aws_assume_role 1.1.0-universal-openbsd

data/lib/aws_assume_role/credentials/providers/includes.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "../includes"
+require_relative "../../vendored/aws"
+require_relative "../../ui"
+require_relative "../../logging"
+module AwsAssumeRole::Credentials
+    module Providers end
+end

data/lib/aws_assume_role/credentials/providers/mfa_session_credentials.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "../../types"
+require_relative "../../configuration"
+begin
+    require "smartcard"
+    require "yubioath"
+    SMARTCARD_SUPPORT = true
+rescue LoadError
+    SMARTCARD_SUPPORT = false
+end
+
+class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials < Dry::Struct
+    constructor_type :schema
+    include AwsAssumeRole::Vendored::Aws::CredentialProvider
+    include AwsAssumeRole::Vendored::Aws::RefreshingCredentials
+    include AwsAssumeRole::Ui
+    include AwsAssumeRole::Logging
+
+    attribute :permanent_credentials, Dry::Types["object"].optional
+    attribute :credentials, Dry::Types["object"].optional
+    attribute :expiration, Dry::Types["strict.time"].default(Time.now)
+    attribute :first_time, Dry::Types["strict.bool"].default(true)
+    attribute :persist_session, Dry::Types["strict.bool"].default(true)
+    attribute :duration_seconds, Dry::Types["coercible.int"].default(3600)
+    attribute :region, AwsAssumeRole::Types::Region.optional
+    attribute :serial_number, AwsAssumeRole::Types::MfaSerial.optional.default("automatic")
+    attribute :yubikey_oath_name, Dry::Types["strict.string"].optional
+
+    def initialize(options)
+        options.each { |key, value| instance_variable_set("@#{key}", value) }
+        @permanent_credentials ||= @credentials
+        @credentials = nil
+        @serial_number = resolve_serial_number(serial_number)
+        AwsAssumeRole::Vendored::Aws::RefreshingCredentials.instance_method(:initialize).bind(self).call(options)
+    end
+
+    private
+
+    def keyring_username
+        @keyring_username ||= "#{@identity.to_json}|#{@serial_number}"
+    end
+
+    def sts_client
+        @sts_client ||= Aws::STS::Client.new(region: @region, credentials: @permanent_credentials)
+    end
+
+    def prompt_for_token
+        text = @first_time ? t("options.mfa_token.first_time") : t("options.mfa_token.other_times")
+        Ui.input.ask text
+    end
+
+    def initialized
+        @first_time = false
+    end
+
+    def refresh
+        return set_credentials_from_keyring if @persist_session && @first_time
+        refresh_using_mfa if near_expiration?
+        broadcast(:mfa_completed)
+    end
+
+    def retrieve_yubikey_token
+        raise t("options.mfa_token.smartcard_not_supported") unless SMARTCARD_SUPPORT
+        context = Smartcard::PCSC::Context.new
+        raise "Yubikey not found" unless context.readers.length == 1
+        reader_name = context.readers.first
+        card = Smartcard::PCSC::Card.new(context, reader_name, :shared)
+        codes = YubiOATH.new(card).calculate_all(timestamp: Time.now)
+        codes.fetch(BinData::String.new(@yubikey_oath_name))
+    end
+
+    def refresh_using_mfa
+        token_code = @yubikey_oath_name ? retrieve_yubikey_token : prompt_for_token
+        token = sts_client.get_session_token(
+            duration_seconds: @duration_seconds,
+            serial_number: @serial_number,
+            token_code: token_code,
+        )
+        initialized
+        instance_credentials token.credentials
+        persist_credentials if @persist_session
+    end
+
+    def credentials_from_keyring
+        @credentials_from_keyring ||= AwsAssumeRole::Store::Keyring.fetch keyring_username
+    rescue Aws::Errors::NoSuchProfileError
+        logger.debug "Key not found"
+        @credentials_from_keyring = nil
+        return nil
+    end
+
+    def persist_credentials
+        AwsAssumeRole::Store::Keyring.save_credentials keyring_username, @credentials, expiration: @expiration
+    end
+
+    def instance_credentials(credentials)
+        return unless credentials
+        @credentials = AwsAssumeRole::Store::Serialization.credentials_from_hash(credentials)
+        @expiration = credentials.respond_to?(:expiration) ? credentials.expiration : Time.parse(credentials[:expiration])
+    end
+
+    def set_credentials_from_keyring
+        instance_credentials credentials_from_keyring if credentials_from_keyring
+        initialized
+        refresh_using_mfa unless @credentials && !near_expiration?
+    end
+
+    def identity
+        @identity ||= sts_client.get_caller_identity
+    end
+
+    def resolve_serial_number(serial_number)
+        return serial_number unless serial_number.nil? || serial_number == "automatic"
+        user_name = identity.arn.split("/")[1]
+        "arn:aws:iam::#{identity.account}:mfa/#{user_name}"
+    end
+end

data/lib/aws_assume_role/credentials/providers/shared_keyring_credentials.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "../../types"
+
+class AwsAssumeRole::Credentials::Providers::SharedKeyringCredentials < ::Aws::SharedCredentials
+    include AwsAssumeRole::Logging
+    attr_reader :region, :role_arn
+
+    def initialize(options = {})
+        logger.debug "SharedKeyringCredentials initiated with #{options}"
+        @path = options[:path]
+        @path ||= AwsAssumeRole.shared_config.credentials_path
+        @profile_name = options[:profile_name] ||= options[:profile]
+        @profile_name ||= ENV["AWS_PROFILE"]
+        @profile_name ||= AwsAssumeRole.shared_config.profile_name
+        logger.debug "SharedKeyringCredentials resolved profile name #{@profile_name}"
+        config = determine_config(@path, @profile_name)
+        @role_arn = config.profile_hash(@profile_name)
+        @region = config.profile_region(@profile_name)
+        @role_arn = config.profile_role(@profile_name)
+        attempted_credential = config.credentials(options)
+        return unless attempted_credential && attempted_credential.set?
+        @credentials = attempted_credential
+    end
+
+    private
+
+    def determine_config(path, profile_name)
+        if path && path == AwsAssumeRole.shared_config.credentials_path
+            logger.debug "SharedKeyringCredentials found shared credential path"
+            AwsAssumeRole.shared_config
+        else
+            logger.debug "SharedKeyringCredentials found custom credential path"
+            AwsAssumeRole::Store::SharedConfigWithKeyring.new(
+                credentials_path: path,
+                profile_name: profile_name,
+            )
+        end
+    end
+end

data/lib/aws_assume_role/includes.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "i18n"
+require "active_support/json"
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/hash/compact"
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/hash/slice"
+require "aws-sdk"
+require "aws-sdk-core/ini_parser"
+require "dry-configurable"
+require "dry-struct"
+require "dry-validation"
+require "dry-types"
+require "English"
+require "gli"
+require "highline"
+require "inifile"
+require "json"
+require "keyring"
+require "launchy"
+require "logger"
+require "open-uri"
+require "pastel"
+require "securerandom"
+require "set"
+require "thread"
+require "time"
+
+module AwsAssumeRole
+    module_function
+
+    def shared_config
+        enabled = ENV["AWS_SDK_CONFIG_OPT_OUT"] ? false : true
+        @shared_config ||= SharedConfigWithKeyring.new(config_enabled: enabled)
+    end
+end

data/lib/aws_assume_role/logging.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "configuration"
+module AwsAssumeRole::Logging
+    module ClassMethods
+        def logger
+            @logger ||= begin
+                logger = Logger.new($stderr)
+                logger.level = AwsAssumeRole::Config.log_level
+                ENV["GLI_DEBUG"] = "true" if AwsAssumeRole::Config.log_level.zero?
+                logger
+            end
+        end
+    end
+
+    module InstanceMethods
+        def logger
+            self.class.logger
+        end
+    end
+
+    def self.included(base)
+        base.extend ClassMethods
+        base.include InstanceMethods
+    end
+end

data/lib/aws_assume_role/profile_configuration.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "logging"
+
+class AwsAssumeRole::ProfileConfiguration < Dry::Struct
+    constructor_type :schema
+    include AwsAssumeRole::Logging
+    attribute :access_key_id, Dry::Types["strict.string"].optional
+    attribute :credentials, Dry::Types["object"].optional
+    attribute :secret_access_key, Dry::Types["strict.string"].optional
+    attribute :session_token, Dry::Types["strict.string"].optional
+    attribute :duration_seconds, Dry::Types["coercible.int"].optional
+    attribute :external_id, Dry::Types["strict.string"].optional
+    attribute :path, Dry::Types["strict.string"].optional
+    attribute :persist_session, Dry::Types["strict.bool"].optional.default(true)
+    attribute :profile, Dry::Types["strict.string"].optional
+    attribute :region, Dry::Types["strict.string"].optional
+    attribute :role_arn, Dry::Types["strict.string"].optional
+    attribute :role_session_name, Dry::Types["strict.string"].optional
+    attribute :serial_number, Dry::Types["strict.string"].optional
+    attribute :mfa_serial, Dry::Types["strict.string"].optional
+    attribute :yubikey_oath_name, Dry::Types["strict.string"].optional
+    attribute :use_mfa, Dry::Types["strict.bool"].optional.default(false)
+    attribute :no_profile, Dry::Types["strict.bool"].optional.default(false)
+    attribute :shell_type, Dry::Types["strict.string"].optional
+    attribute :source_profile, Dry::Types["strict.string"].optional
+    attribute :args, Dry::Types["strict.array"].optional.default([])
+    attribute :instance_profile_credentials_retries, Dry::Types["strict.int"].default(0)
+    attribute :instance_profile_credentials_timeout, Dry::Types["coercible.float"].default(1.0)
+
+    attr_writer :credentials
+
+    def self.merge_mfa_variable(options)
+        new_hash = options.key?(:mfa_serial) ? options.merge(serial_number: options[:mfa_serial]) : options
+        new_hash[:use_mfa] ||= new_hash.fetch(:serial_number, nil) ? true : false
+        if new_hash.key?(:serial_number) && new_hash[:serial_number] == "automatic"
+            new_hash.delete(:serial_number)
+        end
+        new_hash
+    end
+
+    def self.new_from_cli(global_options, options, args)
+        options = global_options.merge options
+        options = options.map do |k, v|
+            [k.to_s.underscore.to_sym, v]
+        end.to_h
+        options[:args] = args
+        new merge_mfa_variable(options)
+    end
+
+    def self.new_from_credential_provider_initialization(options)
+        logger.debug "new_from_credential_provider_initialization with #{options.to_h}"
+        new_from_credential_provider(options, credentials: nil, delete: [])
+    end
+
+    def self.new_from_credential_provider(options = {}, credentials: nil, delete: [])
+        option_hash = options.to_h
+        config = option_hash.fetch(:config, {}).to_h
+        hash_to_merge = option_hash.merge config
+        hash_to_merge.merge(credentials: credentials) if credentials
+        delete.each do |k|
+            hash_to_merge.delete k
+        end
+        hash = merge_mfa_variable(hash_to_merge)
+        logger.debug "new_from_credential_provider with #{hash}"
+        new hash
+    end
+
+    def to_h
+        to_hash
+    end
+end

data/lib/aws_assume_role/runner.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "logging"
+
+class AwsAssumeRole::Runner < Dry::Struct
+    include AwsAssumeRole::Logging
+    constructor_type :schema
+    attribute :command, Dry::Types["coercible.array"].of(Dry::Types["strict.string"]).default([])
+    attribute :exit_on_error, Dry::Types["strict.bool"].default(true)
+    attribute :expected_exit_code, Dry::Types["strict.int"].default(0)
+    attribute :environment, Dry::Types["strict.hash"].default({})
+    attribute :credentials, Dry::Types["object"].optional
+
+    def initialize(options)
+        super(options)
+        command_to_exec = command.map(&:shellescape).join(" ")
+        process_credentials unless credentials.blank?
+        system environment, command_to_exec
+        exit_status = $CHILD_STATUS.exitstatus
+        process_error(exit_status) if exit_status != expected_exit_code
+    end
+
+    private
+
+    def process_credentials
+        cred_env = {
+            "AWS_ACCESS_KEY_ID" => credentials.credentials.access_key_id,
+            "AWS_SECRET_ACCESS_KEY" => credentials.credentials.secret_access_key,
+            "AWS_SESSION_TOKEN" => credentials.credentials.session_token,
+        }
+        @environment = environment.merge cred_env
+    end
+
+    def process_error(exit_status)
+        logger.error "#{command} failed with #{exit_status}"
+        exit exit_status if exit_on_error
+        raise "#{command} failed with #{exit_status}"
+    end
+end

data/lib/aws_assume_role/store/includes.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "../includes"
+
+module AwsAssumeRole
+    module Store
+    end
+end

data/lib/aws_assume_role/store/keyring.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "includes"
+require_relative "serialization"
+require_relative "../configuration"
+require_relative "../logging"
+
+module AwsAssumeRole::Store::Keyring
+    include AwsAssumeRole
+    include AwsAssumeRole::Store
+    include AwsAssumeRole::Logging
+
+    module_function
+
+    KEYRING_KEY = "AwsAssumeRole".freeze
+
+    def semaphore
+        @semaphore ||= Mutex.new
+    end
+
+    def keyrings
+        @keyrings ||= {}
+    end
+
+    def try_backend_plugin
+        return if AwsAssumeRole::Config.backend_plugin.blank?
+        logger.info "Attempting to load #{AwsAssumeRole::Config.backend_plugin} plugin"
+        require AwsAssumeRole::Config.backend_plugin
+    end
+
+    def keyring(backend = AwsAssumeRole::Config.backend)
+        keyrings[backend] ||= begin
+            try_backend_plugin
+            klass = backend ? "Keyring::Backend::#{backend}".constantize : nil
+            logger.debug "Initializing #{klass} backend"
+            ::Keyring.new(klass)
+        end
+    end
+
+    def fetch(id, backend: nil)
+        logger.debug "Fetching #{id} from keyring"
+        fetched = keyring(backend).get_password(KEYRING_KEY, id)
+        raise Aws::Errors::NoSuchProfileError if fetched == "null" || fetched.nil? || !fetched
+        JSON.parse(fetched, symbolize_names: true)
+    end
+
+    def delete_credentials(id, backend: nil)
+        semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
+        end
+    end
+
+    def save_credentials(id, credentials, expiration: nil, backend: nil)
+        credentials_to_persist = Serialization.credentials_to_hash(credentials)
+        credentials_to_persist[:expiration] = expiration if expiration
+        semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
+            keyring(backend).set_password(KEYRING_KEY, id, credentials_to_persist.to_json)
+        end
+    end
+end

data/lib/aws_assume_role/store/serialization.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module AwsAssumeRole::Store::Serialization
+    module_function
+
+    def credentials_from_hash(credentials)
+        creds_for_deserialization = credentials.respond_to?("[]") ? credentials : credentials_to_hash(credentials)
+        Aws::Credentials.new(creds_for_deserialization[:access_key_id],
+                             creds_for_deserialization[:secret_access_key],
+                             creds_for_deserialization[:session_token])
+    end
+
+    def credentials_to_hash(credentials)
+        {
+            access_key_id: credentials.access_key_id,
+            secret_access_key: credentials.secret_access_key,
+            session_token: credentials.session_token,
+        }
+    end
+end