awskeyring 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f560b1fef85ec599c9debb10eace0e76746e64d7
-  data.tar.gz: 356f577f81a1fd72ef6571e8aaf64e6bd6829a95
+  metadata.gz: 2aadd847341fb6a4dd7016dfca3fdd1ba60fe4c9
+  data.tar.gz: a8e548fb70b847b3fc7d7e1a277a4d12a054029c
 SHA512:
-  metadata.gz: 7cc1ff83f60d58b3f5c9fd9ec104657425f5719649a6b28e88ce8fd6ccd46e6f550e64314129cfbeca4c0e78c0c5a809b30c93642a53f887ef2bcf2e6a2aef9f
-  data.tar.gz: 70f3b813b8f6c3886bb83cc290e5b065351a16f365f00a2d40761811e18bf45a4768d732443e54c195e6069b6a4c6544e1117dade9a4fc9eb5acc25db85e728b
+  metadata.gz: 60a505a585398dc8e6034bbc51c4deef834f650fb76a042bc248f338dfbdb3e6354dab42d2536f404f93bee4785f21dfe5bc9fd4fb2c2a3b7cad52a297fc1414
+  data.tar.gz: 8a282201ceb09a170e1beeb2dd3ecc57dc4058ec669d5b3cb9cc1d9ce33a99ad6b3c09ad42e5c1146f504ee6559eb4c258857961a5e864709a8a5741d5bd15e0

data/.rubocop.yml

@@ -1,3 +1,4 @@
+---
 Metrics/LineLength:
   Max: 120
 
@@ -6,7 +7,7 @@ Metrics/MethodLength:
 
 Metrics/BlockLength:
   Exclude:
-    - spec/*/*
+    - spec/**/*
 
 Naming/FileName:
   Exclude:

data/.travis.yml

@@ -1,8 +1,18 @@
+---
 language: ruby
 os: osx
 rvm:
-- 2.3.3
+  - 2.3.3
 before_install: gem install bundler
 notifications:
   slack:
-    secure: okKLlQ93ogj8ut18MZazQD63XTIzCpTfneYQMlKPaLU5HnooAkUFmEpSN8igTJD0GuEQ7Jf8+BkFlhECWl1FwtzIW6z/yMadiiLwY6qA/O1ZVVYZmkS4kpcKtCMrvO0Hf3iPLXpJX0sQGfGsMsho6NZuNs0dzlrr4+HX/cEGmDXBocDDxdv2d25HzHtqt4l+4axeJ+PJdHDmYlDzhtMAXhkGoPfzws7MPvkVcqY0eZRW2WqccO52zlQrBNcphp7BI8mLTW/BwkEY9YndJf2xoBaoEOuaIJbGgHbmskGMRui3vZnd08/fiWkNsCI/EhB5BDJ41bwobsHEtuqu+Qx92kI+hzjtU4D16k1v/6HDm61T6gh6BTp0QEXJeOkiecjVGyzrMlBf5BEyIB7JfLvGPa7RUbvvvUxFGcEtnSbUZ49cXAG7cKiiSgcNOocCrMNIRAe864Tm606Mud1RbOv8tEiS9BJ96ktOpOfvrYPyYMRFTte2gRLwNDwcpXIWTI39CXD2EBxSfRK/OqmggLYMG5AKhxyS/Vl7E2p9gii6syB0LnpFBIZ6t+OSve7fZtCU/wruC5IrI/vHtWfApvADYKsXG6FEYJoJ1LsCDjIRlrkwV1dEVsp/HSSO6zRh9KhJ3b7yzL97Dyi6dCi+nM7aKGrox/8kvcn9alrdRt8sz3c=
+    secure: "okKLlQ93ogj8ut18MZazQD63XTIzCpTfneYQMlKPaLU5HnooAkUFmEpSN8ig\
+TJD0GuEQ7Jf8+BkFlhECWl1FwtzIW6z/yMadiiLwY6qA/O1ZVVYZmkS4kpcKtCMrvO0Hf3iPL\
+XpJX0sQGfGsMsho6NZuNs0dzlrr4+HX/cEGmDXBocDDxdv2d25HzHtqt4l+4axeJ+PJdHDmYl\
+DzhtMAXhkGoPfzws7MPvkVcqY0eZRW2WqccO52zlQrBNcphp7BI8mLTW/BwkEY9YndJf2xoBa\
+oEOuaIJbGgHbmskGMRui3vZnd08/fiWkNsCI/EhB5BDJ41bwobsHEtuqu+Qx92kI+hzjtU4D1\
+6k1v/6HDm61T6gh6BTp0QEXJeOkiecjVGyzrMlBf5BEyIB7JfLvGPa7RUbvvvUxFGcEtnSbUZ\
+49cXAG7cKiiSgcNOocCrMNIRAe864Tm606Mud1RbOv8tEiS9BJ96ktOpOfvrYPyYMRFTte2gR\
+LwNDwcpXIWTI39CXD2EBxSfRK/OqmggLYMG5AKhxyS/Vl7E2p9gii6syB0LnpFBIZ6t+OSve7\
+fZtCU/wruC5IrI/vHtWfApvADYKsXG6FEYJoJ1LsCDjIRlrkwV1dEVsp/HSSO6zRh9KhJ3b7y\
+zL97Dyi6dCi+nM7aKGrox/8kvcn9alrdRt8sz3c="

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## [v0.0.6](https://github.com/vibrato/awskeyring/tree/v0.0.6) (2018-03-01)
+[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.5...v0.0.6)
+
+**Implemented enhancements:**
+
+- Credential Rotation Feature [\#4](https://github.com/vibrato/awskeyring/issues/4)
+- Rotate credentials feature. [\#11](https://github.com/vibrato/awskeyring/pull/11) ([tristanmorgan](https://github.com/tristanmorgan))
+
+**Merged pull requests:**
+
+- Input validation [\#10](https://github.com/vibrato/awskeyring/pull/10) ([tristanmorgan](https://github.com/tristanmorgan))
+- Adding a check for incorrect file modes. [\#9](https://github.com/vibrato/awskeyring/pull/9) ([tristanmorgan](https://github.com/tristanmorgan))
+
 ## [v0.0.5](https://github.com/vibrato/awskeyring/tree/v0.0.5) (2018-02-15)
 [Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.4...v0.0.5)
 

data/README.md

@@ -56,6 +56,7 @@ The CLI is using [Thor](http://whatisthor.com) with help provided interactively.
       awskeyring remove ACCOUNT              # Removes an ACCOUNT from the keyring
       awskeyring remove-role ROLE            # Removes a ROLE from the keyring
       awskeyring remove-token ACCOUNT        # Removes a token for ACCOUNT from the keyring
+      awskeyring rotate ACCOUNT              # Rotate access keys for an ACCOUNT
       awskeyring token ACCOUNT [ROLE] [MFA]  # Create an STS Token from a ROLE or an MFA code
 
 and autocomplete that can be installed with:

data/Rakefile

@@ -13,4 +13,18 @@ end
 
 RSpec::Core::RakeTask.new(:spec)
 
-task default: %i[rubocop spec]
+desc 'Check filemode bits'
+task :filemode do
+  files = Dir.glob('**/*')
+  failure = false
+  files.each do |file|
+    mode = File.stat(file).mode
+    if (mode & 0x7) != (mode >> 3 & 0x7)
+      puts file
+      failure = true
+    end
+  end
+  abort 'Error: Incorrect file mode found' if failure
+end
+
+task default: %i[filemode rubocop spec]

data/lib/awskeyring.rb

@@ -1,9 +1,10 @@
 require 'keychain'
 require 'aws-sdk-iam'
+require 'awskeyring/validate'
 
 # Aws Key-ring logical object,
 # gives you an interface to access keychains and items.
-module Awskeyring
+module Awskeyring # rubocop:disable Metrics/ModuleLength
   PREFS_FILE = (File.expand_path '~/.awskeyring').freeze
   ROLE_PREFIX = 'role '.freeze
   ACCOUNT_PREFIX = 'account '.freeze
@@ -65,6 +66,13 @@ module Awskeyring
     )
   end
 
+  def self.update_item(account:, key:, secret:)
+    item = get_item(account)
+    item.attributes[:account] = key
+    item.password = secret
+    item.save!
+  end
+
   def self.add_role(role:, arn:, account:)
     all_items.create(
       label: "#{ROLE_PREFIX}#{role}",

data/lib/awskeyring/validate.rb

@@ -0,0 +1,32 @@
+# Validation methods
+module Awskeyring
+  def self.account_name(account_name)
+    raise 'Invalid Account Name' unless account_name =~ /\S+/
+    account_name
+  end
+
+  def self.access_key(aws_access_key)
+    raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
+    aws_access_key
+  end
+
+  def self.secret_access_key(aws_secret_access_key)
+    raise 'Secret Access Key is not 40 chars' if aws_secret_access_key.length != 40
+    aws_secret_access_key
+  end
+
+  def self.mfa_arn(mfa_arn)
+    raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
+    mfa_arn
+  end
+
+  def self.role_name(account_name)
+    raise 'Invalid Role Name' unless account_name =~ /\S+/
+    account_name
+  end
+
+  def self.role_arn(role_arn)
+    raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
+    role_arn
+  end
+end

data/lib/awskeyring/version.rb

@@ -1,3 +1,3 @@
 module Awskeyring
-  VERSION = '0.0.5'.freeze
+  VERSION = '0.0.6'.freeze
 end

data/lib/awskeyring_command.rb

@@ -37,11 +37,13 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     puts 'Creating a new Keychain, you will be prompted for a password for it.'
     Awskeyring.init_keychain(awskeyring: keychain)
 
+    exec_name = File.basename($PROGRAM_NAME)
+
     puts 'Your keychain has been initialised. It will auto-lock after 5 minutes'
     puts 'and when sleeping. Use Keychain Access to adjust.'
     puts
     puts "Add accounts to your #{keychain} keychain with:"
-    puts "    #{$PROGRAM_NAME} add"
+    puts "    #{exec_name} add"
   end
 
   desc 'list', 'Prints a list of accounts in the keyring'
@@ -57,7 +59,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
 
   desc 'env ACCOUNT', 'Outputs bourne shell environment exports for an ACCOUNT'
   def env(account = nil)
-    account = ask_missing(existing: account, message: 'account name')
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
     cred, temp_cred = get_valid_item_pair(account: account)
     token = temp_cred.password unless temp_cred.nil?
     put_env_string(
@@ -86,11 +88,16 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :key, type: :string, aliases: '-k', desc: 'AWS account key id.'
   method_option :secret, type: :string, aliases: '-s', desc: 'AWS account secret.'
   method_option :mfa, type: :string, aliases: '-m', desc: 'AWS virtual mfa arn.'
-  def add(account = nil)
-    account = ask_missing(existing: account, message: 'account name')
-    key = ask_missing(existing: options[:key], message: 'access key id')
-    secret = ask_missing(existing: options[:secret], message: 'secret access key', secure: true)
-    mfa = ask_missing(existing: options[:mfa], message: 'mfa arn', optional: true)
+  def add(account = nil) # rubocop:disable Metrics/AbcSize
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
+    key = ask_check(existing: options[:key], message: 'access key id', validator: Awskeyring.method(:access_key))
+    secret = ask_check(
+      existing: options[:secret], message: 'secret access key',
+      secure: true, validator: Awskeyring.method(:secret_access_key)
+    )
+    mfa = ask_check(
+      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring.method(:mfa_arn)
+    )
 
     Awskeyring.add_item(
       account: account,
@@ -98,33 +105,37 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       secret: secret,
       comment: mfa
     )
+    puts "# Added account #{account}"
   end
 
   map 'add-role' => :add_role
   desc 'add-role ROLE', 'Adds a ROLE to the keyring'
   method_option :arn, type: :string, aliases: '-a', desc: 'AWS role arn.'
   def add_role(role = nil)
-    role = ask_missing(existing: role, message: 'role name')
-    arn = ask_missing(existing: options[:arn], message: 'role arn')
-    account = ask_missing(existing: account, message: 'account', optional: true)
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
+    arn = ask_check(existing: options[:arn], message: 'role arn', validator: Awskeyring.method(:role_arn))
+    account = ask_check(
+      existing: account, message: 'account', optional: true, validator: Awskeyring.method(:account_name)
+    )
 
     Awskeyring.add_role(
       role: role,
       arn: arn,
       account: account
     )
+    puts "# Added role #{role}"
   end
 
   desc 'remove ACCOUNT', 'Removes an ACCOUNT from the keyring'
   def remove(account = nil)
-    account = ask_missing(existing: account, message: 'account name')
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
     cred, temp_cred = get_valid_item_pair(account: account)
     Awskeyring.delete_pair(cred, temp_cred, "# Removing account #{account}")
   end
 
   desc 'remove-token ACCOUNT', 'Removes a token for ACCOUNT from the keyring'
   def remove_token(account = nil)
-    account = ask_missing(existing: account, message: 'account name')
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
     session_key, session_token = Awskeyring.get_pair(account)
     session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
     Awskeyring.delete_pair(session_key, session_token, "# Removing token for account #{account}") if session_key
@@ -133,17 +144,47 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map 'remove-role' => :remove_role
   desc 'remove-role ROLE', 'Removes a ROLE from the keyring'
   def remove_role(role = nil)
-    role = ask_missing(existing: role, message: 'role name')
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
     item_role = Awskeyring.get_role(role)
     Awskeyring.delete_pair(item_role, nil, "# Removing role #{role}")
   end
 
+  desc 'rotate ACCOUNT', 'Rotate access keys for an ACCOUNT'
+  def rotate(account = nil) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
+    item = Awskeyring.get_item(account)
+    iam = Aws::IAM::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
+
+    if iam.list_access_keys[:access_key_metadata].length > 1
+      warn "You have two access keys for account #{account}"
+      exit 1
+    end
+
+    new_key = iam.create_access_key
+    iam = Aws::IAM::Client.new(
+      access_key_id: new_key[:access_key][:access_key_id],
+      secret_access_key: new_key[:access_key][:secret_access_key]
+    )
+    retry_backoff do
+      iam.delete_access_key(
+        access_key_id: item.attributes[:account]
+      )
+    end
+    Awskeyring.update_item(
+      account: account,
+      key: new_key[:access_key][:access_key_id],
+      secret: new_key[:access_key][:secret_access_key]
+    )
+
+    puts "# Updated account #{account}"
+  end
+
   desc 'token ACCOUNT [ROLE] [MFA]', 'Create an STS Token from a ROLE or an MFA code'
   method_option :role, type: :string, aliases: '-r', desc: 'The ROLE to assume.'
   method_option :code, type: :string, aliases: '-c', desc: 'Virtual mfa CODE.'
   method_option :duration, type: :string, aliases: '-d', desc: 'Session DURATION in seconds.'
   def token(account = nil, role = nil, code = nil) # rubocop:disable all
-    account = ask_missing(existing: account, message: 'account name')
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
     role ||= options[:role]
     code ||= options[:code]
     duration = options[:duration]
@@ -206,7 +247,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   desc 'console ACCOUNT', 'Open the AWS Console for the ACCOUNT'
   method_option :path, type: :string, aliases: '-p', desc: 'The service PATH to open.'
   def console(account = nil) # rubocop:disable all
-    account = ask_missing(existing: account, message: 'account name')
+    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
     cred, temp_cred = get_valid_item_pair(account: account)
     token = temp_cred.password unless temp_cred.nil?
 
@@ -334,6 +375,34 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     puts 'unset AWS_SESSION_TOKEN' unless token
   end
 
+  def ask_check(existing:, message:, secure: false, optional: false, validator: nil)
+    retries ||= 3
+    begin
+      value = ask_missing(existing: existing, message: message, secure: secure, optional: optional)
+      value = validator.call(value) unless value.empty? && optional
+    rescue RuntimeError => e
+      warn e.message
+      retry unless (retries -= 1).zero?
+      exit 1
+    end
+    value
+  end
+
+  def retry_backoff(&block)
+    retries ||= 1
+    begin
+      yield block
+    rescue Aws::IAM::Errors::InvalidClientTokenId => e
+      if retries < 4
+        sleep 2**retries
+        retries += 1
+        retry
+      end
+      warn e.message
+      exit 1
+    end
+  end
+
   def ask_missing(existing:, message:, secure: false, optional: false)
     existing || ask(message: message, secure: secure, optional: optional)
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awskeyring
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Tristan Morgan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-02-15 00:00:00.000000000 Z
+date: 2018-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-iam
@@ -157,6 +157,7 @@ files:
 - awskeyring.gemspec
 - exe/awskeyring
 - lib/awskeyring.rb
+- lib/awskeyring/validate.rb
 - lib/awskeyring/version.rb
 - lib/awskeyring_command.rb
 homepage: https://github.com/vibrato/awskeyring