RubyGems - awsudo - Versions diffs - 1.0.1 - Mend

awsudo 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8e4b45a3d628800167e5024b822807b35157daa3
+  data.tar.gz: 6d4ba8e55a5795fa72b89f1c4e4d9aa4212a3da5
+SHA512:
+  metadata.gz: 18fe20ae36c9fb52041fa179880bba1131ba220f87d50955f4befc8d1a6bc3d03b7bda06e7f353613e2e39c2a47326196f7d0bf8f82eead9eaa94d24e3d15271
+  data.tar.gz: e1d3e25b4cd51d0494a99f0fd772f499704deefb3f25340a89fa8e28e2a17823450e823a267b78b385b349696a356d0fe46dfecc385dd1ee119126c55db82686

data/CHANGELOG.md ADDED

File without changes

data/CONTRIBUTING.md ADDED

@@ -0,0 +1,20 @@
+How to contribute
+=================
+Thanks for your interest!
+Contributing is easy. After signing the [Contributor License Agreement (CLA)](https://ea.tap.thinksmart.com/prod/Portal/ShowWorkFlow/AnonymousEmbed/26adfdf8-b74e-4212-bb4a-3e756b722c32) just follow the steps described below.
+Getting Started
+---------------
+* Make sure you have a [GitHub account](https://github.com/signup/free)
+* Fork the repository on GitHub
+Making changes
+---------------
+* Create a topic branch from where you want to base your work.
+* Make commits of logical units, adding messages for describing what was done.
+Submitting changes
+------------------
+* Push your changes to a topic branch in your fork of the repository.
+* Submit a pull request to the repository.

data/LICENSE ADDED

@@ -0,0 +1,25 @@
+Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1.  Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+2.  Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+3.  Neither the name of Electronic Arts, Inc. ("EA") nor the names of
+    its contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY ELECTRONIC ARTS AND ITS CONTRIBUTORS "AS IS" AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL ELECTRONIC ARTS OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md ADDED

@@ -0,0 +1,79 @@
+awsudo + aws-agent
+==================
+Overview
+------------
+**awsudo** enables users to execute commands that make API calls to AWS under
+the security context of an IAM role. The IAM role is assumed only upon
+successful authentication against a SAML compliant federation service.
+**aws-agent** enables users to authenticate against a SAML compliant federation
+service once, after which aws-agent provides temporary credentials to awsudo
+to use.
+Synopsis
+------------
+      awsudo {role-name | role-arn} command
+      aws-agent
+Requirements
+------------
+  * UNIX, UNIX-like or GNU/Linux operating system
+  * SAML compliant federation service
+  * ruby 1.9 or above
+  * ruby gems: aws-sdk
+Install
+------------
+      sudo gem install awsudo
+Configuration
+------------
+awsudo and aws-agent expect a configuration file named .awsudo in your home directory
+containing the values for your identity provider login url and the SAML provider name
+configured in AWS. This is an example, your setup may vary:
+      IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
+      SAML_PROVIDER_NAME = ADFS
+In addition to .awsudo, you can create .aws-roles in your home directory to map
+IAM roles ARNs to more easy to remember alias names, one per line, separated by spaces. Example:
+      myaccount-admin  arn:aws:iam::123456789012:role/myaccount-admin
+Examples
+------------
+### awsudo
+      $ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
+      $ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1
+awsudo will ask your federated credentials every time. To avoid this use aws-agent as follows:
+### aws-agent
+      $ aws-agent
+      Login: username
+      Password:
+      AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;
+then execute the commands printed by aws-agent. awsudo will now ask for temporary credentials to aws-agent.
+Author
+-------
+[Gerardo Santana Gomez Garrido](https://github.com/santana)
+Contributors
+-------------
+  * [Matthew Wygant](https://github.com/mkwygant)
+  * [Ivan Zenteno](https://github.com/k001)
+  * [David Hannon](https://github.com/dhannon)

data/bin/aws-agent ADDED

@@ -0,0 +1,62 @@
+#!/usr/bin/env ruby
+# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+require 'awsudo'
+require 'logger'
+require 'socket'
+require 'tmpdir'
+def usage
+  warn <<EOS
+Usage:
+  #{File.basename $0}
+EOS
+  exit 1
+end
+config = Hash[*File.read(File.join(ENV['HOME'], '.awsudo')).
+  scan(/^(\w+)\s*=\s*(.*)$/).flatten]
+AWSUDO.config(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'])
+LOGFILE = File.join(ENV['HOME'], ".aws-agent.log")
+logger = Logger.new(LOGFILE, "weekly")
+logger.progname = "aws-agent"
+logger.level = Logger::WARN
+username, password = AWSUDO.get_federated_credentials
+socket_dir  = Dir.mktmpdir("aws-")
+socket_name = File.join(socket_dir, "agent")
+puts "AWS_AUTH_SOCK=#{socket_name}; export AWS_AUTH_SOCK;"
+Process.daemon
+$0 = 'aws-agent'
+Process.setrlimit(Process::RLIMIT_CORE, 0, 0)
+UNIXServer.open(socket_name) do |socket|
+  loop do
+    Thread.new(socket.accept) do |client|
+      logger.debug "thread started"
+      logger.debug "connection accepted: #{socket.inspect}"
+      begin
+        role = client.gets.strip
+        logger.debug "role received: #{role}"
+        role_arn = AWSUDO.resolve_role(role)
+        logger.debug "role ARN resolved: #{role_arn}"
+        saml_assertion = AWSUDO.get_saml_assertion(username, password)
+        credentials = AWSUDO.assume_role_with_saml(saml_assertion, role_arn)
+        client.puts credentials.to_h.to_json
+      rescue => e
+        logger.error e
+        error = {:error => e}.to_json
+        client.print error
+      ensure
+        logger.debug "Closing connection"
+        client.close
+        logger.debug "Connection closed"
+      end
+      logger.debug "Thread ending"
+    end
+  end
+end
+FileUtils.rmdir socket_dir

data/bin/awsudo ADDED

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+require 'awsudo'
+def usage
+  warn <<-EOS
+Usage:
+  #{File.basename $0} {role-name | role-arn} command
+  EOS
+  exit 1
+end
+usage if ARGV.size < 2
+config = Hash[*File.read(File.join(ENV['HOME'], '.awsudo')).
+  scan(/^(\w+)\s*=\s*(.*)$/).flatten]
+AWSUDO.config(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'])
+role = ARGV.shift
+credentials =
+  begin
+    AWSUDO.assume_role(role)
+  rescue => e
+    warn e
+    exit 2
+  end
+ENV['AWS_ACCESS_KEY_ID'] = credentials['access_key_id'] || credentials[:access_key_id]
+ENV['AWS_SECRET_ACCESS_KEY'] = credentials['secret_access_key'] || credentials[:secret_access_key]
+ENV['AWS_SESSION_TOKEN'] = credentials['session_token'] || credentials[:session_token]
+exec *ARGV if ARGV.size > 0

data/lib/awsudo.rb ADDED

@@ -0,0 +1,101 @@
+# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+require 'aws-sdk'
+require 'io/console'
+require 'json'
+require 'net/http'
+require 'net/https'
+require 'rexml/document'
+require 'socket'
+require 'uri'
+module AWSUDO
+  AWS_ROLES = File.join(ENV['HOME'], '.aws-roles')
+  class << self
+    attr_reader :idp_login_url, :saml_provider_name
+  end
+  def self.config(idp_login_url, saml_provider_name)
+    @idp_login_url = idp_login_url
+    @saml_provider_name = saml_provider_name
+  end
+  def self.get_federated_credentials
+    fd = IO.sysopen("/dev/tty", "w")
+    console = IO.new(fd,"w")
+    console.print "Login: "
+    username = STDIN.gets.chomp
+    console.print "Password: "
+    password = STDIN.noecho(&:gets).chomp
+    console.print "\n"
+    [username, password]
+  end
+  def self.assume_role_using_agent(role)
+    socket_name = ENV['AWS_AUTH_SOCK']
+    credentials = UNIXSocket.open(socket_name) do |client|
+      client.puts role
+      response = client.gets
+      raise "Connection closed by peer" if response.nil?
+      JSON.parse(response.strip)
+    end
+    raise credentials['error'] if credentials['error']
+    credentials
+  end
+  def self.assume_role_using_password(role)
+    username, password = get_federated_credentials
+    saml_assertion = get_saml_assertion(username, password)
+    role_arn = resolve_role(role)
+    assume_role_with_saml(saml_assertion, role_arn).to_h
+  end
+  def self.assume_role(role)
+    assume_role_using_agent(role) rescue assume_role_using_password(role)
+  end
+  def self.get_saml_assertion(username, password)
+    uri = URI.parse(idp_login_url)
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    req = Net::HTTP::Post.new(uri.request_uri)
+    req.set_form_data({'username' => username, 'password' => password})
+    res = http.request(req)
+    raise "Authentication failed" if res['Location'].nil?
+    uri = URI.parse(res['Location'])
+    req = Net::HTTP::Get.new(uri.request_uri)
+    req['Cookie'] = res['Set-Cookie']
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    res = http.request(req)
+    doc = REXML::Document.new(res.body)
+    REXML::XPath.first(doc, '/html/body/form/input[@name = "SAMLResponse"]/@value').to_s
+  end
+  def self.assume_role_with_saml(saml_assertion, role_arn)
+    principal_arn = "#{role_arn[/^arn:aws:iam::\d+:/]}saml-provider/#{saml_provider_name}"
+    sts = Aws::STS::Client.new(credentials: Aws::Credentials.new('a', 'b', 'c'), region: 'us-east-1')
+    sts.assume_role_with_saml(
+      role_arn: role_arn,
+      principal_arn: principal_arn,
+      saml_assertion: saml_assertion).credentials
+  end
+  def self.resolve_role(role, roles_filename = AWS_ROLES)
+    return role if role =~ /^arn:aws:iam::\d+:role\/\S+$/
+    raise "`#{role}' is not a valid role" if role =~ /\s/
+    line = File.readlines(roles_filename).find {|line| line =~ /^#{role}\s+arn:aws:iam::\d+:role\/\S+\s*$/ }
+    raise "`#{role}' is not a valid role" if line.nil?
+    role_arn = line.split(/\s+/)[1]
+    raise "`#{role}' is not a valid role" if role_arn.nil?
+    role_arn
+  end
+end

metadata ADDED

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: awsudo
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Gerardo Santana Gomez Garrido
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-02-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2'
+description: |
+  awsudo enables users to execute commands that make API calls to AWS under the
+  security context of an IAM role. The IAM role is assumed only upon successful
+  authentication against a SAML compliant federation service.
+  aws-agent enables users to authenticate against a SAML compliant federation
+  service once, after which aws-agent provides temporary credentials to awsudo to
+  use.
+email: gsantana@ea.com
+executables:
+- awsudo
+- aws-agent
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/aws-agent
+- bin/awsudo
+- lib/awsudo.rb
+- LICENSE
+- CHANGELOG.md
+- CONTRIBUTING.md
+- README.md
+homepage: https://github.com/electronicarts/awsudo
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.14
+signing_key:
+specification_version: 4
+summary: executes a command with the permissions given by an AWS IAM role
+test_files: []