RubyGems - prx-ruby-aws-creds - Versions diffs - 0.1.0 → 0.1.1 - Mend

prx-ruby-aws-creds 0.1.0 → 0.1.1

Files changed (3) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7abb2239df6342948e68ed047013e67a326292b3dcde4bc474fa6464ca4ed56c
-  data.tar.gz: 2e709d49a0cbe389bf996c05c296702d36deb731c32e7f72f3fea7e548b12e5b
+  metadata.gz: de3e7ce4a5d260687d001b85f356d8ed44f0042cccb441f0713302b9a463588a
+  data.tar.gz: 809cf2c28520f1881dddaa6c39f9a7a38fc9cce84e9ea2ec04fd0fe176c9fdf9
 SHA512:
-  metadata.gz: fc8e689995304d5bd5fab0b3ed37a1ca1ae2753a0b79f9a57b94cf17f66b508bb47830c9cd34906d0c3abeee0dcdda0cb42c5a775f6f1a5977b5e19282695ad7
-  data.tar.gz: a30158aea20392ea4fceb69b440bc439b00ed5bdd7e8ac21a77621c753654ddee412e39e456cba7b3f4d811890dbd5fc4b4fd82e22cc0d32805cf6e1600ff9cd
+  metadata.gz: 36c906b505621065a7239e5f6ce04b62a3d11d474cdcb2c20b87b0ed67b3fbc7b1cb3ff4ab6456e1c5db95515a1eef839045d215cf746e6448762c8bed2d7f00
+  data.tar.gz: a3819f034b34ee12f2695afbbdcef6e3fcf70574b46e8e67730a8c97cdf44c1e52289eb47f0a2e1ba24fc8fdafaef5ad6f9d4c4d4a889c3f491af0d7eeaa1e3e

data/lib/prx-ruby-aws-creds.rb CHANGED Viewed

@@ -1,66 +1,105 @@
+require "json"
+require "digest"
+require "time"
+require "fileutils"
+require "io/console"
+require "inifile"
+require "aws-sdk-core"
+require "aws-sdk-sts"
+require "aws-sdk-sso"
+CACHE_DIRECTORY = "#{Dir.home}/.aws/ruby/cache"
 AWS_CONFIG_FILE = ENV["AWS_CONFIG_FILE"] || "#{Dir.home}/.aws/config"
 class PrxRubyAwsCreds
   class << self
-    def cache_directory
-      "#{Dir.home}/.aws/ruby/cache"
-    end
-    def cache_key_path(assume_role_options)
-      # The cache key is based on the parameters used for the AssumeRole call.
-      # The role session name is removed if it's randomly generated (which it
-      # always is for us). If the options were ever to include a policy document,
-      # that should get sorted before hashing.
-      # https://github.com/boto/botocore/blob/88d780dea1684da00689f2eef388fa4c782ced08/botocore/credentials.py#L700
-      key_opts = assume_role_options.clone
+    # The cache key is based on the parameters used to request temporary
+    # credentials (using either STS AssumeRole or SSO GetRoleCredentials). The
+    # role session name is removed if it's randomly generated (which it always
+    # is for us). If the options were ever to include a policy document, that
+    # should get sorted before hashing.
+    # https://github.com/boto/botocore/blob/88d780dea1684da00689f2eef388fa4c782ced08/botocore/credentials.py#L700
+    #
+    # For any
+    def cache_key_path(role_options)
+      key_opts = role_options.clone
       key_opts.delete(:role_session_name)
+      key_opts.delete(:access_token)
       cache_key = Digest::SHA1.hexdigest(JSON.dump(key_opts))
-      "#{cache_directory}/#{cache_key}.json"
+      "#{CACHE_DIRECTORY}/#{cache_key}.json"
     end
-    # Returns the options passed to SSO#get_role_credentials. This is used when the
-    # profile uses an SSO, rather than a key/secret. If the selected profile is
-    # not configured for SSO, returns nil.
-    def sso_get_role_options
-      aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
-      if aws_config_file_section["sso_start_url"]
-        profile_start_url = aws_config_file_section["sso_start_url"]
-        sso_access_token = nil
-        Dir["#{Dir.home}/.aws/sso/cache/*.json"].each do |path|
-          data = JSON.parse(File.read(path))
-          if data["startUrl"] && data["startUrl"] == profile_start_url
-            sso_access_token = data["accessToken"]
-            break
+    # For a given SSO start URL, return a valid access token from the cache. If
+    # no valid token is found, returns nil. An access token will only be
+    # considered valid if it has not expired.
+    def sso_get_cached_access_token(start_url)
+      Dir["#{Dir.home}/.aws/sso/cache/*.json"].each do |path|
+        data = JSON.parse(File.read(path))
+        if data["startUrl"] && data["startUrl"] == start_url
+          expiration = Time.parse(data["expiresAt"])
+          if expiration > Time.now
+            return data["accessToken"]
           end
         end
+      end
-        if !sso_access_token
-          puts "No SSO access token was found for this profile."
-          puts "Press RETURN to request a token in a web browser."
-          puts "You can do this manually with: 'aws sso login --profile #{OPTS[:profile]}'"
-          inp = $stdin.gets.chomp
-          `aws sso login --profile #{OPTS[:profile]}` if inp.empty?
-        end
+      nil
+    end
-        {
-          role_name: aws_config_file_section["sso_role_name"],
-          account_id: aws_config_file_section["sso_account_id"].to_s,
-          access_token: sso_access_token
-        }
+    # Returns the options passed to SSO#get_role_credentials. This is used when
+    # the profile uses an SSO, rather than a key/secret. If the selected
+    # profile is not configured for SSO, returns nil.
+    #
+    # `role_name` and `account_id` are values found in the config file for the
+    # given profile. `access_token` is a SSO token found in the SSO cache for
+    # the SSO start URL associated with the given profile.
+    def sso_get_role_options(profile_name)
+      aws_config_file = IniFile.load(AWS_CONFIG_FILE)
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
+      # The selected profile does not use SSO
+      return if !aws_config_file_section["sso_start_url"]
+      # Get the SSO start URL for the selected profile
+      profile_start_url = aws_config_file_section["sso_start_url"]
+      sso_access_token = sso_get_cached_access_token(profile_start_url)
+      # If a valid token wasn't found in the cache, prompt the user to fetch a
+      # new one.
+      if !sso_access_token
+        puts
+        puts "No #{"access token".yellow} was found for this SSO start URL associated with this profile (#{profile_start_url.blue})."
+        puts "Press #{"RETURN".green} to request a new token. This will open a web browser."
+        puts "You can also do this manually with: 'aws sso login --profile #{profile_name}'".gray
+        puts
+        inp = $stdin.gets.chomp
+        `aws sso login --profile #{profile_name}` if inp.empty?
+        sso_access_token = sso_get_cached_access_token(profile_start_url)
+        puts "This #{"access token".yellow} is valid for all SSO profiles using #{profile_start_url.blue} as their start URL."
+        puts
       end
+      {
+        role_name: aws_config_file_section["sso_role_name"],
+        account_id: aws_config_file_section["sso_account_id"].to_s,
+        access_token: sso_access_token
+      }
     end
-    # Returns the options passed to AssumeRole. This is used when the profile uses
-    # a key/secret. If the selected profile is not configured for key/secret,
-    # returns nil.
-    def assume_role_options
+    # Returns the options passed to AssumeRole. This is used when the profile
+    # uses a key/secret. If the selected profile is not configured for
+    # key/secret, returns nil.
+    def assume_role_options(profile_name)
       aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
+      # Get the role ARN for the selected profile
       role_arn = aws_config_file_section["role_arn"]
+      # Extract some values from the ARN
       role_name = role_arn.split("role/")[1]
       account_id = role_arn.split(":")[4]
@@ -71,49 +110,85 @@ class PrxRubyAwsCreds
       }
     end
-    def get_and_cache_credentials
-      FileUtils.mkdir_p cache_directory
+    # Makes a request to some AWS API endpoint that can generate temporary IAM
+    # credentials (e.g., AssumeRole, GetRoleCredentials, etc) based on the
+    # configuration of the selected profile.
+    #
+    # Cache the resulting credentials in the CACHE_DIRECTORY. The file is named
+    # using a hash of the options passed to the endpoint.
+    def get_and_cache_credentials(profile_name)
+      # Make sure the cache directory exists
+      FileUtils.mkdir_p CACHE_DIRECTORY
       aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
       if aws_config_file_section["sso_role_name"]
-        opts = sso_get_role_options
-        sso = Aws::SSO::Client.new(region: aws_config_file_section["region"])
+        # For SSO profiles, call GetRoleCredentials with a role, account, and
+        # access token to get back a set of temporary credentials.
+        # https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html
+        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SSO/Client.html#get_role_credentials-instance_method
+        opts = sso_get_role_options(profile_name)
+        sso = Aws::SSO::Client.new(region: aws_config_file_section["sso_region"])
         credentials = sso.get_role_credentials(opts)
+        # Cache the credentials. The structure of this file doesn't exactly
+        # match what native libraries (boto, etc) use. Instead, it matches the
+        # default output of assume_role. It could be anything, it just needs
+        # to be consistent across profile types, and match what
+        # load_and_verify_cached_credentials expects.
         File.write(cache_key_path(opts), JSON.dump({"credentials" => {
           "access_key_id" => credentials.role_credentials.access_key_id,
           "secret_access_key" => credentials.role_credentials.secret_access_key,
           "session_token" => credentials.role_credentials.session_token
         }}))
+        # Return the temporary IAM credentials
         Aws::Credentials.new(credentials.role_credentials.access_key_id, credentials.role_credentials.secret_access_key, credentials.role_credentials.session_token)
       elsif aws_config_file_section["mfa_serial"]
+        # For profiles using an API key with an MFA token, get the serial
+        # number of the MFA device associated with the profile.
         mfa_serial = aws_config_file_section["mfa_serial"]
+        # Prompt the user for the current TOTP code associated with the MFA
+        # device.
         mfa_code = $stdin.getpass("Enter MFA code for #{mfa_serial}: ")
-        credentials = Aws.shared_config.assume_role_credentials_from_config(profile: OPTS[:profile], token_code: mfa_code.chomp)
-        sts = Aws::STS::Client.new(
-          region: "us-east-1",
-          credentials: credentials
-        )
+        # Get a set of credentials for the role configured in the profile using
+        # the TOTP code. I don't remember why, but I don't think these
+        # credentials should be used for anything other than making another
+        # call to assume_role. Don't cache or return these credentials.
+        # Note: This is marked as a private API
+        credentials = Aws.shared_config.assume_role_credentials_from_config(profile: profile_name, token_code: mfa_code.chomp)
+        sts = Aws::STS::Client.new(region: "us-east-1", credentials: credentials)
+        # Make a call to get_caller_identity to ensure that the first set of
+        # credentials are valid?
         _id = sts.get_caller_identity
+        # Make a regular assume_role call to get standard temporary IAM
+        # credentials.
         opts = assume_role_options
-        cacheable_role = sts.assume_role(assume_role_options)
+        cacheable_role = sts.assume_role(opts)
         File.write(cache_key_path(opts), JSON.dump(cacheable_role.to_h))
+        # Return the temporary IAM credentials
         Aws::Credentials.new(cacheable_role["credentials"]["access_key_id"], cacheable_role["credentials"]["secret_access_key"], cacheable_role["credentials"]["session_token"])
       end
     rescue Aws::SSO::Errors::UnauthorizedException
-      raise "The SSO access token for this profile is invalid. Run 'aws sso login --profile #{OPTS[:profile]}' to fetch a valid token."
+      raise "The SSO access token for this profile is invalid. Run 'aws sso login --profile #{profile_name}' to fetch a valid token."
     end
-    def load_and_verify_cached_credentials
+    # For the selected profile, look for a set of cached temporary IAM
+    # credentials. These are vanilla IAM credentials that look the same
+    # regardless of what type of profile is selected (SSO, MFA, etc).
+    #
+    # If no cached credential exist for the profile, or if the credentials are
+    # invalid (i.e., can't successfully call get_caller_identity), a new set
+    # of credentials will be fetched and cached.
+    def load_and_verify_cached_credentials(profile_name)
       # Look up the cache file based on the options for the seleted profile.
-      options = sso_get_role_options || assume_role_options
+      options = sso_get_role_options(profile_name) || assume_role_options(profile_name)
       cached_role_json = File.read(cache_key_path(options))
       cached_role = JSON.parse(cached_role_json)
@@ -127,18 +202,20 @@ class PrxRubyAwsCreds
       credentials
     rescue Aws::STS::Errors::ExpiredToken
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     rescue Aws::STS::Errors::InvalidClientTokenId
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     rescue Errno::ENOENT
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     end
-    # Returns temporary client credentials for the profile selected with --profile
-    # when the command was run.
-    def client_credentials
+    # Returns temporary IAM client (Aws::Credentials) credentials for a given
+    # profile.
+    def client_credentials(profile_name = nil)
+      profile_name ||= OPTS[:profile]
       # For the selected profile, get the appropriate set of options.
-      options = sso_get_role_options || assume_role_options
+      options = sso_get_role_options(profile_name) || assume_role_options(profile_name)
       return if !options
@@ -146,11 +223,11 @@ class PrxRubyAwsCreds
       if !File.file?(cache_key_path(options))
         # When no cache exists for these options, fetch new credentials, cache them
         # and return them.
-        get_and_cache_credentials
+        get_and_cache_credentials(profile_name)
       else
         # When there is a cache for these options, return them if they are still
         # valid, otherwise refresh them and return the new credentials.
-        load_and_verify_cached_credentials
+        load_and_verify_cached_credentials(profile_name)
       end
     end
   end

metadata CHANGED Viewed

@@ -1,15 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: prx-ruby-aws-creds
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Christopher Kalafarski
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-04 00:00:00.000000000 Z
-dependencies: []
+date: 2023-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-sso
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-sts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: tktk
 email: chris.kalafarski@prx.org
 executables: []