ssm-cli 0.1.3.dev2__tar.gz → 0.1.4.dev0__tar.gz

{ssm_cli-0.1.3.dev2/ssm_cli.egg-info → ssm_cli-0.1.4.dev0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssm-cli
-Version: 0.1.3.dev2
+Version: 0.1.4.dev0
 Summary: CLI tool to help with SSM functionality, aimed at adminstrators
 Author-email: Simon Fletcher <simon.fletcher@lexisnexisrisk.com>
 License: MIT License
@@ -96,7 +96,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "resourcegroupstaggingapi:GetResources",
+            "tag:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/README.md

@@ -53,7 +53,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "resourcegroupstaggingapi:GetResources",
+            "tag:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/aws.py

@@ -3,10 +3,18 @@ import botocore
 import contextlib
 from ssm_cli.cli_args import ARGS
 
-class AWSAuthError(Exception):
+class AWSError(Exception):
+    """ A generic exception for any AWS errors """
+    pass
+
+class AWSAuthError(AWSError):
     """ A generic exception for any AWS authentication errors """
     pass
 
+class AWSAccessDeniedError(AWSError):
+    """ An exception for when the AWS credentials do not have the required permissions """
+    pass
+
 _session_cache = []
 _client_cache = {}
 
@@ -29,6 +37,8 @@ def aws_session():
     except botocore.exceptions.ClientError as e:
         if e.response['Error']['Code'] == 'ExpiredTokenException':
             raise AWSAuthError(f"AWS credentials expired") from e
+        elif e.response['Error']['Code'] == "AccessDeniedException":
+            raise AWSAccessDeniedError(f"AWS credentials do not have the required permissions") from e
         raise e
 
 @contextlib.contextmanager

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/cli.py

@@ -5,10 +5,11 @@ from rich_argparse import ArgumentDefaultsRichHelpFormatter
 import confclasses
 from ssm_cli.config import CONFIG
 from ssm_cli.xdg import get_log_file, get_conf_file
-from ssm_cli.commands import COMMANDS, BaseCommand
+from ssm_cli.commands import COMMANDS
 from ssm_cli.cli_args import CliArgumentParser, ARGS
-from ssm_cli.aws import AWSAuthError
+from ssm_cli.aws import AWSAuthError, AWSAccessDeniedError
 from ssm_cli.console import console
+from rich.markup import escape
 
 # Setup logging
 import logging
@@ -56,8 +57,7 @@ def cli(argv: list = None) -> int:
     
     # Setup is a special case, we cannot load config if we dont have any.
     if ARGS.command == "setup":
-        run_command()
-        return 0
+        return _run()
     
     try:
         with open(get_conf_file(), 'r') as file:
@@ -65,7 +65,7 @@ def cli(argv: list = None) -> int:
             ARGS.update_config()
             logger.debug(f"Config: {CONFIG}")
     except EnvironmentError as e:
-        console.print(f"[red]Invalid config: {e}[/red]")
+        console.print(f"Invalid config: {e}", style="red")
         return 1
     
     logging.getLogger().setLevel(CONFIG.log.level.upper())
@@ -75,27 +75,31 @@ def cli(argv: list = None) -> int:
         logger.debug(f"setting logger {logger_name} to {level}")
         logging.getLogger(logger_name).setLevel(level.upper())
 
-    try:
-        if ARGS.command not in COMMANDS:
-            console.print(f"[red]failed to find action {ARGS.action}[/red]")
-            return 3
-        COMMANDS[ARGS.command].run()
-    except AWSAuthError as e:
-        console.print(f"[red]AWS Authentication error: {e}[/red]")
-        return 2
+
+    if ARGS.command not in COMMANDS:
+        console.print(f"failed to find action {ARGS.action}", style="red")
+        return 1
     
-    return 0
+    return _run()
 
-def run_command():
+def _run():
     """
     Run a command, better exceptions and logging
     """
     try:
         COMMANDS[ARGS.command].run()
+        return 0
+    except AWSAuthError as e:
+        console.print(f"AWS Authentication error: {e}", style="red")
+        return 1
+    except AWSAccessDeniedError as e:
+            logger.error(f"access denied: {e}")
+            console.print(f"Access denied, see README for details on required permissions", style="bold red")
+            console.print(escape(str(e.__cause__)), style="grey50")
     except Exception as e:
         logger.error(f"Unhandled exception in {ARGS.command}")
-        console.print(f"Unhandled exception, check [link=file://{get_log_file()}]{get_log_file()}[/link] for more information", style="red")
+        log_path = str(get_log_file())
+        console.print(f"Unhandled exception, check [link=file://{log_path}]{log_path}[/link] for more information", style="red")
         console.print(f"Error: {e}", style="red bold")
         logger.exception(e, stack_info=True, stacklevel=20)
         return 1
-    return 0

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/commands/base.py

@@ -12,5 +12,5 @@ class BaseCommand(ABC):
         pass
     
     @abstractmethod
-    def run(args: list):
+    def run():
         pass

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/commands/setup.py

@@ -6,6 +6,7 @@ from ssm_cli.cli_args import ARGS
 from ssm_cli.config import CONFIG
 from confclasses import from_dict, save
 from ssm_cli.console import console
+from rich.markup import escape
 
 GREY = "grey50"
 
@@ -55,7 +56,9 @@ class SetupCommand(BaseCommand):
             console.print(f"{path} creating", style="green")
             from_dict(CONFIG, {})
 
-            CONFIG.group_tag_key = console.input(f"What tag to use to split up the instances \[{CONFIG.group_tag_key}]: ") or CONFIG.group_tag_key
+            text = escape(f"What tag to use to split up the instances [{CONFIG.group_tag_key}]: ")
+            tag_key = console.input(text)
+            CONFIG.group_tag_key = tag_key or CONFIG.group_tag_key
             console.print(f"Using '{CONFIG.group_tag_key}' as the group tag", style=GREY)
             logger.info(f"Writing config to {path}")
 

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/commands/shell.py

@@ -1,7 +1,7 @@
 from ssm_cli.instances import Instances
 from ssm_cli.commands.base import BaseCommand
 from ssm_cli.cli_args import ARGS
-from ssm_cli import console
+from ssm_cli.console import console
 
 import logging
 logger = logging.getLogger(__name__)
@@ -31,4 +31,4 @@ class ShellCommand(BaseCommand):
 
         logger.info(f"connecting to {repr(instance)}")
         
-        instance.start_session()
+        instance.start_session()

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/commands/ssh_proxy/__init__.py

@@ -35,23 +35,32 @@ class SshProxyCommand(BaseCommand):
 
 def direct_tcpip_callback(instance: Instance, connections: dict) -> callable:
     def callback(host, remote_port) -> socket.socket:
-        if (host, remote_port) not in connections:
-            logger.debug(f"connect to {host}:{remote_port}")
-            internal_port = get_next_free_port(remote_port + 3000, 20)
-            logger.debug(f"got internal port {internal_port}")
-            try:
-                instance.start_port_forwarding_session_to_remote_host(host, remote_port, internal_port)
-                connections[(host, remote_port)] = internal_port
-            except Exception as e:
-                logger.error(f"failed to open port forward: {e}")
-                return None
-        else:
-            internal_port = connections[(host, remote_port)]
+        internal_port, proc = None, None
+
+        if (host, remote_port) in connections:
+            internal_port, proc = connections[(host, remote_port)]
+            if proc.poll() is not None:
+                logger.debug(f"process for {host}:{remote_port} has exited, restarting")
+                del connections[(host, remote_port)]
+                internal_port, proc = None, None
+        
+        if internal_port is None:
+            # Retry because of rare race condition from get_free_port
+            for attempt in range(3):
+                try:
+                    internal_port = get_free_port()
+                    proc = instance.start_port_forwarding_session_to_remote_host(host, remote_port, internal_port)
+                except Exception as e: # TODO: catch more specific exceptions
+                    logger.warning(f"session-manager-plugin attempt {attempt} failed: {e}")
+                    time.sleep(0.1)
         
         logger.debug(f"connecting to session manager plugin on 127.0.0.1:{internal_port}")
         # Even though we wait for the process to say its connected, we STILL need to wait for it
         for attempt in range(10):
             try:
+                if proc.poll() is not None:
+                    logger.error(f"session-manager-plugin has exited")
+                    raise RuntimeError("session-manager-plugin has exited")
                 sock = socket.create_connection(('127.0.0.1', internal_port))
                 logger.info(f"connected to 127.0.0.1:{internal_port}")
             except Exception as e:
@@ -62,16 +71,14 @@ def direct_tcpip_callback(instance: Instance, connections: dict) -> callable:
 
     return callback
 
-def get_next_free_port(port: int, tries: int) -> int:
+
+def get_free_port(bind_host="127.0.0.1"):
     """
-    Get the next free port after the given port, TODO: investigate if we can use socket files
+    Ask OS for an ephemeral free port. Returns the port number, however it is not guaranteed that the port will remain free. A retry should be used.
     """
-    max_port = port + tries
-    while port < max_port:
-        logger.debug(f"attempting port {port}")
-        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        s.settimeout(1)
-        result = s.connect_ex(('127.0.0.1', port))
-        if result != 0:
-            return port
-        port += 1
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind((bind_host, 0))  # port 0 => let OS pick
+    port = s.getsockname()[1]
+    s.close()
+    return port

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0}/ssm_cli/instances.py

@@ -5,7 +5,7 @@ import re
 import signal
 import subprocess
 import sys
-from typing import List, Dict
+from typing import List
 
 from ssm_cli.selectors import SELECTORS
 from ssm_cli.config import CONFIG
@@ -85,14 +85,18 @@ class Instance:
                     json.dumps(parameters),
                     f"https://ssm.{session.region_name}.amazonaws.com"
                 ],
-                stdout=subprocess.PIPE
+                stdout=subprocess.PIPE,
+                stderr=subprocess.STDOUT
             )
 
-            for line in proc.stdout.readline():
+            for line in proc.stdout: # this will block, needs sorting
+                line = line.strip()
                 if line == b'Waiting for connections...':
-                    return
-
+                    return proc
+                else:
+                    logger.debug(f"Recieved from session-manager-plugin: {line}")
 
+            raise RuntimeError("Failed to start port forwarding session")
 
 def _session_manager_plugin( command: list) -> int:
     """ Call out to subprocess and ignore interrupts """

{ssm_cli-0.1.3.dev2 → ssm_cli-0.1.4.dev0/ssm_cli.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssm-cli
-Version: 0.1.3.dev2
+Version: 0.1.4.dev0
 Summary: CLI tool to help with SSM functionality, aimed at adminstrators
 Author-email: Simon Fletcher <simon.fletcher@lexisnexisrisk.com>
 License: MIT License
@@ -96,7 +96,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "resourcegroupstaggingapi:GetResources",
+            "tag:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],