aws_assume_role 0.0.3 → 0.1.0

data/lib/aws_assume_role/credentials/providers/shared_keyring_credentials.rb

@@ -0,0 +1,22 @@
+require_relative "includes"
+require_relative "../../types"
+
+class AwsAssumeRole::Credentials::Providers::SharedKeyringCredentials < ::Aws::SharedCredentials
+    def initialize(options = {})
+        shared_config = AwsAssumeRole.shared_config
+        @path = options[:path]
+        @path ||= shared_config.credentials_path
+        @profile_name = options[:profile_name]
+        @profile_name ||= ENV["AWS_PROFILE"]
+        @profile_name ||= shared_config.profile_name
+        if @path && @path == shared_config.credentials_path
+            @credentials = shared_config.credentials(profile: @profile_name)
+        else
+            config = AwsAssumeRole::Store::SharedConfig.new(
+                credentials_path: @path,
+                profile_name: @profile_name,
+            )
+            @credentials = config.credentials(profile: @profile_name)
+        end
+    end
+end

data/lib/aws_assume_role/includes.rb

@@ -0,0 +1,30 @@
+require "i18n"
+require "keyring"
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/object/json"
+require "aws-sdk"
+require "aws-sdk-core/ini_parser"
+require "dry-configurable"
+require "dry-initializer"
+require "dry-validation"
+require "dry-types"
+require "English"
+require "gli"
+require "highline"
+require "inifile"
+require "json"
+require "logger"
+require "pastel"
+require "thread"
+require "time"
+
+module AwsAssumeRole
+    module_function
+
+    def shared_config
+        enabled = ENV["AWS_SDK_CONFIG_OPT_OUT"] ? false : true
+        @shared_config ||= SharedConfigWithKeyring.new(config_enabled: enabled)
+    end
+end

data/lib/aws_assume_role/logging.rb

@@ -1,36 +1,24 @@
-# Mixin to provide global logging object
-module AWSAssumeRole
-
-    module Logging
-
-        require 'logger'
-
-        class << self
-
-            def logger
-                @logger ||= Logger.new($stderr)
-            end
-
-            attr_writer :logger
-
-        end
-
-        def self.included(base)
-
-            class << base
-
-                def logger # rubocop:disable Lint/NestedMethodDefinition
-                    Logging.logger
-                end
-
+require_relative "includes"
+require_relative "configuration"
+module AwsAssumeRole::Logging
+    module ClassMethods
+        def logger
+            @logger ||= begin
+                logger = Logger.new($stderr)
+                logger.level = AwsAssumeRole::Config.log_level
+                logger
             end
-
         end
+    end
 
+    module InstanceMethods
         def logger
-            Logging.logger
+            self.class.logger
         end
-
     end
 
+    def self.included(base)
+        base.extend ClassMethods
+        base.include InstanceMethods
+    end
 end

data/lib/aws_assume_role/profile_configuration.rb

@@ -0,0 +1,71 @@
+require_relative "includes"
+require_relative "logging"
+
+class AwsAssumeRole::ProfileConfiguration
+    extend Dry::Initializer
+    include AwsAssumeRole::Logging
+    option :access_key_id, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :credentials, default: proc { nil }
+    option :secret_access_key, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :session_token, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :duration_seconds, Dry::Types["coercible.int"].optional, default: proc { nil }
+    option :external_id, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :persist_session, Dry::Types["strict.bool"], default: proc { true }
+    option :profile, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :region, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :role_arn, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :role_session_name, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :serial_number, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :mfa_serial, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :use_mfa, default: proc { false }
+    option :no_profile, default: proc { false }
+    option :shell_type, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :source_profile, Dry::Types["strict.string"].optional, default: proc { nil }
+    option :args, default: proc { [] }
+    option :instance_profile_credentials_retries, Dry::Types["strict.int"], default: proc { 0 }
+    option :instance_profile_credentials_timeout, Dry::Types["coercible.float"], default: proc { 1 }
+
+    attr_writer :credentials
+
+    def self.merge_mfa_variable(options)
+        new_hash = options.key?(:mfa_serial) ? options.merge(serial_number: options[:mfa_serial]) : options
+        new_hash[:use_mfa] ||= new_hash.fetch(:serial_number, nil) ? true : false
+        if new_hash.key?(:serial_number) && new_hash[:serial_number] == "automatic"
+            new_hash.delete(:serial_number)
+        end
+        new_hash
+    end
+
+    def self.new_from_cli(global_options, options, args)
+        options = global_options.merge options
+        options = options.map do |k, v|
+            [k.to_s.underscore.to_sym, v]
+        end.to_h
+        options[:args] = args
+        new merge_mfa_variable(options)
+    end
+
+    def self.new_from_credential_provider_initialization(options)
+        logger.debug "new_from_credential_provider_initialization with #{options.to_h}"
+        new_from_credential_provider(options, credentials: nil, delete: [])
+    end
+
+    def self.new_from_credential_provider(options = {}, credentials: nil, delete: [])
+        option_hash = options.to_h
+        config = option_hash.fetch(:config, {}).to_h
+        hash_to_merge = option_hash.merge config
+        hash_to_merge.merge(credentials: credentials) if credentials
+        delete.each do |k|
+            hash_to_merge.delete k
+        end
+        hash = merge_mfa_variable(hash_to_merge)
+        logger.debug "new_from_credential_provider with #{hash}"
+        new hash
+    end
+
+    def to_h
+        instance_values.delete("__options__").symbolize_keys
+    end
+
+    Dry::Types.register_class(self)
+end

data/lib/aws_assume_role/runner.rb

@@ -0,0 +1,39 @@
+require_relative "includes"
+require_relative "logging"
+
+class AwsAssumeRole::Runner
+    include AwsAssumeRole::Logging
+    extend Dry::Initializer
+
+    param :command, Dry::Types["coercible.array"].member(Dry::Types["strict.string"])
+    option :exit_on_error, Dry::Types["strict.bool"], default: proc { true }
+    option :expected_exit_code, Dry::Types["strict.int"], default: proc { 0 }
+    option :environment, Dry::Types["strict.hash"], default: proc { {} }
+    option :credentials, optional: true
+
+    def initialize(params, options = {})
+        super(params, options)
+        command_to_exec = command.join(" ")
+        process_credentials unless credentials.blank?
+        system environment, command_to_exec
+        exit_status = $CHILD_STATUS.exitstatus
+        process_error(exit_status) if exit_status != expected_exit_code
+    end
+
+    private
+
+    def process_credentials
+        cred_env = {
+            "AWS_ACCESS_KEY_ID" => credentials.credentials.access_key_id,
+            "AWS_SECRET_ACCESS_KEY" => credentials.credentials.secret_access_key,
+            "AWS_SESSION_TOKEN" => credentials.credentials.session_token,
+        }
+        @environment = environment.merge cred_env
+    end
+
+    def process_error(exit_status)
+        logger.error "#{command} failed with #{exit_status}"
+        exit exit_status if exit_on_error
+        raise "#{command} failed with #{exit_status}"
+    end
+end

data/lib/aws_assume_role/store/includes.rb

@@ -0,0 +1,16 @@
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/hash/slice"
+require "active_support/json"
+require "aws-sdk"
+require "aws-sdk-core/ini_parser"
+require "inifile"
+require "json"
+require "keyring"
+require "time"
+require "securerandom"
+
+module AwsAssumeRole
+    module Store
+    end
+end

data/lib/aws_assume_role/store/keyring.rb

@@ -0,0 +1,59 @@
+require_relative "includes"
+require_relative "serialization"
+require_relative "../configuration"
+require_relative "../logging"
+
+module AwsAssumeRole::Store::Keyring
+    include AwsAssumeRole
+    include AwsAssumeRole::Store
+    include AwsAssumeRole::Logging
+
+    module_function
+
+    KEYRING_KEY = "AwsAssumeRole".freeze
+
+    def semaphore
+        @semaphore ||= Mutex.new
+    end
+
+    def keyrings
+        @keyrings ||= {}
+    end
+
+    def try_backend_plugin
+        return if AwsAssumeRole::Config.backend_plugin.blank?
+        logger.info "Attempting to load #{AwsAssumeRole::Config.backend_plugin} plugin"
+        require AwsAssumeRole::Config.backend_plugin
+    end
+
+    def keyring(backend = AwsAssumeRole::Config.backend)
+        keyrings[backend] ||= begin
+            try_backend_plugin
+            klass = backend ? "Keyring::Backend::#{backend}".constantize : nil
+            logger.debug "Initializing #{klass} backend"
+            ::Keyring.new(klass)
+        end
+    end
+
+    def fetch(id, backend: nil)
+        logger.debug "Fetching #{id} from keyring"
+        fetched = keyring(backend).get_password(KEYRING_KEY, id)
+        return nil if fetched == "null" || fetched.nil?
+        raise Aws::Errors::NoSuchProfileError unless fetched
+        JSON.parse(fetched, symbolize_names: true)
+    end
+
+    def delete_credentials(id, backend: nil)
+        semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
+        end
+    end
+
+    def save_credentials(id, credentials, expiration: nil, backend: nil)
+        credentials_to_persist = Serialization.credentials_to_hash(credentials)
+        credentials_to_persist[:expiration] = expiration if expiration
+        semaphore.synchronize do
+            keyring(backend).set_password(KEYRING_KEY, id, credentials_to_persist.to_json)
+        end
+    end
+end

data/lib/aws_assume_role/store/serialization.rb

@@ -0,0 +1,18 @@
+module AwsAssumeRole::Store::Serialization
+    module_function
+
+    def credentials_from_hash(credentials)
+        creds_for_deserialization = credentials.respond_to?("[]") ? credentials : credentials_to_hash(credentials)
+        Aws::Credentials.new(creds_for_deserialization[:access_key_id],
+                             creds_for_deserialization[:secret_access_key],
+                             creds_for_deserialization[:session_token])
+    end
+
+    def credentials_to_hash(credentials)
+        {
+            access_key_id: credentials.access_key_id,
+            secret_access_key: credentials.secret_access_key,
+            session_token: credentials.session_token,
+        }
+    end
+end

data/lib/aws_assume_role/store/shared_config_with_keyring.rb

@@ -0,0 +1,175 @@
+require_relative "includes"
+require_relative "../logging"
+require_relative "keyring"
+require_relative "../profile_configuration"
+require_relative "../credentials/providers/mfa_session_credentials"
+
+class AwsAssumeRole::Store::SharedConfigWithKeyring < AwsAssumeRole::Vendored::Aws::SharedConfig
+    include AwsAssumeRole::Store
+    include AwsAssumeRole::Logging
+
+    attr_reader :parsed_config
+
+    def initialize(options = {})
+        super(options)
+        @config_enabled = true
+        @config_path = determine_config_path
+        load_config_file
+    end
+
+    def credentials(opts = {})
+        p = opts[:profile] || @profile_name
+        validate_profile_exists(p) if credentials_present?
+        credentials_from_keyring(p, opts) || credentials_from_shared(p, opts) || credentials_from_config(p, opts)
+    end
+
+    def save_profile(profile_name, hash)
+        ckey = "profile #{profile_name}"
+        merged_config = configuration[ckey].deep_symbolize_keys.merge hash.to_h
+        merged_config[:mfa_serial] = merged_config[:serial_number] if merged_config[:serial_number]
+        credentials = Aws::Credentials.new(merged_config.delete(:aws_access_key_id),
+                                           merged_config.delete(:aws_secret_access_key))
+        semaphore.synchronize do
+            Keyring.save_credentials profile_name, credentials if credentials.set?
+            merged_config = merged_config.slice :region, :role_arn, :mfa_serial, :source_profile,
+                                                :role_session_name, :external_id, :duration_seconds
+            configuration.delete_section ckey
+            configuration[ckey] = merged_config.compact
+            save_configuration
+        end
+    end
+
+    def profiles
+        configuration.sections.map { |c| c.gsub("profile ", "") }
+    end
+
+    def delete_profile(profile_name)
+        # Keyring does not return errors for non-existent things, so always attempt.
+        Keyring.delete_credentials(profile_name)
+        semaphore.synchronize do
+            raise KeyError if configuration["profile #{profile_name}"].blank?
+            configuration.delete_section("profile #{profile_name}")
+            save_configuration
+        end
+    end
+
+    def migrate_profile(profile_name)
+        validate_profile_exists(profile_name)
+        save_profile(profile_name, configuration["profile #{profile_name}"])
+    end
+
+    def profile_region(profile_name)
+        prof_cfg = @parsed_config[profile_key(profile_name)]
+        resolve_region(@parsed_config, prof_cfg)
+    end
+
+    def profile_role(profile_name)
+        prof_cfg = @parsed_config[profile_key(profile_name)]
+        resolve_arn(@parsed_config, prof_cfg)
+    end
+
+    def determine_profile(options)
+        ret = options[:profile_name]
+        ret ||= ENV["AWS_PROFILE"]
+        ret ||= "default"
+        ret
+    end
+
+    private
+
+    def profile_key(profile)
+        logger.debug "About to lookup #{profile}"
+        if profile == "default" || profile.nil? || profile == ""
+            "default"
+        else
+            profile
+        end
+    end
+
+    def resolve_region(cfg, prof_cfg)
+        return unless prof_cfg && cfg
+        return prof_cfg["region"] if prof_cfg.key? "region"
+        source_cfg = cfg[prof_cfg["source_profile"]]
+        cfg[prof_cfg["source_profile"]]["region"] if source_cfg && source_cfg.key?("region")
+    end
+
+    def resolve_arn(cfg, prof_cfg)
+        return unless prof_cfg && cfg
+        return prof_cfg["role_arn"] if prof_cfg.key? "role_arn"
+        source_cfg = cfg[prof_cfg["source_profile"]]
+        cfg[prof_cfg["source_profile"]]["role_arn"] if source_cfg && source_cfg.key?("role_arn")
+    end
+
+    def assume_role_from_profile(cfg, profile, opts)
+        prof_cfg = cfg[profile]
+        return unless cfg && prof_cfg
+        opts[:source_profile] ||= prof_cfg["source_profile"]
+        if opts[:source_profile]
+            opts[:credentials] = credentials(profile: opts[:source_profile])
+            if opts[:credentials]
+                opts[:role_session_name] ||= prof_cfg["role_session_name"]
+                opts[:role_session_name] ||= "default_session"
+                opts[:role_arn] ||= prof_cfg["role_arn"]
+                opts[:external_id] ||= prof_cfg["external_id"]
+                opts[:serial_number] ||= prof_cfg["mfa_serial"]
+                opts[:region] ||= profile_region(profile)
+                if opts[:serial_number]
+                    mfa_opts = { credentials: opts[:credentials], region: opts[:region], serial_number: opts[:serial_number] }
+                    mfa_creds = mfa_session(cfg, opts[:source_profile], mfa_opts)
+                    opts.delete :serial_number
+                end
+                opts[:credentials] = mfa_creds if mfa_creds
+                opts[:profile] = opts.delete(:source_profile)
+                AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials.new(opts)
+            else
+                raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, and source_profile, but the"\
+                      " source_profile does not have credentials."
+            end
+        elsif prof_cfg["role_arn"]
+            raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, but no source_profile."
+        end
+    end
+
+    def mfa_session(cfg, profile, opts)
+        prof_cfg = cfg[profile]
+        return unless cfg && prof_cfg
+        opts[:serial_number] ||= prof_cfg["mfa_serial"]
+        opts[:source_profile] ||= prof_cfg["source_profile"]
+        opts[:region] ||= profile_region(profile)
+        return unless opts[:serial_number]
+        opts[:credentials] ||= credentials(profile: opts[:profile])
+        AwsAssumeRole::Credentials::Providers::MfaSessionCredentials.new(opts)
+    end
+
+    def credentials_from_keyring(profile, _options)
+        return unless @parsed_config && @parsed_config[profile_key(profile)]
+        logger.debug "Attempt to fetch #{profile} from keyring"
+        creds = Serialization.credentials_from_hash Keyring.fetch(profile)
+        creds if credentials_complete(creds)
+    end
+
+    def semaphore
+        @semaphore ||= Mutex.new
+    end
+
+    def configuration
+        @configuration ||= IniFile.new(filename: determine_config_path, default: "default")
+    end
+
+    # Please run in a mutex
+    def save_configuration
+        bytes_required = File.size(determine_config_path)
+        random_bytes = SecureRandom.random_bytes(bytes_required)
+        File.write(determine_config_path, random_bytes)
+        configuration.save
+    end
+end
+
+module AwsAssumeRole
+    module_function
+
+    def shared_config
+        enabled = ENV["AWS_SDK_CONFIG_OPT_OUT"] ? false : true
+        @assuome_role_shared_config ||= ::AwsAssumeRole::Store::SharedConfigWithKeyring.new(config_enabled: enabled)
+    end
+end