simplygenius-atmos 0.7.1 → 0.8.0

data/lib/atmos/ipc_actions/ping.rb

@@ -1,19 +0,0 @@
-require_relative '../../atmos'
-require 'open3'
-require 'os'
-
-module Atmos
-  module IpcActions
-    class Ping
-      include GemLogger::LoggerSupport
-
-      def initialize()
-      end
-
-      def execute(**opts)
-        return opts.merge(action: 'pong')
-      end
-
-    end
-  end
-end

data/lib/atmos/logging.rb

@@ -1,160 +0,0 @@
-require 'logging'
-require 'gem_logger'
-require 'rainbow'
-require 'delegate'
-
-module Atmos
-  module Logging
-
-    module GemLoggerConcern
-      extend ActiveSupport::Concern
-
-      def logger
-        ::Logging.logger[self.class]
-      end
-
-      module ClassMethods
-        def logger
-          ::Logging.logger[self]
-        end
-      end
-    end
-
-    class CaptureStream < SimpleDelegator
-
-      def initialize(logger_name, appender, stream, color=nil)
-        super(stream)
-        @color = stream.tty? && color ? color : nil
-        @logger = ::Logging.logger[logger_name]
-        @logger.appenders = [appender]
-        @logger.additive = false
-      end
-
-      def strip_color(str)
-        str.gsub(/\e\[\d+m/, '')
-      end
-
-      def write(data)
-        @logger.info(strip_color(data))
-        if @color
-          count = 0
-          d = data.lines.each do |l|
-            cl = Kernel.send(:Rainbow, l).send(@color)
-            count += super(cl)
-          end
-          return count
-        else
-          return super(data)
-        end
-      end
-    end
-
-    def self.init_logger
-      return if @initialized
-      @initialized = true
-
-      ::Logging.format_as :inspect
-      ::Logging.backtrace true
-
-      ::Logging.color_scheme(
-          'bright',
-          lines: {
-              debug: :green,
-              info: :default,
-              warn: :yellow,
-              error: :red,
-              fatal: [:white, :on_red]
-          },
-          date: :blue,
-          logger: :cyan,
-          message: :magenta
-      )
-
-      ::Logging.logger.root.level = :info
-      GemLogger.configure do |config|
-        config.default_logger = ::Logging.logger.root
-        config.logger_concern = Atmos::Logging::GemLoggerConcern
-      end
-    end
-
-
-    def self.testing
-      @t
-    end
-
-    def self.testing=(t)
-      @t = t
-    end
-
-    def self.sio
-      ::Logging.logger.root.appenders.find {|a| a.name == 'sio' }
-    end
-
-    def self.contents
-      sio.try(:sio).try(:to_s)
-    end
-
-    def self.clear
-      sio.try(:clear)
-    end
-
-    def self.setup_logging(debug, color, logfile)
-      init_logger
-
-      ::Logging.logger.root.level = debug ? :debug : :info
-      appenders = []
-      detail_pattern = '[%d] %-5l %c{2} %m\n'
-      plain_pattern = '%m\n'
-
-      pattern_options = {
-          pattern: plain_pattern
-      }
-      if color
-        pattern_options[:color_scheme] = 'bright'
-      end
-
-      if self.testing
-
-        appender = ::Logging.appenders.string_io(
-            'sio',
-            layout: ::Logging.layouts.pattern(pattern_options)
-        )
-        appenders << appender
-
-      else
-
-        appender = ::Logging.appenders.stdout(
-            'stdout',
-            layout: ::Logging.layouts.pattern(pattern_options)
-        )
-        appenders << appender
-
-      end
-
-      # Do this after setting up stdout appender so we don't duplicate output
-      # to stdout with our capture
-      if logfile.present?
-
-        appender = ::Logging.appenders.file(
-            logfile,
-            truncate: true,
-            layout: ::Logging.layouts.pattern(pattern: detail_pattern)
-        )
-        appenders << appender
-
-        if ! $stdout.is_a? CaptureStream
-          $stdout = CaptureStream.new("stdout", appender, $stdout)
-          $stderr = CaptureStream.new("stderr", appender, $stderr, :red)
-          silence_warnings {
-            Object.const_set(:STDOUT, $stdout)
-            Object.const_set(:STDERR, $stderr)
-          }
-        end
-
-      end
-
-      ::Logging.logger.root.appenders = appenders
-    end
-
-  end
-end

data/lib/atmos/otp.rb

@@ -1,61 +0,0 @@
-require_relative '../atmos'
-require 'singleton'
-require 'rotp'
-
-module Atmos
-
-  class Otp
-    include Singleton
-    include GemLogger::LoggerSupport
-
-    def initialize
-      @secret_file = Atmos.config["otp.secret_file"] || "~/.atmos.yml"
-      @secret_file = File.expand_path(@secret_file)
-      yml_hash = YAML.load_file(@secret_file) rescue Hash.new
-      @secret_store = SettingsHash.new(yml_hash)
-      @secret_store[Atmos.config[:org]] ||= {}
-      @secret_store[Atmos.config[:org]][:otp] ||= {}
-      @scoped_secret_store = @secret_store[Atmos.config[:org]][:otp]
-    end
-
-    def add(name, secret)
-      old = @scoped_secret_store[name]
-      logger.info "Replacing OTP secret #{name}=#{old}" if old
-      @scoped_secret_store[name] = secret
-    end
-
-    def remove(name)
-      old = @scoped_secret_store.delete(name)
-      @otp.try(:delete, name)
-      logger.info "Removed OTP secret #{name}=#{old}" if old
-    end
-
-    def save
-      File.write(@secret_file, YAML.dump(@secret_store.to_hash))
-      File.chmod(0600, @secret_file)
-    end
-
-    def generate(name)
-      otp(name).try(:now)
-    end
-
-    private
-
-    def otp(name)
-      @otp ||= {}
-      @otp[name] ||= begin
-        secret =  @scoped_secret_store[name]
-        totp = nil
-        if secret
-          totp = ROTP::TOTP.new(secret)
-        else
-          logger.debug "OTP secret does not exist for '#{name}'"
-        end
-        totp
-      end
-    end
-
-  end
-
-end
-

data/lib/atmos/provider_factory.rb

@@ -1,19 +0,0 @@
-require_relative '../atmos'
-
-module Atmos
-  class ProviderFactory
-    include GemLogger::LoggerSupport
-
-    def self.get(name)
-      @provider ||= begin
-        logger.debug("Loading provider: #{name}")
-        require "atmos/providers/#{name}/provider"
-        provider = "Atmos::Providers::#{name.camelize}::Provider".constantize
-        logger.debug("Loaded provider #{provider}")
-        provider.new(name)
-      end
-      return @provider
-    end
-
-  end
-end

data/lib/atmos/providers/aws/account_manager.rb

@@ -1,82 +0,0 @@
-require_relative '../../../atmos'
-require 'aws-sdk-organizations'
-
-module Atmos
-  module Providers
-    module Aws
-
-      class AccountManager
-        include GemLogger::LoggerSupport
-        include FileUtils
-
-        def initialize(provider)
-          @provider = provider
-        end
-
-        def create_account(env, name: nil, email: nil)
-          result = {}
-          org = ::Aws::Organizations::Client.new
-          resp = nil
-          name ||= "Atmos #{env} account"
-
-          begin
-            logger.info "Looking up organization"
-            resp = org.describe_organization()
-            logger.debug "Described organization: #{resp.to_h}"
-          rescue ::Aws::Organizations::Errors::AWSOrganizationsNotInUseException
-            logger.info "Organization doesn't exist, creating"
-            resp = org.create_organization()
-            logger.debug "Created organization: #{resp.to_h}"
-          end
-
-          if email.blank?
-            master_email = resp.organization.master_account_email
-            email = master_email.sub('@', "+#{env}@")
-          end
-          result[:email] = email
-          result[:name] = name
-
-
-          begin
-            logger.info "Creating account named #{name}"
-            resp = org.create_account(account_name: name, email: email)
-          rescue ::Aws::Organizations::Errors::FinalizingOrganizationException
-            logger.info "Waiting to retry account creation as the organization needs to finalize"
-            logger.info "This will eventually succeed after receiving a"
-            logger.info "'Consolidated Billing verification' email from AWS"
-            logger.info "You can leave this running or cancel and restart later."
-            sleep 60
-            retry
-          end
-
-          logger.debug "Created account: #{resp.to_h}"
-
-          status_id = resp.create_account_status.id
-          status = resp.create_account_status.state
-          account_id = resp.create_account_status.account_id
-
-          while status =~ /in_progress/i
-            logger.info "Waiting for account creation to complete, status: #{status}"
-            resp = org.describe_create_account_status(create_account_request_id: status_id)
-            logger.debug("Account creation status check: #{resp.to_h}")
-            status = resp.create_account_status.state
-            account_id = resp.create_account_status.account_id
-            sleep 5
-          end
-
-          if status =~ /failed/i
-            logger.error "Failed to create account: #{resp.create_account_status.failure_reason}"
-            exit(1)
-          end
-
-          result[:account_id] = account_id
-
-          return result
-        end
-
-      end
-
-    end
-  end
-end
-

data/lib/atmos/providers/aws/auth_manager.rb

@@ -1,208 +0,0 @@
-require_relative '../../../atmos'
-require_relative '../../../atmos/utils'
-require_relative '../../../atmos/ui'
-require_relative '../../../atmos/otp'
-require 'aws-sdk-core'
-require 'aws-sdk-iam'
-require 'json'
-
-module Atmos
-  module Providers
-    module Aws
-
-      class AuthManager
-        include GemLogger::LoggerSupport
-        include FileUtils
-        include Atmos::UI
-
-        def initialize(provider)
-          @provider = provider
-        end
-
-        def authenticate(system_env, **opts, &block)
-
-          profile = system_env['AWS_PROFILE']
-          key = system_env['AWS_ACCESS_KEY_ID']
-          secret = system_env['AWS_SECRET_ACCESS_KEY']
-          if profile.blank? && (key.blank? || secret.blank?)
-            logger.warn("An aws profile or key/secret should be supplied via the environment")
-          end
-
-          # Handle bootstrapping a new env account.  Newly created organization
-          # accounts only have the default role that can only be assumed by an
-          # iam user, so use that as the target for assume_role, and the root
-          # check below will ensure iam user
-          assume_role_name = nil
-          if opts[:bootstrap] && Atmos.config.atmos_env != 'ops'
-            # TODO: do this hack better
-            assume_role_name = Atmos.config["auth.bootstrap_assume_role_name"]
-          else
-            assume_role_name = opts[:role] || Atmos.config["auth.assume_role_name"]
-          end
-          account_id = Atmos.config.account_hash[Atmos.config.atmos_env].to_s
-          role_arn = "arn:aws:iam::#{account_id}:role/#{assume_role_name}"
-
-          user_name = nil
-          begin
-            sts = ::Aws::STS::Client.new
-            resp = sts.get_caller_identity
-            arn_pieces = resp.arn.split(":")
-            user_name = arn_pieces.last.split("/").last
-
-            # root credentials can't assume role, but they should have full
-            # access for the current account, so proceed (e.g. for bootstrap).
-            if arn_pieces.last == "root"
-
-              # We check the account of the caller to prevent root user of ops
-              # account from bootstrapping an env account, but still allow a
-              # root user of the env account itself to be able to bootstrap
-              # (i.e. to allow not organizational accounts to bootstrap using
-              # their root user)
-              if arn_pieces[-2] != account_id
-                logger.error <<~EOF
-                  Account doesn't match credentials.  Bootstrapping a new
-                  account should be done as an iam user from the ops account or
-                  using credentials for a root user of the env account.
-                EOF
-                exit(1)
-              end
-
-              # Should only use root credentials for  bootstrap, and thus we
-              # won't have role requirement for mfa, etc, even if root account
-              # uses mfa for login.  Thus skip all the other stuff, to
-              # encourage/force use of non-root accounts for normal use
-              logger.warn("Using aws root credentials - should only be neccessary for bootstrap")
-              return block.call(Hash[system_env])
-            end
-
-          rescue ::Aws::STS::Errors::ServiceError => e
-            logger.error "Could not discover aws credentials"
-            exit(1)
-          end
-
-          auth_needed = true
-          cache_key = "#{user_name}-#{assume_role_name}"
-          credentials = read_auth_cache[cache_key]
-
-          if credentials.present?
-            logger.debug("Session cache present, checking expiration...")
-            expiration = Time.parse(credentials['expiration'])
-            session_renew_interval = (session_duration / 4).to_i
-
-            if Time.now > expiration
-              logger.debug "Session cache is expired, performing normal auth"
-              auth_needed = true
-            elsif Time.now > (expiration - session_renew_interval)
-              begin
-                logger.info "Session approaching expiration, renewing..."
-                credentials = assume_role(role_arn, credentials: credentials)
-                auth_needed = false
-              rescue => e
-                logger.info "Failed to renew credentials using session cache, reason: #{e.message}"
-                auth_needed = true
-              end
-            else
-              logger.debug "Session cache is current, skipping auth"
-              auth_needed = false
-            end
-          end
-
-          if auth_needed
-            begin
-              logger.info "No active session cache, authenticating..."
-
-              credentials = assume_role(role_arn)
-              write_auth_cache(cache_key => credentials)
-
-            rescue ::Aws::STS::Errors::AccessDenied => e
-              if e.message !~ /explicit deny/
-                logger.debug "Access Denied, reason: #{e.message}"
-              end
-
-              logger.info "Normal auth failed, checking for mfa"
-
-              iam = ::Aws::IAM::Client.new
-              response = iam.list_mfa_devices(user_name: user_name)
-              mfa_serial = response.mfa_devices.first.try(:serial_number)
-              token = nil
-              if mfa_serial.present?
-
-                token = Atmos::Otp.instance.generate(user_name)
-                if token.nil?
-                  token = ask("Enter token to retry with mfa: ")
-                else
-                  logger.info "Used integrated atmos mfa to generate token"
-                end
-
-                if token.blank?
-                  logger.error "A MFA token must be supplied"
-                  exit(1)
-                end
-
-              else
-                logger.error "MFA is not setup for your account, retry after doing so"
-                exit(1)
-              end
-
-              credentials = assume_role(role_arn, serial_number: mfa_serial, token_code: token)
-              write_auth_cache(cache_key => credentials)
-
-            end
-          end
-
-          process_env = {}
-          process_env['AWS_ACCESS_KEY_ID'] = credentials['access_key_id']
-          process_env['AWS_SECRET_ACCESS_KEY'] = credentials['secret_access_key']
-          process_env['AWS_SESSION_TOKEN'] = credentials['session_token']
-          logger.debug("Calling authentication target with env: #{process_env.inspect}")
-          block.call(Hash[system_env].merge(process_env))
-        end
-
-        private
-
-        def session_duration
-          @session_duration ||= (Atmos.config["auth.session_duration"] || 3600).to_i
-        end
-
-        def assume_role(role_arn, **opts)
-          # use Aws::AssumeRoleCredentials ?
-          if opts[:credentials]
-            c = opts.delete(:credentials)
-            creds = ::Aws::Credentials.new(
-                c[:access_key_id], c[:secret_access_key], c[:session_token]
-            )
-            client_opts = {credentials: creds}
-          else
-            client_opts = {}
-          end
-          sts = ::Aws::STS::Client.new(client_opts)
-          params = {
-              duration_seconds: session_duration,
-              role_session_name: "Atmos",
-              role_arn: role_arn
-          }.merge(opts)
-          logger.debug("Assuming role: #{params}")
-          resp = sts.assume_role(params)
-          return Atmos::Utils::SymbolizedMash.new(resp.credentials.to_h)
-        end
-
-        def auth_cache_file
-          File.join(Atmos.config.auth_cache_dir, 'aws-assume-role.json')
-        end
-
-        def write_auth_cache(h)
-          File.open(auth_cache_file, 'w') do |f|
-            f.puts(JSON.pretty_generate(h))
-          end
-        end
-
-        def read_auth_cache
-          data = JSON.parse(File.read(auth_cache_file)) rescue {}
-          Atmos::Utils::SymbolizedMash.new(data)
-        end
-
-      end
-
-    end
-  end
-end