RubyGems - awskeyring - Versions diffs - 0.0.6 → 0.1.0 - Mend

awskeyring 0.0.6 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/.rspec +1 -0
data/.rubocop.yml +3 -0
data/CHANGELOG.md +8 -0
data/awskeyring.gemspec +1 -1
data/lib/awskeyring/awsapi.rb +167 -0
data/lib/awskeyring/validate.rb +46 -24
data/lib/awskeyring/version.rb +2 -1
data/lib/awskeyring.rb +130 -31
data/lib/awskeyring_command.rb +101 -183
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2aadd847341fb6a4dd7016dfca3fdd1ba60fe4c9
-  data.tar.gz: a8e548fb70b847b3fc7d7e1a277a4d12a054029c
+  metadata.gz: e245afbb0324eea304fcc2c010617ebc3b78c53f
+  data.tar.gz: 7be3de5bff9b16373021863d33a5aaa677046f60
 SHA512:
-  metadata.gz: 60a505a585398dc8e6034bbc51c4deef834f650fb76a042bc248f338dfbdb3e6354dab42d2536f404f93bee4785f21dfe5bc9fd4fb2c2a3b7cad52a297fc1414
-  data.tar.gz: 8a282201ceb09a170e1beeb2dd3ecc57dc4058ec669d5b3cb9cc1d9ce33a99ad6b3c09ad42e5c1146f504ee6559eb4c258857961a5e864709a8a5741d5bd15e0
+  metadata.gz: 04610b85c96d2da14c5d7874790fd9b33425aea0c0d1e1b087c8e17534daa2c6238bb1dee84830890f4b13256d55dd0c37521f33c90bd97f171d50c5fd488fc8
+  data.tar.gz: fde8d5db0fc622b19423a171e3027c222ee9f54e5263533248eaaf10e27c05ab613404cf07656c58ec427069f8e660114fc1614ee0a252f435827b426ba486a2

data/.rspec CHANGED Viewed

@@ -1,2 +1,3 @@
+--order rand
 --format documentation
 --color

data/.rubocop.yml CHANGED Viewed

@@ -9,6 +9,9 @@ Metrics/BlockLength:
   Exclude:
     - spec/**/*
+Metrics/AbcSize:
+  Max: 20
 Naming/FileName:
   Exclude:
     - Gemfile

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Change Log
+## [v0.1.0](https://github.com/vibrato/awskeyring/tree/v0.1.0) (2018-03-14)
+[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.6...v0.1.0)
+**Implemented enhancements:**
+- Item refactor [\#13](https://github.com/vibrato/awskeyring/pull/13) ([tristanmorgan](https://github.com/tristanmorgan))
+- Aws refactor [\#12](https://github.com/vibrato/awskeyring/pull/12) ([tristanmorgan](https://github.com/tristanmorgan))
 ## [v0.0.6](https://github.com/vibrato/awskeyring/tree/v0.0.6) (2018-03-01)
 [Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.5...v0.0.6)

data/awskeyring.gemspec CHANGED Viewed

@@ -1,4 +1,4 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'awskeyring/version'

data/lib/awskeyring/awsapi.rb ADDED Viewed

@@ -0,0 +1,167 @@
+require 'aws-sdk-iam'
+require 'cgi'
+require 'json'
+# Awskeyring Module,
+# gives you an interface to access keychains and items.
+module Awskeyring
+  # AWS API methods for Awskeyring
+  module Awsapi # rubocop:disable Metrics/ModuleLength
+    # Retrieves a temporary session token from AWS
+    #
+    # @param [Hash] params including
+    #    key The aws_access_key_id
+    #    secret The aws_secret_access_key
+    #    user The local username
+    #    mfa The users MFA arn
+    #    code The MFA code
+    #    duration time in seconds until expiry
+    #    role_arn ARN of the role to assume
+    # @return [Hash] with the new credentials
+    #    key The aws_access_key_id
+    #    secret The aws_secret_access_key
+    #    token The aws_session_token
+    #    expiry expiry time
+    def self.get_token(params = {}) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
+      sts = Aws::STS::Client.new(access_key_id: params[:key], secret_access_key: params[:secret])
+      begin
+        response =
+          if params[:code] && params[:role_arn]
+            sts.assume_role(
+              duration_seconds: params[:duration].to_i,
+              role_arn: params[:role_arn],
+              role_session_name: params[:user],
+              serial_number: params[:mfa],
+              token_code: params[:code]
+            )
+          elsif params[:role_arn]
+            sts.assume_role(
+              duration_seconds: params[:duration].to_i,
+              role_arn: params[:role_arn],
+              role_session_name: params[:user]
+            )
+          elsif params[:code]
+            sts.get_session_token(
+              duration_seconds: params[:duration].to_i,
+              serial_number: params[:mfa],
+              token_code: params[:code]
+            )
+          end
+      rescue Aws::STS::Errors::AccessDenied => e
+        puts e.to_s
+        exit 1
+      end
+      {
+        key: response.credentials[:access_key_id],
+        secret: response.credentials[:secret_access_key],
+        token: response.credentials[:session_token],
+        expiry: response.credentials[:expiration]
+      }
+    end
+    # Retrieves an AWS Console login url
+    #
+    # @param [String] key The aws_access_key_id
+    # @param [String] secret The aws_secret_access_key
+    # @param [String] token The aws_session_token
+    # @param [String] user The local username
+    # @param [String] path within the Console to access
+    # @return [String] login_url to access
+    def self.get_login_url(key:, secret:, token:, path:, user:) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
+      console_url = "https://console.aws.amazon.com/#{path}/home"
+      signin_url = 'https://signin.aws.amazon.com/federation'
+      policy_json = {
+        Version: '2012-10-17',
+        Statement: [{
+          Action: '*',
+          Resource: '*',
+          Effect: 'Allow'
+        }]
+      }.to_json
+      if token
+        session_json = {
+          sessionId: key,
+          sessionKey: secret,
+          sessionToken: token
+        }.to_json
+      else
+        sts = Aws::STS::Client.new(access_key_id: key,
+                                   secret_access_key: secret)
+        session = sts.get_federation_token(name: user,
+                                           policy: policy_json,
+                                           duration_seconds: (60 * 60 * 12))
+        session_json = {
+          sessionId: session.credentials[:access_key_id],
+          sessionKey: session.credentials[:secret_access_key],
+          sessionToken: session.credentials[:session_token]
+        }.to_json
+      end
+      get_signin_token_url = signin_url + '?Action=getSigninToken' \
+                             '&Session=' + CGI.escape(session_json)
+      returned_content = Net::HTTP.get(URI.parse(get_signin_token_url))
+      signin_token = JSON.parse(returned_content)['SigninToken']
+      signin_token_param = '&SigninToken=' + CGI.escape(signin_token)
+      destination_param = '&Destination=' + CGI.escape(console_url)
+      signin_url + '?Action=login' + signin_token_param + destination_param
+    end
+    # Rotates the AWS access keys
+    #
+    # @param [String] key The aws_access_key_id
+    # @param [String] secret The aws_secret_access_key
+    # @param [String] account the associated account name.
+    # @return [String] key The aws_access_key_id
+    # @return [String] secret The aws_secret_access_key
+    # @return [String] account the associated account name.
+    def self.rotate(account:, key:, secret:) # rubocop:disable  Metrics/MethodLength
+      iam = Aws::IAM::Client.new(access_key_id: key, secret_access_key: secret)
+      if iam.list_access_keys[:access_key_metadata].length > 1
+        warn "You have two access keys for account #{account}"
+        exit 1
+      end
+      new_key = iam.create_access_key
+      iam = Aws::IAM::Client.new(
+        access_key_id: new_key[:access_key][:access_key_id],
+        secret_access_key: new_key[:access_key][:secret_access_key]
+      )
+      retry_backoff do
+        iam.delete_access_key(
+          access_key_id: key
+        )
+      end
+      {
+        account: account,
+        key: new_key[:access_key][:access_key_id],
+        secret: new_key[:access_key][:secret_access_key]
+      }
+    end
+    # Retry the call with backoff
+    #
+    # @param [Block] block the block to retry.
+    def self.retry_backoff(&block)
+      retries ||= 1
+      begin
+        yield block
+      rescue Aws::IAM::Errors::InvalidClientTokenId => e
+        if retries < 4
+          sleep 2**retries
+          retries += 1
+          retry
+        end
+        warn e.message
+        exit 1
+      end
+    end
+  end
+end

data/lib/awskeyring/validate.rb CHANGED Viewed

@@ -1,32 +1,54 @@
-# Validation methods
+# Awskeyring Module,
+# gives you an interface to access keychains and items.
 module Awskeyring
-  def self.account_name(account_name)
-    raise 'Invalid Account Name' unless account_name =~ /\S+/
-    account_name
-  end
+  # Validation methods for Awskeyring
+  module Validate
+    # Validate an account name
+    #
+    # @param [String] account_name the associated account name.
+    def self.account_name(account_name)
+      raise 'Invalid Account Name' unless account_name =~ /\S+/
+      account_name
+    end
-  def self.access_key(aws_access_key)
-    raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
-    aws_access_key
-  end
+    # Validate an AWS Access Key ID
+    #
+    # @param [String] aws_access_key The aws_access_key_id
+    def self.access_key(aws_access_key)
+      raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
+      aws_access_key
+    end
-  def self.secret_access_key(aws_secret_access_key)
-    raise 'Secret Access Key is not 40 chars' if aws_secret_access_key.length != 40
-    aws_secret_access_key
-  end
+    # Validate an AWS Secret Key ID
+    #
+    # @param [String] aws_secret_access_key The aws_secret_access_key
+    def self.secret_access_key(aws_secret_access_key)
+      raise 'Secret Access Key is not 40 chars' if aws_secret_access_key.length != 40
+      aws_secret_access_key
+    end
-  def self.mfa_arn(mfa_arn)
-    raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
-    mfa_arn
-  end
+    # Validate an Users mfa ARN
+    #
+    # @param [String] mfa_arn The users MFA arn
+    def self.mfa_arn(mfa_arn)
+      raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
+      mfa_arn
+    end
-  def self.role_name(account_name)
-    raise 'Invalid Role Name' unless account_name =~ /\S+/
-    account_name
-  end
+    # Validate a Role name
+    #
+    # @param [String] role_name
+    def self.role_name(role_name)
+      raise 'Invalid Role Name' unless role_name =~ /\S+/
+      role_name
+    end
-  def self.role_arn(role_arn)
-    raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
-    role_arn
+    # Validate a Role ARN
+    #
+    # @param [String] role_arn The role arn
+    def self.role_arn(role_arn)
+      raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
+      role_arn
+    end
   end
 end

data/lib/awskeyring/version.rb CHANGED Viewed

@@ -1,3 +1,4 @@
 module Awskeyring
-  VERSION = '0.0.6'.freeze
+  # The Gems version number
+  VERSION = '0.1.0'.freeze
 end

data/lib/awskeyring.rb CHANGED Viewed

@@ -1,14 +1,23 @@
+require 'json'
 require 'keychain'
-require 'aws-sdk-iam'
-require 'awskeyring/validate'
-# Aws Key-ring logical object,
+# Awskeyring Module,
 # gives you an interface to access keychains and items.
 module Awskeyring # rubocop:disable Metrics/ModuleLength
+  # Default rpeferences fole path
   PREFS_FILE = (File.expand_path '~/.awskeyring').freeze
+  # Prefix for Roles
   ROLE_PREFIX = 'role '.freeze
+  # Prefix for Accounts
   ACCOUNT_PREFIX = 'account '.freeze
+  # Prefix for Session Keys
+  SESSION_KEY_PREFIX = 'session-key '.freeze
+  # Prefix for Session Tokens
+  SESSION_TOKEN_PREFIX = 'session-token '.freeze
+  # Retrieve the preferences
+  #
+  # @return [Hash] prefs of the gem
   def self.prefs
     if File.exist? PREFS_FILE
       JSON.parse(File.read(PREFS_FILE))
@@ -17,6 +26,7 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     end
   end
+  # Create a new Keychain
   def self.init_keychain(awskeyring:)
     keychain = Keychain.create(awskeyring)
     keychain.lock_interval = 300
@@ -26,7 +36,10 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     File.new(Awskeyring::PREFS_FILE, 'w').write JSON.dump(prefs)
   end
-  def self.load_keychain
+  # Load the keychain for access
+  #
+  # @return [Keychain] keychain ready for use.
+  private_class_method def self.load_keychain
     unless File.exist?(Awskeyring::PREFS_FILE) && !prefs.empty?
       warn "Config missing, run `#{File.basename($PROGRAM_NAME)} initialise` to recreate."
       exit 1
@@ -39,95 +52,181 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     keychain
   end
-  def self.list_items
+  # Return a list of all acount items
+  private_class_method def self.list_items
     items = all_items.all.sort do |a, b|
       a.attributes[:label] <=> b.attributes[:label]
     end
     items.select { |elem| elem.attributes[:label].start_with?(ACCOUNT_PREFIX) }
   end
-  def self.list_roles
+  # Return a list of all role items
+  private_class_method def self.list_roles
     items = all_items.all.sort do |a, b|
       a.attributes[:label] <=> b.attributes[:label]
     end
     items.select { |elem| elem.attributes[:label].start_with?(ROLE_PREFIX) }
   end
-  def self.all_items
+  # Return all keychain items
+  private_class_method def self.all_items
     load_keychain.generic_passwords
   end
-  def self.add_item(account:, key:, secret:, comment:)
+  # Add an account item
+  def self.add_account(account:, key:, secret:, mfa:)
     all_items.create(
-      label: "#{ACCOUNT_PREFIX}#{account}",
+      label: ACCOUNT_PREFIX + account,
       account: key,
       password: secret,
-      comment: comment
+      comment: mfa
     )
   end
-  def self.update_item(account:, key:, secret:)
-    item = get_item(account)
+  # update and account item
+  def self.update_account(account:, key:, secret:)
+    item = get_item(account: account)
     item.attributes[:account] = key
     item.password = secret
     item.save!
   end
+  # Add a Role item
   def self.add_role(role:, arn:, account:)
     all_items.create(
-      label: "#{ROLE_PREFIX}#{role}",
+      label: ROLE_PREFIX + role,
       account: arn,
       password: '',
       comment: account
     )
   end
-  def self.add_pair(params = {})
-    all_items.create(label: "session-key #{params[:account]}",
+  # add a session token pair of items
+  def self.add_token(params = {})
+    all_items.create(label: SESSION_KEY_PREFIX + params[:account],
                      account: params[:key],
                      password: params[:secret],
-                     comment: "#{ROLE_PREFIX}#{params[:role]}")
-    all_items.create(label: "session-token #{params[:account]}",
+                     comment: ROLE_PREFIX + params[:role])
+    all_items.create(label: SESSION_TOKEN_PREFIX + params[:account],
                      account: params[:expiry],
                      password: params[:token],
-                     comment: "#{ROLE_PREFIX}#{params[:role]}")
+                     comment: ROLE_PREFIX + params[:role])
   end
-  def self.get_item(account)
-    all_items.where(label: "#{ACCOUNT_PREFIX}#{account}").first
+  # Return an account item by name
+  private_class_method def self.get_item(account:)
+    all_items.where(label: ACCOUNT_PREFIX + account).first
   end
-  def self.get_role(name)
-    all_items.where(label: "#{ROLE_PREFIX}#{name}").first
+  # Return a role item by name
+  private_class_method def self.get_role(role_name:)
+    all_items.where(label: ROLE_PREFIX + role_name).first
   end
-  def self.get_pair(account)
-    session_key = all_items.where(label: "session-key #{account}").first
-    session_token = all_items.where(label: "session-token #{account}").first if session_key
+  # Return a session token pair of items by name
+  private_class_method def self.get_pair(account:)
+    session_key = all_items.where(label: SESSION_KEY_PREFIX + account).first
+    session_token = all_items.where(label: SESSION_TOKEN_PREFIX + account).first if session_key
     [session_key, session_token]
   end
-  def self.list_item_names
+  # Return a list account item names
+  def self.list_account_names
     list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..-1] }
   end
+  # Return a list role item names
   def self.list_role_names
     list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..-1] }
   end
-  def self.delete_expired(key, token)
+  # Return a session token if available or a static key
+  private_class_method def self.get_valid_item_pair(account:)
+    session_key, session_token = get_pair(account: account)
+    session_key, session_token = delete_expired(key: session_key, token: session_token) if session_key
+    if session_key && session_token
+      puts '# Using temporary session credentials'
+      return session_key, session_token
+    end
+    item = get_item(account: account)
+    if item.nil?
+      warn "# Credential not found with name: #{account}"
+      exit 2
+    end
+    [item, nil]
+  end
+  # Return valid creds for account
+  def self.get_valid_creds(account:)
+    cred, temp_cred = get_valid_item_pair(account: account)
+    token = temp_cred.password unless temp_cred.nil?
+    {
+      account: account,
+      key: cred.attributes[:account],
+      secret: cred.password,
+      token: token
+    }
+  end
+  # Return a hash for account (skip tokens)
+  def self.get_account_hash(account:)
+    cred = get_item(account: account)
+    return unless cred
+    {
+      account: account,
+      key: cred.attributes[:account],
+      secret: cred.password,
+      mfa: cred.attributes[:comment]
+    }
+  end
+  # get the ARN for a role
+  def self.get_role_arn(role_name:)
+    role_item = get_role(role_name: role_name)
+    role_item.attributes[:account] if role_item
+  end
+  # Delete session token items if expired
+  private_class_method def self.delete_expired(key:, token:)
     expires_at = Time.at(token.attributes[:account].to_i)
     if expires_at < Time.now
-      delete_pair(key, token, '# Removing expired session credentials')
+      delete_pair(key: key, token: token, message: '# Removing expired session credentials')
       key = nil
       token = nil
     end
     [key, token]
   end
-  def self.delete_pair(key, token, message)
+  # Delete session token items
+  private_class_method def self.delete_pair(key:, token:, message:)
+    return unless key
     puts message if message
     token.delete if token
-    key.delete if key
+    key.delete
+  end
+  # Delete a session token
+  def self.delete_token(account:, message:)
+    session_key, session_token = get_pair(account: account)
+    delete_pair(key: session_key, token: session_token, message: message)
+  end
+  # Delete an Account
+  def self.delete_account(account:, message:)
+    delete_token(account: account, message: '# Removing expired session credentials')
+    cred = get_item(account: account)
+    return unless cred
+    puts message if message
+    cred.delete
+  end
+  # Delete a role
+  def self.delete_role(role_name:, message:)
+    role = get_role(role_name: role_name)
+    return unless role
+    puts message if message
+    role.delete
   end
 end

data/lib/awskeyring_command.rb CHANGED Viewed

@@ -1,14 +1,12 @@
-require 'aws-sdk-iam'
-require 'cgi'
 require 'highline'
-require 'json'
-require 'open-uri'
 require 'thor'
-require_relative 'awskeyring'
+require 'awskeyring'
+require 'awskeyring/awsapi'
+require 'awskeyring/validate'
 require 'awskeyring/version'
-# AWS Key-ring command line interface.
+# AWSkeyring command line interface.
 class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map %w[--version -v] => :__version
   map ['init'] => :initialise
@@ -19,13 +17,15 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map ['rmt'] => :remove_token
   desc '--version, -v', 'Prints the version'
+  # print the version number
   def __version
     puts Awskeyring::VERSION
   end
   desc 'initialise', 'Initialises a new KEYCHAIN'
   method_option :keychain, type: :string, aliases: '-n', desc: 'Name of KEYCHAIN to initialise.'
-  def initialise # rubocop:disable  Metrics/AbcSize
+  # initialise the keychain
+  def initialise
     unless Awskeyring.prefs.empty?
       puts "#{Awskeyring::PREFS_FILE} exists. no need to initialise."
       exit 1
@@ -47,38 +47,42 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   end
   desc 'list', 'Prints a list of accounts in the keyring'
+  # list the accounts
   def list
-    puts Awskeyring.list_item_names.join("\n")
+    puts Awskeyring.list_account_names.join("\n")
   end
   map 'list-role' => :list_role
   desc 'list-role', 'Prints a list of roles in the keyring'
+  # List roles
   def list_role
     puts Awskeyring.list_role_names.join("\n")
   end
   desc 'env ACCOUNT', 'Outputs bourne shell environment exports for an ACCOUNT'
+  # Print Env vars
   def env(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    cred = Awskeyring.get_valid_creds(account: account)
     put_env_string(
-      account: cred.attributes[:label],
-      key: cred.attributes[:account],
-      secret: cred.password,
-      token: token
+      account: cred[:account],
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token]
     )
   end
   desc 'exec ACCOUNT command...', 'Execute a COMMAND with the environment set for an ACCOUNT'
+  # execute an external command with env set
   def exec(account, *command)
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+    cred = Awskeyring.get_valid_creds(account: account)
     env_vars = env_vars(
-      account: cred.attributes[:label],
-      key: cred.attributes[:account],
-      secret: cred.password,
-      token: token
+      account: cred[:account],
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token]
     )
     pid = Process.spawn(env_vars, command.join(' '))
     Process.wait pid
@@ -88,22 +92,27 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :key, type: :string, aliases: '-k', desc: 'AWS account key id.'
   method_option :secret, type: :string, aliases: '-s', desc: 'AWS account secret.'
   method_option :mfa, type: :string, aliases: '-m', desc: 'AWS virtual mfa arn.'
-  def add(account = nil) # rubocop:disable Metrics/AbcSize
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    key = ask_check(existing: options[:key], message: 'access key id', validator: Awskeyring.method(:access_key))
+  # Add an Account
+  def add(account = nil) # rubocop:disable Metrics/MethodLength
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    key = ask_check(
+      existing: options[:key], message: 'access key id', validator: Awskeyring::Validate.method(:access_key)
+    )
     secret = ask_check(
       existing: options[:secret], message: 'secret access key',
-      secure: true, validator: Awskeyring.method(:secret_access_key)
+      secure: true, validator: Awskeyring::Validate.method(:secret_access_key)
     )
     mfa = ask_check(
-      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring.method(:mfa_arn)
+      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring::Validate.method(:mfa_arn)
     )
-    Awskeyring.add_item(
+    Awskeyring.add_account(
       account: account,
       key: key,
       secret: secret,
-      comment: mfa
+      mfa: mfa
     )
     puts "# Added account #{account}"
   end
@@ -111,11 +120,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map 'add-role' => :add_role
   desc 'add-role ROLE', 'Adds a ROLE to the keyring'
   method_option :arn, type: :string, aliases: '-a', desc: 'AWS role arn.'
+  # Add a role
   def add_role(role = nil)
-    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
-    arn = ask_check(existing: options[:arn], message: 'role arn', validator: Awskeyring.method(:role_arn))
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring::Validate.method(:role_name))
+    arn = ask_check(existing: options[:arn], message: 'role arn', validator: Awskeyring::Validate.method(:role_arn))
     account = ask_check(
-      existing: account, message: 'account', optional: true, validator: Awskeyring.method(:account_name)
+      existing: account, message: 'account', optional: true, validator: Awskeyring::Validate.method(:account_name)
     )
     Awskeyring.add_role(
@@ -127,53 +137,43 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   end
   desc 'remove ACCOUNT', 'Removes an ACCOUNT from the keyring'
+  # Remove an account
   def remove(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    Awskeyring.delete_pair(cred, temp_cred, "# Removing account #{account}")
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    Awskeyring.delete_account(account: account, message: "# Removing account #{account}")
   end
   desc 'remove-token ACCOUNT', 'Removes a token for ACCOUNT from the keyring'
+  # remove a session token
   def remove_token(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    session_key, session_token = Awskeyring.get_pair(account)
-    session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
-    Awskeyring.delete_pair(session_key, session_token, "# Removing token for account #{account}") if session_key
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    Awskeyring.delete_token(account: account, message: "# Removing token for account #{account}")
   end
   map 'remove-role' => :remove_role
   desc 'remove-role ROLE', 'Removes a ROLE from the keyring'
+  # remove a role
   def remove_role(role = nil)
-    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
-    item_role = Awskeyring.get_role(role)
-    Awskeyring.delete_pair(item_role, nil, "# Removing role #{role}")
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring::Validate.method(:role_name))
+    Awskeyring.delete_role(role_name: role, message: "# Removing role #{role}")
   end
   desc 'rotate ACCOUNT', 'Rotate access keys for an ACCOUNT'
-  def rotate(account = nil) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    item = Awskeyring.get_item(account)
-    iam = Aws::IAM::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
-    if iam.list_access_keys[:access_key_metadata].length > 1
-      warn "You have two access keys for account #{account}"
-      exit 1
-    end
-    new_key = iam.create_access_key
-    iam = Aws::IAM::Client.new(
-      access_key_id: new_key[:access_key][:access_key_id],
-      secret_access_key: new_key[:access_key][:secret_access_key]
+  # rotate Account keys
+  def rotate(account = nil)
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
     )
-    retry_backoff do
-      iam.delete_access_key(
-        access_key_id: item.attributes[:account]
-      )
-    end
-    Awskeyring.update_item(
+    item_hash = Awskeyring.get_account_hash(account: account)
+    new_key = Awskeyring::Awsapi.rotate(account: item_hash[:account], key: item_hash[:key], secret: item_hash[:secret])
+    Awskeyring.update_account(
       account: account,
-      key: new_key[:access_key][:access_key_id],
-      secret: new_key[:access_key][:secret_access_key]
+      key: new_key[:key],
+      secret: new_key[:secret]
     )
     puts "# Updated account #{account}"
@@ -183,8 +183,11 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :role, type: :string, aliases: '-r', desc: 'The ROLE to assume.'
   method_option :code, type: :string, aliases: '-c', desc: 'Virtual mfa CODE.'
   method_option :duration, type: :string, aliases: '-d', desc: 'Session DURATION in seconds.'
+  # generate a sessiopn token
   def token(account = nil, role = nil, code = nil) # rubocop:disable all
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
     role ||= options[:role]
     code ||= options[:code]
     duration = options[:duration]
@@ -196,111 +199,58 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       exit 2
     end
-    session_key, session_token = Awskeyring.get_pair(account)
-    Awskeyring.delete_pair(session_key, session_token, '# Removing STS credentials') if session_key
-    item = Awskeyring.get_item(account)
-    item_role = Awskeyring.get_role(role) if role
+    Awskeyring.delete_token(account: account, message: '# Removing STS credentials')
-    sts = Aws::STS::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
+    item_hash = Awskeyring.get_account_hash(account: account)
+    role_arn = Awskeyring.get_role_arn(role_name: role) if role
-    begin
-      response =
-        if code && role
-          sts.assume_role(
-            duration_seconds: duration.to_i,
-            role_arn: item_role.attributes[:account],
-            role_session_name: ENV['USER'],
-            serial_number: item.attributes[:comment],
-            token_code: code
-          )
-        elsif role
-          sts.assume_role(
-            duration_seconds: duration.to_i,
-            role_arn: item_role.attributes[:account],
-            role_session_name: ENV['USER']
-          )
-        elsif code
-          sts.get_session_token(
-            duration_seconds: duration.to_i,
-            serial_number: item.attributes[:comment],
-            token_code: code
-          )
-        end
-    rescue Aws::STS::Errors::AccessDenied => e
-      puts e.to_s
-      exit 1
-    end
+    new_creds = Awskeyring::Awsapi.get_token(
+      code: code,
+      role_arn: role_arn,
+      duration: duration,
+      mfa: item_hash[:mfa],
+      key: item_hash[:key],
+      secret: item_hash[:secret],
+      user: ENV['USER']
+    )
-    Awskeyring.add_pair(
+    Awskeyring.add_token(
       account: account,
-      key: response.credentials[:access_key_id],
-      secret: response.credentials[:secret_access_key],
-      token: response.credentials[:session_token],
-      expiry: response.credentials[:expiration].to_i.to_s,
+      key: new_creds[:key],
+      secret: new_creds[:secret],
+      token: new_creds[:token],
+      expiry: new_creds[:expiry].to_i.to_s,
       role: role
     )
-    puts "Authentication valid until #{response.credentials[:expiration]}"
+    puts "Authentication valid until #{new_creds[:expiry]}"
   end
   desc 'console ACCOUNT', 'Open the AWS Console for the ACCOUNT'
   method_option :path, type: :string, aliases: '-p', desc: 'The service PATH to open.'
-  def console(account = nil) # rubocop:disable all
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+  # Open the AWS Console
+  def console(account = nil)
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    cred = Awskeyring.get_valid_creds(account: account)
     path = options[:path] || 'console'
-    console_url = "https://console.aws.amazon.com/#{path}/home"
-    signin_url = 'https://signin.aws.amazon.com/federation'
-    policy_json = {
-      Version: '2012-10-17',
-      Statement: [{
-        Action: '*',
-        Resource: '*',
-        Effect: 'Allow'
-      }]
-    }.to_json
-    if temp_cred
-      session_json = {
-        sessionId: cred.attributes[:account],
-        sessionKey: cred.password,
-        sessionToken: token
-      }.to_json
-    else
-      sts = Aws::STS::Client.new(access_key_id: cred.attributes[:account],
-                                 secret_access_key: cred.password)
-      session = sts.get_federation_token(name: ENV['USER'],
-                                         policy: policy_json,
-                                         duration_seconds: (60 * 60 * 12))
-      session_json = {
-        sessionId: session.credentials[:access_key_id],
-        sessionKey: session.credentials[:secret_access_key],
-        sessionToken: session.credentials[:session_token]
-      }.to_json
-    end
-    get_signin_token_url = signin_url + '?Action=getSigninToken' \
-                           '&Session=' + CGI.escape(session_json)
-    returned_content = open(get_signin_token_url).read
-    signin_token = JSON.parse(returned_content)['SigninToken']
-    signin_token_param = '&SigninToken=' + CGI.escape(signin_token)
-    destination_param = '&Destination=' + CGI.escape(console_url)
-    login_url = signin_url + '?Action=login' + signin_token_param + destination_param
+    login_url = Awskeyring::Awsapi.get_login_url(
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token],
+      path: path,
+      user: ENV['USER']
+    )
     pid = Process.spawn("open \"#{login_url}\"")
     Process.wait pid
   end
-  # autocomplete
   desc 'awskeyring CURR PREV', 'Autocompletion for bourne shells', hide: true
+  # autocomplete
   def awskeyring(curr, prev)
     comp_line = ENV['COMP_LINE']
     unless comp_line
@@ -318,12 +268,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   private
-  def print_auto_resp(curr, len) # rubocop:disable  Metrics/AbcSize
+  def print_auto_resp(curr, len)
     case len
     when 2
       puts list_commands.select { |elem| elem.start_with?(curr) }.join("\n")
     when 3
-      puts Awskeyring.list_item_names.select { |elem| elem.start_with?(curr) }.join("\n")
+      puts Awskeyring.list_account_names.select { |elem| elem.start_with?(curr) }.join("\n")
     when 4
       puts Awskeyring.list_role_names.select { |elem| elem.start_with?(curr) }.join("\n")
     else
@@ -335,23 +285,6 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     self.class.all_commands.keys.map { |elem| elem.tr('_', '-') }
   end
-  def get_valid_item_pair(account:)
-    session_key, session_token = Awskeyring.get_pair(account)
-    session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
-    if session_key && session_token
-      puts '# Using temporary session credentials'
-      return session_key, session_token
-    end
-    item = Awskeyring.get_item(account)
-    if item.nil?
-      warn "# Credential not found with name: #{account}"
-      exit 2
-    end
-    [item, nil]
-  end
   def env_vars(account:, key:, secret:, token:)
     env_var = {}
     env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless ENV['AWS_DEFAULT_REGION']
@@ -388,21 +321,6 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     value
   end
-  def retry_backoff(&block)
-    retries ||= 1
-    begin
-      yield block
-    rescue Aws::IAM::Errors::InvalidClientTokenId => e
-      if retries < 4
-        sleep 2**retries
-        retries += 1
-        retry
-      end
-      warn e.message
-      exit 1
-    end
-  end
   def ask_missing(existing:, message:, secure: false, optional: false)
     existing || ask(message: message, secure: secure, optional: optional)
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awskeyring
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.1.0
 platform: ruby
 authors:
 - Tristan Morgan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-03-01 00:00:00.000000000 Z
+date: 2018-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-iam
@@ -157,6 +157,7 @@ files:
 - awskeyring.gemspec
 - exe/awskeyring
 - lib/awskeyring.rb
+- lib/awskeyring/awsapi.rb
 - lib/awskeyring/validate.rb
 - lib/awskeyring/version.rb
 - lib/awskeyring_command.rb