add aws-google CLI executable

wjordan · wjordan · commit 74523a01c522 · 2019-08-08T16:15:05.000-07:00
diff --git a/README.md b/README.md
@@ -79,6 +79,17 @@ Aws::Google.config = {
 puts Aws::STS::Client.new.get_caller_identity
 ```
 
+- Or, set `credential_process` in your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to `aws-google` to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) without any change to your application code:
+
+```
+[profile my_google]
+credential_process = aws-google --profile my_google
+aws_role = arn:aws:iam::[AccountID]:role/[Role]
+google_client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+google_client_secret = 01234567890abcdefghijklmn
+
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
diff --git a/aws-google.gemspec b/aws-google.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk-core', '~> 3'
   spec.add_dependency 'google-api-client', '~> 0.23'
-  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+  spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
   spec.add_development_dependency 'bundler', '~> 1'
diff --git a/exe/aws-google b/exe/aws-google
@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+
+# CLI to retrieve AWS credentials in credential_process format.
+# Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+require 'aws/google'
+require 'time'
+require 'json'
+require 'optparse'
+
+def error(msg)
+  puts msg
+  exit 1
+end
+
+options = {}
+OptionParser.new do |opts|
+  opts.on('-p PROFILE', '--profile PROFILE', 'Profile') do |p|
+    options[:profile] = p
+  end
+  opts.on('-v', '--version', 'Version') do
+    require 'aws/google/version'
+    puts Aws::Google::VERSION
+    exit 0
+  end
+  opts.on('-r ROLE', '--role ROLE', 'AWS Role arn') do |r|
+    options[:role_arn] = r
+  end
+  opts.on('-i ID', '--client-id ID', 'Google Client ID') do |id|
+    options[:google_client_id] = id
+  end
+  opts.on('-s SECRET', '--client-secret SECRET', 'Google Client Secret') do |secret|
+    options[:google_client_secret] = secret
+  end
+  opts.on('-h DOMAIN', '--domain DOMAIN', 'Google Domain') do |hd|
+    options[:domain] = hd
+  end
+  opts.on('-d DURATION', '--duration DURATION', 'Duration in seconds') do |d|
+    options[:duration_seconds] = d.to_i
+  end
+  opts.on('--port PORT', 'Port number for local server') do |p|
+    options[:port] = p.to_i
+  end
+  opts.on('--online', 'Online authentication, no refresh token') do |o|
+    options[:online] = true
+  end
+end.parse!
+
+config = Aws.shared_config
+profile = options[:profile] || ENV['AWS_PROFILE'] || 'default'
+
+options[:role_arn] ||= config.get('aws_role', profile: profile) ||
+                   error('Missing config: aws_role')
+options[:google_client_id] ||= config.get('google_client_id', profile: profile) ||
+                        error('Missing config: google_client_id')
+options[:google_client_secret] ||= config.get('google_client_secret', profile: profile) ||
+                            error('Missing config: google_client_secret')
+
+# Cache temporary-session credentials in a separately-named profile.
+# Stored credentials take priority over credential_process,
+# so they would never be refreshed if stored in the same profile.
+options[:profile] += '_session'
+google = Aws::Google.new(options)
+credentials = google.credentials
+output = {
+  Version: 1,
+  AccessKeyId: credentials.access_key_id,
+  SecretAccessKey: credentials.secret_access_key,
+  SessionToken: credentials.session_token,
+  Expiration: Time.at(google.expiration.to_i).iso8601
+}
+require 'json'
+puts output.to_json
diff --git a/lib/aws/google.rb b/lib/aws/google.rb
@@ -39,7 +39,7 @@ class << self
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
-    #                 Defaults to an out-of-band authentication process.
+    #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
     # @option options [::Google::Auth::ClientId] :google_id
     def initialize(options = {})
       @oauth_attempted = false
@@ -56,7 +56,7 @@ def initialize(options = {})
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
-      @port = options[:port]
+      @port = options[:port] || 1234
 
       # Use existing AWS credentials stored in the shared config if available.
       # If this is `nil` or expired, #refresh will be called on the first AWS API service call
@@ -105,8 +105,18 @@ def google_oauth
       credentials.tap(&storage.method(:write_credentials))
     end
 
+    def silence_output
+      outs = [$stdout, $stderr]
+      clones = outs.map(&:clone)
+      outs.each { |io| io.reopen '/dev/null'}
+      yield
+    ensure
+      outs.each_with_index { |io, i| io.reopen(clones[i]) }
+    end
+
     def get_oauth_code(client, options)
-      raise 'fallback' unless @port
+      raise 'fallback' unless @port && !@port.zero?
+
       require 'launchy'
       require 'webrick'
       code = nil
@@ -123,26 +133,29 @@ def get_oauth_code(client, options)
       end
       trap('INT') { server.shutdown }
       client.redirect_uri = "http://localhost:#{@port}"
-      launchy = Launchy.open(client.authorization_uri(options).to_s)
-      server_thread = Thread.new do
-        begin
-          server.start
-        ensure server.shutdown
+      silence_output do
+        launchy = Launchy.open(client.authorization_uri(options).to_s)
+        server_thread = Thread.new do
+          begin
+            server.start
+          ensure server.shutdown
+          end
+        end
+        while server_thread.alive?
+          raise 'fallback' if !launchy.alive? && !launchy.value.success?
+
+          sleep 0.1
         end
-      end
-      while server_thread.alive?
-        raise 'fallback' if !launchy.alive? && !launchy.value.success?
-        sleep 0.1
       end
       code || raise('fallback')
     rescue StandardError
       trap('INT', 'DEFAULT')
       # Fallback to out-of-band authentication if browser launch failed.
       client.redirect_uri = 'oob'
-      url = client.authorization_uri(options)
-      print "\nOpen the following URL in a browser and enter the " \
-             "resulting code after authorization:\n#{url}\n> "
-      gets
+      return ENV['OAUTH_CODE'] if ENV['OAUTH_CODE']
+
+      raise RuntimeError, 'Open the following URL in a browser to get a code,' \
+             "export to $OAUTH_CODE and rerun:\n#{client.authorization_uri(options)}", []
     end
 
     def refresh
@@ -176,7 +189,7 @@ def refresh
         raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
 Role: #{@assume_role_params[:role_arn]}
 Email: #{token_params['email']}
-Google ID: #{token_params['sub']}", e.backtrace
+Google ID: #{token_params['sub']}", []
       end
 
       c = assume_role.credentials
