aws_assume_role 1.1.0-universal-openbsd

data/lib/aws_assume_role/configuration.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+
+module AwsAssumeRole
+    class Configuration
+        extend Dry::Configurable
+        Types = Dry::Types.module
+
+        setting(:backend_plugin, ENV.fetch("AWS_ASSUME_ROLE_KEYRING_PLUGIN", nil)) do |value|
+            Types::Coercible::String[value]
+        end
+
+        setting(:backend, ENV.fetch("AWS_ASSUME_ROLE_KEYRING_BACKEND", "automatic")) do |value|
+            value == "automatic" ? nil : Types::Coercible::String[value]
+        end
+
+        setting(:log_level, ENV.fetch("AWS_ASSUME_ROLE_LOG_LEVEL", "WARN")) do |value|
+            {
+                DEBUG: 0,
+                INFO: 1,
+                WARN: 2,
+                ERROR: 3,
+                FATAL: 4,
+                UNKNOWN: 5,
+            }[value.to_sym] || 2
+        end
+    end
+    Config = Configuration.config
+end

data/lib/aws_assume_role/core_ext/aws-sdk/credential_provider_chain.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "../../credentials/factories/default_chain_provider"
+Aws.const_set :CredentialProviderChain, AwsAssumeRole::Credentials::Factories::DefaultChainProvider

data/lib/aws_assume_role/core_ext/aws-sdk/includes.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "../../includes"
+module AwsAssumeRole
+    module CoreExt
+        module Aws
+        end
+    end
+end

data/lib/aws_assume_role/credentials/factories.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative "factories/repository"
+require_relative "factories/abstract_factory"
+require_relative "factories/default_chain_provider"
+require_relative "factories/assume_role"
+require_relative "factories/environment"
+require_relative "factories/instance_profile"
+require_relative "factories/shared_keyring"
+require_relative "factories/shared"
+require_relative "factories/static"

data/lib/aws_assume_role/credentials/factories/abstract_factory.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "repository"
+require_relative "../../profile_configuration"
+
+class AwsAssumeRole::Credentials::Factories::AbstractFactory
+    include AwsAssumeRole
+    include AwsAssumeRole::Credentials::Factories
+    include AwsAssumeRole::Logging
+
+    Dry::Types.register_class(Aws::SharedCredentials)
+    attr_reader :credentials, :region, :profile, :role_arn
+
+    def initialize(_options)
+        raise "Not implemented"
+    end
+
+    def self.type(str)
+        @type = Types::Strict::Symbol.enum(:credential_provider, :second_factor_provider, :instance_role_provider)[str]
+        register_if_complete
+    end
+
+    def self.priority(i)
+        @priority = Types::Strict::Int[i]
+        register_if_complete
+    end
+
+    def self.register_if_complete
+        return unless @type && @priority
+        Repository.register_factory(self, @type, @priority)
+    end
+end

data/lib/aws_assume_role/credentials/factories/assume_role.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative "abstract_factory"
+require_relative "../providers/assume_role_credentials"
+require_relative "../providers/mfa_session_credentials"
+
+class AwsAssumeRole::Credentials::Factories::AssumeRole < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    include AwsAssumeRole::Credentials::Factories
+    type :credential_provider
+    priority 20
+
+    def initialize(options)
+        logger.debug "AwsAssumeRole::Credentials::Factories::AssumeRole initiated with #{options}"
+        return unless options[:profile] || options[:role_arn]
+        if options[:profile]
+            logger.debug "AwsAssumeRole: #{options[:profile]} found. Trying with profile"
+            try_with_profile(options)
+        else
+            if options[:use_mfa]
+                options[:credentials] = AwsAssumeRole::Credentials::Providers::MfaSessionCredentials.new(options).credentials
+            end
+            @credentials = AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials.new(options)
+        end
+    end
+
+    def try_with_profile(options)
+        return unless AwsAssumeRole.shared_config.config_enabled?
+        logger.debug "AwsAssumeRole: Shared Config enabled"
+        @profile = options[:profile]
+        @region = options[:region]
+        @credentials = assume_role_with_profile(options)
+        @region ||= AwsAssumeRole.shared_config.profile_region(@profile)
+        @role_arn ||= AwsAssumeRole.shared_config.profile_role(@profile)
+    end
+
+    def assume_role_with_profile(options)
+        AwsAssumeRole.shared_config.assume_role_credentials_from_config(options)
+    end
+end

data/lib/aws_assume_role/credentials/factories/default_chain_provider.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "../../logging"
+require_relative "../../profile_configuration"
+require_relative "abstract_factory"
+require_relative "environment"
+require_relative "repository"
+require_relative "instance_profile"
+require_relative "assume_role"
+require_relative "shared"
+require_relative "static"
+
+class AwsAssumeRole::Credentials::Factories::DefaultChainProvider < Dry::Struct
+    constructor_type :schema
+    include AwsAssumeRole::Credentials::Factories
+    include AwsAssumeRole::Logging
+
+    attribute :access_key_id, Dry::Types["strict.string"].optional
+    attribute :credentials, Dry::Types["object"].optional
+    attribute :duration_seconds, Dry::Types["coercible.int"].optional
+    attribute :external_id, Dry::Types["strict.string"].optional
+    attribute :instance_profile_credentials_retries, Dry::Types["strict.int"].default(0)
+    attribute :instance_profile_credentials_timeout, Dry::Types["coercible.float"].default(1.0)
+    attribute :mfa_serial, Dry::Types["strict.string"].optional
+    attribute :no_profile, Dry::Types["strict.bool"].default(false)
+    attribute :path, Dry::Types["strict.string"].optional
+    attribute :persist_session, Dry::Types["strict.bool"].default(true)
+    attribute :profile_name, Dry::Types["strict.string"].optional
+    attribute :profile, Dry::Types["strict.string"].optional
+    attribute :region, Dry::Types["strict.string"].optional
+    attribute :role_arn, Dry::Types["strict.string"].optional
+    attribute :role_session_name, Dry::Types["strict.string"].optional
+    attribute :secret_access_key, Dry::Types["strict.string"].optional
+    attribute :serial_number, Dry::Types["strict.string"].optional
+    attribute :session_token, Dry::Types["strict.string"].optional
+    attribute :source_profile, Dry::Types["strict.string"].optional
+    attribute :use_mfa, Dry::Types["strict.bool"].default(false)
+    attribute :yubikey_oath_name, Dry::Types["strict.string"].optional
+
+    def self.new(options)
+        if options.respond_to? :resolve
+            finalize_instance new_with_seahorse(options)
+        else
+            finalize_instance(options)
+        end
+    end
+
+    def self.finalize_instance(options)
+        new_opts = options.to_h
+        new_opts[:profile_name] ||= new_opts[:profile]
+        new_opts[:original_profile] = new_opts[:profile_name]
+        instance = allocate
+        instance.send(:initialize, new_opts)
+        instance
+    end
+
+    def self.new_with_seahorse(resolver)
+        keys = resolver.resolve
+        options = keys.map do |k|
+            [k, resolver.send(k)]
+        end
+        finalize_instance(options.to_h)
+    end
+
+    def resolve(nil_with_role_not_set: false, explicit_default_profile: false)
+        resolve_final_credentials(explicit_default_profile)
+        # nil_creds = Aws::Credentials.new(nil, nil, nil)
+        return nil if (nil_with_role_not_set &&
+                             @role_arn &&
+                             @credentials.credentials.session_token.nil?) || @credentials.nil?
+        @credentials
+    end
+
+    def to_h
+        to_hash
+    end
+
+    private
+
+    def resolve_final_credentials(explicit_default_profile = false)
+        resolve_credentials(:credential_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set? && !use_mfa && !role_arn
+        resolve_credentials(:second_factor_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set?
+        resolve_credentials(:instance_role_provider, true, explicit_default_profile)
+        return @credentials if @credentials && @credentials.set?
+        nil
+    end
+
+    def resolve_credentials(type, break_if_successful = false, explicit_default_profile = false)
+        factories_to_try = Repository.factories[type]
+        factories_to_try.each do |x|
+            options = to_h
+            options[:credentials] = credentials if credentials && credentials.set?
+            logger.debug "About to try credential lookup with #{x}"
+            factory = x.new(options)
+            @region ||= factory.region
+            @profile ||= factory.profile
+            @role_arn ||= factory.role_arn
+            next unless factory.credentials && factory.credentials.set?
+            logger.debug "Profile currently #{@profile}"
+            next if explicit_default_profile && (@profile == "default") && (@profile != @original_profile)
+            @credentials ||= factory.credentials
+            logger.debug "Got #{@credentials}"
+            break if break_if_successful
+        end
+    end
+end
+
+module AwsAssumeRole
+    DefaultProvider = AwsAssumeRole::Credentials::Factories::DefaultChainProvider
+end

data/lib/aws_assume_role/credentials/factories/environment.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Environment < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 10
+
+    def initialize(_options, **)
+        key =    %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
+        secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
+        token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
+        region = %w[AWS_DEFAULT_REGION]
+        profile = %w[AWS_PROFILE]
+        @credentials = Aws::Credentials.new(envar(key), envar(secret), envar(token))
+        @region = envar(region)
+        @profile = envar(profile)
+    end
+
+    def envar(keys)
+        keys.each do |key|
+            return ENV[key] if ENV.key?(key)
+        end
+        nil
+    end
+end

data/lib/aws_assume_role/credentials/factories/includes.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative "../includes"
+require_relative "../../logging"
+require_relative "../../vendored/aws"
+require_relative "../../../aws_assume_role"
+
+module AwsAssumeRole::Credentials
+    module Factories
+        Types = Dry::Types.module
+        include AwsAssumeRole
+        include AwsAssumeRole::Logging
+        include AwsAssumeRole::Vendored::Aws
+    end
+end

data/lib/aws_assume_role/credentials/factories/instance_profile.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::InstanceProfile < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :instance_role_provider
+    priority 40
+
+    def initialize(options = {})
+        options[:retries] ||= options[:instance_profile_credentials_retries] || 0
+        options[:http_open_timeout] ||= options[:instance_profile_credentials_timeout] || 1
+        options[:http_read_timeout] ||= options[:instance_profile_credentials_timeout] || 1
+        @credentials = if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
+                           Aws::ECSCredentials.new(options)
+                       else
+                           Aws::InstanceProfileCredentials.new(options)
+                       end
+    end
+end

data/lib/aws_assume_role/credentials/factories/repository.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Repository
+    include AwsAssumeRole::Credentials::Factories
+
+    SubFactoryRepositoryType = Types::Hash.schema(Types::Coercible::Int => Types::Strict::Array)
+
+    FactoryRepositoryType = Types::Hash.schema(
+        credential_provider: SubFactoryRepositoryType,
+        second_factor_provider: SubFactoryRepositoryType,
+        instance_role_provider: SubFactoryRepositoryType,
+    )
+
+    def self.factories
+        repository.keys.map { |t| [t, flatten_factory_type_list(t)] }.to_h
+    end
+
+    def self.repository
+        @repository ||= FactoryRepositoryType[
+            credential_provider: {},
+            second_factor_provider: {},
+            instance_role_provider: {},
+        ]
+    end
+
+    def self.register_factory(klass, type, priority)
+        repository[type][priority] ||= []
+        repository[type][priority] << klass
+    end
+
+    def self.flatten_factory_type_list(type)
+        repository[type].keys.sort.map { |x| @repository[type][x] }.flatten
+    end
+end

data/lib/aws_assume_role/credentials/factories/shared.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "abstract_factory"
+require_relative "../providers/shared_keyring_credentials"
+
+class AwsAssumeRole::Credentials::Factories::Shared < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 30
+
+    def initialize(options = {})
+        logger.debug "Shared Factory initiated with #{options}"
+        @profile = options[:profile]
+        @credentials = AwsAssumeRole::Credentials::Providers::SharedKeyringCredentials.new(options)
+        @region = @credentials.region
+        @role_arn = @credentials.role_arn
+    rescue Aws::Errors::NoSuchProfileError
+        nil
+    end
+end

data/lib/aws_assume_role/credentials/factories/static.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "abstract_factory"
+
+class AwsAssumeRole::Credentials::Factories::Static < AwsAssumeRole::Credentials::Factories::AbstractFactory
+    type :credential_provider
+    priority 0
+
+    def initialize(options = {})
+        @credentials = Aws::Credentials.new(
+            options[:access_key_id],
+            options[:secret_access_key],
+            options[:session_token],
+        )
+        @region = options[:region]
+        @profile = options[:profile]
+    end
+end

data/lib/aws_assume_role/credentials/includes.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require_relative "../includes"
+module AwsAssumeRole
+    module Credentials end
+end

data/lib/aws_assume_role/credentials/providers/assume_role_credentials.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require "set"
+
+class AwsAssumeRole::Credentials::Providers::AssumeRoleCredentials
+    include AwsAssumeRole::Vendored::Aws::CredentialProvider
+    include AwsAssumeRole::Vendored::Aws::RefreshingCredentials
+
+    # @option options [required, String] :role_arn
+    # @option options [required, String] :role_session_name
+    # @option options [String] :policy
+    # @option options [Integer] :duration_seconds
+    # @option options [String] :external_id
+    # @option options [STS::Client] :client
+    #
+    #
+
+    STS_KEYS = %i[role_arn role_session_name policy duration_seconds external_id client credentials region].freeze
+
+    def initialize(options = {})
+        client_opts = {}
+        @assume_role_params = {}
+        options.each_pair do |key, value|
+            if self.class.assume_role_options.include?(key)
+                @assume_role_params[key] = value
+            else
+                next unless STS_KEYS.include?(key)
+                client_opts[key] = value
+            end
+        end
+        @client = client_opts[:client] || ::Aws::STS::Client.new(client_opts)
+        super
+    end
+
+    # @return [STS::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+        c = @client.assume_role(@assume_role_params).credentials
+        @credentials = ::Aws::Credentials.new(
+            c.access_key_id,
+            c.secret_access_key,
+            c.session_token,
+        )
+        @expiration = c.expiration
+    end
+
+    class << self
+      # @api private
+      def assume_role_options
+          @aro ||= begin
+              input = ::Aws::STS::Client.api.operation(:assume_role).input
+              Set.new(input.shape.member_names)
+          end
+      end
+      end
+end