awskeyring 1.2.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c691b2c94541dc7bf3562ae06b25231dbc8b04f42a04cb327209424f46c9849
-  data.tar.gz: a4c0362c4656c64de13708d44a38a1258da651abc1fb79635d99992b0259fd4a
+  metadata.gz: ae2606582cb2a9c079bf4ebcb6223570148954cf66fe9938c9b4d969c1312da6
+  data.tar.gz: d6b24f01901e6c3161e1874f9bd9d018f9b62e734d7d73f5ffaed78f0125ecb1
 SHA512:
-  metadata.gz: d7982836f83b748af2e4a64ce91b74f33f7f26a6423919fe0ce114011b8ffae9af61039e93a9307e7caeb97eb60ba22131dc57725d6bedd69529fc80e57c6db2
-  data.tar.gz: 79700754547b8ce87008a8624686dac7d362947f48e2e9a8a9904e71522454c53c63ed5edfc0fea5f16f5b2be9409641375836fb78fc0dd1c6f91c7b7b6464ca
+  metadata.gz: d7704820e908585b67575c319e03493512917a9e5ea5db9620040402c49fbcd6466448e108949bcf32ea2d2f782e2ee8bf7e3e1bdd4e4138cb6d462c2c603635
+  data.tar.gz: 667e7d6d0417cda0a79c1d81680469f1ba2c7a03630bd8e7269e03f137ad669155126a927eb39542b1e9e0b07ee0f408678bb603bc77900cc7db9ff60e702c6b

data/CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## [v1.4.0](https://github.com/servian/awskeyring/tree/v1.4.0) (2020-06-19)
+
+[Full Changelog](https://github.com/servian/awskeyring/compare/v1.3.3...v1.4.0)
+
+**Implemented enhancements:**
+
+- Import Keys and Tokens from shared credentials files. [\#65](https://github.com/servian/awskeyring/pull/65) ([tristanmorgan](https://github.com/tristanmorgan))
+
+## [v1.3.3](https://github.com/servian/awskeyring/tree/v1.3.3) (2020-06-04)
+
+[Full Changelog](https://github.com/servian/awskeyring/compare/v1.3.2...v1.3.3)
+
+**Implemented enhancements:**
+
+- Change email references from Vibrato to Servian [\#64](https://github.com/servian/awskeyring/pull/64) ([tristanmorgan](https://github.com/tristanmorgan))
+
+## [v1.3.2](https://github.com/servian/awskeyring/tree/v1.3.2) (2020-04-27)
+
+[Full Changelog](https://github.com/servian/awskeyring/compare/v1.3.1...v1.3.2)
+
+**Fixed bugs:**
+
+- Fix I18n message load when used as a library. [\#63](https://github.com/servian/awskeyring/pull/63) ([tristanmorgan](https://github.com/tristanmorgan))
+
+## [v1.3.1](https://github.com/servian/awskeyring/tree/v1.3.1) (2020-03-19)
+
+[Full Changelog](https://github.com/servian/awskeyring/compare/v1.3.0...v1.3.1)
+
+**Implemented enhancements:**
+
+- Markdown linting changes and removed Rubocop-MD. [\#61](https://github.com/servian/awskeyring/pull/61) ([tristanmorgan](https://github.com/tristanmorgan))
+- Removed some redundant code. [\#60](https://github.com/servian/awskeyring/pull/60) ([tristanmorgan](https://github.com/tristanmorgan))
+
+**Merged pull requests:**
+
+- Update Ronn code and PR template. [\#59](https://github.com/servian/awskeyring/pull/59) ([tristanmorgan](https://github.com/tristanmorgan))
+
+## [v1.3.0](https://github.com/servian/awskeyring/tree/v1.3.0) (2020-02-19)
+
+[Full Changelog](https://github.com/servian/awskeyring/compare/v1.2.0...v1.3.0)
+
+**Implemented enhancements:**
+
+- Add a man-page and tweak README. [\#58](https://github.com/servian/awskeyring/pull/58) ([tristanmorgan](https://github.com/tristanmorgan))
+- Enhanced version [\#57](https://github.com/servian/awskeyring/pull/57) ([AzySir](https://github.com/AzySir))
+
 ## [v1.2.0](https://github.com/servian/awskeyring/tree/v1.2.0) (2020-01-20)
 
 [Full Changelog](https://github.com/servian/awskeyring/compare/v1.1.2...v1.2.0)

data/CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [tristan@vibrato.com.au]. All
+reported by contacting the project team at [tristan.morgan@servian.com](mailto:tristan.morgan@servian.com). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -68,6 +68,6 @@ members of the project's leadership.
 ## Attribution
 
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+available [here](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html)
 
 [homepage]: https://www.contributor-covenant.org

data/CONTRIBUTING.md

@@ -35,7 +35,7 @@ A friendly `README.md` written for many audiences.
 
 The [wiki].
 
-###  API documentation
+### API documentation
 
 API documentation is written as [YARD] docblocks in the Ruby code.
 

data/Gemfile

@@ -8,9 +8,9 @@ gemspec
 group :development do
   gem 'github_changelog_generator'
   gem 'rake'
+  gem 'ronn'
   gem 'rspec'
   gem 'rubocop'
-  gem 'rubocop-md'
   gem 'rubocop-performance'
   gem 'rubocop-rake'
   gem 'rubocop-rspec'

data/README.md

@@ -9,7 +9,8 @@
 * [![Version Downloads](https://ruby-gem-downloads-badge.herokuapp.com/awskeyring?label=downloads-current-version)](https://rubygems.org/gems/awskeyring)
 * [![Documentation](https://img.shields.io/badge/yard-docs-brightgreen.svg)](https://www.rubydoc.info/gems/awskeyring)
 
-Awskeyring is a small tool to manage AWS account keys in the macOS Keychain.
+Awskeyring is a small tool to manage AWS account keys in the macOS Keychain. It has
+grown to incorporate a lot of [features](https://github.com/servian/awskeyring/wiki/Awskeyring-features).
 
 ## Motivation
 
@@ -34,17 +35,19 @@ Please see the [Wiki](https://github.com/servian/awskeyring/wiki) for full usage
 
 First you need to initialise your keychain to hold your AWS credentials.
 
-    awskeyring initialise
+    $ awskeyring initialise
 
 Then add your keys to it.
 
-    awskeyring add personal-aws
+    $ awskeyring add personal-aws
 
 Now your keys are stored safely in the macOS keychain. To print environment variables run...
 
-    awskeyring env personal-aws
+    $ awskeyring env personal-aws
 
-Alternatively you can create a profile using the credential_process config variable. See the [AWS CLI Config docs](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#cli-aws-help-config-vars) for more details on this config option.
+Alternatively you can create a profile using the credential_process config variable. See the
+[AWS CLI Config docs](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#cli-aws-help-config-vars) for
+more details on this config option.
 
     [profile personal]
     region = us-west-1
@@ -62,6 +65,7 @@ The CLI is using [Thor](http://whatisthor.com) with help provided interactively.
       awskeyring env ACCOUNT                 # Outputs bourne shell environment exports for an ACCOUNT
       awskeyring exec ACCOUNT command...     # Execute a COMMAND with the environment set for an ACCOUNT
       awskeyring help [COMMAND]              # Describe available commands or one specific command
+      awskeyring import ACCOUNT              # Import an ACCOUNT to the keyring from ~/.aws/credentials
       awskeyring initialise                  # Initialises a new KEYCHAIN
       awskeyring json ACCOUNT                # Outputs AWS CLI compatible JSON for an ACCOUNT
       awskeyring list                        # Prints a list of accounts in the keyring
@@ -87,17 +91,28 @@ To set your environment easily the following bash function helps:
 
 ## Development
 
-After checking out the repo, run `bundle update` to install dependencies. Then, run `rake` to run the tests. Run `bundle exec awskeyring` to use the gem in this directory, ignoring other installed copies of this gem. Awskeyring is tested against the last two versions of Ruby shipped with macOS.
+After checking out the repo, run `bundle update` to install dependencies. Then, run `bundle exec rake` to run the
+tests. Run `bundle exec awskeyring` to use the gem in this directory, ignoring other installed copies of this gem.
+Awskeyring is tested against the last two versions of Ruby shipped with macOS.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
 
 ## Security
 
-If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at [tristan@vibrato.com.au](mailto:tristan@vibrato.com.au). Awskeyring is a Ruby script and as such Ruby is whitelisted to access your "awskeyring" keychain. Use a strong password and keep the unlock time short.
+If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
+[tristan.morgan@servian.com](mailto:tristan.morgan@servian.com). Awskeyring is a Ruby script and as such Ruby is whitelisted
+to access your "awskeyring" keychain. Use a strong password and keep the unlock time short.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/servian/awskeyring. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](https://contributor-covenant.org) code of conduct.
+Bug reports and pull requests are welcome on GitHub at [https://github.com/servian/awskeyring](https://github.com/servian/awskeyring).
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to
+the [Contributor Covenant](https://contributor-covenant.org) code of conduct.
+
+### Contributors
+
+* Tristan [tristanmorgan](https://github.com/tristanmorgan)
+* Adam Sir [AzySir](https://github.com/AzySir)
 
 ## License
 

data/Rakefile

@@ -3,6 +3,7 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
+require 'ronn'
 require 'github_changelog_generator/task'
 require 'yard'
 
@@ -14,30 +15,48 @@ GitHubChangelogGenerator::RakeTask.new :changelog do |config|
 end
 
 RuboCop::RakeTask.new do |rubocop|
-  rubocop.options = ['-D']
+  rubocop.options = %w[-D --enable-pending-cops]
+  rubocop.requires << 'rubocop-performance'
+  rubocop.requires << 'rubocop-rake'
+  rubocop.requires << 'rubocop-rspec'
+  rubocop.requires << 'rubocop-rubycw'
 end
 
-RSpec::Core::RakeTask.new(:spec)
+desc 'Run RSpec code examples'
+task :spec do
+  puts 'Running RSpec...'
+  require 'rspec/core'
+  runner = RSpec::Core::Runner
+  xcode = runner.run(%w[--pattern spec/**{,/*/**}/*_spec.rb --order rand --format documentation --color])
+  abort 'RSpec failed' if xcode.positive?
+end
 
 desc 'Check filemode bits'
 task :filemode do
-  files = `git ls-files -z`.split("\x0")
-  failure = false
-  files.each do |file|
+  puts 'Running FileMode...'
+  files = Set.new(`git ls-files -z`.split("\x0"))
+  dirs = Set.new(files.map { |file| File.dirname(file) })
+  failure = []
+  files.merge(dirs).each do |file|
     mode = File.stat(file).mode
     print '.'
-    if (mode & 0x7) != (mode >> 3 & 0x7)
-      puts file
-      failure = true
-    end
+    failure << file if (mode & 0x7) != (mode >> 3 & 0x7)
   end
-  abort 'Error: Incorrect file mode found' if failure
+  abort "\nError: Incorrect file mode found\n#{failure.join("\n")}" unless failure.empty?
   print "\n"
 end
 
+desc 'generate manpage'
+task :ronn do
+  puts 'Running Ronn...'
+  roff_text = Ronn::Document.new('man/awskeyring.5.ronn').to_roff
+  File.write('man/awskeyring.5', roff_text)
+  puts "done\n\n"
+end
+
 YARD::Rake::YardocTask.new do |t|
   t.options = ['--fail-on-warning', '--no-progress']
   t.stats_options = ['--list-undoc']
 end
 
-task default: %i[filemode rubocop spec yard]
+task default: %i[filemode rubocop spec ronn yard]

data/awskeyring.gemspec

@@ -8,18 +8,26 @@ Gem::Specification.new do |spec|
   spec.name          = 'awskeyring'
   spec.version       = Awskeyring::VERSION
   spec.authors       = ['Tristan Morgan']
-  spec.email         = ['tristan@vibrato.com.au']
+  spec.email         = 'tristan.morgan@servian.com'
 
   spec.summary       = 'Manages AWS credentials in the macOS keychain'
   spec.description   = 'Manages AWS credentials in the macOS keychain'
   spec.homepage      = Awskeyring::HOMEPAGE
-  spec.license       = 'MIT'
+  spec.licenses      = ['MIT']
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^spec/|^\..*|^.*\.png}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
+  spec.metadata = {
+    'bug_tracker_uri' => "#{Awskeyring::HOMEPAGE}/issues",
+    'changelog_uri' => "#{Awskeyring::HOMEPAGE}/blob/master/CHANGELOG.md",
+    'documentation_uri' => "https://rubydoc.info/gems/#{spec.name}/#{Awskeyring::VERSION}",
+    'source_code_uri' => "#{Awskeyring::HOMEPAGE}/tree/v#{Awskeyring::VERSION}",
+    'wiki_uri' => "#{Awskeyring::HOMEPAGE}/wiki"
+  }
+
   spec.add_dependency('aws-sdk-iam')
   spec.add_dependency('i18n')
   spec.add_dependency('ruby-keychain')

data/i18n/en.yml

@@ -14,6 +14,8 @@ en:
     desc: Outputs bourne shell environment exports for an ACCOUNT
   exec:
     desc: Execute a COMMAND with the environment set for an ACCOUNT
+  import:
+    desc: Import an ACCOUNT to the keyring from ~/.aws/credentials
   initialise:
     desc: Initialises a new KEYCHAIN
   json:

data/lib/awskeyring.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'i18n'
 require 'json'
 require 'keychain'
 require 'awskeyring/validate'
@@ -7,6 +8,9 @@ require 'awskeyring/validate'
 # Awskeyring Module,
 # gives you an interface to access keychains and items.
 module Awskeyring # rubocop:disable Metrics/ModuleLength
+  I18n.load_path = Dir.glob(File.join(File.realpath(__dir__), '..', 'i18n', '*.{yml,yaml}'))
+  I18n.backend.load_translations
+
   # Default rpeferences fole path
   PREFS_FILE = (File.expand_path '~/.awskeyring').freeze
   # Prefix for Roles
@@ -68,18 +72,17 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
 
   # Return a list of all acount items
   private_class_method def self.list_items
-    items = all_items.all.sort do |elem_a, elem_b|
-      elem_a.attributes[:label] <=> elem_b.attributes[:label]
-    end
-    items.select { |elem| elem.attributes[:label].start_with?(ACCOUNT_PREFIX) }
+    all_items.all.select { |elem| elem.attributes[:label].start_with?(ACCOUNT_PREFIX) }
   end
 
   # Return a list of all role items
   private_class_method def self.list_roles
-    items = all_items.all.sort do |elem_a, elem_b|
-      elem_a.attributes[:label] <=> elem_b.attributes[:label]
-    end
-    items.select { |elem| elem.attributes[:label].start_with?(ROLE_PREFIX) }
+    all_items.all.select { |elem| elem.attributes[:label].start_with?(ROLE_PREFIX) }
+  end
+
+  # Return a list of all acount items
+  private_class_method def self.list_tokens
+    all_items.all.select { |elem| elem.attributes[:label].start_with?(SESSION_KEY_PREFIX) }
   end
 
   # Return all keychain items
@@ -171,12 +174,21 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
 
   # Return a list account item names
   def self.list_account_names
-    list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..-1] }
+    items = list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..-1] }
+
+    tokens = list_tokens.map { |elem| elem.attributes[:label][(SESSION_KEY_PREFIX.length)..-1] }
+
+    (items + tokens).uniq.sort
   end
 
   # Return a list role item names
   def self.list_role_names
-    list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..-1] }
+    list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..-1] }.sort
+  end
+
+  # Return a list token item names
+  def self.list_token_names
+    list_tokens.map { |elem| elem.attributes[:label][(SESSION_KEY_PREFIX.length)..-1] }.sort
   end
 
   # Return a list role item names and arns
@@ -242,7 +254,7 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
   # Delete session token items if expired
   private_class_method def self.delete_expired(key:, token:)
     expires_at = Time.at(token.attributes[:account].to_i)
-    if expires_at < Time.now
+    if expires_at < Time.new
       delete_pair(key: key, token: token, message: I18n.t('message.delexpired'))
       key = nil
       token = nil
@@ -343,6 +355,16 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     role_name
   end
 
+  # Validate token exists
+  #
+  # @param [String] token_name the associated account name.
+  def self.token_exists(token_name)
+    Awskeyring::Validate.account_name(token_name)
+    raise 'Token does not exist' unless list_token_names.include?(token_name)
+
+    token_name
+  end
+
   # Validate role arn not exists
   #
   # @param [String] role_arn the associated role arn.

data/lib/awskeyring/awsapi.rb

@@ -24,6 +24,7 @@ module Awskeyring
 
     # AWS Env vars
     AWS_ENV_VARS = %w[
+      AWS_ACCOUNT_NAME
       AWS_ACCESS_KEY_ID
       AWS_ACCESS_KEY
       AWS_SECRET_ACCESS_KEY
@@ -116,29 +117,23 @@ module Awskeyring
     # Generates Environment Variables for the AWS CLI
     #
     # @param [Hash] params including
-    #    [String] account The aws_access_key_id
+    #    [String] account The aws account name
+    #    [String] key The aws_access_key_id
     #    [String] secret The aws_secret_access_key
     #    [String] token The aws_session_token
     # @return [Hash] env_var hash
     def self.get_env_array(params = {})
       env_var = {}
       env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
-      env_var['AWS_ACCOUNT_NAME'] = params[:account] if params[:account]
 
-      if params[:key]
-        env_var['AWS_ACCESS_KEY_ID'] = params[:key]
-        env_var['AWS_ACCESS_KEY'] = params[:key]
-      end
-
-      if params[:secret]
-        env_var['AWS_SECRET_ACCESS_KEY'] = params[:secret]
-        env_var['AWS_SECRET_KEY'] = params[:secret]
+      params.each_key do |param_name|
+        AWS_ENV_VARS.each do |var_name|
+          if var_name.include?(param_name.to_s.upcase) && !params[param_name].nil?
+            env_var[var_name] = params[param_name]
+          end
+        end
       end
 
-      if params[:token]
-        env_var['AWS_SECURITY_TOKEN'] = params[:token]
-        env_var['AWS_SESSION_TOKEN'] = params[:token]
-      end
       env_var
     end
 
@@ -146,10 +141,11 @@ module Awskeyring
     #
     # @param [String] key The aws_access_key_id
     # @param [String] secret The aws_secret_access_key
-    def self.verify_cred(key:, secret:)
+    # @param [String] token The aws_session_token
+    def self.verify_cred(key:, secret:, token:)
       begin
         ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
-        sts = Aws::STS::Client.new(access_key_id: key, secret_access_key: secret)
+        sts = Aws::STS::Client.new(access_key_id: key, secret_access_key: secret, session_token: token)
         sts.get_caller_identity
       rescue Aws::Errors::ServiceError => e
         warn e.to_s
@@ -158,6 +154,26 @@ module Awskeyring
       true
     end
 
+    # Retrieve credentials from the AWS Credentials file
+    #
+    # @param [String] account the profile name wanted
+    # @return [Hash] with the new credentials
+    #    key The aws_access_key_id
+    #    secret The aws_secret_access_key
+    #    token The aws_session_token
+    #    expiry expiry time
+    def self.get_credentials_from_file(account:)
+      creds = Aws::SharedCredentials.new(profile_name: account)
+      {
+        account: account,
+        key: creds.credentials.access_key_id,
+        secret: creds.credentials.secret_access_key,
+        token: creds.credentials.session_token,
+        expiry: Time.new + TWELVE_HOUR,
+        role: nil
+      }
+    end
+
     # Retrieves an AWS Console login url
     #
     # @param [String] key The aws_access_key_id
@@ -166,30 +182,22 @@ module Awskeyring
     # @param [String] user The local username
     # @param [String] path within the Console to access
     # @return [String] login_url to access
-    def self.get_login_url(key:, secret:, token:, path:, user:) # rubocop:disable Metrics/MethodLength
+    def self.get_login_url(key:, secret:, token:, path:, user:)
       console_url = "https://console.aws.amazon.com/#{path}/home"
 
-      if token
-        session_json = {
-          sessionId: key,
-          sessionKey: secret,
-          sessionToken: token
-        }.to_json
-      else
-        ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
-        sts = Aws::STS::Client.new(access_key_id: key,
-                                   secret_access_key: secret)
-
-        session = sts.get_federation_token(name: user,
-                                           policy: ADMIN_POLICY,
-                                           duration_seconds: TWELVE_HOUR)
-        session_json = {
-          sessionId: session.credentials[:access_key_id],
-          sessionKey: session.credentials[:secret_access_key],
-          sessionToken: session.credentials[:session_token]
-        }.to_json
+      unless token
+        cred = get_token({ key: key, secret: secret, user: user, duration: TWELVE_HOUR })
+        key = cred[:key]
+        secret = cred[:secret]
+        token = cred[:token]
       end
 
+      session_json = {
+        sessionId: key,
+        sessionKey: secret,
+        sessionToken: token
+      }.to_json
+
       destination_param = '&Destination=' + CGI.escape(console_url)
 
       AWS_SIGNIN_URL + '?Action=login' + token_param(session_json: session_json) + destination_param
@@ -235,10 +243,10 @@ module Awskeyring
         exit 1
       end
 
-      new_key = iam.create_access_key
+      new_key = iam.create_access_key[:access_key]
       iam = Aws::IAM::Client.new(
-        access_key_id: new_key[:access_key][:access_key_id],
-        secret_access_key: new_key[:access_key][:secret_access_key]
+        access_key_id: new_key[:access_key_id],
+        secret_access_key: new_key[:secret_access_key]
       )
       retry_backoff do
         iam.delete_access_key(
@@ -247,8 +255,8 @@ module Awskeyring
       end
       {
         account: account,
-        key: new_key[:access_key][:access_key_id],
-        secret: new_key[:access_key][:secret_access_key]
+        key: new_key[:access_key_id],
+        secret: new_key[:secret_access_key]
       }
     end
 

data/lib/awskeyring/validate.rb

@@ -9,7 +9,7 @@ module Awskeyring
     #
     # @param [String] account_name the associated account name.
     def self.account_name(account_name)
-      raise 'Invalid Account Name' unless account_name =~ /\S+/
+      raise 'Invalid Account Name' unless /\S+/.match?(account_name)
 
       account_name
     end
@@ -18,7 +18,7 @@ module Awskeyring
     #
     # @param [String] aws_access_key The aws_access_key_id
     def self.access_key(aws_access_key)
-      raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
+      raise 'Invalid Access Key' unless /\AAKIA[A-Z0-9]{12,16}\z/.match?(aws_access_key)
 
       aws_access_key
     end
@@ -36,7 +36,7 @@ module Awskeyring
     #
     # @param [String] mfa_arn The users MFA arn
     def self.mfa_arn(mfa_arn)
-      raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
+      raise 'Invalid MFA ARN' unless %r(\Aarn:aws:iam::[0-9]{12}:mfa/\S*\z).match?(mfa_arn)
 
       mfa_arn
     end
@@ -45,7 +45,7 @@ module Awskeyring
     #
     # @param [String] role_name
     def self.role_name(role_name)
-      raise 'Invalid Role Name' unless role_name =~ /\S+/
+      raise 'Invalid Role Name' unless /\S+/.match?(role_name)
 
       role_name
     end
@@ -54,7 +54,7 @@ module Awskeyring
     #
     # @param [String] role_arn The role arn
     def self.role_arn(role_arn)
-      raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
+      raise 'Invalid Role ARN' unless %r(\Aarn:aws:iam::[0-9]{12}:role/\S*\z).match?(role_arn)
 
       role_arn
     end
@@ -63,7 +63,7 @@ module Awskeyring
     #
     # @param [String] mfa_code The mfa code
     def self.mfa_code(mfa_code)
-      raise 'Invalid MFA CODE' unless mfa_code =~ /\A\d{6}\z/
+      raise 'Invalid MFA CODE' unless /\A\d{6}\z/.match?(mfa_code)
 
       mfa_code
     end

data/lib/awskeyring/version.rb

@@ -1,8 +1,24 @@
 # frozen_string_literal: true
 
+require 'json'
+
+# Awskeyring Module,
+# Version const and query of latest.
 module Awskeyring
   # The Gem's version number
-  VERSION = '1.2.0'
+  VERSION = '1.4.0'
   # The Gem's homepage
   HOMEPAGE = 'https://github.com/servian/awskeyring'
+
+  # RubyGems Version url
+  GEM_VERSION_URL = 'https://rubygems.org/api/v1/versions/awskeyring/latest.json'
+
+  # Retrieve the latest version from RubyGems
+  #
+  def self.latest_version
+    uri       = URI(GEM_VERSION_URL)
+    request   = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    JSON.parse(request.get(uri).body)['version']
+  end
 end

data/lib/awskeyring_command.rb

@@ -34,9 +34,13 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   end
 
   desc '--version, -v', I18n.t('__version.desc')
+  method_option 'no-remote', type: :boolean, aliases: '-r', desc: I18n.t('method_option.noremote'), default: false
   # print the version number
   def __version
     puts "Awskeyring v#{Awskeyring::VERSION}"
+    if !options['no-remote'] && Awskeyring::VERSION != Awskeyring.latest_version
+      puts "the latest version v#{Awskeyring.latest_version}"
+    end
     puts "Homepage #{Awskeyring::HOMEPAGE}"
   end
 
@@ -118,6 +122,42 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     )
   end
 
+  desc 'import ACCOUNT', I18n.t('import.desc')
+  method_option 'no-remote', type: :boolean, aliases: '-r', desc: I18n.t('method_option.noremote'), default: false
+  # Import an Account
+  def import(account = nil) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+    account = ask_check(
+      existing: account, message: I18n.t('message.account'), validator: Awskeyring.method(:account_not_exists)
+    )
+    new_creds = Awskeyring::Awsapi.get_credentials_from_file(account: account)
+    unless options['no-remote']
+      Awskeyring::Awsapi.verify_cred(
+        key: new_creds[:key],
+        secret: new_creds[:secret],
+        token: new_creds[:token]
+      )
+    end
+    if new_creds[:token].nil?
+      Awskeyring.add_account(
+        account: new_creds[:account],
+        key: new_creds[:key],
+        secret: new_creds[:secret],
+        mfa: ''
+      )
+      puts I18n.t('message.addaccount', account: account)
+    else
+      Awskeyring.add_token(
+        account: new_creds[:account],
+        key: new_creds[:key],
+        secret: new_creds[:secret],
+        token: new_creds[:token],
+        expiry: new_creds[:expiry].to_i.to_s,
+        role: nil
+      )
+      puts I18n.t('message.addtoken', account: account, time: Time.at(new_creds[:expiry].to_i))
+    end
+  end
+
   desc 'exec ACCOUNT command...', I18n.t('exec.desc')
   method_option 'no-token', type: :boolean, aliases: '-n', desc: I18n.t('method_option.notoken'), default: false
   # execute an external command with env set
@@ -159,7 +199,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       existing: options[:mfa], message: I18n.t('message.mfa'),
       flags: 'optional', validator: Awskeyring::Validate.method(:mfa_arn)
     )
-    Awskeyring::Awsapi.verify_cred(key: key, secret: secret) unless options['no-remote']
+    Awskeyring::Awsapi.verify_cred(key: key, secret: secret, token: nil) unless options['no-remote']
     Awskeyring.add_account(
       account: account,
       key: key,
@@ -231,8 +271,8 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   # remove a session token
   def remove_token(account = nil)
     account = ask_check(
-      existing: account, message: I18n.t('message.account'), validator: Awskeyring.method(:account_exists),
-      limited_to: Awskeyring.list_account_names
+      existing: account, message: I18n.t('message.account'), validator: Awskeyring.method(:token_exists),
+      limited_to: Awskeyring.list_token_names
     )
     Awskeyring.delete_token(account: account, message: I18n.t('message.deltoken', account: account))
   end
@@ -285,7 +325,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :code, type: :string, aliases: '-c', desc: I18n.t('method_option.code')
   method_option :duration, type: :string, aliases: '-d', desc: I18n.t('method_option.duration')
   # generate a sessiopn token
-  def token(account = nil, role = nil, code = nil) # rubocop:disable all
+  def token(account = nil, role = nil, code = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
     account = ask_check(
       existing: account,
       message: I18n.t('message.account'),
@@ -305,19 +345,13 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
         existing: code, message: I18n.t('message.code'), validator: Awskeyring::Validate.method(:mfa_code)
       )
     end
-    duration = options[:duration]
-    duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s if role
-    duration ||= Awskeyring::Awsapi::TWELVE_HOUR.to_s if code
-    duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s
-
     item_hash = age_check_and_get(account: account, no_token: true)
-    role_arn = Awskeyring.get_role_arn(role_name: role) if role
 
     begin
       new_creds = Awskeyring::Awsapi.get_token(
         code: code,
-        role_arn: role_arn,
-        duration: duration,
+        role_arn: (Awskeyring.get_role_arn(role_name: role) if role),
+        duration: default_duration(options[:duration], role, code),
         mfa: item_hash[:mfa],
         key: item_hash[:key],
         secret: item_hash[:secret],
@@ -417,6 +451,8 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       comp_len = 2
     when '--path', '-p'
       comp_len = 4
+    when 'remove-token', 'rmt'
+      comp_len = 5
     end
 
     [curr, comp_len, sub_cmd]
@@ -432,7 +468,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     self.class.map[sub_cmd].to_s
   end
 
-  def print_auto_resp(curr, len, sub_cmd)
+  def print_auto_resp(curr, len, sub_cmd) # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity
     list = []
     case len
     when 0
@@ -445,6 +481,8 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       list = list_arguments(command: sub_cmd)
     when 4
       list = Awskeyring.list_console_path
+    when 5
+      list = Awskeyring.list_token_names
     else
       exit 1
     end
@@ -467,6 +505,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     Awskeyring::Awsapi::AWS_ENV_VARS.each { |key| puts "unset #{key}" unless env_var.key?(key) }
   end
 
+  def default_duration(duration, role, code)
+    duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s if role
+    duration ||= Awskeyring::Awsapi::TWELVE_HOUR.to_s if code
+    duration || Awskeyring::Awsapi::ONE_HOUR.to_s
+  end
+
   def ask_check(existing:, message:, flags: nil, validator: nil, limited_to: nil) # rubocop:disable Metrics/MethodLength
     retries ||= 3
     begin

data/man/awskeyring.5

@@ -0,0 +1,194 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "AWSKEYRING" "5" "June 2020" "" ""
+.
+.SH "NAME"
+\fBAwskeyring\fR \- is a small tool to manage AWS account keys in the macOS Keychain
+.
+.SH "SYNOPSIS"
+awskeyring COMMAND [ACCOUNT|ROLE] [OPTIONS]
+.
+.P
+awskeyring help COMMAND
+.
+.SH "DESCRIPTION"
+The Awskeyring utility stores and manages AWS access keys and provides the facility to generate access tokens with combinations of assumed roles and multi\-factor\-authentication codes\. It includes autocompletion features and multiple validation checks for input parsing\. It also includes the ability for the AWS CLI to call it directly to provide authentication\.
+.
+.P
+The commands are as follows:
+.
+.TP
+\-\-version, \-v:
+.
+.IP
+Prints the version
+.
+.TP
+add ACCOUNT:
+.
+.IP
+Adds an ACCOUNT to the keyring
+.
+.TP
+add\-role ROLE:
+.
+.IP
+Adds a ROLE to the keyring
+.
+.TP
+console ACCOUNT:
+.
+.IP
+Open the AWS Console for the ACCOUNT
+.
+.TP
+env ACCOUNT:
+.
+.IP
+Outputs bourne shell environment exports for an ACCOUNT
+.
+.TP
+exec ACCOUNT command\.\.\.:
+.
+.IP
+Execute a COMMAND with the environment set for an ACCOUNT
+.
+.TP
+help [COMMAND]:
+.
+.IP
+Describe available commands or one specific command
+.
+.TP
+import:
+.
+.IP
+Import an ACCOUNT to the keyring from ~/\.aws/credentials
+.
+.TP
+initialise:
+.
+.IP
+Initialises a new KEYCHAIN
+.
+.TP
+json ACCOUNT:
+.
+.IP
+Outputs AWS CLI compatible JSON for an ACCOUNT
+.
+.TP
+list:
+.
+.IP
+Prints a list of accounts in the keyring
+.
+.TP
+list\-role:
+.
+.IP
+Prints a list of roles in the keyring
+.
+.TP
+remove ACCOUNT:
+.
+.IP
+Removes an ACCOUNT from the keyring
+.
+.TP
+remove\-role ROLE:
+.
+.IP
+Removes a ROLE from the keyring
+.
+.TP
+remove\-token ACCOUNT:
+.
+.IP
+Removes a token for ACCOUNT from the keyring
+.
+.TP
+rotate ACCOUNT:
+.
+.IP
+Rotate access keys for an ACCOUNT
+.
+.TP
+token ACCOUNT [ROLE] [MFA]:
+.
+.IP
+Create an STS Token from a ROLE or an MFA code
+.
+.TP
+update ACCOUNT:
+.
+.IP
+Updates an ACCOUNT in the keyring
+.
+.SH "ENVIRONMENT"
+The AWS_DEFAULT_REGION environment variable will be used for AWS API calls where specified or fall back to us\-east\-1 when not\.
+.
+.SH "EXIT STATUS"
+The Awskeyring utility exits 0 on success, and >0 if an error occurs\.
+.
+.SH "EXAMPLES"
+First you need to initialise your keychain to hold your AWS credentials\.
+.
+.IP "" 4
+.
+.nf
+
+awskeyring initialise
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Then add your keys to it\.
+.
+.IP "" 4
+.
+.nf
+
+awskeyring add personal\-aws
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Now your keys are stored safely in the macOS keychain\. To print environment variables run\.\.\.
+.
+.IP "" 4
+.
+.nf
+
+awskeyring env personal\-aws
+.
+.fi
+.
+.IP "" 0
+.
+.SH "HISTORY"
+The motivation of this application is to provide a local secure store of AWS credentials using specifically in the macOS Keychain, to have them easily accessed from the Terminal, and to provide useful functions like assuming roles and opening the AWS Console from the cli\. For Enterprise environments there are better suited tools to use like HashiCorp Vault \fIhttps://vaultproject\.io/\fR\.
+.
+.SH "SECURITY"
+If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at \fItristan\.morgan@servian\.com\fR\. Awskeyring is a Ruby script and as such Ruby is whitelisted to access your "awskeyring" keychain\. Use a strong password and keep the unlock time short\.
+.
+.SH "AUTHOR"
+Tristan Morgan \fItristan\.morgan@servian\.com\fR is the maintainer of Awskeyring\.
+.
+.SH "CONTRIBUTORS"
+.
+.IP "\(bu" 4
+Tristan tristanmorgan \fIhttps://github\.com/tristanmorgan\fR
+.
+.IP "\(bu" 4
+Adam Sir AzySir \fIhttps://github\.com/AzySir\fR
+.
+.IP "" 0
+.
+.SH "LICENSE"
+The gem is available as open source under the terms of the MIT License \fIhttps://opensource\.org/licenses/MIT\fR\.

data/man/awskeyring.5.ronn

@@ -0,0 +1,138 @@
+# Awskeyring -- is a small tool to manage AWS account keys in the macOS Keychain
+
+## SYNOPSIS
+
+awskeyring COMMAND [ACCOUNT|ROLE] [OPTIONS]
+
+awskeyring help COMMAND
+
+## DESCRIPTION
+
+The Awskeyring utility stores and manages AWS access keys and provides the facility to generate access tokens with
+combinations of assumed roles and multi-factor-authentication codes. It includes autocompletion features and multiple
+validation checks for input parsing. It also includes the ability for the AWS CLI to call it directly to provide authentication.
+
+The commands are as follows:
+
+* --version, -v:
+
+    Prints the version
+
+* add ACCOUNT:
+
+    Adds an ACCOUNT to the keyring
+
+* add-role ROLE:
+
+    Adds a ROLE to the keyring
+
+* console ACCOUNT:
+
+    Open the AWS Console for the ACCOUNT
+
+* env ACCOUNT:
+
+    Outputs bourne shell environment exports for an ACCOUNT
+
+* exec ACCOUNT command...:
+
+    Execute a COMMAND with the environment set for an ACCOUNT
+
+* help [COMMAND]:
+
+    Describe available commands or one specific command
+
+* import:
+
+    Import an ACCOUNT to the keyring from ~/.aws/credentials
+
+* initialise:
+
+    Initialises a new KEYCHAIN
+
+* json ACCOUNT:
+
+    Outputs AWS CLI compatible JSON for an ACCOUNT
+
+* list:
+
+    Prints a list of accounts in the keyring
+
+* list-role:
+
+    Prints a list of roles in the keyring
+
+* remove ACCOUNT:
+
+    Removes an ACCOUNT from the keyring
+
+* remove-role ROLE:
+
+    Removes a ROLE from the keyring
+
+* remove-token ACCOUNT:
+
+    Removes a token for ACCOUNT from the keyring
+
+* rotate ACCOUNT:
+
+    Rotate access keys for an ACCOUNT
+
+* token ACCOUNT [ROLE] [MFA]:
+
+    Create an STS Token from a ROLE or an MFA code
+
+* update ACCOUNT:
+
+    Updates an ACCOUNT in the keyring
+
+## ENVIRONMENT
+
+The AWS_DEFAULT_REGION environment variable will be used for AWS API calls where specified or fall back to us-east-1
+when not.
+
+## EXIT STATUS
+
+The Awskeyring utility exits 0 on success, and >0 if an error occurs.
+
+## EXAMPLES
+
+First you need to initialise your keychain to hold your AWS credentials.
+
+    awskeyring initialise
+
+Then add your keys to it.
+
+    awskeyring add personal-aws
+
+Now your keys are stored safely in the macOS keychain. To print environment variables run...
+
+    awskeyring env personal-aws
+
+## HISTORY
+
+The motivation of this application is to provide a local secure store of AWS
+credentials using specifically in the macOS Keychain, to have them easily accessed
+from the Terminal, and to provide useful functions like assuming roles and opening
+the AWS Console from the cli.
+For Enterprise environments there are better suited tools to use
+like [HashiCorp Vault](https://vaultproject.io/).
+
+## SECURITY
+
+If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
+[tristan.morgan@servian.com](mailto:tristan.morgan@servian.com). Awskeyring is a Ruby script and as such Ruby is whitelisted to
+access your "awskeyring" keychain. Use a strong password and keep the unlock time short.
+
+## AUTHOR
+
+Tristan Morgan <tristan.morgan@servian.com> is the maintainer of Awskeyring.
+
+## CONTRIBUTORS
+
+* Tristan [tristanmorgan](https://github.com/tristanmorgan)
+* Adam Sir [AzySir](https://github.com/AzySir)
+
+## LICENSE
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awskeyring
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Tristan Morgan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-01-20 00:00:00.000000000 Z
+date: 2020-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-iam
@@ -67,8 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: Manages AWS credentials in the macOS keychain
-email:
-- tristan@vibrato.com.au
+email: tristan.morgan@servian.com
 executables:
 - awskeyring
 extensions: []
@@ -90,10 +89,17 @@ files:
 - lib/awskeyring/validate.rb
 - lib/awskeyring/version.rb
 - lib/awskeyring_command.rb
+- man/awskeyring.5
+- man/awskeyring.5.ronn
 homepage: https://github.com/servian/awskeyring
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/servian/awskeyring/issues
+  changelog_uri: https://github.com/servian/awskeyring/blob/master/CHANGELOG.md
+  documentation_uri: https://rubydoc.info/gems/awskeyring/1.4.0
+  source_code_uri: https://github.com/servian/awskeyring/tree/v1.4.0
+  wiki_uri: https://github.com/servian/awskeyring/wiki
 post_install_message: 
 rdoc_options: []
 require_paths: