dvla-kaping 1.0.0 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09c60001616143c58b1a1023bea7cdcf653c495ea1410222d767dc8718f4507b'
-  data.tar.gz: 713da1c1de593ffc1e516aa4a0727eae53174fb6832f82a0b8c988b7bba85ff7
+  metadata.gz: 760f300cb49bc582101a24d6854ad96ca73094f81423971c47c85fcbc680992e
+  data.tar.gz: 756336c4dc3963e399f7af55e3564c7b3165388c331ae35dd8c2895bf337c278
 SHA512:
-  metadata.gz: f182de8966f9e515888ccfc137322df7a1fb8a84e7949ae2a9d8d439ff2ecc3f9f464766d864de3d7ec2480d3f965541be74e80af92e9eb8fc7b4d26ded224c0
-  data.tar.gz: 25a74e3a85a3719952e7239919b53aa1e6a9294713ece79c60ee42cce20ac862fb9b4487e65ceed33661f731dad97f1fdaaacd5256b968aab9fe69fb6f3a63cf
+  metadata.gz: 5b3ecb88b4d6c7156921bd9afb8599045064725c0cfbf3158cefbe8e7b16e7cd365071e4c63cbbb0a4e07cf502bc5bf5fbb699587f5d8d68e7745cb9ce53f763
+  data.tar.gz: f6bca6eacf464d5ce73f8a1b3028f752e53dcd63969f338f6773028c10597e4974d9648b6c8d7801f44c26431eb2234dd982df8379f6cca1b89e5d55b3948fcf

data/.rubocop.yml

@@ -2,7 +2,7 @@ inherit_gem:
   dvla-lint: ".rubocop.yml"
 
 AllCops:
-  TargetRubyVersion: 3.0
+  TargetRubyVersion: 4.0
 
 Style/StringLiterals:
   EnforcedStyle: single_quotes

data/.ruby-version

@@ -1 +1 @@
-3.4.2
+4.0.2

data/.tool-versions

@@ -0,0 +1 @@
+ruby 4.0.2

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 ## [Unreleased]
 
-## [0.1.0] - 2024-11-07
+## [1.0.5] - 2025-11-10
+
+- Fixed AWS credential handling to return proper credentials from assume role
+- Added AWS credential chain and SSO documentation to README
+
+## [1.0.4] - 2025-11-10
+
+- Update gems and fixed issue with git actions
+
+## [1.0.3] - 2025-09-03
+
+- Moved runtime dependencies to the gemspec
+
+## [1.0.2] - 2024-11-07
 
 - Initial release
+

data/README.md

@@ -1,6 +1,13 @@
 # Dvla::Kaping
 
-The Kaping! gem - an idiomatic way to create DSL openSearch definitions
+The Kaping! Gem, an idiomatic way to create DSL openSearch definitions
+
+The Ka-Ping Ruby gem enables the user to build complex ElasticSearch DSL Queries for searching and filtering large data sets
+without having to worry about formatting the JSON payloads. 
+
+Using Ruby dot notation with intuitive search terms and operations, it's easier to construct human-readable search definitions 
+without needing a deep understanding of the Query DSL syntax
+
 
 ## OpenSearch Query DSL
 https://opensearch.org/docs/latest/query-dsl/
@@ -28,10 +35,10 @@ complex to construct so this gem looks to simplify the process.
 
 ## Query and filter context
 
-A filter context asks - “Does the document match the query clause?” and returns matching documents 
+A filter context asks: “Does the document match the query clause?” and returns matching documents 
 i.e it's a binary answer
 
-A query context asks - “How well does the document match the query clause?”, - also returns a relevance score
+A query context asks: “How well does the document match the query clause?”, - also returns a relevance score
 good for full-text searches
 
 # How to use
@@ -55,8 +62,8 @@ DVLA::Kaping.configure { |attr| attr.yaml_override_path = './config/kaping.yml'
 ```
 The 'index' setting will control what environment to target
 
-The 'result_size' setting determines how many records to be returned from the query, if you are doing a post query filtering 
-code side then you should pump this value up.
+The 'result_size' setting determines how many records to be returned from the query, if you are doing a post-query filtering 
+code side, then you should pump this value up.
 
 ```yml
 kaping:
@@ -67,18 +74,52 @@ kaping:
 
 ```
 If you want to use the built-in client, and your OpenSearch instance is hosted in a Amazon VPC you will need to assume AWS permissions for access to run the queries.
-there are two options, you can either use profile or environment
+There are two options, you can either use profile or environment
 
-Profile will just pick up the credentials save in your specified shared credentials ini file at ~/.aws/credentials, 
+Profile will just pick up the credentials saved in your specified shared credentials ini file at ~/.aws/credentials, 
 
 ```yml
   aws:
-    #  to use a AWS profile config file then set to profile, otherwise environment settings will be used
-    credential_type: profile
+    #  to use an AWS profile config file, then set to profile, otherwise environment settings will be used
+    credential_type: profile | env | credentials
     account_id: ##########
+    role: ROLE 
     region: aws-region
     profile: PROFILE
-    role: ROLE  
+     
+```
+
+### AWS Credential Chain
+
+The gem supports three credential strategies:
+
+| credential_type | How it works |
+|---|---|
+| `profile` | Uses the named profile from `~/.aws/config` to create an STS client, then assumes the configured role. Supports SSO profiles. |
+| `env` | Uses environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_PROFILE`) to create an STS client, then assumes the configured role. |
+| `credentials` | Delegates to the AWS SDK default credential provider chain, which walks through env vars → shared config/credentials → SSO → ECS/EC2 instance roles in order. No role assumption is performed. |
+
+### Using AWS SSO
+
+If your organisation uses AWS IAM Identity Center (SSO), authenticate first then set the profile:
+
+```bash
+aws sso login --profile my-sso-profile
+```
+
+Then either:
+- Set `credential_type: profile` and `profile: my-sso-profile` in your `kaping.yml`
+- Or set `credential_type: env` / `credentials` and export `AWS_PROFILE=my-sso-profile`
+
+The SDK will resolve the cached SSO token automatically. Ensure your `~/.aws/config` has the SSO profile configured, for example:
+
+```ini
+[profile my-sso-profile]
+sso_start_url = https://my-org.awsapps.com/start
+sso_region = eu-west-2
+sso_account_id = 123456789012
+sso_role_name = MyRole
+region = eu-west-2
 ```
 
 ## Client
@@ -106,7 +147,7 @@ body = DVLA::Kaping::Query.new('bool')
 ## Query building
 A query can be built up with dot notation, but there are a few rules to follow. 
 
-First get a new Kaping Query instance. If we want a new Boolean query then we set the type as bool. 
+First, get a new Kaping Query instance. If we want a new Boolean query then we set the type as bool. 
 ```ruby
 my_query = DVLA::Kaping::Query.new('bool')
 my_query.filter.term('foo.bar', 'Valid').

data/lib/dvla/kaping/aws_client.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-require 'aws-sdk-core'
 require 'opensearch-aws-sigv4'
 require 'aws-sigv4'
+require 'aws-sdk-sts'
 
 module DVLA
   module Kaping
@@ -11,25 +11,34 @@ module DVLA
         @base_url = Kaping.yaml[:kaping_host]
         @aws_account_id = Kaping.yaml.dig(:aws, :account_id)
         @role = Kaping.yaml.dig(:aws, :role)
-        @region = Kaping.yaml.dig(:aws, :region)
-        Kaping.logger.info { "Kaping Client | base_url: '#{@base_url}'" }
+        @region = Kaping.yaml.dig(:aws, :region) || 'eu-west-2'
+        Kaping.logger.debug { "AWS Client | base_url: '#{@base_url}'" }
+      end
+
+      def select_credentials
+        case Kaping.yaml.dig(:aws, :credential_type)
+        when 'profile'
+          assume_role_profile(@aws_account_id, @role)
+        when 'env'
+          assume_role_env(@aws_account_id, @role)
+        when 'credentials'
+          Aws::CredentialProviderChain.new.resolve
+        else
+          logger.warn { 'Credential type not recognised, please set an option: profile, env or credentials' }
+        end
       end
 
       def connect
-        credentials = if Kaping.yaml.dig(:aws, :credential_type) == 'profile'
-                        assume_role_profile(@aws_account_id, @role)
-                      else
-                        assume_role_env(@aws_account_id, @role)
-                      end
+        credentials = select_credentials
 
         signer = Aws::Sigv4::Signer.new(service: 'es',
                                         region: @region,
                                         credentials_provider: credentials)
 
         OpenSearch::Aws::Sigv4Client.new({
-                                      host: @base_url,
-                                      log: false,
-                                    }, signer)
+                                           host: @base_url,
+                                           log: false,
+                                         }, signer)
       end
 
     private
@@ -38,7 +47,9 @@ module DVLA
       def assume_role_profile(aws_account_id, role)
         role_arn = "arn:aws:iam::#{aws_account_id}:role/#{role}"
         sts = Aws::STS::Client.new(region: @region, profile: Kaping.yaml.dig(:aws, :profile))
-        sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        resp = sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        Aws::Credentials.new(resp.credentials.access_key_id, resp.credentials.secret_access_key,
+                             resp.credentials.session_token)
       rescue Aws::STS::Errors::ServiceError => e
         raise "#{__method__}: AWS Profile Credentials Issue: #{e.message}  #{e.class.name}"
       end
@@ -47,7 +58,9 @@ module DVLA
       def assume_role_env(aws_account_id, role)
         role_arn = "arn:aws:iam::#{aws_account_id}:role/#{role}"
         sts = Aws::STS::Client.new(region: @region)
-        sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        resp = sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        Aws::Credentials.new(resp.credentials.access_key_id, resp.credentials.secret_access_key,
+                             resp.credentials.session_token)
       rescue Aws::STS::Errors::ServiceError => e
         raise "#{__method__}: AWS ENV Credentials Issue: #{e.message}  #{e.class.name}"
       end

data/lib/dvla/kaping/version.rb

@@ -2,6 +2,6 @@
 
 module DVLA
   module Kaping
-    VERSION = '1.0.0'
+    VERSION = '1.0.5'
   end
 end

metadata

@@ -1,35 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: dvla-kaping
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.5
 platform: ruby
 authors:
 - Driver and Vehicle Licensing Agency (DVLA)
 - Kevin Upstill
 bindir: exe
 cert_chain: []
-date: 2025-04-11 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: nokogiri
+  name: aws-sdk-sts
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
-    - - ">="
+        version: '1.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.7
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: aws-sigv4
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
-    - - ">="
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.19'
+- !ruby/object:Gem::Dependency
+  name: opensearch-aws-sigv4
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.7
+        version: '1.3'
 description: Wrapper for the AWS elastic search API to create an idiomatic way to
   build complex search queries
 email:
@@ -38,10 +74,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".drone.yml"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-version"
+- ".tool-versions"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - LICENCE
@@ -70,14 +106,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3'
+      version: '4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.6
 specification_version: 4
 summary: Idiomatic way to create DSL openSearch definitions
 test_files: []

data/.drone.yml

@@ -1,122 +0,0 @@
----
-kind: pipeline
-name: audit, lint & test
-
-platform:
-  os: linux
-  arch: amd64
-
-trigger:
-  event:
-    - push
-
-drone_cache_image: &drone_cache_image
-  image: 448934085854.dkr.ecr.eu-west-2.amazonaws.com/ce/drone-cache
-  pull: if-not-exists
-
-drone_cache_settings: &drone_cache_settings
-  bucket: dvla-drone1-cache-448934085854
-  region: eu-west-2
-  encryption: AES256
-  endpoint: https://s3.eu-west-2.amazonaws.com
-
-gem_cache_mount: &gem_cache_mount
-  mount:
-    - vendor/bundle
-
-ruby_image: &ruby_image
-  image: 448934085854.dkr.ecr.eu-west-2.amazonaws.com/base-images/qe-ruby:3
-
-sonar_image: &sonar_image
-  image: 448934085854.dkr.ecr.eu-west-2.amazonaws.com/utilities-ci-tools/ci-drone-sonar-scanner
-  pull: if-not-exists
-
-steps:
-  - name: Restore gems from cache
-    <<: *drone_cache_image
-    settings:
-      <<: *drone_cache_settings
-      <<: *gem_cache_mount
-      restore: true
-      cache_key: '{{ checksum "./README.md" }}' # Override the README to force a rebuild
-
-  - name: Unit tests
-    <<: *ruby_image
-    depends_on:
-      - Restore gems from cache
-    commands:
-      - bundle install
-      - bundle exec rspec
-    environment:
-      BUNDLE_PATH: vendor/bundle
-
-  - name: Gem audit
-    <<: *ruby_image
-    depends_on:
-      - Restore gems from cache
-    commands:
-      - bundle install
-      - bundle exec bundle-audit
-    environment:
-      BUNDLE_PATH: vendor/bundle
-
-  - name: Lint
-    <<: *ruby_image
-    depends_on:
-      - Restore gems from cache
-    commands:
-      - bundle install
-      - bundle exec rubocop
-    environment:
-      BUNDLE_PATH: vendor/bundle
-
-  - name: SonarQube
-    <<: *sonar_image
-    depends_on:
-      - Unit tests
-
-  - name: Build and deploy (dry-run)
-    image: 448934085854.dkr.ecr.eu-west-2.amazonaws.com/utilities-ci-tools/ci-qe-deploy-gem:latest
-    commands:
-      - git fetch origin main
-      - app
-    environment:
-      DRYRUN: true
-      VERBOSE: false
-
-  - name: Rebuild gem cache
-    <<: *drone_cache_image
-    depends_on:
-      - Gem audit
-    settings:
-      <<: *drone_cache_settings
-      <<: *gem_cache_mount
-      rebuild: true
-      cache_key: '{{ checksum "./README.md" }}'
-
----
-kind: pipeline
-name: deploy
-depends_on:
-  - audit, lint & test
-
-platform:
-  os: linux
-  arch: amd64
-
-trigger:
-  event:
-    - push
-  branch:
-    - main
-
-steps:
-  - name: Build and deploy
-    image: 448934085854.dkr.ecr.eu-west-2.amazonaws.com/utilities-ci-tools/ci-qe-deploy-gem:latest
-    commands:
-      - git fetch origin main
-      - app
-    environment:
-      DRYRUN: false
-      VERBOSE: false
-