wdi_runas 0.5.1

data/lib/aws_runas/config.rb

@@ -0,0 +1,61 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'inifile'
+
+module AwsRunAs
+  # Manages the configuartion file, including loading and retrieving values.
+  class Config
+    attr_reader :profile
+    # Finds the configuration file (used if no file is specified).
+    # paths searched: ./aws_config, and ~/.aws/config.
+    def self.find_config_file
+      local_config = File.expand_path('aws_config')
+      user_config = File.expand_path('~/.aws/config')
+      return local_config if File.exist?(local_config)
+      user_config if File.exist?(user_config)
+    end
+
+    def initialize(path:, profile:)
+      @path = path
+      @path = self.class.find_config_file unless @path
+      fail(Errno::ENOENT, "#{@path}") unless File.exist?(@path.to_s)
+      @profile = profile
+    end
+
+    # Loads the config section for a specific profile.
+    def load_config_value(key:)
+      section = @profile
+      section = "profile #{@profile}" unless @profile == 'default'
+      aws_config = IniFile.load(@path)
+      unless aws_config.has_section?(section)
+        fail(NameError, "Profile #{@profile} not found in #{@path}")
+      end
+      aws_config[section][key]
+    end
+
+    # Checks to see if MFA is required for a specific profile.
+    def mfa_required?
+      return true if load_config_value(key: 'mfa_serial') && !ENV.include?('AWS_SESSION_TOKEN')
+      false
+    end
+
+    # loads the soruce credentials profile based on the supplied profile.
+    def load_source_profile
+      source_profile = load_config_value(key: 'source_profile')
+      return source_profile if source_profile
+      @profile
+    end
+  end
+end

data/lib/aws_runas/main.rb

@@ -0,0 +1,104 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'aws_runas/config'
+require 'aws_runas/utils'
+
+# AWS_SDK_CONFIG_OPT_OUT must be set here so that we use the pre-2.4 SDK
+# behaviour, which ensures that ~/.aws/config is not re-read when assuming
+# roles.
+ENV.store('AWS_SDK_CONFIG_OPT_OUT', '1')
+require 'aws-sdk'
+
+module AwsRunAs
+  # Main program logic for aws-runas - sets up sts asession and assumed role,
+  # and hands off environment to called process.
+  class Main
+    # Instantiate the object and set up the path, profile, and populate MFA
+    def initialize(path: nil, profile: default, mfa_code: nil, no_role: nil)
+      cfg_path = if path
+                   path
+                 else
+                   AwsRunAs::Config.find_config_file
+                 end
+      @cfg = AwsRunAs::Config.new(path: cfg_path, profile: profile)
+      @mfa_code = mfa_code
+      @no_role = no_role
+    end
+
+    def sts_client
+      region = @cfg.load_config_value(key: 'region')
+      region = 'us-east-1' unless region
+      Aws::STS::Client.new(
+        profile: @cfg.load_source_profile,
+        region: region
+      )
+    end
+
+    def assume_role
+      session_id = "aws-runas-session_#{Time.now.to_i}"
+      role_arn = @cfg.load_config_value(key: 'role_arn')
+      mfa_serial = @cfg.load_config_value(key: 'mfa_serial') unless ENV.include?('AWS_SESSION_TOKEN')
+      if @no_role
+        raise 'No mfa_serial in selected profile, session will be useless' if mfa_serial.nil?
+        @session = sts_client.get_session_token(
+          duration_seconds: 86400,
+          serial_number: mfa_serial,
+          token_code: @mfa_code
+        )
+      else
+        @session = Aws::AssumeRoleCredentials.new(
+          client: sts_client,
+          role_arn: role_arn,
+          serial_number: mfa_serial,
+          token_code: @mfa_code,
+          role_session_name: session_id
+        )
+      end
+    end
+
+    def session_credentials
+      @session.credentials
+    end
+
+    def credentials_env
+      env = {}
+      env['AWS_ACCESS_KEY_ID'] = session_credentials.access_key_id
+      env['AWS_SECRET_ACCESS_KEY'] = session_credentials.secret_access_key
+      env['AWS_SESSION_TOKEN'] = session_credentials.session_token
+      env['AWS_RUNAS_PROFILE'] = @cfg.profile
+      unless @cfg.load_config_value(key: 'region').nil?
+        env['AWS_REGION'] = @cfg.load_config_value(key: 'region')
+        env['AWS_DEFAULT_REGION'] = @cfg.load_config_value(key: 'region')
+      end
+      if @no_role
+        env['AWS_SESSION_EXPIRATION'] = session_credentials.expiration.to_s
+        env['AWS_SESSION_EXPIRATION_UNIX'] = DateTime.parse(session_credentials.expiration.to_s).strftime('%s')
+      else
+        env['AWS_SESSION_EXPIRATION'] = @session.expiration.to_s
+        env['AWS_SESSION_EXPIRATION_UNIX'] = DateTime.parse(@session.expiration.to_s).strftime('%s')
+        env['AWS_RUNAS_ASSUMED_ROLE_ARN'] = @cfg.load_config_value(key: 'role_arn')
+      end
+      env
+    end
+
+    def handoff(command: nil, argv: nil, skip_prompt:)
+      env = credentials_env
+      unless command
+        AwsRunAs::Utils.handoff_to_shell(env: env, profile: @no_role ? nil : @cfg.profile, skip_prompt: skip_prompt)
+      end
+      exec(env, command, *argv)
+    end
+  end
+end

data/lib/aws_runas/utils.rb

@@ -0,0 +1,106 @@
+# Copyright 2016 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'rbconfig'
+require 'tempfile'
+require 'tmpdir'
+require 'fileutils'
+require 'English'
+
+module AwsRunAs
+  # Utility functions that aren't specifically tied to a class.
+  module Utils
+    module_function
+
+    # Return the path to the shell_profiles directory vendored with the gem.
+    def shell_profiles_dir
+      File.expand_path('../../../shell_profiles', __FILE__)
+    end
+
+    # Run an interactive bash session with a special streamed RC file.  The RC
+    # merges a local .bashrc if it exists, with a prompt that includes the
+    # computed message from handoff_to_shell.
+    def handoff_bash(env:, path:, message:, skip_prompt:)
+      rc_data = IO.read("#{ENV['HOME']}/.bashrc") if File.exist?("#{ENV['HOME']}/.bashrc")
+      rc_file = Tempfile.new('aws_runas_bashrc')
+      rc_file.write("#{rc_data}\n") unless rc_data.nil?
+      rc_file.write(IO.read("#{shell_profiles_dir}/sh.profile"))
+      unless skip_prompt
+        rc_file.write("PS1=\"\\[\\e[\\$(aws_session_status_color)m\\](#{message})\\[\\e[0m\\] $PS1\"\n")
+      end
+      rc_file.close
+      system(env, path, '--rcfile', rc_file.path)
+    ensure
+      rc_file.unlink
+    end
+
+    # Run an interactive zsh session with a special streamed RC file.  The RC
+    # merges a local .zshrc if it exists, with a prompt that includes the
+    # computed message from handoff_to_shell.
+    def handoff_zsh(env:, path:, message:, skip_prompt:)
+      rc_data = IO.read("#{ENV['HOME']}/.zshrc") if File.exist?("#{ENV['HOME']}/.zshrc")
+      rc_dir = Dir.mktmpdir('aws_runas_zsh')
+      rc_file = File.new("#{rc_dir}/.zshrc", 'w')
+      rc_file.write("#{rc_data}\n") unless rc_data.nil?
+      rc_file.write(IO.read("#{shell_profiles_dir}/sh.profile"))
+      unless skip_prompt
+        rc_file.write("setopt PROMPT_SUBST\n")
+        rc_file.write("export OLDPROMPT=\"${PROMPT}\"\n")
+        rc_file.write("PROMPT=$'%{\\e[\\%}$(aws_session_status_color)m(#{message})%{\\e[0m%} $OLDPROMPT'\n")
+      end
+      rc_file.close
+      env.store('ZDOTDIR', rc_dir)
+      system(env, path)
+    ensure
+      FileUtils.rmtree(rc_dir)
+    end
+
+    # load the shell for a specific operating system.
+    # if $SHELL exists, load that.
+    def shell
+      if RbConfig::CONFIG['host_os'] =~ /mswin|windows|mingw32/i
+        'cmd.exe'
+      elsif ENV.include?('SHELL')
+        ENV['SHELL']
+      else
+        '/bin/sh'
+      end
+    end
+
+    # Compute the message given to the prompt based off supplied profile.
+    def compute_message(profile:)
+      if profile.nil?
+        'AWS'
+      else
+        "AWS:#{profile}"
+      end
+    end
+
+    # "Handoff" to a supported interactive shell. More technically, this runs
+    # an interactive shell with the shell prompt customized to the current
+    # running AWS profile. If the shell is not something we can handle
+    # specifically, just run the shell.
+    def handoff_to_shell(env:, profile: nil, skip_prompt:)
+      path = shell
+      if path.end_with?('/bash')
+        handoff_bash(env: env, path: path, message: compute_message(profile: profile), skip_prompt: skip_prompt)
+      elsif path.end_with?('/zsh')
+        handoff_zsh(env: env, path: path, message: compute_message(profile: profile), skip_prompt: skip_prompt)
+      else
+        system(env, path)
+      end
+      exit $CHILD_STATUS.exitstatus
+    end
+  end
+end

data/lib/aws_runas/version.rb

@@ -0,0 +1,17 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module AwsRunAs
+  VERSION = '0.5.1'
+end

data/lib/aws_runas.rb

@@ -0,0 +1,15 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'aws_runas/main'

data/shell_profiles/sh.profile

@@ -0,0 +1,23 @@
+# vim:filetype=sh
+#
+# aws_session_expired checks to see if the current session has expired, based
+# off of the value stored in AWS_SESSION_EXPIRATION_UNIX. This functionality
+# relies on date being in $PATH.
+aws_session_expired() {
+  if [[ "${AWS_SESSION_EXPIRATION_UNIX}" -lt "$(date +%s)" ]]; then
+    return 0
+  fi
+  return 1
+}
+
+# aws_session_status_color returns an ANSI color number for the specific status
+# of the session. Note that if session_expired is not correctly functioning,
+# this will always be yellow. Red is shown when it's verified that the session
+# has expired.
+aws_session_status_color() {
+  if aws_session_expired; then
+    echo "31"
+  else
+    echo "33"
+  fi
+}

data/spec/aws_runas/cli_spec.rb

@@ -0,0 +1,59 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+require 'aws_runas/cli'
+require 'aws_runas/main'
+
+describe AwsRunAs::Cli do
+  describe '::load_opts' do
+    it 'loads the path option' do
+      opts = AwsRunAs::Cli.load_opts(args: ['--path', 'test-opts/aws_config'])
+      expect(opts[:path]).to eq('test-opts/aws_config')
+    end
+
+    it 'loads the profile option' do
+      opts = AwsRunAs::Cli.load_opts(args: ['--profile', 'test-profile'])
+      expect(opts[:profile]).to eq('test-profile')
+    end
+  end
+
+  describe '::start' do
+    before(:example) do
+      allow(AwsRunAs::Cli).to receive(:load_opts).and_return({})
+      allow(AwsRunAs::Cli).to receive(:read_mfa_if_needed)
+      allow(AwsRunAs::Main).to receive(:new).and_return double(
+        'AwsRunAs::Main',
+        assume_role: true,
+        handoff: true
+      )
+    end
+
+    it 'creates an AwsConfig::Main instance' do
+      expect(AwsRunAs::Main).to receive(:new)
+      AwsRunAs::Cli.start
+    end
+  end
+
+  describe '::read_mfa_if_needed' do
+    it 'reads the MFA code' do
+      allow(STDIN).to receive(:gets).and_return('123456')
+      mfa_code = AwsRunAs::Cli.read_mfa_if_needed(
+        path: MOCK_AWS_CONFIGPATH,
+        profile: 'test-profile'
+      )
+      expect(mfa_code).to eq('123456')
+    end
+  end
+end

data/spec/aws_runas/config_spec.rb

@@ -0,0 +1,114 @@
+# Copyright 2015 Chris Marchesi
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+require 'aws_runas/config'
+
+describe AwsRunAs::Config do
+  describe '::find_config_file' do
+    before(:example) do
+      allow(File).to receive(:expand_path).with('aws_config').and_return('./aws_config')
+      allow(File).to receive(:expand_path).with('~/.aws/config').and_return('./.aws/config')
+      allow(File).to receive(:exist?).with('./.aws/config').and_return true
+    end
+
+    it 'finds a file at ./aws_config' do
+      allow(File).to receive(:exist?).with('./aws_config').and_return true
+      expect(AwsRunAs::Config.find_config_file).to eq('./aws_config')
+    end
+    it 'finds a file at ~/.aws/config' do
+      allow(File).to receive(:exist?).with('./aws_config').and_return false
+      expect(AwsRunAs::Config.find_config_file).to eq('./.aws/config')
+    end
+  end
+
+  context 'with profile set to default' do
+    before(:context) do
+      @cfg = AwsRunAs::Config.new(path: MOCK_AWS_CONFIGPATH, profile: 'default')
+    end
+
+    describe '#load_config_value' do
+      it 'loads a value from the default profile' do
+        expect(@cfg.load_config_value(key: 'region')).to eq('us-east-1')
+      end
+    end
+
+    describe '#load_source_profile' do
+      it 'returns the default profile when no source profile is present' do
+        expect(@cfg.load_source_profile).to eq('default')
+      end
+    end
+  end
+
+  context 'with profile set to test-profile' do
+    before(:context) do
+      @cfg = AwsRunAs::Config.new(path: MOCK_AWS_CONFIGPATH, profile: 'test-profile')
+    end
+
+    describe '#initialize' do
+      it 'sets the profile correctly' do
+        expect(@cfg.instance_variable_get('@profile')).to eq('test-profile')
+      end
+    end
+
+    describe '#load_config_value' do
+      it 'loads a value from the non-default profile' do
+        expect(@cfg.load_config_value(key: 'mfa_serial')).to eq('arn:aws:iam::123456789012:mfa/test')
+      end
+    end
+
+    describe '#mfa_required' do
+      it 'confirms MFA is required the non-default profile' do
+        expect(@cfg.instance_variable_get('@profile')).to eq('test-profile')
+        expect(@cfg.mfa_required?).to be true
+      end
+
+      it 'confirms MFA is not required if AWS_SESSION_TOKEN is set' do
+        expect(@cfg.instance_variable_get('@profile')).to eq('test-profile')
+        expect(@cfg.mfa_required?).to be true
+        ENV.store('AWS_SESSION_TOKEN', 'foo')
+      end
+    end
+
+    describe '#load_source_profile' do
+      it 'loads the source credentials profile for the the non-default profile' do
+        expect(@cfg.load_source_profile).to eq('test-credentials')
+      end
+    end
+  end
+
+  context 'with profile set to an invalid profile' do
+    before(:context) do
+      @cfg = AwsRunAs::Config.new(path: MOCK_AWS_CONFIGPATH, profile: 'bad-profile')
+    end
+
+    describe '#load_config_value' do
+      it 'raises a NameError when a value load is attempted' do
+        expect { @cfg.load_config_value(key: 'region') }.to raise_error(NameError)
+      end
+    end
+  end
+
+  context 'with an invalid config file supplied' do
+    describe '#load_config_value' do
+      it 'raises a Errno::ENOENT error' do
+        expect do
+          AwsRunAs::Config.new(
+            path: '/bad/path/here', profile: 'default'
+          )
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+  end
+end