UTF-8') }
+                return codes[@oath_credential]
+              end
+            end
+            nil
+          end
+
+          private
+
+          # @param [String] name
+          # @yieldparam card [Smartcard::PCSC::Card]
+          def card(name)
+            context do |cxt|
+              begin
+                crd = cxt.card(name, :shared)
+                yield crd
+              ensure
+                crd.disconnect unless crd.nil?
+              end
+            end
+          end
+
+          # @return [Array<String>]
+          def card_names
+            context do |cxt|
+              cxt.readers.select { |name| name.include?(@yubikey_name) }
+            end
+          end
+
+          # @yieldparam context [Smartcard::PCSC::Context]
+          def context
+            context = Smartcard::PCSC::Context.new
+            yield context
+          ensure
+            context.release
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/profile.rb

@@ -0,0 +1,13 @@
+module Aws
+  module Session
+    module Credentials
+      class Profile < OpenStruct
+        def aws_credentials
+          Aws::Credentials.new(aws_access_key_id,
+                               aws_secret_access_key,
+                               aws_session_token)
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/profile_storage.rb

@@ -0,0 +1,41 @@
+module Aws
+  module Session
+    module Credentials
+      # Mixin to store profiles
+      module ProfileStorage
+        # @return [Hash<String,Profile>]
+        def profiles
+          prfs = {}
+          profiles_hash.each do |name, options|
+            prfs[name] = Profile.new(options)
+          end
+          prfs
+        end
+
+        # @param [Hash<String,Profile>] prfs
+        def profiles=(prfs)
+          hash = {}
+          prfs.each do |name, prof|
+            hash[name] = prof.to_h
+          end
+          self.profiles_hash = hash
+        end
+
+        # @param [String] name
+        # @return [Profile]
+        def profile(name)
+          profiles[name]
+        end
+
+        # @param [String] name
+        # @param [Profile] prof
+        def set_profile(name, prof)
+          profs = profiles.dup
+          profs[name] = prof
+          self.profiles = profs
+          prof
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/session_builder.rb

@@ -3,44 +3,55 @@ module Aws
     module Credentials
       # Builds AWS session
       class SessionBuilder
-        # @param [Hash] config configuration
-        # @param [Aws::STS::Client] client STS client
-        def initialize(config, client = nil)
-          @config = config
-          @client = client || init_client
+        # @param [Hash] options
+        def initialize(options)
+          @mfa_device = options[:mfa_device]
+          @session_duration_seconds = options[:session_duration_seconds]
+          @role_duration_seconds = options[:role_duration_seconds]
+          @role_arn = options[:role_arn]
+          @role_session_name = options[:role_session_name]
+          @source_profile = options[:source_profile]
+          @sts_client = options[:sts_client]
         end
 
-        # @api private
-        def init_client
-          Aws::STS::Client.new(
-            region: @config['region'],
-            access_key_id: @config['aws_access_key_id'],
-            secret_access_key: @config['aws_secret_access_key']
+        # @return [Profile]
+        def role_profile
+          resp = sts_client.assume_role(
+            role_arn: @role_arn,
+            role_session_name: @role_session_name,
+            duration_seconds: @role_duration_seconds,
+            serial_number: @mfa_device.device_arn,
+            token_code: @mfa_device.code
           )
+          return Profile.new(
+            aws_access_key_id: resp.credentials['access_key_id'],
+            aws_secret_access_key: resp.credentials['secret_access_key'],
+            aws_session_token: resp.credentials['session_token'],
+            aws_region: @source_profile.aws_region
+          ) if resp
         end
 
-        # Gets a set of session credentials
-        #
-        # @return [Aws::STS::Types::Credentials] credentials or +nil+
-        def session_credentials
-          resp = @client.get_session_token(
-            duration_seconds: @config['duration'],
-            serial_number: @config['mfa_device'],
-            token_code: @config['mfa_code']
+        # @return [Profile]
+        def session_profile
+          resp = sts_client.get_session_token(
+            duration_seconds: @session_duration_seconds,
+            serial_number: @mfa_device.device_arn,
+            token_code: @mfa_device.code
           )
-          return {
-            'aws_access_key_id' => resp.credentials['access_key_id'],
-            'aws_secret_access_key' => resp.credentials['secret_access_key'],
-            'aws_session_token' => resp.credentials['session_token']
-          } if resp
+          return Profile.new(
+            aws_access_key_id: resp.credentials['access_key_id'],
+            aws_secret_access_key: resp.credentials['secret_access_key'],
+            aws_session_token: resp.credentials['session_token'],
+            aws_region: @source_profile.aws_region
+          ) if resp
         end
 
-        # Gets a set of session credentials and updates them in a credential
-        # file.
-        #
-        # @param [String] path location of credential file
-        def update_credential_file(credential_file)
-          credential_file.set_credentials(@config['profile'], session_credentials)
+        # @api private
+        def sts_client
+          @client ||= Aws::STS::Client.new(
+            region: @source_profile.aws_region,
+            credentials: @source_profile.aws_credentials
+          )
         end
       end
     end

data/lib/aws/session/credentials/session_manager.rb

@@ -0,0 +1,90 @@
+module Aws
+  module Session
+    module Credentials
+      # Manages sessions
+      class SessionManager
+        # Assumes a role from provided options
+        # @param [Hash] options
+        # @option options [String] :profile
+        # @option options [String] :role_arn
+        # @option options [String] :duration
+        def assume_role(options)
+          options[:profile] = options[:profile].to_sym
+
+          session_prof = Cache.new.profile(options[:profile])
+          options = session_prof.to_h.deep_merge(options).deep_symbolize_keys
+
+          sb = SessionBuilder.new(
+            mfa_device: mfa_device(options),
+            role_duration_seconds: options[:duration],
+            role_arn: options[:role_arn],
+            role_session_name: options[:role_session_name],
+            source_profile: session_prof
+          )
+          role_profile = sb.role_profile
+
+          CredentialFile.new.set_profile(options[:profile], profile)
+        end
+
+        # Creates a new session from provided options
+        # @param [Hash] options
+        # @option options [String] :aws_access_key_id
+        # @option options [String] :aws_secret_access_key
+        # @option options [String] :aws_session_token
+        # @option options [String] :aws_region
+        # @option options [String] :source_profile
+        # @option options [String] :profile
+        # @option options [String] :duration
+        # @option options [String] :mfa_device
+        # @option options [String] :mfa_code
+        # @option options [String] :yubikey_name
+        # @option options [String] :oath_credential
+        # @option options [String] :config_file
+        def new_session(options)
+          options[:source_profile] = options[:source_profile].to_sym
+          options[:profile] = options[:profile].to_sym
+
+          user_prof = user_profile(options[:source_profile], options[:config_file])
+          options = user_prof.to_h.deep_merge(options).deep_symbolize_keys
+
+          sb = SessionBuilder.new(
+            mfa_device: mfa_device(options),
+            session_duration_seconds: options[:duration],
+            source_profile: user_prof
+          )
+          set_user_session_profile(options[:profile], sb.session_profile)
+        end
+
+        private
+
+        def mfa_device(options)
+          opts = {
+            device_arn: options[:mfa_device],
+            yubikey_name: options[:yubikey_name],
+            oath_credential: options[:oath_credential],
+            code: options[:mfa_code]
+          }
+          if options.key?(:oath_credential)
+            MfaDevice::YubikeyMfaDevice.new(opts)
+          else
+            MfaDevice::GenericMfaDevice.new(opts)
+          end
+        end
+
+        def set_user_session_profile(name, profile)
+          [Cache.new, CredentialFile.new].each do |profile_store|
+            profile_store.set_profile(name, profile)
+          end
+        end
+
+        def user_profile(name, path)
+          Config.new(path: path).profile(name)
+        end
+
+        def user_session_profile(name)
+          Cache.new.profile(name)
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/version.rb

@@ -1,7 +1,7 @@
 module Aws
   module Session
     module Credentials
-      VERSION = '0.1.1'
+      VERSION = '1.0.0.pre.1'
     end
   end
 end

data/lib/aws/session/credentials.rb

@@ -1,10 +1,25 @@
+require 'active_support'
+require 'active_support/core_ext/hash'
 require 'aws-sdk'
 require 'fileutils'
 require 'inifile'
+require 'ostruct'
+require 'smartcard'
 require 'yaml'
+require 'yubioath'
 
+require 'aws/session/credentials/file_provider/ini_file_provider'
+require 'aws/session/credentials/file_provider/yaml_file_provider'
+require 'aws/session/credentials/mfa_device/generic_mfa_device'
+require 'aws/session/credentials/mfa_device/yubikey_mfa_device'
+
+require 'aws/session/credentials/profile_storage'
+
+require 'aws/session/credentials/cache'
 require 'aws/session/credentials/config'
 require 'aws/session/credentials/credential_file'
+require 'aws/session/credentials/profile'
 require 'aws/session/credentials/session_builder'
+require 'aws/session/credentials/session_manager'
 
 require 'aws/session/credentials/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-session-credentials
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 1.0.0.pre.1
 platform: ruby
 authors:
 - Ben Vidulich
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-10-30 00:00:00.000000000 Z
+date: 2015-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -66,6 +66,20 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-sdk
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: smartcard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +136,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: yubioath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Command-line tool to generate AWS session credentials.
 email:
 - ben@vidulich.co.nz
@@ -129,10 +171,18 @@ files:
 - bin/setup
 - exe/aws-session
 - lib/aws/session/credentials.rb
+- lib/aws/session/credentials/cache.rb
 - lib/aws/session/credentials/cli.rb
 - lib/aws/session/credentials/config.rb
 - lib/aws/session/credentials/credential_file.rb
+- lib/aws/session/credentials/file_provider/ini_file_provider.rb
+- lib/aws/session/credentials/file_provider/yaml_file_provider.rb
+- lib/aws/session/credentials/mfa_device/generic_mfa_device.rb
+- lib/aws/session/credentials/mfa_device/yubikey_mfa_device.rb
+- lib/aws/session/credentials/profile.rb
+- lib/aws/session/credentials/profile_storage.rb
 - lib/aws/session/credentials/session_builder.rb
+- lib/aws/session/credentials/session_manager.rb
 - lib/aws/session/credentials/version.rb
 homepage: https://github.com/zl4bv/aws-session-credentials
 licenses:
@@ -149,9 +199,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.5