awsudo 1.0.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8e4b45a3d628800167e5024b822807b35157daa3
-  data.tar.gz: 6d4ba8e55a5795fa72b89f1c4e4d9aa4212a3da5
+  metadata.gz: 55636d46f188efba965077b306ccd5c99df46923
+  data.tar.gz: dcec6bd5c2684851a1d6c010882658fd6d270b43
 SHA512:
-  metadata.gz: 18fe20ae36c9fb52041fa179880bba1131ba220f87d50955f4befc8d1a6bc3d03b7bda06e7f353613e2e39c2a47326196f7d0bf8f82eead9eaa94d24e3d15271
-  data.tar.gz: e1d3e25b4cd51d0494a99f0fd772f499704deefb3f25340a89fa8e28e2a17823450e823a267b78b385b349696a356d0fe46dfecc385dd1ee119126c55db82686
+  metadata.gz: 942140a15481c643d3a8ee3dd95ba492cd2a4f6aedcd329b3ff98a4bb4f0c94a2799943da35321558b472768cc8fe968bc53eea211d8a4d7c3a2e363920cabb9
+  data.tar.gz: 3c6b0b2f230b8c4cbd97e44dc5ed597d1214038d93a004d724c20790a0194fabd91412f3b3aa981630fa18f28d9685e30d476d3780b279a80db2a6175870e4a5

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
  
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions

data/README.md

@@ -1,6 +1,8 @@
 awsudo + aws-agent
 ==================
 
+[![Build Status](https://travis-ci.org/electronicarts/awsudo.svg?branch=master)](https://travis-ci.org/electronicarts/awsudo)
+
 Overview
 ------------
 
@@ -15,17 +17,17 @@ to use.
 Synopsis
 ------------
 
-      awsudo {role-name | role-arn} command
+    awsudo {role-name | role-arn} command
      
-      aws-agent
+    aws-agent
      
 Requirements
 ------------
 
   * UNIX, UNIX-like or GNU/Linux operating system
   * SAML compliant federation service
-  * ruby 1.9 or above
-  * ruby gems: aws-sdk
+  * ruby 2.1 or above
+  * rubygems: aws-sdk, nokogiri
 
 Install
 ------------
@@ -37,33 +39,43 @@ Configuration
 
 awsudo and aws-agent expect a configuration file named .awsudo in your home directory
 containing the values for your identity provider login url and the SAML provider name
-configured in AWS. This is an example, your setup may vary:
+configured in AWS.
+
+Example for AD FS:
+
+    IDP = adfs
+    IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
+    SAML_PROVIDER_NAME = adfs
 
-      IDP_LOGIN_URL = https://sts.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
-      SAML_PROVIDER_NAME = ADFS
+Example for Okta:
+
+    IDP = okta
+    IDP_LOGIN_URL = https://example.okta.com/app/example/abc123/sso/saml
+    SAML_PROVIDER_NAME = okta
+    API_ENDPOINT = https://example.okta.com/api/v1
 
 In addition to .awsudo, you can create .aws-roles in your home directory to map
 IAM roles ARNs to more easy to remember alias names, one per line, separated by spaces. Example:
 
-      myaccount-admin  arn:aws:iam::123456789012:role/myaccount-admin
+    myaccount-admin  arn:aws:iam::123456789012:role/myaccount-admin
  
 Examples
 ------------
 
 ### awsudo
 
-      $ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
-    
-      $ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1
+    $ awsudo arn:aws:iam::123456789012:role/myaccount-admin aws ec2 describe-tags --region us-west-2
+     
+    $ awsudo myaccount-admin aws ec2 describe-instances --region us-east-1
 
 awsudo will ask your federated credentials every time. To avoid this use aws-agent as follows:
 
 ### aws-agent
 
-      $ aws-agent
-      Login: username
-      Password:
-      AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;
+    $ aws-agent
+    Login: username
+    Password:
+    AWS_AUTH_SOCK=/var/folders/xz/lx178g0d0rb36x95446zwgd80000gp/T/aws-20150623-20990-58v1c4/agent; export AWS_AUTH_SOCK;
 
 then execute the commands printed by aws-agent. awsudo will now ask for temporary credentials to aws-agent.
 

data/bin/aws-agent

@@ -1,11 +1,12 @@
 #!/usr/bin/env ruby
-# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
 
-require 'awsudo'
 require 'logger'
 require 'socket'
 require 'tmpdir'
 
+require 'awsudo'
+
 def usage
   warn <<EOS
 Usage:
@@ -15,36 +16,48 @@ EOS
   exit 1
 end
 
-config = Hash[*File.read(File.join(ENV['HOME'], '.awsudo')).
-  scan(/^(\w+)\s*=\s*(.*)$/).flatten]
-AWSUDO.config(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'])
+LOG_FILENAME    = File.join(ENV['HOME'], ".aws-agent.log")
+CONFIG_FILENAME = File.join(ENV['HOME'], '.awsudo')
+SUPPORTED_IDPS  = AWSUDO::IdentityProviders.constants
 
-LOGFILE = File.join(ENV['HOME'], ".aws-agent.log")
-logger = Logger.new(LOGFILE, "weekly")
+logger = Logger.new(LOG_FILENAME, "weekly")
 logger.progname = "aws-agent"
 logger.level = Logger::WARN
 
-username, password = AWSUDO.get_federated_credentials
+config = AWSUDO.load_config(CONFIG_FILENAME)
+idpname = config['IDP'].to_s.capitalize.to_sym
+unless SUPPORTED_IDPS.include?(idpname)
+  warn "`#{config['IDP']}' is not a supported identity provider"
+  exit 4
+end
+username, password = AWSUDO.ask_for_credentials
+idp = AWSUDO::IdentityProviders.new(idpname, config, username, password)
+idp.logger = logger
 
 socket_dir  = Dir.mktmpdir("aws-")
 socket_name = File.join(socket_dir, "agent")
-puts "AWS_AUTH_SOCK=#{socket_name}; export AWS_AUTH_SOCK;"
+
+case ENV['SHELL'].split('/').last
+when 'csh', 'tcsh'
+  puts "setenv AWS_AUTH_SOCK #{socket_name}"
+when 'fish'
+  puts "set -gx AWS_AUTH_SOCK #{socket_name}"
+else
+  puts "AWS_AUTH_SOCK=#{socket_name}; export AWS_AUTH_SOCK;"
+end
+
 Process.daemon
 $0 = 'aws-agent'
 Process.setrlimit(Process::RLIMIT_CORE, 0, 0)
 UNIXServer.open(socket_name) do |socket|
   loop do
     Thread.new(socket.accept) do |client|
-      logger.debug "thread started"
-      logger.debug "connection accepted: #{socket.inspect}"
+      logger.debug "Thread started"
+      logger.debug {"connection accepted: #{socket.inspect}"}
       begin
-        role = client.gets.strip
-        logger.debug "role received: #{role}"
-        role_arn = AWSUDO.resolve_role(role)
-        logger.debug "role ARN resolved: #{role_arn}"
-        saml_assertion = AWSUDO.get_saml_assertion(username, password)
-        credentials = AWSUDO.assume_role_with_saml(saml_assertion, role_arn)
-        client.puts credentials.to_h.to_json
+        role_arn = client.gets.strip
+        logger.debug {"role ARN received: #{role_arn}"}
+        client.puts idp.assume_role(role_arn).to_json
       rescue => e
         logger.error e
         error = {:error => e}.to_json

data/bin/awsudo

@@ -1,8 +1,13 @@
 #!/usr/bin/env ruby
-# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
 
 require 'awsudo'
 
+CONFIG_FILENAME = File.join(ENV['HOME'], '.awsudo')
+ROLES_FILENAME  = File.join(ENV['HOME'], '.aws-roles')
+SOCKETNAME      = ENV['AWS_AUTH_SOCK']
+SUPPORTED_IDPS  = AWSUDO::IdentityProviders.constants
+
 def usage
   warn <<-EOS
 Usage:
@@ -12,23 +17,49 @@ Usage:
   exit 1
 end
 
-usage if ARGV.size < 2
+def find_role_arn(rolename)
+  return nil if rolename =~ /\s/ || rolename.empty?
+  line = File.readlines(ROLES_FILENAME).find do |line|
+    line =~ /^#{rolename}\s+arn:aws:iam::\d+:role\/\S+\s*$/
+  end
+  return nil if line.nil?
+  arn = line.split(/\s+/)[1]
+  arn
+end
 
-config = Hash[*File.read(File.join(ENV['HOME'], '.awsudo')).
-  scan(/^(\w+)\s*=\s*(.*)$/).flatten]
-AWSUDO.config(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'])
+def cuddle
+  begin; yield; rescue; warn $!; end
+end
+
+usage if ARGV.size < 2
 
 role = ARGV.shift
-credentials =
-  begin
-    AWSUDO.assume_role(role)
-  rescue => e
-    warn e
-    exit 2
+role_arn = role =~ /^arn:aws:iam::\d+:role\/\S+$/ ? role : find_role_arn(role)
+
+if role_arn.nil?
+  warn "`#{role}' is not a valid role"
+  exit 2
+end
+
+keys = cuddle do
+  AWSUDO.assume_role_with_agent(role_arn, SOCKETNAME) unless SOCKETNAME.nil?
+end || cuddle do
+  config = AWSUDO.load_config(CONFIG_FILENAME)
+  idpname = config['IDP'].to_s.capitalize.to_sym
+  unless SUPPORTED_IDPS.include?(idpname)
+    raise "`#{config['IDP']}' is not a supported identity provider"
   end
 
-ENV['AWS_ACCESS_KEY_ID'] = credentials['access_key_id'] || credentials[:access_key_id]
-ENV['AWS_SECRET_ACCESS_KEY'] = credentials['secret_access_key'] || credentials[:secret_access_key]
-ENV['AWS_SESSION_TOKEN'] = credentials['session_token'] || credentials[:session_token]
+  username, password = AWSUDO.ask_for_credentials
+  idp = AWSUDO::IdentityProviders.new(idpname, config, username, password)
+  idp.assume_role(role_arn)
+end || exit(3)
+
+%w(access_key_id secret_access_key session_token).each do |keyname|
+  ENV['AWS_' + keyname.upcase] = keys[keyname] || keys[keyname.to_sym]
+end
+
+# for boto2
+ENV['AWS_SECURITY_TOKEN'] = keys['session_token'] || keys[:session_token]
 
-exec *ARGV if ARGV.size > 0
+cuddle { exec *ARGV if ARGV.size > 0 }

data/lib/awsudo.rb

@@ -1,27 +1,35 @@
-# Copyright (C) 2015 Electronic Arts Inc.  All rights reserved.
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
 
-require 'aws-sdk'
 require 'io/console'
 require 'json'
-require 'net/http'
-require 'net/https'
-require 'rexml/document'
+require 'logger'
 require 'socket'
 require 'uri'
 
 module AWSUDO
-  AWS_ROLES = File.join(ENV['HOME'], '.aws-roles')
+  @logger = Logger.new(STDERR)
+  @logger.level = Logger::WARN
 
   class << self
-    attr_reader :idp_login_url, :saml_provider_name
+    attr_accessor :logger
   end
 
-  def self.config(idp_login_url, saml_provider_name)
-    @idp_login_url = idp_login_url
-    @saml_provider_name = saml_provider_name
+  def self.assume_role_with_agent(role_arn, socket_name)
+    logger.debug {"role_arn: <#{role_arn}>"}
+    logger.debug {"socket_name: <#{socket_name}>"}
+    keys = UNIXSocket.open(socket_name) do |client|
+      client.puts role_arn
+      response = client.gets
+      logger.debug {"response: <#{response}>"}
+      raise "Connection closed by peer" if response.nil?
+      JSON.parse(response.strip)
+    end
+
+    raise keys['error'] unless keys['error'].nil?
+    keys
   end
 
-  def self.get_federated_credentials
+  def self.ask_for_credentials
     fd = IO.sysopen("/dev/tty", "w")
     console = IO.new(fd,"w")
     console.print "Login: "
@@ -32,70 +40,11 @@ module AWSUDO
     [username, password]
   end
 
-  def self.assume_role_using_agent(role)
-    socket_name = ENV['AWS_AUTH_SOCK']
-    credentials = UNIXSocket.open(socket_name) do |client|
-      client.puts role
-      response = client.gets
-      raise "Connection closed by peer" if response.nil?
-      JSON.parse(response.strip)
-    end
-
-    raise credentials['error'] if credentials['error']
-    credentials
-  end
-
-  def self.assume_role_using_password(role)
-    username, password = get_federated_credentials
-    saml_assertion = get_saml_assertion(username, password)
-    role_arn = resolve_role(role)
-    assume_role_with_saml(saml_assertion, role_arn).to_h
-  end
-
-  def self.assume_role(role)
-    assume_role_using_agent(role) rescue assume_role_using_password(role)
-  end
-
-  def self.get_saml_assertion(username, password)
-    uri = URI.parse(idp_login_url)
-
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-
-    req = Net::HTTP::Post.new(uri.request_uri)
-    req.set_form_data({'username' => username, 'password' => password})
-    res = http.request(req)
-
-    raise "Authentication failed" if res['Location'].nil?
-    uri = URI.parse(res['Location'])
-    req = Net::HTTP::Get.new(uri.request_uri)
-    req['Cookie'] = res['Set-Cookie']
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    res = http.request(req)
-
-    doc = REXML::Document.new(res.body)
-    REXML::XPath.first(doc, '/html/body/form/input[@name = "SAMLResponse"]/@value').to_s
-  end
-
-  def self.assume_role_with_saml(saml_assertion, role_arn)
-    principal_arn = "#{role_arn[/^arn:aws:iam::\d+:/]}saml-provider/#{saml_provider_name}"
-    sts = Aws::STS::Client.new(credentials: Aws::Credentials.new('a', 'b', 'c'), region: 'us-east-1')
-    sts.assume_role_with_saml(
-      role_arn: role_arn,
-      principal_arn: principal_arn, 
-      saml_assertion: saml_assertion).credentials
-  end
-
-  def self.resolve_role(role, roles_filename = AWS_ROLES)
-    return role if role =~ /^arn:aws:iam::\d+:role\/\S+$/
-    raise "`#{role}' is not a valid role" if role =~ /\s/
-    line = File.readlines(roles_filename).find {|line| line =~ /^#{role}\s+arn:aws:iam::\d+:role\/\S+\s*$/ }
-    raise "`#{role}' is not a valid role" if line.nil?
-    role_arn = line.split(/\s+/)[1]
-    raise "`#{role}' is not a valid role" if role_arn.nil?
-    role_arn
+  def self.load_config(filename)
+    config = Hash[*File.read(filename).scan(/^\s*(\w+)\s*=\s*(.*)\s*$/).flatten]
+    logger.debug { "config: <#{config.inspect}>" }
+    config
   end
 end
+
+require 'awsudo/identity_providers'

data/lib/awsudo/identity_provider.rb

@@ -0,0 +1,91 @@
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
+
+require 'aws-sdk'
+require 'base64'
+require 'net/http'
+require 'net/https'
+require 'nokogiri'
+require 'uri'
+
+require 'awsudo'
+
+module AWSUDO
+  class IdentityProvider
+    attr_accessor :idp_login_url, :saml_provider_name
+    attr_accessor :username, :password, :logger
+
+    def self.sts
+      return @sts unless @sts.nil?
+      @sts = Aws::STS::Client.new(
+        credentials: Aws::Credentials.new('a', 'b', 'c'),
+        region:      'us-east-1')
+    end
+
+    def self.new_from_config(config, username, password)
+      new(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'],
+               username, password)
+    end
+
+    def initialize(url, name, username, password)
+      @idp_login_url = url
+      @saml_provider_name = name
+      @username = username
+      @password = password
+      @logger   = AWSUDO.logger
+      begin
+        URI.parse @idp_login_url
+      rescue
+        raise "`#{@idp_login_url.inspect}' is not a valid IDP login URL"
+      end
+      if @saml_provider_name.nil? || @saml_provider_name.strip.empty?
+        raise "`#{@saml_provider_name.inspect}' is not a valid SAML provider name"
+      end
+    end
+
+    def saml_request
+      raise "should be implemented by subclass"
+    end
+
+    def get_saml_response
+      req = saml_request
+      res = nil
+      uri = URI.parse(idp_login_url)
+
+      loop do
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+        res = http.request(req)
+        logger.debug {"Location: <#{res['Location']}>"}
+        logger.debug {"Headers: <#{res.to_hash.inspect}>"}
+        logger.debug {"Body: <#{res.body.inspect}>"}
+
+        break if res['Location'].nil?
+
+        uri = URI.parse(res['Location'])
+        req = Net::HTTP::Get.new(uri.request_uri)
+        req['Cookie'] = res['Set-Cookie']
+      end
+
+      doc = Nokogiri::HTML(res.body)
+      doc.xpath('/html/body//form/input[@name = "SAMLResponse"]/@value').to_s
+    end
+
+    def assume_role(role_arn)
+      logger.debug {"role_arn: <#{role_arn}>"}
+      base_arn = role_arn[/^arn:aws:iam::\d+:/]
+      principal_arn = "#{base_arn}saml-provider/#{saml_provider_name}"
+      logger.debug {"principal_arn: <#{principal_arn}>"}
+      saml_assertion = get_saml_response
+      logger.debug {"saml_assertion: <#{Base64.decode64 saml_assertion}>"}
+      if saml_assertion.empty?
+        raise 'Unable to get SAML assertion (failed authentication?)'
+      end
+      self.class.sts.assume_role_with_saml(
+        role_arn: role_arn,
+        principal_arn: principal_arn,
+        saml_assertion: saml_assertion).credentials.to_h
+    end
+  end
+end

data/lib/awsudo/identity_providers.rb

@@ -0,0 +1,12 @@
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
+
+module AWSUDO
+  module IdentityProviders
+    def self.new(idpname, config, username, password)
+      self.const_get(idpname).new_from_config(config, username, password)
+    end
+  end
+end
+
+require 'awsudo/identity_providers/adfs.rb'
+require 'awsudo/identity_providers/okta.rb'

data/lib/awsudo/identity_providers/adfs.rb

@@ -0,0 +1,16 @@
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
+
+require 'awsudo/identity_provider'
+
+module AWSUDO
+  module IdentityProviders
+    class Adfs < IdentityProvider
+      def saml_request
+        uri = URI.parse(idp_login_url)
+        req = Net::HTTP::Post.new(uri.request_uri)
+        req.set_form_data({'username' => username, 'password' => password})
+        req
+      end
+    end
+  end
+end

data/lib/awsudo/identity_providers/okta.rb

@@ -0,0 +1,69 @@
+# Copyright (C) 2015-2017 Electronic Arts Inc.  All rights reserved.
+
+require 'awsudo/identity_provider'
+
+module AWSUDO
+  module IdentityProviders
+    class Okta < IdentityProvider
+      attr_accessor :api_endpoint
+
+      def self.new_from_config(config, username, password)
+        new(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'],
+            config['API_ENDPOINT'], username, password)
+      end
+
+      def initialize(url, name, endpoint, username, password)
+        super(url, name, username, password)
+        @api_endpoint = endpoint
+        logger.debug "api_endpoint: <#{@api_endpoint}>"
+        begin
+          URI.parse(@api_endpoint)
+        rescue
+          raise "`#{@api_endpoint.inspect}' is not a valid API endpoint"
+        end
+      end
+
+      def authenticate
+        payload = { 
+          'username' => username,
+          'password' => password,
+          'options'  => {
+            'multiOptionalFactorEnroll' => false,
+          'warnBeforePasswordExpired' => false
+          }
+        }.to_json
+        uri = URI.parse(api_endpoint + '/authn')
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+        req = Net::HTTP::Post.new(uri.request_uri)
+        req.content_type = 'application/json'
+        req['Accept'] = 'application/json'
+        req.body = payload
+        logger.debug {"payload: <#{req.body.inspect}>"}
+        res = http.request(req)
+        logger.debug {"Headers: <#{res.to_hash.inspect}>"}
+        logger.debug {"Body: <#{res.body.inspect}>"}
+        result = JSON.parse(res.body)
+
+        case result['status']
+        when 'SUCCESS'
+          return result['sessionToken']
+        when 'MFA_REQUIRED'
+          raise 'MFA required'
+        else
+          raise 'Authentication failed'
+        end
+      end
+
+      def saml_request
+        session_token = authenticate
+        uri = URI.parse(idp_login_url)
+        req = Net::HTTP::Post.new(uri.request_uri)
+        req.set_form_data({'onetimetoken' => session_token})
+        req
+      end
+    end
+  end
+end

metadata

@@ -1,29 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: awsudo
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Gerardo Santana Gomez Garrido
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-12 00:00:00.000000000 Z
+date: 2017-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
 description: |
   awsudo enables users to execute commands that make API calls to AWS under the
   security context of an IAM role. The IAM role is assumed only upon successful
@@ -39,15 +53,20 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- bin/aws-agent
-- bin/awsudo
-- lib/awsudo.rb
-- LICENSE
 - CHANGELOG.md
 - CONTRIBUTING.md
+- LICENSE
 - README.md
+- bin/aws-agent
+- bin/awsudo
+- lib/awsudo.rb
+- lib/awsudo/identity_provider.rb
+- lib/awsudo/identity_providers.rb
+- lib/awsudo/identity_providers/adfs.rb
+- lib/awsudo/identity_providers/okta.rb
 homepage: https://github.com/electronicarts/awsudo
-licenses: []
+licenses:
+- BSD-3-Clause
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -55,17 +74,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: executes a command with the permissions given by an AWS IAM role