vagrant-s3auth-mfa 1.4.0 → 1.4.1

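--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 535efe4b64ce2e8edab42b662713d360f76c94408c291bf3e6fd99dc17664493
- data.tar.gz: ace047d7f8806421050acbc09b99c8c43bdf6fd21bd29250d0bd8fd8e27ef72f
+ metadata.gz: 5dc3518823602d8b94d24b4da53cbb502aaff6fe0851c12558ba900c2766ed26
+ data.tar.gz: 53f891c31a090cda061ce2d881b2443150ea6a050b67959a7fbd2b4103474d57
  SHA512:
- metadata.gz: ffc6111b6799f0f6f747bb95e784eb1b5b0f530b4772040a99c70332c5e3c728f661404a52e9d243cd31e48ec31d740185b02318f7e695a0c7a2ecb0167277ac
- data.tar.gz: a2e4158d7b5a8c0c679b27ea574a6ce619007b4e15724097065688de835bd15ed19a8c3f026e3207d9ff95d352ff1ecfafaeb126ab463daf3deada036065066e
+ metadata.gz: e626ce2486a31e5f294c0b8460f81414643548045b1860bad94197204291b3474d311451629f8f4558f33a8456b362f95ad8c6f28772f7192e67929689ec4242
+ data.tar.gz: fa3d4878e116ac5227db36ccc498c48d359f1872d637c03395931747ec4d9dfd0d5d4c194216e8964385c52468914fe6d283c54d7022beeab133ad135bb23823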
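--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,20 @@
+ ## 1.4.1
+
+ **15 January 2018**
+
+ Features:
+
+ * Rename to vagrant-s3auth-mfa
+
+ ## 1.4.0
+
+ **14 January 2018**
+
+ Features:
+
+ * Added support for MFA and Assume Role
+
+
  ## 1.3.2
 
  **6 January 2016**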
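--- a/data/README.md
+++ b/data/README.md
@@ -1,4 +1,4 @@
- # vagrant-s3auth
+ # vagrant-s3auth-mfa
 
  <a href="https://travis-ci.org/WhoopInc/vagrant-s3auth">
  <img src="https://travis-ci.org/WhoopInc/vagrant-s3auth.svg?branch=master"
@@ -12,7 +12,7 @@ Private, versioned Vagrant boxes hosted on Amazon S3.
  From the command line:
 
  ```bash
- $ vagrant plugin install vagrant-s3auth
+ $ vagrant plugin install vagrant-s3auth-mfa
  ```
 
  ### Requirements
@@ -21,7 +21,7 @@ $ vagrant plugin install vagrant-s3auth
 
  ## Usage
 
- vagrant-s3auth will automatically sign requests for S3 URLs
+ vagrant-s3auth-mfa will automatically sign requests for S3 URLs
 
  ```
  s3://bucket.example.com/path/to/metadata
@@ -59,7 +59,7 @@ environment variable. For example:
  ```ini
  # ~/.aws/credentials
 
- [vagrant-s3auth]
+ [vagrant-s3auth-mfa]
  aws_access_key_id = AKIA...
  aws_secret_access_key = ...
  ```
@@ -68,7 +68,7 @@ aws_secret_access_key = ...
  # Vagrantfile
 
  ENV.delete_if { |name| name.start_with?('AWS_') } # Filter out rogue env vars.
- ENV['AWS_PROFILE'] = 'vagrant-s3auth'
+ ENV['AWS_PROFILE'] = 'vagrant-s3auth-mfa'
 
  Vagrant.configure("2") { |config| ... }
  ```
@@ -88,6 +88,30 @@ profile file) will be displayed when the box is downloaded. If you use
  multiple AWS credentials and see authentication errors, verify that the
  correct access key was detected.
 
+ ##### AWS credentials using ~/.aws/config profiles
+
+ Using this feature adds support for assuming an IAM Role and MFA authentication.
+
+ ```ini
+ # ~/.aws/config
+
+ [profile role-to-assume]
+ region = eu-west-1
+ source_profile = vagrant-s3auth-mfa
+ role_arn = arn:aws:iam::12345678900:role/role-to-assume
+ mfa_serial = arn:aws:iam::12345678900:mfa/user
+ ```
+
+ ```ruby
+ # Vagrantfile
+
+ ENV.delete_if { |name| name.start_with?('AWS_') } # Filter out rogue env vars.
+ ENV['AWS_REGION'] = 'eu-west-1'
+ ENV['AWS_CONFIG_PROFILE'] = 'role-to-assume'
+
+ Vagrant.configure("2") { |config| ... }
+ ```
+
  ##### IAM configuration
 
  IAM accounts will need at least the following policy:
@@ -112,7 +136,7 @@ IAM accounts will need at least the following policy:
 
  **IMPORTANT:** You must split up bucket and object permissions into separate policy statements as written above! See [Writing IAM Policies: How to grant access to an Amazon S3 Bucket][aws-s3-iam].
 
- Also note that `s3:ListBucket` permission is not strictly necessary. vagrant-s3auth will never
+ Also note that `s3:ListBucket` permission is not strictly necessary. vagrant-s3auth-mfa will never
  make a ListBucket request, but without ListBucket permission, a misspelled box
  name results in a 403 Forbidden error instead of a 404 Not Found error. ([Why?][aws-403-404])
 
@@ -240,10 +264,10 @@ install a plugin is lame.
  But wait! Just stick some shell in your Vagrantfile:
 
  ```ruby
- unless Vagrant.has_plugin?('vagrant-s3auth')
+ unless Vagrant.has_plugin?('vagrant-s3auth-mfa')
  # Attempt to install ourself. Bail out on failure so we don't get stuck in an
  # infinite loop.
- system('vagrant plugin install vagrant-s3auth') || exit!
+ system('vagrant plugin install vagrant-s3auth-mfa') || exit!
 
  # Relaunch Vagrant so the plugin is detected. Exit with the same status code.
  exit system('vagrant', *ARGV)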
@@ -1,6 +1,6 @@
1
1
  require 'pathname'
2
2
 
3
- require 'vagrant-s3auth/plugin'
3
+ require 'vagrant-s3auth-mfa/plugin'
4
4
 
5
5
  module VagrantPlugins
6
6
  module S3Auth
@@ -22,6 +22,10 @@ module VagrantPlugins
22
22
  class S3APIError < VagrantS3AuthError
23
23
  error_key(:s3_api_error)
24
24
  end
25
+
26
+ class SetCredentialsFromProfileError < VagrantS3AuthError
27
+ error_key(:set_credentials_from_profile_error)
28
+ end
25
29
  end
26
30
  end
27
31
  end
@@ -1,7 +1,7 @@
1
1
  require 'uri'
2
2
 
3
3
  require 'vagrant/util/downloader'
4
- require 'vagrant-s3auth/util'
4
+ require 'vagrant-s3auth-mfa/util'
5
5
 
6
6
  S3Auth = VagrantPlugins::S3Auth
7
7
 
@@ -23,6 +23,11 @@ module Vagrant
23
23
  access_key: credential_provider.credentials.access_key_id,
24
24
  profile: credential_provider.profile_name
25
25
  )
26
+ when String
27
+ I18n.t(
28
+ 'vagrant_s3auth.downloader.profile_credential_config',
29
+ profile: credential_provider
30
+ )
26
31
  end
27
32
  end
28
33
 
@@ -2,6 +2,7 @@ require 'aws-sdk'
2
2
  require 'log4r'
3
3
  require 'net/http'
4
4
  require 'uri'
5
+ require 'aws_config'
5
6
 
6
7
  module VagrantPlugins
7
8
  module S3Auth
@@ -30,6 +31,10 @@ module VagrantPlugins
30
31
  end
31
32
 
32
33
  def self.s3_client(region = DEFAULT_REGION)
34
+ unless ENV['AWS_CONFIG_PROFILE'].nil?
35
+ config = AWSConfig[ENV['AWS_CONFIG_PROFILE']]
36
+ set_credentials_from_profile(config) if ::Aws.config.empty?
37
+ end
33
38
  ::Aws::S3::Client.new(region: region)
34
39
  end
35
40
 
@@ -76,7 +81,48 @@ module VagrantPlugins
76
81
  # Providing a NullObject here is the same as instantiating a
77
82
  # client without specifying a credentials config, like we do in
78
83
  # `self.s3_client`.
79
- ::Aws::CredentialProviderChain.new(NullObject.new).resolve
84
+ unless ENV['AWS_CONFIG_PROFILE'].nil?
85
+ ENV['AWS_CONFIG_PROFILE']
86
+ else
87
+ ::Aws::CredentialProviderChain.new(NullObject.new).resolve
88
+ end
89
+ end
90
+
91
+ def self.set_credentials_from_profile(region = DEFAULT_REGION, config)
92
+ creds = ::Aws::Credentials.new(
93
+ config.aws_access_key_id,
94
+ config.aws_secret_access_key
95
+ )
96
+ sts_client = ::Aws::STS::Client.new(
97
+ credentials: creds
98
+ )
99
+ if config.respond_to?(:mfa_serial)
100
+ print 'Enter AWS MFA token: '
101
+ token_code = STDIN.noecho(&:gets).chomp
102
+ creds = sts_client.get_session_token(
103
+ duration_seconds: 900,
104
+ serial_number: config.mfa_serial,
105
+ token_code: token_code
106
+ )
107
+ sts_client = ::Aws::STS::Client.new(
108
+ access_key_id: creds.credentials.access_key_id,
109
+ secret_access_key: creds.credentials.secret_access_key,
110
+ session_token: creds.credentials.session_token
111
+ )
112
+ end
113
+ if config.respond_to?(:role_arn)
114
+ creds = ::Aws::AssumeRoleCredentials.new(
115
+ client: sts_client,
116
+ role_arn: config.role_arn,
117
+ role_session_name: "#{ENV['USER']}-#{Time.now.utc.iso8601.tr!('-:', '_')}"
118
+ )
119
+ end
120
+ ::Aws.config.update(
121
+ region: config.region,
122
+ credentials: creds
123
+ )
124
+ rescue StandardError => e
125
+ raise Errors::SetCredentialsFromProfileError, profile: config.name, error: e
80
126
  end
81
127
  end
82
128
  end
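Review bot: In `set_credentials_from_profile`, a profile that has `mfa_serial` but no `role_arn` leaves `creds` holding the `get_session_token` response, and that response rather than a credentials object is what reaches `credentials:` in `::Aws.config.update`. The MFA branch should wrap the temporary keys in `::Aws::Credentials` and reuse that object for the follow-up STS client, as sketched below. The `rescue` also dereferences `config.name`, so if `AWSConfig[...]` in `s3_client` yields nil for an unknown profile (not verifiable from this hunk) the wrapped error would itself fail and hide the cause; a nil guard before the call would keep the message useful. `STDIN.noecho` and `Time#iso8601` need `io/console` and `time`, which are not among the requires visible in this file's first hunk, so confirm they are loaded elsewhere.

```ruby
if config.respond_to?(:mfa_serial)
  # … unchanged: prompt and noecho read of token_code …
  session = sts_client.get_session_token(
    duration_seconds: 900,
    serial_number: config.mfa_serial,
    token_code: token_code
  ).credentials
  # Keep creds a credentials object so it is valid for Aws.config even without role_arn.
  creds = ::Aws::Credentials.new(
    session.access_key_id,
    session.secret_access_key,
    session.session_token
  )
  sts_client = ::Aws::STS::Client.new(credentials: creds)
end
```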
@@ -1,5 +1,5 @@
1
1
  module VagrantPlugins
2
2
  module S3Auth
3
- VERSION = '1.4.0'.freeze
3
+ VERSION = '1.4.1'.freeze
4
4
  end
5
5
  end
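--- a/data/locales/en.yml
+++ b/data/locales/en.yml
@@ -7,6 +7,9 @@ en:
  profile_credential_provider: |-
  Signing S3 request with key '%{access_key}' loaded from profile '%{profile}'
 
+ profile_credential_config: |-
+ Signing S3 request with profile '%{profile}' loaded from ~/.aws/config
+
  errors:
  missing_credentials: |-
  Unable to find AWS credentials.
@@ -51,3 +54,8 @@ en:
  arn:aws:s3:::%{bucket}/*
 
  It may also indicate the box does not exist, so check your spelling.
+
+ set_credentials_from_profile_error: |-
+ Error while trying to set credententials for profile '%{profile}'
+
+ %{error}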
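--- a/data/test/box/minimal
+++ b/data/test/box/minimal
@@ -1,5 +1,5 @@
  {
- "name": "vagrant-s3auth/minimal",
+ "name": "vagrant-s3auth-mfa/minimal",
  "description": "This box contains company secrets.",
  "versions": [{
  "version": "1.0.1",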
@@ -1,5 +1,5 @@
1
1
  {
2
- "name": "vagrant-s3auth/public-minimal",
2
+ "name": "vagrant-s3auth-mfa/public-minimal",
3
3
  "description": "This box contains no company secrets.",
4
4
  "versions": [{
5
5
  "version": "1.0.1",
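--- a/data/test/cleanup.rb
+++ b/data/test/cleanup.rb
@@ -10,7 +10,7 @@ require_relative 'support'
 
  buckets = if ARGV.include?('--all')
  s3.buckets.select do |b|
- b.name.include?('vagrant-s3auth.com') && b.name.include?(region)
+ b.name.include?('vagrant-s3auth-mfa.com') && b.name.include?(region)
  end
  else
  [s3.bucket("#{region}.#{BUCKET}")]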
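--- a/data/test/run.bats
+++ b/data/test/run.bats
@@ -24,8 +24,8 @@ fi
  teardown() {
  bundle exec vagrant box remove "$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
  bundle exec vagrant box remove "public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
- bundle exec vagrant box remove "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
- bundle exec vagrant box remove "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
+ bundle exec vagrant box remove "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
+ bundle exec vagrant box remove "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" > /dev/null 2>&1 || true
  bundle exec vagrant box remove "$ATLAS_USERNAME/$VAGRANT_S3AUTH_ATLAS_BOX_NAME" > /dev/null 2>&1 || true
  }
 
@@ -85,52 +85,52 @@ teardown() {
 
  @test "metadata box with full path standard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "https://s3.amazonaws.com/us-east-1.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "public metadata box with full path standard url without credentials" {
  AWS_ACCESS_KEY_ID= \
  bundle exec vagrant box add \
- --name "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" \
  "https://s3.amazonaws.com/us-east-1.$VAGRANT_S3AUTH_BUCKET/public-$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "metadata box with full host standard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "https://us-east-1.$VAGRANT_S3AUTH_BUCKET.s3.amazonaws.com/$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "metadata box with shorthand standard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "s3://us-east-1.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "metadata box with full path nonstandard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "https://s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "public metadata box with full path nonstandard url without credentials" {
  AWS_ACCESS_KEY_ID= \
  bundle exec vagrant box add \
- --name "vagrant-s3auth/public-$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/public-$VAGRANT_S3AUTH_BOX_BASE" \
  "https://s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/public-$VAGRANT_S3AUTH_BOX_BASE"
  }
 
 
  @test "metadata box with full host nonstandard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "https://$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET.s3-$VAGRANT_S3AUTH_REGION_NONSTANDARD.amazonaws.com/$VAGRANT_S3AUTH_BOX_BASE"
  }
 
  @test "metadata box with shorthand nonstandard url" {
  bundle exec vagrant box add \
- --name "vagrant-s3auth/$VAGRANT_S3AUTH_BOX_BASE" \
+ --name "vagrant-s3auth-mfa/$VAGRANT_S3AUTH_BOX_BASE" \
  "s3://$VAGRANT_S3AUTH_REGION_NONSTANDARD.$VAGRANT_S3AUTH_BUCKET/$VAGRANT_S3AUTH_BOX_BASE"
  }
 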
@@ -1,14 +1,14 @@
1
1
  $LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
2
2
 
3
- require 'vagrant-s3auth/version'
3
+ require 'vagrant-s3auth-mfa/version'
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = 'vagrant-s3auth-mfa'
7
7
  spec.version = VagrantPlugins::S3Auth::VERSION
8
8
  spec.authors = ['Nikhil Benesch']
9
9
  spec.email = ['benesch@whoop.com']
10
- spec.summary = '[Forked by VRTDev] Private, versioned Vagrant boxes hosted on Amazon S3.'
11
- spec.homepage = 'https://github.com/WhoopInc/vagrant-s3auth'
10
+ spec.summary = '[VRTDev Fork]Private, versioned Vagrant boxes hosted on Amazon S3.'
11
+ spec.homepage = 'https://github.com/vrtdev/vagrant-s3auth-mfa'
12
12
  spec.license = 'MIT'
13
13
 
14
14
  spec.files = `git ls-files -z`.split("\x0")
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
16
16
  spec.require_paths = ['lib']
17
17
 
18
18
  spec.add_dependency 'aws-sdk', '~> 2.6.44'
19
- spec.add_dependency 'aws_config', '~> 0.1.0'
19
+ spec.add_dependency 'aws_config', '0.1.0'
20
20
 
21
21
  spec.add_development_dependency 'bundler', '~> 1.5'
22
22
  spec.add_development_dependency 'http', '~> 1.0.2'
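Review bot: The fork now ships under a new gem name and `spec.homepage`, but the unchanged `spec.authors` and `spec.email` lines still name only the upstream maintainer, so anyone checking the provenance of this credential-handling plugin is pointed at a contact who does not appear to control the release; add the fork's maintainers, e.g. `spec.authors = ['Nikhil Benesch', '<fork maintainer>']`. The exact pin `'aws_config', '0.1.0'` also stops patch releases of the library that parses the AWS profile from being picked up, so a comment such as `# pinned: <reason>` would tell the next maintainer when it is safe to relax. The new summary string is missing a space after `]`.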
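--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: vagrant-s3auth-mfa
  version: !ruby/object:Gem::Version
- version: 1.4.0
+ version: 1.4.1
  platform: ruby
  authors:
  - Nikhil Benesch
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2019-01-14 00:00:00.000000000 Z
+ date: 2019-01-15 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: aws-sdk
@@ -28,14 +28,14 @@ dependencies:
  name: aws_config
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - '='
  - !ruby/object:Gem::Version
  version: 0.1.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - '='
  - !ruby/object:Gem::Version
  version: 0.1.0
  - !ruby/object:Gem::Dependency
@@ -112,13 +112,13 @@ files:
  - README.md
  - Rakefile
  - TESTING.md
- - lib/vagrant-s3auth.rb
- - lib/vagrant-s3auth/errors.rb
- - lib/vagrant-s3auth/extension/downloader.rb
- - lib/vagrant-s3auth/middleware/expand_s3_urls.rb
- - lib/vagrant-s3auth/plugin.rb
- - lib/vagrant-s3auth/util.rb
- - lib/vagrant-s3auth/version.rb
+ - lib/vagrant-s3auth-mfa.rb
+ - lib/vagrant-s3auth-mfa/errors.rb
+ - lib/vagrant-s3auth-mfa/extension/downloader.rb
+ - lib/vagrant-s3auth-mfa/middleware/expand_s3_urls.rb
+ - lib/vagrant-s3auth-mfa/plugin.rb
+ - lib/vagrant-s3auth-mfa/util.rb
+ - lib/vagrant-s3auth-mfa/version.rb
  - locales/en.yml
  - test/box/minimal
  - test/box/minimal.box
@@ -128,8 +128,8 @@ files:
  - test/run.bats
  - test/setup.rb
  - test/support.rb
- - vagrant-s3auth.gemspec
- homepage: https://github.com/WhoopInc/vagrant-s3auth
+ - vagrant-s3auth-mfa.gemspec
+ homepage: https://github.com/vrtdev/vagrant-s3auth-mfa
  licenses:
  - MIT
  metadata: {}
@@ -152,6 +152,6 @@ rubyforge_project:
  rubygems_version: 2.7.7
  signing_key:
  specification_version: 4
- summary: "[Forked by VRTDev] Private, versioned Vagrant boxes hosted on Amazon S3."
+ summary: "[VRTDev Fork]Private, versioned Vagrant boxes hosted on Amazon S3."
  test_files:
- - vagrant-s3auth.gemspec
+ - vagrant-s3auth-mfa.gemspec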