cloudx-proxy 0.4.4__tar.gz → 0.4.6__tar.gz

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [0.4.6](https://github.com/easytocloud/cloudX-proxy/compare/v0.4.5...v0.4.6) (2025-03-07)
+
+
+### Bug Fixes
+
+* added --yes for non-interactive setup ([7e6007f](https://github.com/easytocloud/cloudX-proxy/commit/7e6007f68db3a958d1987a308f20fa85b5f7289f))
+
+## [0.4.5](https://github.com/easytocloud/cloudX-proxy/compare/v0.4.4...v0.4.5) (2025-03-07)
+
+
+### Bug Fixes
+
+* 1Password key matching ([4583e20](https://github.com/easytocloud/cloudX-proxy/commit/4583e20915b9bf8ab5cb2244676ee735aaa35cfc))
+
 ## [0.4.4](https://github.com/easytocloud/cloudX-proxy/compare/v0.4.3...v0.4.4) (2025-03-07)
 
 

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cloudx-proxy
-Version: 0.4.4
+Version: 0.4.6
 Summary: SSH proxy command to connect VSCode with Cloud9/CloudX instance using AWS Systems Manager
 Author-email: easytocloud <info@easytocloud.com>
 License: MIT License
@@ -224,6 +224,30 @@ When adding new instances to an existing environment, you can choose to:
 
 This three-tier structure offers better maintainability by reducing duplication and making it clear which settings apply broadly and which are specific to an environment or host.
 
+### Security Model: AWS and SSH Integration
+
+cloudX-proxy implements a unique dual-layer security approach that combines AWS's robust authentication mechanisms with SSH's connection handling capabilities:
+
+#### AWS Security Layer (Primary)
+The primary security boundary is enforced through AWS Systems Manager (SSM) and EC2 Instance Connect. This layer provides:
+- **Access Control**: Only authenticated AWS users with appropriate IAM permissions can establish SSM sessions
+- **Dynamic Key Authorization**: EC2 Instance Connect allows temporary injection of SSH public keys, valid only for a single session
+- **Network Security**: No inbound SSH ports need to be exposed, as all connections are established through AWS SSM's secure tunneling
+- **Audit Trail**: All connection attempts and key pushes are logged in AWS CloudTrail
+
+#### SSH Layer (Secondary)
+SSH serves primarily as a connection handler rather than the main security mechanism:
+- **Ephemeral Authentication**: The SSH key pair is used only to establish the connection through the SSM tunnel
+- **Session Management**: SSH handles the actual terminal session, file transfers, and multiplexing
+- **Key Flexibility**: Since keys are pushed dynamically for each session, the same key can safely be used across multiple instances
+- **Zero Trust Model**: Even if a key is compromised, access still requires valid AWS credentials and permissions
+
+This architecture means that:
+1. The security of the connection relies primarily on AWS IAM permissions and SSM session management
+2. SSH keys can be reused across instances without security implications
+3. Each connection gets a fresh key authorization through EC2 Instance Connect
+4. Instances remain completely closed to direct SSH access from the internet
+
 ### VSCode Configuration
 
 1. Install the "Remote - SSH" extension in VSCode

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/README.md

@@ -174,6 +174,30 @@ When adding new instances to an existing environment, you can choose to:
 
 This three-tier structure offers better maintainability by reducing duplication and making it clear which settings apply broadly and which are specific to an environment or host.
 
+### Security Model: AWS and SSH Integration
+
+cloudX-proxy implements a unique dual-layer security approach that combines AWS's robust authentication mechanisms with SSH's connection handling capabilities:
+
+#### AWS Security Layer (Primary)
+The primary security boundary is enforced through AWS Systems Manager (SSM) and EC2 Instance Connect. This layer provides:
+- **Access Control**: Only authenticated AWS users with appropriate IAM permissions can establish SSM sessions
+- **Dynamic Key Authorization**: EC2 Instance Connect allows temporary injection of SSH public keys, valid only for a single session
+- **Network Security**: No inbound SSH ports need to be exposed, as all connections are established through AWS SSM's secure tunneling
+- **Audit Trail**: All connection attempts and key pushes are logged in AWS CloudTrail
+
+#### SSH Layer (Secondary)
+SSH serves primarily as a connection handler rather than the main security mechanism:
+- **Ephemeral Authentication**: The SSH key pair is used only to establish the connection through the SSM tunnel
+- **Session Management**: SSH handles the actual terminal session, file transfers, and multiplexing
+- **Key Flexibility**: Since keys are pushed dynamically for each session, the same key can safely be used across multiple instances
+- **Zero Trust Model**: Even if a key is compromised, access still requires valid AWS credentials and permissions
+
+This architecture means that:
+1. The security of the connection relies primarily on AWS IAM permissions and SSM session management
+2. SSH keys can be reused across instances without security implications
+3. Each connection gets a fresh key authorization through EC2 Instance Connect
+4. Instances remain completely closed to direct SSH access from the internet
+
 ### VSCode Configuration
 
 1. Install the "Remote - SSH" extension in VSCode

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/cloudx_proxy/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.4.4'
-__version_tuple__ = version_tuple = (0, 4, 4)
+__version__ = version = '0.4.6'
+__version_tuple__ = version_tuple = (0, 4, 6)

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/cloudx_proxy/cli.py

@@ -55,7 +55,10 @@ def connect(instance_id: str, port: int, profile: str, region: str, ssh_key: str
 @click.option('--ssh-config', help='SSH config file to use (default: ~/.ssh/vscode/config)')
 @click.option('--aws-env', help='AWS environment directory (default: ~/.aws, use name of directory in ~/.aws/aws-envs/)')
 @click.option('--1password', 'use_1password', is_flag=True, help='Use 1Password SSH agent for SSH authentication')
-def setup(profile: str, ssh_key: str, ssh_config: str, aws_env: str, use_1password: bool):
+@click.option('--instance', help='EC2 instance ID to set up connection for')
+@click.option('--yes', 'non_interactive', is_flag=True, help='Non-interactive mode, use default values for all prompts')
+def setup(profile: str, ssh_key: str, ssh_config: str, aws_env: str, use_1password: bool, 
+          instance: str, non_interactive: bool):
     """Set up AWS profile, SSH keys, and configuration for CloudX.
     
     This command will:
@@ -69,6 +72,7 @@ def setup(profile: str, ssh_key: str, ssh_config: str, aws_env: str, use_1passwo
         cloudx-proxy setup --profile myprofile --ssh-key mykey
         cloudx-proxy setup --ssh-config ~/.ssh/cloudx/config
         cloudx-proxy setup --1password
+        cloudx-proxy setup --instance i-0123456789abcdef0 --yes
     """
     try:
         setup = CloudXSetup(
@@ -76,7 +80,9 @@ def setup(profile: str, ssh_key: str, ssh_config: str, aws_env: str, use_1passwo
             ssh_key=ssh_key, 
             ssh_config=ssh_config, 
             aws_env=aws_env,
-            use_1password=use_1password
+            use_1password=use_1password,
+            instance_id=instance,
+            non_interactive=non_interactive
         )
         
         print("\n\033[1;95m=== cloudx-proxy Setup ===\033[0m\n")
@@ -91,8 +97,13 @@ def setup(profile: str, ssh_key: str, ssh_config: str, aws_env: str, use_1passwo
         
         # Get environment and instance details
         cloudx_env = setup.prompt("Enter environment", getattr(setup, 'default_env', None))
-        instance_id = setup.prompt("Enter EC2 instance ID (e.g., i-0123456789abcdef0)")
-        hostname = setup.prompt("Enter hostname for the instance")
+        
+        # Use the --instance parameter if provided, otherwise prompt
+        instance_id = instance or setup.prompt("Enter EC2 instance ID (e.g., i-0123456789abcdef0)")
+        
+        # Generate a default hostname based on instance ID if we're in non-interactive mode
+        hostname_default = f"instance-{instance_id[-7:]}" if non_interactive else None
+        hostname = setup.prompt("Enter hostname for the instance", hostname_default)
         
         # Set up SSH config
         if not setup.setup_ssh_config(cloudx_env, instance_id, hostname):

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/cloudx_proxy/setup.py

@@ -10,8 +10,12 @@ from botocore.exceptions import ClientError
 from ._1password import check_1password_cli, check_ssh_agent, list_ssh_keys, create_ssh_key, get_vaults, save_public_key
 
 class CloudXSetup:
+    # Define SSH key prefix as a constant
+    SSH_KEY_PREFIX = "cloudX SSH Key - "
+    
     def __init__(self, profile: str = "vscode", ssh_key: str = "vscode", ssh_config: str = None, 
-                 aws_env: str = None, use_1password: bool = False):
+                 aws_env: str = None, use_1password: bool = False, instance_id: str = None, 
+                 non_interactive: bool = False):
         """Initialize cloudx-proxy setup.
         
         Args:
@@ -20,11 +24,15 @@ class CloudXSetup:
             ssh_config: SSH config file path (default: None, uses ~/.ssh/vscode/config)
             aws_env: AWS environment directory (default: None)
             use_1password: Use 1Password SSH agent for authentication (default: False)
+            instance_id: EC2 instance ID to set up connection for (optional)
+            non_interactive: Non-interactive mode, use defaults for all prompts (default: False)
         """
         self.profile = profile
         self.ssh_key = ssh_key
         self.aws_env = aws_env
         self.use_1password = use_1password
+        self.instance_id = instance_id
+        self.non_interactive = non_interactive
         self.home_dir = str(Path.home())
         self.onepassword_agent_sock = Path(self.home_dir) / ".1password" / "agent.sock"
         
@@ -74,6 +82,16 @@ class CloudXSetup:
         Returns:
             str: User's input or default value
         """
+        # In non-interactive mode, always use the default value
+        if self.non_interactive:
+            if default:
+                self.print_status(f"{message}: Using default [{default}]", None, 2)
+                return default
+            else:
+                self.print_status(f"{message}: No default value available", False, 2)
+                raise ValueError(f"Non-interactive mode requires default value for: {message}")
+        
+        # Interactive prompt
         if default:
             prompt_text = f"\033[93m{message} [{default}]: \033[0m"
         else:
@@ -200,6 +218,43 @@ class CloudXSetup:
             bool: True if successful
         """
         try:
+            # Create possible title variations for the 1Password item
+            ssh_key_title_with_prefix = f"{self.SSH_KEY_PREFIX}{self.ssh_key}"
+            ssh_key_title_without_prefix = self.ssh_key
+            
+            # First check if key exists in any vault
+            ssh_keys = list_ssh_keys()
+            
+            # Check for both prefixed and non-prefixed format
+            existing_key = next((key for key in ssh_keys if key['title'] == ssh_key_title_with_prefix), None)
+            if not existing_key:
+                existing_key = next((key for key in ssh_keys if key['title'] == ssh_key_title_without_prefix), None)
+            
+            if existing_key:
+                key_title = existing_key['title']
+                self.print_status(f"SSH key '{key_title}' already exists in 1Password", True, 2)
+                # Get the public key
+                result = subprocess.run(
+                    ['op', 'item', 'get', existing_key['id'], '--fields', 'public key'],
+                    capture_output=True,
+                    text=True,
+                    check=False
+                )
+                
+                if result.returncode == 0:
+                    public_key = result.stdout.strip()
+                    # Save it to the expected location
+                    if save_public_key(public_key, f"{self.ssh_key_file}.pub"):
+                        self.print_status(f"Saved existing public key to {self.ssh_key_file}.pub", True, 2)
+                        return True
+                    else:
+                        self.print_status(f"Failed to save public key to {self.ssh_key_file}.pub", False, 2)
+                        return False
+                else:
+                    self.print_status(f"Failed to retrieve public key from 1Password", False, 2)
+                    return False
+            
+            # If we reach here, the key doesn't exist and we need to create it
             # Get vaults to determine where to store the key
             vaults = get_vaults()
             if not vaults:
@@ -223,48 +278,24 @@ class CloudXSetup:
             except ValueError:
                 self.print_status("Invalid input", False, 2)
                 return False
+                
+            # Create a new SSH key in 1Password
+            self.print_status(f"Creating new SSH key '{ssh_key_title_with_prefix}' in 1Password...", None, 2)
+            success, public_key, item_id = create_ssh_key(ssh_key_title_with_prefix, selected_vault)
             
-            # Create a title for the 1Password item
-            ssh_key_title = f"cloudX SSH Key - {self.ssh_key}"
+            if not success:
+                self.print_status("Failed to create SSH key in 1Password", False, 2)
+                return False
             
-            # Check if a key with this title already exists in 1Password
-            ssh_keys = list_ssh_keys()
-            existing_key = next((key for key in ssh_keys if key['title'] == ssh_key_title), None)
+            self.print_status("SSH key created successfully in 1Password", True, 2)
             
-            if existing_key:
-                self.print_status(f"SSH key '{ssh_key_title}' already exists in 1Password", True, 2)
-                # Get the public key
-                result = subprocess.run(
-                    ['op', 'item', 'get', existing_key['id'], '--fields', 'public key'],
-                    capture_output=True,
-                    text=True,
-                    check=False
-                )
-                
-                if result.returncode == 0:
-                    public_key = result.stdout.strip()
-                    # Save it to the expected location
-                    if save_public_key(public_key, f"{self.ssh_key_file}.pub"):
-                        self.print_status(f"Saved existing public key to {self.ssh_key_file}.pub", True, 2)
-                        return True
+            # Save the public key to the expected location
+            if save_public_key(public_key, f"{self.ssh_key_file}.pub"):
+                self.print_status(f"Saved public key to {self.ssh_key_file}.pub", True, 2)
+                return True
             else:
-                # Create a new SSH key in 1Password
-                self.print_status(f"Creating new SSH key '{ssh_key_title}' in 1Password...", None, 2)
-                success, public_key, item_id = create_ssh_key(ssh_key_title, selected_vault)
-                
-                if not success:
-                    self.print_status("Failed to create SSH key in 1Password", False, 2)
-                    return False
-                
-                self.print_status("SSH key created successfully in 1Password", True, 2)
-                
-                # Save the public key to the expected location
-                if save_public_key(public_key, f"{self.ssh_key_file}.pub"):
-                    self.print_status(f"Saved public key to {self.ssh_key_file}.pub", True, 2)
-                    return True
-                else:
-                    self.print_status(f"Failed to save public key to {self.ssh_key_file}.pub", False, 2)
-                    return False
+                self.print_status(f"Failed to save public key to {self.ssh_key_file}.pub", False, 2)
+                return False
             
             # Remind user to enable the key in 1Password SSH agent
             self.print_status("\033[93mImportant: Make sure the key is enabled in 1Password's SSH agent settings\033[0m", None, 2)

{cloudx_proxy-0.4.4 → cloudx_proxy-0.4.6}/cloudx_proxy.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cloudx-proxy
-Version: 0.4.4
+Version: 0.4.6
 Summary: SSH proxy command to connect VSCode with Cloud9/CloudX instance using AWS Systems Manager
 Author-email: easytocloud <info@easytocloud.com>
 License: MIT License
@@ -224,6 +224,30 @@ When adding new instances to an existing environment, you can choose to:
 
 This three-tier structure offers better maintainability by reducing duplication and making it clear which settings apply broadly and which are specific to an environment or host.
 
+### Security Model: AWS and SSH Integration
+
+cloudX-proxy implements a unique dual-layer security approach that combines AWS's robust authentication mechanisms with SSH's connection handling capabilities:
+
+#### AWS Security Layer (Primary)
+The primary security boundary is enforced through AWS Systems Manager (SSM) and EC2 Instance Connect. This layer provides:
+- **Access Control**: Only authenticated AWS users with appropriate IAM permissions can establish SSM sessions
+- **Dynamic Key Authorization**: EC2 Instance Connect allows temporary injection of SSH public keys, valid only for a single session
+- **Network Security**: No inbound SSH ports need to be exposed, as all connections are established through AWS SSM's secure tunneling
+- **Audit Trail**: All connection attempts and key pushes are logged in AWS CloudTrail
+
+#### SSH Layer (Secondary)
+SSH serves primarily as a connection handler rather than the main security mechanism:
+- **Ephemeral Authentication**: The SSH key pair is used only to establish the connection through the SSM tunnel
+- **Session Management**: SSH handles the actual terminal session, file transfers, and multiplexing
+- **Key Flexibility**: Since keys are pushed dynamically for each session, the same key can safely be used across multiple instances
+- **Zero Trust Model**: Even if a key is compromised, access still requires valid AWS credentials and permissions
+
+This architecture means that:
+1. The security of the connection relies primarily on AWS IAM permissions and SSM session management
+2. SSH keys can be reused across instances without security implications
+3. Each connection gets a fresh key authorization through EC2 Instance Connect
+4. Instances remain completely closed to direct SSH access from the internet
+
 ### VSCode Configuration
 
 1. Install the "Remote - SSH" extension in VSCode