aws_session_token 0.3.0

data/lib/aws_session_token/credentials_file.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+#
+# AWS Session Token Gem - Tool to wrap AWS API to create and store
+# Session tokens so that other commands/tools (e.g. Terraform) can function as
+# necessary.
+#
+#
+# Copyright 2018 Bryan Stopp <bryan.stopp@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module AwsSessionToken
+
+  # Helper class for interacting with the Credentials file.
+  class CredentialsFile
+
+    Profile = Struct.new(:name, :data)
+
+    def write(filename, profile, credentials)
+      file = nil
+      begin
+        profiles = read_profiles(filename)
+        file = File.open(filename, 'w')
+        write_file(credentials, file, profile, profiles)
+      ensure
+        file&.close
+      end
+    end
+
+    private
+
+    def read_profiles(credentials_file)
+      profiles = []
+      profile = nil
+      File.readlines(credentials_file).each do |line|
+        if line =~ /^\[/
+          profile = Profile.new(line, [])
+          profiles << profile
+        else
+          profile.data << line
+        end
+      end
+      profiles
+    end
+
+    def write_file(credentials, file, profile, profiles)
+      found = false
+      profiles.each do |p|
+        if p.name =~ /^\[#{profile}\]/
+          write_session(file, profile, credentials)
+          found = true
+        else
+          write_profile(file, p)
+        end
+      end
+      write_session(file, profile, credentials) unless found
+    end
+
+    def write_profile(file, profile)
+      file.puts(profile.name)
+      profile.data.each do |l|
+        file.puts(l)
+      end
+    end
+
+    def write_session(file, profile, creds)
+      file.puts("[#{profile}]")
+      file.puts("aws_access_key_id = #{creds.access_key_id}")
+      file.puts("aws_secret_access_key = #{creds.secret_access_key}")
+      file.puts("aws_session_token = #{creds.session_token}")
+    end
+  end
+end

data/lib/aws_session_token/options.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+#
+# AWS Session Token Gem - Tool to wrap AWS API to create and store Session tokens
+# so that other commands/tools (e.g. Terraform) can function as necessary.
+#
+# Copyright 2018 Bryan Stopp <bryan.stopp@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module AwsSessionToken
+
+  # Options class to define properties for the command line.
+  class Options
+
+    SESSION_PROFILE = 'session_profile'
+    DURATION = 3600
+
+    attr_accessor :credentials_file, :duration, :profile, :profile_provided, :session_profile, :token, :user
+
+    def initialize
+      creds = Aws::SharedCredentials.new
+      self.credentials_file = creds.path
+      self.profile = creds.profile_name
+      self.session_profile = SESSION_PROFILE
+      self.duration = DURATION
+      self.profile_provided = false
+    end
+
+    def parse(args)
+      define_options.parse!(args)
+      validate
+    end
+
+    private
+
+    def define_options
+      opts = OptionParser.new
+      opts.banner = 'Usage: aws_session_token [options]'
+      opts.separator('')
+
+      # Additional options
+      file_option(opts)
+      user_option(opts)
+      profile_option(opts)
+      session_profile_option(opts)
+      duration_option(opts)
+      token_option(opts)
+      common_options(opts)
+      opts
+    end
+
+    def file_option(opts)
+      opts.on('-f', '--file FILE', 'Specify a custom credentials file.') do |f|
+        self.credentials_file = f
+      end
+    end
+
+    def user_option(opts)
+      opts.on('-u', '--user USER',
+              'Specify the AWS User name for passing to API.') do |u|
+        self.user = u
+      end
+    end
+
+    def profile_option(opts)
+      opts.on('-p', '--profile PROFILE',
+              'Specify the AWS credentials profile to use. Also sets user, if user is not provided.') do |p|
+        self.profile = p
+        self.profile_provided = true
+      end
+    end
+
+    def session_profile_option(opts)
+      opts.on('-s', '--session SESSION_PROFILE',
+              'Specify the name of the profile used to store the session credentials.') do |s|
+        self.session_profile = s
+      end
+    end
+
+    def duration_option(opts)
+      opts.on('-d', '--duration DURATION', Integer,
+              'Specify the duration the of the token in seconds. (Default 3600)') do |d|
+        self.duration = d
+      end
+    end
+
+    def token_option(opts)
+      opts.on('-t', '--token TOKEN', Integer,
+              'Specify the OTP Token to use for creating the session credentials.') do |t|
+        self.token = t
+      end
+    end
+
+    def common_options(opts)
+      opts.separator('')
+      opts.separator('Common options:')
+      opts.on_tail('-h', '--help', 'Show this message.') do
+        puts opts
+        exit
+      end
+      opts.on_tail('-v', '--version', 'Show version.') do
+        puts SemVer.find.format(+ '%M.%m.%p%s')
+        exit
+      end
+    end
+
+    def validate
+      validate_profiles
+    end
+
+    def validate_profiles
+      raise ArgumentError, 'Profile and Session Profile must be different.' if profile == session_profile
+      self.user ||= profile if profile_provided
+    end
+  end
+
+end

data/spec/aws_session_token/cli_spec.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+#
+# AWS Session Token Gem - Tool to wrap AWS API to create and store Session tokens
+# so that other commands/tools (e.g. Terraform) can function as necessary.
+#
+# Copyright 2018 Bryan Stopp <bryan.stopp@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+require 'aws_session_token/credentials_file'
+
+describe AwsSessionToken::CLI do
+
+  before do
+    $stdout = StringIO.new
+    $stderr = StringIO.new
+  end
+
+  after do
+    $stdout = STDOUT
+    $stderr = STDERR
+  end
+
+  subject(:cli) { described_class.new }
+
+  let(:creds_data) do
+    Aws::STS::Types::Credentials.new(
+      access_key_id:      'AKIAIOSFODNN7EXAMPLE',
+      expiration:         Time.parse('2011-07-11T19:55:29.611Z'),
+      secret_access_key:  'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY',
+      session_token:      'EXAMPLE SESSION TOKEN'
+    )
+  end
+
+  let(:mfa_arn) { 'Fake Serial Number' }
+
+  let(:mfa_token) { 123_456 }
+
+  describe 'run' do
+    it 'should work' do
+      expect(cli).to receive(:set_aws_creds)
+      expect(cli).to receive(:mfa_device).and_return(mfa_arn)
+      expect(cli).to receive(:token_prompt).and_return(mfa_token)
+      expect(cli).to receive(:session_token).with(mfa_arn, mfa_token).and_return(creds_data)
+      expect_any_instance_of(AwsSessionToken::CredentialsFile).to receive(:write).with(
+        Aws::SharedCredentials.new.path,
+        AwsSessionToken::Options::SESSION_PROFILE,
+        creds_data
+      )
+      cli.run
+    end
+
+    describe 'token provided' do
+      before do
+        ARGV << '-t'
+        ARGV << mfa_token.to_s
+      end
+
+      it 'should skip token prompt' do
+        expect(cli).to receive(:set_aws_creds)
+        expect(cli).to receive(:mfa_device).and_return(mfa_arn)
+        expect(cli).to receive(:session_token).with(mfa_arn, mfa_token).and_return(creds_data)
+        expect_any_instance_of(AwsSessionToken::CredentialsFile).to receive(:write).with(
+          Aws::SharedCredentials.new.path,
+          AwsSessionToken::Options::SESSION_PROFILE,
+          creds_data
+        )
+        cli.run
+      end
+    end
+  end
+
+  describe 'validate_creds_file' do
+    it 'should succeed if file exists' do
+      creds = Aws::SharedCredentials.new
+      expect(File).to receive(:exist?).with(creds.path).and_return(true)
+      expect { cli.validate_creds_file }.to_not raise_error
+    end
+
+    it 'should fail if file is missing' do
+      creds = Aws::SharedCredentials.new
+      expect(File).to receive(:exist?).with(creds.path).at_least(:once).and_return(false)
+      expect { cli.validate_creds_file }.to raise_error(ArgumentError, /Specified credentials file is missing/)
+    end
+
+    it 'should fail if file is not writable by current user' do
+      creds = Aws::SharedCredentials.new
+      expect(File).to receive(:exist?).with(creds.path).at_least(:once).and_return(true)
+      expect(File).to receive(:writable?).with(creds.path).at_least(:once).and_return(false)
+      expect { cli.validate_creds_file }.to raise_error(ArgumentError, /Specified credentials file cannot /)
+    end
+  end
+
+  describe 'set_aws_creds' do
+    it 'is should work' do
+      expect(Aws.config).to receive(:update).with(
+        credentials: instance_of(Aws::SharedCredentials)
+      )
+      cli.set_aws_creds
+    end
+    it 'is should fail if profile does not exist' do
+      cli.options.profile = 'nonexistent'
+      expect { cli.set_aws_creds }.to exit_with_code(1)
+      expect($stderr.string).to match(/Specified AWS Profile doesn't exist: nonexistent/)
+    end
+  end
+
+  describe 'mfa_device' do
+    let(:mfa_device) do
+      mfa = Aws::IAM::Types::MFADevice.new
+      mfa.user_name = 'username'
+      mfa.serial_number = 'serial-number'
+      mfa.enable_date = 'enable-date'
+      mfa
+    end
+
+    it 'should work without user' do
+      params = { max_items: 1 }
+      client = double('iam_client')
+      response = Aws::IAM::Types::ListMFADevicesResponse.new(mfa_devices: [mfa_device])
+      expect(Aws::IAM::Client).to receive(:new).and_return(client)
+      expect(client).to receive(:list_mfa_devices).with(params).and_return(response)
+      expect(cli.mfa_device).to eq('serial-number')
+    end
+    it 'should work with user' do
+      cli.options.user = 'foo'
+      params = { user_name: 'foo', max_items: 1 }
+      client = double('iam_client')
+      response = Aws::IAM::Types::ListMFADevicesResponse.new(mfa_devices: [mfa_device])
+      expect(Aws::IAM::Client).to receive(:new).and_return(client)
+      expect(client).to receive(:list_mfa_devices).with(params).and_return(response)
+      expect(cli.mfa_device).to eq('serial-number')
+    end
+    it 'should exit if no MFA devices' do
+
+      client = double('iam_client')
+      response = Aws::IAM::Types::ListMFADevicesResponse.new(mfa_devices: [])
+      expect(Aws::IAM::Client).to receive(:new).and_return(client)
+      expect(client).to receive(:list_mfa_devices).and_return(response)
+      begin
+        expect { cli.mfa_device }.to exit_with_code(0)
+      rescue SystemExit # rubocop:disable Lint/HandleExceptions
+      end
+      expected = 'Script execution unnecessary.'
+      expect($stderr.string).to match(/#{expected}/)
+    end
+  end
+
+  context 'token_prompt' do
+    before do
+      $stdin = StringIO.new
+      $stdin.puts('123456')
+      $stdin.rewind
+    end
+    it 'should work' do
+      expect { cli.token_prompt }.to_not raise_error
+    end
+  end
+
+  describe 'session_token' do
+    let(:response) do
+      creds = Aws::STS::Types::Credentials.new
+      creds.access_key_id = 'access_key_id'
+      creds.secret_access_key = 'secret_access_key'
+      creds.expiration = 'expiration'
+      creds.session_token = 'session_token'
+
+      resp = Aws::STS::Types::GetSessionTokenResponse.new
+      resp.credentials = creds
+      resp
+    end
+
+    it 'should work' do
+      device = 'device'
+      token = 'token'
+      client = double('sts-client')
+      expect(Aws::STS::Client).to receive(:new).and_return(client)
+      expect(client).to receive(:get_session_token).with(
+        duration_seconds: 3600, serial_number: device, token_code: token
+      ).and_return(response)
+      expect(cli.session_token(device, token)).to eq(response.credentials)
+    end
+  end
+end

data/spec/aws_session_token/credentials_file_spec.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+#
+# AWS Session Token Gem - Tool to wrap AWS API to create and store
+# Session tokens so that other commands/tools (e.g. Terraform) can function as
+# necessary.
+#
+#
+# Copyright 2018 Bryan Stopp <bryan.stopp@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+describe AwsSessionToken::CredentialsFile, :isolated_environment do
+  before do
+    $stdout = StringIO.new
+    $stderr = StringIO.new
+  end
+
+  after do
+    $stdout = STDOUT
+    $stderr = STDERR
+  end
+
+  subject(:cf) { described_class.new }
+
+  let(:creds) do
+    creds = Aws::STS::Types::Credentials.new
+    creds.access_key_id = 'access_key_id'
+    creds.secret_access_key = 'secret_access_key'
+    creds.expiration = 'expiration'
+    creds.session_token = 'session_token'
+    creds
+  end
+
+  describe 'write' do
+    let(:file_contents) do
+      <<~CREDS
+        [stopp]
+        aws_access_key_id = EXAMPLESTOPPACCESSID
+        aws_secret_access_key = EXAMPLESTOPPSECRETKEY
+        [admin]
+        aws_access_key_id = EXAMPLEADMINACCESSID
+        aws_secret_access_key = EXAMPLEADMINSECRETKEY
+      CREDS
+    end
+
+    shared_examples 'update file' do |opts|
+      it do
+        file = StringIO.new
+        default_creds = Aws::SharedCredentials.new
+        expect(File).to receive(:readlines).with(default_creds.path).and_return(file_contents.split("\n"))
+        expect(File).to receive(:open).with(default_creds.path, 'w').and_return(file)
+        cf.write(default_creds.path, opts[:profile], creds)
+        expect(file.string).to eq(opts[:expected])
+      end
+    end
+
+    describe 'profile does not exist' do
+      contents = <<~CREDS
+        [stopp]
+        aws_access_key_id = EXAMPLESTOPPACCESSID
+        aws_secret_access_key = EXAMPLESTOPPSECRETKEY
+        [admin]
+        aws_access_key_id = EXAMPLEADMINACCESSID
+        aws_secret_access_key = EXAMPLEADMINSECRETKEY
+        [session_profile]
+        aws_access_key_id = access_key_id
+        aws_secret_access_key = secret_access_key
+        aws_session_token = session_token
+      CREDS
+
+      it_should_behave_like('update file', expected: contents, profile: 'session_profile')
+    end
+
+    describe 'profile exists' do
+      describe 'first profile' do
+        contents = <<~CREDS
+          [stopp]
+          aws_access_key_id = access_key_id
+          aws_secret_access_key = secret_access_key
+          aws_session_token = session_token
+          [admin]
+          aws_access_key_id = EXAMPLEADMINACCESSID
+          aws_secret_access_key = EXAMPLEADMINSECRETKEY
+        CREDS
+
+        it_should_behave_like('update file', expected: contents, profile: 'stopp')
+      end
+      describe 'last profile' do
+        contents = <<~CREDS
+          [stopp]
+          aws_access_key_id = EXAMPLESTOPPACCESSID
+          aws_secret_access_key = EXAMPLESTOPPSECRETKEY
+          [admin]
+          aws_access_key_id = access_key_id
+          aws_secret_access_key = secret_access_key
+          aws_session_token = session_token
+        CREDS
+        it_should_behave_like('update file', expected: contents, profile: 'admin')
+      end
+    end
+  end
+end