RubyGems - keyrod - Versions diffs - 1.0.0 - Mend

keyrod 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +7 -0
data/bin/keyrod +4 -0
data/config/config.yml +15 -0
data/lib/keyrod/cli.rb +150 -0
data/lib/keyrod/errors.rb +8 -0
data/lib/keyrod/fedcloud_client.rb +111 -0
data/lib/keyrod/oidc_client.rb +37 -0
data/lib/keyrod/settings.rb +16 -0
data/lib/keyrod/version.rb +3 -0
data/lib/keyrod.rb +9 -0
metadata +193 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 02571240ed3e856bc865d507a84a82c66c976ccc
+  data.tar.gz: c40032cbbb8ff3240daf558553af5a6e3f23dec2
+SHA512:
+  metadata.gz: c910ad52f352c61592dd02b7d8c894d5d601ccfc7963a5a4a2e0c8a933a752fa25daef9dba4c0483f4c3d483a8001492547b9fcb8174e525deec6081c1c2f3dd
+  data.tar.gz: 5299b20133bda56bc0e0c5f42c4d985865c0b41389af48136efcee05a7a5ee61b84f324844ba8ecc152d4f24fa455fdd71d107e77cd674b642ee5698938f567c

data/bin/keyrod ADDED Viewed

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require 'keyrod'
+Keyrod::CLI.start(ARGV)

data/config/config.yml ADDED Viewed

@@ -0,0 +1,15 @@
+keyrod:
+  debug: false # Debug mode
+  ca-dir: # CA directory
+  verify-ssl: false # Verify SSL certificate
+  fedcloud:
+    site: https://took51.ics.muni.cz:5000 # EGI FedCloud Site to authenticate against
+    access_token: # Access token
+    group: # ID of the group to join
+    interactive-fallback: false # Fallback to interactive mode if group is not set
+    identity-provider: egi.eu # Identity provider for token
+  oidc:
+    site: https://aai-dev.egi.eu/oidc/token # OIDC site to authenticate refresh token against
+    refresh_token: eyJhbGciOiJub25lIn0.eyJqdGkiOiI0ZDQ5MzUxMC00MDJhLTQ3NDQtYjE4Yi1lYmM5ODUxZmVlMTcifQ. # Refresh token
+    client_id: keyrodcli # OIDC client ID
+    client_secret: PpbuS_i3HcNV88ex48UKYPWCI1OwresZAxMjh1Pdf1NRHS6QTYb-PuUtzkd3XthD0dghxKSfzmapLBNHFxdFWg # OIDC client secret

data/lib/keyrod/cli.rb ADDED Viewed

@@ -0,0 +1,150 @@
+require 'thor'
+require 'yell'
+module Keyrod
+  class CLI < Thor
+    desc 'token', 'Get login token for FedCloud site'
+    option :debug,
+           required: false,
+           default: Keyrod::Settings['debug'],
+           type: :boolean,
+           desc: 'Runs Keyrod in debug mode'
+    option :'ca-dir',
+           required: false,
+           default: Keyrod::Settings['ca-dir'],
+           type: :string,
+           desc: 'CA directory'
+    option :'verify-ssl',
+           required: false,
+           default: Keyrod::Settings['verify-ssl'],
+           type: :boolean,
+           desc: 'Check SSL certificate of FedCloud site'
+    option :site,
+           required: true,
+           default: Keyrod::Settings['fedcloud']['site'],
+           type: :string,
+           desc: 'EGI FedCloud Site',
+           aliases: '-s'
+    option :'access-token',
+           required: false,
+           default: Keyrod::Settings['fedcloud']['access_token'],
+           type: :string,
+           desc: 'Access token for authentication',
+           aliases: '-a'
+    option :group,
+           required: false,
+           default: Keyrod::Settings['fedcloud']['group'],
+           type: :string,
+           desc: 'Group to join',
+           aliases: '-g'
+    option :'interactive-fallback',
+           required: false,
+           default: Keyrod::Settings['fedcloud']['interactive-fallback'],
+           type: :boolean,
+           desc: 'Fallback to interactive mode if group is not set',
+           aliases: '-f'
+    option :'identity-provider',
+           required: true,
+           default: Keyrod::Settings['fedcloud']['identity-provider'],
+           type: :string,
+           desc: 'Identity provider for token',
+           aliases: '-p'
+    option :'refresh-token',
+           required: false,
+           default: Keyrod::Settings['oidc']['refresh_token'],
+           type: :string,
+           desc: 'Refresh token for creating access token',
+           aliases: '-r'
+    option :'oidc-site',
+           required: false,
+           default: Keyrod::Settings['oidc']['site'],
+           type: :string,
+           desc: 'OIDC site for authenticating refresh token',
+           aliases: '-o'
+    option :'client-id',
+           required: false,
+           default: Keyrod::Settings['oidc']['client_id'],
+           type: :string,
+           desc: 'OIDC client ID',
+           aliases: '-i'
+    option :'client-secret',
+           required: false,
+           default: Keyrod::Settings['oidc']['client_secret'],
+           type: :string,
+           desc: 'OIDC client secret',
+           aliases: '-t'
+    def token
+      merge_config options
+      validate_config options
+      init_logger
+      process_tokens
+    rescue Keyrod::Errors::ParamsError => e
+      abort e.message
+    end
+    desc 'version', 'Prints Keyrod version'
+    def version
+      $stdout.puts Keyrod::VERSION
+    end
+    default_task :token
+    private
+    def init_logger
+      logging_level = Keyrod::Settings[:debug] ? [:debug] : [:info]
+      Yell.new :stdout, name: Object, level: logging_level
+      Object.send :include, Yell::Loggable
+    end
+    def merge_config(options)
+      Keyrod::Settings.clear
+      Keyrod::Settings.merge! options.to_hash
+      ssl_params = { verify: Keyrod::Settings[:'verify-ssl'] }
+      ssl_params[:ca_path] = Keyrod::Settings[:'ca-dir'] if Keyrod::Settings[:'ca-dir']
+      Keyrod::Settings[:ssl] = ssl_params
+    end
+    def validate_config(options)
+      raise Keyrod::Errors::ParamsError, 'Refresh/access token required' unless options[:'access-token'] || options[:'refresh-token']
+      raise Keyrod::Errors::ParamsError, 'Use one of refresh/access token' if options[:'access-token'] && options[:'refresh-token']
+      return unless options[:'refresh-token']
+      validate_config_group options,
+                            ['oidc-site', 'client-id', 'client-secret'],
+                            '--oidc-site, --client-id, --client-secret are required with refresh token'
+    end
+    def validate_config_group(options, group, message)
+      return if group.all? { |option| options[option] }
+      raise Keyrod::Errors::ParamsError, message
+    end
+    def process_tokens
+      access_token if Keyrod::Settings[:'refresh-token']
+      fedcloud_client = Keyrod::FedcloudClient.new
+      unscoped_token = fedcloud_client.unscoped_token
+      project = select_project(fedcloud_client.projects(unscoped_token))
+      $stdout.puts fedcloud_client.scoped_token(unscoped_token, project)
+    rescue Keyrod::Errors::ProjectError => e
+      abort e.message
+    end
+    def access_token
+      oidc_client = Keyrod::OIDCClient.new
+      Keyrod::Settings[:'access-token'] = oidc_client.access_token
+    end
+    def select_project(projects)
+      group = Keyrod::Settings[:group]
+      return group if projects.include? group
+      raise Keyrod::Errors::ProjectError, "Group #{group} is not available" if group && !Keyrod::Settings[:'interactive-fallback']
+      ask('Choose one of these groups:', limited_to: projects)
+    end
+  end
+end

data/lib/keyrod/errors.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module Keyrod
+  module Errors
+    class ResponseError < StandardError; end
+    class ConnectionError < StandardError; end
+    class ParamsError < StandardError; end
+    class ProjectError < StandardError; end
+  end
+end

data/lib/keyrod/fedcloud_client.rb ADDED Viewed

@@ -0,0 +1,111 @@
+require 'faraday'
+require 'json'
+require 'net/http'
+module Keyrod
+  class FedcloudClient
+    attr_reader :site, :access_token, :auth_path, :ssl
+    PROJECTS_PATH = '/v3/auth/projects'.freeze
+    SCOPED_PATH = '/v3/auth/tokens'.freeze
+    REDIRECT_HEADER = 'WWW-Authenticate'.freeze
+    def initialize
+      @site = Keyrod::Settings[:site]
+      @access_token = Keyrod::Settings[:'access-token']
+      @auth_path = "/v3/OS-FEDERATION/identity_providers/#{Keyrod::Settings[:'identity-provider']}/protocols/oidc/auth"
+      @ssl = Keyrod::Settings[:ssl]
+    end
+    def unscoped_token
+      response = handle_response(unscoped_token_params, error_message: 'Response for getting unscoped token was')
+      response.headers[:'X-Subject-Token']
+    end
+    def projects(unscoped_token)
+      response = handle_response(projects_params(unscoped_token), error_message: 'Response for getting list of projects was')
+      parse_projects(response.body)
+    end
+    def scoped_token(unscoped_token, project)
+      response = handle_response(scoped_token_params, body: scoped_token_body(unscoped_token, project),
+                                                      error_message: 'Response for getting scoped token was')
+      response.headers[:'X-Subject-Token']
+    end
+    private
+    def unscoped_token_params
+      {
+        site: site,
+        headers: { Authorization: "Bearer #{access_token}", Accept: 'application/json' },
+        path: auth_path
+      }
+    end
+    def projects_params(unscoped_token)
+      {
+        site: site,
+        headers: { 'X-Auth-Token': unscoped_token, Accept: 'application/json' },
+        path: PROJECTS_PATH
+      }
+    end
+    def scoped_token_params
+      {
+        site: site,
+        headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
+        path: SCOPED_PATH
+      }
+    end
+    def scoped_token_body(unscoped_token, project)
+      {
+        auth: {
+          identity: {
+            methods: ['token'],
+            token: {
+              id: unscoped_token
+            }
+          },
+          scope: {
+            project: {
+              id: project
+            }
+          }
+        }
+      }.to_json
+    end
+    def parse_projects(projects_body)
+      project_json = JSON.parse(projects_body, symbolize_names: true)
+      project_json[:projects].map { |project| project[:id] }
+    end
+    def parse_redirect(response)
+      response.headers[REDIRECT_HEADER].downcase.sub('keystone uri=', '').delete("'")
+    end
+    def connection(params)
+      Faraday.new(File.join(params[:site], params[:path]), ssl: ssl, headers: params[:headers])
+    end
+    def handle_response(params, body: nil, error_message: '')
+      conn = connection(params)
+      logger.debug "Sending request with headers #{conn.headers}"
+      begin
+        response = body ? conn.post { |req| req.body = body } : conn.get
+        if response.status == 401 && response.headers[REDIRECT_HEADER]
+          params[:site] = parse_redirect(response)
+          response = handle_response(params, body: body, error_message: error_message)
+        end
+      rescue Faraday::ConnectionFailed => e
+        raise Keyrod::Errors::ConnectionError, e.message
+      end
+      raise Keyrod::Errors::ResponseError, "#{error_message} #{response.status}" unless response.success?
+      response
+    end
+  end
+end

data/lib/keyrod/oidc_client.rb ADDED Viewed

@@ -0,0 +1,37 @@
+require 'faraday'
+require 'json'
+module Keyrod
+  class OIDCClient
+    attr_reader :oidc_site, :refresh_token, :client_id, :client_secret, :ssl
+    def initialize
+      @oidc_site = Keyrod::Settings[:'oidc-site']
+      @refresh_token = Keyrod::Settings[:'refresh-token']
+      @client_id = Keyrod::Settings[:'client-id']
+      @client_secret = Keyrod::Settings[:'client-secret']
+      @ssl = Keyrod::Settings[:ssl]
+    end
+    def access_token
+      conn = Faraday.new(oidc_site, ssl: ssl, params: params)
+      logger.debug "access_token: Sending request with params #{conn.params}"
+      response = conn.post
+      logger.debug "Received response with code #{response.status} and body #{response.body}"
+      raise Keyrod::Errors::ResponseError, "Response from OIDC server was #{response.status}" unless response.success?
+      JSON.parse(response.body, symbolize_names: true)[:access_token]
+    end
+    private
+    def params
+      { grant_type: 'refresh_token',
+        client_id: client_id,
+        client_secret: client_secret,
+        refresh_token: refresh_token,
+        scope: 'openid profile' }
+    end
+  end
+end

data/lib/keyrod/settings.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require 'settingslogic'
+module Keyrod
+  class Settings < Settingslogic
+    config_file = 'config.yml'
+    source "#{ENV['HOME']}/.keyrod/#{config_file}"\
+    if File.exist?("#{ENV['HOME']}/.keyrod/#{config_file}")
+    source "/etc/keyrod/#{config_file}"\
+    if File.exist?("/etc/keyrod/#{config_file}")
+    source "#{File.dirname(__FILE__)}/../../config/#{config_file}"
+    namespace 'keyrod'
+  end
+end

data/lib/keyrod/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module Keyrod
+  VERSION = '1.0.0'.freeze
+end

data/lib/keyrod.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module Keyrod
+  autoload :CLI, 'keyrod/cli'
+  autoload :Settings, 'keyrod/settings'
+  autoload :OIDCClient, 'keyrod/oidc_client'
+  autoload :FedcloudClient, 'keyrod/fedcloud_client'
+  autoload :Errors, 'keyrod/errors'
+end
+require 'keyrod/version'

metadata ADDED Viewed

@@ -0,0 +1,193 @@
+--- !ruby/object:Gem::Specification
+name: keyrod
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Cuong Duong Tuan
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-04-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: settingslogic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: yell
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: CLI for authenticating OIDC clients in EGI Federated Cloud
+email: cduongt@cesnet.cz
+executables:
+- keyrod
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/keyrod
+- config/config.yml
+- lib/keyrod.rb
+- lib/keyrod/cli.rb
+- lib/keyrod/errors.rb
+- lib/keyrod/fedcloud_client.rb
+- lib/keyrod/oidc_client.rb
+- lib/keyrod/settings.rb
+- lib/keyrod/version.rb
+homepage: https://github.com/cduongt/keyrod
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.13
+signing_key:
+specification_version: 4
+summary: Keyrod CLI
+test_files: []