himeko 0.1.0

data/lib/himeko/role_manager.rb

@@ -0,0 +1,106 @@
+require 'aws-sdk-dynamodb'
+require 'himeko/user_mimicking_role'
+
+module Himeko
+  class RoleManager
+    def initialize(iam:, prefix:, path:, ttl: 86400, dynamodb_table:)
+      @iam = iam
+      @prefix = prefix
+      @path = path
+      @table = dynamodb_table
+      @ttl = ttl
+    end
+
+    attr_reader :iam, :prefix, :path, :table, :ttl
+
+    def fetch(username, recreate: false)
+      item = table.query(
+        limit: 1,
+        select: 'ALL_ATTRIBUTES',
+        key_condition_expression: 'username = :username',
+        expression_attribute_values: {":username" => username},
+      ).items.first
+
+      if recreate || item.nil?
+        begin
+          return create(username)
+        rescue Aws::IAM::Errors::EntityAlreadyExists
+          remove(username, delete_record: false)
+          retry
+        end
+      end
+
+      table.update_item(
+        key: {
+          'username' => username,
+        },
+        update_expression: 'SET expires_at = :expires_at',
+        expression_attribute_values: {
+          ':expires_at' => (Time.now + ttl).to_i,
+        },
+      )
+
+      item.fetch('role_arn')
+    end
+
+    def remove(username, role_name: nil, delete_record: true)
+      role_name ||= role_name_for_username(username)
+
+      iam.list_attached_role_policies(role_name: role_name).each.flat_map(&:attached_policies).map(&:policy_arn).each do |policy_arn|
+        iam.detach_role_policy(role_name: role_name, policy_arn: policy_arn)
+      end
+      iam.list_role_policies(role_name: role_name).policy_names.each do |policy_name|
+        iam.delete_role_policy(role_name: role_name, policy_name: policy_name)
+      end
+      iam.delete_role(role_name: role_name)
+
+      if delete_record
+        table.delete_item(
+          key: {
+            'username' => username,
+          },
+        )
+      end
+    rescue Aws::IAM::Errors::NoSuchEntity
+      # do nothing
+    end
+
+    def create(username)
+      role_arn = UserMimickingRole.new(iam, username, role_name_for_username(username), path).create
+
+      table.update_item(
+        key: {
+          'username' => username,
+        },
+        update_expression: 'SET expires_at = :expires_at, role_arn = :role_arn',
+        expression_attribute_values: {
+          ':expires_at' => (Time.now + ttl).to_i,
+          ':role_arn' => role_arn,
+        },
+      )
+      
+      role_arn
+    end
+
+    def prune
+      table.client.scan(
+        table_name: table.table_name,
+        select: 'ALL_ATTRIBUTES',
+        filter_expression: 'expires_at < :now',
+        expression_attribute_values: {
+          ':now' => Time.now.to_i,
+        },
+      ).each do |page|
+        page.items.each do |item|
+          puts "==> #{item['username']} (#{item['role_arn']})"
+          remove(item['username'], role_name: item['role_arn'].split(?/)[-1])
+          table.delete_item(key: {'username' => item['username']})
+        end
+      end
+    end
+
+    def role_name_for_username(username)
+      "#{prefix}#{username}"
+    end
+  end
+end

data/lib/himeko/user_mimicking_role.rb

@@ -0,0 +1,148 @@
+require 'uri'
+require 'json'
+require 'aws-sdk-iam'
+
+module Himeko
+  class UserMimickingRole
+    def initialize(iam, username, role_name, path = nil, driver: nil)
+      @driver = driver || Driver.new(iam)
+      @username = username
+      @role_name = role_name
+      @path = path
+    end
+
+    attr_reader :driver, :username, :role_name, :path
+
+    # @return [String] role arn
+    def create
+      arn = driver.create_role(
+        path: path,
+        role_name: role_name,
+        assume_role_policy_document: assume_role_policy_document,
+      )
+
+      managed_policies.each do |policy_arn|
+        driver.attach_role_policy(role_name, policy_arn)
+      end
+
+      policies.each do |policy_name, policy|
+        driver.put_role_policy(role_name, policy_name, policy)
+      end
+
+      return arn
+    end
+
+    def user
+      @user ||= driver.get_user(username)
+    end
+
+    def account_id
+      user.arn.split(?:)[4]
+    end
+
+    def assume_role_policy_document
+      {
+        "Version"=>"2012-10-17",
+        "Statement"=>[
+          {
+            "Effect"=>"Allow",
+            "Principal"=>{
+              "AWS"=>[
+                "arn:aws:iam::#{account_id}:root",
+              ]
+            },
+            "Action"=>"sts:AssumeRole",
+            "Condition"=>{},
+          },
+        ],
+      }
+    end
+
+    def groups
+      @groups ||= driver.list_groups_for_user(username)
+    end
+
+    def managed_policies
+      @managed_policies ||= [
+        *driver.list_attached_user_policies(username),
+        *groups.flat_map do |group_name|
+          driver.list_attached_group_policies(group_name)
+        end,
+      ].sort.uniq
+    end
+
+    def policies
+      @policies ||= [
+        *driver.list_user_policies(username).map do |policy_name|
+          [policy_name, driver.get_user_policy(username, policy_name)]
+        end,
+        *groups.flat_map do |group_name|
+          driver.list_group_policies(group_name).map do |policy_name|
+            ["#{group_name}_#{policy_name}"[0..127], driver.get_group_policy(group_name, policy_name)]
+          end
+        end,
+      ].to_h
+    end
+
+    class Driver
+      def initialize(iam)
+        @iam = iam
+      end
+
+      attr_reader :iam
+
+      def get_user(username)
+        iam.get_user(user_name: username).user
+      end
+
+      def list_attached_user_policies(username)
+        iam.list_attached_user_policies(user_name: username).each.flat_map(&:attached_policies).map(&:policy_arn)
+      end
+
+      def list_user_policies(username)
+        iam.list_user_policies(user_name: username).policy_names
+      end
+
+      def get_user_policy(username, policy_name)
+        URI.decode_www_form_component(iam.get_user_policy(user_name: username, policy_name: policy_name).policy_document)
+      end
+
+      def list_groups_for_user(username)
+        iam.list_groups_for_user(user_name: username).groups.map(&:group_name)
+      end
+
+      def list_group_policies(group_name)
+        iam.list_group_policies(group_name: group_name).policy_names
+      end
+
+      def get_group_policy(group_name, policy_name)
+        URI.decode_www_form_component(iam.get_group_policy(group_name: group_name, policy_name: policy_name).policy_document)
+      end
+
+      def list_attached_group_policies(group_name)
+        iam.list_attached_group_policies(group_name: group_name).each.flat_map(&:attached_policies).map(&:policy_arn)
+      end
+
+      def create_role(path:, role_name:, assume_role_policy_document:, max_session_duration: 43200)
+        iam.create_role(
+          path: path,
+          role_name: role_name,
+          assume_role_policy_document: assume_role_policy_document.to_json,
+          max_session_duration: max_session_duration
+        ).role.arn
+      end
+
+      def attach_role_policy(role_name, policy_arn)
+        iam.attach_role_policy(role_name: role_name, policy_arn: policy_arn)
+      end
+
+      def put_role_policy(role_name, policy_name, policy)
+        iam.put_role_policy(
+          role_name: role_name,
+          policy_name: policy_name,
+          policy_document: policy,
+        )
+      end
+    end
+  end
+end

data/lib/himeko/version.rb

@@ -0,0 +1,3 @@
+module Himeko
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,196 @@
+--- !ruby/object:Gem::Specification
+name: himeko
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sorah Fukumori
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-09-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-dynamodb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: erubi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- sorah@cookpad.com
+executables:
+- himeko-clean-roles
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- app/public/style.css
+- app/views/iam_limit_exceeded_error.erb
+- app/views/index.erb
+- app/views/keys.erb
+- app/views/layout.erb
+- app/views/new_key.erb
+- app/views/no_user_error.erb
+- bin/console
+- bin/setup
+- config.ru
+- exe/himeko-clean-roles
+- himeko.gemspec
+- lib/himeko.rb
+- lib/himeko/app.rb
+- lib/himeko/role_manager.rb
+- lib/himeko/user_mimicking_role.rb
+- lib/himeko/version.rb
+homepage: https://github.com/sorah/himeko
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.7
+signing_key: 
+specification_version: 4
+summary: AWS IAM access key self service & management console federated login
+test_files: []