ssm-cli 0.0.2__py3-none-any.whl

ssm_cli/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.0.2"

ssm_cli/__main__.py

@@ -0,0 +1,5 @@
+import sys
+from ssm_cli.cli import cli
+
+if __name__ == "__main__":
+    sys.exit(cli())

ssm_cli/cli.py

@@ -0,0 +1,105 @@
+import sys
+
+import boto3
+import botocore
+from rich_argparse import ArgumentDefaultsRichHelpFormatter
+
+from confclasses import load_config
+from ssm_cli.config import config
+from ssm_cli.xdg import get_log_file, get_conf_file
+from ssm_cli.commands import COMMANDS
+from ssm_cli.cli_args import CliArgumentParser
+
+import logging
+logging.basicConfig(
+    level=logging.WARNING,
+    filename=get_log_file(),
+    filemode='+wt',
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
+    datefmt='%Y-%m-%d %H:%M:%S'
+)
+logger = logging.getLogger(__name__)
+
+def cli(argv: list = None) -> int:
+    if argv is None:
+        argv = sys.argv[1:]
+
+    # Getting everything ready for config has useful logs, this helps develop that area
+    for i, arg in enumerate(argv):
+        if arg == '--log-level':
+            logging.getLogger().setLevel(argv[i+1].upper())
+        if arg.startswith('--log-level='):
+            logging.getLogger().setLevel(arg.split('=')[1].upper())
+
+    logger.debug(f"CLI called with {argv}")
+
+    # Build the actual parser
+    parser = CliArgumentParser(
+        prog="ssm",
+        description="tool to manage AWS SSM",
+        formatter_class=ArgumentDefaultsRichHelpFormatter,
+    )
+    parser.add_global_argument("--version", action="version", version="0.1.0") #TODO: swap to pull dynamically
+    parser.add_global_argument("--profile", type=str, help="Which AWS profile to use")
+
+    for name, command in COMMANDS.items():
+        command_parser = parser.add_command_parser(name, command.HELP)
+        command.add_arguments(command_parser)
+
+    args = parser.parse_args(argv)
+
+    logger.debug(f"Arguments: {args}")
+
+    if not args.command:
+        parser.print_help()
+        return 1
+    
+    # Setup is a special case, we cannot load config if we dont have any.
+    if args.command == "setup":
+        COMMANDS['setup'].run(args, None)
+        return 0
+    
+    try:
+        with open(get_conf_file(), 'r') as file:
+            load_config(config, file)
+            args.update_config()
+            logger.debug(f"Config: {config}")
+    except EnvironmentError as e:
+        eprint(f"Invalid config: {e}")
+        return 1
+    
+    logging.getLogger().setLevel(config.log.level.upper())
+    
+    for logger_name, level in config.log.loggers.items():
+        logger.debug(f"setting logger {logger_name} to {level}")
+        logging.getLogger(logger_name).setLevel(level.upper())
+
+    try:
+        session = boto3.Session(profile_name=args.global_args.profile)
+        if session.region_name is None:
+            eprint(f"AWS config missing region for profile {session.profile_name}")
+            logger.error(f"AWS config missing region for profile {session.profile_name}")
+            return 2
+    except botocore.exceptions.ProfileNotFound as e:
+        eprint(f"AWS profile invalid")
+        logger.error(f"AWS profile invalid: {e}")
+        return 2
+
+    try:
+        if args.command not in COMMANDS:
+            eprint(f"failed to find action {args.action}")
+            return 3
+        COMMANDS[args.command].run(args, session)
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'ExpiredTokenException':
+            eprint(f"AWS credentials expired")
+            logger.error(f"AWS credentials expired")
+            return 2
+    except Exception as e:
+        eprint(e)
+        return 5
+    
+    return 0
+
+def eprint(*args, **kwargs):
+    print(file=sys.stderr, *args, **kwargs)

ssm_cli/cli_args.py

@@ -0,0 +1,84 @@
+import argparse
+import sys
+from confclasses import fields, is_confclass
+from ssm_cli.config import config
+
+class CliArgumentParser(argparse.ArgumentParser):
+    def __init__(self, *args, help_as_global=True, **kwargs):
+        self.global_args_parser = argparse.ArgumentParser(add_help=False)
+        self.global_args_parser_group = self.global_args_parser.add_argument_group("Global Options")
+        
+        self.help_as_global = help_as_global
+        if help_as_global:
+            kwargs['add_help'] = False
+            # we cannot use help action here because it will just return the global arguments
+            self.global_args_parser_group.add_argument('--help', '-h', action="store_true", help="show this help message and exit")
+
+        super().__init__(*args, **kwargs)
+        self._command_subparsers = self.add_subparsers(title="Commands", dest="command", metavar="<command>", parser_class=argparse.ArgumentParser)
+        self._command_subparsers_map = {}
+
+        self.add_config_args(config)
+
+    def parse_args(self, args=None):
+        # we have to manually do the parents logic here because arguments are added after init
+        self._add_container_actions(self.global_args_parser)
+        defaults = self.global_args_parser._defaults
+        self._defaults.update(defaults)
+
+        if args is None:
+            args = sys.argv[1:]
+        global_args, unknown = self.global_args_parser.parse_known_args(args, CliNamespace())
+        
+        args = super().parse_args(unknown, CliNamespace(global_args=global_args))
+
+        if self.help_as_global and global_args.help:
+            if args.command and args.command in self._command_subparsers_map:
+                self._command_subparsers_map[args.command].print_help()
+                self.exit()
+            self.print_help()
+            self.exit()
+
+        # Clean up from parents and help
+        for arg in vars(global_args):
+            if hasattr(args, arg):
+                delattr(args, arg)
+        if hasattr(global_args, 'help'):
+            delattr(global_args, 'help')
+        
+        return args
+
+    def add_global_argument(self, *args, **kwargs):
+        self.global_args_parser_group.add_argument(*args, **kwargs)
+    
+    def add_command_parser(self, name, help):
+        parser = self._command_subparsers.add_parser(name, help=help, formatter_class=self.formatter_class, parents=[self.global_args_parser], add_help=not self.help_as_global)
+        self._command_subparsers_map[name] = parser
+        return parser
+
+    def add_config_args(self, config, prefix=""):
+        for field in fields(config):
+            if is_confclass(field.type):
+                self.add_config_args(field.type, f"{field.name}-")
+            else:
+                self.global_args_parser.add_argument(f"--{prefix}{field.name.replace('_','-')}", type=field.type, help=field.metadata.get('help', None))
+
+
+
+class CliNamespace(argparse.Namespace):
+    def update_config(self):
+        self._do_update_config(config, vars(self.global_args))
+    
+    def _do_update_config(self, config, data: dict):
+        for field in fields(config):
+            name = field.name
+            if is_confclass(field.type):
+                # If default value in the confclass
+                if not hasattr(config, name):
+                    raise RuntimeError("Config not loaded before injecting arg overrides")
+
+                prefix = f"{name}_"
+                data = {k.replace(prefix, ""): v for k, v in data.items() if k.startswith(prefix)}
+                self._do_update_config(getattr(config, name), data)
+            elif name in data and data[name] is not None:
+                setattr(config, name, data[name])

ssm_cli/commands/__init__.py

@@ -0,0 +1,14 @@
+from typing import Dict
+from ssm_cli.commands.base import BaseCommand
+from ssm_cli.commands.list import ListCommand
+from ssm_cli.commands.shell import ShellCommand
+from ssm_cli.commands.proxycommand import ProxyCommandCommand
+from ssm_cli.commands.setup import SetupCommand
+
+
+COMMANDS : Dict[str, BaseCommand] = {
+    'list': ListCommand,
+    'shell': ShellCommand,
+    'proxycommand': ProxyCommandCommand,
+    'setup': SetupCommand
+}

ssm_cli/commands/base.py

@@ -0,0 +1,15 @@
+from abc import ABC, abstractmethod
+import argparse
+
+import boto3
+
+class BaseCommand(ABC):
+    HELP: str = None
+    CONFIG: type = None
+    
+    @abstractmethod
+    def add_arguments(parser: argparse.ArgumentParser):
+        pass
+    @abstractmethod
+    def run(args: list, session: boto3.Session):
+        pass

ssm_cli/commands/list.py

@@ -0,0 +1,22 @@
+from ssm_cli.instances import Instances
+from ssm_cli.commands.base import BaseCommand
+
+import logging
+logger = logging.getLogger(__name__)
+
+class ListCommand(BaseCommand):
+    HELP = """List all instances in a group, if no group provided, will list all available groups"""
+    def add_arguments(parser):
+        parser.add_argument("group", type=str, nargs="?", help="group to run against")
+    
+    def run(args, session):
+        logger.info("running list action")
+
+        instances = Instances(session)
+
+        if args.group:
+            for instance in instances.list_instances(args.group):
+                print(instance)
+        else:
+            for group in instances.list_groups():
+                print(group)

ssm_cli/commands/proxycommand.py

@@ -0,0 +1,67 @@
+import socket
+import time
+
+from ssm_cli.ssh.server import SshServer
+from ssm_cli.instances import Instances
+from ssm_cli.config import config
+from ssm_cli.commands.base import BaseCommand
+
+import logging
+logger = logging.getLogger(__name__)
+
+class ProxyCommandCommand(BaseCommand):
+    HELP="SSH ProxyCommand feature"
+    def add_arguments(parser):
+        parser.add_argument("group", type=str, help="group to run against")
+
+    def run(args, session):
+        logger.info("running proxycommand action")
+
+
+        instances = Instances(session)
+        instance = instances.select_instance(args.group, config.actions.proxycommand.selector)
+
+        if instance is None:
+            logger.error("failed to select host")
+            raise RuntimeError("failed to select host")
+
+        logger.info(f"connecting to {repr(instance)}")
+        
+        server = SshServer(direct_tcpip_callback(instance, session))
+        server.start()
+
+def direct_tcpip_callback(instance, session):
+    def callback(host, remote_port) -> socket.socket:
+        logger.debug(f"connect to {host}:{remote_port}")
+        internal_port = get_next_free_port(remote_port + 3000, 20)
+        logger.debug(f"got internal port {internal_port}")
+        try:
+            instance.start_port_forwarding_session_to_remote_host(session, host, remote_port, internal_port)
+        except Exception as e:
+            logger.error(f"failed to open port forward: {e}")
+            return None
+        
+        logger.debug(f"connecting to session manager plugin on 127.0.0.1:{internal_port}")
+        # Even though we wait for the process to say its connected, we STILL need to wait for it
+        for attempt in range(10):
+            try:
+                sock = socket.create_connection(('127.0.0.1', internal_port))
+                logger.info(f"connected to 127.0.0.1:{internal_port}")
+            except Exception as e:
+                logger.warning(f"connection attempt {attempt} failed: {e}")
+                time.sleep(0.1)
+        
+        return sock
+
+    return callback
+
+def get_next_free_port(port: int, tries: int) -> int:
+    max_port = port + tries
+    while port < max_port:
+        logger.debug(f"attempting port {port}")
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.settimeout(1)
+        result = s.connect_ex(('127.0.0.1', port))
+        if result != 0:
+            return port
+        port += 1

ssm_cli/commands/setup.py

@@ -0,0 +1,54 @@
+import argparse
+from ssm_cli.commands.base import BaseCommand
+from ssm_cli.xdg import get_conf_root, get_conf_file, get_log_file, get_ssh_hostkey
+
+import logging
+logger = logging.getLogger(__name__)
+
+class SetupCommand(BaseCommand):
+    HELP = "Setups up ssm-cli"
+    
+    def add_arguments(parser):
+        parser.add_argument("--replace", action=argparse.BooleanOptionalAction, default=False, help="if we should replace existing")
+
+    def run(args, session):
+        logger.info("running setup action")
+
+        create_conf_dir()
+        create_conf_file(args.replace)
+
+def create_conf_dir():
+    root = get_conf_root(False)
+    if root.exists():
+        if not root.is_dir():
+            raise FileExistsError(f"{root} already exists and is not a directory. Cleanup is likely needed.")
+        print(f"{root} - skipping (already exists)")
+        return
+    
+    print(f"{root} - creating directory")
+    root.mkdir(511, True, True)
+
+def create_conf_file(replace):
+    from confclasses import load_config
+    from confclasses_comments import save_config
+    from ssm_cli.config import Config
+
+    path = get_conf_file(False)
+    if path.exists() and not replace:
+        print(f"{path} - skipping (already exists)")
+        return
+    
+    # stop accidental polution of the config object, cannot see 
+    # this being a real issue but better to be safe
+    config = Config()
+    load_config(config, "")
+
+    config.group_tag_key = input(f"What tag to use to split up the instances [{config.group_tag_key}]: ") or config.group_tag_key
+
+    try:
+        with path.open("w+") as file:
+            save_config(config, file)
+            print(f"{path} - created")
+    except Exception as e:
+        logger.error(e)
+        path.unlink(True)

ssm_cli/commands/shell.py

@@ -0,0 +1,32 @@
+from ssm_cli.instances import Instances
+from ssm_cli.config import config
+from ssm_cli.commands.base import BaseCommand
+from dataclasses import dataclass
+
+import logging
+logger = logging.getLogger(__name__)
+
+@dataclass
+class ShellConfig:
+    selector: str = "tui"
+
+class ShellCommand(BaseCommand):
+    CONFIG = ShellConfig
+    HELP = "Connects to instances"
+    
+    def add_arguments(parser):
+        parser.add_argument("group", type=str, help="group to run against")
+
+    def run(args, session):
+        logger.info("running shell action")
+
+        instances = Instances(session)
+        instance = instances.select_instance(args.group, "tui")
+
+        if instance is None:
+            logger.error("failed to select host")
+            raise RuntimeError("failed to select host")
+
+        logger.info(f"connecting to {repr(instance)}")
+        
+        instance.start_session(session)

ssm_cli/config.py

@@ -0,0 +1,28 @@
+from typing import Dict
+from confclasses import confclass
+
+
+@confclass
+class ProxyCommandConfig:
+    selector: str = "first"
+
+@confclass
+class ActionsConfig:
+    proxycommand: ProxyCommandConfig
+    
+@confclass
+class LoggingConfig:
+    level: str = "info"
+    loggers: Dict[str, str] = {
+        "botocore": "warn"
+    }
+    """key value dictionary to override log level on, some modules make a lot of noise, botocore for example"""
+
+@confclass
+class Config:
+    log: LoggingConfig
+    actions: ActionsConfig
+    group_tag_key: str = "group"
+    """Tag key to use when filtering, this is usually set during ssm setup."""
+    
+config = Config()

ssm_cli/instances.py

@@ -0,0 +1,221 @@
+from dataclasses import dataclass, field
+from functools import cache
+import json
+import re
+import signal
+import subprocess
+import sys
+from typing import Any, List
+
+import boto3
+from ssm_cli.selectors import SELECTORS
+from ssm_cli.config import config
+
+import logging
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class Instance:
+    """ Save passing around giant objects, we only need handful of details for this tool """
+    id: str
+    name: str
+    ip: str
+    ping: str
+
+    def __str__(self):
+        return f"{self.id} {self.ip:<15} {self.ping:<7} {self.name}"
+    
+    def start_session(self, session):
+        logger.debug(f"start session instance={self.id}")
+        client = session.client('ssm')
+
+        parameters = dict(
+            Target=self.id
+        )
+        
+        logger.info("calling out to ssm:StartSession")
+        response = client.start_session(**parameters)
+        logger.info(f"starting session: {response['SessionId']}")
+        result = _session_manager_plugin([
+            json.dumps({
+                "SessionId": response["SessionId"],
+                "TokenValue": response["TokenValue"],
+                "StreamUrl": response["StreamUrl"]
+            }),
+            session.region_name,
+            "StartSession",
+            session.profile_name,
+            json.dumps(parameters),
+            f"https://ssm.{session.region_name}.amazonaws.com"
+        ])
+        if result != 0:
+            logger.error(f"Failed to connect to session: {result.stderr.decode()}")
+            raise RuntimeError(f"Failed to connect to session: {result.stderr.decode()}")
+        
+    def start_port_forwarding_session_to_remote_host(self, session, host: str, remote_port: int, internal_port: int):
+        logger.debug(f"start port forwarding between localhost:{internal_port} and {host}:{remote_port} via {self.id}")
+        client = session.client('ssm')
+
+        parameters = dict(
+            Target=self.id,
+            DocumentName='AWS-StartPortForwardingSessionToRemoteHost',
+            Parameters={
+                'host': [host],
+                'portNumber': [str(remote_port)],
+                'localPortNumber': [str(internal_port)]
+            }
+        )
+        logger.info("calling out to ssm:StartSession")
+        response = client.start_session(**parameters)
+
+        logger.info(f"starting session: {response['SessionId']}")
+        proc = subprocess.Popen(
+            [
+                "session-manager-plugin",
+                json.dumps({
+                    "SessionId": response["SessionId"],
+                    "TokenValue": response["TokenValue"],
+                    "StreamUrl": response["StreamUrl"]
+                }),
+                session.region_name,
+                "StartSession",
+                session.profile_name,
+                json.dumps(parameters),
+                f"https://ssm.{session.region_name}.amazonaws.com"
+            ],
+            stdout=subprocess.PIPE
+        )
+
+        for line in proc.stdout.readline():
+            if line == b'Waiting for connections...':
+                return
+
+
+
+def _session_manager_plugin( command: list) -> int:
+    """ Call out to subprocess and ignore interrupts """
+    if sys.platform == "win32":
+        signals_to_ignore = [signal.SIGINT]
+    else:
+        signals_to_ignore = [signal.SIGINT, signal.SIGQUIT, signal.SIGTSTP]
+
+    original_signal_handlers = {}
+    for sig in signals_to_ignore:
+        original_signal_handlers[sig] = signal.signal(sig, signal.SIG_IGN)
+    try:
+        return subprocess.check_call(["session-manager-plugin", *command])
+    finally:
+        for sig, handler in original_signal_handlers.items():
+            signal.signal(sig, handler)
+
+
+class Instances:
+    session: boto3.Session
+
+    def __init__(self, session):
+        self.session = session
+        
+    def select_instance(self, group_tag_value: str, selector: str) -> Instance:
+        instances = sorted(self.list_instances(group_tag_value), key=lambda x: ip_as_int(x.ip))
+        count = len(instances)
+        if count == 1:
+            return instances[0]
+        if count < 1:
+            return
+        
+        if selector not in SELECTORS:
+            raise ValueError(f"invalid selector {selector}")
+        
+        self.selector = SELECTORS[selector]
+        return self.selector(instances)
+
+    def list_groups(self) -> List[str]:
+        groups = set()
+        for resource in self._get_resources():
+            value = get_tag(resource['Tags'], config.group_tag_key)
+            if value:
+                groups.add(value)
+        return sorted(list(groups))
+
+    def list_instances(self, group_tag_value: str) -> List[Instance]:
+        instances = []
+        instances_info = self._describe_instance_information(group_tag_value)
+        resources = self._get_resources(group_tag_value)
+
+        for resource in resources:
+            id = arn_to_instance_id(resource['ResourceARN'])
+            name = get_tag(resource['Tags'], 'Name')
+            for instance in instances_info:
+                if instance['InstanceId'] == id:
+                    instances.append(Instance(
+                        id,
+                        name,
+                        instance['IPAddress'],
+                        instance['PingStatus']
+                    ))
+
+        return instances
+
+    def _get_resources(self, group_tag_value: str = None):
+        logger.info("calling out to resourcegroupstaggingapi:GetResources")
+
+        client = self.session.client('resourcegroupstaggingapi')
+        paginator = client.get_paginator('get_resources')
+        tag_filter = {
+            'Key': config.group_tag_key
+        }
+        if group_tag_value is not None:
+            tag_filter['Values'] = [group_tag_value]
+
+        logger.debug(f"filtering on {tag_filter}")
+        page_iter = paginator.paginate(
+            ResourceTypeFilters=[
+                "ec2:instance"
+            ],
+            TagFilters=[tag_filter]
+        )
+        total = 0
+        for page in page_iter:
+            for resource in page['ResourceTagMappingList']:
+                total += 1
+                yield resource
+        logger.debug(f"yielded {total} resources")
+
+
+    def _describe_instance_information(self, group_tag_value: str):
+        logger.info("calling out to ssm:DescribeInstanceInformation")
+
+        client = self.session.client('ssm')
+        response = client.describe_instance_information(
+            Filters=[
+                {
+                    'Key': f'tag:{config.group_tag_key}',
+                    'Values': [group_tag_value]
+                }
+            ]
+        )
+        logger.debug(f"found {len(response['InstanceInformationList'])} instances")
+        return response['InstanceInformationList']
+
+
+
+def get_tag(tags: list, key: str) -> str:
+    for tag in tags:
+        if tag['Key'] == key:
+            return tag['Value']
+    return None
+
+@cache
+def arn_to_instance_id(arn: str) -> str:
+	parts = arn.split('/')
+	if len(parts) != 2:
+		raise ValueError(f"invalid instance arn {arn}")
+	return parts[1]
+
+
+def ip_as_int(ip: str) -> int:
+    m = re.match(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', ip)
+    if not m:
+        raise ValueError(f"Invalid IP address: {ip}")
+    return (int(m.group(1)) << 24) + (int(m.group(2)) << 16) + (int(m.group(3)) << 8) + int(m.group(4))

ssm_cli/selectors/__init__.py

@@ -0,0 +1,7 @@
+import ssm_cli.selectors.tui as tui
+import ssm_cli.selectors.first as first
+
+SELECTORS = {
+    'tui': tui.select,
+    'first': first.select
+}

ssm_cli/selectors/first.py

@@ -0,0 +1,2 @@
+def select(instances):
+    return instances[0]

ssm_cli/selectors/tui.py

@@ -0,0 +1,14 @@
+import inquirer
+
+def select(instances: list) -> dict:
+    questions = [
+        inquirer.List(
+            "host",
+            message="Which host?",
+            choices=instances,
+        ),
+    ]
+    answers = inquirer.prompt(questions)
+    if answers is None:
+        return None
+    return answers["host"]

ssm_cli/ssh/channels.py

@@ -0,0 +1,37 @@
+import threading
+import paramiko
+
+import logging
+logger = logging.getLogger(__name__)
+
+class Channels:
+    """
+    This class was needed because of the multitheading and not always getting the channel we accept in the right order
+    """
+    def __init__(self, transport: paramiko.Transport, timeout=10):
+        self.transport = transport
+        self.timeout = timeout
+        self._channels = {}
+        self._channels_lock = threading.Lock()
+
+    def get_channel(self, chanid: int):
+        logger.debug(f"getting channel {chanid}")
+        with self._channels_lock:
+            if chanid in self._channels:
+                chan = self._channels[chanid]
+                del self._channels[chanid]
+                logger.debug(f"got channel from buffer")
+                return chan
+
+            for attempt in range(3):
+                chan = self.transport.accept(self.timeout)
+                if chan is None: # Timeout
+                    logger.error(f"no channel available")
+                    return None
+ 
+                if chan.get_id() != chanid:
+                    self._channels[chan.get_id()] = chan
+                    logger.error(f"channel ID mismatch, attempt {attempt}, trying again")
+                    continue
+                logger.debug("got channel from transport")
+                return chan

ssm_cli/ssh/forward.py

@@ -0,0 +1,34 @@
+import select
+import threading
+
+import logging
+logger = logging.getLogger(__name__)
+
+class ForwardThread(threading.Thread):
+    def __init__(self, sock, chanid, channels, chunk_size=1024):
+        threading.Thread.__init__(self)
+        
+        logger.debug(f"setting up forward thread chan={chanid}")
+        self.sock = sock
+        self.chanid = chanid
+        self.channels = channels
+        self.chunk_size = chunk_size
+
+    def run(self):
+        logger.info(f"starting forward thread chan={self.chanid}")
+
+        chan = self.channels.get_channel(self.chanid)
+        while True:
+            r, _, _ = select.select([chan, self.sock], [], [])
+            if self.sock in r:
+                data = self.sock.recv(self.chunk_size)
+                if len(data) == 0:
+                    break
+                chan.send(data)
+
+            if chan in r:
+                data = chan.recv(self.chunk_size)
+                if len(data) == 0:
+                    break
+                self.sock.send(data)
+    

ssm_cli/ssh/server.py

@@ -0,0 +1,99 @@
+import threading
+import paramiko
+
+from ssm_cli.ssh.transport import StdIoSocket
+from ssm_cli.ssh.shell import ShellThread
+from ssm_cli.ssh.forward import ForwardThread
+from ssm_cli.ssh.channels import Channels
+from ssm_cli.xdg import get_ssh_hostkey
+
+import logging
+logger = logging.getLogger(__name__)
+
+class SshServer(paramiko.ServerInterface):
+    """
+    Creates ssh server using StdIoSocket
+    """
+    event: threading.Event
+    direct_tcpip_callback: callable
+    
+    def __init__(self, direct_tcpip_callback: callable):
+        logger.debug("creating server")
+        self.event = threading.Event()
+        self.direct_tcpip_callback = direct_tcpip_callback
+    
+    def start(self):
+        logger.info("starting server")
+
+        sock = StdIoSocket()
+        self.transport = paramiko.Transport(sock)
+        self.channels = Channels(self.transport)
+
+        key_path = get_ssh_hostkey()
+        if key_path.exists():
+            host_key = paramiko.RSAKey(filename=key_path)
+            logger.info("Loaded existing host key")
+        else:
+            host_key = paramiko.RSAKey.generate(1024)
+            host_key.write_private_key_file(key_path)
+            logger.info("Generated new host key and saved to file")
+
+        self.transport.add_server_key(host_key)
+        self.transport.start_server(server=self)
+
+        self.event.wait()
+
+    # Auth handlers, just allow anything. The only use of this code is ProxyCommand and auth is not needed
+    def get_allowed_auths(self, username):
+        logger.info(f"allowing all auths: username={username}")
+        return "password,publickey,none"
+    def check_auth_none(self, username):
+        logger.info(f"accepting auth none: username={username}")
+        return paramiko.AUTH_SUCCESSFUL
+    def check_auth_password(self, username, password):
+        logger.info(f"accepting auth password: username={username}")
+        return paramiko.AUTH_SUCCESSFUL
+    def check_auth_publickey(self, username, key):
+        logger.info(f"accepting auth public key: username={username}")
+        return paramiko.AUTH_SUCCESSFUL
+    
+    # Allow sessions
+    def check_channel_request(self, kind, chanid):
+        logger.info(f"received channel request: kind={kind} chanid={chanid}")
+        if kind == 'session':
+            return paramiko.OPEN_SUCCEEDED
+        logger.error(f"we only accept session")
+        return paramiko.OPEN_FAILED_ADMINISTRATIVELY
+    
+    # Just accept the PTY request
+    def check_channel_pty_request(self, channel, term, width, height, pixelwidth, pixelheight, modes):
+        return True
+    # Start a echo shell if requested
+    def check_channel_shell_request(self, channel):
+        logger.info(f"shell request: {channel.get_id()}")
+        t = ShellThread(channel, self.channels)
+        t.start()
+        return True
+
+    # The real meat and potatos here!
+    def check_channel_direct_tcpip_request(self, chanid, origin, destination):
+        logger.info(f"direct TCP/IP request: chan={chanid} origin={origin} destination={destination}")
+        host = destination[0]
+        remote_port = destination[1]
+
+        sock = self.direct_tcpip_callback(host, remote_port)
+        
+        if not sock:
+            logger.error("failed to connect to session manager plugin")
+            return paramiko.OPEN_FAILED_CONNECT_FAILED
+        
+        # Start thread to open the channel and forward data
+        t = ForwardThread(sock, chanid, self.channels)
+        t.start()
+        
+        logger.debug("started forwarding thread")
+        return paramiko.OPEN_SUCCEEDED
+    
+    def get_banner(self):
+        return ("SSM CLI - ProxyCommand SSH server\r\n", "en-US")
+

ssm_cli/ssh/shell.py

@@ -0,0 +1,38 @@
+import threading
+import paramiko
+import select
+
+from ssm_cli.ssh.channels import Channels
+
+import logging
+logger = logging.getLogger(__name__)
+
+
+class ShellThread(threading.Thread):
+    daemon = True
+
+    def __init__(self, chan: paramiko.Channel, channels: Channels):
+        threading.Thread.__init__(self)
+
+        logger.debug(f"setting up shell thread chan={chan.get_id()}")
+        self.chan = chan
+        self.channels = channels
+
+    def run(self):
+        logger.info(f"starting shell thread chan={self.chan.get_id()}")
+
+        # Even though a channel object is passed in here, we STILL have to do this bit to avoid
+        # it being the first channel accepted when doing forwarding.
+        chan = self.channels.get_channel(self.chan.get_id())
+        
+        self.chan.send(f"\r\nShell Requested for fake SSH Ctl+C or EOF (Ctl+D) to quit\r\n")
+        
+        while True:
+            r, _, _ = select.select([self.chan], [], [])
+            if self.chan in r:
+                data = self.chan.recv(1024)
+                if len(data) == 0 or data in [b'\x03', b'\x04']: # Ctl+C or Ctl+D
+                    break
+                self.chan.send(f"echo {data}\r\n")
+        
+        self.chan.close()

ssm_cli/ssh/transport.py

@@ -0,0 +1,22 @@
+import sys
+
+import logging
+logger = logging.getLogger(__name__)
+
+class StdIoSocket:
+    _closed = True
+
+    def send(self, bytes):
+        n = sys.stdout.buffer.write(bytes)
+        sys.stdout.flush()
+        return n
+    def recv(self, length):
+        return sys.stdin.buffer.read(length)
+    
+    # ignore close for now, we can probably handle it
+    def close(self):
+        logger.debug("Ignoring close")
+
+    # timeout should be used, for now we are ignoring it
+    def settimeout(self, timeout):
+        logger.debug("Ignoring settimeout")

ssm_cli/xdg.py

@@ -0,0 +1,29 @@
+# All XDG path logic here
+from pathlib import Path
+from xdg_base_dirs import xdg_config_home
+
+
+def get_conf_root(check=True) -> Path:
+    root = xdg_config_home() / 'ssm-cli'
+    if check and not root.exists():
+        from ssm_cli.commands.setup import create_conf_dir
+        create_conf_dir()
+    return root
+
+def get_conf_file(check=True) -> Path:
+    path = get_conf_root(check) / 'ssm.yaml'
+    if check and not path.exists():
+        raise EnvironmentError(f"{path} missing, run `ssm setup` to create")
+    return path
+
+def get_log_file(check=False) -> Path:
+    path = get_conf_root(True) / 'ssm.log'
+    if check and not path.exists():
+        raise EnvironmentError(f"{path} missing, run `ssm setup` to create")
+    return path
+
+def get_ssh_hostkey(check=True) -> Path:
+    path = get_conf_root(check) / 'hostkey.pem'
+    if check and not path.exists():
+        raise EnvironmentError(f"{path} missing, run `ssm setup` to create")
+    return path

ssm_cli-0.0.2.dist-info/METADATA

@@ -0,0 +1,75 @@
+Metadata-Version: 2.4
+Name: ssm-cli
+Version: 0.0.2
+Summary: CLI tool to help with SSM functionality, aimed at adminstrators
+Author-email: Simon Fletcher <simon.fletcher@lexisnexisrisk.com>
+License: MIT License
+        
+        Copyright (c) 2025 Simon Fletcher
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://github.com/simonfletcher-ln/ssm-cli
+Project-URL: Issues, https://github.com/simonfletcher-ln/ssm-cli/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: Operating System :: OS Independent
+Classifier: License :: OSI Approved :: MIT License
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENCE
+Requires-Dist: boto3
+Requires-Dist: inquirer
+Requires-Dist: paramiko
+Requires-Dist: rich-argparse
+Requires-Dist: confclasses
+Requires-Dist: xdg_base_dirs
+Dynamic: license-file
+
+# SSM CLI
+
+A tool to make common tasks with SSM easier. The goal of this project is to help with the Session Manager, the tool tries to keep the access it requires to a minimum.
+
+## Installation
+
+It can be installed with `pip install ssm-cli`, however most features rely on the session-manager-plugin being installed as well, this is the standard way to make SSM connections.
+
+[AWS install guide](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
+
+## AWS permission
+
+The tool uses boto3, so any standard AWS_ environment variables can be used. Also the `--profile` option can be used.
+
+You will need access to a few aws actions, below is a policy which should cover all features used by the tool.
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Sid": "FirstStatement",
+        "Effect": "Allow",
+        "Action": [
+            "resourcegroupstaggingapi:GetResources",
+            "ssm:DescribeInstanceInformation",
+            "ssm:StartSession"
+        ],
+        "Resource": "*"
+        }
+    ]
+}
+```

ssm_cli-0.0.2.dist-info/RECORD

@@ -0,0 +1,28 @@
+ssm_cli/__init__.py,sha256=xy5icTVL_-T_uZleOq5SPoLjDLVLWIK0U8whN-ij6kI,21
+ssm_cli/__main__.py,sha256=3sQX718hwpIMiuyDOHWXKoBxcvQ01816dkxQbHozApA,86
+ssm_cli/cli.py,sha256=-0vMsfS8zZ6I6O-ihcnTYzepoVe2GYABtkA69kpcXvg,3459
+ssm_cli/cli_args.py,sha256=1-BUhyO7yMHd4AaTm7-vmMBxe2OBcHMAM0-XqXw0QJI,3679
+ssm_cli/config.py,sha256=4rX24YAzbvoDtjHnKMAr9TI6supkGfJlUZEZVnNtFX0,644
+ssm_cli/instances.py,sha256=-H07hJocp5u54wvwrw3xAPiosPSM2-t1MvyFKLo2Di8,7304
+ssm_cli/xdg.py,sha256=pbGAX6OYPQ510KZYpgVxylz9ofI8C452r9xUzE5iEA8,957
+ssm_cli/commands/__init__.py,sha256=jk6ZXNuVZWq3rGw4JkCN-hzh_Xl6KcVjVw1CfHemjuE,434
+ssm_cli/commands/base.py,sha256=_TncEahZMnA1xQITFvf5zA_zvUA0ondg-N9YOzKe9S4,311
+ssm_cli/commands/list.py,sha256=izHi0qKfuVx_6LkJGxvNsct2f_2Iqbzmb3nYzyBSITI,722
+ssm_cli/commands/proxycommand.py,sha256=15glDyaEfkROncHPPXrwtMMzyZ1X89v1GKRGbQXtZCE,2407
+ssm_cli/commands/setup.py,sha256=Pet2mz-2ZvKj12Uz5GSO9LjD9nQLVkKWfqIIbtK9wew,1739
+ssm_cli/commands/shell.py,sha256=ZvyK_CwAxZiT5dijpe85LTWEIfRkXrvHqlTgz97hkNc,887
+ssm_cli/selectors/__init__.py,sha256=usmQjV4YN9so1CI3AdbDVK-sQawdpio16UbmaodBDaw,141
+ssm_cli/selectors/first.py,sha256=EnwcztpeohIQAjsOhWipSdw9OaqETc_skHtCCTDFOAs,46
+ssm_cli/selectors/tui.py,sha256=KneigVhEBYWCA6JWWwo6oe2Nd1wKfoyNDpQ3C59IGD0,310
+ssm_cli/ssh/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ssm_cli/ssh/channels.py,sha256=YagZobN9lnwyjs4o5eYu6JposRmt7yIYOEkeNcdP-cE,1324
+ssm_cli/ssh/forward.py,sha256=Y71g8-xA4BLenqbBN0Hz_RMac1QVyTgZDrvdczQ6LiM,1010
+ssm_cli/ssh/server.py,sha256=hwveSRRBldurwC77SfDjWVZmu4GI0G62Pg78xKE2Zbs,3652
+ssm_cli/ssh/shell.py,sha256=3WtBNvRPbjsxo2lcpr2gI42W107jIrS4ZOTkYklrw0o,1213
+ssm_cli/ssh/transport.py,sha256=IARq-4mIT3pY3ZUMiMs-Uu-0XkcZ2AcooXna3VvcSsw,547
+ssm_cli-0.0.2.dist-info/licenses/LICENCE,sha256=7R7m4xx5vJHEfQIeHswksFvaYZvllKUIlRf23aDhTGo,1071
+ssm_cli-0.0.2.dist-info/METADATA,sha256=ok6fSd--oKcyjLo9vnfjhjOn45sqi_nhYE8KjdZB1ok,3079
+ssm_cli-0.0.2.dist-info/WHEEL,sha256=1tXe9gY0PYatrMPMDd6jXqjfpz_B-Wqm32CPfRC58XU,91
+ssm_cli-0.0.2.dist-info/entry_points.txt,sha256=RM34aPLcnd2Tn4S_faCQ87ZnGSEbDtj0mvDGVaqharU,40
+ssm_cli-0.0.2.dist-info/top_level.txt,sha256=XU6k4a4BcH64MrGYG6KqGI3T_qlNAKjz29gaBS7JFUs,8
+ssm_cli-0.0.2.dist-info/RECORD,,

ssm_cli-0.0.2.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (77.0.3)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

ssm_cli-0.0.2.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+ssm = ssm_cli.cli:cli

ssm_cli-0.0.2.dist-info/licenses/LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Simon Fletcher
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ssm_cli-0.0.2.dist-info/top_level.txt

@@ -0,0 +1 @@
+ssm_cli