aws_assume_role 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 740d4539f3f7bf68b7acedc131890496b67eaef4
-  data.tar.gz: a5f739bbb05c1cd1edfc59e156ee2a348c88c9ff
+  metadata.gz: a54b02fa08cf71de92e8cae70bc4b8d0b7f3c6cc
+  data.tar.gz: d97b2748840f3a481eb388b5d52be5ab3631e34d
 SHA512:
-  metadata.gz: 0898326d54de021a939f2375466c7376a3e42cca8b7c597d4b03a9b11b4a407b078b4560ec3790418c462a84bbde0836a2f9ea30acf5e1b3cebfab25e2567a55
-  data.tar.gz: f161cc86abf84c2e893cc9426bea9861b02b30bd31fccbf2ed8f7ac526252d51f236e530b5a178fffde1db94ef910a7cf87fc22c9645f8685f0eaa49eeb58c24
+  metadata.gz: 4d1135bfcc67444456e07d1a0fdef7c72dac266997af27fd1f1d321b8f82955907ebf4ded1ad19944945519eb5929c201a7cbe162007a9d8d83e4ed51d15b55c
+  data.tar.gz: 5bab6c3e11e56fd1ea80e748fef7c397bd9d6ae9914a09105af9def7e022a2a5a14d13f99c01def3b204e1098dfc6daea29c1d3b43681fb495f81d431634809e

data/CHANGELOG.md

@@ -0,0 +1,29 @@
+## 0.2.0
+
+* Add support for Yubikey as a source for MFA (@davbo)
+* Remove expired crednetials before writing new STS credentials (@davbo)
+
+## 0.1.2
+
+* Become compatible with Ruby 2.1 (@randomvariable)
+* Added test suite from AWS SDK for Ruby (@randomvariable)
+
+## 0.1.1
+
+* Fix logging on Ruby 2.2 (@randomvariable)
+
+## 0.1.0
+
+* Complete rewrite with SDK compatible API layer (@randomvariable)
+
+## 0.0.3
+
+* Store master credentials in OS credential store. (@mrprimate)
+
+## 0.0.2
+
+* Add CLI (@mrprimate)
+
+## 0.0.1
+
+* Initial release (@jtopper)

data/README.md

@@ -82,6 +82,29 @@ set up a role that you will assume in every day use:
 More options are available in the application help.
 Use `> aws-assume-role --help ` for help at any time.
 
+Using MFA TOTP with a Yubikey
+-----------------------------
+
+[Yubikeys support TOTP](https://developers.yubico.com/OATH/) this offers some
+benefits over using a phone. One benefit is the TOTP token can be retrieved by
+an API call rather than a user reading the token from the device.
+
+This allows developers to call AWS through aws-assume-role, providing an MFA
+token without prompting for user input. To use this specify
+`--yubikey-oath-name` when calling configure role.
+
+``` sh
+> aws-assume-role configure role -p company-dev --source-profile company-sso  \
+--role-arn=arn:aws:iam::000000000001:role/ViewEC2 --role-session-name=growthsmith \
+--mfa-serial automatic --yubikey-oath-name "Amazon Web Services:myuser@company-sso"
+```
+
+_Yubikey Support_: `aws-assume-role` uses the [smartcard gem](https://rubygems.org/gems/smartcard)
+to connect to the Yubikey, this itself depends upon some C libraries being installed. They provide
+[platform specific instructions](https://github.com/costan/smartcard/blob/master/BUILD#L19)
+for installing these libraries PC/SC.
+
+
 Running applications
 --------------------
 

data/aws_assume_role.gemspec

@@ -35,6 +35,8 @@ Gem::Specification.new do |spec|
     spec.add_runtime_dependency "launchy", "~> 2.4"
     spec.add_runtime_dependency "keyring", "~> 0.4", ">= 0.4.1"
     spec.add_runtime_dependency "pastel", "~> 0.7"
+    spec.add_runtime_dependency "smartcard", "~> 0.5.6"
+    spec.add_runtime_dependency "yubioath", "~> 1.2", ">= 1.2.1"
     spec.add_development_dependency "rspec", "~> 3.5"
     spec.add_development_dependency "rubocop", "~> 0.46"
     spec.add_development_dependency "yard", "~> 0.9"

data/i18n/en.yml

@@ -77,6 +77,7 @@ en:
         mfa_token:
             first_time: "Please provide an MFA token"
             other_times: "Credentials have expired, please provide another MFA"
+            smartcard_not_supported: "Smartcard drivers not installed, see https://github.com/scalefactory/aws-assume-role/blob/master/README.md for details" 
         default_role: "A default role to assume (leave blank to not use)"
         external_id: String provided by the external account holder to uniquely identify you.
         source_profile: Which profile to use to assume this role.
@@ -86,9 +87,11 @@ en:
         duration_seconds: Default session length
         shell_type: What type of shell to use.
         name_to_delete: Please type the name of the profile, i.e. %s , to continue deletion.
+        yubikey_oath_name: Identifier of the OATH / TOTP secret stored on the yubikey.
     program_description: "A tool for AWS credential management"
     errors:
         NoSuchProfileError: Profile %s not found in shared configuration.
+        SmartcardException:  No YubiKey found!
         MissingCredentialsError: No credentials found!
         rules:
             profile:

data/lib/aws_assume_role/cli/actions/abstract_action.rb

@@ -24,8 +24,11 @@ class AwsAssumeRole::Cli::Actions::AbstractAction
         creds = @provider.resolve(nil_with_role_not_set: true)
         logger.debug "Got credentials #{creds}"
         return creds unless creds.nil?
+    rescue Smartcard::PCSC::Exception
+        error t("errors.SmartcardException")
+        exit 403
     rescue NoMethodError
-        error "Cannot find any credentials"
+        error t("errors.MissingCredentialsError")
         exit 404
     end
 

data/lib/aws_assume_role/cli/actions/configure_profile.rb

@@ -7,6 +7,7 @@ class AwsAssumeRole::Cli::Actions::ConfigureProfile < AwsAssumeRole::Cli::Action
         optional(:region) { filled? > format?(REGION_REGEX) }
         optional(:mfa_serial)
         optional(:profile_name)
+        optional(:yubikey_oath_name)
     end
 
     def act_on(config)

data/lib/aws_assume_role/cli/actions/configure_role_assumption.rb

@@ -10,6 +10,7 @@ class AwsAssumeRole::Cli::Actions::ConfigureRoleAssumption < AwsAssumeRole::Cli:
         required(:role_arn) { filled? & format?(ROLE_REGEX) }
         required(:external_id).filled?
         required(:duration_seconds).filled?
+        optional(:yubikey_oath_name)
     end
 
     def act_on(config)

data/lib/aws_assume_role/cli/commands/configure.rb

@@ -20,6 +20,7 @@ module AwsAssumeRole::Cli
             r.flag ["region"], desc: t("options.region")
             r.flag ["external-id"], desc: t("options.external_id")
             r.flag ["duration-seconds"], desc: t("options.duration_seconds"), default_value: 3600
+            r.flag ["yubikey-oath-name"], desc: t("options.yubikey_oath_name")
 
             r.action do |global_options, options, args|
                 AwsAssumeRole::Cli::Actions::ConfigureRoleAssumption.new(global_options, options, args)

data/lib/aws_assume_role/credentials/providers/mfa_session_credentials.rb

@@ -1,6 +1,13 @@
 require_relative "includes"
 require_relative "../../types"
 require_relative "../../configuration"
+begin
+    require "smartcard"
+    require "yubioath"
+    SMARTCARD_SUPPORT = true
+rescue LoadError
+    SMARTCARD_SUPPORT = false
+end
 
 class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials < Dry::Struct
     constructor_type :schema
@@ -17,6 +24,7 @@ class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials < Dry::Struct
     attribute :duration_seconds, Dry::Types["coercible.int"].default(3600)
     attribute :region, AwsAssumeRole::Types::Region.optional
     attribute :serial_number, AwsAssumeRole::Types::MfaSerial.optional.default("automatic")
+    attribute :yubikey_oath_name, Dry::Types["strict.string"].optional
 
     def initialize(options)
         options.each { |key, value| instance_variable_set("@#{key}", value) }
@@ -36,8 +44,8 @@ class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials < Dry::Struct
         @sts_client ||= Aws::STS::Client.new(region: @region, credentials: @permanent_credentials)
     end
 
-    def prompt_for_token(first_time)
-        text = first_time ? t("options.mfa_token.first_time") : t("options.mfa_token.other_times")
+    def prompt_for_token
+        text = @first_time ? t("options.mfa_token.first_time") : t("options.mfa_token.other_times")
         Ui.input.ask text
     end
 
@@ -51,8 +59,18 @@ class AwsAssumeRole::Credentials::Providers::MfaSessionCredentials < Dry::Struct
         broadcast(:mfa_completed)
     end
 
+    def retrieve_yubikey_token
+        raise t("options.mfa_token.smartcard_not_supported") unless SMARTCARD_SUPPORT
+        context = Smartcard::PCSC::Context.new
+        raise "Yubikey not found" unless context.readers.length == 1
+        reader_name = context.readers.first
+        card = Smartcard::PCSC::Card.new(context, reader_name, :shared)
+        codes = YubiOATH.new(card).calculate_all(timestamp: Time.now)
+        codes.fetch(BinData::String.new(@yubikey_oath_name))
+    end
+
     def refresh_using_mfa
-        token_code = prompt_for_token(@first_time)
+        token_code = @yubikey_oath_name ? retrieve_yubikey_token : prompt_for_token
         token = sts_client.get_session_token(
             duration_seconds: @duration_seconds,
             serial_number: @serial_number,

data/lib/aws_assume_role/profile_configuration.rb

@@ -18,6 +18,7 @@ class AwsAssumeRole::ProfileConfiguration < Dry::Struct
     attribute :role_session_name, Dry::Types["strict.string"].optional
     attribute :serial_number, Dry::Types["strict.string"].optional
     attribute :mfa_serial, Dry::Types["strict.string"].optional
+    attribute :yubikey_oath_name, Dry::Types["strict.string"].optional
     attribute :use_mfa, Dry::Types["strict.bool"].optional.default(false)
     attribute :no_profile, Dry::Types["strict.bool"].optional.default(false)
     attribute :shell_type, Dry::Types["strict.string"].optional

data/lib/aws_assume_role/store/keyring.rb

@@ -52,6 +52,7 @@ module AwsAssumeRole::Store::Keyring
         credentials_to_persist = Serialization.credentials_to_hash(credentials)
         credentials_to_persist[:expiration] = expiration if expiration
         semaphore.synchronize do
+            keyring(backend).delete_password(KEYRING_KEY, id)
             keyring(backend).set_password(KEYRING_KEY, id, credentials_to_persist.to_json)
         end
     end

data/lib/aws_assume_role/store/shared_config_with_keyring.rb

@@ -69,7 +69,8 @@ class AwsAssumeRole::Store::SharedConfigWithKeyring < AwsAssumeRole::Vendored::A
         semaphore.synchronize do
             Keyring.save_credentials profile_name, credentials if credentials.set?
             merged_config = merged_config.slice :region, :role_arn, :mfa_serial, :source_profile,
-                                                :role_session_name, :external_id, :duration_seconds
+                                                :role_session_name, :external_id, :duration_seconds,
+                                                :yubikey_oath_name
             configuration.delete_section ckey
             configuration[ckey] = merged_config.compact
             save_configuration
@@ -155,9 +156,15 @@ class AwsAssumeRole::Store::SharedConfigWithKeyring < AwsAssumeRole::Vendored::A
                 opts[:role_arn] ||= prof_cfg["role_arn"]
                 opts[:external_id] ||= prof_cfg["external_id"]
                 opts[:serial_number] ||= prof_cfg["mfa_serial"]
+                opts[:yubikey_oath_name] ||= prof_cfg["yubikey_oath_name"]
                 opts[:region] ||= profile_region(profile)
                 if opts[:serial_number]
-                    mfa_opts = { credentials: opts[:credentials], region: opts[:region], serial_number: opts[:serial_number] }
+                    mfa_opts = {
+                        credentials: opts[:credentials],
+                        region: opts[:region],
+                        serial_number: opts[:serial_number],
+                        yubikey_oath_name: opts[:yubikey_oath_name],
+                    }
                     mfa_creds = mfa_session(cfg, opts[:source_profile], mfa_opts)
                     opts.delete :serial_number
                 end

data/lib/aws_assume_role/version.rb

@@ -1,3 +1,3 @@
 module AwsAssumeRole
-    VERSION = "0.1.2".freeze
+    VERSION = "0.2.0".freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_assume_role
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Jon Topper
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-20 00:00:00.000000000 Z
+date: 2017-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -200,6 +200,40 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: smartcard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.6
+- !ruby/object:Gem::Dependency
+  name: yubioath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.1
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -306,6 +340,7 @@ files:
 - ".ruby-version"
 - ".simplecov"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.md
 - README.md