aws_assume_role 0.0.3 → 0.1.0

data/lib/aws_assume_role/credentials/factories.rb

@@ -0,0 +1,9 @@
+require_relative "factories/repository"
+require_relative "factories/abstract_factory"
+require_relative "factories/default_chain_provider"
+require_relative "factories/assume_role"
+require_relative "factories/environment"
+require_relative "factories/instance_profile"
+require_relative "factories/shared_keyring"
+require_relative "factories/shared"
+require_relative "factories/static"

data/lib/aws_assume_role/credentials/factories/abstract_factory.rb

@@ -0,0 +1,31 @@
+require_relative "includes"
+require_relative "repository"
+require_relative "../../profile_configuration"
+
+class AwsAssumeRole::Credentials::Factories::AbstractFactory
+    include AwsAssumeRole
+    include AwsAssumeRole::Credentials::Factories
+    include AwsAssumeRole::Logging
+
+    Dry::Types.register_class(Aws::SharedCredentials)
+    attr_reader :credentials, :region, :profile, :role_arn
+
+    def initialize(_options)
+        raise "Not implemented"
+    end
+
+    def self.type(str)
+        @type = Types::Strict::Symbol.enum(:credential_provider, :second_factor_provider, :role_assumption_provider)[str]
+        register_if_complete
+    end
+
+    def self.priority(i)
+        @priority = Types::Strict::Int[i]
+        register_if_complete
+    end
+
+    def self.register_if_complete
+        return unless @type && @priority
+        Repository.register_factory(self, @type, @priority)
+    end
+end

data/lib/aws_assume_role/credentials/factories/assume_role.rb

@@ -0,0 +1,38 @@
+require_relative "abstract_factory"
+require_relative "../providers/assume_role_credentials"
+require_relative "../providers/mfa_session_credentials"
+
+class AwsAssumeRole::Credentials::Factories::AssumeRole < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    include AwsAssumeRole::Credentials::Factories
+    type :role_assumption_provider
+    priority 30
+
+    def initialize(options)
+        if options[:profile]
+            try_with_profile(options)
+        else
+            if options[:use_mfa]
+                options[:credentials] = AwsAssumeRole::Credentials::Providers::MfaSessionCredentials.new(options).credentials
+            end
+            @credentials = AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials.new(options)
+        end
+    end
+
+    def try_with_profile(options)
+        if AwsAssumeRole.shared_config.config_enabled?
+            @profile = options[:profile]
+            @region = options[:region]
+            @credentials = assume_role_with_profile(options[:profle], options[:region])
+        end
+        @credentials = assume_role_with_profile(@profile, @region)
+        @region ||= AwsAssumeRole.shared_config.profile_region(@profiles)
+        @role_arn ||= AwsAssumeRole.shared_config.profile_role(@profile)
+    end
+
+    def assume_role_with_profile(prof, region)
+        AwsAssumeRole.shared_config.assume_role_credentials_from_config(
+            profile: prof,
+            region: region,
+        )
+    end
+end

data/lib/aws_assume_role/credentials/factories/default_chain_provider.rb

@@ -0,0 +1,101 @@
+require_relative "includes"
+require_relative "../../logging"
+require_relative "../../profile_configuration"
+require_relative "abstract_factory"
+require_relative "environment"
+require_relative "repository"
+require_relative "instance_profile"
+require_relative "assume_role"
+require_relative "shared_keyring"
+require_relative "shared"
+require_relative "static"
+
+class AwsAssumeRole::Credentials::Factories::DefaultChainProvider
+    extend Dry::Initializer::Mixin
+    include AwsAssumeRole::Credentials::Factories
+
+    option :access_key_id, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :credentials, default: proc { nil }
+    option :secret_access_key, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :session_token, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :duration_seconds, Dry::Types["coercible.int"].optional, default: proc { nil }
+    option :external_id, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :persist_session, Dry::Types["strict.bool"], default: proc { true }
+    option :profile, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :profile_name, Dry::Types["strict.string"].optional, default: proc { @profile }
+    option :region, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :role_arn, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :role_session_name, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :serial_number, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :use_mfa, default: proc { false }
+    option :no_profile, default: proc { false }
+    option :source_profile, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :instance_profile_credentials_retries, Dry::Types["strict.int"], default: proc { 0 }
+    option :instance_profile_credentials_timeout, Dry::Types["coercible.float"], default: proc { 1 }
+
+    def initialize(*options)
+        if options[0].is_a? Seahorse::Client::Configuration::DefaultResolver
+            initialize_with_seahorse(options[0])
+        else
+            super(*options)
+        end
+        @profile_name ||= @profile
+        @original_profile = @profile
+    end
+
+    def resolve(nil_with_role_not_set: false, explicit_default_profile: false)
+        resolve_final_credentials(explicit_default_profile)
+        nil_creds = Aws::Credentials.new(nil, nil, nil)
+        return nil_creds if (nil_with_role_not_set &&
+                             @role_arn &&
+                             @credentials.credentials.session_token.nil?) || @credentials.nil?
+        @credentials
+    end
+
+    private
+
+    def resolve_final_credentials(explicit_default_profile = false)
+        resolve_credentials(:credential_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set? && !use_mfa && !role_arn
+        resolve_credentials(:second_factor_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set? && !role_arn
+        resolve_credentials(:role_assumption_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set?
+        Aws::Credentials.new(nil, nil, nil)
+    end
+
+    def initialize_with_seahorse(resolver)
+        keys = resolver.resolve
+        options = keys.map do |k|
+            [k, resolver.send(k)]
+        end
+        __initialize__(options.to_h)
+    end
+
+    def to_h
+        instance_values.delete("__options__").symbolize_keys.merge(
+            instance_profile_credentials_retries: instance_profile_credentials_retries,
+            instance_profile_credentials_timeout: instance_profile_credentials_timeout,
+        )
+    end
+
+    def resolve_credentials(type, break_if_successful = false, explicit_default_profile = false)
+        factories_to_try = Repository.factories[type]
+        factories_to_try.each do |x|
+            options = to_h
+            options[:credentials] = credentials if credentials && credentials.set?
+            factory = x.new(options)
+            @region ||= factory.region
+            @profile ||= factory.profile
+            @role_arn ||= factory.role_arn
+            next unless factory.credentials && factory.credentials.set?
+            next if explicit_default_profile && (@profile == "default") && (@profile != @original_profile)
+            @credentials ||= factory.credentials
+            break if break_if_successful
+        end
+    end
+end
+
+module AwsAssumeRole
+    DefaultProvider = AwsAssumeRole::Credentials::Factories::DefaultChainProvider
+end

data/lib/aws_assume_role/credentials/factories/environment.rb

@@ -0,0 +1,24 @@
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Environment < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 10
+
+    def initialize(_options, **)
+        key =    %w(AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY)
+        secret = %w(AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY)
+        token =  %w(AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN)
+        region = %w(AWS_DEFAULT_REGION)
+        profile = %w(AWS_PROFILE)
+        @credentials = Aws::Credentials.new(envar(key), envar(secret), envar(token))
+        @region = envar(region)
+        @profile = envar(profile)
+    end
+
+    def envar(keys)
+        keys.each do |key|
+            return ENV[key] if ENV.key?(key)
+        end
+        nil
+    end
+end

data/lib/aws_assume_role/credentials/factories/includes.rb

@@ -0,0 +1,17 @@
+require "dry-initializer"
+require "dry-types"
+require "aws-sdk"
+require_relative "../../logging"
+require_relative "../../vendored/aws"
+require_relative "../../../aws_assume_role"
+
+module AwsAssumeRole
+    module Credentials
+        module Factories
+            Types = Dry::Types.module
+            include AwsAssumeRole
+            include AwsAssumeRole::Logging
+            include AwsAssumeRole::Vendored::Aws
+        end
+    end
+end

data/lib/aws_assume_role/credentials/factories/instance_profile.rb

@@ -0,0 +1,17 @@
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::InstanceProfile < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :role_assumption_provider
+    priority 40
+
+    def initialize(options = {})
+        options[:retries] ||= options[:instance_profile_credentials_retries] || 0
+        options[:http_open_timeout] ||= options[:instance_profile_credentials_timeout] || 1
+        options[:http_read_timeout] ||= options[:instance_profile_credentials_timeout] || 1
+        @credentials = if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
+                           Aws::ECSCredentials.new(options)
+                       else
+                           Aws::InstanceProfileCredentials.new(options)
+                       end
+    end
+end

data/lib/aws_assume_role/credentials/factories/repository.rb

@@ -0,0 +1,35 @@
+require_relative "includes"
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Repository
+    include AwsAssumeRole::Credentials::Factories
+
+    SubFactoryRepositoryType = Types::Hash.schema(Types::Coercible::Int => Types::Strict::Array)
+
+    FactoryRepositoryType = Types::Hash.schema(
+        credential_provider: SubFactoryRepositoryType,
+        second_factor_provider: SubFactoryRepositoryType,
+        role_assumption_provider: SubFactoryRepositoryType,
+    )
+
+    def self.factories
+        repository.keys.map { |t| [t, flatten_factory_type_list(t)] }.to_h
+    end
+
+    def self.repository
+        @repository ||= FactoryRepositoryType[
+            credential_provider: {},
+            second_factor_provider: {},
+            role_assumption_provider: {},
+        ]
+    end
+
+    def self.register_factory(klass, type, priority)
+        repository[type][priority] ||= []
+        repository[type][priority] << klass
+    end
+
+    def self.flatten_factory_type_list(type)
+        repository[type].keys.sort.map { |x| @repository[type][x] }.flatten
+    end
+end

data/lib/aws_assume_role/credentials/factories/shared.rb

@@ -0,0 +1,15 @@
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Shared < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 20
+
+    def initialize(options = {})
+        @profile = options[:profile] || "default"
+        @credentials = AwsAssumeRole::Vendored::Aws::SharedCredentials.new(profile_name: @profile)
+        @region = AwsAssumeRole.shared_config.profile_region(@profile)
+        @role_arn = AwsAssumeRole.shared_config.profile_role(@profile)
+    rescue Aws::Errors::NoSuchProfileError
+        nil
+    end
+end

data/lib/aws_assume_role/credentials/factories/shared_keyring.rb

@@ -0,0 +1,16 @@
+require_relative "abstract_factory"
+require_relative "../providers/shared_keyring_credentials"
+
+class AwsAssumeRole::Credentials::Factories::SharedKeyring < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 19
+
+    def initialize(options = {})
+        @profile = options[:profile] || "default"
+        @credentials = AwsAssumeRole::Credentials::Providers::SharedKeyringCredentials.new(profile_name: @profile)
+        @region = AwsAssumeRole.shared_config.profile_region(@profile)
+        @role_arn = AwsAssumeRole.shared_config.profile_role(@profile)
+    rescue Aws::Errors::NoSuchProfileError
+        nil
+    end
+end

data/lib/aws_assume_role/credentials/factories/static.rb

@@ -0,0 +1,16 @@
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Static < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 0
+
+    def initialize(options = {})
+        @credentials = Aws::Credentials.new(
+            options[:access_key_id],
+            options[:secret_access_key],
+            options[:session_token],
+        )
+        @region = options[:region]
+        @profile = options[:profile]
+    end
+end

data/lib/aws_assume_role/credentials/providers/assume_role_credentials.rb

@@ -0,0 +1,58 @@
+require_relative "includes"
+require "set"
+
+class AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials
+    include AwsAssumeRole::Vendored::Aws::CredentialProvider
+    include AwsAssumeRole::Vendored::Aws::RefreshingCredentials
+
+    # @option options [required, String] :role_arn
+    # @option options [required, String] :role_session_name
+    # @option options [String] :policy
+    # @option options [Integer] :duration_seconds
+    # @option options [String] :external_id
+    # @option options [STS::Client] :client
+    #
+    #
+
+    STS_KEYS = [:role_arn, :role_session_name, :policy, :duration_seconds, :external_id, :client, :credentials, :region].freeze
+
+    def initialize(options = {})
+        client_opts = {}
+        @assume_role_params = {}
+        options.each_pair do |key, value|
+            if self.class.assume_role_options.include?(key)
+                @assume_role_params[key] = value
+            else
+                next unless STS_KEYS.include?(key)
+                client_opts[key] = value
+            end
+        end
+        @client = client_opts[:client] || ::Aws::STS::Client.new(client_opts)
+        super
+    end
+
+    # @return [STS::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+        c = @client.assume_role(@assume_role_params).credentials
+        @credentials = ::Aws::Credentials.new(
+            c.access_key_id,
+            c.secret_access_key,
+            c.session_token,
+        )
+        @expiration = c.expiration
+    end
+
+    class << self
+      # @api private
+      def assume_role_options
+          @aro ||= begin
+              input = ::Aws::STS::Client.api.operation(:assume_role).input
+              Set.new(input.shape.member_names)
+          end
+      end
+      end
+end

data/lib/aws_assume_role/credentials/providers/includes.rb

@@ -0,0 +1,9 @@
+require_relative "../../vendored/aws"
+require_relative "../../ui"
+require_relative "../../logging"
+module AwsAssumeRole
+    module Credentials
+        module Providers
+        end
+    end
+end

data/lib/aws_assume_role/credentials/providers/mfa_session_credentials.rb

@@ -0,0 +1,102 @@
+require_relative "includes"
+require_relative "../../types"
+
+class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials
+    include AwsAssumeRole::Vendored::Aws::CredentialProvider
+    include AwsAssumeRole::Vendored::Aws::RefreshingCredentials
+    include AwsAssumeRole::Ui
+    include AwsAssumeRole::Logging
+    include AwsAssumeRole
+    Types = Dry::Types.module
+    extend Dry::Initializer::Mixin
+
+    attr_reader :permanent_credentials
+
+    option :permanent_credentials, default: proc { credentials }
+    option :credentials
+    option :expiration, type: Types::Strict::Time, default: proc { Time.now }
+    option :first_time, type: Types::Strict::Bool, default: proc { true }
+    option :persist_session, type: Types::Strict::Bool, default: proc { true }
+    option :duration_seconds, type: Types::Coercible::Int, default: proc { 3600 }
+    option :region, type: AwsAssumeRole::Types::Region.optional, default: proc { AwsAssumeRole.Config.region }
+    option :serial_number, type: AwsAssumeRole::Types::MfaSerial.optional, default: proc { "automatic" }
+
+    def initialize(*options)
+        super(*options)
+        @permanent_credentials ||= credentials
+        @credentials = nil
+        @serial_number = resolve_serial_number(serial_number)
+        AwsAssumeRole::Vendored::Aws::RefreshingCredentials.instance_method(:initialize).bind(self).call(*options)
+    end
+
+    private
+
+    def keyring_username
+        @keyring_username ||= "#{@identity.to_json}|#{@serial_number}"
+    end
+
+    def sts_client
+        @sts_client ||= Aws::STS::Client.new(region: @region, credentials: @permanent_credentials)
+    end
+
+    def prompt_for_token(first_time)
+        text = first_time ? t("options.mfa_token.first_time") : t("options.mfa_token.other_times")
+        Ui.input.ask text
+    end
+
+    def initialized
+        @first_time = false
+    end
+
+    def refresh
+        return set_credentials_from_keyring if @persist_session && @first_time
+        refresh_using_mfa if near_expiration?
+        broadcast(:mfa_completed)
+    end
+
+    def refresh_using_mfa
+        token_code = prompt_for_token(@first_time)
+        token = sts_client.get_session_token(
+            duration_seconds: @duration_seconds,
+            serial_number: @serial_number,
+            token_code: token_code,
+        )
+        initialized
+        instance_credentials token.credentials
+        persist_credentials if @persist_session
+    end
+
+    def credentials_from_keyring
+        @credentials_from_keyring ||= AwsAssumeRole::Store::Keyring.fetch @keyring_username
+    rescue Aws::Errors::NoSuchProfileError
+        logger.debug "Key not found"
+        @credentials_from_keyring = nil
+    end
+
+    def persist_credentials
+        AwsAssumeRole::Store::Keyring.save_credentials @keyring_username, @credentials, expiration: @expiration
+    end
+
+    def instance_credentials(credentials)
+        return unless credentials
+        @credentials = AwsAssumeRole::Store::Serialization.credentials_from_hash(credentials)
+        @expiration = credentials.respond_to?(:expiration) ? credentials.expiration : Time.parse(credentials[:expiration])
+    end
+
+    def set_credentials_from_keyring
+        instance_credentials credentials_from_keyring
+        initialized
+        refresh_using_mfa unless @credentials && !near_expiration?
+    end
+
+    def identity
+        @identity ||= sts_client.get_caller_identity
+    end
+
+    def resolve_serial_number(serial_number)
+        return serial_number unless serial_number.nil? || serial_number == "automatic"
+        user_name = identity.arn.split("/")[1]
+        "arn:aws:iam::#{identity.account}:mfa/#{user_name}"
+    end
+    Dry::Types.register_class(self)
+end