cerberus_client 1.2.1 → 1.3.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    YjkyZTNlMDliYzMwNWUzMGRmNWNmNDJiYWI0MDE1YjdmYWVkODEyNA==
-  data.tar.gz: !binary |-
-    YjIwYzE2M2NjNjA3NDMxYzVjMjhiZmRhZGYzYjFlN2RmNWExNGE0Nw==
+SHA1:
+  metadata.gz: c9c2c6f6e7a6835b0a8681dceffdebbff7a83633
+  data.tar.gz: cd165f1d90a67a582b5092482f2215984da19d22
 SHA512:
-  metadata.gz: !binary |-
-    ODRhNzFkYTllNDBkMWRhZjI0YWYwYzY2ZGJkNGJlZTMxMjFhM2YwODZhZjYz
-    ZTg1OGQ3NzY3MDk1NzU5ZTRlZWE0OGE5MWU4NGQ0ZWNhNDNmZGRhZDkxM2I2
-    YjZkZmU2NGI4YmM2NzJjMDRlODYzZTQ5YzNkMTcyMTAyNDNmNTM=
-  data.tar.gz: !binary |-
-    ZDVhZjkzNzJkMmU3ZGRmMjY0MDhmMjg5ODlhYTBhMWRmN2FkM2RjOWJhY2Q2
-    ZTg4ZTZhOTU4MDU1ZDQ0NjgxMmYwZmI1NTRhNzIxMzRhYTFjMzkzYjI4YmNm
-    NDQ5ODMzNTY0MTA4NmI5MjNlMmEzMzViMDhlNWM1Y2E5MGI5Mjg=
+  metadata.gz: 1265585ef0f9fbf30069b14fc70dad9c3ca2f570471fb4e2079ca5ac78910bcabc14a0efb1f40e73e2575d36b252abd0665717a01e7f5143e3e36b8382c4c261
+  data.tar.gz: 0aed3abacaf93e8e4d012ff15f993ad2ff602d5901a149106107b4071f37f3879597c0f1fd18957c0c4ef02f69411fcc2da1a124ddb8660196892376fd5b3b50

data/.travis.yml

@@ -0,0 +1,14 @@
+language: ruby
+rvm:
+- 2.0
+- jruby
+script: bundle exec rspec spec
+deploy:
+  provider: rubygems
+  api_key:
+    secure: Qt16Y+xUbDJS1zGdXj+EFbxyj+P6+eE+KZygCvEI4s3tOmpFgPfOAhAZ0FJYZ93DjU9DjmhpXjJ/z9Ho872XKzdTnMd8PUgLts1ktnbmrsHnunMye6II9xvesMB4gaM2JogzoBdu80udMYy6tj4o1MWzJo2lVDYkFkkoEDhtOkOdExqwX2x5v9FDDzMfVKC309e7ZjuuGBQZCGxGj9J0xxOgRZkD2O/n71qo0Z0f/wFg7ELVAF1BQTBrGmoWji2yI+jtALQhlVxYfnoINPt3/P++ZvJQJrlDpRozDT/hH8Gxe+AOwqur+a3xdXrqGOw6q+/BPcYDwzlwlNTo9WiGYv1ZmZRm7UzA9iE2PU8TP7nxITP/yV5iJ502i7TDsz2RJkwXHppSLLgfGaHWvnKqPZzULgK9A3WjxQih3Bis3QlmAnkq8cnfn4wF6NUPi4cy2k/fJLYwKPUTDynRmPDiI0al02DU5nOA9MJCVYTF/pQMBDpS3CB957pkTBEhHv4OT9iJO/NJfzsP2l/tFxquQciAi67aB3HRNxHXGo4haWdplvHhgD0Col6AcLlvIlOXbuHpxHJXjlm/c/pWzXGg0zQ5OjxNtGkPgJ7UkwNpZadmdee5hNXqyQHi5a2kXAoAZyccHZf0YvY1/1KzB1qxyJD57H+mFesjeKH5+mACXfI=
+  gem: cerberus_client
+  on:
+    tags: true
+    repo: Nike-Inc/cerberus-ruby-client
+    branch: publish-gem

data/README.md

@@ -1,5 +1,10 @@
 # Cerberus Ruby Client
 
+[![Gem](https://img.shields.io/gem/v/cerberus_client.svg)](https://rubygems.org/gems/cerberus_client)
+[![Downloads](https://img.shields.io/gem/dt/cerberus_client.svg)](https://rubygems.org/gems/cerberus_client)
+[![Build](https://img.shields.io/travis/USER/REPO/BRANCH.svg)](https://travis-ci.org/Nike-Inc/cerberus-ruby-client)
+
+
 This is a Ruby based client library for communicating with Vault via HTTP and enables authentication schemes specific
 to AWS and Cerberus.
 
@@ -15,7 +20,7 @@ These installation instructions need to be updated after we open source and publ
 Add this to your application's Gemfile:
 
 ```ruby
-source "https://xxx/gems/nike-gems"
+source 'https://rubygems.org'
 gem 'cerberus_client' 
 ```
 
@@ -26,7 +31,7 @@ $ bundle
     
 Or do it yourself:
 ```bash 
-$ gem install cerberus_client --source "https://xxx/gems/nike-gems"
+$ gem install cerberus_client 
 ```
 
 ## Usage

data/cerberus_client.gemspec

@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.13"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency 'aws-sdk', '~> 2'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'bundler', '~> 1.13'
 end

data/lib/cerberus/aws_role_credentials_provider.rb

@@ -55,7 +55,11 @@ module Cerberus
     ##
     def getClientToken
 
-      if (@clientToken == nil)
+      if (@role.nil?)
+        raise Cerberus::Exception::NoValueError
+      end
+
+      if (@clientToken.nil?)
         @clientToken = getCredentialsFromCerberus
       end
 
@@ -70,12 +74,37 @@ module Cerberus
 
     end
 
+    ##
+    # Policy: if we are given these three pieces of data, we will assume a role to do auth
+    ##
+    def should_assume_role?(roleAccountId, roleName, roleRegion)
+      !(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
+    end
+
+    ##
+    # Policy: if we do not have an instance MD service URL and we can't assume a role, then this instance
+    # of the provider cannot use a role to provide credentials.  Primarily used for testing.
+    ##
+    def have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
+      (!instanceMdSvcBaseUrl.nil? || should_assume_role?(roleName, roleRegion, roleAccountId))
+    end
+
     private
 
+    ##
+    # Uses provided data to determine how to construct the AwsRoleInfo use by this provider
+    ##
     def get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
-      if (should_assume_role(roleAccountId, roleName, roleRegion))
+
+      # if we have no metedata about how to auth, we do nothing
+      # this is used in unit testing primarily
+      if (!have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId))
+        return nil;
+      elsif (should_assume_role(roleAccountId, roleName, roleRegion))
+        # we are assuming a role to do auth
         return get_role_from_provided_info(roleName, roleRegion, roleAccountId)
       else
+        # we are using a role that the instance has associated with it
         @instanceMdSvcBaseUrl = instanceMdSvcBaseUrl.nil? ? INSTANCE_METADATA_SVC_BASE_URL : instanceMdSvcBaseUrl
 
         # collect instance MD we need to auth with Cerberus
@@ -83,12 +112,25 @@ module Cerberus
       end
     end
 
+
+    ##
+    # Get an AwsRoleInfo object from the provided data
+    ##
     def get_role_from_provided_info(roleName, roleRegion, roleAccountId)
-      role_creds = Aws::AssumeRoleCredentials.new(client: Aws::STS::Client.new(region: roleRegion), role_arn: "arn:aws:iam::#{roleAccountId}:role/#{roleName}", role_session_name: "hiera-cpe-build")
+
+      role_creds = Aws::AssumeRoleCredentials.new(
+          client: Aws::STS::Client.new(region: roleRegion),
+          role_arn: "arn:aws:iam::#{roleAccountId}:role/#{roleName}",
+          role_session_name: "hiera-cpe-build")
 
       return AwsRoleInfo.new(roleName, roleRegion, roleAccountId, credentials: role_creds)
     end
 
+    ##
+    # Use the instance metadata to extract the role information
+    # This function should only be called from an EC2 instance otherwise the http
+    # call will fail.
+    ##
     def get_role_from_instance_metadata
       role_arn = getIAMRoleARN
       region = getRegionFromAZ(getAvailabilityZone)
@@ -103,10 +145,6 @@ module Cerberus
       return AwsRoleInfo.new(role_name, region, account_id, nil)
     end
 
-    def should_assume_role(roleAccountId, roleName, roleRegion)
-      !(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
-    end
-
     ##
     # Reach out to the Cerberus management service and get an auth token
     ##

data/lib/cerberus_client/version.rb

@@ -1,3 +1,3 @@
 module CerberusClient
-  VERSION = "1.2.1"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,43 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: cerberus_client
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Joe Teibel
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-03-27 00:00:00.000000000 Z
+date: 2017-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: aws-sdk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '2'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
 description: This is a Ruby based client library for communicating with Vault via
   HTTP and enables authentication schemes specific to AWS and Cerberus. This client
   currently supports read-only operations (write operations are not yet implemented,
@@ -49,8 +63,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
@@ -85,18 +100,18 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
-summary: ! '["A Ruby Client for Cerberus, a secure property store for cloud applications"]'
+summary: '["A Ruby Client for Cerberus, a secure property store for cloud applications"]'
 test_files: []