vagrant-s3auth-mfa 1.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 535efe4b64ce2e8edab42b662713d360f76c94408c291bf3e6fd99dc17664493
+  data.tar.gz: ace047d7f8806421050acbc09b99c8c43bdf6fd21bd29250d0bd8fd8e27ef72f
+SHA512:
+  metadata.gz: ffc6111b6799f0f6f747bb95e784eb1b5b0f530b4772040a99c70332c5e3c728f661404a52e9d243cd31e48ec31d740185b02318f7e695a0c7a2ecb0167277ac
+  data.tar.gz: a2e4158d7b5a8c0c679b27ea574a6ce619007b4e15724097065688de835bd15ed19a8c3f026e3207d9ff95d352ff1ecfafaeb126ab463daf3deada036065066e

data/.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+
+pkg
+*.gem
+.env
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,33 @@
+Lint/AssignmentInCondition:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 40
+
+Metrics/CyclomaticComplexity:
+  Max: 12
+
+Metrics/LineLength:
+  Max: 100
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 25
+
+Metrics/PerceivedComplexity:
+  Max: 15
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/Documentation:
+  Enabled: false
+
+Style/FileName:
+  Enabled: false
+
+Style/RescueModifier:
+  Enabled: false
+
+Style/SignalException:
+  EnforcedStyle: only_raise

data/.ruby-version

@@ -0,0 +1 @@
+2.2.3

data/.travis.yml

@@ -0,0 +1,56 @@
+sudo: false
+
+language: ruby
+rvm:
+- 2.2.3
+
+addons:
+  apt:
+    packages:
+    - bsdtar
+    - libxslt1.1
+
+before_install:
+# Install Bats, the Bash testing framework
+- npm install bats
+
+# Speed up Nokogiri installation substantially by using precompiled libxslt
+- bundle config build.nokogiri --use-system-libraries
+
+# Older versions of Vagrant can't handle the current version of Bundler, which
+# ships with Travis.
+- |
+  if [[ "$BUNDLER_VERSION" ]]
+  then
+    rvm @default,@global do gem uninstall bundler --all --executables
+    gem install bundler -v "$BUNDLER_VERSION"
+  fi
+- bundle --version
+
+before_script:
+- test/setup.rb
+
+after_script:
+- test/cleanup.rb
+
+env:
+  global:
+  - VAGRANT_S3AUTH_ATLAS_BOX_NAME="travis-$TRAVIS_JOB_NUMBER"
+  - VAGRANT_S3AUTH_BUCKET="travis-$TRAVIS_JOB_NUMBER.vagrant-s3auth.com"
+  - VAGRANT_S3AUTH_REGION_NONSTANDARD=eu-west-1
+  - VAGRANT_S3AUTH_BOX_BASE=minimal
+  matrix:
+  - VAGRANT_VERSION=master BUNDLER_VERSION=
+  - VAGRANT_VERSION=v1.9.1 BUNDLER_VERSION=
+  - VAGRANT_VERSION=v1.8.7 BUNDLER_VERSION=1.12.5
+  - VAGRANT_VERSION=v1.7.4 BUNDLER_VERSION=1.10.5
+  - VAGRANT_VERSION=v1.6.5 BUNDLER_VERSION=1.6.9
+  - VAGRANT_VERSION=v1.5.1 BUNDLER_VERSION=1.5.3
+
+deploy:
+  provider: rubygems
+  api_key:
+    secure: b7ZiPX6EfA4DNV6B65ZvVJF8Xswne4N0MdIqwTkyQ5//0+3hSHg0ChTvjeb+eeTcPFiYxuh0UvXqJMtxi8hCJub03aJ5qeDDm6FJeM7WqsHmXx6A6UGFxnCTi6z7IaaBCs71jygzdjN6AaKOV9PuvhD079dci/yylr0SDHQgvrY=
+  on:
+    tags: true
+    repo: WhoopInc/vagrant-s3auth

data/CHANGELOG.md

@@ -0,0 +1,154 @@
+## 1.3.2
+
+**6 January 2016**
+
+Enhancements:
+
+* upgrade to AWS SDK v2.6.44
+
+## 1.3.1
+
+**30 December 2016**
+
+Fixes:
+
+* suppress warning about invalid region with certain buckets ([#31])
+
+## 1.3.0
+
+**18 January 2016**
+
+Enhancements:
+
+* upgrade to AWS SDK v2.2.10
+
+Fixes:
+
+* allow box update checks when offline ([#26])
+* support the Vagrant 1.8.x series ([#27])
+
+## 1.2.0
+
+**20 August 2015**
+
+Enhancements:
+
+* output the discovered AWS access key and its source (environment variable or
+  profile) when downloading an authenticated S3 box ([#21])
+
+Thanks, [@Daemoen][Daemoen]!
+
+## 1.1.1
+
+**6 August 2015**
+
+Enhancements:
+
+* bump dependencies to latest patch versions and dev dependencies to latest
+  versions
+
+## 1.1.0
+
+**1 June 2015**
+
+Enhancements:
+
+* upgrade to AWS SDK v2 ([#15])
+* recommend the use of the AWS SDK's centralized credential file ([#14])
+
+Fixes:
+
+* allow up to ten minutes of time skew ([#16])
+* try an unauthenticated download before demanding AWS credentials ([#10])
+
+Thanks, [@kimpepper][kimpepper] and [@companykitchen-dev][companykitchen-dev]!
+
+## 1.0.3
+
+**10 March 2015**
+
+Fixes:
+
+* fix namespace collisions with [vagrant-aws][vagrant-aws] ([#11])
+
+Thanks, [@andres-rojas][andres-rojas]!
+
+
+## 1.0.2
+
+**25 December 2014**
+
+Enhancements:
+
+* provide better error messages when S3 API requests are denied ([#9])
+* include IAM policy recommendations in README
+
+## 1.0.1
+
+**21 December 2014**
+
+Enhancements:
+
+* support bucket-in-host style S3 URLs to simplify usage instructions
+
+Fixes:
+
+* internal cleanup
+* improved detection of incompatible Vagrant versions
+
+## 1.0.0
+
+**16 December 2014**
+
+Enhancements:
+
+* passes a complete acceptance test suite
+* detects full and shorthand S3 URLs at all download stages
+
+Fixes:
+
+* automatically determines region for shorthand S3 URLs ([#1], [#7])
+
+## 0.1.0
+
+**13 June 2014**
+
+Enhancements:
+
+* support buckets hosted in any S3 region ([#1])
+
+Fixes:
+
+* properly authenticate requests for simple (non-metadata) S3 boxes ([#1])
+
+## 0.0.2
+
+**6 June 2014**
+
+Enhancements:
+
+* formally license under MIT
+
+## 0.0.1
+
+* initial release
+
+[#1]: https://github.com/WhoopInc/vagrant-s3auth/issues/1
+[#7]: https://github.com/WhoopInc/vagrant-s3auth/issues/7
+[#9]: https://github.com/WhoopInc/vagrant-s3auth/issues/9
+[#10]: https://github.com/WhoopInc/vagrant-s3auth/issues/10
+[#11]: https://github.com/WhoopInc/vagrant-s3auth/pull/11
+[#14]: https://github.com/WhoopInc/vagrant-s3auth/issues/14
+[#15]: https://github.com/WhoopInc/vagrant-s3auth/issues/15
+[#16]: https://github.com/WhoopInc/vagrant-s3auth/issues/16
+[#21]: https://github.com/WhoopInc/vagrant-s3auth/issues/21
+[#26]: https://github.com/WhoopInc/vagrant-s3auth/issues/26
+[#27]: https://github.com/WhoopInc/vagrant-s3auth/issues/27
+[#31]: https://github.com/WhoopInc/vagrant-s3auth/issues/31
+
+[Daemoen]: https://github.com/Daemoen
+[andres-rojas]: https://github.com/andres-rojas
+[companykitchen-dev]: https://github.com/companykitchen-dev
+[kimpepper]: https://github.com/kimpepper
+
+[vagrant-aws]: https://github.com/mitchellh/vagrant-aws

data/CONTRIBUTING.md

@@ -0,0 +1,40 @@
+# Contributing
+
+We love contributions! Pull request away.
+
+## Hacking
+
+You'll need Ruby and Bundler, of course. Then, check out the code and install
+the gems:
+
+```bash
+$ git clone git@github.com:WhoopInc/vagrant-s3auth.git
+$ cd vagrant-s3auth
+$ bundle
+```
+
+Hack away! When you're ready to test, either [run the test suite](TESTING.md) or
+run Vagrant manually *using the configured Bundler environment*:
+
+```bash
+$ VAGRANT_LOG=debug bundle exec vagrant box add S3_URL
+```
+
+If you forget the `bundle exec`, you'll use system Vagrant—not the Vagrant that
+has your plugin changes installed!
+
+## Guidelines
+
+We do ask that all contributions pass the linter and test suite. Travis will
+automatically run these against your contribution once you submit the pull
+request, but you can also run them locally as you go!
+
+### Linting
+
+```bash
+$ rake lint
+```
+
+### Testing
+
+See [TESTING](TESTING.md).

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+VAGRANT_REF = ENV['VAGRANT_VERSION'] || 'master'
+
+group :development do
+  gem 'vagrant', git: 'git://github.com/mitchellh/vagrant.git', ref: VAGRANT_REF
+end
+
+group :plugins do
+  gemspec
+  gem 'vagrant-aws', git: 'git://github.com/mitchellh/vagrant-aws.git', ref: 'master'
+end

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2014 WHOOP, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,261 @@
+# vagrant-s3auth
+
+<a href="https://travis-ci.org/WhoopInc/vagrant-s3auth">
+  <img src="https://travis-ci.org/WhoopInc/vagrant-s3auth.svg?branch=master"
+    align="right">
+</a>
+
+Private, versioned Vagrant boxes hosted on Amazon S3.
+
+## Installation
+
+From the command line:
+
+```bash
+$ vagrant plugin install vagrant-s3auth
+```
+
+### Requirements
+
+* [Vagrant][vagrant], v1.5.1+
+
+## Usage
+
+vagrant-s3auth will automatically sign requests for S3 URLs
+
+```
+s3://bucket.example.com/path/to/metadata
+```
+
+with your AWS access key.
+
+This means you can host your team's sensitive, private boxes on S3, and use your
+developers' existing AWS credentials to securely grant access.
+
+If you've already got your credentials stored in the standard environment
+variables:
+
+```ruby
+# Vagrantfile
+
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'simple-secrets'
+  config.vm.box_url = 's3://example.com/secret.box'
+end
+```
+
+### Configuration
+
+#### AWS credentials
+
+AWS credentials are read from the standard environment variables
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+
+You may find it more convenient to use the
+[centralized credential file][aws-cred-file] to create a credential
+profile. Select the appropriate profile using the `AWS_PROFILE`
+environment variable. For example:
+
+```ini
+# ~/.aws/credentials
+
+[vagrant-s3auth]
+aws_access_key_id = AKIA...
+aws_secret_access_key = ...
+```
+
+```ruby
+# Vagrantfile
+
+ENV.delete_if { |name| name.start_with?('AWS_') }  # Filter out rogue env vars.
+ENV['AWS_PROFILE'] = 'vagrant-s3auth'
+
+Vagrant.configure("2") { |config| ... }
+```
+
+**CAUTION:** If `AWS_ACCESS_KEY_ID` exists in your environment, it will
+take precedence over `AWS_PROFILE`! Either take care to filter rogue
+environment variables as above, or set the access key explicitly:
+
+```ruby
+access_key, secret_key = whizbang_inc_api.fetch_api_creds()
+ENV['AWS_ACCESS_KEY_ID']     = access_key
+ENV['AWS_SECRET_ACCESS_KEY'] = secret_key
+```
+
+The detected AWS access key and its source (environment variable or
+profile file) will be displayed when the box is downloaded. If you use
+multiple AWS credentials and see authentication errors, verify that the
+correct access key was detected.
+
+##### IAM configuration
+
+IAM accounts will need at least the following policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::BUCKET/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
+      "Resource": "arn:aws:s3:::BUCKET"
+    }
+  ]
+}
+```
+
+**IMPORTANT:** You must split up bucket and object permissions into separate policy statements as written above! See [Writing IAM Policies: How to grant access to an Amazon S3 Bucket][aws-s3-iam].
+
+Also note that `s3:ListBucket` permission is not strictly necessary. vagrant-s3auth will never
+make a ListBucket request, but without ListBucket permission, a misspelled box
+name results in a 403 Forbidden error instead of a 404 Not Found error. ([Why?][aws-403-404])
+
+See [AWS S3 Guide: User Policy Examples][aws-user-policy] for more.
+
+#### S3 URLs
+
+You can use any valid HTTP(S) URL for your object:
+
+```bash
+# path style
+http://s3.amazonaws.com/bucket/resource
+https://s3.amazonaws.com/bucket/resource
+
+# host style
+http://bucket.s3.amazonaws.com/resource
+https://bucket.s3.amazonaws.com/resource
+```
+
+Or the S3 protocol shorthand
+
+```
+s3://bucket/resource
+```
+
+which expands to the path-style HTTPS URL.
+
+##### Non-standard regions
+
+If your bucket is not hosted in the US Standard region, you'll need to specify
+the correct region endpoint as part of the URL:
+
+```
+https://s3-us-west-2.amazonaws.com/bucket/resource
+https://bucket.s3-us-west-2.amazonaws.com/resource
+```
+
+Or just use the S3 protocol shorthand, which will automatically determine the
+correct region at the cost of an extra API call:
+
+```
+s3://bucket/resource
+```
+
+For additional details on specifying S3 URLs, refer to the [S3 Developer Guide:
+Virtual hosting of buckets][bucket-vhost].
+
+#### Simple boxes
+
+Simply point your `box_url` at a [supported S3 URL](#s3-url):
+
+```ruby
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'simple-secrets'
+  config.vm.box_url = 'https://s3.amazonaws.com/bucket.example.com/secret.box'
+end
+```
+
+#### Vagrant Cloud
+
+If you've got a box version on [Vagrant Cloud][vagrant-cloud], just point it at
+a [supported S3 URL](#s3-urls):
+
+![Adding a S3 box to Vagrant Cloud](https://cloud.githubusercontent.com/assets/882976/3273399/d5d70966-f323-11e3-8393-22195050aeac.png)
+
+Then configure your Vagrantfile like normal:
+
+```ruby
+Vagrant.configure('2') do |config|
+  config.vm.box = 'benesch/test-box'
+end
+```
+
+#### Metadata (versioned) boxes
+
+[Metadata boxes][metadata-boxes] were added to Vagrant in 1.5 and power Vagrant
+Cloud. You can host your own metadata and bypass Vagrant Cloud entirely.
+
+Essentially, you point your `box_url` at a [JSON metadata file][metadata-boxes]
+that tells Vagrant where to find all possible versions:
+
+```ruby
+# Vagrantfile
+
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'examplecorp/secrets'
+  config.vm.box_url = 's3://example.com/secrets'
+end
+```
+
+```json
+"s3://example.com/secrets"
+
+{
+  "name": "examplecorp/secrets",
+  "description": "This box contains company secrets.",
+  "versions": [{
+    "version": "0.1.0",
+    "providers": [{
+      "name": "virtualbox",
+      "url": "https://s3.amazonaws.com/example.com/secrets.box",
+      "checksum_type": "sha1",
+      "checksum": "foo"
+    }]
+  }]
+}
+```
+
+Within your metadata JSON, be sure to use [supported S3 URLs](#s3-urls).
+
+Note that the metadata itself doesn't need to be hosted on S3. Any metadata that
+points to a supported S3 URL will result in an authenticated request.
+
+**IMPORTANT:** Your metadata *must* be served with `Content-Type: application/json`
+or Vagrant will not recognize it as metadata! Most S3 uploader tools (and most
+webservers) will *not* automatically set the `Content-Type` header when the file
+extension is not `.json`. Consult your tool's documentation for instructions on
+manually setting the content type.
+
+## Auto-install
+
+The beauty of Vagrant is the magic of "`vagrant up` and done." Making your users
+install a plugin is lame.
+
+But wait! Just stick some shell in your Vagrantfile:
+
+```ruby
+unless Vagrant.has_plugin?('vagrant-s3auth')
+  # Attempt to install ourself. Bail out on failure so we don't get stuck in an
+  # infinite loop.
+  system('vagrant plugin install vagrant-s3auth') || exit!
+
+  # Relaunch Vagrant so the plugin is detected. Exit with the same status code.
+  exit system('vagrant', *ARGV)
+end
+```
+
+[aws-403-404]: https://forums.aws.amazon.com/thread.jspa?threadID=56531#jive-message-210346
+[aws-cred-file]: http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs
+[aws-s3-iam]: http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket
+[aws-signed]: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader
+[aws-user-policy]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html
+[bucket-vhost]: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html#VirtualHostingExamples
+[metadata-boxes]: http://docs.vagrantup.com/v2/boxes/format.html
+[vagrant]: http://vagrantup.com
+[vagrant-cloud]: http://vagrantcloud.com