miasma-aws 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1cb99ed122c82e005f8d171610fff1b9d5709e58
-  data.tar.gz: 1c9e9dc24dd0bbe188498a49c4f1255f82e11b94
+  metadata.gz: 9221ddb29c7683d78498567b552c6295078a97aa
+  data.tar.gz: e83a397c308eb038fdbaa14a0cc65da3b7da5441
 SHA512:
-  metadata.gz: 1bc7a82669aad8364a8efb38ebd87ae97b5682d1449561f24f810549d16b4ebf74be2af02faaba072bf17650dd86c1f7f55703ce51d23cb90485a8c91e181688
-  data.tar.gz: 11d1fc54c194c3401c5a1eb4c9a20c6d4be8679349b486386c54b86178ab3b3275941c9159111341bf2897a975c2b19533bdfae99a5e7f0b17e23e19ca2185d9
+  metadata.gz: 3e5f23aba1e47e832362638e817d66d6763b0422453fc78a8ec3814afd43130aa0762b8326b7111657d85d4106daf4791dfd20b93f8e596ccb836f7fe9ed0ee7
+  data.tar.gz: eeafe49ac5867ae0f24960ad25e7cb8a173bf0e5054535b5ec40efedd4700da84fa19aa1ab3aa96656d0be37d3fa5bbe2a27481628e63a0479ef737a26055721

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v0.3.0
+* [feature] Add sts session token support (MFA #35)
+* [enhancement] Load single bucket directly (remove bucket list permission requirement #33)
+
 # v0.2.4
 * [enhancement] Add aws credential file mappings for token value (#31)
 * [fix] Support quoted values within aws credentials/configuration files (#31)

data/README.md

@@ -39,6 +39,9 @@ Miasma.api(
 * `aws_sts_role_arn` - Assume role
 * `aws_external_id` - Provide an external ID when assuming role
 * `aws_sts_role_session_name` - Provide custom session name when assuming role
+* `aws_sts_session_token` - MFA related session token
+* `aws_sts_session_token_code` - Six digit code from MFA device
+* `aws_sts_mfa_serial_number` - Serial number or ARN of MFA device
 
 ### S3 related attributes
 

data/lib/miasma/contrib/aws/storage.rb

@@ -92,6 +92,27 @@ module Miasma
           bucket
         end
 
+        # Directly fetch bucket
+        #
+        # @param ident [String] identifier
+        # @return [Models::Storage::Bucket, NilClass]
+        def bucket_get(ident)
+          bucket = Bucket.new(self,
+            :id => ident,
+            :name => ident
+          )
+          begin
+            bucket.reload
+            bucket
+          rescue Error::ApiError::RequestError => e
+            if(e.response.status == 404)
+              nil
+            else
+              raise
+            end
+          end
+        end
+
         # Destroy bucket
         #
         # @param bucket [Models::Storage::Bucket]

data/lib/miasma/contrib/aws.rb

@@ -337,6 +337,9 @@ module Miasma
             attribute :aws_sts_role_session_name, String
             attribute :aws_sts_region, String
             attribute :aws_sts_host, String
+            attribute :aws_sts_session_token, String
+            attribute :aws_sts_session_token_code, [String, Proc, Method]
+            attribute :aws_sts_mfa_serial_number, [String]
             attribute :aws_credentials_file, String, :required => true, :default => File.join(Dir.home, '.aws/credentials')
             attribute :aws_config_file, String, :required => true, :default => File.join(Dir.home, '.aws/config')
             attribute :aws_access_key_id, String, :required => true
@@ -349,9 +352,6 @@ module Miasma
             attribute :euca_compat, Symbol, :allowed_values => [:path, :dns], :coerce => lambda{|v| v.is_a?(String) ? v.to_sym : v}
             attribute :euca_dns_map, Smash, :coerce => lambda{|v| v.to_smash}, :default => Smash.new
             attribute :ssl_enabled, [TrueClass, FalseClass], :default => true
-
-            # @return [Contrib::AwsApiCore::SignatureV4]
-            attr_reader :signer
           end
 
           # AWS config file key remapping
@@ -360,7 +360,7 @@ module Miasma
               'region' => 'aws_region',
               'role_arn' => 'aws_sts_role_arn',
               'aws_security_token' => 'aws_sts_token',
-              'aws_session_token' => 'aws_sts_token'
+              'aws_session_token' => 'aws_sts_session_token'
             )
           )
           klass.const_set(:INSTANCE_PROFILE_HOST, 'http://169.254.169.254')
@@ -405,9 +405,6 @@ module Miasma
               ).merge(creds)
             )
           end
-          if(creds[:aws_sts_role_arn])
-            sts_assume_role!(creds)
-          end
           if(creds[:aws_iam_instance_profile])
             load_instance_credentials!(creds)
           end
@@ -472,24 +469,42 @@ module Miasma
           true
         end
 
+        def sts_mfa_session!(creds)
+          if(sts_mfa_session_update_required?(creds))
+            sts = Miasma::Contrib::Aws::Api::Sts.new(
+              :aws_access_key_id => creds[:aws_access_key_id],
+              :aws_secret_access_key => creds[:aws_secret_access_key],
+              :aws_region => creds.fetch(:aws_sts_region, 'us-east-1'),
+              :aws_credentials_file => creds.fetch(:aws_credentials_file, aws_credentials_file),
+              :aws_config_file => creds.fetch(:aws_config_file, aws_config_file),
+              :aws_profile_name => creds[:aws_profile_name],
+              :aws_host => creds[:aws_sts_host],
+            )
+            creds.merge!(
+              sts.mfa_session(
+                creds[:aws_sts_session_token_code],
+                :mfa_serial => creds[:aws_sts_mfa_serial_number]
+              )
+            )
+          end
+          true
+        end
+
         # Assume requested role and replace key id and secret
         #
         # @param creds [Hash]
         # @return [TrueClass]
         def sts_assume_role!(creds)
-          unless(creds[:aws_access_key_id_original])
-            creds[:aws_access_key_id_original] = creds[:aws_access_key_id]
-            creds[:aws_secret_access_key_original] = creds[:aws_secret_access_key]
-          end
-          if(sts_update_required?(creds))
+          if(sts_assume_role_update_required?(creds))
             sts = Miasma::Contrib::Aws::Api::Sts.new(
-              :aws_access_key_id => creds[:aws_access_key_id_original],
-              :aws_secret_access_key => creds[:aws_secret_access_key_original],
+              :aws_access_key_id => get_credential(:access_key_id, creds),
+              :aws_secret_access_key => get_credential(:secret_access_key, creds),
               :aws_region => creds.fetch(:aws_sts_region, 'us-east-1'),
               :aws_credentials_file => creds.fetch(:aws_credentials_file, aws_credentials_file),
               :aws_config_file => creds.fetch(:aws_config_file, aws_config_file),
               :aws_profile_name => creds[:aws_profile_name],
-              :aws_host => creds[:aws_sts_host]
+              :aws_host => creds[:aws_sts_host],
+              :aws_sts_token => creds[:aws_sts_session_token]
             )
             role_info = sts.assume_role(
               creds[:aws_sts_role_arn],
@@ -590,11 +605,33 @@ module Miasma
               ].join('.')
             end
           end
-          @signer = Contrib::AwsApiCore::SignatureV4.new(
-            aws_access_key_id, aws_secret_access_key, aws_region, self.class::API_SERVICE
+        end
+
+        # @return [Contrib::AwsApiCore::SignatureV4]
+        def signer
+          Contrib::AwsApiCore::SignatureV4.new(
+            get_credential(:access_key_id),
+            get_credential(:secret_access_key),
+            aws_region,
+            self.class::API_SERVICE
           )
         end
 
+        # Return correct credential value based on STS context
+        #
+        # @param key [String, Symbol] credential suffix
+        # @return [Object]
+        def get_credential(key, data_hash=nil)
+          data_hash = attributes if data_hash.nil?
+          if(data_hash[:aws_sts_token])
+            data_hash.fetch("aws_sts_#{key}", data_hash["aws_#{key}"])
+          elsif(data_hash[:aws_sts_session_token])
+            data_hash.fetch("aws_sts_session_#{key}", data_hash["aws_#{key}"])
+          else
+            data_hash["aws_#{key}"]
+          end
+        end
+
         # @return [String] custom escape for aws compat
         def uri_escape(string)
           signer.safe_escape(string)
@@ -637,8 +674,16 @@ module Miasma
               )
             end
           end
-          if(aws_sts_token)
-            sts_assume_role!(attributes) if sts_update_required?
+          if(aws_sts_session_token || aws_sts_session_token_code)
+            if(sts_mfa_session_update_required?)
+              sts_mfa_session!(data)
+            end
+            options.set(:headers, 'X-Amz-Security-Token', aws_sts_session_token)
+          end
+          if(aws_sts_token || aws_sts_role_arn)
+            if(sts_assume_role_update_required?)
+              sts_assume_role!(data)
+            end
             options.set(:headers, 'X-Amz-Security-Token', aws_sts_token)
           end
           signature = signer.generate(http_method, path, options)
@@ -649,10 +694,21 @@ module Miasma
 
         # @return [TrueClass, FalseClass]
         # @note update check only applied if assuming role
-        def sts_update_required?(args={})
-          if(args.fetch(:aws_sts_role_arn, data[:aws_sts_role_arn]))
-            expiry = args.fetch(:aws_sts_token_expires, data[:aws_sts_token_expires])
-            expiry.nil? || expiry <= Time.now - 1
+        def sts_assume_role_update_required?(args={})
+          if(args.fetch(:aws_sts_role_arn, attributes[:aws_sts_role_arn]))
+            expiry = args.fetch(:aws_sts_token_expires, attributes[:aws_sts_token_expires])
+            expiry.nil? || expiry <= Time.now - 15
+          else
+            false
+          end
+        end
+
+        # @return [TrueClass, FalseClass]
+        # @note update check only applied if assuming role
+        def sts_mfa_session_update_required?(args={})
+          if(args.fetch(:aws_sts_session_token_code, attributes[:aws_sts_session_token_code]))
+            expiry = args.fetch(:aws_sts_session_token_expires, attributes[:aws_sts_session_token_expires])
+            expiry.nil? || expiry <= Time.now - 15
           else
             false
           end

data/lib/miasma-aws/api/iam.rb

@@ -0,0 +1,49 @@
+require 'miasma'
+
+module Miasma
+  module Contrib
+    module Aws
+      module Api
+        class Iam < Miasma::Types::Api
+
+          # Service name of the API
+          API_SERVICE = 'iam'
+          # Supported version of the IAM API
+          API_VERSION = '2010-05-08'
+
+          include Contrib::AwsApiCore::ApiCommon
+          include Contrib::AwsApiCore::RequestUtils
+
+          def connect
+            super
+            service_name = self.class::API_SERVICE.downcase
+            self.aws_host = [
+              service_name,
+              api_endpoint
+            ].join('.')
+          end
+
+          # Fetch current user information
+          def user_info
+            result = request(
+              :path => '/',
+              :params => {
+                'Action' => 'GetUser'
+              }
+            ).get(:body, 'GetUserResponse', 'GetUserResult', 'User')
+            Smash.new(
+              :user_id => result['UserId'],
+              :path => result['Path'],
+              :username => result['UserName'],
+              :arn => result['Arn'],
+              :created => result['CreateDate'],
+              :password_last_used => result['PasswordLastUsed'],
+              :account_id => result['Arn'].split(':')[4]
+            )
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/miasma-aws/api/sts.rb

@@ -8,12 +8,38 @@ module Miasma
 
           # Service name of the API
           API_SERVICE = 'sts'
-          # Supported version of the AutoScaling API
+          # Supported version of the STS API
           API_VERSION = '2011-06-15'
 
           include Contrib::AwsApiCore::ApiCommon
           include Contrib::AwsApiCore::RequestUtils
 
+          # Generate MFA session credentials
+          #
+          # @param token_code [String, Proc] Code from MFA device
+          # @param args [Hash]
+          # @option args [Integer] :duration life of session in seconds
+          # @option args [String] :mfa_serial MFA device identification number
+          # @return [Hash]
+          def mfa_session(token_code, args={})
+            req_params = Smash.new.tap do |params|
+              params['Action'] = 'GetSessionToken'
+              params['TokenCode'] = token_code.respond_to?(:call) ? token_code.call : token_code
+              params['DurationSeconds'] = args[:duration] if args[:duration]
+              params['SerialNumber'] = args[:mfa_serial].to_s.empty? ? default_mfa_serial : args[:mfa_serial]
+            end
+            result = request(
+              :path => '/',
+              :params => req_params
+            ).get(:body, 'GetSessionTokenResponse', 'GetSessionTokenResult', 'Credentials')
+            Smash.new(
+              :aws_sts_session_token => result['SessionToken'],
+              :aws_sts_session_secret_access_key => result['SecretAccessKey'],
+              :aws_sts_session_access_key_id => result['AccessKeyId'],
+              :aws_sts_session_token_expires => Time.parse(result['Expiration'])
+            )
+          end
+
           # Assume new role
           #
           # @param role_arn [String] IAM Role ARN
@@ -34,14 +60,26 @@ module Miasma
             ).get(:body, 'AssumeRoleResponse', 'AssumeRoleResult')
             Smash.new(
               :aws_sts_token => result.get('Credentials', 'SessionToken'),
-              :aws_secret_access_key => result.get('Credentials', 'SecretAccessKey'),
-              :aws_access_key_id => result.get('Credentials', 'AccessKeyId'),
+              :aws_sts_secret_access_key => result.get('Credentials', 'SecretAccessKey'),
+              :aws_sts_access_key_id => result.get('Credentials', 'AccessKeyId'),
               :aws_sts_token_expires => Time.parse(result.get('Credentials', 'Expiration')),
               :aws_sts_assumed_role_arn => result.get('AssumedRoleUser', 'Arn'),
               :aws_sts_assumed_role_id => result.get('AssumedRoleUser', 'AssumedRoleId')
             )
           end
 
+          # @return [String]
+          def default_mfa_serial
+            user_data = Iam.new(
+              Smash[
+                [:aws_access_key_id, :aws_secret_access_key, :aws_region].map do |key|
+                  [key, attributes[key]]
+                end
+              ]
+            ).user_info
+            "arn:aws:iam::#{user_data[:account_id]}:mfa/#{user_data[:username]}"
+          end
+
         end
       end
     end

data/lib/miasma-aws/api.rb

@@ -5,6 +5,7 @@ module Miasma
     module Aws
       module Api
         autoload :Sts, 'miasma-aws/api/sts'
+        autoload :Iam, 'miasma-aws/api/iam'
       end
     end
   end

data/lib/miasma-aws/version.rb

@@ -1,4 +1,4 @@
 module MiasmaAws
   # Current library version
-  VERSION = Gem::Version.new('0.2.4')
+  VERSION = Gem::Version.new('0.3.0')
 end

data/miasma-aws.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |s|
   s.description = 'Smoggy AWS API'
   s.license = 'Apache 2.0'
   s.require_path = 'lib'
-  s.add_development_dependency 'miasma', '>= 0.2.35'
+  s.add_runtime_dependency 'miasma', '>= 0.2.39', '< 0.5'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rubocop'
   s.add_development_dependency 'pry'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: miasma-aws
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Chris Roberts
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-03 00:00:00.000000000 Z
+date: 2016-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: miasma
@@ -16,14 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.35
-  type: :development
+        version: 0.2.39
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.35
+        version: 0.2.39
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -147,6 +153,7 @@ files:
 - README.md
 - lib/miasma-aws.rb
 - lib/miasma-aws/api.rb
+- lib/miasma-aws/api/iam.rb
 - lib/miasma-aws/api/sts.rb
 - lib/miasma-aws/version.rb
 - lib/miasma/contrib/aws.rb