himeko 0.1.0

data/app/views/iam_limit_exceeded_error.erb

@@ -0,0 +1,7 @@
+<h2>400: IAM limit exceeded</h2>
+
+<p>Sadly, we have reached some IAM limit during operation...<p>
+
+<p><code><%= @iam_error&.inspect %></code></p>
+
+<%== conf.dig(:custom_html, :iam_limit_exceeded_error) %>

data/app/views/index.erb

@@ -0,0 +1,52 @@
+
+<div class='access-console-form'>
+  <form action='/console' method='POST'>
+    <div class='access-console-form-auto access-console-form-auto-enabled'>
+      <p>Taking you to console in <span class='access-console-form-auto-sec'>4</span> seconds... <a class='access-console-form-auto-cancel' href='#'>Stop</a></p>
+    </div>
+    <p><button type='submit' class='btn-primary'>Access to Console</button></p>
+    <p><input type='checkbox' name='recreate' value='1' id='recreate'><label for='recreate'>Reinitiailze</label></p>
+    <p><small>Choose "Reinitiailze" when you have a change in your IAM permissions</small></p>
+  </form>
+  <div class='access-console-form-loading'>
+    <p>Logging into console... (This could take up to 10-20 seconds)</p>
+  </div>
+</div>
+
+<%== conf.dig(:custom_html, :index) %>
+
+<script>
+  "use strict";
+  document.addEventListener("DOMContentLoaded", () => {
+    document.body.addEventListener('click', () => {
+      document.body.querySelectorAll('.access-console-form-auto-enabled').forEach((elem) => {
+        elem.classList.remove('access-console-form-auto-enabled');
+      });
+    });
+    document.querySelectorAll('.access-console-form').forEach((elem) => {
+      elem.querySelector('form').addEventListener('submit', (e) => {
+        elem.classList.add('access-console-form-submitted');
+      });
+      elem.querySelector('.access-console-form-auto-cancel').addEventListener('click', (e) => {
+        elem.querySelector('.access-console-form-auto').classList.remove('access-console-form-auto-enabled');
+        e.preventDefault();
+      });
+
+      const countDown = function() {
+        const secElem = elem.querySelector('.access-console-form-auto-sec');
+        var sec = parseInt(secElem.innerHTML, 10);
+        sec -= 1;
+        secElem.innerHTML = `${sec}`;
+        if (sec < 1) {
+          if (elem.querySelector('.access-console-form-auto-enabled')) {
+            elem.querySelector('form').submit();
+            elem.classList.add('access-console-form-submitted');
+          }
+        } else {
+          setTimeout(countDown, 1000);
+        }
+      };
+      setTimeout(countDown, 1000);
+    });
+  });
+</script>

data/app/views/keys.erb

@@ -0,0 +1,44 @@
+<h2>Keys</h2>
+
+<p>List of IAM access key for <code><%= current_username %></code>:</p>
+
+<section class='iam-keys'>
+  <%- @keys.each do |key, last_used| -%>
+    <div class='iam-key'>
+      <div class='iam-key-info'>
+        <h3><%= key.access_key_id %></h3>
+        Status: <%= key.status %><br>
+        Since: <%= key.create_date %><br>
+        Last Used: <%= last_used.service_name %> @ <%= last_used.region %> / <%= last_used.last_used_date %>
+      </div>
+
+      <div class='iam-key-actions'>
+        <form action='/keys/<%= key.access_key_id %>' method='POST' onsubmit="return confirm('Are you sure? This cannot be undone.')">
+          <input type='hidden' name='_method' value='DELETE'>
+          <button type='submit' class='btn-danger'>Delete</button>
+        </form>
+
+        <%- if key.status == 'Active' -%>
+          <form action='/keys/<%= key.access_key_id %>/active' method='POST' onsubmit="return confirm('Are you sure?')">
+            <input type='hidden' name='_method' value='DELETE'>
+            <button type='submit' class='btn'>Disable</button>
+          </form>
+        <%- else -%>
+          <form action='/keys/<%= key.access_key_id %>/active' method='POST'>
+            <button type='submit' class='btn'>Activate</button>
+          </form>
+        <%- end -%>
+      </div>
+    </div>
+  <%- end -%>
+</section>
+
+<%- if @keys.size < 2 -%>
+  <form action='/keys' method='POST'>
+    <button type='submit' class='btn-primary'>Create</button>
+  </form>
+<%- else -%>
+  <p>IAM user cannot have more than 2 access keys at once. Delete an existing key to create new one; <a href='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entities'>AWS docs</a><p>
+<%- end -%>
+
+

data/app/views/layout.erb

@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset='utf-8'>
+    <meta name='viewport' content='width=device-width, minimum-scale=1'>
+    <title>AWS self-service portal | Himeko</title>
+    <link rel='stylesheet' href='/style.css' type="text/css">
+  </head>
+
+  <body>
+    <div class="container">
+      <header class='header'>
+        <h1 class='logo'>
+          <a href='/'>AWS self-service</a>
+        </h1>
+
+        <nav>
+          <a href='/'>Console</a>
+          <a href='/keys'>Access Keys</a>
+        </nav>
+      </header>
+
+      <% notice ||= session.delete(:notice); error ||= session.delete(:error) %>
+      <% if notice %>
+        <div class="notice"><%= notice %></div>
+      <% end %>
+
+      <% if error %>
+        <div class="error"><%= error %></div>
+      <% end %>
+
+      <div class="box">
+        <%== yield %>
+      </div>
+
+      <footer>
+        <p>Logged in as <%== current_username %></p>
+        <div class="credit">
+          Powered by <a href="https://github.com/sorah/himeko">sorah/himeko</a>
+        </div>
+      </footer>
+    </div>
+  </body>
+</html>
+

data/app/views/new_key.erb

@@ -0,0 +1,35 @@
+<h2>New IAM Access Key Created</h2>
+
+<p>New IAM access key has been created for <code><%= @key.user_name %></code>. Note that you won't be able to see the secret key again!</p>
+
+<%== conf.dig(:custom_html, :new_key_guidance) %>
+
+<section class='iam-secret-key'>
+  <div>
+    <h4>AWS_ACCESS_KEY_ID</code></h4>
+    <pre class='iam-copyable'><code><%= @key.access_key_id %></code></pre>
+  </div>
+  <div>
+    <h4>AWS_SECRET_ACCESS_KEY</code></h4>
+    <pre class='iam-copyable'><code><%= @key.secret_access_key %></code></pre>
+  </div>
+</section>
+
+<script>
+  "use strict";
+  document.addEventListener('DOMContentLoaded', () => {
+    document.querySelectorAll('.iam-copyable > code').forEach((e) => {
+      e.addEventListener('mouseenter', (e) => {
+        const range = document.createRange();
+        range.selectNodeContents(e.target);
+        const selection = window.getSelection();
+        selection.removeAllRanges();
+        selection.addRange(range);
+      });
+      e.addEventListener('mouseleave', (e) => {
+        const selection = window.getSelection();
+        selection.removeAllRanges();
+      });
+    });
+  });
+</script>

data/app/views/no_user_error.erb

@@ -0,0 +1,5 @@
+<h2>403: No IAM user found</h2>
+
+<p>We couldn't find IAM user <code><%== current_username %></code> to proceed.</p>
+
+<%== conf.dig(:custom_html, :no_user_error) %>

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "himeko"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config.ru

@@ -0,0 +1,96 @@
+require 'bundler/setup'
+require 'securerandom'
+
+require 'omniauth'
+
+require 'himeko'
+
+if ENV['RACK_ENV'] == 'production'
+  raise 'Set $SECRET_KEY_BASE' unless ENV['SECRET_KEY_BASE']
+end
+
+dev = ENV.fetch('RACK_ENV', 'development') == 'development'
+
+use(
+  Rack::Session::Cookie,
+  key: 'himekosess',
+  expire_after: 3600,
+  secure: ENV.fetch('HIMEKO_SECURE_SESSION', ENV['RACK_ENV'] == 'production' ? '1' : nil) == '1',
+  secret: ENV.fetch('SECRET_KEY_BASE', SecureRandom.base64(256)),
+)
+
+provider = nil
+case
+when ENV['HIMEKO_GITHUB_KEY'] && ENV['HIMEKO_GITHUB_SECRET']
+  require 'omniauth-github'
+  gh_client_options = {}
+  if ENV['HIMEKO_GITHUB_HOST']
+    gh_client_options[:site] = "#{ENV['HIMEKO_GITHUB_HOST']}/api/v3"
+    gh_client_options[:authorize_url] = "#{ENV['HIMEKO_GITHUB_HOST']}/login/oauth/authorize"
+    gh_client_options[:token_url] = "#{ENV['HIMEKO_GITHUB_HOST']}/login/oauth/access_token"
+  end
+
+  gh_scope = ''
+  if ENV['HIMEKO_GITHUB_TEAMS']
+    gh_scope = 'read:org'
+  end
+
+  use OmniAuth::Builder do
+    provider(:github, ENV['HIMEKO_GITHUB_KEY'], ENV['HIMEKO_GITHUB_SECRET'], client_options: gh_client_options, scope: gh_scope)
+  end
+  provider = :github
+when ENV['HIMEKO_GOOGLE_KEY'] && ENV['HIMEKO_GOOGLE_SECRET']
+  require 'omniauth-google-oauth2'
+  use OmniAuth::Builder do
+    provider(:google_oauth2, ENV['HIMEKO_GOOGLE_KEY'], ENV['HIMEKO_GOOGLE_SECRET'], hd: ENV['HIMEKO_GOOGLE_HD'])
+  end
+  provider = :google_oauth2
+when dev
+  use OmniAuth::Builder do
+    provider(:developer, fields: %i(uid), uid_field: :uid)
+  end
+  provider = :developer
+end
+
+use(Class.new do
+  def initialize(app, provider)
+    @app = app
+    @provider = provider
+  end
+
+  def call(env)
+    return process_callback(env) if env['omniauth.auth']
+    session = env.fetch('rack.session')
+
+    user = env['himeko.user'] = session[:user]
+    unless user
+      session[:back_to] ||= env['PATH_INFO']
+      return [302, {'Location' => "/auth/#{@provider}"}, []]
+    end
+
+    @app.call env
+  end
+
+  def process_callback(env)
+    session = env.fetch('rack.session')
+    auth = env.fetch('omniauth.auth')
+    case auth.fetch(:provider)
+    when 'github'
+      session[:user] = auth.fetch(:info).fetch(:nickname)
+    when 'google_oauth2'
+      session[:user] = auth.fetch(:info).fetch(:email).split(?@,2)[0]
+    when 'developer'
+      session[:user] = auth.fetch(:uid)
+    end
+    return [302, {'Location' => session.delete(:back_to) || '/'}, []]
+  end
+end, provider)
+
+config = {
+  role_path: ENV.fetch('HIMEKO_ROLE_PATH', '/user-role/'),
+  role_prefix: ENV.fetch('HIMEKO_ROLE_PREFIX', 'user_'),
+  dynamodb_table_name: ENV.fetch('HIMEKO_DYNAMODB_TABLE'),
+  session_duration: ENV.fetch('HIMEKO_SESSION_DURATION', 3600).to_i,
+}
+
+run Himeko.app(config)

data/exe/himeko-clean-roles

@@ -0,0 +1,18 @@
+#!/usr/bin/env ruby
+require 'himeko'
+require 'logger'
+require 'aws-sdk-dynamodb'
+require 'aws-sdk-iam'
+
+config = {
+  role_path: ENV.fetch('HIMEKO_ROLE_PATH', '/user-role/'),
+  role_prefix: ENV.fetch('HIMEKO_ROLE_PREFIX', 'user_'),
+  dynamodb_table_name: ENV.fetch('HIMEKO_DYNAMODB_TABLE', 'himeko-staging'),
+}
+
+Himeko::RoleManager.new(
+  iam: Aws::IAM::Client.new(logger: Logger.new($stdout)),
+  path: config[:role_path],
+  prefix: config[:role_prefix],
+  dynamodb_table: Aws::DynamoDB::Resource.new(logger: Logger.new($stdout)).table(config[:dynamodb_table_name]),
+).prune

data/himeko.gemspec

@@ -0,0 +1,34 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "himeko/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "himeko"
+  spec.version       = Himeko::VERSION
+  spec.authors       = ["Sorah Fukumori"]
+  spec.email         = ["sorah@cookpad.com"]
+
+  spec.summary       = %q{AWS IAM access key self service & management console federated login}
+  spec.homepage      = "https://github.com/sorah/himeko"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "aws-sdk-core" # aws-sdk-sts
+  spec.add_dependency "aws-sdk-iam"
+  spec.add_dependency "aws-sdk-dynamodb"
+
+  spec.add_dependency "sinatra"
+  spec.add_dependency "rack-protection"
+  spec.add_dependency "erubi"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/lib/himeko.rb

@@ -0,0 +1,2 @@
+require "himeko/version"
+require "himeko/app"

data/lib/himeko/app.rb

@@ -0,0 +1,177 @@
+require 'open-uri'
+require 'uri'
+require 'json'
+require 'erubi'
+require 'sinatra/base'
+require 'rack/protection'
+
+require 'aws-sdk-core' # sts
+require 'aws-sdk-iam'
+require 'aws-sdk-dynamodb'
+
+require 'himeko/role_manager'
+
+module Himeko
+  def self.app(*args)
+    App.rack(*args)
+  end
+
+  class App < Sinatra::Base
+    CONTEXT_RACK_ENV_NAME = 'himeko.ctx'
+    USER_RACK_ENV_NAME = 'himeko.user'
+
+    def self.initialize_context(config)
+      {
+        config: config,
+      }
+    end
+
+    def self.rack(config={})
+      klass = App
+
+      context = initialize_context(config)
+      lambda { |env|
+        env[CONTEXT_RACK_ENV_NAME] = context
+        klass.call(env)
+      }
+    end
+
+    configure do
+      enable :logging
+    end
+
+    set :root, File.expand_path(File.join(__dir__, '..', '..', 'app'))
+    set :erb, escape_html: true
+
+    use Rack::MethodOverride
+    use Rack::Protection
+
+    helpers do
+      def context
+        request.env[CONTEXT_RACK_ENV_NAME]
+      end
+
+      def conf
+        context[:config]
+      end
+
+      def current_username
+        name = request.env[USER_RACK_ENV_NAME]
+        halt 401, "request.env[#{USER_RACK_ENV_NAME}] is missing (maybe a configuration bug!)" unless name
+        name
+      end
+
+      def sts
+        @sts ||= context[:sts] ||= conf[:sts] || Aws::STS::Client.new(logger: env['rack.logger'])
+      end
+
+      def iam
+        @iam ||= context[:iam] ||= conf[:iam] || Aws::IAM::Client.new(logger: env['rack.logger'])
+      end
+
+      def dynamodb_table
+        @dynamodb_table ||= context[:dynamodb_table] ||= conf[:dynamodb_table] ||= Aws::DynamoDB::Resource.new().table(conf.fetch(:dynamodb_table_name))
+      end
+
+      def role_manager
+        @role_manager ||= context[:role_manager] ||= RoleManager.new(
+          iam: iam,
+          prefix: conf.fetch(:role_prefix),
+          path: conf.fetch(:role_path),
+          ttl: conf.fetch(:role_ttl, 86400),
+          dynamodb_table: dynamodb_table,
+        )
+      end
+
+      def console_session_duration
+        conf.fetch(:session_duration, 3600)
+      end
+
+      def render_no_user_error
+        status 403
+        erb :no_user_error
+      end
+    end
+
+    get '/' do
+      erb :index
+    end
+
+    post '/console' do
+      recreate = params[:recreate] == '1'
+      begin
+        arn = role_manager.fetch(current_username, recreate: recreate)
+      rescue Aws::IAM::Errors::LimitExceeded => e
+        @iam_error = e
+        status 400
+        return erb :iam_limit_exceeded_error
+      end
+
+      retries = 0
+      resp = nil
+      begin
+        resp = sts.assume_role(
+          duration_seconds: console_session_duration,
+          role_arn: arn,
+          role_session_name: current_username,
+        )
+      rescue Aws::STS::Errors::AccessDenied
+        raise if retries > 5
+        sleep 1 + (1.1**retries)
+        retries += 1
+        retry
+      end
+      json = {sessionId: resp.credentials.access_key_id, sessionKey: resp.credentials.secret_access_key, sessionToken: resp.credentials.session_token}.to_json
+      signin_token = JSON.parse(open("https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=#{URI.encode_www_form_component(json)}", 'r', &:read))
+
+      url = "https://signin.aws.amazon.com/federation?Action=login&Issuer=#{URI.encode_www_form_component(request.base_url)}&Destination=#{URI.encode_www_form_component(params[:relay] || 'https://console.aws.amazon.com/console/home')}&SigninToken=#{signin_token.fetch("SigninToken")}"
+
+      redirect url
+    end
+
+    get '/keys' do
+      @keys = iam.list_access_keys(user_name: current_username)
+        .access_key_metadata.map do |key_data|
+          [
+            key_data,
+            iam.get_access_key_last_used(access_key_id: key_data.access_key_id).access_key_last_used,
+          ]
+        end
+      erb :keys
+    rescue Aws::IAM::Errors::NoSuchEntity
+      return render_no_user_error()
+    end
+
+    post '/keys' do
+      #\@key = Struct.new(:user_name, :access_key_id, :secret_access_key).new('foobar', 'DUMMY123', 'secret+secret')
+      @key = iam.create_access_key(user_name: current_username).access_key
+      erb :new_key
+    rescue Aws::IAM::Errors::NoSuchEntity
+      return render_no_user_error()
+    end
+
+    delete '/keys/:id' do
+      iam.delete_access_key(access_key_id: params[:id], user_name: current_username)
+      session[:notice] = "Access key #{params[:id]} has been deleted."
+      redirect '/keys'
+    rescue Aws::IAM::Errors::NoSuchEntity
+      halt 404, 'NoSuchEntity'
+    end
+
+    post '/keys/:id/active' do
+      iam.update_access_key(access_key_id: params[:id], user_name: current_username, status: 'Active')
+      session[:notice] = "Access key #{params[:id]} has been activated."
+      redirect '/keys'
+    rescue Aws::IAM::Errors::NoSuchEntity
+      halt 404, 'NoSuchEntity'
+    end
+
+    delete '/keys/:id/active' do
+      iam.update_access_key(access_key_id: params[:id], user_name: current_username, status: 'Inactive')
+      session[:notice] = "Access key #{params[:id]} has been deactivated."
+      redirect '/keys'
+    rescue Aws::IAM::Errors::NoSuchEntity
+      halt 404, 'NoSuchEntity'
+    end
+  end
+end