RubyGems - prx-ruby-aws-creds - Versions diffs - 0.1.0 → 0.1.1 - Mend

prx-ruby-aws-creds 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7abb2239df6342948e68ed047013e67a326292b3dcde4bc474fa6464ca4ed56c
-  data.tar.gz: 2e709d49a0cbe389bf996c05c296702d36deb731c32e7f72f3fea7e548b12e5b
+  metadata.gz: de3e7ce4a5d260687d001b85f356d8ed44f0042cccb441f0713302b9a463588a
+  data.tar.gz: 809cf2c28520f1881dddaa6c39f9a7a38fc9cce84e9ea2ec04fd0fe176c9fdf9
 SHA512:
-  metadata.gz: fc8e689995304d5bd5fab0b3ed37a1ca1ae2753a0b79f9a57b94cf17f66b508bb47830c9cd34906d0c3abeee0dcdda0cb42c5a775f6f1a5977b5e19282695ad7
-  data.tar.gz: a30158aea20392ea4fceb69b440bc439b00ed5bdd7e8ac21a77621c753654ddee412e39e456cba7b3f4d811890dbd5fc4b4fd82e22cc0d32805cf6e1600ff9cd
+  metadata.gz: 36c906b505621065a7239e5f6ce04b62a3d11d474cdcb2c20b87b0ed67b3fbc7b1cb3ff4ab6456e1c5db95515a1eef839045d215cf746e6448762c8bed2d7f00
+  data.tar.gz: a3819f034b34ee12f2695afbbdcef6e3fcf70574b46e8e67730a8c97cdf44c1e52289eb47f0a2e1ba24fc8fdafaef5ad6f9d4c4d4a889c3f491af0d7eeaa1e3e

data/lib/prx-ruby-aws-creds.rb CHANGED Viewed

@@ -1,66 +1,105 @@
+require "json"
+require "digest"
+require "time"
+require "fileutils"
+require "io/console"
+require "inifile"
+require "aws-sdk-core"
+require "aws-sdk-sts"
+require "aws-sdk-sso"
+CACHE_DIRECTORY = "#{Dir.home}/.aws/ruby/cache"
 AWS_CONFIG_FILE = ENV["AWS_CONFIG_FILE"] || "#{Dir.home}/.aws/config"
 class PrxRubyAwsCreds
   class << self
-    def cache_directory
-      "#{Dir.home}/.aws/ruby/cache"
-    end
-    def cache_key_path(assume_role_options)
-      # The cache key is based on the parameters used for the AssumeRole call.
-      # The role session name is removed if it's randomly generated (which it
-      # always is for us). If the options were ever to include a policy document,
-      # that should get sorted before hashing.
-      # https://github.com/boto/botocore/blob/88d780dea1684da00689f2eef388fa4c782ced08/botocore/credentials.py#L700
-      key_opts = assume_role_options.clone
+    # The cache key is based on the parameters used to request temporary
+    # credentials (using either STS AssumeRole or SSO GetRoleCredentials). The
+    # role session name is removed if it's randomly generated (which it always
+    # is for us). If the options were ever to include a policy document, that
+    # should get sorted before hashing.
+    # https://github.com/boto/botocore/blob/88d780dea1684da00689f2eef388fa4c782ced08/botocore/credentials.py#L700
+    #
+    # For any
+    def cache_key_path(role_options)
+      key_opts = role_options.clone
       key_opts.delete(:role_session_name)
+      key_opts.delete(:access_token)
       cache_key = Digest::SHA1.hexdigest(JSON.dump(key_opts))
-      "#{cache_directory}/#{cache_key}.json"
+      "#{CACHE_DIRECTORY}/#{cache_key}.json"
     end
-    # Returns the options passed to SSO#get_role_credentials. This is used when the
-    # profile uses an SSO, rather than a key/secret. If the selected profile is
-    # not configured for SSO, returns nil.
-    def sso_get_role_options
-      aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
-      if aws_config_file_section["sso_start_url"]
-        profile_start_url = aws_config_file_section["sso_start_url"]
-        sso_access_token = nil
-        Dir["#{Dir.home}/.aws/sso/cache/*.json"].each do |path|
-          data = JSON.parse(File.read(path))
-          if data["startUrl"] && data["startUrl"] == profile_start_url
-            sso_access_token = data["accessToken"]
-            break
+    # For a given SSO start URL, return a valid access token from the cache. If
+    # no valid token is found, returns nil. An access token will only be
+    # considered valid if it has not expired.
+    def sso_get_cached_access_token(start_url)
+      Dir["#{Dir.home}/.aws/sso/cache/*.json"].each do |path|
+        data = JSON.parse(File.read(path))
+        if data["startUrl"] && data["startUrl"] == start_url
+          expiration = Time.parse(data["expiresAt"])
+          if expiration > Time.now
+            return data["accessToken"]
           end
         end
+      end
-        if !sso_access_token
-          puts "No SSO access token was found for this profile."
-          puts "Press RETURN to request a token in a web browser."
-          puts "You can do this manually with: 'aws sso login --profile #{OPTS[:profile]}'"
-          inp = $stdin.gets.chomp
-          `aws sso login --profile #{OPTS[:profile]}` if inp.empty?
-        end
+      nil
+    end
-        {
-          role_name: aws_config_file_section["sso_role_name"],
-          account_id: aws_config_file_section["sso_account_id"].to_s,
-          access_token: sso_access_token
-        }
+    # Returns the options passed to SSO#get_role_credentials. This is used when
+    # the profile uses an SSO, rather than a key/secret. If the selected
+    # profile is not configured for SSO, returns nil.
+    #
+    # `role_name` and `account_id` are values found in the config file for the
+    # given profile. `access_token` is a SSO token found in the SSO cache for
+    # the SSO start URL associated with the given profile.
+    def sso_get_role_options(profile_name)
+      aws_config_file = IniFile.load(AWS_CONFIG_FILE)
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
+      # The selected profile does not use SSO
+      return if !aws_config_file_section["sso_start_url"]
+      # Get the SSO start URL for the selected profile
+      profile_start_url = aws_config_file_section["sso_start_url"]
+      sso_access_token = sso_get_cached_access_token(profile_start_url)
+      # If a valid token wasn't found in the cache, prompt the user to fetch a
+      # new one.
+      if !sso_access_token
+        puts
+        puts "No #{"access token".yellow} was found for this SSO start URL associated with this profile (#{profile_start_url.blue})."
+        puts "Press #{"RETURN".green} to request a new token. This will open a web browser."
+        puts "You can also do this manually with: 'aws sso login --profile #{profile_name}'".gray
+        puts
+        inp = $stdin.gets.chomp
+        `aws sso login --profile #{profile_name}` if inp.empty?
+        sso_access_token = sso_get_cached_access_token(profile_start_url)
+        puts "This #{"access token".yellow} is valid for all SSO profiles using #{profile_start_url.blue} as their start URL."
+        puts
       end
+      {
+        role_name: aws_config_file_section["sso_role_name"],
+        account_id: aws_config_file_section["sso_account_id"].to_s,
+        access_token: sso_access_token
+      }
     end
-    # Returns the options passed to AssumeRole. This is used when the profile uses
-    # a key/secret. If the selected profile is not configured for key/secret,
-    # returns nil.
-    def assume_role_options
+    # Returns the options passed to AssumeRole. This is used when the profile
+    # uses a key/secret. If the selected profile is not configured for
+    # key/secret, returns nil.
+    def assume_role_options(profile_name)
       aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
+      # Get the role ARN for the selected profile
       role_arn = aws_config_file_section["role_arn"]
+      # Extract some values from the ARN
       role_name = role_arn.split("role/")[1]
       account_id = role_arn.split(":")[4]
@@ -71,49 +110,85 @@ class PrxRubyAwsCreds
       }
     end
-    def get_and_cache_credentials
-      FileUtils.mkdir_p cache_directory
+    # Makes a request to some AWS API endpoint that can generate temporary IAM
+    # credentials (e.g., AssumeRole, GetRoleCredentials, etc) based on the
+    # configuration of the selected profile.
+    #
+    # Cache the resulting credentials in the CACHE_DIRECTORY. The file is named
+    # using a hash of the options passed to the endpoint.
+    def get_and_cache_credentials(profile_name)
+      # Make sure the cache directory exists
+      FileUtils.mkdir_p CACHE_DIRECTORY
       aws_config_file = IniFile.load(AWS_CONFIG_FILE)
-      aws_config_file_section = aws_config_file["profile #{OPTS[:profile]}"]
+      aws_config_file_section = aws_config_file["profile #{profile_name}"]
       if aws_config_file_section["sso_role_name"]
-        opts = sso_get_role_options
-        sso = Aws::SSO::Client.new(region: aws_config_file_section["region"])
+        # For SSO profiles, call GetRoleCredentials with a role, account, and
+        # access token to get back a set of temporary credentials.
+        # https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html
+        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SSO/Client.html#get_role_credentials-instance_method
+        opts = sso_get_role_options(profile_name)
+        sso = Aws::SSO::Client.new(region: aws_config_file_section["sso_region"])
         credentials = sso.get_role_credentials(opts)
+        # Cache the credentials. The structure of this file doesn't exactly
+        # match what native libraries (boto, etc) use. Instead, it matches the
+        # default output of assume_role. It could be anything, it just needs
+        # to be consistent across profile types, and match what
+        # load_and_verify_cached_credentials expects.
         File.write(cache_key_path(opts), JSON.dump({"credentials" => {
           "access_key_id" => credentials.role_credentials.access_key_id,
           "secret_access_key" => credentials.role_credentials.secret_access_key,
           "session_token" => credentials.role_credentials.session_token
         }}))
+        # Return the temporary IAM credentials
         Aws::Credentials.new(credentials.role_credentials.access_key_id, credentials.role_credentials.secret_access_key, credentials.role_credentials.session_token)
       elsif aws_config_file_section["mfa_serial"]
+        # For profiles using an API key with an MFA token, get the serial
+        # number of the MFA device associated with the profile.
         mfa_serial = aws_config_file_section["mfa_serial"]
+        # Prompt the user for the current TOTP code associated with the MFA
+        # device.
         mfa_code = $stdin.getpass("Enter MFA code for #{mfa_serial}: ")
-        credentials = Aws.shared_config.assume_role_credentials_from_config(profile: OPTS[:profile], token_code: mfa_code.chomp)
-        sts = Aws::STS::Client.new(
-          region: "us-east-1",
-          credentials: credentials
-        )
+        # Get a set of credentials for the role configured in the profile using
+        # the TOTP code. I don't remember why, but I don't think these
+        # credentials should be used for anything other than making another
+        # call to assume_role. Don't cache or return these credentials.
+        # Note: This is marked as a private API
+        credentials = Aws.shared_config.assume_role_credentials_from_config(profile: profile_name, token_code: mfa_code.chomp)
+        sts = Aws::STS::Client.new(region: "us-east-1", credentials: credentials)
+        # Make a call to get_caller_identity to ensure that the first set of
+        # credentials are valid?
         _id = sts.get_caller_identity
+        # Make a regular assume_role call to get standard temporary IAM
+        # credentials.
         opts = assume_role_options
-        cacheable_role = sts.assume_role(assume_role_options)
+        cacheable_role = sts.assume_role(opts)
         File.write(cache_key_path(opts), JSON.dump(cacheable_role.to_h))
+        # Return the temporary IAM credentials
         Aws::Credentials.new(cacheable_role["credentials"]["access_key_id"], cacheable_role["credentials"]["secret_access_key"], cacheable_role["credentials"]["session_token"])
       end
     rescue Aws::SSO::Errors::UnauthorizedException
-      raise "The SSO access token for this profile is invalid. Run 'aws sso login --profile #{OPTS[:profile]}' to fetch a valid token."
+      raise "The SSO access token for this profile is invalid. Run 'aws sso login --profile #{profile_name}' to fetch a valid token."
     end
-    def load_and_verify_cached_credentials
+    # For the selected profile, look for a set of cached temporary IAM
+    # credentials. These are vanilla IAM credentials that look the same
+    # regardless of what type of profile is selected (SSO, MFA, etc).
+    #
+    # If no cached credential exist for the profile, or if the credentials are
+    # invalid (i.e., can't successfully call get_caller_identity), a new set
+    # of credentials will be fetched and cached.
+    def load_and_verify_cached_credentials(profile_name)
       # Look up the cache file based on the options for the seleted profile.
-      options = sso_get_role_options || assume_role_options
+      options = sso_get_role_options(profile_name) || assume_role_options(profile_name)
       cached_role_json = File.read(cache_key_path(options))
       cached_role = JSON.parse(cached_role_json)
@@ -127,18 +202,20 @@ class PrxRubyAwsCreds
       credentials
     rescue Aws::STS::Errors::ExpiredToken
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     rescue Aws::STS::Errors::InvalidClientTokenId
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     rescue Errno::ENOENT
-      get_and_cache_credentials
+      get_and_cache_credentials(profile_name)
     end
-    # Returns temporary client credentials for the profile selected with --profile
-    # when the command was run.
-    def client_credentials
+    # Returns temporary IAM client (Aws::Credentials) credentials for a given
+    # profile.
+    def client_credentials(profile_name = nil)
+      profile_name ||= OPTS[:profile]
       # For the selected profile, get the appropriate set of options.
-      options = sso_get_role_options || assume_role_options
+      options = sso_get_role_options(profile_name) || assume_role_options(profile_name)
       return if !options
@@ -146,11 +223,11 @@ class PrxRubyAwsCreds
       if !File.file?(cache_key_path(options))
         # When no cache exists for these options, fetch new credentials, cache them
         # and return them.
-        get_and_cache_credentials
+        get_and_cache_credentials(profile_name)
       else
         # When there is a cache for these options, return them if they are still
         # valid, otherwise refresh them and return the new credentials.
-        load_and_verify_cached_credentials
+        load_and_verify_cached_credentials(profile_name)
       end
     end
   end

metadata CHANGED Viewed

@@ -1,15 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: prx-ruby-aws-creds
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Christopher Kalafarski
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-04 00:00:00.000000000 Z
-dependencies: []
+date: 2023-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-sso
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-sts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: tktk
 email: chris.kalafarski@prx.org
 executables: []