simplygenius-atmos 0.7.1 → 0.8.0

data/lib/simplygenius/atmos/plugin_manager.rb

@@ -0,0 +1,120 @@
+require_relative '../atmos'
+require_relative 'plugin'
+require 'set'
+
+module SimplyGenius
+  module Atmos
+
+    class PluginManager
+      include GemLogger::LoggerSupport
+
+      attr_reader :plugins
+
+      def initialize(plugins)
+        @plugins = []
+        Array(plugins).each do |plugin|
+          if plugin.is_a?(String)
+            name = plugin
+            plugin = SettingsHash.new
+            plugin[:name] = name
+          elsif plugin.is_a?(Hash)
+            plugin = SettingsHash.new(plugin)
+            if plugin[:name].blank?
+              logger.error "Invalid plugin definition, :name missing: #{plugin}"
+              next
+            end
+          else
+            logger.error "Invalid plugin definition: #{plugin}"
+            next
+          end
+          @plugins << plugin
+        end
+
+        @plugin_classes = Set.new
+        @plugin_instances = []
+        @output_filters = {}
+      end
+
+      def load_plugins
+        @plugins.each do |plugin|
+          load_plugin(plugin)
+
+          # Check for new plugin classes after each plugin load so that we can
+          # initialize them with their own config hash
+          Plugin.descendants.each do |plugin_class|
+            begin
+              if ! @plugin_classes.include?(plugin_class)
+                @plugin_classes << plugin_class
+                @plugin_instances << plugin_class.new(plugin)
+              end
+            rescue StandardError => e
+              logger.log_exception e, "Failed to initialize plugin: #{plugin_class}"
+            end
+          end
+        end
+      end
+
+      def load_plugin(plugin)
+        begin
+          name = plugin[:name]
+          require_name = plugin[:require] || name.gsub('-', '/')
+          logger.debug("Loading plugin #{name} as #{require_name}")
+          require require_name
+        rescue LoadError, StandardError => e
+          logger.log_exception e, "Failed to load atmos plugin: #{name} - #{e.message}"
+        end
+      end
+
+      def validate_output_filter_type(type)
+        raise "Invalid output filter type #{type}, must be one of [:stdout, :stderr]" unless [:stdout, :stderr].include?(type)
+      end
+
+      def register_output_filter(type, clazz)
+        validate_output_filter_type(type)
+        @output_filters[type.to_sym] ||= []
+        @output_filters[type.to_sym] << clazz
+      end
+
+      def output_filters(type, context)
+        validate_output_filter_type(type)
+        @output_filters[type.to_sym] ||= []
+        return OutputFilterCollection.new(@output_filters[type.to_sym].collect {|clazz| clazz.new(context) })
+      end
+
+      class OutputFilterCollection
+        include GemLogger::LoggerSupport
+
+        attr_accessor :filters
+
+        def initialize(filters)
+          @filters = filters
+        end
+
+        def filter_block
+          return Proc.new do |data|
+            @filters.inject(data) do |memo, obj|
+              begin
+                obj.filter(memo)
+              rescue StandardError => e
+                logger.log_exception e, "Output filter failed during filter: #{obj.class}"
+                memo
+              end
+            end
+          end
+        end
+
+        def close
+          @filters.each do |f|
+            begin
+              f.close
+            rescue StandardError => e
+              logger.log_exception e, "Output filter failed during close: #{f.class}"
+            end
+          end
+        end
+
+      end
+    end
+
+  end
+end

data/lib/simplygenius/atmos/plugins/output_filter.rb

@@ -0,0 +1,29 @@
+require_relative '../../atmos'
+require_relative '../../atmos/ui'
+
+module SimplyGenius
+  module Atmos
+    module Plugins
+
+      class OutputFilter
+        include GemLogger::LoggerSupport
+        include UI
+
+        attr_reader :context
+
+        def initialize(context)
+          @context = context
+        end
+
+        def filter(data)
+          raise "not implemented"
+        end
+
+        def close
+        end
+
+      end
+
+    end
+  end
+end

data/lib/simplygenius/atmos/plugins/prompt_notify.rb

@@ -0,0 +1,21 @@
+require_relative '../../atmos'
+require_relative 'output_filter'
+
+module SimplyGenius
+  module Atmos
+    module Plugins
+
+      class PromptNotify < OutputFilter
+
+        def filter(data)
+          if data =~ /^[\e\[\dm\s]*Enter a value:[\e\[\dm\s]*$/
+            notify(message: "Terraform is waiting for user input")
+          end
+          data
+        end
+
+      end
+
+    end
+  end
+end

data/lib/simplygenius/atmos/provider_factory.rb

@@ -0,0 +1,23 @@
+require_relative '../atmos'
+
+module SimplyGenius
+  module Atmos
+
+    class ProviderFactory
+      include GemLogger::LoggerSupport
+
+      def self.get(name)
+        @provider ||= begin
+          logger.debug("Loading provider: #{name}")
+          require "simplygenius/atmos/providers/#{name}/provider"
+          provider = "SimplyGenius::Atmos::Providers::#{name.camelize}::Provider".constantize
+          logger.debug("Loaded provider #{provider}")
+          provider.new(name)
+        end
+        return @provider
+      end
+
+    end
+
+  end
+end

data/lib/simplygenius/atmos/providers/aws/account_manager.rb

@@ -0,0 +1,83 @@
+require_relative '../../../atmos'
+require 'aws-sdk-organizations'
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class AccountManager
+          include GemLogger::LoggerSupport
+          include FileUtils
+
+          def initialize(provider)
+            @provider = provider
+          end
+
+          def create_account(env, name: nil, email: nil)
+            result = {}
+            org = ::Aws::Organizations::Client.new
+            resp = nil
+            name ||= "Atmos #{env} account"
+
+            begin
+              logger.info "Looking up organization"
+              resp = org.describe_organization()
+              logger.debug "Described organization: #{resp.to_h}"
+            rescue ::Aws::Organizations::Errors::AWSOrganizationsNotInUseException
+              logger.info "Organization doesn't exist, creating"
+              resp = org.create_organization()
+              logger.debug "Created organization: #{resp.to_h}"
+            end
+
+            if email.blank?
+              master_email = resp.organization.master_account_email
+              email = master_email.sub('@', "+#{env}@")
+            end
+            result[:email] = email
+            result[:name] = name
+
+
+            begin
+              logger.info "Creating account named #{name}"
+              resp = org.create_account(account_name: name, email: email)
+            rescue ::Aws::Organizations::Errors::FinalizingOrganizationException
+              logger.info "Waiting to retry account creation as the organization needs to finalize"
+              logger.info "This will eventually succeed after receiving a"
+              logger.info "'Consolidated Billing verification' email from AWS"
+              logger.info "You can leave this running or cancel and restart later."
+              sleep 60
+              retry
+            end
+
+            logger.debug "Created account: #{resp.to_h}"
+
+            status_id = resp.create_account_status.id
+            status = resp.create_account_status.state
+            account_id = resp.create_account_status.account_id
+
+            while status =~ /in_progress/i
+              logger.info "Waiting for account creation to complete, status: #{status}"
+              resp = org.describe_create_account_status(create_account_request_id: status_id)
+              logger.debug("Account creation status check: #{resp.to_h}")
+              status = resp.create_account_status.state
+              account_id = resp.create_account_status.account_id
+              sleep 5
+            end
+
+            if status =~ /failed/i
+              logger.error "Failed to create account: #{resp.create_account_status.failure_reason}"
+              exit(1)
+            end
+
+            result[:account_id] = account_id
+
+            return result
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/simplygenius/atmos/providers/aws/auth_manager.rb

@@ -0,0 +1,220 @@
+require_relative '../../../atmos'
+require_relative '../../../atmos/utils'
+require_relative '../../../atmos/ui'
+require_relative '../../../atmos/otp'
+require 'aws-sdk-core'
+require 'aws-sdk-iam'
+require 'json'
+
+module SimplyGenius
+  module Atmos
+    module Providers
+      module Aws
+
+        class AuthManager
+          include GemLogger::LoggerSupport
+          include FileUtils
+          include UI
+
+          def initialize(provider)
+            @provider = provider
+          end
+
+          def authenticate(system_env, **opts, &block)
+
+            profile = system_env['AWS_PROFILE']
+            key = system_env['AWS_ACCESS_KEY_ID']
+            secret = system_env['AWS_SECRET_ACCESS_KEY']
+            if profile.blank? && (key.blank? || secret.blank?)
+              logger.warn("An aws profile or key/secret should be supplied via the environment")
+            end
+
+            # Handle bootstrapping a new env account.  Newly created organization
+            # accounts only have the default role that can only be assumed by an
+            # iam user, so use that as the target for assume_role, and the root
+            # check below will ensure iam user
+            assume_role_name = nil
+            if opts[:bootstrap] && Atmos.config.atmos_env != 'ops'
+              # TODO: do this hack better
+              assume_role_name = Atmos.config["auth.bootstrap_assume_role_name"]
+            else
+              assume_role_name = opts[:role] || Atmos.config["auth.assume_role_name"]
+            end
+            account_id = Atmos.config.account_hash[Atmos.config.atmos_env].to_s
+            role_arn = "arn:aws:iam::#{account_id}:role/#{assume_role_name}"
+
+            user_name = nil
+            begin
+              sts = ::Aws::STS::Client.new
+              resp = sts.get_caller_identity
+              arn_pieces = resp.arn.split(":")
+              user_name = arn_pieces.last.split("/").last
+
+              # root credentials can't assume role, but they should have full
+              # access for the current account, so proceed (e.g. for bootstrap).
+              if arn_pieces.last == "root"
+
+                # We check the account of the caller to prevent root user of ops
+                # account from bootstrapping an env account, but still allow a
+                # root user of the env account itself to be able to bootstrap
+                # (i.e. to allow not organizational accounts to bootstrap using
+                # their root user)
+                if arn_pieces[-2] != account_id
+                  logger.error <<~EOF
+                    Account doesn't match credentials.  Bootstrapping a new
+                    account should be done as an iam user from the ops account or
+                    using credentials for a root user of the env account.
+                  EOF
+                  exit(1)
+                end
+
+                # Should only use root credentials for  bootstrap, and thus we
+                # won't have role requirement for mfa, etc, even if root account
+                # uses mfa for login.  Thus skip all the other stuff, to
+                # encourage/force use of non-root accounts for normal use
+                logger.warn("Using aws root credentials - should only be neccessary for bootstrap")
+                return block.call(Hash[system_env])
+              end
+
+            rescue ::Aws::STS::Errors::ServiceError => e
+              logger.error "Could not discover aws credentials"
+              exit(1)
+            end
+
+            auth_needed = true
+            cache_key = "#{user_name}-#{assume_role_name}"
+            credentials = read_auth_cache[cache_key]
+
+            if credentials.present?
+              logger.debug("Session cache present, checking expiration...")
+              expiration = Time.parse(credentials['expiration'])
+              session_renew_interval = (session_duration / 4).to_i
+
+              if Time.now > expiration
+                logger.debug "Session cache is expired, performing normal auth"
+                auth_needed = true
+              elsif Time.now > (expiration - session_renew_interval)
+                begin
+                  # TODO: investigate making all info a warn so we don't pollute stdout for shell scripts
+                  logger.info "Session approaching expiration, renewing..."
+                  credentials = assume_role(role_arn, credentials: credentials, user_name: user_name)
+                  write_auth_cache(cache_key => credentials)
+                  auth_needed = false
+                rescue => e
+                  logger.info "Failed to renew credentials using session cache, reason: #{e.message}"
+                  auth_needed = true
+                end
+              else
+                logger.debug "Session cache is current, skipping auth"
+                auth_needed = false
+              end
+            end
+
+            if auth_needed
+              begin
+                logger.info "No active session cache, authenticating..."
+
+                credentials = assume_role(role_arn, user_name: user_name)
+                write_auth_cache(cache_key => credentials)
+
+              rescue ::Aws::STS::Errors::AccessDenied => e
+                if e.message !~ /explicit deny/
+                  logger.debug "Access Denied, reason: #{e.message}"
+                end
+
+                logger.info "Normal auth failed, checking for mfa"
+
+                iam = ::Aws::IAM::Client.new
+                response = iam.list_mfa_devices(user_name: user_name)
+                mfa_serial = response.mfa_devices.first.try(:serial_number)
+                token = nil
+                if mfa_serial.present?
+
+                  token = Otp.instance.generate(user_name)
+                  if token.nil?
+                    token = ask("Enter token to retry with mfa: ")
+                  else
+                    logger.info "Used integrated atmos mfa to generate token"
+                  end
+
+                  if token.blank?
+                    logger.error "A MFA token must be supplied"
+                    exit(1)
+                  end
+
+                else
+                  logger.error "MFA is not setup for your account, retry after doing so"
+                  exit(1)
+                end
+
+                credentials = assume_role(role_arn, serial_number: mfa_serial, token_code: token, user_name: user_name)
+                write_auth_cache(cache_key => credentials)
+
+              end
+            end
+
+            process_env = {}
+            process_env['AWS_ACCESS_KEY_ID'] = credentials['access_key_id']
+            process_env['AWS_SECRET_ACCESS_KEY'] = credentials['secret_access_key']
+            process_env['AWS_SESSION_TOKEN'] = credentials['session_token']
+            logger.debug("Calling authentication target with env: #{process_env.inspect}")
+            block.call(Hash[system_env].merge(process_env))
+          end
+
+          private
+
+          def session_duration
+            @session_duration ||= (Atmos.config["auth.session_duration"] || 3600).to_i
+          end
+
+          def assume_role(role_arn, **opts)
+            # use Aws::AssumeRoleCredentials ?
+            if opts[:credentials]
+              c = opts.delete(:credentials)
+              creds = ::Aws::Credentials.new(
+                  c[:access_key_id], c[:secret_access_key], c[:session_token]
+              )
+              client_opts = {credentials: creds}
+            else
+              client_opts = {}
+            end
+
+            user_name = opts.delete(:user_name)
+            if user_name
+              session_name = "Atmos-#{user_name}"
+            else
+              session_name = "Atmos"
+            end
+
+            sts = ::Aws::STS::Client.new(client_opts)
+            params = {
+                duration_seconds: session_duration,
+                role_session_name: session_name,
+                role_arn: role_arn
+            }.merge(opts)
+            logger.debug("Assuming role: #{params}")
+            resp = sts.assume_role(params)
+            return Utils::SymbolizedMash.new(resp.credentials.to_h)
+          end
+
+          def auth_cache_file
+            File.join(Atmos.config.auth_cache_dir, 'aws-assume-role.json')
+          end
+
+          def write_auth_cache(h)
+            File.open(auth_cache_file, 'w') do |f|
+              f.puts(JSON.pretty_generate(h))
+            end
+          end
+
+          def read_auth_cache
+            data = JSON.parse(File.read(auth_cache_file)) rescue {}
+            Utils::SymbolizedMash.new(data)
+          end
+
+        end
+
+      end
+    end
+  end
+end