RubyGems - awskeyring - Versions diffs - 0.0.6 → 0.1.0 - Mend

awskeyring 0.0.6 → 0.1.0

Files changed (11) hide show

checksums.yaml +4 -4
data/.rspec +1 -0
data/.rubocop.yml +3 -0
data/CHANGELOG.md +8 -0
data/awskeyring.gemspec +1 -1
data/lib/awskeyring/awsapi.rb +167 -0
data/lib/awskeyring/validate.rb +46 -24
data/lib/awskeyring/version.rb +2 -1
data/lib/awskeyring.rb +130 -31
data/lib/awskeyring_command.rb +101 -183
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2aadd847341fb6a4dd7016dfca3fdd1ba60fe4c9
-  data.tar.gz: a8e548fb70b847b3fc7d7e1a277a4d12a054029c
+  metadata.gz: e245afbb0324eea304fcc2c010617ebc3b78c53f
+  data.tar.gz: 7be3de5bff9b16373021863d33a5aaa677046f60
 SHA512:
-  metadata.gz: 60a505a585398dc8e6034bbc51c4deef834f650fb76a042bc248f338dfbdb3e6354dab42d2536f404f93bee4785f21dfe5bc9fd4fb2c2a3b7cad52a297fc1414
-  data.tar.gz: 8a282201ceb09a170e1beeb2dd3ecc57dc4058ec669d5b3cb9cc1d9ce33a99ad6b3c09ad42e5c1146f504ee6559eb4c258857961a5e864709a8a5741d5bd15e0
+  metadata.gz: 04610b85c96d2da14c5d7874790fd9b33425aea0c0d1e1b087c8e17534daa2c6238bb1dee84830890f4b13256d55dd0c37521f33c90bd97f171d50c5fd488fc8
+  data.tar.gz: fde8d5db0fc622b19423a171e3027c222ee9f54e5263533248eaaf10e27c05ab613404cf07656c58ec427069f8e660114fc1614ee0a252f435827b426ba486a2

data/.rspec CHANGED Viewed

@@ -1,2 +1,3 @@
+--order rand
 --format documentation
 --color

data/.rubocop.yml CHANGED Viewed

@@ -9,6 +9,9 @@ Metrics/BlockLength:
   Exclude:
     - spec/**/*
+Metrics/AbcSize:
+  Max: 20
 Naming/FileName:
   Exclude:
     - Gemfile

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Change Log
+## [v0.1.0](https://github.com/vibrato/awskeyring/tree/v0.1.0) (2018-03-14)
+[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.6...v0.1.0)
+**Implemented enhancements:**
+- Item refactor [\#13](https://github.com/vibrato/awskeyring/pull/13) ([tristanmorgan](https://github.com/tristanmorgan))
+- Aws refactor [\#12](https://github.com/vibrato/awskeyring/pull/12) ([tristanmorgan](https://github.com/tristanmorgan))
 ## [v0.0.6](https://github.com/vibrato/awskeyring/tree/v0.0.6) (2018-03-01)
 [Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.0.5...v0.0.6)

data/awskeyring.gemspec CHANGED Viewed

@@ -1,4 +1,4 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'awskeyring/version'

data/lib/awskeyring/awsapi.rb ADDED Viewed

@@ -0,0 +1,167 @@
+require 'aws-sdk-iam'
+require 'cgi'
+require 'json'
+# Awskeyring Module,
+# gives you an interface to access keychains and items.
+module Awskeyring
+  # AWS API methods for Awskeyring
+  module Awsapi # rubocop:disable Metrics/ModuleLength
+    # Retrieves a temporary session token from AWS
+    #
+    # @param [Hash] params including
+    #    key The aws_access_key_id
+    #    secret The aws_secret_access_key
+    #    user The local username
+    #    mfa The users MFA arn
+    #    code The MFA code
+    #    duration time in seconds until expiry
+    #    role_arn ARN of the role to assume
+    # @return [Hash] with the new credentials
+    #    key The aws_access_key_id
+    #    secret The aws_secret_access_key
+    #    token The aws_session_token
+    #    expiry expiry time
+    def self.get_token(params = {}) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
+      sts = Aws::STS::Client.new(access_key_id: params[:key], secret_access_key: params[:secret])
+      begin
+        response =
+          if params[:code] && params[:role_arn]
+            sts.assume_role(
+              duration_seconds: params[:duration].to_i,
+              role_arn: params[:role_arn],
+              role_session_name: params[:user],
+              serial_number: params[:mfa],
+              token_code: params[:code]
+            )
+          elsif params[:role_arn]
+            sts.assume_role(
+              duration_seconds: params[:duration].to_i,
+              role_arn: params[:role_arn],
+              role_session_name: params[:user]
+            )
+          elsif params[:code]
+            sts.get_session_token(
+              duration_seconds: params[:duration].to_i,
+              serial_number: params[:mfa],
+              token_code: params[:code]
+            )
+          end
+      rescue Aws::STS::Errors::AccessDenied => e
+        puts e.to_s
+        exit 1
+      end
+      {
+        key: response.credentials[:access_key_id],
+        secret: response.credentials[:secret_access_key],
+        token: response.credentials[:session_token],
+        expiry: response.credentials[:expiration]
+      }
+    end
+    # Retrieves an AWS Console login url
+    #
+    # @param [String] key The aws_access_key_id
+    # @param [String] secret The aws_secret_access_key
+    # @param [String] token The aws_session_token
+    # @param [String] user The local username
+    # @param [String] path within the Console to access
+    # @return [String] login_url to access
+    def self.get_login_url(key:, secret:, token:, path:, user:) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
+      console_url = "https://console.aws.amazon.com/#{path}/home"
+      signin_url = 'https://signin.aws.amazon.com/federation'
+      policy_json = {
+        Version: '2012-10-17',
+        Statement: [{
+          Action: '*',
+          Resource: '*',
+          Effect: 'Allow'
+        }]
+      }.to_json
+      if token
+        session_json = {
+          sessionId: key,
+          sessionKey: secret,
+          sessionToken: token
+        }.to_json
+      else
+        sts = Aws::STS::Client.new(access_key_id: key,
+                                   secret_access_key: secret)
+        session = sts.get_federation_token(name: user,
+                                           policy: policy_json,
+                                           duration_seconds: (60 * 60 * 12))
+        session_json = {
+          sessionId: session.credentials[:access_key_id],
+          sessionKey: session.credentials[:secret_access_key],
+          sessionToken: session.credentials[:session_token]
+        }.to_json
+      end
+      get_signin_token_url = signin_url + '?Action=getSigninToken' \
+                             '&Session=' + CGI.escape(session_json)
+      returned_content = Net::HTTP.get(URI.parse(get_signin_token_url))
+      signin_token = JSON.parse(returned_content)['SigninToken']
+      signin_token_param = '&SigninToken=' + CGI.escape(signin_token)
+      destination_param = '&Destination=' + CGI.escape(console_url)
+      signin_url + '?Action=login' + signin_token_param + destination_param
+    end
+    # Rotates the AWS access keys
+    #
+    # @param [String] key The aws_access_key_id
+    # @param [String] secret The aws_secret_access_key
+    # @param [String] account the associated account name.
+    # @return [String] key The aws_access_key_id
+    # @return [String] secret The aws_secret_access_key
+    # @return [String] account the associated account name.
+    def self.rotate(account:, key:, secret:) # rubocop:disable  Metrics/MethodLength
+      iam = Aws::IAM::Client.new(access_key_id: key, secret_access_key: secret)
+      if iam.list_access_keys[:access_key_metadata].length > 1
+        warn "You have two access keys for account #{account}"
+        exit 1
+      end
+      new_key = iam.create_access_key
+      iam = Aws::IAM::Client.new(
+        access_key_id: new_key[:access_key][:access_key_id],
+        secret_access_key: new_key[:access_key][:secret_access_key]
+      )
+      retry_backoff do
+        iam.delete_access_key(
+          access_key_id: key
+        )
+      end
+      {
+        account: account,
+        key: new_key[:access_key][:access_key_id],
+        secret: new_key[:access_key][:secret_access_key]
+      }
+    end
+    # Retry the call with backoff
+    #
+    # @param [Block] block the block to retry.
+    def self.retry_backoff(&block)
+      retries ||= 1
+      begin
+        yield block
+      rescue Aws::IAM::Errors::InvalidClientTokenId => e
+        if retries < 4
+          sleep 2**retries
+          retries += 1
+          retry
+        end
+        warn e.message
+        exit 1
+      end
+    end
+  end
+end

data/lib/awskeyring/validate.rb CHANGED Viewed

@@ -1,32 +1,54 @@
-# Validation methods
+# Awskeyring Module,
+# gives you an interface to access keychains and items.
 module Awskeyring
-  def self.account_name(account_name)
-    raise 'Invalid Account Name' unless account_name =~ /\S+/
-    account_name
-  end
+  # Validation methods for Awskeyring
+  module Validate
+    # Validate an account name
+    #
+    # @param [String] account_name the associated account name.
+    def self.account_name(account_name)
+      raise 'Invalid Account Name' unless account_name =~ /\S+/
+      account_name
+    end
-  def self.access_key(aws_access_key)
-    raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
-    aws_access_key
-  end
+    # Validate an AWS Access Key ID
+    #
+    # @param [String] aws_access_key The aws_access_key_id
+    def self.access_key(aws_access_key)
+      raise 'Invalid Access Key' unless aws_access_key =~ /\AAKIA[A-Z0-9]{12,16}\z/
+      aws_access_key
+    end
-  def self.secret_access_key(aws_secret_access_key)
-    raise 'Secret Access Key is not 40 chars' if aws_secret_access_key.length != 40
-    aws_secret_access_key
-  end
+    # Validate an AWS Secret Key ID
+    #
+    # @param [String] aws_secret_access_key The aws_secret_access_key
+    def self.secret_access_key(aws_secret_access_key)
+      raise 'Secret Access Key is not 40 chars' if aws_secret_access_key.length != 40
+      aws_secret_access_key
+    end
-  def self.mfa_arn(mfa_arn)
-    raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
-    mfa_arn
-  end
+    # Validate an Users mfa ARN
+    #
+    # @param [String] mfa_arn The users MFA arn
+    def self.mfa_arn(mfa_arn)
+      raise 'Invalid MFA ARN' unless mfa_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:mfa\/\S*\z)
+      mfa_arn
+    end
-  def self.role_name(account_name)
-    raise 'Invalid Role Name' unless account_name =~ /\S+/
-    account_name
-  end
+    # Validate a Role name
+    #
+    # @param [String] role_name
+    def self.role_name(role_name)
+      raise 'Invalid Role Name' unless role_name =~ /\S+/
+      role_name
+    end
-  def self.role_arn(role_arn)
-    raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
-    role_arn
+    # Validate a Role ARN
+    #
+    # @param [String] role_arn The role arn
+    def self.role_arn(role_arn)
+      raise 'Invalid Role ARN' unless role_arn =~ %r(\Aarn:aws:iam::[0-9]{12}:role\/\S*\z)
+      role_arn
+    end
   end
 end

data/lib/awskeyring/version.rb CHANGED Viewed

@@ -1,3 +1,4 @@
 module Awskeyring
-  VERSION = '0.0.6'.freeze
+  # The Gems version number
+  VERSION = '0.1.0'.freeze
 end

data/lib/awskeyring.rb CHANGED Viewed

@@ -1,14 +1,23 @@
+require 'json'
 require 'keychain'
-require 'aws-sdk-iam'
-require 'awskeyring/validate'
-# Aws Key-ring logical object,
+# Awskeyring Module,
 # gives you an interface to access keychains and items.
 module Awskeyring # rubocop:disable Metrics/ModuleLength
+  # Default rpeferences fole path
   PREFS_FILE = (File.expand_path '~/.awskeyring').freeze
+  # Prefix for Roles
   ROLE_PREFIX = 'role '.freeze
+  # Prefix for Accounts
   ACCOUNT_PREFIX = 'account '.freeze
+  # Prefix for Session Keys
+  SESSION_KEY_PREFIX = 'session-key '.freeze
+  # Prefix for Session Tokens
+  SESSION_TOKEN_PREFIX = 'session-token '.freeze
+  # Retrieve the preferences
+  #
+  # @return [Hash] prefs of the gem
   def self.prefs
     if File.exist? PREFS_FILE
       JSON.parse(File.read(PREFS_FILE))
@@ -17,6 +26,7 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     end
   end
+  # Create a new Keychain
   def self.init_keychain(awskeyring:)
     keychain = Keychain.create(awskeyring)
     keychain.lock_interval = 300
@@ -26,7 +36,10 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     File.new(Awskeyring::PREFS_FILE, 'w').write JSON.dump(prefs)
   end
-  def self.load_keychain
+  # Load the keychain for access
+  #
+  # @return [Keychain] keychain ready for use.
+  private_class_method def self.load_keychain
     unless File.exist?(Awskeyring::PREFS_FILE) && !prefs.empty?
       warn "Config missing, run `#{File.basename($PROGRAM_NAME)} initialise` to recreate."
       exit 1
@@ -39,95 +52,181 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     keychain
   end
-  def self.list_items
+  # Return a list of all acount items
+  private_class_method def self.list_items
     items = all_items.all.sort do |a, b|
       a.attributes[:label] <=> b.attributes[:label]
     end
     items.select { |elem| elem.attributes[:label].start_with?(ACCOUNT_PREFIX) }
   end
-  def self.list_roles
+  # Return a list of all role items
+  private_class_method def self.list_roles
     items = all_items.all.sort do |a, b|
       a.attributes[:label] <=> b.attributes[:label]
     end
     items.select { |elem| elem.attributes[:label].start_with?(ROLE_PREFIX) }
   end
-  def self.all_items
+  # Return all keychain items
+  private_class_method def self.all_items
     load_keychain.generic_passwords
   end
-  def self.add_item(account:, key:, secret:, comment:)
+  # Add an account item
+  def self.add_account(account:, key:, secret:, mfa:)
     all_items.create(
-      label: "#{ACCOUNT_PREFIX}#{account}",
+      label: ACCOUNT_PREFIX + account,
       account: key,
       password: secret,
-      comment: comment
+      comment: mfa
     )
   end
-  def self.update_item(account:, key:, secret:)
-    item = get_item(account)
+  # update and account item
+  def self.update_account(account:, key:, secret:)
+    item = get_item(account: account)
     item.attributes[:account] = key
     item.password = secret
     item.save!
   end
+  # Add a Role item
   def self.add_role(role:, arn:, account:)
     all_items.create(
-      label: "#{ROLE_PREFIX}#{role}",
+      label: ROLE_PREFIX + role,
       account: arn,
       password: '',
       comment: account
     )
   end
-  def self.add_pair(params = {})
-    all_items.create(label: "session-key #{params[:account]}",
+  # add a session token pair of items
+  def self.add_token(params = {})
+    all_items.create(label: SESSION_KEY_PREFIX + params[:account],
                      account: params[:key],
                      password: params[:secret],
-                     comment: "#{ROLE_PREFIX}#{params[:role]}")
-    all_items.create(label: "session-token #{params[:account]}",
+                     comment: ROLE_PREFIX + params[:role])
+    all_items.create(label: SESSION_TOKEN_PREFIX + params[:account],
                      account: params[:expiry],
                      password: params[:token],
-                     comment: "#{ROLE_PREFIX}#{params[:role]}")
+                     comment: ROLE_PREFIX + params[:role])
   end
-  def self.get_item(account)
-    all_items.where(label: "#{ACCOUNT_PREFIX}#{account}").first
+  # Return an account item by name
+  private_class_method def self.get_item(account:)
+    all_items.where(label: ACCOUNT_PREFIX + account).first
   end
-  def self.get_role(name)
-    all_items.where(label: "#{ROLE_PREFIX}#{name}").first
+  # Return a role item by name
+  private_class_method def self.get_role(role_name:)
+    all_items.where(label: ROLE_PREFIX + role_name).first
   end
-  def self.get_pair(account)
-    session_key = all_items.where(label: "session-key #{account}").first
-    session_token = all_items.where(label: "session-token #{account}").first if session_key
+  # Return a session token pair of items by name
+  private_class_method def self.get_pair(account:)
+    session_key = all_items.where(label: SESSION_KEY_PREFIX + account).first
+    session_token = all_items.where(label: SESSION_TOKEN_PREFIX + account).first if session_key
     [session_key, session_token]
   end
-  def self.list_item_names
+  # Return a list account item names
+  def self.list_account_names
     list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..-1] }
   end
+  # Return a list role item names
   def self.list_role_names
     list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..-1] }
   end
-  def self.delete_expired(key, token)
+  # Return a session token if available or a static key
+  private_class_method def self.get_valid_item_pair(account:)
+    session_key, session_token = get_pair(account: account)
+    session_key, session_token = delete_expired(key: session_key, token: session_token) if session_key
+    if session_key && session_token
+      puts '# Using temporary session credentials'
+      return session_key, session_token
+    end
+    item = get_item(account: account)
+    if item.nil?
+      warn "# Credential not found with name: #{account}"
+      exit 2
+    end
+    [item, nil]
+  end
+  # Return valid creds for account
+  def self.get_valid_creds(account:)
+    cred, temp_cred = get_valid_item_pair(account: account)
+    token = temp_cred.password unless temp_cred.nil?
+    {
+      account: account,
+      key: cred.attributes[:account],
+      secret: cred.password,
+      token: token
+    }
+  end
+  # Return a hash for account (skip tokens)
+  def self.get_account_hash(account:)
+    cred = get_item(account: account)
+    return unless cred
+    {
+      account: account,
+      key: cred.attributes[:account],
+      secret: cred.password,
+      mfa: cred.attributes[:comment]
+    }
+  end
+  # get the ARN for a role
+  def self.get_role_arn(role_name:)
+    role_item = get_role(role_name: role_name)
+    role_item.attributes[:account] if role_item
+  end
+  # Delete session token items if expired
+  private_class_method def self.delete_expired(key:, token:)
     expires_at = Time.at(token.attributes[:account].to_i)
     if expires_at < Time.now
-      delete_pair(key, token, '# Removing expired session credentials')
+      delete_pair(key: key, token: token, message: '# Removing expired session credentials')
       key = nil
       token = nil
     end
     [key, token]
   end
-  def self.delete_pair(key, token, message)
+  # Delete session token items
+  private_class_method def self.delete_pair(key:, token:, message:)
+    return unless key
     puts message if message
     token.delete if token
-    key.delete if key
+    key.delete
+  end
+  # Delete a session token
+  def self.delete_token(account:, message:)
+    session_key, session_token = get_pair(account: account)
+    delete_pair(key: session_key, token: session_token, message: message)
+  end
+  # Delete an Account
+  def self.delete_account(account:, message:)
+    delete_token(account: account, message: '# Removing expired session credentials')
+    cred = get_item(account: account)
+    return unless cred
+    puts message if message
+    cred.delete
+  end
+  # Delete a role
+  def self.delete_role(role_name:, message:)
+    role = get_role(role_name: role_name)
+    return unless role
+    puts message if message
+    role.delete
   end
 end

data/lib/awskeyring_command.rb CHANGED Viewed

@@ -1,14 +1,12 @@
-require 'aws-sdk-iam'
-require 'cgi'
 require 'highline'
-require 'json'
-require 'open-uri'
 require 'thor'
-require_relative 'awskeyring'
+require 'awskeyring'
+require 'awskeyring/awsapi'
+require 'awskeyring/validate'
 require 'awskeyring/version'
-# AWS Key-ring command line interface.
+# AWSkeyring command line interface.
 class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map %w[--version -v] => :__version
   map ['init'] => :initialise
@@ -19,13 +17,15 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map ['rmt'] => :remove_token
   desc '--version, -v', 'Prints the version'
+  # print the version number
   def __version
     puts Awskeyring::VERSION
   end
   desc 'initialise', 'Initialises a new KEYCHAIN'
   method_option :keychain, type: :string, aliases: '-n', desc: 'Name of KEYCHAIN to initialise.'
-  def initialise # rubocop:disable  Metrics/AbcSize
+  # initialise the keychain
+  def initialise
     unless Awskeyring.prefs.empty?
       puts "#{Awskeyring::PREFS_FILE} exists. no need to initialise."
       exit 1
@@ -47,38 +47,42 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   end
   desc 'list', 'Prints a list of accounts in the keyring'
+  # list the accounts
   def list
-    puts Awskeyring.list_item_names.join("\n")
+    puts Awskeyring.list_account_names.join("\n")
   end
   map 'list-role' => :list_role
   desc 'list-role', 'Prints a list of roles in the keyring'
+  # List roles
   def list_role
     puts Awskeyring.list_role_names.join("\n")
   end
   desc 'env ACCOUNT', 'Outputs bourne shell environment exports for an ACCOUNT'
+  # Print Env vars
   def env(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    cred = Awskeyring.get_valid_creds(account: account)
     put_env_string(
-      account: cred.attributes[:label],
-      key: cred.attributes[:account],
-      secret: cred.password,
-      token: token
+      account: cred[:account],
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token]
     )
   end
   desc 'exec ACCOUNT command...', 'Execute a COMMAND with the environment set for an ACCOUNT'
+  # execute an external command with env set
   def exec(account, *command)
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+    cred = Awskeyring.get_valid_creds(account: account)
     env_vars = env_vars(
-      account: cred.attributes[:label],
-      key: cred.attributes[:account],
-      secret: cred.password,
-      token: token
+      account: cred[:account],
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token]
     )
     pid = Process.spawn(env_vars, command.join(' '))
     Process.wait pid
@@ -88,22 +92,27 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :key, type: :string, aliases: '-k', desc: 'AWS account key id.'
   method_option :secret, type: :string, aliases: '-s', desc: 'AWS account secret.'
   method_option :mfa, type: :string, aliases: '-m', desc: 'AWS virtual mfa arn.'
-  def add(account = nil) # rubocop:disable Metrics/AbcSize
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    key = ask_check(existing: options[:key], message: 'access key id', validator: Awskeyring.method(:access_key))
+  # Add an Account
+  def add(account = nil) # rubocop:disable Metrics/MethodLength
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    key = ask_check(
+      existing: options[:key], message: 'access key id', validator: Awskeyring::Validate.method(:access_key)
+    )
     secret = ask_check(
       existing: options[:secret], message: 'secret access key',
-      secure: true, validator: Awskeyring.method(:secret_access_key)
+      secure: true, validator: Awskeyring::Validate.method(:secret_access_key)
     )
     mfa = ask_check(
-      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring.method(:mfa_arn)
+      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring::Validate.method(:mfa_arn)
     )
-    Awskeyring.add_item(
+    Awskeyring.add_account(
       account: account,
       key: key,
       secret: secret,
-      comment: mfa
+      mfa: mfa
     )
     puts "# Added account #{account}"
   end
@@ -111,11 +120,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   map 'add-role' => :add_role
   desc 'add-role ROLE', 'Adds a ROLE to the keyring'
   method_option :arn, type: :string, aliases: '-a', desc: 'AWS role arn.'
+  # Add a role
   def add_role(role = nil)
-    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
-    arn = ask_check(existing: options[:arn], message: 'role arn', validator: Awskeyring.method(:role_arn))
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring::Validate.method(:role_name))
+    arn = ask_check(existing: options[:arn], message: 'role arn', validator: Awskeyring::Validate.method(:role_arn))
     account = ask_check(
-      existing: account, message: 'account', optional: true, validator: Awskeyring.method(:account_name)
+      existing: account, message: 'account', optional: true, validator: Awskeyring::Validate.method(:account_name)
     )
     Awskeyring.add_role(
@@ -127,53 +137,43 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   end
   desc 'remove ACCOUNT', 'Removes an ACCOUNT from the keyring'
+  # Remove an account
   def remove(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    Awskeyring.delete_pair(cred, temp_cred, "# Removing account #{account}")
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    Awskeyring.delete_account(account: account, message: "# Removing account #{account}")
   end
   desc 'remove-token ACCOUNT', 'Removes a token for ACCOUNT from the keyring'
+  # remove a session token
   def remove_token(account = nil)
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    session_key, session_token = Awskeyring.get_pair(account)
-    session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
-    Awskeyring.delete_pair(session_key, session_token, "# Removing token for account #{account}") if session_key
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    Awskeyring.delete_token(account: account, message: "# Removing token for account #{account}")
   end
   map 'remove-role' => :remove_role
   desc 'remove-role ROLE', 'Removes a ROLE from the keyring'
+  # remove a role
   def remove_role(role = nil)
-    role = ask_check(existing: role, message: 'role name', validator: Awskeyring.method(:role_name))
-    item_role = Awskeyring.get_role(role)
-    Awskeyring.delete_pair(item_role, nil, "# Removing role #{role}")
+    role = ask_check(existing: role, message: 'role name', validator: Awskeyring::Validate.method(:role_name))
+    Awskeyring.delete_role(role_name: role, message: "# Removing role #{role}")
   end
   desc 'rotate ACCOUNT', 'Rotate access keys for an ACCOUNT'
-  def rotate(account = nil) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    item = Awskeyring.get_item(account)
-    iam = Aws::IAM::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
-    if iam.list_access_keys[:access_key_metadata].length > 1
-      warn "You have two access keys for account #{account}"
-      exit 1
-    end
-    new_key = iam.create_access_key
-    iam = Aws::IAM::Client.new(
-      access_key_id: new_key[:access_key][:access_key_id],
-      secret_access_key: new_key[:access_key][:secret_access_key]
+  # rotate Account keys
+  def rotate(account = nil)
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
     )
-    retry_backoff do
-      iam.delete_access_key(
-        access_key_id: item.attributes[:account]
-      )
-    end
-    Awskeyring.update_item(
+    item_hash = Awskeyring.get_account_hash(account: account)
+    new_key = Awskeyring::Awsapi.rotate(account: item_hash[:account], key: item_hash[:key], secret: item_hash[:secret])
+    Awskeyring.update_account(
       account: account,
-      key: new_key[:access_key][:access_key_id],
-      secret: new_key[:access_key][:secret_access_key]
+      key: new_key[:key],
+      secret: new_key[:secret]
     )
     puts "# Updated account #{account}"
@@ -183,8 +183,11 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :role, type: :string, aliases: '-r', desc: 'The ROLE to assume.'
   method_option :code, type: :string, aliases: '-c', desc: 'Virtual mfa CODE.'
   method_option :duration, type: :string, aliases: '-d', desc: 'Session DURATION in seconds.'
+  # generate a sessiopn token
   def token(account = nil, role = nil, code = nil) # rubocop:disable all
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
     role ||= options[:role]
     code ||= options[:code]
     duration = options[:duration]
@@ -196,111 +199,58 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       exit 2
     end
-    session_key, session_token = Awskeyring.get_pair(account)
-    Awskeyring.delete_pair(session_key, session_token, '# Removing STS credentials') if session_key
-    item = Awskeyring.get_item(account)
-    item_role = Awskeyring.get_role(role) if role
+    Awskeyring.delete_token(account: account, message: '# Removing STS credentials')
-    sts = Aws::STS::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
+    item_hash = Awskeyring.get_account_hash(account: account)
+    role_arn = Awskeyring.get_role_arn(role_name: role) if role
-    begin
-      response =
-        if code && role
-          sts.assume_role(
-            duration_seconds: duration.to_i,
-            role_arn: item_role.attributes[:account],
-            role_session_name: ENV['USER'],
-            serial_number: item.attributes[:comment],
-            token_code: code
-          )
-        elsif role
-          sts.assume_role(
-            duration_seconds: duration.to_i,
-            role_arn: item_role.attributes[:account],
-            role_session_name: ENV['USER']
-          )
-        elsif code
-          sts.get_session_token(
-            duration_seconds: duration.to_i,
-            serial_number: item.attributes[:comment],
-            token_code: code
-          )
-        end
-    rescue Aws::STS::Errors::AccessDenied => e
-      puts e.to_s
-      exit 1
-    end
+    new_creds = Awskeyring::Awsapi.get_token(
+      code: code,
+      role_arn: role_arn,
+      duration: duration,
+      mfa: item_hash[:mfa],
+      key: item_hash[:key],
+      secret: item_hash[:secret],
+      user: ENV['USER']
+    )
-    Awskeyring.add_pair(
+    Awskeyring.add_token(
       account: account,
-      key: response.credentials[:access_key_id],
-      secret: response.credentials[:secret_access_key],
-      token: response.credentials[:session_token],
-      expiry: response.credentials[:expiration].to_i.to_s,
+      key: new_creds[:key],
+      secret: new_creds[:secret],
+      token: new_creds[:token],
+      expiry: new_creds[:expiry].to_i.to_s,
       role: role
     )
-    puts "Authentication valid until #{response.credentials[:expiration]}"
+    puts "Authentication valid until #{new_creds[:expiry]}"
   end
   desc 'console ACCOUNT', 'Open the AWS Console for the ACCOUNT'
   method_option :path, type: :string, aliases: '-p', desc: 'The service PATH to open.'
-  def console(account = nil) # rubocop:disable all
-    account = ask_check(existing: account, message: 'account name', validator: Awskeyring.method(:account_name))
-    cred, temp_cred = get_valid_item_pair(account: account)
-    token = temp_cred.password unless temp_cred.nil?
+  # Open the AWS Console
+  def console(account = nil)
+    account = ask_check(
+      existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
+    )
+    cred = Awskeyring.get_valid_creds(account: account)
     path = options[:path] || 'console'
-    console_url = "https://console.aws.amazon.com/#{path}/home"
-    signin_url = 'https://signin.aws.amazon.com/federation'
-    policy_json = {
-      Version: '2012-10-17',
-      Statement: [{
-        Action: '*',
-        Resource: '*',
-        Effect: 'Allow'
-      }]
-    }.to_json
-    if temp_cred
-      session_json = {
-        sessionId: cred.attributes[:account],
-        sessionKey: cred.password,
-        sessionToken: token
-      }.to_json
-    else
-      sts = Aws::STS::Client.new(access_key_id: cred.attributes[:account],
-                                 secret_access_key: cred.password)
-      session = sts.get_federation_token(name: ENV['USER'],
-                                         policy: policy_json,
-                                         duration_seconds: (60 * 60 * 12))
-      session_json = {
-        sessionId: session.credentials[:access_key_id],
-        sessionKey: session.credentials[:secret_access_key],
-        sessionToken: session.credentials[:session_token]
-      }.to_json
-    end
-    get_signin_token_url = signin_url + '?Action=getSigninToken' \
-                           '&Session=' + CGI.escape(session_json)
-    returned_content = open(get_signin_token_url).read
-    signin_token = JSON.parse(returned_content)['SigninToken']
-    signin_token_param = '&SigninToken=' + CGI.escape(signin_token)
-    destination_param = '&Destination=' + CGI.escape(console_url)
-    login_url = signin_url + '?Action=login' + signin_token_param + destination_param
+    login_url = Awskeyring::Awsapi.get_login_url(
+      key: cred[:key],
+      secret: cred[:secret],
+      token: cred[:token],
+      path: path,
+      user: ENV['USER']
+    )
     pid = Process.spawn("open \"#{login_url}\"")
     Process.wait pid
   end
-  # autocomplete
   desc 'awskeyring CURR PREV', 'Autocompletion for bourne shells', hide: true
+  # autocomplete
   def awskeyring(curr, prev)
     comp_line = ENV['COMP_LINE']
     unless comp_line
@@ -318,12 +268,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   private
-  def print_auto_resp(curr, len) # rubocop:disable  Metrics/AbcSize
+  def print_auto_resp(curr, len)
     case len
     when 2
       puts list_commands.select { |elem| elem.start_with?(curr) }.join("\n")
     when 3
-      puts Awskeyring.list_item_names.select { |elem| elem.start_with?(curr) }.join("\n")
+      puts Awskeyring.list_account_names.select { |elem| elem.start_with?(curr) }.join("\n")
     when 4
       puts Awskeyring.list_role_names.select { |elem| elem.start_with?(curr) }.join("\n")
     else
@@ -335,23 +285,6 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     self.class.all_commands.keys.map { |elem| elem.tr('_', '-') }
   end
-  def get_valid_item_pair(account:)
-    session_key, session_token = Awskeyring.get_pair(account)
-    session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
-    if session_key && session_token
-      puts '# Using temporary session credentials'
-      return session_key, session_token
-    end
-    item = Awskeyring.get_item(account)
-    if item.nil?
-      warn "# Credential not found with name: #{account}"
-      exit 2
-    end
-    [item, nil]
-  end
   def env_vars(account:, key:, secret:, token:)
     env_var = {}
     env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless ENV['AWS_DEFAULT_REGION']
@@ -388,21 +321,6 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     value
   end
-  def retry_backoff(&block)
-    retries ||= 1
-    begin
-      yield block
-    rescue Aws::IAM::Errors::InvalidClientTokenId => e
-      if retries < 4
-        sleep 2**retries
-        retries += 1
-        retry
-      end
-      warn e.message
-      exit 1
-    end
-  end
   def ask_missing(existing:, message:, secure: false, optional: false)
     existing || ask(message: message, secure: secure, optional: optional)
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awskeyring
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.1.0
 platform: ruby
 authors:
 - Tristan Morgan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-03-01 00:00:00.000000000 Z
+date: 2018-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-iam
@@ -157,6 +157,7 @@ files:
 - awskeyring.gemspec
 - exe/awskeyring
 - lib/awskeyring.rb
+- lib/awskeyring/awsapi.rb
 - lib/awskeyring/validate.rb
 - lib/awskeyring/version.rb
 - lib/awskeyring_command.rb