vagrant-s3auth-mfa 1.4.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 535efe4b64ce2e8edab42b662713d360f76c94408c291bf3e6fd99dc17664493
-  data.tar.gz: ace047d7f8806421050acbc09b99c8c43bdf6fd21bd29250d0bd8fd8e27ef72f
+  metadata.gz: 5dc3518823602d8b94d24b4da53cbb502aaff6fe0851c12558ba900c2766ed26
+  data.tar.gz: 53f891c31a090cda061ce2d881b2443150ea6a050b67959a7fbd2b4103474d57
 SHA512:
-  metadata.gz: ffc6111b6799f0f6f747bb95e784eb1b5b0f530b4772040a99c70332c5e3c728f661404a52e9d243cd31e48ec31d740185b02318f7e695a0c7a2ecb0167277ac
-  data.tar.gz: a2e4158d7b5a8c0c679b27ea574a6ce619007b4e15724097065688de835bd15ed19a8c3f026e3207d9ff95d352ff1ecfafaeb126ab463daf3deada036065066e
+  metadata.gz: e626ce2486a31e5f294c0b8460f81414643548045b1860bad94197204291b3474d311451629f8f4558f33a8456b362f95ad8c6f28772f7192e67929689ec4242
+  data.tar.gz: fa3d4878e116ac5227db36ccc498c48d359f1872d637c03395931747ec4d9dfd0d5d4c194216e8964385c52468914fe6d283c54d7022beeab133ad135bb23823

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 1.4.1
+
+**15 January 2018**
+
+Features:
+
+* Rename to vagrant-s3auth-mfa
+
+## 1.4.0
+
+**14 January 2018**
+
+Features:
+
+* Added support for MFA and Assume Role
+
+
 ## 1.3.2
 
 **6 January 2016**

data/README.md

@@ -1,4 +1,4 @@
-# vagrant-s3auth
+# vagrant-s3auth-mfa
 
 <a href="https://travis-ci.org/WhoopInc/vagrant-s3auth">
   <img src="https://travis-ci.org/WhoopInc/vagrant-s3auth.svg?branch=master"
@@ -12,7 +12,7 @@ Private, versioned Vagrant boxes hosted on Amazon S3.
 From the command line:
 
 ```bash
-$ vagrant plugin install vagrant-s3auth
+$ vagrant plugin install vagrant-s3auth-mfa
 ```
 
 ### Requirements
@@ -21,7 +21,7 @@ $ vagrant plugin install vagrant-s3auth
 
 ## Usage
 
-vagrant-s3auth will automatically sign requests for S3 URLs
+vagrant-s3auth-mfa will automatically sign requests for S3 URLs
 
 ```
 s3://bucket.example.com/path/to/metadata
@@ -59,7 +59,7 @@ environment variable. For example:
 ```ini
 # ~/.aws/credentials
 
-[vagrant-s3auth]
+[vagrant-s3auth-mfa]
 aws_access_key_id = AKIA...
 aws_secret_access_key = ...
 ```
@@ -68,7 +68,7 @@ aws_secret_access_key = ...
 # Vagrantfile
 
 ENV.delete_if { |name| name.start_with?('AWS_') }  # Filter out rogue env vars.
-ENV['AWS_PROFILE'] = 'vagrant-s3auth'
+ENV['AWS_PROFILE'] = 'vagrant-s3auth-mfa'
 
 Vagrant.configure("2") { |config| ... }
 ```
@@ -88,6 +88,30 @@ profile file) will be displayed when the box is downloaded. If you use
 multiple AWS credentials and see authentication errors, verify that the
 correct access key was detected.
 
+##### AWS credentials using ~/.aws/config profiles
+
+Using this feature adds support for assuming an IAM Role and MFA authentication.
+
+```ini
+# ~/.aws/config
+
+[profile role-to-assume]
+ region = eu-west-1
+ source_profile = vagrant-s3auth-mfa
+ role_arn = arn:aws:iam::12345678900:role/role-to-assume
+ mfa_serial = arn:aws:iam::12345678900:mfa/user
+```
+
+```ruby
+# Vagrantfile
+
+ENV.delete_if { |name| name.start_with?('AWS_') }  # Filter out rogue env vars.
+ENV['AWS_REGION'] = 'eu-west-1'
+ENV['AWS_CONFIG_PROFILE'] = 'role-to-assume'
+
+Vagrant.configure("2") { |config| ... }
+```
+
 ##### IAM configuration
 
 IAM accounts will need at least the following policy:
@@ -112,7 +136,7 @@ IAM accounts will need at least the following policy:
 
 **IMPORTANT:** You must split up bucket and object permissions into separate policy statements as written above! See [Writing IAM Policies: How to grant access to an Amazon S3 Bucket][aws-s3-iam].
 
-Also note that `s3:ListBucket` permission is not strictly necessary. vagrant-s3auth will never
+Also note that `s3:ListBucket` permission is not strictly necessary. vagrant-s3auth-mfa will never
 make a ListBucket request, but without ListBucket permission, a misspelled box
 name results in a 403 Forbidden error instead of a 404 Not Found error. ([Why?][aws-403-404])
 
@@ -240,10 +264,10 @@ install a plugin is lame.
 But wait! Just stick some shell in your Vagrantfile:
 
 ```ruby
-unless Vagrant.has_plugin?('vagrant-s3auth')
+unless Vagrant.has_plugin?('vagrant-s3auth-mfa')
   # Attempt to install ourself. Bail out on failure so we don't get stuck in an
   # infinite loop.
-  system('vagrant plugin install vagrant-s3auth') || exit!
+  system('vagrant plugin install vagrant-s3auth-mfa') || exit!
 
   # Relaunch Vagrant so the plugin is detected. Exit with the same status code.
   exit system('vagrant', *ARGV)

data/lib/{vagrant-s3auth.rb → vagrant-s3auth-mfa.rb}

@@ -1,6 +1,6 @@
 require 'pathname'
 
-require 'vagrant-s3auth/plugin'
+require 'vagrant-s3auth-mfa/plugin'
 
 module VagrantPlugins
   module S3Auth

data/lib/{vagrant-s3auth → vagrant-s3auth-mfa}/errors.rb

@@ -22,6 +22,10 @@ module VagrantPlugins
       class S3APIError < VagrantS3AuthError
         error_key(:s3_api_error)
       end
+
+      class SetCredentialsFromProfileError < VagrantS3AuthError
+        error_key(:set_credentials_from_profile_error)
+      end
     end
   end
 end

data/lib/{vagrant-s3auth → vagrant-s3auth-mfa}/extension/downloader.rb

@@ -1,7 +1,7 @@
 require 'uri'
 
 require 'vagrant/util/downloader'
-require 'vagrant-s3auth/util'
+require 'vagrant-s3auth-mfa/util'
 
 S3Auth = VagrantPlugins::S3Auth
 
@@ -23,6 +23,11 @@ module Vagrant
             access_key: credential_provider.credentials.access_key_id,
             profile: credential_provider.profile_name
           )
+        when String
+          I18n.t(
+            'vagrant_s3auth.downloader.profile_credential_config',
+            profile: credential_provider
+          )
         end
       end
 

data/lib/{vagrant-s3auth → vagrant-s3auth-mfa}/util.rb

@@ -2,6 +2,7 @@ require 'aws-sdk'
 require 'log4r'
 require 'net/http'
 require 'uri'
+require 'aws_config'
 
 module VagrantPlugins
   module S3Auth
@@ -30,6 +31,10 @@ module VagrantPlugins
       end
 
       def self.s3_client(region = DEFAULT_REGION)
+        unless ENV['AWS_CONFIG_PROFILE'].nil?
+          config = AWSConfig[ENV['AWS_CONFIG_PROFILE']]
+          set_credentials_from_profile(config) if ::Aws.config.empty?
+        end
         ::Aws::S3::Client.new(region: region)
       end
 
@@ -76,7 +81,48 @@ module VagrantPlugins
         # Providing a NullObject here is the same as instantiating a
         # client without specifying a credentials config, like we do in
         # `self.s3_client`.
-        ::Aws::CredentialProviderChain.new(NullObject.new).resolve
+          unless ENV['AWS_CONFIG_PROFILE'].nil?
+            ENV['AWS_CONFIG_PROFILE']
+          else
+            ::Aws::CredentialProviderChain.new(NullObject.new).resolve
+          end
+      end
+
+      def self.set_credentials_from_profile(region = DEFAULT_REGION, config)
+        creds = ::Aws::Credentials.new(
+          config.aws_access_key_id,
+          config.aws_secret_access_key
+        )
+        sts_client = ::Aws::STS::Client.new(
+          credentials: creds 
+        )
+        if config.respond_to?(:mfa_serial)
+          print 'Enter AWS MFA token: '
+          token_code = STDIN.noecho(&:gets).chomp
+          creds = sts_client.get_session_token(
+            duration_seconds: 900,
+            serial_number: config.mfa_serial,
+            token_code: token_code
+          )
+          sts_client = ::Aws::STS::Client.new(
+            access_key_id: creds.credentials.access_key_id,
+            secret_access_key: creds.credentials.secret_access_key,
+            session_token: creds.credentials.session_token
+          )
+        end
+        if config.respond_to?(:role_arn)
+        creds = ::Aws::AssumeRoleCredentials.new(
+          client: sts_client,
+          role_arn: config.role_arn,
+          role_session_name: "#{ENV['USER']}-#{Time.now.utc.iso8601.tr!('-:', '_')}"
+        )
+        end
+        ::Aws.config.update(
+          region: config.region,
+          credentials: creds
+        )
+      rescue StandardError => e
+          raise Errors::SetCredentialsFromProfileError, profile: config.name, error: e
       end
     end
   end

data/lib/{vagrant-s3auth → vagrant-s3auth-mfa}/version.rb

@@ -1,5 +1,5 @@
 module VagrantPlugins
   module S3Auth
-      VERSION = '1.4.0'.freeze
+      VERSION = '1.4.1'.freeze
   end
 end

data/locales/en.yml

@@ -7,6 +7,9 @@ en:
       profile_credential_provider: |-
         Signing S3 request with key '%{access_key}' loaded from profile '%{profile}'
 
+      profile_credential_config: |-
+        Signing S3 request with profile '%{profile}' loaded from ~/.aws/config
+
     errors:
       missing_credentials: |-
         Unable to find AWS credentials.
@@ -51,3 +54,8 @@ en:
             arn:aws:s3:::%{bucket}/*
 
         It may also indicate the box does not exist, so check your spelling.
+      
+      set_credentials_from_profile_error: |-
+        Error while trying to set credententials for profile '%{profile}'
+
+            %{error}

data/test/box/minimal

@@ -1,5 +1,5 @@
 {
-  "name": "vagrant-s3auth/minimal",
+  "name": "vagrant-s3auth-mfa/minimal",
   "description": "This box contains company secrets.",
   "versions": [{
     "version": "1.0.1",

data/test/box/public-minimal

@@ -1,5 +1,5 @@
 {
-  "name": "vagrant-s3auth/public-minimal",
+  "name": "vagrant-s3auth-mfa/public-minimal",
   "description": "This box contains no company secrets.",
   "versions": [{
     "version": "1.0.1",

data/test/cleanup.rb

@@ -10,7 +10,7 @@ require_relative 'support'
 
   buckets = if ARGV.include?('--all')
               s3.buckets.select do |b|
-                b.name.include?('vagrant-s3auth.com') && b.name.include?(region)
+                b.name.include?('vagrant-s3auth-mfa.com') && b.name.include?(region)
               end
             else
               [s3.bucket("#{region}.#{BUCKET}")]

data/test/run.bats

@@ -24,8 +24,8 @@ fi
 teardown() {
   bundle exec vagrant box remove "$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
   bundle exec vagrant box remove "public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
-  bundle exec vagrant box remove "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
-  bundle exec vagrant box remove "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
+  bundle exec vagrant box remove "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
+  bundle exec vagrant box remove "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
   bundle exec vagrant box remove "$ATLAS_USERNAME/$VAGRANT_S3AUTH_ATLAS_BOX_NAME" > /dev/null 2>&1 || true
 }
 
@@ -85,52 +85,52 @@ teardown() {
 
 @test "metadata box with full path standard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "https://s3.amazonaws.com/us-east-1.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "public metadata box with full path standard url without credentials" {
   AWS_ACCESS_KEY_ID= \
     bundle exec vagrant box add \
-    --name "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" \
     "https://s3.amazonaws.com/us-east-1.$VAGRANT_S3AUTH_BUCKET/public-$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "metadata box with full host standard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "https://us-east-1.$VAGRANT_S3AUTH_BUCKET.s3.amazonaws.com/$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "metadata box with shorthand standard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "s3://us-east-1.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "metadata box with full path nonstandard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "https://s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "public metadata box with full path nonstandard url without credentials" {
   AWS_ACCESS_KEY_ID= \
     bundle exec vagrant box add \
-    --name "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" \
     "https://s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/public-$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 
 @test "metadata box with full host nonstandard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "https://$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET.s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_BOX_BASE"
 }
 
 @test "metadata box with shorthand nonstandard url" {
   bundle exec vagrant box add \
-    --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+    --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
     "s3://$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
 }
 

data/{vagrant-s3auth.gemspec → vagrant-s3auth-mfa.gemspec}

@@ -1,14 +1,14 @@
 $LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
 
-require 'vagrant-s3auth/version'
+require 'vagrant-s3auth-mfa/version'
 
 Gem::Specification.new do |spec|
   spec.name          = 'vagrant-s3auth-mfa'
   spec.version       = VagrantPlugins::S3Auth::VERSION
   spec.authors       = ['Nikhil Benesch']
   spec.email         = ['benesch@whoop.com']
-  spec.summary       = '[Forked by VRTDev] Private, versioned Vagrant boxes hosted on Amazon S3.'
-  spec.homepage      = 'https://github.com/WhoopInc/vagrant-s3auth'
+  spec.summary       = '[VRTDev Fork]Private, versioned Vagrant boxes hosted on Amazon S3.'
+  spec.homepage      = 'https://github.com/vrtdev/vagrant-s3auth-mfa'
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files -z`.split("\x0")
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'aws-sdk', '~> 2.6.44'
-  spec.add_dependency 'aws_config', '~> 0.1.0'
+  spec.add_dependency 'aws_config', '0.1.0'
 
   spec.add_development_dependency 'bundler', '~> 1.5'
   spec.add_development_dependency 'http', '~> 1.0.2'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vagrant-s3auth-mfa
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.4.1
 platform: ruby
 authors:
 - Nikhil Benesch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-14 00:00:00.000000000 Z
+date: 2019-01-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -28,14 +28,14 @@ dependencies:
   name: aws_config
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
         version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
         version: 0.1.0
 - !ruby/object:Gem::Dependency
@@ -112,13 +112,13 @@ files:
 - README.md
 - Rakefile
 - TESTING.md
-- lib/vagrant-s3auth.rb
-- lib/vagrant-s3auth/errors.rb
-- lib/vagrant-s3auth/extension/downloader.rb
-- lib/vagrant-s3auth/middleware/expand_s3_urls.rb
-- lib/vagrant-s3auth/plugin.rb
-- lib/vagrant-s3auth/util.rb
-- lib/vagrant-s3auth/version.rb
+- lib/vagrant-s3auth-mfa.rb
+- lib/vagrant-s3auth-mfa/errors.rb
+- lib/vagrant-s3auth-mfa/extension/downloader.rb
+- lib/vagrant-s3auth-mfa/middleware/expand_s3_urls.rb
+- lib/vagrant-s3auth-mfa/plugin.rb
+- lib/vagrant-s3auth-mfa/util.rb
+- lib/vagrant-s3auth-mfa/version.rb
 - locales/en.yml
 - test/box/minimal
 - test/box/minimal.box
@@ -128,8 +128,8 @@ files:
 - test/run.bats
 - test/setup.rb
 - test/support.rb
-- vagrant-s3auth.gemspec
-homepage: https://github.com/WhoopInc/vagrant-s3auth
+- vagrant-s3auth-mfa.gemspec
+homepage: https://github.com/vrtdev/vagrant-s3auth-mfa
 licenses:
 - MIT
 metadata: {}
@@ -152,6 +152,6 @@ rubyforge_project:
 rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
-summary: "[Forked by VRTDev] Private, versioned Vagrant boxes hosted on Amazon S3."
+summary: "[VRTDev Fork]Private, versioned Vagrant boxes hosted on Amazon S3."
 test_files:
-- vagrant-s3auth.gemspec
+- vagrant-s3auth-mfa.gemspec