Module: Awskeyring

Defined in:

lib/awskeyring.rb,
lib/awskeyring/input.rb,
lib/awskeyring/awsapi.rb,
lib/awskeyring/version.rb,
lib/awskeyring/validate.rb,
lib/awskeyring/credential_provider.rb

Overview

Awskeyring Module, gives you an interface to access keychains and items.

Defined Under Namespace

Modules: Awsapi, Input, Validate Classes: CredentialProvider

Constant Summary

PREFS_FILE =

Default rpeferences fole path

(File.expand_path '~/.awskeyring').freeze

ROLE_PREFIX =

Prefix for Roles

'role '

ACCOUNT_PREFIX =

Prefix for Accounts

'account '

SESSION_KEY_PREFIX =

Prefix for Session Keys

'session-key '

SESSION_TOKEN_PREFIX =

Prefix for Session Tokens

'session-token '

FIVE_MINUTES =

Default keychain Lock period

300

DEFAULT_KEY_AGE =

Default warning of key age in days.

90

DEFAULT_CONSOLE_LIST =

Default Console Paths

%w[cloudformation ec2/v2 iam rds route53 s3 sns sqs vpc].freeze

DEFAULT_BROWSER_LIST =

Default Browsers

%w[Brave FireFox Opera Safari Vivaldi].freeze

VERSION =

The Gem’s version number

'1.13.0'

HOMEPAGE =

The Gem’s homepage

'https://github.com/tristanmorgan/awskeyring'

GEM_VERSION_URL =

RubyGems Version url

'https://rubygems.org/api/v1/versions/awskeyring/latest.json'

Class Method Summary

• .access_key_not_exists(access_key) ⇒ Object

  Validate access key does not exists.

• .account_exists(account_name) ⇒ Object

  Validate account exists.

• .account_not_exists(account_name) ⇒ Object

  Validate account does not exists.

• .add_account(account:, key:, secret:, mfa:) ⇒ Object

  Add an account item.

• .add_role(role:, arn:) ⇒ Object

  Add a Role item.

• .add_token(params = {}) ⇒ Object

  add a session token pair of items.

• .delete_account(account:, message:) ⇒ Object

  Delete an Account.

• .delete_role(role_name:, message:) ⇒ Object

  Delete a role.

• .delete_token(account:, message:) ⇒ Object

  Delete a session token.

• .get_role_arn(role_name:) ⇒ Object

  get the ARN for a role.

• .get_valid_creds(account:, no_token: false) ⇒ Object

  Return valid creds for account.

• .init_keychain(awskeyring:) ⇒ Object

  Create a new Keychain.

• .key_age ⇒ Object

  Return Key age warning number.

• .latest_version ⇒ Object

  Retrieve the latest version from RubyGems.

• .list_account_names ⇒ Object

  Return a list account item names.

• .list_account_names_plus ⇒ Object

  Return a list account item names plus account ids.

• .list_browsers ⇒ Object

  Return a list of browserss.

• .list_console_path ⇒ Object

  Return a list of console paths.

• .list_role_names ⇒ Object

  Return a list role item names.

• .list_role_names_plus ⇒ Object

  Return a list role item names and arns.

• .list_token_names ⇒ Object

  Return a list token item names.

• .prefs ⇒ Hash

  Retrieve the preferences.

• .role_arn_not_exists(role_arn) ⇒ Object

  Validate role arn not exists.

• .role_exists(role_name) ⇒ Object

  Validate role exists.

• .role_not_exists(role_name) ⇒ Object

  Validate role does not exists.

• .solo_select(list, prefix) ⇒ Object

  return item that matches a prefix if only one.

• .token_exists(token_name) ⇒ Object

  Validate token exists.

• .update_account(account:, key:, secret:) ⇒ Object

  update and account item.

Class Method Details

.access_key_not_exists(access_key) ⇒ Object

Validate access key does not exists

Parameters:

• access_key (String) —

  the associated access key.

# File 'lib/awskeyring.rb', line 364

def self.access_key_not_exists(access_key)
  Awskeyring::Validate.access_key(access_key)
  raise 'Access KEY already exists' if item_by_account(access_key)

  access_key
end

.account_exists(account_name) ⇒ Object

Validate account exists

Parameters:

• account_name (String) —

  the associated account name.

# File 'lib/awskeyring.rb', line 344

def self.account_exists(account_name)
  Awskeyring::Validate.account_name(account_name)
  raise 'Account does not exist' unless (account_name = solo_select(list_account_names, account_name))

  account_name
end

.account_not_exists(account_name) ⇒ Object

Validate account does not exists

Parameters:

• account_name (String) —

  the associated account name.

# File 'lib/awskeyring.rb', line 354

def self.account_not_exists(account_name)
  Awskeyring::Validate.account_name(account_name)
  raise 'Account already exists' if list_account_names.include?(account_name)

  account_name
end

.add_account(account:, key:, secret:, mfa:) ⇒ Object

Add an account item

Parameters:

• account (String) —

  The account name to create

• key (String) —

  The aws_access_key_id

• secret (String) —

  The aws_secret_key

• mfa (String) —

  The arn of the MFA device

# File 'lib/awskeyring.rb', line 119

def self.add_account(account:, key:, secret:, mfa:)
  all_items.create(
    label: ACCOUNT_PREFIX + account,
    account: key,
    password: secret,
    comment: mfa
  )
end

.add_role(role:, arn:) ⇒ Object

Add a Role item

Parameters:

• role (String) —

  The role name to add

• arn (String) —

  The arn of the role

# File 'lib/awskeyring.rb', line 144

def self.add_role(role:, arn:)
  all_items.create(
    label: ROLE_PREFIX + role,
    account: arn,
    password: '',
    comment: ''
  )
end

.add_token(params = {}) ⇒ Object

add a session token pair of items

Parameters:

• params (Hash) (defaults to: {}) —

  including account The name of the accont key The aws_access_key_id secret The aws_secret_access_key token The aws_sesson_token expiry time of expiry role The role used

# File 'lib/awskeyring.rb', line 162

def self.add_token(params = {})
  all_items.create(label: SESSION_KEY_PREFIX + params[:account],
                   account: params[:key],
                   password: params[:secret],
                   comment: params[:role].nil? ? '' : ROLE_PREFIX + params[:role])
  all_items.create(label: SESSION_TOKEN_PREFIX + params[:account],
                   account: params[:expiry],
                   password: params[:token],
                   comment: params[:role] || '')
end

.delete_account(account:, message:) ⇒ Object

Delete an Account

Parameters:

• account (String) —

  The account to delete

• message (String) —

  The message to display

# File 'lib/awskeyring.rb', line 320

def self.delete_account(account:, message:)
  delete_token(account: account, message: I18n.t('message.delexpired'))
  cred = get_item(account: account)
  return unless cred

  puts message if message
  cred.delete
end

.delete_role(role_name:, message:) ⇒ Object

Delete a role

Parameters:

• role_name (String) —

  The role to delete

• message (String) —

  The message to display

# File 'lib/awskeyring.rb', line 333

def self.delete_role(role_name:, message:)
  role = get_role(role_name: role_name)
  return unless role

  puts message if message
  role.delete
end

.delete_token(account:, message:) ⇒ Object

Delete a session token

Parameters:

• account (String) —

  The account to delete a token for

• message (String) —

  The message to display

# File 'lib/awskeyring.rb', line 311

def self.delete_token(account:, message:)
  session_key, session_token = get_token_pair(account: account)
  delete_pair(key: session_key, token: session_token, message: message)
end

.get_role_arn(role_name:) ⇒ Object

get the ARN for a role

Parameters:

• role_name (String) —

  The role name to retrieve

# File 'lib/awskeyring.rb', line 282

def self.get_role_arn(role_name:)
  role_item = get_role(role_name: role_name)
  role_item.attributes[:account] if role_item
end

.get_valid_creds(account:, no_token: false) ⇒ Object

Return valid creds for account

Parameters:

• account (String) —

  The account to retrieve

• no_token (Boolean) (defaults to: false) —

  Flag to skip tokens

# File 'lib/awskeyring.rb', line 264

def self.get_valid_creds(account:, no_token: false)
  cred, temp_cred = get_valid_item_pair(account: account, no_token: no_token)
  token = temp_cred.password unless temp_cred.nil?
  expiry = temp_cred.attributes[:account].to_i unless temp_cred.nil?
  {
    account: account,
    expiry: expiry,
    key: cred.attributes[:account],
    mfa: no_token ? cred.attributes[:comment] : nil,
    secret: cred.password,
    token: token,
    updated: cred.attributes[:updated_at]
  }
end

.init_keychain(awskeyring:) ⇒ Object

Create a new Keychain

Parameters:

• awskeyring (String) —

  The keychain name to create

# File 'lib/awskeyring.rb', line 48

def self.init_keychain(awskeyring:)
  keychain = Keychain.create(awskeyring)
  keychain.lock_interval = FIVE_MINUTES
  keychain.lock_on_sleep = true

  prefs = {
    awskeyring: awskeyring,
    keyage: DEFAULT_KEY_AGE,
    browser: DEFAULT_BROWSER_LIST,
    console: DEFAULT_CONSOLE_LIST
  }
  File.new(Awskeyring::PREFS_FILE, 'w').write JSON.dump(prefs)
end

.key_age ⇒ Object

Return Key age warning number

# File 'lib/awskeyring.rb', line 238

def self.key_age
  prefs.key?('keyage') ? prefs['keyage'] : DEFAULT_KEY_AGE
end

.latest_version ⇒ Object

Retrieve the latest version from RubyGems

# File 'lib/awskeyring/version.rb', line 18

def self.latest_version
  uri       = URI(GEM_VERSION_URL)
  request   = Net::HTTP.new(uri.host, uri.port)
  request.use_ssl = true
  JSON.parse(request.get(uri).body)['version']
end

.list_account_names ⇒ Object

Return a list account item names

# File 'lib/awskeyring.rb', line 191

def self.list_account_names
  items = list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..] }

  tokens = list_tokens.map { |elem| elem.attributes[:label][(SESSION_KEY_PREFIX.length)..] }

  (items + tokens).uniq.sort
end

.list_account_names_plus ⇒ Object

Return a list account item names plus account ids

# File 'lib/awskeyring.rb', line 200

def self.list_account_names_plus # rubocop:disable Metrics/AbcSize
  list_items.concat(list_tokens).map do |elem|
    account_id = Awskeyring::Awsapi.get_account_id(key: elem.attributes[:account])
    account_name = if elem.attributes[:label].start_with?(ACCOUNT_PREFIX)
                     elem.attributes[:label][(ACCOUNT_PREFIX.length)..]
                   else
                     elem.attributes[:label][(SESSION_KEY_PREFIX.length)..]
                   end
    "#{account_name}\t#{account_id}"
  end.uniq.sort
end

.list_browsers ⇒ Object

Return a list of browserss

# File 'lib/awskeyring.rb', line 233

def self.list_browsers
  prefs.key?('browser') ? prefs['browser'] : DEFAULT_BROWSER_LIST
end

.list_console_path ⇒ Object

Return a list of console paths

# File 'lib/awskeyring.rb', line 228

def self.list_console_path
  prefs.key?('console') ? prefs['console'] : DEFAULT_CONSOLE_LIST
end

.list_role_names ⇒ Object

Return a list role item names

# File 'lib/awskeyring.rb', line 213

def self.list_role_names
  list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..] }.sort
end

.list_role_names_plus ⇒ Object

Return a list role item names and arns

# File 'lib/awskeyring.rb', line 223

def self.list_role_names_plus
  list_roles.map { |elem| "#{elem.attributes[:label][(ROLE_PREFIX.length)..]}\t#{elem.attributes[:account]}" }
end

.list_token_names ⇒ Object

Return a list token item names

# File 'lib/awskeyring.rb', line 218

def self.list_token_names
  list_tokens.map { |elem| elem.attributes[:label][(SESSION_KEY_PREFIX.length)..] }.sort
end

.prefs ⇒ Hash

Retrieve the preferences

Returns:

• (Hash) —

  prefs of the gem

# File 'lib/awskeyring.rb', line 37

def self.prefs
  if File.exist? PREFS_FILE
    JSON.parse(File.read(PREFS_FILE))
  else
    {}
  end
end

.role_arn_not_exists(role_arn) ⇒ Object

Validate role arn not exists

Parameters:

• role_arn (String) —

  the associated role arn.

# File 'lib/awskeyring.rb', line 404

def self.role_arn_not_exists(role_arn)
  Awskeyring::Validate.role_arn(role_arn)
  raise 'Role ARN already exists' if item_by_account(role_arn)

  role_arn
end

.role_exists(role_name) ⇒ Object

Validate role exists

Parameters:

• role_name (String) —

  the associated role name.

# File 'lib/awskeyring.rb', line 374

def self.role_exists(role_name)
  Awskeyring::Validate.role_name(role_name)
  raise 'Role does not exist' unless (role_name = solo_select(list_role_names, role_name))

  role_name
end

.role_not_exists(role_name) ⇒ Object

Validate role does not exists

Parameters:

• role_name (String) —

  the associated role name.

# File 'lib/awskeyring.rb', line 384

def self.role_not_exists(role_name)
  Awskeyring::Validate.role_name(role_name)
  raise 'Role already exists' if list_role_names.include?(role_name)

  role_name
end

.solo_select(list, prefix) ⇒ Object

return item that matches a prefix if only one.

# File 'lib/awskeyring.rb', line 103

def self.solo_select(list, prefix)
  return prefix if list.include?(prefix)

  list.select! { |elem| elem.start_with?(prefix) }

  return list.first if list.length == 1

  nil
end

.token_exists(token_name) ⇒ Object

Validate token exists

Parameters:

• token_name (String) —

  the associated account name.

# File 'lib/awskeyring.rb', line 394

def self.token_exists(token_name)
  Awskeyring::Validate.account_name(token_name)
  raise 'Token does not exist' unless (token_name = solo_select(list_token_names, token_name))

  token_name
end

.update_account(account:, key:, secret:) ⇒ Object

update and account item

Parameters:

• account (String) —

  The account to update

• key (String) —

  The aws_access_key_id

• secret (String) —

  The aws_secret_key

# File 'lib/awskeyring.rb', line 133

def self.update_account(account:, key:, secret:)
  item = get_item(account: account)
  item.attributes[:account] = key
  item.password = secret
  item.save!
end