initial version

Author: wjordan

.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/.idea/

.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.14.6

Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright 2019 Code.org
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -0,0 +1,92 @@
+# Aws::Google
+
+Use Google OAuth as an AWS Credential Provider.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'aws-google'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install aws-google
+
+## Usage
+
+- Visit the [Google API Console](https://console.developers.google.com/) to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
+- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust relationship' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action to be permitted
+by your Google Client ID and a specific set of Google Account IDs:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "accounts.google.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com"
+        },
+        "ForAnyValue:StringEquals": {
+          "accounts.google.com:sub": [
+            "000000000000000000000",
+            "111111111111111111111"
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+- In your Ruby code, construct an `Aws::Google` object by passing in the AWS role, client id and client secret:
+```ruby
+aws_role = 'arn:aws:iam::[AccountID]:role/[Role]'
+client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
+client_secret = '01234567890abcdefghijklmn'
+
+role_credentials = Aws::Google.new(
+  role_arn: aws_role,
+  google_client_id: client_id,
+  google_client_secret: client_secret
+)
+
+puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
+```
+
+- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
+
+```ruby
+Aws::Google.config = {
+  role_arn: aws_role,
+  google_client_id: client_id,
+  google_client_secret: client_secret,
+}
+
+puts Aws::STS::Client.new.get_caller_identity
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/code-dot-org/aws-google.
+
+## License
+
+The gem is available as open source under the terms of the [Apache 2.0 License](http://opensource.org/licenses/apache-2.0).

Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

aws-google.gemspec

@@ -0,0 +1,43 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'aws/google/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aws-google'
+  spec.version       = Aws::Google::VERSION
+  spec.authors       = ['Will Jordan']
+  spec.email         = ['[email protected]']
+
+  spec.summary       = 'Use Google OAuth as an AWS credential provider.'
+  spec.description   = 'Use Google OAuth as an AWS credential provider.'
+  spec.homepage      = 'https://github.com/code-dot-org/aws-google'
+  spec.license       = 'Apache-2.0'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'aws-sdk-core', '~> 3'
+  spec.add_dependency 'google-api-client', '~> 0.23'
+  spec.add_dependency 'launchy' # Peer dependency of Google::APIClient::InstalledAppFlow
+
+  spec.add_development_dependency 'activesupport'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'mocha'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'timecop'
+  spec.add_development_dependency 'webmock'
+end

bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'aws/google'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

lib/aws/google.rb

@@ -0,0 +1,167 @@
+require_relative 'google/version'
+require 'aws-sdk-core'
+require_relative 'google/credential_provider'
+
+require 'googleauth'
+require 'google/api_client/auth/storage'
+require 'google/api_client/auth/storages/file_store'
+require 'google/api_client/auth/installed_app'
+
+module Aws
+  # An auto-refreshing credential provider that works by assuming
+  # a role via {Aws::STS::Client#assume_role_with_web_identity},
+  # using an ID token derived from a Google refresh token.
+  #
+  #   role_credentials = Aws::Google.new(
+  #     role_arn: aws_role,
+  #     google_client_id: client_id,
+  #     google_client_secret: client_secret
+  #   )
+  #
+  #   ec2 = Aws::EC2::Client.new(credentials: role_credentials)
+  #
+  # If you omit `:client` option, a new {STS::Client} object will be
+  # constructed.
+  class Google
+    include ::Aws::CredentialProvider
+    include ::Aws::RefreshingCredentials
+
+    class << self
+      attr_accessor :config
+    end
+
+    # @option options [required, String] :role_arn
+    # @option options [String] :policy
+    # @option options [Integer] :duration_seconds
+    # @option options [String] :external_id
+    # @option options [STS::Client] :client STS::Client to use (default: create new client)
+    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+    # @option options [::Google::Auth::ClientId] :google_id
+    def initialize(options = {})
+      @oauth_attempted = false
+      @assume_role_params = options.slice(
+        *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
+          input.shape.member_names
+      )
+
+      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+      @google_id = ::Google::Auth::ClientId.new(
+        options[:google_client_id],
+        options[:google_client_secret]
+      )
+      @client = options[:client] || Aws::STS::Client.new(credentials: nil)
+
+      # Use existing AWS credentials stored in the shared config if available.
+      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+      # to generate AWS credentials derived from Google authentication.
+      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
+      @mutex = Mutex.new
+      if near_expiration?
+        refresh!
+      else
+        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
+      end
+    end
+
+    private
+
+    # Use cached Application Default Credentials if available,
+    # otherwise fallback to creating new Google credentials through browser login.
+    def google_client
+      @google_client ||= (::Google::Auth.get_application_default rescue nil) || google_oauth
+    end
+
+    # Create an OAuth2 Client using Google's default browser-based OAuth InstalledAppFlow.
+    # Store cached credentials to the standard Google Application Default Credentials location.
+    # Ref: http://goo.gl/IUuyuX
+    def google_oauth
+      return nil if @oauth_attempted
+      @oauth_attempted = true
+      require 'google/api_client/auth/installed_app'
+      flow = ::Google::APIClient::InstalledAppFlow.new(
+        client_id: @google_id.id,
+        client_secret: @google_id.secret,
+        scope: %w[email profile]
+      )
+      path = "#{ENV['HOME']}/.config/#{::Google::Auth::CredentialsLoader::WELL_KNOWN_PATH}"
+      FileUtils.mkdir_p(File.dirname(path))
+      flow.authorize(GoogleStorage.new(::Google::APIClient::FileStore.new(path)))
+    end
+
+    def refresh
+      assume_role = begin
+        client = google_client
+        return unless client
+
+        begin
+          tries ||= 2
+          id_token = client.id_token
+          # Decode the JWT id_token to use the Google email as the AWS role session name.
+          token_params = JWT.decode(id_token, nil, false).first
+        rescue JWT::DecodeError, JWT::ExpiredSignature
+          # Refresh and retry once if token is expired or invalid.
+          client.refresh!
+          (tries -= 1).zero? ? raise : retry
+        end
+
+        @client.assume_role_with_web_identity(
+          @assume_role_params.merge(
+            web_identity_token: id_token,
+            role_session_name: token_params['email']
+          )
+        )
+      rescue Signet::AuthorizationError => e
+        (@google_client = google_oauth) && retry || raise
+      rescue Aws::STS::Errors::AccessDenied => e
+        retry if (@google_client = google_oauth)
+        raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
+Role: #{@assume_role_params[:role_arn]}
+Email: #{token_params['email']}
+Google ID: #{token_params['sub']}", e.backtrace
+      end
+      c = assume_role.credentials
+      @credentials = Aws::Credentials.new(
+        c.access_key_id,
+        c.secret_access_key,
+        c.session_token
+      )
+      @expiration = c.expiration.to_i
+      write_credentials
+    end
+
+    # Use `aws configure set` to write credentials and expiration to AWS credentials file.
+    # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+    def write_credentials
+      %w[
+        access_key_id
+        secret_access_key
+        session_token
+      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
+        to_h.
+        merge(expiration: @expiration).each do |key, value|
+        system("aws configure set #{key} #{value} --profile #{@profile}")
+      end
+    end
+  end
+
+  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
+  module SharedConfigGetKey
+    def get(key, opts = {})
+      profile = opts.delete(:profile) || @profile_name
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        prof_config[key]
+      else
+        nil
+      end
+    end
+  end
+  Aws::SharedConfig.prepend SharedConfigGetKey
+
+  # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
+  # as required by Google's default credentials loader.
+  class GoogleStorage < ::Google::APIClient::Storage
+    def credentials_hash
+      super.merge(type: 'authorized_user')
+    end
+  end
+end

lib/aws/google/credential_provider.rb

@@ -0,0 +1,18 @@
+module Aws
+  class Google
+    # Inserts GoogleCredentials into the default AWS credential provider chain.
+    # Google credentials will only be used if Aws::Google.config is set before initialization.
+    module CredentialProvider
+      # Insert google_credentials as the second-to-last credentials provider
+      # (in front of instance profile, which makes an http request).
+      def providers
+        super.insert(-2, [:google_credentials, {}])
+      end
+
+      def google_credentials(options)
+        (config = Google.config) && Google.new(options.merge(config))
+      end
+    end
+    ::Aws::CredentialProviderChain.prepend CredentialProvider
+  end
+end

lib/aws/google/version.rb

@@ -0,0 +1,5 @@
+module Aws
+  class Google
+    VERSION = '0.1.0'.freeze
+  end
+end