aws_assume_role 1.0.6-linux

data/lib/aws_assume_role/runner.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "logging"
+
+class AwsAssumeRole::Runner < Dry::Struct
+    include AwsAssumeRole::Logging
+    constructor_type :schema
+    attribute :command, Dry::Types["coercible.array"].of(Dry::Types["strict.string"]).default([])
+    attribute :exit_on_error, Dry::Types["strict.bool"].default(true)
+    attribute :expected_exit_code, Dry::Types["strict.int"].default(0)
+    attribute :environment, Dry::Types["strict.hash"].default({})
+    attribute :credentials, Dry::Types["object"].optional
+
+    def initialize(options)
+        super(options)
+        command_to_exec = command.map(&:shellescape).join(" ")
+        process_credentials unless credentials.blank?
+        system environment, command_to_exec
+        exit_status = $CHILD_STATUS.exitstatus
+        process_error(exit_status) if exit_status != expected_exit_code
+    end
+
+    private
+
+    def process_credentials
+        cred_env = {
+            "AWS_ACCESS_KEY_ID" => credentials.credentials.access_key_id,
+            "AWS_SECRET_ACCESS_KEY" => credentials.credentials.secret_access_key,
+            "AWS_SESSION_TOKEN" => credentials.credentials.session_token,
+        }
+        @environment = environment.merge cred_env
+    end
+
+    def process_error(exit_status)
+        logger.error "#{command} failed with #{exit_status}"
+        exit exit_status if exit_on_error
+        raise "#{command} failed with #{exit_status}"
+    end
+end

data/lib/aws_assume_role/store/includes.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "../includes"
+
+module AwsAssumeRole
+    module Store
+    end
+end

data/lib/aws_assume_role/store/keyring.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "serialization"
+require_relative "../configuration"
+require_relative "../logging"
+
+module AwsAssumeRole::Store::Keyring
+    include AwsAssumeRole
+    include AwsAssumeRole::Store
+    include AwsAssumeRole::Logging
+
+    module_function
+
+    KEYRING_KEY = "AwsAssumeRole".freeze
+
+    def semaphore
+        @semaphore ||= Mutex.new
+    end
+
+    def keyrings
+        @keyrings ||= {}
+    end
+
+    def try_backend_plugin
+        return if AwsAssumeRole::Config.backend_plugin.blank?
+        logger.info "Attempting to load #{AwsAssumeRole::Config.backend_plugin} plugin"
+        require AwsAssumeRole::Config.backend_plugin
+    end
+
+    def keyring(backend = AwsAssumeRole::Config.backend)
+        keyrings[backend] ||= begin
+            try_backend_plugin
+            klass = backend ? "Keyring::Backend::#{backend}".constantize : nil
+            logger.debug "Initializing #{klass} backend"
+            ::Keyring.new(klass)
+        end
+    end
+
+    def fetch(id, backend: nil)
+        logger.debug "Fetching #{id} from keyring"
+        fetched = keyring(backend).get_password(KEYRING_KEY, id)
+        raise Aws::Errors::NoSuchProfileError if fetched == "null" || fetched.nil? || !fetched
+        JSON.parse(fetched, symbolize_names: true)
+    end
+
+    def delete_credentials(id, backend: nil)
+        semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
+        end
+    end
+
+    def save_credentials(id, credentials, expiration: nil, backend: nil)
+        credentials_to_persist = Serialization.credentials_to_hash(credentials)
+        credentials_to_persist[:expiration] = expiration if expiration
+        semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
+            keyring(backend).set_password(KEYRING_KEY, id, credentials_to_persist.to_json)
+        end
+    end
+end

data/lib/aws_assume_role/store/serialization.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module AwsAssumeRole::Store::Serialization
+    module_function
+
+    def credentials_from_hash(credentials)
+        creds_for_deserialization = credentials.respond_to?("[]") ? credentials : credentials_to_hash(credentials)
+        Aws::Credentials.new(creds_for_deserialization[:access_key_id],
+                             creds_for_deserialization[:secret_access_key],
+                             creds_for_deserialization[:session_token])
+    end
+
+    def credentials_to_hash(credentials)
+        {
+            access_key_id: credentials.access_key_id,
+            secret_access_key: credentials.secret_access_key,
+            session_token: credentials.session_token,
+        }
+    end
+end

data/lib/aws_assume_role/store/shared_config_with_keyring.rb

@@ -0,0 +1,250 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "../logging"
+require_relative "keyring"
+require_relative "../profile_configuration"
+require_relative "../credentials/providers/mfa_session_credentials"
+
+class AwsAssumeRole::Store::SharedConfigWithKeyring < AwsAssumeRole::Vendored::Aws::SharedConfig
+    include AwsAssumeRole::Store
+    include AwsAssumeRole::Logging
+
+    attr_reader :parsed_config
+
+    # @param [Hash] options
+    # @option options [String] :credentials_path Path to the shared credentials
+    #   file. Defaults to "#{Dir.home}/.aws/credentials".
+    # @option options [String] :config_path Path to the shared config file.
+    #   Defaults to "#{Dir.home}/.aws/config".
+    # @option options [String] :profile_name The credential/config profile name
+    #   to use. If not specified, will check `ENV['AWS_PROFILE']` before using
+    #   the fixed default value of 'default'.
+    # @option options [Boolean] :config_enabled If true, loads the shared config
+    #   file and enables new config values outside of the old shared credential
+    #   spec.
+    def initialize(options = {})
+        @profile_name = determine_profile(options)
+        @config_enabled = options[:config_enabled]
+        @credentials_path = options[:credentials_path] ||
+                            determine_credentials_path
+        @parsed_credentials = {}
+        load_credentials_file if loadable?(@credentials_path)
+        return unless @config_enabled
+        @config_path = options[:config_path] || determine_config_path
+        load_config_file if loadable?(@config_path)
+    end
+
+    # @api private
+    def fresh(options = {})
+        @configuration = nil
+        @semaphore = nil
+        @assume_role_shared_config = nil
+        @profile_name = nil
+        @credentials_path = nil
+        @config_path = nil
+        @parsed_credentials = {}
+        @parsed_config = nil
+        @config_enabled = options[:config_enabled] ? true : false
+        @profile_name = determine_profile(options)
+        @credentials_path = options[:credentials_path] ||
+                            determine_credentials_path
+        load_credentials_file if loadable?(@credentials_path)
+        return unless @config_enabled
+        @config_path = options[:config_path] || determine_config_path
+        load_config_file if loadable?(@config_path)
+    end
+
+    def credentials(opts = {})
+        logger.debug "SharedConfigWithKeyring asked for credentials with opts #{opts}"
+        p = opts[:profile] || @profile_name
+        validate_profile_exists(p) if credentials_present?
+        credentials_from_keyring(p, opts) || credentials_from_shared(p, opts) || credentials_from_config(p, opts)
+    end
+
+    def save_profile(profile_name, hash)
+        ckey = "profile #{profile_name}"
+        merged_config = configuration[ckey].deep_symbolize_keys.merge hash.to_h
+        merged_config[:mfa_serial] = merged_config[:serial_number] if merged_config[:serial_number]
+        credentials = Aws::Credentials.new(merged_config.delete(:aws_access_key_id),
+                                           merged_config.delete(:aws_secret_access_key))
+        semaphore.synchronize do
+            Keyring.save_credentials profile_name, credentials if credentials.set?
+            merged_config = merged_config.slice :region, :role_arn, :mfa_serial, :source_profile,
+                                                :role_session_name, :external_id, :duration_seconds,
+                                                :yubikey_oath_name
+            configuration.delete_section ckey
+            configuration[ckey] = merged_config.compact
+            save_configuration
+        end
+    end
+
+    def profiles
+        configuration.sections.map { |c| c.gsub("profile ", "") }
+    end
+
+    def delete_profile(profile_name)
+        # Keyring does not return errors for non-existent things, so always attempt.
+        Keyring.delete_credentials(profile_name)
+        semaphore.synchronize do
+            raise KeyError if configuration["profile #{profile_name}"].blank?
+            configuration.delete_section("profile #{profile_name}")
+            save_configuration
+        end
+    end
+
+    def migrate_profile(profile_name)
+        validate_profile_exists(profile_name)
+        save_profile(profile_name, configuration["profile #{profile_name}"])
+    end
+
+    def profile_region(profile_name)
+        resolve_profile_parameter(profile_name, "region")
+    end
+
+    def profile_role(profile_name)
+        resolve_profile_parameter(profile_name, "role_arn")
+    end
+
+    def profile_hash(profile_name)
+        {} || @parsed_config[profile_key(profile_name)]
+    end
+
+    private
+
+    def profile_key(profile)
+        logger.debug "About to lookup #{profile}"
+        if profile == "default" || profile.nil? || profile == ""
+            "default"
+        else
+            profile
+        end
+    end
+
+    def resolve_profile_parameter(profile_name, param)
+        return unless @parsed_config
+        prof_cfg = @parsed_config[profile_key(profile_name)]
+        resolve_parameter(param, @parsed_config, prof_cfg)
+    end
+
+    def resolve_parameter(param, cfg, prof_cfg)
+        return unless prof_cfg && cfg
+        return prof_cfg[param] if prof_cfg.key? param
+        source_profile = prof_cfg["source_profile"]
+        return unless source_profile
+        source_cfg = cfg[source_profile]
+        return unless source_cfg
+        cfg[prof_cfg["source_profile"]][param] if source_cfg.key?(param)
+    end
+
+    def resolve_region(cfg, prof_cfg)
+        resolve_parameter("region", cfg, prof_cfg)
+    end
+
+    def resolve_arn(cfg, prof_cfg)
+        resolve_parameter("role_arn", cfg, prof_cfg)
+    end
+
+    def assume_role_from_profile(cfg, profile, opts)
+        logger.debug "Entering assume_role_from_profile with #{cfg}, #{profile}, #{opts}"
+        prof_cfg = cfg[profile]
+        return unless cfg && prof_cfg
+        opts[:source_profile] ||= prof_cfg["source_profile"]
+        if opts[:source_profile]
+            opts[:credentials] = credentials(profile: opts[:source_profile])
+            if opts[:credentials]
+                opts[:role_session_name] ||= prof_cfg["role_session_name"]
+                opts[:role_session_name] ||= "default_session"
+                opts[:role_arn] ||= prof_cfg["role_arn"]
+                opts[:external_id] ||= prof_cfg["external_id"]
+                opts[:serial_number] ||= prof_cfg["mfa_serial"]
+                opts[:yubikey_oath_name] ||= prof_cfg["yubikey_oath_name"]
+                opts[:region] ||= profile_region(profile)
+                if opts[:serial_number]
+                    mfa_opts = {
+                        credentials: opts[:credentials],
+                        region: opts[:region],
+                        serial_number: opts[:serial_number],
+                        yubikey_oath_name: opts[:yubikey_oath_name],
+                    }
+                    mfa_creds = mfa_session(cfg, opts[:source_profile], mfa_opts)
+                    opts.delete :serial_number
+                end
+                opts[:credentials] = mfa_creds if mfa_creds
+                opts[:profile] = opts.delete(:source_profile)
+                AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials.new(opts)
+            else
+                raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, and source_profile, but the"\
+                      " source_profile does not have credentials."
+            end
+        elsif prof_cfg["role_arn"]
+            raise ::Aws::Errors::NoSourceProfileError, "Profile #{profile} has a role_arn, but no source_profile."
+        end
+    end
+
+    def mfa_session(cfg, profile, opts)
+        prof_cfg = cfg[profile]
+        return unless cfg && prof_cfg
+        opts[:serial_number] ||= opts[:mfa_serial] || prof_cfg["mfa_serial"]
+        opts[:source_profile] ||= prof_cfg["source_profile"]
+        opts[:region] ||= profile_region(profile)
+        return unless opts[:serial_number]
+        opts[:credentials] ||= credentials(profile: opts[:profile])
+        AwsAssumeRole::Credentials::Providers::MfaSessionCredentials.new(opts)
+    end
+
+    def credentials_from_keyring(profile, opts)
+        logger.debug "Entering credentials_from_keyring"
+        return unless @parsed_config
+        logger.debug "credentials_from_keyring: @parsed_config found"
+        prof_cfg = @parsed_config[profile]
+        return unless prof_cfg
+        logger.debug "credentials_from_keyring: prof_cfg found"
+        opts[:serial_number] ||= opts[:mfa_serial] || prof_cfg[:mfa_serial] || prof_cfg[:serial_number]
+        if opts[:serial_number]
+            logger.debug "credentials_from_keyring detected mfa requirement"
+            mfa_session(@parsed_config, profile, opts)
+        else
+            logger.debug "Attempt to fetch #{profile} from keyring"
+            keyring_creds = Keyring.fetch(profile)
+            return unless keyring_creds
+            creds = Serialization.credentials_from_hash Keyring.fetch(profile)
+            creds if credentials_complete(creds)
+        end
+    rescue Aws::Errors::NoSourceProfileError, Aws::Errors::NoSuchProfileError
+        nil
+    end
+
+    def semaphore
+        @semaphore ||= Mutex.new
+    end
+
+    def configuration
+        @configuration ||= IniFile.new(filename: determine_config_path, default: "default")
+    end
+
+    # Please run in a mutex
+    def save_configuration
+        if File.exist? determine_config_path
+            bytes_required = File.size(determine_config_path)
+            # Overwrite the current .config file with random bytes to eliminate
+            # unencrypted credentials.
+            # This won't account for COW filesystems or SSD wear-levelling but
+            # is a best effort protection.
+            random_bytes = SecureRandom.random_bytes(bytes_required)
+            File.write(determine_config_path, random_bytes)
+        else
+            FileUtils.mkdir_p(Pathname.new(determine_config_path).dirname)
+        end
+        configuration.save
+    end
+end
+
+module AwsAssumeRole
+    module_function
+
+    def shared_config
+        enabled = ENV["AWS_SDK_CONFIG_OPT_OUT"] ? false : true
+        @assume_role_shared_config ||= ::AwsAssumeRole::Store::SharedConfigWithKeyring.new(config_enabled: enabled)
+    end
+end

data/lib/aws_assume_role/types.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+module AwsAssumeRole
+    module Types
+        Dry = Dry::Types.module
+
+        ::Dry::Types.register_class(::Aws::Credentials)
+        AwsAssumeRole::Types::Credentials = ::Dry::Types["aws.credentials"]
+
+        ACCESS_KEY_REGEX = /[\w]+/
+        ACCESS_KEY_VALIDATOR = proc { filled? & str? & format?(ACCESS_KEY_REGEX) & min_size?(16) & max_size?(32) }
+        ARN_REGEX = %r{arn:[\w+=\/,.@-]+:[\w+=\/,.@-]+:[\w+=\/,.@-]*:[0-9]+:[\w+=,.@-]+(\/[\w+=\/,.@-]+)*}
+        EXTERNAL_ID_REGEX = %r{[\w+=,.@:\/-]*}
+        MFA_REGEX = %r{arn:aws:iam::[0-9]+:mfa\/([\w+=,.@-]+)*|automatic}
+        REGION_REGEX = /^(us|eu|ap|sa|ca)\-\w+\-\d+$|^cn\-\w+\-\d+$|^us\-gov\-\w+\-\d+$/
+        REGION_VALIDATOR = proc { filled? & str? & format?(REGION_REGEX) }
+        ROLE_REGEX = %r{arn:aws:iam::[0-9]+:role\/([\w+=,.@-]+)*}
+        ROLE_SESSION_NAME_REGEX = /[\w+=,.@-]*/
+        SECRET_ACCESS_KEY_REGEX = //
+        SECRET_ACCESS_KEY_VALIDATOR = proc { filled? & str? & format?(SECRET_ACCESS_KEY_REGEX) }
+
+        AwsAssumeRole::Types::Region = Dry::Strict::String.constrained(
+            format: REGION_REGEX,
+        )
+
+        AwsAssumeRole::Types::MfaSerial = Dry::Strict::String.constrained(
+            format: MFA_REGEX,
+        )
+    end
+end

data/lib/aws_assume_role/ui.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+
+module AwsAssumeRole::Ui
+    include AwsAssumeRole
+
+    ::I18n.load_path += Dir.glob(File.join(File.realpath(__dir__), "..", "..", "i18n", "*.{rb,yml,yaml}"))
+    ::I18n.locale = ENV.fetch("LANG", nil).split(".").first.split("_").first || I18n.default_locale
+
+    module_function
+
+    def out(text)
+        puts text
+    end
+
+    def pastel
+        @pastel ||= Pastel.new
+    end
+
+    def input
+        @input ||= HighLine.new($stdin, $stderr)
+    end
+
+    def validation_errors_to_s(result)
+        text = result.errors.keys.map do |k|
+            result.errors[k].join(";")
+        end.join(" ")
+        text
+    end
+
+    def error(text)
+        puts pastel.red(text)
+    end
+
+    def show_validation_errors(result)
+        error validation_errors_to_s(result)
+    end
+
+    def ask_with_validation(variable_name, question, type: Dry::Types["coercible.string"], &block)
+        STDOUT.puts pastel.yellow question
+        validator = Dry::Validation.Schema do
+            configure do
+                config.messages = :i18n
+            end
+            required(variable_name) { instance_eval(&block) }
+        end
+        result = validator.call(variable_name => type[(STDIN.gets || "").chomp])
+        return result.to_h[variable_name] if result.success?
+        show_validation_errors result
+        ask_with_validation variable_name, question, &block
+    end
+
+    def t(*options)
+        ::I18n.t(options).first
+    end
+end

data/lib/aws_assume_role/vendored/aws/README.md

@@ -0,0 +1,2 @@
+These are copies of the private API from the AWS SDK v2, as partial protection to changes, for which the source is available at
+https://github.com/aws/aws-sdk-ruby

data/lib/aws_assume_role/vendored/aws/assume_role_credentials.rb

@@ -0,0 +1,67 @@
+require_relative "includes"
+
+module AwsAssumeRole::Vendored::Aws
+    # An auto-refreshing credential provider that works by assuming
+    # a role via {Aws::STS::Client#assume_role}.
+    #
+    #     role_credentials = Aws::AssumeRoleCredentials.new(
+    #       client: Aws::STS::Client.new(...),
+    #       role_arn: "linked::account::arn",
+    #       role_session_name: "session-name"
+    #     )
+    #
+    #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
+    #
+    # If you omit `:client` option, a new {STS::Client} object will be
+    # constructed.
+    class AssumeRoleCredentials
+        include ::Aws::CredentialProvider
+        include ::Aws::RefreshingCredentials
+
+        # @option options [required, String] :role_arn
+        # @option options [required, String] :role_session_name
+        # @option options [String] :policy
+        # @option options [Integer] :duration_seconds
+        # @option options [String] :external_id
+        # @option options [STS::Client] :client
+        def initialize(options = {}, **)
+
+            client_opts = {}
+            @assume_role_params = {}
+            options.each_pair do |key, value|
+                if self.class.assume_role_options.include?(key)
+                    @assume_role_params[key] = value
+                else
+                    client_opts[key] = value
+                end
+            end
+            @client = client_opts[:client] || ::Aws::STS::Client.new(client_opts)
+            super
+        end
+
+        # @return [STS::Client]
+        attr_reader :client
+
+        private
+
+        def refresh
+            c = @client.assume_role(@assume_role_params).credentials
+            @credentials = ::Aws::Credentials.new(
+                c.access_key_id,
+                c.secret_access_key,
+                c.session_token,
+            )
+            @expiration = c.expiration
+        end
+
+        class << self
+          # @api private
+          def assume_role_options
+              @aro ||= begin
+                  input = ::Aws::STS::Client.api.operation(:assume_role).input
+                  Set.new(input.shape.member_names)
+              end
+          end
+          end
+    end
+end

data/lib/aws_assume_role/vendored/aws/includes.rb

@@ -0,0 +1,9 @@
+require_relative "../../includes"
+
+module AwsAssumeRole
+    module Vendored
+        module Aws
+            include ::Aws
+        end
+    end
+end

data/lib/aws_assume_role/vendored/aws/refreshing_credentials.rb

@@ -0,0 +1,58 @@
+module AwsAssumeRole::Vendored::Aws
+    # Base class used credential classes that can be refreshed. This
+    # provides basic refresh logic in a thread-safe manor. Classes mixing in
+    # this module are expected to implement a #refresh method that populates
+    # the following instance variables:
+    #
+    # * `@access_key_id`
+    # * `@secret_access_key`
+    # * `@session_token`
+    # * `@expiration`
+    #
+    # @api private
+    module RefreshingCredentials
+        def initialize(_options = {})
+            @mutex = Mutex.new
+            refresh
+      end
+
+        # @return [Credentials]
+        def credentials
+            refresh_if_near_expiration
+            @credentials
+        end
+
+        # @return [Time,nil]
+        def expiration
+            refresh_if_near_expiration
+            @expiration
+        end
+
+        # Refresh credentials.
+        # @return [void]
+        def refresh!
+            @mutex.synchronize { refresh }
+        end
+
+        private
+
+        # Refreshes instance metadata credentials if they are within
+        # 5 minutes of expiration.
+        def refresh_if_near_expiration
+            if near_expiration?
+                @mutex.synchronize do
+                    refresh if near_expiration?
+                end
+            end
+        end
+
+        def near_expiration?
+            if @expiration
+                # are we within 5 minutes of expiration?
+                (Time.now.to_i + 5 * 60) > @expiration.to_i
+            else
+                true
+            end
+        end
+      end
+end