vagrant-s3auth 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8bd07d8c67e818f8b050629b918f2939c85d6b43
+  data.tar.gz: 1439d1a6f47f937886bd861affe61a38c49bee2a
+SHA512:
+  metadata.gz: e6d3178aca6715909b44ba0e548045e3c70e752ca0ce81b8894214ac6d15ebe6612aeb85b1c35e6caffb089771b5a654c0098354ea36a31c990f3f060774c7a6
+  data.tar.gz: 1f79b0b7fb583e0f627ac3b6dd80bde532aab476bb80b1f42e9072a09c42842b2dd874291c81479442edd202fc46fecaf9683cddc33429020e1d0726b7509266

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.vagrant
+pkg
+Vagrantfile

data/.rubocop.yml

@@ -0,0 +1,20 @@
+AlignParameters:
+  Enabled: false
+
+AssignmentInCondition:
+  Enabled: false
+
+Documentation:
+  Enabled: false
+
+LineLength:
+  Max: 100
+
+MethodLength:
+  CountComments: false  # count full line comments?
+  Max: 20
+
+SignalException:
+  EnforcedStyle: only_raise
+  SupportedStyles:
+    - only_raise

data/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+group :plugins do
+  gem 'vagrant-s3auth', path: '.'
+end
+
+group :development do
+  gem 'vagrant', git: 'git://github.com/mitchellh/vagrant.git'
+end

data/Gemfile.lock

@@ -0,0 +1,58 @@
+GIT
+  remote: git://github.com/mitchellh/vagrant.git
+  revision: b97c509c15d94ee70af8ce25739934c5dccb7452
+  specs:
+    vagrant (1.5.3.dev)
+      bundler (~> 1.5.2)
+      childprocess (~> 0.5.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6.0)
+      listen (~> 2.7.1)
+      log4r (~> 1.1.9, < 1.1.11)
+      net-scp (~> 1.1.0)
+      net-ssh (>= 2.6.6, < 2.8.0)
+      rb-kqueue (~> 0.2.0)
+      wdm (~> 0.1.0)
+
+PATH
+  remote: .
+  specs:
+    vagrant-s3auth (0.0.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    celluloid (0.15.2)
+      timers (~> 1.1.0)
+    celluloid-io (0.15.0)
+      celluloid (>= 0.15.0)
+      nio4r (>= 0.5.0)
+    childprocess (0.5.2)
+      ffi (~> 1.0, >= 1.0.11)
+    erubis (2.7.0)
+    ffi (1.9.3)
+    i18n (0.6.9)
+    listen (2.7.1)
+      celluloid (>= 0.15.2)
+      celluloid-io (>= 0.15.0)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9)
+    log4r (1.1.10)
+    net-scp (1.1.2)
+      net-ssh (>= 2.6.5)
+    net-ssh (2.7.0)
+    nio4r (1.0.0)
+    rb-fsevent (0.9.4)
+    rb-inotify (0.9.3)
+      ffi (>= 0.5.0)
+    rb-kqueue (0.2.2)
+      ffi (>= 0.5.0)
+    timers (1.1.0)
+    wdm (0.1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  vagrant!
+  vagrant-s3auth!

data/LICENSE

@@ -0,0 +1,3 @@
+Copyright (c) 2014 WHOOP, Inc.
+
+All right reserved.

data/README.md

@@ -0,0 +1,181 @@
+# vagrant-s3auth
+
+Private, versioned Vagrant boxes hosted on Amazon S3.
+
+## Installation
+
+From the command line:
+
+```bash
+$ vagrant plugin install vagrant-s3auth
+```
+
+### Requirements
+
+* [Vagrant][vagrant], v1.5.0+
+
+## Usage
+
+vagrant-s3auth will automatically convert S3 box URLs
+
+```
+s3://bucket.example.com/path/to/metadata
+```
+
+to URLs [signed with your AWS access key][aws-signed]:
+
+```
+https://s3.amazonaws.com/bucket.example.com/path/to/metadata?AWSAccessKeyId=
+    AKIAIOSFODNN7EXAMPLE&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D
+```
+
+This means you can host your team's sensitive, private boxes on S3, and use your
+developers' existing AWS credentials to securely grant access.
+
+If you've already got your credentials stored in the appropriate environment
+variables:
+
+```ruby
+# Vagrantfile
+
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'simple-secrets'
+  config.vm.box_url = 's3://example.com/secret.box'
+end
+```
+
+### Configuration
+
+#### AWS credentials
+
+AWS credentials are read from the standard environment variables
+`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+
+If you need to obtain credentials from elsewhere, drop a block like the
+following at the top of your Vagrantfile:
+
+```ruby
+creds = File.read(File.expand_path('~/.company-aws-creds')).lines
+ENV['AWS_ACCESS_KEY_ID']     = creds[0]
+ENV['AWS_SECRET_ACCESS_KEY'] = creds[1]
+```
+
+
+#### Simple boxes
+
+Simply point your `box_url` at Amazon S3:
+
+```ruby
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'simple-secrets'
+  config.vm.box_url = 'https://s3.amazonaws.com/bucket.example.com/secret.box'
+end
+```
+
+Note that your URL must be of the form
+
+```
+https://s3.amazonaws.com/bucket/resource
+```
+
+Other valid forms of S3 URLs (`bucket.s3.amazonaws.com/resource.box`, etc.) will
+not be detected by vagrant-s3auth.
+
+As shorthand, `s3://` URLs will be automatically transformed. This is equivalent
+to the above:
+
+```ruby
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'simple-secrets'
+  config.vm.box_url = 's3://example.com/secret.box'
+end
+```
+
+**Note:** Simple box URLs must end in `.box`, or they'll be interpreted as
+[metadata boxes](#metadata-boxes).
+
+#### Vagrant Cloud
+
+Boxes on [Vagrant Cloud][vagrant-cloud] have support for versioning, multiple
+providers, and a GUI management tool. If you've got a box version on Vagrant
+Cloud.
+
+Then just configure your Vagrantfile like normal:
+
+```ruby
+Vagrant.configure('2') do |config|
+  config.vm.box = 'examplecorp/secrets'
+end
+```
+
+#### Metadata boxes
+
+[Metadata boxes][metadata-boxes] were added to Vagrant in 1.5 and power Vagrant
+Cloud. You can host your own metadata and bypass Vagrant Cloud entirely.
+
+Essentially, you point your `box_url` at a [JSON metadata file][metadata-boxes]
+that tells Vagrant where to find all possible versions:
+
+```ruby
+# Vagrantfile
+
+Vagrant.configure('2') do |config|
+  config.vm.box     = 'examplecorp/secrets'
+  config.vm.box_url = 's3://example.com/secrets'
+end
+```
+
+```json
+"s3://example.com/secrets"
+
+{
+  "name": "examplecorp/secrets",
+  "description": "This box contains company secrets.",
+  "versions": [{
+    "version": "0.1.0",
+    "providers": [{
+      "name": "virtualbox",
+      "url": "https://s3.amazonaws.com/example.com/secrets.box",
+      "checksum_type": "sha1",
+      "checksum": "foo"
+    }]
+  }]
+}
+```
+
+**Note:** box URLs in metadata JSON must use the
+`s3.amazonaws.com/bucket.example.com/resource.box` URL form, or it won't get
+auto-signed.
+
+### Rules
+
+To sum up:
+
+* Only the `box_url` setting can use the `s3://` shorthand. URLs entered on the
+  Vagrant Cloud management interface and in JSON metadata must use the full
+  HTTPS URL.
+
+* The full HTTPS URL must be of the form
+  `https://s3.amazonaws.com/bucket.example.com/resource.box`, or it won't be
+  signed properly.
+
+* Metadata box files must *not* end in `.box`.
+
+* Actual box files *must* end in `.box`.
+
+### Auto-install
+
+The beauty of Vagrant is the magic of "`vagrant up` and done." Making your users
+install a plugin is lame.
+
+But wait! Just stick some shell in your Vagrantfile:
+
+```ruby
+%x(vagrant plugin install vagrant-s3auth) unless Vagrant.has_plugin?('vagrant-s3auth')
+```
+
+
+[aws-signed]: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+[metadata-boxes]: http://docs.vagrantup.com/v2/boxes/format.html
+[vagrant]: http://vagrantup.com
+[vagrant-cloud]: http://vagrantcloud.com

data/Rakefile

@@ -0,0 +1,6 @@
+require 'rubygems'
+require 'bundler/setup'
+
+Dir.chdir(File.expand_path('../', __FILE__))
+
+Bundler::GemHelper.install_tasks

data/lib/vagrant-s3auth.rb

@@ -0,0 +1,14 @@
+require 'pathname'
+
+require 'vagrant-s3auth/plugin'
+
+module VagrantPlugins
+  module S3Auth
+    S3_HOST         = 's3.amazonaws.com'
+    BOX_URL_MATCHER = %r{^s3://(?<bucket>[[:alnum:]\-\.]+)(?<resource>.*)/?}
+
+    def self.source_root
+      @source_root ||= Pathname.new(File.expand_path('../../', __FILE__))
+    end
+  end
+end

data/lib/vagrant-s3auth/action.rb

@@ -0,0 +1,14 @@
+require_relative 'action/authenticate_box_url'
+require_relative 'action/box_add'
+
+module VagrantPlugins
+  module S3Auth
+    module Action
+      def self.authenticate_box_url
+        Vagrant::Action::Builder.new.tap do |b|
+          b.use AuthenticateBoxUrl
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/action/authenticate_box_url.rb

@@ -0,0 +1,86 @@
+require 'base64'
+require 'cgi'
+require 'log4r'
+require 'openssl'
+require 'uri'
+
+module VagrantPlugins
+  module S3Auth
+    module Action
+      class AuthenticateBoxUrl
+        def initialize(app, env)
+          @app    = app
+          @logger = Log4r::Logger.new('vagrant_s3auth::action::authenticate_box_url')
+          @access_key = ENV['AWS_ACCESS_KEY_ID']
+          @secret_key = ENV['AWS_SECRET_ACCESS_KEY']
+        end
+
+        def call(env)
+          env[:box_urls].map! do |url_string|
+            begin
+              url = URI.parse(url_string)
+            rescue URI::InvalidURIError
+              next url_string
+            end
+
+            unless s3_url?(url)
+              @logger.debug("Skipping non-S3 host: #{url}")
+              next url_string
+            end
+
+            # Vagrant makes a HEAD request for metadata. S3 doesn't support
+            # query-string authentication on HEAD requests, so skip signing. We
+            # need to provide a different "authenticated" URL, though, or
+            # Vagrant will think the box doesn't require authentication,
+            # and won't request an authenticated URL for the box itself.
+            unless box_url?(url)
+              @logger.debug("Munging S3 metadata URL: #{url}")
+              next url_string + '?'
+            end
+
+            @logger.info("Signing URL for S3 box: #{url}")
+            sign(url)
+          end
+
+          @app.call(env)
+        end
+
+        def sign(url)
+          ensure_credentials
+
+          expires = (Time.now + 20).to_i
+          message = "GET\n\n\n#{expires}\n#{url.path}"
+          signature = CGI.escape(Base64.strict_encode64(
+            OpenSSL::HMAC.digest('sha1', @secret_key, message)))
+
+          url.query = {
+            'AWSAccessKeyId' => @access_key,
+            'Expires'        => expires,
+            'Signature'      => signature
+          }.map { |k, v| "#{k}=#{v}" }.join('&')
+
+          url.to_s
+        end
+
+        def ensure_credentials
+          missing_variables = []
+          missing_variables << 'AWS_ACCESS_KEY_ID' unless @access_key
+          missing_variables << 'AWS_SECRET_ACCESS_KEY' unless @secret_key
+
+          unless missing_variables.empty?
+            raise Errors::MissingCredentialsError,
+              missing_variables: missing_variables.join(', ')
+          end
+        end
+
+        def s3_url?(url)
+          url.host == S3_HOST
+        end
+
+        def box_url?(url)
+          url.path.end_with?('.box')
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/action/box_add.rb

@@ -0,0 +1,41 @@
+require 'uri'
+
+module Vagrant
+  module Action
+    module Builtin
+      class BoxAdd
+        def call_with_s3(env)
+          box_url = env[:box_url]
+
+          # Non-iterable box_urls are Vagrant Cloud boxes, which we don't need
+          # to handle.
+          if box_url.respond_to?(:map!)
+            box_url.map! do |url|
+              if matched = VagrantPlugins::S3Auth::BOX_URL_MATCHER.match(url)
+                @logger.info('Transforming S3 box URL: #{url}')
+                s3_url(matched[:bucket], matched[:resource])
+              else
+                @logger.info("Not transforming non-S3 box: #{url}")
+                url
+              end
+            end
+          else
+            @logger.debug('Box URL #{box_url.inspect} looks like a Vagrant "
+              Cloud box, skipping S3 transformation...')
+          end
+
+          call_without_s3(env)
+        end
+
+        def s3_url(bucket, resource)
+          URI::HTTPS.build(
+            host: VagrantPlugins::S3Auth::S3_HOST,
+            path: File.join('/', bucket, resource)).to_s
+        end
+
+        alias_method :call_without_s3, :call
+        alias_method :call, :call_with_s3
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/errors.rb

@@ -0,0 +1,15 @@
+require 'vagrant'
+
+module VagrantPlugins
+  module S3Auth
+    module Errors
+      class VagrantS3AuthError < Vagrant::Errors::VagrantError
+        error_namespace('vagrant_s3auth.errors')
+      end
+
+      class MissingCredentialsError < VagrantS3AuthError
+        error_key(:missing_credentials)
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/plugin.rb

@@ -0,0 +1,53 @@
+begin
+  require 'vagrant'
+rescue LoadError
+  raise 'The Vagrant S3Auth plugin must be run within Vagrant.'
+end
+
+if Vagrant::VERSION < '1.5.0'
+  raise 'The Vagrant AWS plugin is only compatible with Vagrant 1.5+'
+end
+
+require_relative 'action'
+require_relative 'errors'
+
+module VagrantPlugins
+  module S3Auth
+    class Plugin < Vagrant.plugin(2)
+      name 's3auth'
+
+      description <<-DESC
+        Use versioned Vagrant boxes with S3 authentication.
+      DESC
+
+      action_hook 'authenticate-box-url', :authenticate_box_url do |hook|
+        setup_i18n
+        setup_logging
+
+        hook.append(Action.authenticate_box_url)
+      end
+
+      def self.setup_i18n
+        I18n.load_path << File.expand_path('locales/en.yml', VagrantPlugins::S3Auth.source_root)
+        I18n.reload!
+      end
+
+      def self.setup_logging
+        require 'log4r'
+
+        level = nil
+        begin
+          level = Log4r.const_get(ENV['VAGRANT_LOG'].upcase)
+        rescue NameError
+          level = nil
+        end
+
+        if level
+          logger = Log4r::Logger.new('vagrant_s3auth')
+          logger.outputters = Log4r::Outputter.stderr
+          logger.level = level
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-s3auth/version.rb

@@ -0,0 +1,5 @@
+module VagrantPlugins
+  module S3Auth
+    VERSION = '0.0.1'
+  end
+end

data/locales/en.yml

@@ -0,0 +1,10 @@
+en:
+  vagrant_s3auth:
+    errors:
+      missing_credentials: |-
+        Unable to read AWS credentials from the environment.
+
+        Ensure the following variables are set in your environment, or set
+        them at the top of your Vagrantfile:
+
+            %{missing_variables}

data/vagrant-s3auth.gemspec

@@ -0,0 +1,20 @@
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+
+require 'vagrant-s3auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'vagrant-s3auth'
+  spec.version       = VagrantPlugins::S3Auth::VERSION
+  spec.authors       = ['Nikhil Benesch']
+  spec.email         = ['benesch@whoop.com']
+  spec.summary       = 'Private, versioned Vagrant boxes hosted on Amazon S3.'
+  spec.homepage      = 'https://github.com/WhoopInc/vagrant-s3auth'
+  spec.license       = 'All rights reserved'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.test_files    = spec.files.grep(/spec/)
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.5'
+  spec.add_development_dependency 'rake'
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: vagrant-s3auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Nikhil Benesch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- benesch@whoop.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rubocop.yml
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- lib/vagrant-s3auth.rb
+- lib/vagrant-s3auth/action.rb
+- lib/vagrant-s3auth/action/authenticate_box_url.rb
+- lib/vagrant-s3auth/action/box_add.rb
+- lib/vagrant-s3auth/errors.rb
+- lib/vagrant-s3auth/plugin.rb
+- lib/vagrant-s3auth/version.rb
+- locales/en.yml
+- vagrant-s3auth.gemspec
+homepage: https://github.com/WhoopInc/vagrant-s3auth
+licenses:
+- All rights reserved
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Private, versioned Vagrant boxes hosted on Amazon S3.
+test_files:
+- vagrant-s3auth.gemspec