aws_assume_role 0.0.3 → 0.1.0

data/lib/aws_assume_role/types.rb

@@ -0,0 +1,30 @@
+require "dry-types"
+
+module AwsAssumeRole
+    module Types
+        Dry = Dry::Types.module
+
+        ::Dry::Types.register_class(::Aws::Credentials)
+        AwsAssumeRole::Types::Credentials = ::Dry::Types["aws.credentials"]
+
+        ACCESS_KEY_REGEX = /[\w]+/
+        ACCESS_KEY_VALIDATOR = proc { filled? & str? & format?(ACCESS_KEY_REGEX) & min_size?(16) & max_size?(32) }
+        ARN_REGEX = %r{arn:[\w+=\/,.@-]+:[\w+=\/,.@-]+:[\w+=\/,.@-]*:[0-9]+:[\w+=,.@-]+(\/[\w+=\/,.@-]+)*}
+        EXTERNAL_ID_REGEX = %r{[\w+=,.@:\/-]*}
+        MFA_REGEX = %r{arn:aws:iam::[0-9]+:mfa\/([\w+=,.@-]+)*|automatic}
+        REGION_REGEX = /^(us|eu|ap|sa|ca)\-\w+\-\d+$|^cn\-\w+\-\d+$|^us\-gov\-\w+\-\d+$/
+        REGION_VALIDATOR = proc { filled? & str? & format?(REGION_REGEX) }
+        ROLE_REGEX = %r{arn:aws:iam::[0-9]+:role\/([\w+=,.@-]+)*}
+        ROLE_SESSION_NAME_REGEX = /[\w+=,.@-]*/
+        SECRET_ACCESS_KEY_REGEX = //
+        SECRET_ACCESS_KEY_VALIDATOR = proc { filled? & str? & format?(SECRET_ACCESS_KEY_REGEX) }
+
+        AwsAssumeRole::Types::Region = Dry::Strict::String.constrained(
+            format: REGION_REGEX,
+        )
+
+        AwsAssumeRole::Types::MfaSerial = Dry::Strict::String.constrained(
+            format: MFA_REGEX,
+        )
+    end
+end

data/lib/aws_assume_role/ui.rb

@@ -0,0 +1,55 @@
+require_relative "includes"
+
+module AwsAssumeRole::Ui
+    include AwsAssumeRole
+
+    ::I18n.load_path += Dir.glob(File.join(File.realpath(__dir__), "..", "..", "i18n", "*.{rb,yml,yaml}"))
+    ::I18n.locale = ENV.fetch("LANG", nil).split(".").first.split("_").first || I18n.default_locale
+
+    module_function
+
+    def out(text)
+        puts text
+    end
+
+    def pastel
+        @pastel ||= Pastel.new
+    end
+
+    def input
+        @input ||= HighLine.new
+    end
+
+    def validation_errors_to_s(result)
+        text = result.errors.keys.map do |k|
+            result.errors[k].join(";")
+        end.join(" ")
+        text
+    end
+
+    def error(text)
+        puts pastel.red(text)
+    end
+
+    def show_validation_errors(result)
+        error validation_errors_to_s(result)
+    end
+
+    def ask_with_validation(variable_name, question, type: Dry::Types["coercible.string"], &block)
+        STDOUT.puts pastel.yellow question
+        validator = Dry::Validation.Schema do
+            configure do
+                config.messages = :i18n
+            end
+            required(variable_name) { instance_eval(&block) }
+        end
+        result = validator.call(variable_name => type[STDIN.gets.chomp])
+        return result.to_h[variable_name] if result.success?
+        show_validation_errors result
+        ask_with_validation variable_name, question, &block
+    end
+
+    def t(*options)
+        ::I18n.t(options).first
+    end
+end

data/lib/aws_assume_role/vendored/aws.rb

@@ -0,0 +1,4 @@
+require_relative "aws/assume_role_credentials"
+require_relative "aws/refreshing_credentials"
+require_relative "../store/shared_config_with_keyring"
+require_relative "aws/shared_config"

data/lib/aws_assume_role/vendored/aws/README.md

@@ -0,0 +1,2 @@
+These are copies of the private API from the AWS SDK v2, as partial protection to changes, for which the source is available at
+https://github.com/aws/aws-sdk-ruby

data/lib/aws_assume_role/vendored/aws/assume_role_credentials.rb

@@ -0,0 +1,68 @@
+require_relative "includes"
+require "set"
+
+module AwsAssumeRole::Vendored::Aws
+    # An auto-refreshing credential provider that works by assuming
+    # a role via {Aws::STS::Client#assume_role}.
+    #
+    #     role_credentials = Aws::AssumeRoleCredentials.new(
+    #       client: Aws::STS::Client.new(...),
+    #       role_arn: "linked::account::arn",
+    #       role_session_name: "session-name"
+    #     )
+    #
+    #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
+    #
+    # If you omit `:client` option, a new {STS::Client} object will be
+    # constructed.
+    class AssumeRoleCredentials
+        include ::Aws::CredentialProvider
+        include ::Aws::RefreshingCredentials
+
+        # @option options [required, String] :role_arn
+        # @option options [required, String] :role_session_name
+        # @option options [String] :policy
+        # @option options [Integer] :duration_seconds
+        # @option options [String] :external_id
+        # @option options [STS::Client] :client
+        def initialize(options = {}, **)
+
+            client_opts = {}
+            @assume_role_params = {}
+            options.each_pair do |key, value|
+                if self.class.assume_role_options.include?(key)
+                    @assume_role_params[key] = value
+                else
+                    client_opts[key] = value
+                end
+            end
+            @client = client_opts[:client] || ::Aws::STS::Client.new(client_opts)
+            super
+        end
+
+        # @return [STS::Client]
+        attr_reader :client
+
+        private
+
+        def refresh
+            c = @client.assume_role(@assume_role_params).credentials
+            @credentials = ::Aws::Credentials.new(
+                c.access_key_id,
+                c.secret_access_key,
+                c.session_token,
+            )
+            @expiration = c.expiration
+        end
+
+        class << self
+          # @api private
+          def assume_role_options
+              @aro ||= begin
+                  input = ::Aws::STS::Client.api.operation(:assume_role).input
+                  Set.new(input.shape.member_names)
+              end
+          end
+          end
+    end
+end

data/lib/aws_assume_role/vendored/aws/includes.rb

@@ -0,0 +1,9 @@
+require "aws-sdk"
+
+module AwsAssumeRole
+    module Vendored
+        module Aws
+            include ::Aws
+        end
+    end
+end

data/lib/aws_assume_role/vendored/aws/refreshing_credentials.rb

@@ -0,0 +1,60 @@
+require "thread"
+
+module AwsAssumeRole::Vendored::Aws
+    # Base class used credential classes that can be refreshed. This
+    # provides basic refresh logic in a thread-safe manor. Classes mixing in
+    # this module are expected to implement a #refresh method that populates
+    # the following instance variables:
+    #
+    # * `@access_key_id`
+    # * `@secret_access_key`
+    # * `@session_token`
+    # * `@expiration`
+    #
+    # @api private
+    module RefreshingCredentials
+        def initialize(_options = {})
+            @mutex = Mutex.new
+            refresh
+      end
+
+        # @return [Credentials]
+        def credentials
+            refresh_if_near_expiration
+            @credentials
+        end
+
+        # @return [Time,nil]
+        def expiration
+            refresh_if_near_expiration
+            @expiration
+        end
+
+        # Refresh credentials.
+        # @return [void]
+        def refresh!
+            @mutex.synchronize { refresh }
+        end
+
+        private
+
+        # Refreshes instance metadata credentials if they are within
+        # 5 minutes of expiration.
+        def refresh_if_near_expiration
+            if near_expiration?
+                @mutex.synchronize do
+                    refresh if near_expiration?
+                end
+            end
+        end
+
+        def near_expiration?
+            if @expiration
+                # are we within 5 minutes of expiration?
+                (Time.now.to_i + 5 * 60) > @expiration.to_i
+            else
+                true
+            end
+        end
+      end
+end

data/lib/aws_assume_role/vendored/aws/shared_config.rb

@@ -0,0 +1,220 @@
+require_relative "includes"
+module AwsAssumeRole::Vendored::Aws
+    # @api private
+    class SharedConfig
+        # @return [String]
+        attr_reader :credentials_path
+
+        # @return [String]
+        attr_reader :config_path
+
+        # @return [String]
+        attr_reader :profile_name
+
+        # Constructs a new SharedConfig provider object. This will load the shared
+        # credentials file, and optionally the shared configuration file, as ini
+        # files which support profiles.
+        #
+        # By default, the shared credential file (the default path for which is
+        # `~/.aws/credentials`) and the shared config file (the default path for
+        # which is `~/.aws/config`) are loaded. However, if you set the
+        # `ENV['AWS_SDK_CONFIG_OPT_OUT']` environment variable, only the shared
+        # credential file will be loaded.
+        #
+        # The default profile name is 'default'. You can specify the profile name
+        # with the `ENV['AWS_PROFILE']` environment variable or with the
+        # `:profile_name` option.
+        #
+        # @param [Hash] options
+        # @option options [String] :credentials_path Path to the shared credentials
+        #   file. Defaults to "#{Dir.home}/.aws/credentials".
+        # @option options [String] :config_path Path to the shared config file.
+        #   Defaults to "#{Dir.home}/.aws/config".
+        # @option options [String] :profile_name The credential/config profile name
+        #   to use. If not specified, will check `ENV['AWS_PROFILE']` before using
+        #   the fixed default value of 'default'.
+        # @option options [Boolean] :config_enabled If true, loads the shared config
+        #   file and enables new config values outside of the old shared credential
+        #   spec.
+        def initialize(options = {})
+            @profile_name = determine_profile(options)
+            @config_enabled = options[:config_enabled]
+            @credentials_path = options[:credentials_path] ||
+                                determine_credentials_path
+            @parsed_credentials = {}
+            load_credentials_file if loadable?(@credentials_path)
+            if @config_enabled
+                @config_path = options[:config_path] || determine_config_path
+                load_config_file if loadable?(@config_path)
+            end
+        end
+
+        # @api private
+        def fresh(options = {})
+            @profile_name = nil
+            @credentials_path = nil
+            @config_path = nil
+            @parsed_credentials = {}
+            @parsed_config = nil
+            @config_enabled = options[:config_enabled] ? true : false
+            @profile_name = determine_profile(options)
+            @credentials_path = options[:credentials_path] ||
+                                determine_credentials_path
+            load_credentials_file if loadable?(@credentials_path)
+            if @config_enabled
+                @config_path = options[:config_path] || determine_config_path
+                load_config_file if loadable?(@config_path)
+            end
+        end
+
+        # @return [Boolean] Returns `true` if a credential file
+        #   exists and has appropriate read permissions at {#path}.
+        # @note This method does not indicate if the file found at {#path}
+        #   will be parsable, only if it can be read.
+        def loadable?(path)
+            !path.nil? && File.exist?(path) && File.readable?(path)
+        end
+
+        # @return [Boolean] returns `true` if use of the shared config file is
+        #   enabled.
+        def config_enabled?
+            @config_enabled ? true : false
+        end
+
+        # Sources static credentials from shared credential/config files.
+        #
+        # @param [Hash] options
+        # @option options [String] :profile the name of the configuration file from
+        #   which credentials are being sourced.
+        # @return [Aws::Credentials] credentials sourced from configuration values,
+        #   or `nil` if no valid credentials were found.
+        def credentials(opts = {})
+            p = opts[:profile] || @profile_name
+            validate_profile_exists(p) if credentials_present?
+            if credentials = credentials_from_shared(p, opts)
+                credentials
+            elsif credentials = credentials_from_config(p, opts)
+                credentials
+            end
+        end
+
+        # Attempts to assume a role from shared config or shared credentials file.
+        # Will always attempt first to assume a role from the shared credentials
+        # file, if present.
+        def assume_role_credentials_from_config(opts = {})
+            p = opts.delete(:profile) || @profile_name
+            credentials = assume_role_from_profile(@parsed_credentials, p, opts)
+            if @parsed_config
+                credentials ||= assume_role_from_profile(@parsed_config, p, opts)
+            end
+            credentials
+        end
+
+        def region(opts = {})
+            p = opts[:profile] || @profile_name
+            if @config_enabled
+                if @parsed_credentials
+                    region = @parsed_credentials.fetch(p, {})["region"]
+                end
+                region ||= @parsed_config.fetch(p, {})["region"] if @parsed_config
+                region
+            end
+        end
+
+        private
+
+        def credentials_present?
+            (@parsed_credentials && !@parsed_credentials.empty?) ||
+                (@parsed_config && !@parsed_config.empty?)
+        end
+
+        def assume_role_from_profile(cfg, profile, opts)
+            if cfg && prof_cfg = cfg[profile]
+                opts[:source_profile] ||= prof_cfg["source_profile"]
+                if opts[:source_profile]
+                    opts[:credentials] = credentials(profile: opts[:source_profile])
+                    if opts[:credentials]
+                        opts[:role_session_name] ||= prof_cfg["role_session_name"]
+                        opts[:role_session_name] ||= "default_session"
+                        opts[:role_arn] ||= prof_cfg["role_arn"]
+                        opts[:external_id] ||= prof_cfg["external_id"]
+                        opts[:serial_number] ||= prof_cfg["mfa_serial"]
+                        opts[:profile] = opts.delete(:source_profile)
+                        AwsAssumeRole::Vendored::Aws::AssumeRoleCredentials.new(opts)
+                    else
+                        raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, and source_profile, but the"\
+                              " source_profile does not have credentials."
+                    end
+                elsif prof_cfg["role_arn"]
+                    raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, but no source_profile."
+                end
+            end
+        end
+
+        def credentials_from_shared(profile, _opts)
+            if @parsed_credentials && prof_config = @parsed_credentials[profile]
+                credentials_from_profile(prof_config)
+            end
+        end
+
+        def credentials_from_config(profile, _opts)
+            if @parsed_config && prof_config = @parsed_config[profile]
+                credentials_from_profile(prof_config)
+            end
+        end
+
+        def credentials_from_profile(prof_config)
+            creds = Aws::Credentials.new(
+                prof_config["aws_access_key_id"],
+                prof_config["aws_secret_access_key"],
+                prof_config["aws_session_token"],
+            )
+            creds if credentials_complete(creds)
+        end
+
+        def credentials_complete(creds)
+            creds.set?
+        end
+
+        def load_credentials_file
+            @parsed_credentials = Aws::IniParser.ini_parse(
+                File.read(@credentials_path),
+            )
+        end
+
+        def load_config_file
+            @parsed_config = Aws::IniParser.ini_parse(File.read(@config_path))
+        end
+
+        def determine_credentials_path
+            default = default_shared_config_path("credentials")
+        end
+
+        def determine_config_path
+            default = default_shared_config_path("config")
+        end
+
+        def default_shared_config_path(file)
+            File.join(Dir.home, ".aws", file)
+        rescue ArgumentError
+            # Dir.home raises ArgumentError when ENV['home'] is not set
+            nil
+        end
+
+        def validate_profile_exists(profile)
+            unless (@parsed_credentials && @parsed_credentials[profile]) ||
+                   (@parsed_config && @parsed_config[profile])
+                msg = "Profile `#{profile}' not found in #{@credentials_path}"
+                msg << " or #{@config_path}" if @config_path
+                raise ::Aws::Errors::NoSuchProfileError, msg
+            end
+        end
+
+        def determine_profile(options)
+            ret = options[:profile_name]
+            ret ||= ENV["AWS_PROFILE"]
+            ret ||= "default"
+            ret
+        end
+    end
+end