aws_runas 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 29d8ce9a9034488a4faa15f5243852d67fb45850
-  data.tar.gz: 177b2295df14d918a2a0105527f6fb0c4057b22a
+SHA256:
+  metadata.gz: d280ef6460171b56e718f87a5f60300f5a17c9d06a7f9ee638ebf82e08ec4a9b
+  data.tar.gz: 3059ae7baea24658c569ff71dec7623c53447dd357101ec63544d6cecceb8bcc
 SHA512:
-  metadata.gz: 051dc45bdd27dc5a6c93d41f0f3e25cfde3767e8d7b0d0774ef8db619d30136644edfd716d974f1ecdb0850be1c8fc2e1b78a214f4bde92918e28d5c9562dcca
-  data.tar.gz: 7508a80014cc4d18de0f7228b7871a519038d8b9a7c83728904abc3d534de9cbc1fc0f1c4355097369766c2a6074778810c2e308b34349902f9a594cb8359d1c
+  metadata.gz: 26104c0fea4f55532118f3be8443750ddafdf018e4e78457a49ceb3b8c6bead60d0ba79425ee065b0407f501bd0d8f3498496ea38b6a1ab46f7437208dc9b17b
+  data.tar.gz: 757866792aa06ce28b68db85ee423111eba5bdf5435615e327a43442ef37ffc06a3e198a2b8e2f5ac9833deb00b2b634d5d27c87a9880c3695ddada9c3c75899

data/CHANGELOG.md

@@ -1,3 +1,25 @@
+## v0.7.0
+
+* Version now can be printed by supplying --version.
+* The gem now uses [Optimist][ref-optimist], and as such should no longer give
+  deprecation warnings for its previous name.
+  [#21](https://github.com/vancluever/aws-runas/issues/21)
+* Corrected an issue with session ID generation when the calculated new
+  long-from session ID exceeded 64 characters. In this situation, the session
+  name will fall back to the classic generic timestamped ID.
+  [#17](https://github.com/vancluever/aws-runas/issues/17)
+* When calling from an assumed role, the session ID now takes on the name of the
+  access key ID instead of the account ID and user name. This should help
+  prevent length or session name nesting issues, while still making the session
+  name useful. [#17](https://github.com/vancluever/aws-runas/issues/17)
+* The access key ID-based session ID will also be used if the account and
+  user-based session ID would exceed 64 characters under normal circumstances,
+  ensuring that the classic ID is strictly a fallback in major edge cases where
+  either is unusable or if the user has no access to GetCallerIdentity.
+  [#17](https://github.com/vancluever/aws-runas/issues/17)
+
+[ref-optimist]: https://github.com/ManageIQ/optimist
+
 ## v0.6.0
 
 ### Session Duration Support

data/LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2015-2017 Chris Marchesi
+   Copyright 2015-2018 Chris Marchesi
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

data/README.md

@@ -30,14 +30,24 @@ thing, but there are some differentiators in this gem:
    with `--no-role`. Subsequent uses of `aws-runas` after this will not prompt
    you for MFA (useful for tooling that needs to assume multiple roles off the
    same session token).
+ * The session duration can be controlled with the `--duration` parameter. This
+   allows you to change the session expiration if you require a period longer or
+   shorter than an hour. The actual ranges you can choose with this setting
+   depend on the account you are using and any configured maximums set on your
+   role. More details can be found in the API documentation for
+   [GetSesionToken][get-session-token] and [AssumeRole][assume-role].
+
+[get-session-token]: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+[assume-role]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 
 How it Works
 -------------
 
 Roles are assumed, or session tokens are simply acquired (if `--no-role` is
-specified) via the `AssumeRole` or the `GetSessionToken` AWS STS API calls.
-After this, your command or shell is launched with the standard AWS credential
-chain environment variables set:
+specified) via the [`AssumeRole`][assume-role] or the
+[`GetSessionToken`][get-session-token] AWS STS API calls.  After this, your
+command or shell is launched with the standard AWS credential chain environment
+variables set:
 
  * `AWS_ACCESS_KEY_ID`
  * `AWS_SECRET_ACCESS_KEY`
@@ -45,17 +55,24 @@ chain environment variables set:
 
 ### Additional Variables
 
-In addition to the above, two toolchain-local environment variables are set to
-help you determine what credentials are in use locally:
+In addition to the above, the following environment variables are set to help
+you gather additional information about the role and environment you are running
+under:
 
  * `AWS_RUNAS_ASSUMED_ROLE_ARN` - set when a role is assumed (not set if
    `--no-role` is used)
- * `AWS_RUNAS_PROFILE` - set with the profile used when `aws-runas` was run
+ * `AWS_ROLE_SESSION_NAME` - contains the assumed role's session name (not set
+   if `--no-role` is used). The format is
+   `aws-runas-session_ACCTID_USERNAME_TIMESTAMP` when the user has access to
+   [`GetCallerIdentity`][get-caller-identity], and `aws-runas-session_TIMESTAMP`
+   format when they do not.
+ * `AWS_RUNAS_PROFILE` - set with the profile used when `aws-runas` was run.
  * `AWS_REGION` and `AWS_DEFAULT_REGION` - set with the region name defined in
-   the profile being used
- * `AWS_SESSION_EXPIRATION` - set with the expiry timestamp in UTC
- * `AWS_SESSION_EXPIRATION_UNIX` - set with the expiry timestamp in Unix time,
-   useful for scripting
+   the profile being used.
+ * `AWS_SESSION_EXPIRATION` - set with the expiry timestamp in UTC.
+ * `AWS_SESSION_EXPIRATION_UNIX` - set with the expiry timestamp in Unix time.
+
+[get-caller-identity]: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
 
 ### Fancy Bash/Zsh Prompt
 
@@ -143,7 +160,7 @@ License
 --------
 
 ```
-Copyright 2015-2017 Chris Marchesi
+Copyright 2015-2018 Chris Marchesi
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/aws_runas.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk', '~> 2.11'
   spec.add_dependency 'inifile', '~> 3.0'
-  spec.add_dependency 'trollop', '~> 2.1'
+  spec.add_dependency 'optimist', '~> 3.0'
 
   spec.add_development_dependency 'rake', '~> 10.4'
   spec.add_development_dependency 'rspec', '~> 3.4'

data/lib/aws_runas/cli.rb

@@ -12,9 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'trollop'
+require 'optimist'
 require 'aws_runas/config'
 require 'aws_runas/main'
+require 'aws_runas/version'
 require 'io/console'
 
 module AwsRunAs
@@ -23,7 +24,8 @@ module AwsRunAs
 
     # loads the command-line options.
     def load_opts(args: ARGV)
-      Trollop.options(args) do
+      Optimist.options(args) do
+        version AwsRunAs::VERSION
         banner <<-EOS.gsub(/^ {10}/, '')
           aws-runas: Run commands under AWS IAM roles
 

data/lib/aws_runas/main.rb

@@ -25,7 +25,9 @@ module AwsRunAs
   # Main program logic for aws-runas - sets up sts asession and assumed role,
   # and hands off environment to called process.
   class Main
-    # Instantiate the object and set up the path, profile, and populate MFA
+    # Instantiate the object and set up the path, profile, and populate MFA.
+    #
+    # Session timestamp is also registered here to prevent races.
     def initialize(path: nil, profile: default, mfa_code: nil, no_role: nil, duration_seconds: 3600)
       cfg_path = if path
                    path
@@ -36,6 +38,7 @@ module AwsRunAs
       @mfa_code = mfa_code
       @no_role = no_role
       @duration_seconds = duration_seconds
+      @session_timestamp = Time.now.to_i
     end
 
     def sts_client
@@ -47,11 +50,37 @@ module AwsRunAs
       )
     end
 
+    def render_classic_session
+      "aws-runas-session_#{@session_timestamp}"
+    end
+
+    def render_account_user_session(caller_identity)
+      "aws-runas-session_#{caller_identity.account}_#{caller_identity.arn.split('/')[-1]}_#{@session_timestamp}"
+    end
+
+    def render_access_key_session(caller_identity)
+      "aws-runas-session_#{caller_identity.user_id.split(':')[0]}_#{@session_timestamp}"
+    end
+
+    def use_access_key_id?(caller_identity)
+      caller_identity.arn =~ %r{^arn:aws:sts::\d+:assumed-role\/} ||
+        render_account_user_session(caller_identity).length > 64
+    end
+
+    # Returns a session name based on the following criteria:
+    #  * If the user ARN matches that of an assumed role, return the access key ID
+    #  * Otherwise, return the account ID and the user (last part of the ARN).
+    def render_modern_session(caller_identity)
+      return render_access_key_session(caller_identity) if use_access_key_id?(caller_identity)
+      render_account_user_session(caller_identity)
+    end
+
     def session_id
       caller_identity = sts_client.get_caller_identity
-      "aws-runas-session_#{caller_identity.account}_#{caller_identity.arn.split('/')[-1]}_#{Time.now.to_i}"
+      return render_classic_session if render_modern_session(caller_identity).length > 64
+      render_modern_session(caller_identity)
     rescue Aws::STS::Errors::AccessDeniedException
-      "aws-runas-session_#{Time.now.to_i}"
+      render_classic_session
     end
 
     def assume_role

data/lib/aws_runas/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 
 module AwsRunAs
-  VERSION = '0.6.0'
+  VERSION = '0.7.0'
 end

data/spec/aws_runas/main_spec.rb

@@ -35,6 +35,104 @@ describe AwsRunAs::Main do
     end
   end
 
+  describe '#render_classic_session' do
+    it 'renders an account ID and user based session' do
+      expect(@main.render_classic_session).to eq("aws-runas-session_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+  end
+
+  describe '#render_account_user_session' do
+    it 'renders an account ID and user based session' do
+      expect(
+        @main.render_account_user_session(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/Alice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to eq("aws-runas-session_123456789012_Alice_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+  end
+
+  describe '#render_access_key_session' do
+    it 'renders an access key ID-based session' do
+      expect(
+        @main.render_access_key_session(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/Alice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to eq("aws-runas-session_AKIAI44QH8DHBEXAMPLE_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+  end
+
+  describe '#use_access_key_id?' do
+    it 'is falsey when an account ID and user based session is within 64 characters' do
+      expect(
+        @main.use_access_key_id?(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/Alice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to be_falsey
+    end
+
+    it 'is truthy when an account ID and user based session is more than 64 characters' do
+      expect(
+        @main.use_access_key_id?(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/AliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAlice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to be_truthy
+    end
+  end
+
+  describe '#render_modern_session' do
+    it 'returns account ID and user based session when caller identity is not an assumed role' do
+      expect(
+        @main.render_modern_session(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/Alice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to eq("aws-runas-session_123456789012_Alice_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+
+    it 'returns access key ID based session when caller identity is an assumed role' do
+      expect(
+        @main.render_modern_session(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:sts::123456789012:assumed-role/AliceAdmins/AliceSession',
+            user_id: 'AKIAI44QH8DHBEXAMPLE:AliceSession'
+          )
+        )
+      ).to eq("aws-runas-session_AKIAI44QH8DHBEXAMPLE_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+
+    it 'returns access key ID based session when account ID and user session is over 64 characters' do
+      expect(
+        @main.render_modern_session(
+          double(
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/AliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAlice',
+            user_id: 'AKIAI44QH8DHBEXAMPLE'
+          )
+        )
+      ).to eq("aws-runas-session_AKIAI44QH8DHBEXAMPLE_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+  end
+
   describe '#session_id' do
     it 'returns a properly formatted AWS session name for assuming roles' do
       allow_any_instance_of(Aws::STS::Client).to receive(:get_caller_identity) do |obj|
@@ -47,7 +145,21 @@ describe AwsRunAs::Main do
           }
         )
       end
-      expect(@main.session_id).to eq("aws-runas-session_123456789012_Alice_#{Time.now.to_i}")
+      expect(@main.session_id).to eq("aws-runas-session_123456789012_Alice_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+
+    it 'returns a session name formatted on access key ID when user is assumed role' do
+      allow_any_instance_of(Aws::STS::Client).to receive(:get_caller_identity) do |obj|
+        obj.stub_data(
+          :get_caller_identity,
+          {
+            account: '123456789012',
+            arn: 'arn:aws:sts::123456789012:assumed-role/AliceAdmins/AliceSession',
+            user_id: 'AKIAI44QH8DHBEXAMPLE:AliceSession'
+          }
+        )
+      end
+      expect(@main.session_id).to eq("aws-runas-session_AKIAI44QH8DHBEXAMPLE_#{@main.instance_variable_get(:@session_timestamp)}")
     end
 
     it 'returns a basic session ID when caller has no access to get_caller_identity' do
@@ -58,7 +170,21 @@ describe AwsRunAs::Main do
           }
         )
       )
-      expect(@main.session_id).to eq("aws-runas-session_#{Time.now.to_i}")
+      expect(@main.session_id).to eq("aws-runas-session_#{@main.instance_variable_get(:@session_timestamp)}")
+    end
+
+    it 'returns a basic session ID if the resultant session would be longer than 64 characters' do
+      allow_any_instance_of(Aws::STS::Client).to receive(:get_caller_identity) do |obj|
+        obj.stub_data(
+          :get_caller_identity,
+          {
+            account: '123456789012',
+            arn: 'arn:aws:iam::123456789012:user/AliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAliceAlice',
+            user_id: 'AKIAI44QH8DHBEXAMPLEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE'
+          }
+        )
+      end
+      expect(@main.session_id).to eq("aws-runas-session_#{@main.instance_variable_get(:@session_timestamp)}")
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_runas
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Chris Marchesi
@@ -31,7 +31,7 @@ cert_chain:
   /CMDeSP9Z1l0CVvcRsZvmOu3NllZcezFyYi78K+tlmRajCeAV4pWXdcJg26w+u7I
   uK4=
   -----END CERTIFICATE-----
-date: 2018-04-17 00:00:00.000000000 Z
+date: 2018-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -62,19 +62,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: trollop
+  name: optimist
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -188,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.14.1
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Run a command or shell under an assumed AWS IAM role