awskeyring 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1e905b5fccdebddbc839f898423c513e8c3c3475
-  data.tar.gz: da11dceb9c06415e01647a2de7512103df2d951d
+  metadata.gz: 8657e757b5569d9712953debdfb94b87cb120a72
+  data.tar.gz: 1cbaee2befed2828a571cdea1e8e3ec2e0b02248
 SHA512:
-  metadata.gz: 6c6b3db63fda21933153f5eb38be4a24e07701709c3d893b71c5266d8faca9b0385060dbdde6bac3ebad69d42077e8ae1e6199a74996e996be37f12883f299f8
-  data.tar.gz: d7db72c1d2f8a1d33508c113a5b8866dc48c5fc53017a89b9b14d8e7dae05d48e4ee1d8ac0f69d83d4041e48e3fbadb26f3847824c7240666ae2525018715c1d
+  metadata.gz: c7199c75966a60aba45f9c49cef0c9f11fd6fb7b5ba9f42f7740fc1df346fbad277c5d14051e6764afc9282e5bfd35273191aa4d0c305c109fa9513d757dfd0b
+  data.tar.gz: 8a842afe5dc7d834dc64c38e78fddf69c64661dd88a1c41dadcdebb48c335c3605184cac55f588fb07b062f01b768fdbbdd8fdeec2b573e42150a016bbb1e9b4

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change Log
 
+## [v0.3.0](https://github.com/vibrato/awskeyring/tree/v0.3.0) (2018-04-12)
+[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.2.0...v0.3.0)
+
+**Implemented enhancements:**
+
+- Validate tokens upon adding them to the keychain [\#18](https://github.com/vibrato/awskeyring/issues/18)
+- Generate a token from IAM User credentials using the GetFederationToken API [\#17](https://github.com/vibrato/awskeyring/issues/17)
+- Test creds against AWS API \(optionally\). [\#20](https://github.com/vibrato/awskeyring/pull/20) ([tristanmorgan](https://github.com/tristanmorgan))
+- Allow STS get\_session\_token without role [\#19](https://github.com/vibrato/awskeyring/pull/19) ([tristanmorgan](https://github.com/tristanmorgan))
+
 ## [v0.2.0](https://github.com/vibrato/awskeyring/tree/v0.2.0) (2018-04-05)
 [Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.1.1...v0.2.0)
 

data/lib/awskeyring/awsapi.rb

@@ -7,6 +7,19 @@ require 'json'
 module Awskeyring
   # AWS API methods for Awskeyring
   module Awsapi # rubocop:disable Metrics/ModuleLength
+    # Admin policy as json
+    ADMIN_POLICY = {
+      Version: '2012-10-17',
+      Statement: [{
+        Action: '*',
+        Resource: '*',
+        Effect: 'Allow'
+      }]
+    }.to_json.freeze
+
+    TWELVE_HOUR = (60 * 60 * 12)
+    ONE_HOUR = (60 * 60 * 1)
+
     # Retrieves a temporary session token from AWS
     #
     # @param [Hash] params including
@@ -47,6 +60,12 @@ module Awskeyring
               serial_number: params[:mfa],
               token_code: params[:code]
             )
+          else
+            sts.get_federation_token(
+              name: params[:user],
+              policy: ADMIN_POLICY,
+              duration_seconds: params[:duration]
+            )
           end
       rescue Aws::STS::Errors::AccessDenied => err
         warn err.to_s
@@ -79,6 +98,22 @@ module Awskeyring
       )
     end
 
+    # Verify Credentials are active and valid
+    #
+    # @param [String] key The aws_access_key_id
+    # @param [String] secret The aws_secret_access_key
+    # @param [String] token The aws_session_token
+    def self.verify_cred(key:, secret:)
+      begin
+        sts = Aws::STS::Client.new(access_key_id: key, secret_access_key: secret)
+        sts.get_caller_identity
+      rescue Aws::Errors::ServiceError => err
+        warn err.to_s
+        exit 1
+      end
+      true
+    end
+
     # Retrieves an AWS Console login url
     #
     # @param [String] key The aws_access_key_id
@@ -90,14 +125,6 @@ module Awskeyring
     def self.get_login_url(key:, secret:, token:, path:, user:) # rubocop:disable  Metrics/AbcSize, Metrics/MethodLength
       console_url = "https://console.aws.amazon.com/#{path}/home"
       signin_url = 'https://signin.aws.amazon.com/federation'
-      policy_json = {
-        Version: '2012-10-17',
-        Statement: [{
-          Action: '*',
-          Resource: '*',
-          Effect: 'Allow'
-        }]
-      }.to_json
 
       if token
         session_json = {
@@ -110,8 +137,8 @@ module Awskeyring
                                    secret_access_key: secret)
 
         session = sts.get_federation_token(name: user,
-                                           policy: policy_json,
-                                           duration_seconds: (60 * 60 * 12))
+                                           policy: ADMIN_POLICY,
+                                           duration_seconds: TWELVE_HOUR)
         session_json = {
           sessionId: session.credentials[:access_key_id],
           sessionKey: session.credentials[:secret_access_key],

data/lib/awskeyring/version.rb

@@ -1,4 +1,4 @@
 module Awskeyring
   # The Gems version number
-  VERSION = '0.2.0'.freeze
+  VERSION = '0.3.0'.freeze
 end

data/lib/awskeyring.rb

@@ -106,11 +106,11 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
     all_items.create(label: SESSION_KEY_PREFIX + params[:account],
                      account: params[:key],
                      password: params[:secret],
-                     comment: ROLE_PREFIX + params[:role])
+                     comment: params[:role].nil? ? '' : ROLE_PREFIX + params[:role])
     all_items.create(label: SESSION_TOKEN_PREFIX + params[:account],
                      account: params[:expiry],
                      password: params[:token],
-                     comment: ROLE_PREFIX + params[:role])
+                     comment: params[:role] || '')
   end
 
   # Return an account item by name

data/lib/awskeyring_command.rb

@@ -110,8 +110,10 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
   method_option :key, type: :string, aliases: '-k', desc: 'AWS account key id.'
   method_option :secret, type: :string, aliases: '-s', desc: 'AWS account secret.'
   method_option :mfa, type: :string, aliases: '-m', desc: 'AWS virtual mfa arn.'
+  method_option :local, type: :boolean, aliases: '-l', desc: 'Only validate locally.', default: false
+  method_option :update, type: :boolean, aliases: '-u', desc: 'Update existing.', default: false
   # Add an Account
-  def add(account = nil) # rubocop:disable Metrics/MethodLength
+  def add(account = nil) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
     account = ask_check(
       existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
     )
@@ -122,17 +124,27 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       existing: options[:secret], message: 'secret access key',
       secure: true, validator: Awskeyring::Validate.method(:secret_access_key)
     )
-    mfa = ask_check(
-      existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring::Validate.method(:mfa_arn)
-    )
-
-    Awskeyring.add_account(
-      account: account,
-      key: key,
-      secret: secret,
-      mfa: mfa
-    )
-    puts "# Added account #{account}"
+    if options[:update]
+      Awskeyring::Awsapi.verify_cred(key: key, secret: secret) unless options[:local]
+      Awskeyring.update_account(
+        account: account,
+        key: key,
+        secret: secret
+      )
+      puts "# Updated account #{account}"
+    else
+      mfa = ask_check(
+        existing: options[:mfa], message: 'mfa arn', optional: true, validator: Awskeyring::Validate.method(:mfa_arn)
+      )
+      Awskeyring::Awsapi.verify_cred(key: key, secret: secret) unless options[:local]
+      Awskeyring.add_account(
+        account: account,
+        key: key,
+        secret: secret,
+        mfa: mfa
+      )
+      puts "# Added account #{account}"
+    end
   end
 
   map 'add-role' => :add_role
@@ -230,15 +242,9 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       )
     end
     duration = options[:duration]
-    duration ||= (60 * 60 * 1).to_s if role
-    duration ||= (60 * 60 * 12).to_s if code
-
-    if !role && !code
-      warn 'Please use either a role or a code'
-      exit 2
-    end
-
-    Awskeyring.delete_token(account: account, message: '# Removing STS credentials')
+    duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s if role
+    duration ||= Awskeyring::Awsapi::TWELVE_HOUR.to_s if code
+    duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s
 
     item_hash = Awskeyring.get_account_hash(account: account)
     role_arn = Awskeyring.get_role_arn(role_name: role) if role
@@ -253,6 +259,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
         secret: item_hash[:secret],
         user: ENV['USER']
       )
+      Awskeyring.delete_token(account: account, message: '# Removing STS credentials')
     rescue Aws::Errors::ServiceError => err
       warn err.to_s
       exit 1
@@ -267,7 +274,8 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
       role: role
     )
 
-    puts "Authentication valid until #{new_creds[:expiry]}"
+    puts "# Token saved for account #{account}"
+    puts "# Authentication valid until #{Time.at(new_creds[:expiry].to_i)}"
   end
 
   desc 'console ACCOUNT', 'Open the AWS Console for the ACCOUNT'
@@ -304,7 +312,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
     comp_line = ENV['COMP_LINE']
     unless comp_line
       exec_name = File.basename($PROGRAM_NAME)
-      warn "enable autocomplete with 'complete -C /path-to-command/#{exec_name} #{exec_name}'"
+      warn "enable autocomplete with 'complete -C #{$PROGRAM_NAME} #{exec_name}'"
       exit 1
     end
     comp_len = comp_line.split.index(prev)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awskeyring
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Tristan Morgan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-04-05 00:00:00.000000000 Z
+date: 2018-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-iam