aws_cli_config_parser 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: cd3589f780327c218d9bc8bf20273c00ad3730999d1484083282eacb9eb3b94b
+  data.tar.gz: 49bab64edb2769d217642b212a5267e6b7c8b3a89502ebbcf1f4f7a9f2174dfb
+SHA512:
+  metadata.gz: bb59817770089eb5c3ec25c6e31935af3f9ba6ca6b9b06b9075ad0eda4c9b9cb31a6713c7fc48bd57990b927b347c8c2fbb98746b4c41494fd3ad7a729c6ed6a
+  data.tar.gz: b1f0c10fa51f5697a589ee9428248e10b4a609e3aaffb41be9e268b2f1b07cb9bf3e25fd3efc6bdb0268a78a3e94f1610734261098eeb1914040d164fbece32f

data/.gitignore

@@ -0,0 +1 @@
+pkg/

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2021-05-08
+
+- First release: parses all files in the AWS CLI configuration folder and merges information.

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in aws_cli_config_parser.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "minitest", "~> 5.0"

data/Gemfile.lock

@@ -0,0 +1,21 @@
+PATH
+  remote: .
+  specs:
+    aws_cli_config_parser (0.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    minitest (5.14.4)
+    rake (13.0.3)
+
+PLATFORMS
+  x86_64-linux-musl
+
+DEPENDENCIES
+  aws_cli_config_parser!
+  minitest (~> 5.0)
+  rake (~> 13.0)
+
+BUNDLED WITH
+   2.2.16

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 TODO: Write your name
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,134 @@
+# AWS CLI Configuration Parser
+
+This Ruby gem provides a tool to parse profile settings and secrets from AWS CLI configuration files, including the cached credentials from STS AssumeRole calls. This is often useful when using the AWS CLI with roles that require an MFA code. After authenticating successfully with an MFA code temporary session credentials are cached in your `~/.aws` folder. You'll often need to pass these temporary credentials to other tools such as Docker containers. This gem parses the files in your `~/.aws` folder and merges all information allowing you to retrieve any credential or setting.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'aws_cli_config_parser'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install aws_cli_config_parser
+
+
+## Usage
+
+With a file tree like this:
+
+```
+~/.aws/
+├── cli
+│   └── cache
+│       ├── 1a2b3c4d5etc.json
+├── config
+└── credentials
+```
+
+**~/.aws/config**
+```
+[default]
+region = eu-west-1
+
+[profile admin]
+role_arn = arn:aws:iam::222200002222:role/SomeRole
+source_profile = default
+role_session_name = session_name
+region = eu-central-1
+```
+
+**~/.aws/credentials**
+```
+[default]
+aws_access_key_id = AKID1111000011110000
+aws_secret_access_key = SECRET1111000011110000111100001111000011
+```
+
+**~/.aws/cli/cache/1a2b3c4d5etc.json**
+```
+{
+  "Credentials": {
+    "AccessKeyId": "AKID2222000022220000",
+    "SecretAccessKey": "SECRET2222000022220000222200002222000022",
+    "SessionToken": "SESSIONTOKEN222200002222000022220000222200002222000022220000etc",
+    "Expiration": "<some timestamp in the future>"
+  },
+  "AssumedRoleUser": {
+    "AssumedRoleId": "ARLID2222000022220000:session_name",
+    "Arn": "arn:aws:sts::222200002222:assumed-role/SomeRole/session_name"
+  },
+  ...
+}
+```
+
+You can obtain any individual configuration value like this:
+
+```ruby
+profiles = AwsCliConfigParser.parse
+# => #<AwsCliConfigParser::Profiles:0x000055b0526261e8>
+
+default = profiles.get('default')
+# => #<AwsCliConfigParser::Profile:0x000055b052654ea8>
+
+default.get('region')
+# => "eu-west-1"
+default.get('aws_access_key_id')
+# => "AKID1111000011110000"
+default.get('aws_secret_access_key')
+# => "SECRET1111000011110000111100001111000011"
+
+admin = profiles.get('admin')
+# => #<AwsCliConfigParser::Profile:0x000055b052644b98>
+
+admin.get('region')
+# => "eu-central-1"
+admin.get('role_arn')
+# => "arn:aws:iam::222200002222:role/SomeRole"
+admin.get('aws_access_key_id')
+# => "AKID2222000022220000"
+admin.get('aws_secret_access_key')
+# => "SECRET2222000022220000222200002222000022"
+admin.get('aws_session_token')
+# => "SESSIONTOKEN222200002222000022220000222200002222000022220000etc"
+```
+
+Or if you prefer using hashes:
+
+```ruby
+AwsCliConfigParser.parse.to_h == {
+  'default' => {
+    'region'                => 'eu-west-1',
+    'aws_access_key_id'     => 'AKID1111000011110000',
+    'aws_secret_access_key' => 'SECRET1111000011110000111100001111000011'
+  },
+  'admin' => {
+    'region'                => 'eu-central-1',
+    'role_arn'              => 'arn:aws:iam::222200002222:role/SomeRole',
+    'source_profile'        => 'default',
+    'role_session_name'     => 'session_name',
+    'aws_access_key_id'     => 'AKID2222000022220000',
+    'aws_secret_access_key' => 'SECRET2222000022220000222200002222000022',
+    'aws_session_token'     => 'SESSIONTOKEN222200002222000022220000222200002222000022220000etc',
+  }
+}
+# => true
+```
+
+If you have your AWS CLI configuration directory somewhere other than the default you can tell the parser where to look for it:
+
+```ruby
+AwsCliConfigParser.parse(aws_directory: '/somewhere/else/.my-aws-folder')
+# => ...
+```
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task default: :test

data/aws_cli_config_parser.gemspec

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require_relative 'lib/aws_cli_config_parser/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aws_cli_config_parser'
+  spec.version       = AwsCliConfigParser::VERSION
+  spec.authors       = ['brunze']
+
+  spec.summary       = 'Parses profile settings from AWS CLI configuration files.'
+  spec.description   = <<~DESCRIPTION.strip
+    Parses profile settings and secrets from AWS CLI configuration files,
+    including the cached credentials from AssumeRole such as when using MFA.
+  DESCRIPTION
+  spec.homepage      = 'https://github.com/brunze/aws_cli_config_parser'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = 'https://github.com/brunze/aws_cli_config_parser/CHANGELOG.md'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency 'example-gem', '~> 1.0'
+
+  # For more information and examples about making a new gem, checkout our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "aws_cli_config_parser"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/lib/aws_cli_config_parser.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module AwsCliConfigParser; end
+
+require 'aws_cli_config_parser/version'
+require 'aws_cli_config_parser/profiles'
+require 'aws_cli_config_parser/cached_credential'
+require 'pathname'
+
+module AwsCliConfigParser
+  using Refined::Arrays
+
+  def self.parse(
+    aws_directory: '~/.aws',
+    config_file_name: 'config',
+    credentials_file_name: 'credentials',
+    cli_cache_directory: './cli/cache',
+    cached_credential_file_name_pattern: /\A\h{40}\.json\z/,
+    now: lambda{ Time.now.utc }
+  )
+    aws_directory = Pathname(aws_directory).expand_path.realpath
+
+    config_files = [
+      aws_directory.join(config_file_name),
+      aws_directory.join(credentials_file_name),
+    ]
+    .select{ |path| path.file? && path.readable_real? }
+
+    cli_cache_directory = aws_directory.join(cli_cache_directory)
+
+    cached_credential_files = if cli_cache_directory.directory? && cli_cache_directory.readable_real?
+      cli_cache_directory
+        .each_child
+        .select{ |path| path.basename.to_s.match(cached_credential_file_name_pattern) }
+        .select{ |path| path.file? && path.readable_real? }
+    else
+      []
+    end
+
+    parse_files(
+      configs: config_files,
+      cached_credentials: cached_credential_files,
+      now: now,
+    )
+  end
+
+  def self.parse_files configs: [], cached_credentials: [], now: lambda{ Time.now.utc }
+    configs
+      .map(&Profiles.method(:from_io))
+      .reduce(:merge!)
+      &.merge_credentials!(
+        cached_credentials
+          .map(&CachedCredential.method(:from_io))
+          .reject{ |credential| credential.expired?(now: now) }
+      ) || []
+  end
+
+end

data/lib/aws_cli_config_parser/cached_credential.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'date'
+
+class AwsCliConfigParser::CachedCredential
+
+  def initialize assumed_role, expiration_date, configuration
+    @assumed_role = assumed_role or raise TypeError
+    @expiration_date = expiration_date.to_time
+    @configuration = configuration.to_hash
+  end
+
+  attr_reader :assumed_role, :expiration_date, :configuration
+
+  def self.from_io io, parse_json: JSON.method(:parse), parse_date: DateTime.method(:parse)
+    json = parse_json[io.read]
+
+    assumed_role = json.dig('AssumedRoleUser', 'Arn') or return nil
+    assumed_role = assumed_role.match(%r|arn:aws:sts:\w*:(\d{12}):assumed-role/(.+?)/?\w*/?$|)&.captures or return nil
+
+    expiration_date = json.dig('Credentials', 'Expiration') or return nil
+    expiration_date = parse_date[expiration_date]
+
+    new(
+      assumed_role,
+      expiration_date,
+      'aws_access_key_id'     => json.dig('Credentials', 'AccessKeyId'),
+      'aws_secret_access_key' => json.dig('Credentials', 'SecretAccessKey'),
+      'aws_session_token'     => json.dig('Credentials', 'SessionToken'),
+    )
+  end
+
+  def expired? now: lambda{ Time.now.utc }
+    @expiration_date <= now.call
+  end
+
+end

data/lib/aws_cli_config_parser/profile.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+class AwsCliConfigParser::Profile
+
+  def initialize name, configuration
+    @name = name.to_str ; raise ArgumentError if @name.empty?
+    @configuration = configuration
+  end
+
+  attr_reader :name, :configuration
+
+  def role
+    @configuration['role_arn'].to_s.match(%r|arn:aws:iam:\w*:(\d{12}):role/(.+?)/?$|)&.captures
+  end
+
+  def merge! other
+    raise TypeError unless other.is_a?(self.class)
+
+    @configuration.merge!(other.configuration)
+
+    self
+  end
+
+  def merge_credential! credential
+    @configuration.merge!(credential.configuration)
+  end
+
+  def get key
+    @configuration[key]
+  end
+
+  def to_h
+    @configuration.to_h
+  end
+
+end

data/lib/aws_cli_config_parser/profiles.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'aws_cli_config_parser/profile'
+require 'aws_cli_config_parser/refined/arrays'
+
+class AwsCliConfigParser::Profiles
+  using ::AwsCliConfigParser::Refined::Arrays
+
+  def initialize profiles
+    @profiles = profiles.each.to_a or raise TypeError
+  end
+
+  def self.from_io io
+    new(
+      io.each_line.with_object([]) do |line, profiles|
+        case line
+        when /^ *\[(?:profile +)?(.+)\] *\n$/ then $1.strip! ;           ; profiles.push({ name: $1 })
+        when /^ *(\w+) *= *(.+) *\n?$/        then $1.strip! ; $2.strip! ; profiles.last.store($1, $2)
+        else next
+        end
+      end
+      .map do |pairs|
+        ::AwsCliConfigParser::Profile.new(pairs.delete(:name), pairs)
+      end
+    )
+  end
+
+  def merge! other
+    raise TypeError unless other.is_a?(self.class)
+
+    @profiles = [
+      *@profiles,
+      *other.instance_variable_get(:@profiles),
+    ]
+    .group_by(&:name)
+    .map do |(_name, profiles)|
+      profiles.reduce(:merge!)
+    end
+
+    self
+  end
+
+  def merge_credentials! credentials
+    credentials = credentials.to_a.index_by(&:assumed_role)
+
+    @profiles.each do |profile|
+      profile.merge_credential!(credentials[profile.role]) if credentials.has_key?(profile.role)
+    end
+
+    self
+  end
+
+  def get name
+    @profiles.find{ |profile| profile.name == name }
+  end
+
+  def to_h
+    @profiles.map{ |profile| [profile.name, profile.to_h] }.to_h
+  end
+
+end

data/lib/aws_cli_config_parser/refined/arrays.rb

@@ -0,0 +1,13 @@
+module AwsCliConfigParser
+  module Refined
+    module Arrays
+      refine Array do
+
+        def index_by
+          each_with_object({}){ |value, index| index[yield(value)] = value }
+        end
+
+      end
+    end
+  end
+end

data/lib/aws_cli_config_parser/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module AwsCliConfigParser
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,62 @@
+--- !ruby/object:Gem::Specification
+name: aws_cli_config_parser
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- brunze
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-05-08 00:00:00.000000000 Z
+dependencies: []
+description: |-
+  Parses profile settings and secrets from AWS CLI configuration files,
+  including the cached credentials from AssumeRole such as when using MFA.
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws_cli_config_parser.gemspec
+- bin/console
+- lib/aws_cli_config_parser.rb
+- lib/aws_cli_config_parser/cached_credential.rb
+- lib/aws_cli_config_parser/profile.rb
+- lib/aws_cli_config_parser/profiles.rb
+- lib/aws_cli_config_parser/refined/arrays.rb
+- lib/aws_cli_config_parser/version.rb
+homepage: https://github.com/brunze/aws_cli_config_parser
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/brunze/aws_cli_config_parser
+  source_code_uri: https://github.com/brunze/aws_cli_config_parser
+  changelog_uri: https://github.com/brunze/aws_cli_config_parser/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.17
+signing_key: 
+specification_version: 4
+summary: Parses profile settings from AWS CLI configuration files.
+test_files: []