module Core

module CredentialProviders

# This module is mixed into the various credential provider

# classes. It provides a unified interface for getting

# credentials and refreshing them.

module Provider

# The list of possible keys in the hash returned by {#credentials}.

KEYS = Set[:access_key_id, :secret_access_key, :session_token]

# @return [Hash] Returns a hash of credentials containg at least

# the `:access_key_id` and `:secret_access_key`. The hash may

# also contain a `:session_token`.

#

# @raise [Errors::MissingCredentialsError] Raised when the

# `:access_key_id` or the `:secret_access_key` can not be found.

#

def credentials

raise Errors::MissingCredentialsError unless set?

@cached_credentials.dup

end

# @return [Boolean] Returns true if has credentials and it contains

# at least the `:access_key_id` and `:secret_access_key`.

#

def set?

@cache_mutex ||= Mutex.new

unless @cached_credentials

@cache_mutex.synchronize do

@cached_credentials ||= get_credentials

end

end

!!(@cached_credentials[:access_key_id] &&

@cached_credentials[:secret_access_key])

end

# @return [String] Returns the AWS access key id.

# @raise (see #credentials)

def access_key_id

credentials[:access_key_id]

end

# @return [String] Returns the AWS secret access key.

# @raise (see #credentials)

def secret_access_key

credentials[:secret_access_key]

end

# @return [String,nil] Returns the AWS session token or nil if these

# are not session credentials.

# @raise (see #credentials)

def session_token

credentials[:session_token]

end

# Clears out cached/memoized credentials. Causes the provider

# to refetch credentials from the source.

# @return [nil]

def refresh

@cached_credentials = nil

end

protected

# This method is called on a credential provider to fetch

# credentials. The credentials hash returned from this

# method will be cached until the client calls {#refresh}.

# @return [Hash]

def get_credentials

# should be defined in provider classes.

raise NotImplementedError

end

end

# The default credential provider makes a best effort to

# locate your AWS credentials. It checks a variety of locations

# in the following order:

#

# * Static credentials from AWS.config (e.g. AWS.config.access_key_id,

# AWS.config.secret_access_key)

#

# * The environment (e.g. ENV['AWS_ACCESS_KEY_ID'] or

# ENV['AMAZON_ACCESS_KEY_ID'])

#

# * EC2 metadata service (checks for credentials provided by

# roles for instances).

#

class DefaultProvider

include Provider

# (see StaticProvider#new)

def initialize static_credentials = {}

@providers = []

@providers << StaticProvider.new(static_credentials)

@providers << ENVProvider.new('AWS')

@providers << ENVProvider.new('AWS', :access_key_id => 'ACCESS_KEY', :secret_access_key => 'SECRET_KEY', :session_token => 'SESSION_TOKEN')

@providers << ENVProvider.new('AMAZON')

begin

if Dir.home

@providers << SharedCredentialFileProvider.new

end

rescue ArgumentError, NoMethodError

end

@providers << EC2Provider.new

end

# @return [Array<Provider>]

attr_reader :providers

def credentials

providers.each do |provider|

if provider.set?

return provider.credentials

end

end

raise Errors::MissingCredentialsError

end

def set?

providers.any?(&:set?)

end

def refresh

providers.each do |provider|

provider.refresh

end

end

end

# Static credentials are provided directly to config via

# `:access_key_id` and `:secret_access_key` (and optionally

# `:session_token`).

# @api private

class StaticProvider

include Provider

# @param [Hash] static_credentials

# @option static_credentials [required,String] :access_key_id

# @option static_credentials [required,String] :secret_access_key

# @option static_credentials [String] :session_token

def initialize static_credentials = {}

static_credentials.keys.each do |opt_name|

unless KEYS.include?(opt_name)

raise ArgumentError, "invalid option #{opt_name.inspect}"

end

end

@static_credentials = {}

KEYS.each do |opt_name|

if opt_value = static_credentials[opt_name]

@static_credentials[opt_name] = opt_value

end

end

end

# (see Provider#get_credentials)

def get_credentials

@static_credentials

end

end

# Fetches credentials from the environment (ENV). You construct

# an ENV provider with a prefix. Given the prefix "AWS"

# ENV will be checked for the following keys:

#

# * AWS_ACCESS_KEY_ID

# * AWS_SECRET_ACCESS_KEY

# * AWS_SESSION_TOKEN (optional)

#

class ENVProvider

include Provider

# @param [String] prefix The prefix to apply to the ENV variable.

def initialize(prefix, suffixes=Hash[KEYS.map{|key| [key, key.to_s.upcase]}])

@prefix = prefix

@suffixes = suffixes

end

# @return [String]

attr_reader :prefix

# (see Provider#get_credentials)

def get_credentials

credentials = {}

KEYS.each do |key|

if value = ENV["#{@prefix}_#{@suffixes[key]}"]

credentials[key] = value

end

end

# Merge in CredentialFileProvider credentials if

# a #{@prefix}_CREDENTIAL_FILE environment(ENV) variable is set

if ENV["#{@prefix}_CREDENTIAL_FILE"]

credentials.merge! CredentialFileProvider.new(ENV["#{@prefix}_CREDENTIAL_FILE"]).get_credentials

end

credentials

end

end

# This credential provider gets credentials from a credential file

# with the following format:

#

# AWSAccessKeyId=your_key

# AWSSecretKey=your_secret

#

class CredentialFileProvider

include Provider

# Map of AWS credential file key names to accepted provider key names

CREDENTIAL_FILE_KEY_MAP = { "AWSAccessKeyId" => :access_key_id, "AWSSecretKey" => :secret_access_key }

attr_reader :credential_file

# @param [String] credential_file The file path of a credential file

def initialize(credential_file)

@credential_file = credential_file

end

# (see Provider#get_credentials)

def get_credentials

credentials = {}

if File.exist?(credential_file) && File.readable?(credential_file)

File.open(credential_file, 'r') do |fh|

fh.each_line do |line|

key, val = line.strip.split(%r(\s*=\s*))

if key && val && CREDENTIAL_FILE_KEY_MAP[key] && KEYS.include?(CREDENTIAL_FILE_KEY_MAP[key])

credentials[CREDENTIAL_FILE_KEY_MAP[key]] = val

end

end

fh.close

end

end

credentials

end

end

class SharedCredentialFileProvider

include Provider

def shared_credential_file_path

if RUBY_VERSION < '1.9'

msg = "Must specify the :path to your shared credential file when using"

msg << " Ruby #{RUBY_VERSION}"

raise ArgumentError, msg

else

File.join(Dir.home, '.aws', 'credentials')

end

end

# @api private

KEY_MAP = {

"aws_access_key_id" => :access_key_id,

"aws_secret_access_key" => :secret_access_key,

"aws_session_token" => :session_token,

}

# @option [String] :path

# @option [String] :profile_name

def initialize(options = {})

@path = options[:path] || shared_credential_file_path

@profile_name = options[:profile_name]

@profile_name ||= ENV['AWS_PROFILE']

@profile_name ||= 'default'

end

# @return [String]

attr_reader :path

# @return [String]

attr_reader :profile_name

# (see Provider#get_credentials)

def get_credentials

if File.exist?(path) && File.readable?(path)

load_from_path

else

{}

end

end

private

def load_from_path

profile = load_profile

KEY_MAP.inject({}) do |credentials, (source, target)|

credentials[target] = profile[source] if profile.key?(source)

credentials

end

end

def load_profile

ini = IniParser.parse(File.read(path))

ini[profile_name] || {}

end

end

# This credential provider tries to get credentials from the EC2

# metadata service.

class EC2Provider

# Raised when an http response is recieved with a non 200

# http status code.

# @api private

class FailedRequestError < StandardError; end

# These are the errors we trap when attempting to talk to the

# instance metadata service. Any of these imply the service

# is not present, no responding or some other non-recoverable

# error.

# @api private

FAILURES = [

FailedRequestError,

Errno::EHOSTUNREACH,

Errno::ECONNREFUSED,

SocketError,

Timeout::Error,

]

include Provider

# @param [Hash] options

# @option options [String] :ip_address ('169.254.169.254')

# @option options [Integer] :port (80)

# @option options [Integer] :retries (0) Number of times to

# retry retrieving credentials.

# @option options [Float] :http_open_timeout (1)

# @option options [Float] :http_read_timeout (1)

# @option options [Object] :http_debug_output (nil) HTTP wire

# traces are sent to this object. You can specify something

# like $stdout.

def initialize options = {}

@ip_address = options[:ip_address] || '169.254.169.254'

@port = options[:port] || 80

@retries = options[:retries] || 0

@http_open_timeout = options[:http_open_timeout] || 1

@http_read_timeout = options[:http_read_timeout] || 1

@http_debug_output = options[:http_debug_output]

end

# @return [String] Defaults to '169.254.169.254'.

attr_accessor :ip_address

# @return [Integer] Defaults to port 80.

attr_accessor :port

# @return [Integer] Defaults to 0

attr_accessor :retries

# @return [Float]

attr_accessor :http_open_timeout

# @return [Float]

attr_accessor :http_read_timeout

# @return [Object,nil]

attr_accessor :http_debug_output

# @return [Time,nil]

attr_accessor :credentials_expiration

# Refresh provider if existing credentials will be expired in 15 min

# @return [Hash] Returns a hash of credentials containg at least

# the `:access_key_id` and `:secret_access_key`. The hash may

# also contain a `:session_token`.

#

# @raise [Errors::MissingCredentialsError] Raised when the

# `:access_key_id` or the `:secret_access_key` can not be found.

#

def credentials

refresh if near_expiration?

super

end

protected

def near_expiration?

if @credentials_expiration.nil?

true

elsif @credentials_expiration.utc <= (Time.now.utc + (15 * 60))

true

else

false

end

end

# (see Provider#get_credentials)

def get_credentials

retries_left = retries

begin

http = Net::HTTP.new(ip_address, port, nil)

http.open_timeout = http_open_timeout

http.read_timeout = http_read_timeout

http.set_debug_output(http_debug_output) if

http_debug_output

http.start

# get the first/default instance profile name

path = '/latest/meta-data/iam/security-credentials/'

profile_name = get(http, path).lines.map(&:strip).first

# get the session details from the instance profile name

path << profile_name

session = JSON.parse(get(http, path))

http.finish

credentials = {}

credentials[:access_key_id] = session['AccessKeyId']

credentials[:secret_access_key] = session['SecretAccessKey']

credentials[:session_token] = session['Token']

@credentials_expiration = Time.parse(session['Expiration'])

credentials

rescue *FAILURES => e

if retries_left > 0

sleep_time = 2 ** (retries - retries_left)

Kernel.sleep(sleep_time)

retries_left -= 1

retry

else

{}

end

end

end

# Makes an HTTP Get request with the given path. If a non-200

# response is received, then a FailedRequestError is raised.

# a {FailedRequestError} is raised.

# @param [Net::HTTPSession] session

# @param [String] path

# @raise [FailedRequestError]

# @return [String] Returns the http response body.

def get session, path

response = session.request(Net::HTTP::Get.new(path))

if response.code.to_i == 200

response.body

else

raise FailedRequestError

end

end

end

# # Session Credential Provider

#

# The session provider consumes long term credentials (`:access_key_id`

# and `:secret_access_key`) and requests a session from STS.

# It then returns the short term credential set from STS.

#

# Calling {#refresh} causes the session provider to request a new

# set of credentials.

#

# This session provider is currently only used for DynamoDB which

# requires session credentials.

class SessionProvider

include Provider

@create_mutex = Mutex.new

class << self

# @param [Hash] long_term_credentials A hash of credentials with

# `:access_key_id` and `:secret_access_key` (but not

# `:session_token`).

def for long_term_credentials

@create_mutex.synchronize do

@session_providers ||= {}

@session_providers[long_term_credentials[:access_key_id]] =

self.new(long_term_credentials)

end

end

# Creation of SessionProviders *must* happen behind the mutex and

# we want to reuse session providers for the same access key id.

protected :new

end

# @param [Hash] long_term_credentials A hash of credentials with

# `:access_key_id` and `:secret_access_key` (but not

# `:session_token`).

def initialize long_term_credentials

@static = StaticProvider.new(long_term_credentials)

if @static.session_token

raise ArgumentError, 'invalid option :session_token'

end

@session_mutex = Mutex.new

end

# Aliasing the refresh method so we can call it from the refresh

# method defined in this class.

alias_method :orig_refresh, :refresh

protected :orig_refresh

# (see Provider#refresh)

def refresh

refresh_session

orig_refresh

end

protected

# (see Provider#get_credentials)

def get_credentials

session = cached_session

if session.nil?

refresh_session

session = cached_session

end

session.credentials

end

# Replaces the cached STS session with a new one.

# @return [nil]

def refresh_session

sts = AWS::STS.new(@static.credentials.merge(:use_ssl => true))

@session_mutex.synchronize do

@session = sts.new_session

end

nil

end

# @return [nil,STS::Session] Returns nil if a session has not

# already been started.

def cached_session

local_session = nil

@session_mutex.synchronize do

local_session = @session

end

local_session

end

end

# An auto-refreshing credential provider that works by assuming

# a role via {AWS::STS#assume_role}.

#

# provider = AWS::Core::CredentialProviders::AssumeRoleProvider.new(

# sts: AWS::STS.new(access_key_id:'AKID', secret_access_key:'SECRET'),

# # assume role options:

# role_arn: "linked::account::arn",

# role_session_name: "session-name"

# )

#

# ec2 = AWS::EC2.new(credential_provider:provider)

#

# If you omit the `:sts` option, a new {STS} service object will be

# constructed and it will use the default credential provider

# from {Aws.config}.

#

class AssumeRoleProvider

include Provider

# @option options [AWS::STS] :sts (STS.new) An instance of {AWS::STS}.

# This is used to make the API call to assume role.

# @option options [required, String] :role_arn

# @option options [required, String] :role_session_name

# @option options [String] :policy

# @option options [Integer] :duration_seconds

# @option options [String] :external_id

def initialize(options = {})

@options = options.dup

@sts = @options.delete(:sts) || STS.new

end

def credentials

refresh if near_expiration?

super

end

private

def near_expiration?

@expiration && @expiration.utc <= Time.now.utc + 5 * 60

end

def get_credentials

role = @sts.assume_role(@options)

@expiration = role[:credentials][:expiration]

role[:credentials]

end

end

# Returns a set of fake credentials, should only be used for testing.

class FakeProvider < StaticProvider

# @param [Hash] options

# @option options [Boolean] :with_session_token (false) When `true` a

# fake session token will also be provided.

def initialize options = {}

options[:access_key_id] ||= fake_access_key_id

options[:secret_access_key] ||= fake_secret_access_key

if options.delete(:with_session_token)

options[:session_token] ||= fake_session_token

end

super

end

protected

def fake_access_key_id

"AKIA" + random_chars(16).upcase

end

def fake_secret_access_key

random_chars(40)

end

def fake_session_token

random_chars(260)

end

def random_chars count

chars = ('0'..'9').to_a + ('a'..'z').to_a + ('A'..'Z').to_a

(1..count).map{ chars[rand(chars.size)] }.join

end

end

end

end