vagrant-s3auth-mfa 1.4.0

data/Rakefile

@@ -0,0 +1,15 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'rubocop/rake_task'
+
+Dir.chdir(File.expand_path('../', __FILE__))
+
+Bundler::GemHelper.install_tasks
+
+RuboCop::RakeTask.new(:lint)
+
+task :test do
+  sh 'bats test/run.bats'
+end
+
+task default: %w[lint test]

data/TESTING.md

@@ -0,0 +1,70 @@
+# Testing
+
+No unit testing, since the project is so small. But a full suite of acceptance
+tests that run using [Bats: Bash Automated Testing System][bats]! Basically, the
+acceptance tests run `vagrant box add S3_URL` with a bunch of S3 URLs and box
+types, and assert that everything works!
+
+See [the .travis.yml CI configuration](.travis.yml) for a working example.
+
+## Environment variables
+
+You'll need to export the below. Recommended values included when not sensitive.
+
+```bash
+# AWS credentials with permissions to create S3 buckets
+export AWS_ACCESS_KEY_ID=
+export AWS_SECRET_ACCESS_KEY=
+
+# Atlas (Vagrant Cloud) API credentials
+export ATLAS_USERNAME="vagrant-s3auth"
+export ATLAS_TOKEN
+
+# Base name of bucket. Must be unique.
+export VAGRANT_S3AUTH_BUCKET="testing.vagrant-s3auth.com"
+
+# If specified as 'metadata', will upload 'box/metadata' and 'box/metadata.box'
+# to each S3 bucket
+export VAGRANT_S3AUTH_BOX_BASE="minimal"
+
+# Base name of Atlas (Vagrant Cloud) box. Atlas boxes can never re-use a once
+# existing name, so include a timestamp or random string in the name.
+export VAGRANT_S3AUTH_ATLAS_BOX_NAME="vagrant-s3auth-192458"
+
+# Additional S3 region to use in testing. US Standard is always used.
+export VAGRANT_S3AUTH_REGION_NONSTANDARD="eu-west-1"
+```
+
+[bats]: https://github.com/sstephenson/bats
+
+## Running tests
+
+You'll need [Bats][bats] installed! Then:
+
+```bash
+# export env vars as described
+$ test/setup.rb
+$ rake test
+# hack hack hack
+$ rake test
+$ test/cleanup.rb
+```
+
+## Scripts
+
+### test/setup.rb
+
+Creates two S3 buckets—one in US Standard (`us-east-1`) and one in
+`$VAGRANT_S3AUTH_REGION_NONSTANDARD`, both with the contents of the box
+directory.
+
+Then creates an Atlas (Vagrant Cloud) box with one version with one VirtualBox
+provider that points to one of the S3 boxes at random.
+
+### test/cleanup.rb
+
+Destroys S3 buckets and Atlas box.
+
+## run.bats
+
+Attempts to `vagrant box add` the boxes on S3 in every way possible.

data/lib/vagrant-s3auth.rb

@@ -0,0 +1,14 @@
+require 'pathname'
+
+require 'vagrant-s3auth/plugin'
+
+module VagrantPlugins
+  module S3Auth
+    def self.source_root
+      @source_root ||= Pathname.new(File.expand_path('../../', __FILE__))
+    end
+
+    I18n.load_path << File.expand_path('locales/en.yml', source_root)
+    I18n.reload!
+  end
+end

data/lib/vagrant-s3auth/errors.rb

@@ -0,0 +1,27 @@
+require 'vagrant'
+
+module VagrantPlugins
+  module S3Auth
+    module Errors
+      class VagrantS3AuthError < Vagrant::Errors::VagrantError
+        error_namespace('vagrant_s3auth.errors')
+      end
+
+      class MissingCredentialsError < VagrantS3AuthError
+        error_key(:missing_credentials)
+      end
+
+      class MalformedShorthandURLError < VagrantS3AuthError
+        error_key(:malformed_shorthand_url)
+      end
+
+      class BucketLocationAccessDeniedError < VagrantS3AuthError
+        error_key(:bucket_location_access_denied_error)
+      end
+
+      class S3APIError < VagrantS3AuthError
+        error_key(:s3_api_error)
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/extension/downloader.rb

@@ -0,0 +1,84 @@
+require 'uri'
+
+require 'vagrant/util/downloader'
+require 'vagrant-s3auth/util'
+
+S3Auth = VagrantPlugins::S3Auth
+
+module Vagrant
+  module Util
+    class Downloader
+      def s3auth_credential_source
+        credential_provider = S3Auth::Util.s3_credential_provider
+        case credential_provider
+        when ::Aws::Credentials
+          I18n.t(
+            'vagrant_s3auth.downloader.env_credential_provider',
+            access_key: credential_provider.credentials.access_key_id,
+            env_var: S3Auth::Util::AWS_ACCESS_KEY_ENV_VARS.find { |k| ENV.key?(k) }
+          )
+        when ::Aws::SharedCredentials
+          I18n.t(
+            'vagrant_s3auth.downloader.profile_credential_provider',
+            access_key: credential_provider.credentials.access_key_id,
+            profile: credential_provider.profile_name
+          )
+        end
+      end
+
+      def s3auth_download(options, subprocess_options, &data_proc)
+        # The URL sent to curl is always the last argument. We have to rely
+        # on this implementation detail because we need to hook into both
+        # HEAD and GET requests.
+        url = options.last
+
+        s3_object = S3Auth::Util.s3_object_for(url)
+        return unless s3_object
+
+        @logger.info("s3auth: Discovered S3 URL: #{@source}")
+        @logger.debug("s3auth: Bucket: #{s3_object.bucket.name.inspect}")
+        @logger.debug("s3auth: Key: #{s3_object.key.inspect}")
+
+        method = options.any? { |o| o == '-I' } ? :head : :get
+
+        @logger.info("s3auth: Generating signed URL for #{method.upcase}")
+
+        @ui.detail(s3auth_credential_source) if @ui
+
+        url.replace(S3Auth::Util.s3_url_for(method, s3_object).to_s)
+
+        execute_curl_without_s3auth(options, subprocess_options, &data_proc)
+      rescue Errors::DownloaderError => e
+        if e.message =~ /403 Forbidden/
+          e.message << "\n\n"
+          e.message << I18n.t('vagrant_s3auth.errors.box_download_forbidden',
+            bucket: s3_object && s3_object.bucket.name)
+        end
+        raise
+      rescue ::Aws::Errors::MissingCredentialsError
+        raise S3Auth::Errors::MissingCredentialsError
+      rescue ::Aws::Errors::ServiceError => e
+        raise S3Auth::Errors::S3APIError, error: e
+      rescue ::Seahorse::Client::NetworkingError => e
+        # Vagrant ignores download errors during e.g. box update checks
+        # because an internet connection isn't necessary if the box is
+        # already downloaded. Vagrant isn't expecting AWS's
+        # Seahorse::Client::NetworkingError, so we cast it to the
+        # DownloaderError Vagrant expects.
+        raise Errors::DownloaderError, message: e
+      end
+
+      def execute_curl_with_s3auth(options, subprocess_options, &data_proc)
+        execute_curl_without_s3auth(options, subprocess_options, &data_proc)
+      rescue Errors::DownloaderError => e
+        # Ensure the progress bar from the just-failed request is cleared.
+        @ui.clear_line if @ui
+
+        s3auth_download(options, subprocess_options, &data_proc) || (raise e)
+      end
+
+      alias execute_curl_without_s3auth execute_curl
+      alias execute_curl execute_curl_with_s3auth
+    end
+  end
+end

data/lib/vagrant-s3auth/middleware/expand_s3_urls.rb

@@ -0,0 +1,28 @@
+require 'uri'
+
+module VagrantPlugins
+  module S3Auth
+    class ExpandS3Urls
+      def initialize(app, _)
+        @app = app
+      end
+
+      def call(env)
+        env[:box_urls].map! do |url_string|
+          url = URI(url_string)
+
+          if url.scheme == 's3'
+            bucket = url.host
+            key = url.path[1..-1]
+            raise Errors::MalformedShorthandURLError, url: url unless bucket && key
+            next "http://s3-placeholder.amazonaws.com/#{bucket}/#{key}"
+          end
+
+          url_string
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/plugin.rb

@@ -0,0 +1,27 @@
+begin
+  require 'vagrant'
+rescue LoadError
+  raise 'The Vagrant S3Auth plugin must be run within Vagrant.'
+end
+
+require_relative 'errors'
+require_relative 'extension/downloader'
+
+module VagrantPlugins
+  module S3Auth
+    class Plugin < Vagrant.plugin('2')
+      Vagrant.require_version('>= 1.5.1')
+
+      name 's3auth'
+
+      description <<-DESC
+        Use versioned Vagrant boxes with S3 authentication.
+      DESC
+
+      action_hook(:s3_urls, :authenticate_box_url) do |hook|
+        require_relative 'middleware/expand_s3_urls'
+        hook.prepend(ExpandS3Urls)
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/util.rb

@@ -0,0 +1,83 @@
+require 'aws-sdk'
+require 'log4r'
+require 'net/http'
+require 'uri'
+
+module VagrantPlugins
+  module S3Auth
+    module Util
+      S3_HOST_MATCHER = /^((?<bucket>[[:alnum:]\-\.]+).)?s3([[:alnum:]\-\.]+)?\.amazonaws\.com$/
+
+      # The list of environment variables that the AWS Ruby SDK searches
+      # for access keys. Sadly, there's no better way to determine which
+      # environment variable the Ruby SDK is using without mirroring the
+      # logic ourself.
+      #
+      # See: https://github.com/aws/aws-sdk-ruby/blob/ab0eb18d0ce0a515254e207dae772864c34b048d/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb#L42
+      AWS_ACCESS_KEY_ENV_VARS = %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY].freeze
+
+      DEFAULT_REGION = 'us-east-1'.freeze
+
+      LOCATION_TO_REGION = Hash.new { |_, key| key }.merge(
+        '' => DEFAULT_REGION,
+        'EU' => 'eu-west-1'
+      )
+
+      class NullObject
+        def method_missing(*) # rubocop:disable Style/MethodMissing
+          nil
+        end
+      end
+
+      def self.s3_client(region = DEFAULT_REGION)
+        ::Aws::S3::Client.new(region: region)
+      end
+
+      def self.s3_resource(region = DEFAULT_REGION)
+        ::Aws::S3::Resource.new(client: s3_client(region))
+      end
+
+      def self.s3_object_for(url, follow_redirect = true)
+        url = URI(url)
+
+        if url.scheme == 's3'
+          bucket = url.host
+          key = url.path[1..-1]
+          raise Errors::MalformedShorthandURLError, url: url unless bucket && key
+        elsif match = S3_HOST_MATCHER.match(url.host)
+          components = url.path.split('/').delete_if(&:empty?)
+          bucket = match['bucket'] || components.shift
+          key = components.join('/')
+        end
+
+        if bucket && key
+          s3_resource(get_bucket_region(bucket)).bucket(bucket).object(key)
+        elsif follow_redirect
+          response = Net::HTTP.get_response(url) rescue nil
+          if response.is_a?(Net::HTTPRedirection)
+            s3_object_for(response['location'], false)
+          end
+        end
+      end
+
+      def self.s3_url_for(method, s3_object)
+        s3_object.presigned_url(method, expires_in: 60 * 10)
+      end
+
+      def self.get_bucket_region(bucket)
+        LOCATION_TO_REGION[
+          s3_client.get_bucket_location(bucket: bucket).location_constraint
+        ]
+      rescue ::Aws::S3::Errors::AccessDenied
+        raise Errors::BucketLocationAccessDeniedError, bucket: bucket
+      end
+
+      def self.s3_credential_provider
+        # Providing a NullObject here is the same as instantiating a
+        # client without specifying a credentials config, like we do in
+        # `self.s3_client`.
+        ::Aws::CredentialProviderChain.new(NullObject.new).resolve
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/version.rb

@@ -0,0 +1,5 @@
+module VagrantPlugins
+  module S3Auth
+      VERSION = '1.4.0'.freeze
+  end
+end

data/locales/en.yml

@@ -0,0 +1,53 @@
+en:
+  vagrant_s3auth:
+    downloader:
+      env_credential_provider: |-
+        Signing S3 request with key '%{access_key}' loaded from $%{env_var}
+
+      profile_credential_provider: |-
+        Signing S3 request with key '%{access_key}' loaded from profile '%{profile}'
+
+    errors:
+      missing_credentials: |-
+        Unable to find AWS credentials.
+
+        Ensure the following variables are set in your environment, or set
+        them at the top of your Vagrantfile:
+
+            AWS_ACCESS_KEY_ID
+            AWS_SECRET_ACCESS_KEY
+
+        Alternatively, you can create a credential profile and set the
+
+            AWS_PROFILE
+
+        environment variable. Consult the documentation for details.
+
+      malformed_shorthand_url: |-
+        Malformed shorthand S3 box URL:
+
+            %{url}
+
+        Check your `box_url` setting.
+
+      s3_api_error: |-
+        Unable to communicate with Amazon S3 to download box. The S3 API reports:
+
+            %{error}
+
+      bucket_location_access_denied_error: |-
+        Request for box's Amazon S3 region was denied.
+
+        This usually indicates that your user account is misconfigured. Ensure
+        your IAM policy allows the "s3:GetBucketLocation" action for your bucket:
+
+            arn:aws:s3:::%{bucket}
+
+      box_download_forbidden: |-
+        This box is hosted on Amazon S3. A 403 Forbidden error usually indicates
+        that your user account is misconfigured. Ensure your IAM policy allows
+        the "s3:GetObject" action for your bucket:
+
+            arn:aws:s3:::%{bucket}/*
+
+        It may also indicate the box does not exist, so check your spelling.

data/test/box/minimal

@@ -0,0 +1,13 @@
+{
+  "name": "vagrant-s3auth/minimal",
+  "description": "This box contains company secrets.",
+  "versions": [{
+    "version": "1.0.1",
+    "providers": [{
+      "name": "virtualbox",
+      "url": "%{box_url}",
+      "checksum_type": "sha1",
+      "checksum": "8ea536dd3092cf159f02405edd44ded5b62ba4e6"
+    }]
+  }]
+}

data/test/box/public-minimal

@@ -0,0 +1,13 @@
+{
+  "name": "vagrant-s3auth/public-minimal",
+  "description": "This box contains no company secrets.",
+  "versions": [{
+    "version": "1.0.1",
+    "providers": [{
+      "name": "virtualbox",
+      "url": "%{box_url}",
+      "checksum_type": "sha1",
+      "checksum": "8ea536dd3092cf159f02405edd44ded5b62ba4e6"
+    }]
+  }]
+}