sty 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: be460e9dd95543a4956eddfaa6e45b8f1d8f9f89d74560bc769e23ad8284fd71
+  data.tar.gz: 0f6383f3d4913d6997420b78b6a30a9c266d029a45b2539c2fee6fa0c33aba77
+SHA512:
+  metadata.gz: 1a6cab7166156c2be6e4f4ca0e7c66fe34687ec30b738ad4b35cf229f04852540fcc29bd2488f583e09a666c3f837bad12c1eb01c7c12c065ce282dce53e4d90
+  data.tar.gz: 67468b0793e2073b989d91d20d4e0e81e067b3e7cc9429bed8cb67de829e2161ce9cc0c898a9c97141dee04d9200e910bda0e6f8aa0d27bb902e0d19e8ce4400

data/.document

@@ -0,0 +1,2 @@
+lib/*.rb
+lib/**/*.rb

data/README.md

@@ -0,0 +1,5 @@
+# Sty
+[![Build Status](https://travis-ci.org/sozonnyk/sty.svg?branch=master)](https://travis-ci.org/sozonnyk/sty)
+
+<a title="Jean-Pol GRANDMONT [CC BY 3.0 (https://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons" href="https://commons.wikimedia.org/wiki/File:Fourneau_St-Michel_-_Porcherie_(Forri%C3%A8res).JPG">
+<img alt="Fourneau St-Michel - Porcherie (Forrières)" src="https://upload.wikimedia.org/wikipedia/commons/thumb/7/7c/Fourneau_St-Michel_-_Porcherie_%28Forri%C3%A8res%29.JPG/1024px-Fourneau_St-Michel_-_Porcherie_%28Forri%C3%A8res%29.JPG"></a>

data/auth-keys.yaml

@@ -0,0 +1,8 @@
+username:
+ssh-keys: keys
+accounts:
+  ga:
+    prod:
+      users:
+        key_id: 
+        secret_key: 

data/auth.yaml

@@ -0,0 +1,19 @@
+accounts:
+  ga:
+    prod:
+      users:
+        acc_id: 123
+      tools:
+        acc_id: 456
+        parent: ga/prod/users
+        role: abc
+      mgmt:
+        acc_id: 789
+        parent: ga/prod/users
+        role: cde
+      hub:
+        acc_id: 121
+        parent: ga/prod/users
+
+
+

data/bin/sty

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "$ZSH_VERSION" ] && [ -z "$BASH_VERSION" ]; then
+  echo "Your shell is neither bash nor zsh. Sty will not work."
+  exit 1
+fi
+
+if [[ $0 == "$BASH_SOURCE" ]]; then
+  export STY_SOURCE_RUN=false
+else
+  export STY_SOURCE_RUN=true
+fi
+
+result=`ruby -e "require 'sty'" $@`
+
+marker="#EVAL#"
+if [[ "$result" =~ $marker ]]; then
+  eval "$result"
+else
+  printf "$result\n"
+fi

data/ec2.yaml

@@ -0,0 +1,7 @@
+ga:
+  prod:
+    mgmt:
+      linux: sshjumphost.internal
+      windows: rdp-proxy.internal
+    tools: ga/prod/mgmt
+    test: ga/prod/mgmt

data/ext/install/Rakefile

@@ -0,0 +1,39 @@
+require 'rubygems'
+require 'fileutils'
+
+task default: ['install_script']
+
+task :install_script do
+
+  fail "Sty doesnt work on Windows" if Gem.win_platform?
+
+  # Create /usr/local/bin/sty
+  src = "#{Dir.pwd}/../../bin/sty"
+  dst = '/usr/local/bin/sty'
+
+  #TODO check if /usr/local/bin exists
+  begin
+    FileUtils.cp(src, dst)
+  rescue Errno::EPERM, Errno::EACCES => e
+    puts "No permission to create #{dst}, let's try with sudo."
+    `sudo cp #{src} #{dst}`
+  end
+
+  # Create ~/.sty
+  home = File.expand_path('~')
+  sty_home = "#{home}/.sty/"
+  FileUtils.mkdir_p(sty_home)
+  FileUtils.mkdir_p("#{sty_home}/auth-cache")
+
+  # Copy config file examples
+  yamls = Dir.glob("#{Dir.pwd}/../../*.yaml")
+  dest_yamls = Dir.glob("#{sty_home}/*.yaml").map{|f| File.basename(f)}
+
+  yamls.reject! do |y|
+    dest_yamls.include?(File.basename(y))
+  end
+
+  FileUtils.cp(yamls, sty_home)
+
+  puts "All done"
+end

data/lib/sty.rb

@@ -0,0 +1,7 @@
+trap "INT" do
+  $stderr.reopen(IO::NULL)
+  $stdout.reopen(IO::NULL)
+  exit 1
+end
+
+require_relative 'sty/cli'

data/lib/sty/account.rb

@@ -0,0 +1,18 @@
+require_relative 'functions'
+
+class Account
+
+  def self.from_fqn(fqn)
+
+  end
+
+  def self.from_path(path)
+
+  end
+
+  def initialize(path)
+
+  end
+
+
+end

data/lib/sty/auth-rotate.rb

@@ -0,0 +1,69 @@
+require_relative 'functions'
+
+require 'aws-sdk-iam'
+
+DEFAULT_KEY_AGE = 90
+Aws.config.update(:http_proxy => ENV['https_proxy'])
+
+class Rotator
+
+  def rotate
+    keys = yaml('auth-keys')
+    path = to_path(act_acc)
+    current_key = keys['accounts'].dig(*path)
+    puts "Current account #{white(act_acc)}"
+
+    unless current_key
+      puts red("You need to authenticate to userstore account to rotate keys.")
+      exit(1)
+    end
+    puts "Current key #{white(current_key['key_id'])}"
+
+    iam = Aws::IAM::Client.new(region: region)
+
+    account_keys = iam.list_access_keys.access_key_metadata
+
+    key_to_rotate = account_keys.select {|k| k.access_key_id == current_key['key_id']}.first
+
+    unless key_to_rotate
+      puts red("Key #{current_key['key_id']} for account #{ act_acc } doesn't exist in AWS.")
+      exit(1)
+    end
+
+    if account_keys.size > 1
+      puts "You have #{white(account_keys.size)} keys already. Remove other keys before trying to rotate."
+      account_keys.each do |k|
+        key = k.access_key_id == current_key['key_id'] ? "#{white(k.access_key_id)} <-- Keep" : "#{red(k.access_key_id)} <-- Remove"
+        puts key
+      end
+      exit(1)
+    end
+
+    key_age_days = ((Time.now - key_to_rotate.create_date)/3600/24).round
+    puts "The key is #{white(key_age_days)} days old."
+
+    if key_age_days < DEFAULT_KEY_AGE
+      puts green('All good.')
+      exit(0)
+    else
+      puts 'Key needs rotation.'
+    end
+
+    new_key = iam.create_access_key()
+    current_key['key_id'] = new_key.access_key.access_key_id
+    current_key['secret_key'] = new_key.access_key.secret_access_key
+
+    puts "New key #{white(current_key['key_id'])} was created"
+
+    dump(keys, 'auth-keys')
+
+    account_keys.each do |k|
+      puts "Removing old key #{white(k.access_key_id)}"
+      iam.delete_access_key(access_key_id: k.access_key_id)
+    end
+
+    puts green('Key was rotated successfully.')
+  end
+end
+
+Rotator.new.rotate

data/lib/sty/auth.rb

@@ -0,0 +1,188 @@
+require_relative 'functions'
+require_relative 'dig'
+
+SESSION_DURATION_SECONDS = 43_200
+DEFAULT_ROLE_NAME = 'ReadOnlyRole'
+DEFAULT_REGION = 'ap-southeast-2'
+
+class Auth
+
+  def logout
+    current = ENV['AWS_ACTIVE_ACCOUNT']
+    identity = ENV['AWS_ACTIVE_IDENTITY']
+    STDERR.puts "Logging off from: #{white(current)}"
+    if current
+      cache = cache_file(to_path(current),identity)
+      begin
+        File.delete(cache)
+      rescue Errno::ENOENT => e
+      end
+    end
+    puts "#EVAL#"
+    puts "unset AWS_ACTIVE_ACCOUNT AWS_SESSION_EXPIRY AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_ACTIVE_IDENTITY"
+  end
+
+  def deep_merge(h1,h2)
+    h1.merge(h2){|k,v1,v2| v1.is_a?(Hash) && v2.is_a?(Hash) ? deep_merge(v1,v2) : v2}
+  end
+
+  def initialize
+    #aws-sdk is slow, so load it only when needed
+    require 'aws-sdk-core'
+    Aws.config.update(:http_proxy => ENV['https_proxy'])
+    @config = deep_merge(yaml('auth'),yaml('auth-keys'))
+  end
+
+  def check_proxy
+    unless ENV.find { |k,v| k =~ /HTTPS_PROXY/i }
+      STDERR.puts red("WARNING! \"https_proxy\" env variable is not set.")
+    end
+  end
+
+  def user
+    @config['username']
+  end
+
+  def account(path)
+    acc = @config['accounts'].dig(*path)
+    unless acc
+      STDERR.puts red("ERROR! Account #{to_fqn(path)} not found in config")
+      exit 1
+    end
+
+    acc['path'] = path
+    acc
+  end
+
+  def parent(acc)
+    acc['parent']
+  end
+
+  def cached_creds(path, identity)
+    acc_fqn = to_fqn(path)
+    begin
+      cached_creds = Psych.load_file(cache_file(path, identity))
+      raise(RuntimeError) unless cached_creds
+    rescue Errno::ENOENT, RuntimeError
+      STDERR.puts "No cached creds for #{acc_fqn}"
+      return nil
+    end
+
+    remained_minutes = ((cached_creds['expiration'] - Time.now) / 60).to_i
+
+    if remained_minutes > 0
+      STDERR.puts "Loaded cached creds for #{acc_fqn}"
+      STDERR.puts "Credentials will stay active for the next #{remained_minutes} min"
+      return {creds: Aws::Credentials.new(cached_creds['access_key_id'],
+                                          cached_creds['secret_access_key'],
+                                          cached_creds['session_token']),
+              expiry: cached_creds['expiration']}
+    else
+      STDERR.puts "Cached creds for #{acc_fqn} expired"
+    end
+  end
+
+  def save_creds(acc, creds, expiration, identity)
+    creds_hash = {'access_key_id' => creds.access_key_id,
+                  'secret_access_key' => creds.secret_access_key,
+                  'session_token' => creds.session_token,
+                  'expiration' => expiration
+    }
+    File.open(cache_file(acc['path'], identity), 'w') do |file|
+      file.write(Psych.dump(creds_hash))
+    end
+  end
+
+  def login_bare(acc)
+
+    path = acc['path']
+    acc_fqn = to_fqn(path)
+
+    cached = cached_creds(path, user)
+    return { creds: cached[:creds], expiry: cached[:expiry], identity: user } if cached
+
+    STDERR.puts "Enter MFA for #{acc_fqn}"
+    token = STDIN.gets.chomp
+
+    mfa = "arn:aws:iam::#{acc['acc_id']}:mfa/#{user}"
+
+    bare_creds = Aws::Credentials.new(acc['key_id'], acc['secret_key'])
+
+    sts = Aws::STS::Client.new(credentials: bare_creds, region: region)
+
+    begin
+      session = sts.get_session_token(duration_seconds: SESSION_DURATION_SECONDS,
+                                      serial_number: mfa,
+                                      token_code: token)
+
+      creds = Aws::Credentials.new(session.credentials.access_key_id,
+                                   session.credentials.secret_access_key,
+                                   session.credentials.session_token)
+    rescue Exception => e
+      STDERR.puts red("ERROR! Unable to obtain credentials for #{acc_fqn}")
+      STDERR.puts white(e.message)
+      exit 1
+    end
+
+    STDERR.puts green("Successfully obtained creds for #{acc_fqn}")
+
+    save_creds(acc, creds, session.credentials.expiration, user)
+
+    {creds: creds, expiry: session.credentials.expiration, identity: user}
+  end
+
+  def login_role(acc, role)
+    path = acc['path']
+    active_role = role || acc['role'] || DEFAULT_ROLE_NAME
+    role_arn = "arn:aws:iam::#{acc['acc_id']}:role/#{active_role}"
+
+    cached = cached_creds(path, active_role)
+    return { creds: cached[:creds], expiry: cached[:expiry], identity: active_role } if cached
+
+    parent_path = to_path(parent(acc))
+    parent_acc = account(parent_path)
+    parent_creds = login_bare(parent_acc)[:creds]
+    sts = Aws::STS::Client.new(
+        credentials: parent_creds,
+        endpoint: 'https://sts.ap-southeast-2.amazonaws.com',
+        region: region
+    )
+    begin
+      creds = sts.assume_role(role_arn: role_arn,
+                              role_session_name: "#{user}-#{parent_path.join('-')}",
+                              duration_seconds: 3600).credentials
+    rescue Exception => e
+      STDERR.puts red("ERROR! Unable to obtain credentials for #{to_fqn(path)}")
+      STDERR.puts white(e.message)
+      exit 1
+    end
+    STDERR.puts green("Successfully obtained creds for #{to_fqn(path)}")
+    save_creds(acc, creds, creds.expiration, active_role)
+
+    {creds: creds, expiry: creds.expiration, identity: active_role}
+  end
+
+  def print_creds(acc, creds)
+    puts "#EVAL#"
+    puts "export AWS_ACTIVE_ACCOUNT=#{to_fqn(acc['path'])}"
+    puts "export AWS_ACTIVE_IDENTITY=#{creds[:identity]}"
+    puts "export AWS_SESSION_EXPIRY=\"#{creds[:expiry]}\""
+    puts "export AWS_ACCESS_KEY_ID=#{creds[:creds].access_key_id}"
+    puts "export AWS_SECRET_ACCESS_KEY=#{creds[:creds].secret_access_key}"
+    puts "export AWS_SESSION_TOKEN=#{creds[:creds].session_token}"
+  end
+
+  def login(fqn, role = nil)
+    check_proxy
+    acc = account(to_path(fqn))
+
+    if parent(acc)
+      creds = login_role(acc, role)
+    else
+      creds = login_bare(acc)
+    end
+
+    print_creds(acc, creds) if creds
+  end
+
+end

data/lib/sty/cli.rb

@@ -0,0 +1,71 @@
+require 'thor'
+require_relative 'info'
+require_relative 'auth'
+require_relative 'console'
+require_relative 'proxy'
+require_relative 'ssh'
+
+class Cli < Thor
+  map auth: :login, acct: :account, px: :proxy
+
+  def self.basename
+    'sty'
+  end
+
+  desc "ssh [OPTIONS] <SEARCH_TERM...>","Creates ssh connection to desired ec2 instance through existing jumphost. SEARCH_TERM to search in EC2 instance ID, name or IP address"
+  method_option :no_jumphost, type: :boolean, default: false, aliases: "-n", desc: "Connect directly without jumphost"
+  method_option :select_jumphost, type: :boolean, aliases: "-s", desc: "Select jumphost instance"
+  method_option :use_key, type: :boolean, aliases: "-k", desc: "Use private key auth for target instance. Keys are searched recursively in ~/.sty/keys"
+  def ssh(*search_term)
+    Ssh.new.connect(search_term, options[:no_jumphost], options[:select_jumphost], options[:use_key])
+  end
+
+  desc "console", "Opens AWS console in browser for currently authenticated session"
+  method_option :browser, type: :string, aliases: "-b", enum: Console::BROWSERS, desc: "Use specific browser"
+  method_option :incognito, type: :boolean, aliases: "-i", desc: "Create new incognito window"
+  method_option :logout, type: :boolean, aliases: "-l", dssc: "Logout from current session"
+  def console
+    Console.new.action(options[:browser], options[:incognito], options[:logout])
+  end
+
+  desc "login ACCOUNT_PATH", "Authenticate to the account"
+  method_option :role, aliases: "-r", dssc: "Override role name"
+  def login(path)
+    source_run(__method__)
+    Auth.new.login(path, options[:browser])
+  end
+
+  desc "logout", "Forget current credentials and clear cache"
+  def logout
+    source_run(__method__)
+    Auth.new.logout
+  end
+
+  desc "info", "Get current session information"
+  def info
+    Info.new.session_info
+  end
+
+  desc "account ACCOUNT_ID", "Find account information"
+  def account(path)
+    Info.new.account_info(path)
+  end
+
+  desc "proxy [PROXY_ID]", "Switch session proxy (use 'off' to disable)"
+  def proxy(px = nil)
+    source_run(__method__)
+    Proxy.new.action(px)
+  end
+
+  no_tasks do
+    def source_run(method)
+      unless ENV['STY_SOURCE_RUN'] == 'true'
+        puts "When using '#{method.to_s}' command, you must source it, i.e.: '. sty #{method.to_s}'"
+        exit 128
+      end
+    end
+  end
+
+end
+
+Cli.start(ARGV)