keyrod 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 02571240ed3e856bc865d507a84a82c66c976ccc
+  data.tar.gz: c40032cbbb8ff3240daf558553af5a6e3f23dec2
+SHA512:
+  metadata.gz: c910ad52f352c61592dd02b7d8c894d5d601ccfc7963a5a4a2e0c8a933a752fa25daef9dba4c0483f4c3d483a8001492547b9fcb8174e525deec6081c1c2f3dd
+  data.tar.gz: 5299b20133bda56bc0e0c5f42c4d985865c0b41389af48136efcee05a7a5ee61b84f324844ba8ecc152d4f24fa455fdd71d107e77cd674b642ee5698938f567c

data/bin/keyrod

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require 'keyrod'
+
+Keyrod::CLI.start(ARGV)

data/config/config.yml

@@ -0,0 +1,15 @@
+keyrod:
+  debug: false # Debug mode
+  ca-dir: # CA directory
+  verify-ssl: false # Verify SSL certificate
+  fedcloud:
+    site: https://took51.ics.muni.cz:5000 # EGI FedCloud Site to authenticate against
+    access_token: # Access token
+    group: # ID of the group to join
+    interactive-fallback: false # Fallback to interactive mode if group is not set
+    identity-provider: egi.eu # Identity provider for token
+  oidc:
+    site: https://aai-dev.egi.eu/oidc/token # OIDC site to authenticate refresh token against
+    refresh_token: eyJhbGciOiJub25lIn0.eyJqdGkiOiI0ZDQ5MzUxMC00MDJhLTQ3NDQtYjE4Yi1lYmM5ODUxZmVlMTcifQ. # Refresh token
+    client_id: keyrodcli # OIDC client ID
+    client_secret: PpbuS_i3HcNV88ex48UKYPWCI1OwresZAxMjh1Pdf1NRHS6QTYb-PuUtzkd3XthD0dghxKSfzmapLBNHFxdFWg # OIDC client secret

data/lib/keyrod/cli.rb

@@ -0,0 +1,150 @@
+require 'thor'
+require 'yell'
+
+module Keyrod
+  class CLI < Thor
+    desc 'token', 'Get login token for FedCloud site'
+    option :debug,
+           required: false,
+           default: Keyrod::Settings['debug'],
+           type: :boolean,
+           desc: 'Runs Keyrod in debug mode'
+    option :'ca-dir',
+           required: false,
+           default: Keyrod::Settings['ca-dir'],
+           type: :string,
+           desc: 'CA directory'
+    option :'verify-ssl',
+           required: false,
+           default: Keyrod::Settings['verify-ssl'],
+           type: :boolean,
+           desc: 'Check SSL certificate of FedCloud site'
+    option :site,
+           required: true,
+           default: Keyrod::Settings['fedcloud']['site'],
+           type: :string,
+           desc: 'EGI FedCloud Site',
+           aliases: '-s'
+    option :'access-token',
+           required: false,
+           default: Keyrod::Settings['fedcloud']['access_token'],
+           type: :string,
+           desc: 'Access token for authentication',
+           aliases: '-a'
+    option :group,
+           required: false,
+           default: Keyrod::Settings['fedcloud']['group'],
+           type: :string,
+           desc: 'Group to join',
+           aliases: '-g'
+    option :'interactive-fallback',
+           required: false,
+           default: Keyrod::Settings['fedcloud']['interactive-fallback'],
+           type: :boolean,
+           desc: 'Fallback to interactive mode if group is not set',
+           aliases: '-f'
+    option :'identity-provider',
+           required: true,
+           default: Keyrod::Settings['fedcloud']['identity-provider'],
+           type: :string,
+           desc: 'Identity provider for token',
+           aliases: '-p'
+    option :'refresh-token',
+           required: false,
+           default: Keyrod::Settings['oidc']['refresh_token'],
+           type: :string,
+           desc: 'Refresh token for creating access token',
+           aliases: '-r'
+    option :'oidc-site',
+           required: false,
+           default: Keyrod::Settings['oidc']['site'],
+           type: :string,
+           desc: 'OIDC site for authenticating refresh token',
+           aliases: '-o'
+    option :'client-id',
+           required: false,
+           default: Keyrod::Settings['oidc']['client_id'],
+           type: :string,
+           desc: 'OIDC client ID',
+           aliases: '-i'
+    option :'client-secret',
+           required: false,
+           default: Keyrod::Settings['oidc']['client_secret'],
+           type: :string,
+           desc: 'OIDC client secret',
+           aliases: '-t'
+    def token
+      merge_config options
+      validate_config options
+      init_logger
+      process_tokens
+    rescue Keyrod::Errors::ParamsError => e
+      abort e.message
+    end
+
+    desc 'version', 'Prints Keyrod version'
+    def version
+      $stdout.puts Keyrod::VERSION
+    end
+
+    default_task :token
+
+    private
+
+    def init_logger
+      logging_level = Keyrod::Settings[:debug] ? [:debug] : [:info]
+      Yell.new :stdout, name: Object, level: logging_level
+      Object.send :include, Yell::Loggable
+    end
+
+    def merge_config(options)
+      Keyrod::Settings.clear
+      Keyrod::Settings.merge! options.to_hash
+      ssl_params = { verify: Keyrod::Settings[:'verify-ssl'] }
+      ssl_params[:ca_path] = Keyrod::Settings[:'ca-dir'] if Keyrod::Settings[:'ca-dir']
+      Keyrod::Settings[:ssl] = ssl_params
+    end
+
+    def validate_config(options)
+      raise Keyrod::Errors::ParamsError, 'Refresh/access token required' unless options[:'access-token'] || options[:'refresh-token']
+      raise Keyrod::Errors::ParamsError, 'Use one of refresh/access token' if options[:'access-token'] && options[:'refresh-token']
+
+      return unless options[:'refresh-token']
+      validate_config_group options,
+                            ['oidc-site', 'client-id', 'client-secret'],
+                            '--oidc-site, --client-id, --client-secret are required with refresh token'
+    end
+
+    def validate_config_group(options, group, message)
+      return if group.all? { |option| options[option] }
+
+      raise Keyrod::Errors::ParamsError, message
+    end
+
+    def process_tokens
+      access_token if Keyrod::Settings[:'refresh-token']
+
+      fedcloud_client = Keyrod::FedcloudClient.new
+      unscoped_token = fedcloud_client.unscoped_token
+      project = select_project(fedcloud_client.projects(unscoped_token))
+
+      $stdout.puts fedcloud_client.scoped_token(unscoped_token, project)
+    rescue Keyrod::Errors::ProjectError => e
+      abort e.message
+    end
+
+    def access_token
+      oidc_client = Keyrod::OIDCClient.new
+      Keyrod::Settings[:'access-token'] = oidc_client.access_token
+    end
+
+    def select_project(projects)
+      group = Keyrod::Settings[:group]
+      return group if projects.include? group
+
+      raise Keyrod::Errors::ProjectError, "Group #{group} is not available" if group && !Keyrod::Settings[:'interactive-fallback']
+
+      ask('Choose one of these groups:', limited_to: projects)
+    end
+  end
+end

data/lib/keyrod/errors.rb

@@ -0,0 +1,8 @@
+module Keyrod
+  module Errors
+    class ResponseError < StandardError; end
+    class ConnectionError < StandardError; end
+    class ParamsError < StandardError; end
+    class ProjectError < StandardError; end
+  end
+end

data/lib/keyrod/fedcloud_client.rb

@@ -0,0 +1,111 @@
+require 'faraday'
+require 'json'
+require 'net/http'
+
+module Keyrod
+  class FedcloudClient
+    attr_reader :site, :access_token, :auth_path, :ssl
+
+    PROJECTS_PATH = '/v3/auth/projects'.freeze
+    SCOPED_PATH = '/v3/auth/tokens'.freeze
+    REDIRECT_HEADER = 'WWW-Authenticate'.freeze
+
+    def initialize
+      @site = Keyrod::Settings[:site]
+      @access_token = Keyrod::Settings[:'access-token']
+      @auth_path = "/v3/OS-FEDERATION/identity_providers/#{Keyrod::Settings[:'identity-provider']}/protocols/oidc/auth"
+      @ssl = Keyrod::Settings[:ssl]
+    end
+
+    def unscoped_token
+      response = handle_response(unscoped_token_params, error_message: 'Response for getting unscoped token was')
+      response.headers[:'X-Subject-Token']
+    end
+
+    def projects(unscoped_token)
+      response = handle_response(projects_params(unscoped_token), error_message: 'Response for getting list of projects was')
+      parse_projects(response.body)
+    end
+
+    def scoped_token(unscoped_token, project)
+      response = handle_response(scoped_token_params, body: scoped_token_body(unscoped_token, project),
+                                                      error_message: 'Response for getting scoped token was')
+      response.headers[:'X-Subject-Token']
+    end
+
+    private
+
+    def unscoped_token_params
+      {
+        site: site,
+        headers: { Authorization: "Bearer #{access_token}", Accept: 'application/json' },
+        path: auth_path
+      }
+    end
+
+    def projects_params(unscoped_token)
+      {
+        site: site,
+        headers: { 'X-Auth-Token': unscoped_token, Accept: 'application/json' },
+        path: PROJECTS_PATH
+      }
+    end
+
+    def scoped_token_params
+      {
+        site: site,
+        headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
+        path: SCOPED_PATH
+      }
+    end
+
+    def scoped_token_body(unscoped_token, project)
+      {
+        auth: {
+          identity: {
+            methods: ['token'],
+            token: {
+              id: unscoped_token
+            }
+          },
+          scope: {
+            project: {
+              id: project
+            }
+          }
+        }
+      }.to_json
+    end
+
+    def parse_projects(projects_body)
+      project_json = JSON.parse(projects_body, symbolize_names: true)
+      project_json[:projects].map { |project| project[:id] }
+    end
+
+    def parse_redirect(response)
+      response.headers[REDIRECT_HEADER].downcase.sub('keystone uri=', '').delete("'")
+    end
+
+    def connection(params)
+      Faraday.new(File.join(params[:site], params[:path]), ssl: ssl, headers: params[:headers])
+    end
+
+    def handle_response(params, body: nil, error_message: '')
+      conn = connection(params)
+      logger.debug "Sending request with headers #{conn.headers}"
+      begin
+        response = body ? conn.post { |req| req.body = body } : conn.get
+
+        if response.status == 401 && response.headers[REDIRECT_HEADER]
+          params[:site] = parse_redirect(response)
+          response = handle_response(params, body: body, error_message: error_message)
+        end
+      rescue Faraday::ConnectionFailed => e
+        raise Keyrod::Errors::ConnectionError, e.message
+      end
+
+      raise Keyrod::Errors::ResponseError, "#{error_message} #{response.status}" unless response.success?
+      response
+    end
+  end
+end

data/lib/keyrod/oidc_client.rb

@@ -0,0 +1,37 @@
+require 'faraday'
+require 'json'
+
+module Keyrod
+  class OIDCClient
+    attr_reader :oidc_site, :refresh_token, :client_id, :client_secret, :ssl
+
+    def initialize
+      @oidc_site = Keyrod::Settings[:'oidc-site']
+      @refresh_token = Keyrod::Settings[:'refresh-token']
+      @client_id = Keyrod::Settings[:'client-id']
+      @client_secret = Keyrod::Settings[:'client-secret']
+      @ssl = Keyrod::Settings[:ssl]
+    end
+
+    def access_token
+      conn = Faraday.new(oidc_site, ssl: ssl, params: params)
+
+      logger.debug "access_token: Sending request with params #{conn.params}"
+      response = conn.post
+      logger.debug "Received response with code #{response.status} and body #{response.body}"
+      raise Keyrod::Errors::ResponseError, "Response from OIDC server was #{response.status}" unless response.success?
+
+      JSON.parse(response.body, symbolize_names: true)[:access_token]
+    end
+
+    private
+
+    def params
+      { grant_type: 'refresh_token',
+        client_id: client_id,
+        client_secret: client_secret,
+        refresh_token: refresh_token,
+        scope: 'openid profile' }
+    end
+  end
+end

data/lib/keyrod/settings.rb

@@ -0,0 +1,16 @@
+require 'settingslogic'
+
+module Keyrod
+  class Settings < Settingslogic
+    config_file = 'config.yml'
+
+    source "#{ENV['HOME']}/.keyrod/#{config_file}"\
+    if File.exist?("#{ENV['HOME']}/.keyrod/#{config_file}")
+
+    source "/etc/keyrod/#{config_file}"\
+    if File.exist?("/etc/keyrod/#{config_file}")
+
+    source "#{File.dirname(__FILE__)}/../../config/#{config_file}"
+    namespace 'keyrod'
+  end
+end

data/lib/keyrod/version.rb

@@ -0,0 +1,3 @@
+module Keyrod
+  VERSION = '1.0.0'.freeze
+end

data/lib/keyrod.rb

@@ -0,0 +1,9 @@
+module Keyrod
+  autoload :CLI, 'keyrod/cli'
+  autoload :Settings, 'keyrod/settings'
+  autoload :OIDCClient, 'keyrod/oidc_client'
+  autoload :FedcloudClient, 'keyrod/fedcloud_client'
+  autoload :Errors, 'keyrod/errors'
+end
+
+require 'keyrod/version'

metadata

@@ -0,0 +1,193 @@
+--- !ruby/object:Gem::Specification
+name: keyrod
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Cuong Duong Tuan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-04-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.22'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: settingslogic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: yell
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: CLI for authenticating OIDC clients in EGI Federated Cloud
+email: cduongt@cesnet.cz
+executables:
+- keyrod
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/keyrod
+- config/config.yml
+- lib/keyrod.rb
+- lib/keyrod/cli.rb
+- lib/keyrod/errors.rb
+- lib/keyrod/fedcloud_client.rb
+- lib/keyrod/oidc_client.rb
+- lib/keyrod/settings.rb
+- lib/keyrod/version.rb
+homepage: https://github.com/cduongt/keyrod
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Keyrod CLI
+test_files: []