aws_su 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7c94982b2139e90c3f36bb7b8e7f4d2989b05a2e
-  data.tar.gz: b6de06567ecb9a29348ecce20a12d4b93600ad19
+  metadata.gz: ced5b07379bc4a4e9f0f3d316e575886367f0cca
+  data.tar.gz: 14ab789e98f42ad0790d43d1d72020c65514db48
 SHA512:
-  metadata.gz: 412fb1c85c563d71b74e6aca277ef5c3031ad7503aafbeb6baccc58dde436b81fe5c7755ac0d71095af878cff2d1062b3570868624cd7f8041782f32f006561b
-  data.tar.gz: de13c38ada25aeada402abff4465d24f91346b032365ebaef4c02f5992b20bdb503332caab3b8a9800d9a58571ed977a2779e72a541550fcb4a95df812a9580a
+  metadata.gz: c2eeaa96c2b04eb60d6ed82d5d7b76c4f9c0cc1d5d24aa881754f4581d5bd142ac8321f3e0a905ec4fc35d49b6c2c7820a255806fc04cebe043b6ced7dbabd58
+  data.tar.gz: 10253e4ab496fc1924807d6f22b32d6c271b7c634a671a1813b929e6c433066040c8b9afd5e99348109df32abd36f783b7db43dc1c7266306f72a203b280e93c

data/.gitignore

@@ -10,3 +10,4 @@
 .idea/*
 Gemfile.lock
 *.html
+/test/runner.rb

data/CHANGELOG.md

@@ -8,4 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.1.0] - 01-12-2018
 ### Added
 - Ability to authenticate and switch role via a single authenticate() method
-- Gemspec file updated to enable push to Rubygems.org
+- Gemspec file updated to enable push to Rubygems.org
+
+## [0.1.1] - 02-12-2018
+### Added
+- Required ruby version in gemspec
+- Housekeeping now that gem is on both github and rubygems
+- Changed authenticate() method to accept options hash
+- Added detailed header to AwsSu module

data/README.md

@@ -1,6 +1,6 @@
 # AwsSu
 
-AwsSu is a gem developed for a specific use case, where the user has an ID setuo in an AWS master account and wants to 
+AwsSu is a gem developed for a specific use case, where the user has an ID setup in an AWS master account and wants to 
 assume a role in another account that they have permission to assume.
 
 ## Installation
@@ -8,7 +8,7 @@ assume a role in another account that they have permission to assume.
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'aws_su'
+  gem 'aws_su'
 ```
 
 And then execute:
@@ -25,15 +25,19 @@ Implemented as a Ruby Module, the gem can be included into any class that needs
 a role prior to calling one of the aws client methods like so:
 
 ```ruby
-require 'aws_su'
-
-class Runner
-  include AwsSu
-end
-
-runner = Runner.new
-runner.authenticate('my-profile')
-runner.ec2_client.describe_vpcs
+    require 'aws_su'
+    
+    class RunAwsSu
+      include AwsSu
+    end
+    
+    run_aws_su = RunAwsSu.new
+    run_aws_su.authenticate(
+      profile: 'ds-nonprod',
+      duration: '28800',
+      region: 'eu-west-2'
+    )
+    run_aws_su.ec2_client.describe_vpcs
 ```
 
 The gem expects to find the standard aws secrets files:
@@ -51,19 +55,26 @@ With the former containing the master account secrets:
 And the latter containing the details of the role to be assumed:
 
 ```
-[profile my-profile]
-source_profile=master
-mfa_serial=arn:aws:iam::1234567890:mfa/bradley.atkins@bjss.com
-role_arn=arn:aws:iam::1234567890:role/MY-NONPROD-TESTER-ROLE
+    [profile my-profile]
+    source_profile=master
+    mfa_serial=arn:aws:iam::1234567890:mfa/bradley.atkins@bjss.com
+    role_arn=arn:aws:iam::1234567890:role/MY-NONPROD-TESTER-ROLE
 ```
 
 AwsSu also configures the current shell with the necessary environment variables to allow system calls to 
 be made without further authentication:
 
 ```ruby
-system('aws ec2 describe-vpcs --region eu-west-2')
+  system('aws ec2 describe-vpcs --region eu-west-2')
 ```
 
+Clients currently supported are:
+
+- ec2_client
+- elb_client
+- iam_client
+- sqs_client
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -72,7 +83,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/aws_sudo. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+Bug reports and pull requests are welcome on GitHub at [The Github Repository](https://github.com/museadmin/aws_su). This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ## License
 

data/Rakefile

@@ -1,10 +1,12 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rake/testtask'
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
+  t.libs << 'test'
+  t.libs << 'lib'
   t.test_files = FileList["test/**/*_test.rb"]
 end
 
-task :default => :test
+task default: :test

data/aws_su.gemspec

@@ -12,8 +12,8 @@ Gem::Specification.new do |spec|
 
   spec.summary       = 'Gem to wrap helper methods around AWS authentication API'
   spec.description   = 'Developed for a specific use case: ' \
-      'User has an AWS id in a master account and wants to assume'\
-      ' a role in another account. This module exposes a single'\
+      'User has an AWS id in a master account and wants to assume '\
+      'a role in another account. This module exposes a single '\
       'authenticate() method that handles authentication and switching role '\
       'by referencing the user\'s aws secrets.'
   spec.homepage      = 'https://github.com/museadmin'
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   if spec.respond_to?(:metadata)
     spec.metadata['homepage_uri'] = spec.homepage
     spec.metadata['source_code_uri'] = 'https://github.com/museadmin/aws_su'
-    spec.metadata['changelog_uri'] = "Put your gem's CHANGELOG.md URL here."
+    spec.metadata['changelog_uri'] = 'https://github.com/museadmin/aws_su/blob/master/CHANGELOG.md'
   else
     raise 'RubyGems >= 2.0 is required to protect against public gem pushes'
   end
@@ -39,6 +39,7 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.4'
 
   spec.add_development_dependency 'awsecrets'
   spec.add_development_dependency 'bundler', '~> 1.17'

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "aws_su"
+require "bundler/setup".freeze
+require "aws_su".freeze
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "aws_su"
 # require "pry"
 # Pry.start
 
-require "irb"
+require "irb".freeze
 IRB.start(__FILE__)

data/lib/aws_su/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AwsSu
-  VERSION = '0.1.0'
+  VERSION = '0.1.1'
 end

data/lib/aws_su.rb

@@ -3,9 +3,39 @@
 require 'aws_config'
 require 'matches'
 require 'awsecrets'
-require 'aws_sudo/version'
+require 'aws_su/version'
 
-# Set up the AWS authentication environment
+# Set up the AWS authentication environment for a user
+# who has an ID in a master account and is allowed to
+# switch to a role in another account.
+#
+# Typical usage scenario:
+#
+#   require 'aws_su'
+#
+#   class RunAwsSu
+#   include AwsSu
+#   end
+#
+#   run_aws_su = RunAwsSu.new
+#   run_aws_su.authenticate(
+#     profile: 'ds-nonprod',
+#     duration: '28800',
+#     region: 'eu-west-2'
+#   )
+#   run_aws_su.ec2_client.describe_vpcs
+#
+# also sets up current shell so system calls don't need further authentication:
+#
+#   system('aws ec2 describe-vpcs --region eu-west-2')
+#
+# It is assumed that the region is set in the first profile in .aws/config, e.g.
+#
+#   [profile master]
+#   region=eu-west-2
+#
+# or it can be set in the call to authenticate() as shown above
+#
 module AwsSu
   class Error < StandardError; end
 
@@ -19,11 +49,21 @@ module AwsSu
   @master_config = Awsecrets.load # AWS config for master account
 
   # Authenticate user for the session
-  def authenticate(profile, duration = DURATION)
-    @session = "awssudo-session-#{Time.now.to_i}"
-    @token_ttl = calculate_session_expiry(duration)
-    @profile = profile
-    @duration = duration
+  # @param options Hash {
+  #   duration: 'AWS role session timeout',
+  #   region: AWS region,
+  #   profile: Name of profile in .aws/config to use
+  # }
+  def authenticate(options = {})
+    @session = "aws-su-session-#{Time.now.to_i}"
+    @profile = options[:profile]
+    @duration = options[:duration].nil? ? DURATION : options[:duration]
+    @token_ttl = calculate_session_expiry(@duration)
+
+    region = AWSConfig.profiles.first[1][:region]
+    @region = options[:region].nil? ? region : options[:region]
+    raise('Unable to determine region') if @region.nil?
+
     export_aws_sudo_file
     assume_role
   end
@@ -48,21 +88,24 @@ module AwsSu
     Aws::S3::Client.new
   end
 
-  # Get an STS client so we can request a session token
+  # SQS Client
+  def sqs_client
+    Aws::SQS::Client.new
+  end
+
+  # STS
   def sts_client
     Aws::STS::Client.new(
-        credentials: load_secrets,
-        region: 'eu-west-2'
+      credentials: load_secrets,
+      region: @region
     )
   end
 
   private
+
   # Assume a role
-  # @param duration A string integer representing the session duration
+  # @param duration A string integer representing the role session duration
   def assume_role(duration = DURATION)
-    # For the benefit of anything downstream we are running
-    export_aws_sudo_file
-
     if session_valid?
       # Recover persisted session and use that to update AWS.config
       Aws.config.update(
@@ -74,25 +117,28 @@ module AwsSu
       )
     else
       # Session has expired so auth again
-      assume_role_with_mfa_token(duration)
+      assume_role_mfa(duration)
     end
+    # For the benefit of anything downstream we are running
+    export_aws_sudo_file
   end
 
   # Assume a role using an MFA Token
-  def assume_role_with_mfa_token(duration, mfa_code = nil)
+  def assume_role_mfa(duration, mfa_code = nil)
     mfa_code = prompt_for_mfa_code if mfa_code.nil?
     role_creds = sts_client.assume_role(
-        role_arn: AWSConfig[@profile]['role_arn'],
-        role_session_name: @session,
-        duration_seconds: duration.to_i,
-        serial_number: AWSConfig[@profile]['mfa_serial'],
-        token_code: mfa_code.to_s
+      role_arn: AWSConfig[@profile]['role_arn'],
+      role_session_name: @session,
+      duration_seconds: duration.to_i,
+      serial_number: AWSConfig[@profile]['mfa_serial'],
+      token_code: mfa_code.to_s
     )
     update_aws_config(role_creds)
-    persist_aws_sudo(role_creds)
+    persist_aws_su(role_creds)
   end
 
   # Calculate the session expiration
+  # # @param duration A string integer representing the role session duration
   def calculate_session_expiry(duration = DURATION)
     (Time.now + duration.to_i).strftime('%Y-%m-%d %H:%M:%S')
   end
@@ -148,20 +194,6 @@ module AwsSu
     end
   end
 
-  # Recover the role_arn from the AWS config file
-  def parse_role_arn
-    File.readlines(AWS_CONFIG_FILE).each do |line|
-      return line.split('=')[1].chomp if line.include?('role_arn')
-    end
-  end
-
-  # Recover the mfa serial number from AWS config file
-  def parse_mfa_serial
-    File.readlines(AWS_CONFIG_FILE).each do |line|
-      return line.split('=')[1].chomp if line.include?('mfa_serial')
-    end
-  end
-
   # Parse the session token from awssudo
   def parse_session_token
     File.readlines(AWS_SUDO_FILE).each do |line|
@@ -177,14 +209,16 @@ module AwsSu
   end
 
   # Persist the config to the awssudo file
-  def persist_aws_sudo(config, file = AWS_SUDO_FILE)
-    File.open(file, 'w') do |file|
-      file.puts('AWS_ACCESS_KEY_ID=' + config.credentials.access_key_id)
-      file.puts('AWS_SECRET_ACCESS_KEY=' + config.credentials.secret_access_key)
-      file.puts('AWS_SESSION_TOKEN=' + config.credentials.session_token)
-      file.puts('AWS_SECURITY_TOKEN=' + config.credentials.session_token)
-      file.puts('AWS_TOKEN_TTL=' + @token_ttl)
-      file.puts('AWS_PROFILE=' + @profile)
+  # @param config Credentials from assume role to persist
+  # @param file The temporary secrets file ~/.awssudo
+  def persist_aws_su(config, file = AWS_SUDO_FILE)
+    File.open(file, 'w') do |f|
+      f.puts('AWS_ACCESS_KEY_ID=' + config.credentials.access_key_id)
+      f.puts('AWS_SECRET_ACCESS_KEY=' + config.credentials.secret_access_key)
+      f.puts('AWS_SESSION_TOKEN=' + config.credentials.session_token)
+      f.puts('AWS_SECURITY_TOKEN=' + config.credentials.session_token)
+      f.puts('AWS_TOKEN_TTL=' + @token_ttl)
+      f.puts('AWS_PROFILE=' + @profile)
     end
   end
 

data/lib/matches_aws_access_key_id.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_ACCESS_KEY_ID
 class MatchesAwsAccessKeyId

data/lib/matches_aws_profile.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_PROFILE
 class MatchesAwsProfile

data/lib/matches_aws_secret_access_key.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_SECRET_ACCESS_KEY
 class MatchesAwsSecretAccessKey

data/lib/matches_aws_security_token.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_SECURITY_TOKEN
 class MatchesAwsSecurityToken

data/lib/matches_aws_session_token.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_SESSION_TOKEN
 class MatchesAwsSessionToken

data/lib/matches_aws_token_etl.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 # Match AWS_TOKEN_TTL
 class MatchesAwsTokenEtl

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws_su
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Bradley Atkins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-12-01 00:00:00.000000000 Z
+date: 2018-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: awsecrets
@@ -67,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '10.0'
 description: 'Developed for a specific use case: User has an AWS id in a master account
-  and wants to assume a role in another account. This module exposes a singleauthenticate()
+  and wants to assume a role in another account. This module exposes a single authenticate()
   method that handles authentication and switching role by referencing the user''s
   aws secrets.'
 email:
@@ -103,7 +103,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/museadmin
   source_code_uri: https://github.com/museadmin/aws_su
-  changelog_uri: Put your gem's CHANGELOG.md URL here.
+  changelog_uri: https://github.com/museadmin/aws_su/blob/master/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -112,7 +112,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="