Merge branch 'process-credentials' into main

Author: wjordan

README.md

@@ -77,6 +77,17 @@ Aws::Google.config = {
 puts Aws::STS::Client.new.get_caller_identity
 ```
 
+- Or, set `credential_process` in your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to `aws-google` to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) without any change to your application code:
+
+```
+[profile my_google]
+credential_process = aws-google --profile my_google
+aws_role = arn:aws:iam::[AccountID]:role/[Role]
+google_client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+google_client_secret = 01234567890abcdefghijklmn
+
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

aws-google.gemspec

@@ -23,11 +23,11 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk-core', '~> 3'
   spec.add_dependency 'google-api-client', '~> 0.23'
-  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+  spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
-  spec.add_development_dependency 'bundler', '~> 1'
-  spec.add_development_dependency 'minitest', '~> 5.10'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'minitest', '~> 5.14.2'
   spec.add_development_dependency 'mocha', '~> 1.5'
   spec.add_development_dependency 'rake', '~> 12'
   spec.add_development_dependency 'timecop', '~> 0.8'

exe/aws-google

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+
+# CLI to retrieve AWS credentials in credential_process format.
+# Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+require 'aws/google'
+require 'time'
+require 'json'
+require 'optparse'
+
+def error(msg)
+  puts msg
+  exit 1
+end
+
+options = {}
+OptionParser.new do |opts|
+  opts.on('-p PROFILE', '--profile PROFILE', 'Profile') do |p|
+    options[:profile] = p
+  end
+  opts.on('-v', '--version', 'Version') do
+    require 'aws/google/version'
+    puts Aws::Google::VERSION
+    exit 0
+  end
+  opts.on('-r ROLE', '--role ROLE', 'AWS Role arn') do |r|
+    options[:role_arn] = r
+  end
+  opts.on('-i ID', '--client-id ID', 'Google Client ID') do |id|
+    options[:google_client_id] = id
+  end
+  opts.on('-s SECRET', '--client-secret SECRET', 'Google Client Secret') do |secret|
+    options[:google_client_secret] = secret
+  end
+  opts.on('-h DOMAIN', '--domain DOMAIN', 'Google Domain') do |hd|
+    options[:domain] = hd
+  end
+  opts.on('-d DURATION', '--duration DURATION', 'Duration in seconds') do |d|
+    options[:duration_seconds] = d.to_i
+  end
+  opts.on('--port PORT', 'Port number for local server') do |p|
+    options[:port] = p.to_i
+  end
+  opts.on('--online', 'Online authentication, no refresh token') do |o|
+    options[:online] = true
+  end
+end.parse!
+
+config = Aws.shared_config
+profile = options[:profile] || ENV['AWS_PROFILE'] || 'default'
+
+options[:role_arn] ||= config.get('aws_role', profile: profile) ||
+                   error('Missing config: aws_role')
+options[:google_client_id] ||= config.get('google_client_id', profile: profile) ||
+                        error('Missing config: google_client_id')
+options[:google_client_secret] ||= config.get('google_client_secret', profile: profile) ||
+                            error('Missing config: google_client_secret')
+
+# Cache temporary-session credentials in a separately-named profile.
+# Stored credentials take priority over credential_process,
+# so they would never be refreshed if stored in the same profile.
+options[:profile] += '_session'
+google = Aws::Google.new(options)
+credentials = google.credentials
+output = {
+  Version: 1,
+  AccessKeyId: credentials.access_key_id,
+  SecretAccessKey: credentials.secret_access_key,
+  SessionToken: credentials.session_token,
+  Expiration: Time.at(google.expiration.to_i).iso8601
+}
+require 'json'
+puts output.to_json

lib/aws/google.rb

@@ -39,7 +39,7 @@ class << self
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
-    #                 Defaults to an out-of-band authentication process.
+    #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
     # @option options [::Google::Auth::ClientId] :google_id
     def initialize(options = {})
       @oauth_attempted = false
@@ -56,7 +56,7 @@ def initialize(options = {})
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
-      @port = options[:port]
+      @port = options[:port] || 1234
 
       # Use existing AWS credentials stored in the shared config if available.
       # If this is `nil` or expired, #refresh will be called on the first AWS API service call
@@ -105,8 +105,18 @@ def google_oauth
       credentials.tap(&storage.method(:write_credentials))
     end
 
+    def silence_output
+      outs = [$stdout, $stderr]
+      clones = outs.map(&:clone)
+      outs.each { |io| io.reopen '/dev/null'}
+      yield
+    ensure
+      outs.each_with_index { |io, i| io.reopen(clones[i]) }
+    end
+
     def get_oauth_code(client, options)
-      raise 'fallback' unless @port
+      raise 'fallback' unless @port && !@port.zero?
+
       require 'launchy'
       require 'webrick'
       code = nil
@@ -123,26 +133,29 @@ def get_oauth_code(client, options)
       end
       trap('INT') { server.shutdown }
       client.redirect_uri = "http://localhost:#{@port}"
-      launchy = Launchy.open(client.authorization_uri(options).to_s)
-      server_thread = Thread.new do
-        begin
-          server.start
-        ensure server.shutdown
+      silence_output do
+        launchy = Launchy.open(client.authorization_uri(options).to_s)
+        server_thread = Thread.new do
+          begin
+            server.start
+          ensure server.shutdown
+          end
+        end
+        while server_thread.alive?
+          raise 'fallback' if !launchy.alive? && !launchy.value.success?
+
+          sleep 0.1
         end
-      end
-      while server_thread.alive?
-        raise 'fallback' if !launchy.alive? && !launchy.value.success?
-        sleep 0.1
       end
       code || raise('fallback')
     rescue StandardError
       trap('INT', 'DEFAULT')
       # Fallback to out-of-band authentication if browser launch failed.
       client.redirect_uri = 'oob'
-      url = client.authorization_uri(options)
-      print "\nOpen the following URL in a browser and enter the " \
-             "resulting code after authorization:\n#{url}\n> "
-      gets
+      return ENV['OAUTH_CODE'] if ENV['OAUTH_CODE']
+
+      raise RuntimeError, 'Open the following URL in a browser to get a code,' \
+             "export to $OAUTH_CODE and rerun:\n#{client.authorization_uri(options)}", []
     end
 
     def refresh
@@ -176,7 +189,7 @@ def refresh
         raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
 Role: #{@assume_role_params[:role_arn]}
 Email: #{token_params['email']}
-Google ID: #{token_params['sub']}", e.backtrace
+Google ID: #{token_params['sub']}", []
       end
 
       c = assume_role.credentials

test/aws/google_test.rb

@@ -17,6 +17,7 @@
     )
     # Disable instance metadata credentials.
     stub_request(:get, '169.254.169.254/latest/meta-data/iam/security-credentials/')
+    stub_request(:put, '169.254.169.254/latest/api/token')
     # Disable environment credentials.
     ENV.stubs(:[]).returns(nil)
   end
@@ -79,9 +80,9 @@
       system.times(5)
 
       c = Aws::STS::Client.new.config.credentials
-      c.credentials.access_key_id.must_equal credentials[:access_key_id]
-      c.credentials.secret_access_key.must_equal credentials[:secret_access_key]
-      c.credentials.session_token.must_equal credentials[:session_token]
+      _(c.credentials.access_key_id).must_equal credentials[:access_key_id]
+      _(c.credentials.secret_access_key).must_equal credentials[:secret_access_key]
+      _(c.credentials.session_token).must_equal credentials[:session_token]
     end
 
     it 'refreshes expired Google auth token credentials' do
@@ -95,9 +96,9 @@
       system.times(5)
 
       c = Aws::STS::Client.new.config.credentials
-      c.credentials.access_key_id.must_equal credentials[:access_key_id]
-      c.credentials.secret_access_key.must_equal credentials[:secret_access_key]
-      c.credentials.session_token.must_equal credentials[:session_token]
+      _(c.credentials.access_key_id).must_equal credentials[:access_key_id]
+      _(c.credentials.secret_access_key).must_equal credentials[:secret_access_key]
+      _(c.credentials.session_token).must_equal credentials[:session_token]
     end
 
     it 'refreshes expired credentials' do
@@ -110,9 +111,9 @@
       )
       service = Aws::STS::Client.new
       expiration = service.config.credentials.expiration
-      expiration.must_equal(service.config.credentials.expiration)
+      _(expiration).must_equal(service.config.credentials.expiration)
       Timecop.travel(1.5.hours.from_now) do
-        expiration.wont_equal(service.config.credentials.expiration)
+        _(expiration).wont_equal(service.config.credentials.expiration)
       end
     end
 
@@ -153,7 +154,7 @@
         err = assert_raises(Aws::STS::Errors::AccessDenied) do
           Aws::STS::Client.new.config.credentials
         end
-        err.message.must_match /Your Google ID does not have access to the requested AWS Role./
+        _(err.message).must_match 'Your Google ID does not have access to the requested AWS Role.'
       end
     end