credsummoner 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d9c3a614f16fb15c9ba37707b6b87e834b7961573445a1416ea4a6b343310ae6
+  data.tar.gz: d79155dacf952e1b9974f3cfffadbc38619c1b5466c820ab9de3fd2d73c98e6b
+SHA512:
+  metadata.gz: 19bac7a5369554246d91ef42005581f1a1321d89929f66e6b6bec89ca15d6501c21d2c1b7b6a999eca9690cea5ee76463444f149f95881fd503c7b688627d587
+  data.tar.gz: f63d654e84c47e50e7e9e6d5bc2cda5651e8d290b8de76d62ea0debb0fc5872f20b2aed343ec90823646853fd5de709957088bd4d10251d52b99e42e75b1aef4

data/bin/credsummoner

@@ -0,0 +1,166 @@
+#!/usr/bin/env ruby
+
+require 'credsummoner'
+require 'optparse'
+require 'tty-prompt'
+
+duration = 12 * 60 * 60 # 12 hour session
+mode = :command
+region = ENV['AWS_REGION'] || 'us-east-1'
+account_name = nil
+role_name = nil
+
+root_parser = OptionParser.new do |opts|
+  opts.banner = "Usage: credsummoner SUBCOMMAND [OPTION ...]"
+  #opts.separator ""
+end
+
+subcommands = {
+  'get' => OptionParser.new do |opts|
+    opts.banner = "Usage: credsummoner get USERNAME [OPTION ...] [COMMAND ...]
+
+Fetch temporary AWS tokens and do one of the following:
+
+* Print environment variables to stdout if --env is specified
+* Run COMMAND if specified
+* Otherwise, run default user shell
+"
+
+    opts.on('-d', '--duration=DURATION', 'the ttl of the session token in seconds') do |d|
+      duration = d
+    end
+
+    opts.on('-e', '--environment', 'display environment variables instead of running a command') do |e|
+      mode = :environment
+    end
+
+    opts.on('--region=REGION', 'AWS region') do |r|
+      region = r
+    end
+
+    opts.on('-a', '--account=ACCOUNT', 'AWS account alias') do |a|
+      account_name = a
+    end
+
+    opts.on('-r', '--role=ROLE', 'AWS role name') do |r|
+      role_name = r
+    end
+  end,
+  'config' => OptionParser.new do |opts|
+    opts.banner = 'Usage: credsummoner config KEY VALUE
+
+Set the configuration option KEY to VALUE.
+
+Available configuration keys:
+
+* okta_aws_embed_link: The embed link for the AWS application in Okta.
+This link can be found in the "General" tab when viewing the AWS
+application settings in the Okta admin interface.
+'
+  end
+}
+
+root_parser.order!
+subcommand = ARGV.shift
+subcommands[subcommand].parse!
+
+case subcommand
+when 'get'
+  username = ARGV[0]
+
+  unless username
+    puts 'username must be specified'
+    puts "see 'credsummoner --help'"
+    exit(1)
+  end
+
+  unless CredSummoner::Config.exists?
+    puts 'CredSummoner has not yet been configured'
+    puts "see 'credsummoner config --help'"
+    exit(1)
+  end
+
+  prompt = TTY::Prompt.new
+  user = CredSummoner::Okta::User.new(username) do
+    password = prompt.mask('password:')
+    totp_token = prompt.ask('TOTP token:')
+    CredSummoner::Okta::Credentials.new(password, totp_token)
+  end
+  account = if account_name
+              user.role_map.keys.find { |a| a.name == account_name } ||
+                begin
+                  puts "account '#{account_name}' is not a valid choice"
+                  puts 'available accounts:'
+                  user.role_map.keys.each do |acc|
+                    puts " - #{acc.name}"
+                  end
+                  exit(1)
+                end
+            else
+              prompt.select('which account?') do |menu|
+                user.role_map.keys.each do |account|
+                  menu.choice(account.to_s, account)
+                end
+              end
+            end
+  role = if role_name
+           user.role_map[account].find { |r| r.name == role_name } ||
+             begin
+               puts "role '#{role_name}' is not a valid choice"
+               puts 'available roles:'
+               user.role_map[account].each do |role|
+                 puts " - #{role.name}"
+               end
+               exit(1)
+             end
+         else
+           prompt.select('which role?') do |menu|
+             user.role_map[account].each do |role|
+               menu.choice(role.to_s, role)
+             end
+           end
+         end
+  credentials = user.assume_role(role, duration, region)
+
+  if mode == :command
+    command = if ARGV.length > 1
+                ARGV.drop(1)
+              else
+                # Default to user's preferred shell, falling back to bash.
+                [ENV['SHELL']] || ['bash']
+              end
+
+    # Fork and use exec to spawn a child process with the AWS session
+    # environment variables prepared.
+    pid = Process.fork do
+      ENV['AWS_ACCESS_KEY_ID'] = credentials[:access_key_id]
+      ENV['AWS_SECRET_ACCESS_KEY'] = credentials[:secret_access_key]
+      ENV['AWS_SESSION_TOKEN'] = credentials[:session_token]
+      # For decorating the shell prompt.
+      ENV['CREDSUMMONER_AWS_ROLE'] = "#{account.name}/#{role.name}"
+      STDERR.puts "session expires at #{credentials[:expiration]}"
+      exec(*command)
+    end
+
+    if pid
+      Process.waitpid(pid)
+      exit($?.exitstatus) # exit with status of child process
+    end
+  elsif mode == :environment
+    puts "export AWS_ACCESS_KEY_ID=\"#{credentials[:access_key_id]}\""
+    puts "export AWS_SECRET_ACCESS_KEY=\"#{credentials[:secret_access_key]}\""
+    puts "export AWS_SESSION_TOKEN=\"#{credentials[:session_token]}\""
+    puts "export CREDSUMMONER_AWS_ROLE=\"#{account.name}/#{role.name}\""
+    STDERR.puts "session expires at #{credentials[:expiration]}"
+  end
+when 'config'
+  key = ARGV[0]
+  value = ARGV[1]
+  config = if CredSummoner::Config.exists?
+             CredSummoner::Config.load
+           else
+             CredSummoner::Config.new
+           end
+  config.send("#{key}=", value)
+  config.save
+end

data/lib/credsummoner.rb

@@ -0,0 +1,8 @@
+require 'credsummoner/config'
+require 'credsummoner/account'
+require 'credsummoner/role'
+require 'credsummoner/saml_assertion'
+require 'credsummoner/web'
+require 'credsummoner/okta/credentials'
+require 'credsummoner/okta/session'
+require 'credsummoner/okta/user'

data/lib/credsummoner/account.rb

@@ -0,0 +1,14 @@
+module CredSummoner
+  class Account
+    attr_reader :name, :id
+
+    def initialize(name, id)
+      @name = name
+      @id = id
+    end
+
+    def to_s
+      name
+    end
+  end
+end

data/lib/credsummoner/config.rb

@@ -0,0 +1,46 @@
+require 'fileutils'
+require 'yaml'
+
+module CredSummoner
+  class Config
+    attr_accessor :okta_aws_embed_link
+
+    def initialize(okta_aws_embed_link: nil)
+      @okta_aws_embed_link = okta_aws_embed_link
+    end
+
+    def self.exists?
+      File.exists?(config_file)
+    end
+
+    def self.load
+      if exists?
+        yaml = YAML.load(File.read(config_file))
+        Config.new(okta_aws_embed_link: yaml['okta_aws_embed_link'])
+      else
+        raise 'no config file'
+      end
+    end
+
+    def self.config_dir
+      "#{ENV['HOME']}/.config/credsummoner"
+    end
+
+    def self.config_file
+      "#{config_dir}/config.yml"
+    end
+
+    def save
+      FileUtils.mkdir_p(Config.config_dir)
+      File.open(Config.config_file, 'w', 0600) do |file|
+        file.puts(YAML.dump(serialize))
+      end
+    end
+
+    def serialize
+      {
+        'okta_aws_embed_link' => okta_aws_embed_link
+      }
+    end
+  end
+end

data/lib/credsummoner/okta/credentials.rb

@@ -0,0 +1,12 @@
+module CredSummoner
+  module Okta
+    class Credentials
+      attr_reader :password, :totp_token
+
+      def initialize(password, totp_token)
+        @password = password
+        @totp_token = totp_token
+      end
+    end
+  end
+end

data/lib/credsummoner/okta/session.rb

@@ -0,0 +1,116 @@
+require 'fileutils'
+
+module CredSummoner
+  module Okta
+    class Session
+      attr_reader :username, :get_creds
+
+      def initialize(username, get_creds)
+        @username = username
+        @get_creds = get_creds
+      end
+
+      def cache_dir
+        "#{ENV['HOME']}/.cache/credsummoner"
+      end
+
+      def cache_file
+        "#{cache_dir}/okta_session_#{username}"
+      end
+
+      def lookup_cached_session
+        File.exists?(cache_file) && JSON.parse(File.read(cache_file))
+      end
+
+      def cache_session(session)
+        FileUtils.mkdir_p(cache_dir)
+        File.open(cache_file, 'w', 0600) do |file|
+          file.puts(session.to_json)
+        end
+      end
+
+      def clear!
+        File.delete(cache_file)
+        @data = nil
+      end
+
+      def aws_embed_uri
+        @aws_embed_uri ||= URI.parse(Config.load.okta_aws_embed_link)
+      end
+
+      def base_okta_url
+        "#{aws_embed_uri.scheme}://#{aws_embed_uri.host}"
+      end
+
+      def auth_url
+        "#{base_okta_url}/api/v1/authn"
+      end
+
+      def login(creds)
+        response = Web.post_json(auth_url,
+                                 username: username,
+                                 password: creds.password)
+
+        if response
+          status = response['status']
+          case status
+          when 'SUCCESS'
+            response['sessionToken']
+          when 'MFA_REQUIRED'
+            # FIXME: TOTP is the only supported factor currently.
+            factor = response['_embedded']['factors'].find do |factor|
+              factor['factorType'] == 'token:software:totp'
+            end
+            mfa(factor['id'], response['stateToken'], creds)
+          end
+        else
+          raise 'incorrect password'
+        end
+      end
+
+      def mfa(factor_id, state_token, creds)
+        response = Web.post_json("#{base_okta_url}/api/v1/authn/factors/#{factor_id}/verify",
+                                 stateToken: state_token,
+                                 passCode: creds.totp_token)
+        if response
+          response['sessionToken']
+        else
+          raise 'invalid MFA token'
+        end
+      end
+
+      def create_fresh_session
+        creds = get_creds.call
+        session_token = login(creds)
+        app_url_with_token = "#{aws_embed_uri.to_s}?onetimetoken=#{session_token}"
+        # A successful login yields a URL to redirect to and a cookie that has
+        # our session.
+        response = Web.get(app_url_with_token)
+        redirect_url = response['location']
+        # Really simple cookie parsing.
+        cookie = response.get_fields('set-cookie').map do |field|
+          field.split('; ')[0]
+        end.join('; ')
+        saml_url = Web.get(redirect_url, cookie: cookie)['location']
+        data = {
+          'saml_url' => saml_url,
+          'cookie' => cookie
+        }
+        cache_session(data)
+        data
+      end
+
+      def data
+        @data ||= lookup_cached_session || create_fresh_session
+      end
+
+      def saml_url
+        data['saml_url']
+      end
+
+      def cookie
+        data['cookie']
+      end
+    end
+  end
+end

data/lib/credsummoner/okta/user.rb

@@ -0,0 +1,115 @@
+require 'fileutils'
+require 'json'
+require 'nokogiri'
+
+module CredSummoner
+  module Okta
+    class User
+      attr_reader :username
+
+      def initialize(username, &blk)
+        @username = username
+        @get_creds = blk.to_proc
+      end
+
+      def session
+        @session ||= Session.new(username, @get_creds)
+      end
+
+      def saml_assertion
+        @saml_assertion ||=
+          begin
+            response = nil
+            while true
+              # Get the base64 encoded SAML assertion that we will need to
+              # send along to AWS.
+              response = Web.get(session.saml_url, cookie: session.cookie)
+              if response.code == '200'
+                break
+              else
+                # Cookie expired!  Clear session and try again.  The
+                # user will be prompted for credentials again.
+                session.clear!
+              end
+            end
+            saml_page = response.body
+            SAMLAssertion.new(Nokogiri::HTML(saml_page).at_css('form input[name=SAMLResponse]')['value'])
+          end
+      end
+
+      def role_map
+        @role_map ||=
+          begin
+            # Two things can happen on this sign-in page:
+            #
+            # 1) The user only has access to a single role in a single
+            # account, in which case they are redirected straight to the
+            # console for that account + role
+            #
+            # 2) The user has access to more than one role in one or more
+            # accounts, in which case they are presented with a page that
+            # lists all accounts and roles for them to choose from.
+            #
+            # For case #1, the response body will be the empty string and
+            # the set-cookie header will contain the account + role
+            # information and we will parse that.
+            #
+            # For case #2, the response body will be scraped for all the
+            # account + role information.
+            #
+            # In both cases we return a hash table mapping accounts to
+            # roles.
+            response = Web.post_form('https://signin.aws.amazon.com/saml',
+                                     SAMLResponse: saml_assertion.response,
+                                     RelayState: '')
+            if response.body.empty?
+              cookie = response.get_fields('set-cookie').each_with_object({}) do |field, h|
+                key, value = field.split('; ')[0].split('=')
+                h[key] = value
+              end
+              user_info = JSON.parse(URI.unescape(cookie['aws-userInfo']))
+              split_arn = user_info['arn'].split('/')
+              role_name = split_arn[1]
+              account_id = split_arn[0].split(':')[4]
+              role_arn = "arn:aws:iam::#{account_id}:role/#{role_name}"
+              account = Account.new(user_info['alias'], account_id)
+              role = Role.new(
+                name: role_name,
+                arn: role_arn,
+                principal_arn: saml_assertion.principal_arn_map[role_arn]
+              )
+              { account => [role] }
+            else
+              # Time for a little web scraping.  Create an account -> roles mapping
+              # so that we can present the user with a list of roles to choose from.
+              role_page = response.body
+              html = Nokogiri::HTML(role_page)
+              accounts = html.css('div[class=saml-account-name]').map do |node|
+                # example account text we are parsing:
+                #    Account: maestro-staging (774082247212)
+                parts = node.text.split(' ')
+                name = parts[1]
+                id = parts[2][1..-2] # account name is in parens, trim those off
+                Account.new(name, id)
+              end
+              roles = html.css('div[class=saml-account] div[class=saml-account]').map do |node|
+                node.css('input[name=roleIndex]').map do |field|
+                  id = field['id']
+                  arn = field['value']
+                  # Extract the human readable role name.
+                  name = node.css("label[for='#{id}']").text
+                  Role.new(name: name, arn: arn,
+                           principal_arn: saml_assertion.principal_arn_map[arn])
+                end
+              end
+              accounts.zip(roles).to_h
+            end
+          end
+      end
+
+      def assume_role(role, duration, region)
+        role.assume(saml_assertion, duration, region)
+      end
+    end
+  end
+end

data/lib/credsummoner/role.rb

@@ -0,0 +1,25 @@
+require 'aws-sdk-core'
+
+class Role
+  attr_reader :name, :arn, :principal_arn
+
+  def initialize(name:, arn:, principal_arn:)
+    @name = name
+    @arn = arn
+    @principal_arn = principal_arn
+  end
+
+  def assume(saml, duration, region)
+    sts = Aws::STS::Client.new(region: region)
+    sts.assume_role_with_saml(
+      principal_arn: principal_arn,
+      role_arn: arn,
+      saml_assertion: saml.response,
+      duration_seconds: duration
+    ).credentials
+  end
+
+  def to_s
+    name
+  end
+end

data/lib/credsummoner/saml_assertion.rb

@@ -0,0 +1,32 @@
+require 'base64'
+require 'nokogiri'
+
+module CredSummoner
+  class SAMLAssertion
+    attr_reader :response
+
+    def initialize(response)
+      @response = response
+    end
+
+    def xml_tree
+      @xml_tree ||= Nokogiri::XML(Base64.decode64(response))
+    end
+
+    # Role->Principal mapping
+    def principal_arn_map
+      @principal_arn_map ||=
+        begin
+          # The SAML document has the principal ARNs and role ARNs in
+          # "principal,role" pairs.  So, we generate a mapping from role
+          # to principal for lookup later when we talk to AWS STS to
+          # create a session.
+          saml_xpath = "//saml2:Attribute[@Name='https://aws.amazon.com/SAML/Attributes/Role']/saml2:AttributeValue"
+          saml_namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'
+          xml_tree.xpath(saml_xpath, saml2: saml_namespace).map do |node|
+            node.text.split(',').reverse
+          end.to_h
+        end
+    end
+  end
+end

data/lib/credsummoner/web.rb

@@ -0,0 +1,39 @@
+require 'json'
+require 'net/http'
+
+module CredSummoner
+  class Web
+    def self.get(url, cookie: nil)
+      uri = URI.parse(url)
+      http = Net::HTTP::new(uri.host, uri.port)
+      http.use_ssl = true
+      request = Net::HTTP::Get.new(uri.request_uri)
+      request['Cookie'] = cookie if cookie
+      http.request(request)
+    end
+
+    def self.post_form(url, form_data)
+      uri = URI.parse(url)
+      http = Net::HTTP::new(uri.host, uri.port)
+      http.use_ssl = true
+      request = Net::HTTP::Post.new(uri.request_uri)
+      request.set_form_data(form_data)
+      http.request(request)
+    end
+
+    def self.post_json(url, args)
+      uri = URI.parse(url)
+      http = Net::HTTP::new(uri.host, uri.port)
+      http.use_ssl = true
+      request = Net::HTTP::Post.new(uri.request_uri)
+      request.body = args.to_json
+      request.content_type = 'application/json'
+      response = http.request(request)
+      if response.code == '200'
+        JSON.parse(response.body)
+      else
+        false
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: credsummoner
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- David Thompson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: tty-prompt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: Retrieve temporary AWS credentials via an identity provider.
+email: dthompson@vistahigherlearning.com
+executables:
+- credsummoner
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/credsummoner
+- lib/credsummoner.rb
+- lib/credsummoner/account.rb
+- lib/credsummoner/config.rb
+- lib/credsummoner/okta/credentials.rb
+- lib/credsummoner/okta/session.rb
+- lib/credsummoner/okta/user.rb
+- lib/credsummoner/role.rb
+- lib/credsummoner/saml_assertion.rb
+- lib/credsummoner/web.rb
+homepage: https://github.com/vhl/credsummoner
+licenses:
+- GPL-3.0+
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Retrieve temporary AWS credentials via an identity provider
+test_files: []