crowbar 0.4.10

Securily generates temporary AWS credentials through Identity Providers using SAML
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

use crate::credentials::aws::AwsCredentials;
use anyhow::Result;
use std::collections::HashMap;
use std::env;
use std::process::Child as ExecutorResult;
use std::process::{Command, Stdio};

pub struct Executor {
    command: Option<Vec<String>>,
    credentials: AwsCredentials,
    stdout: Stdio,
    stderr: Stdio,
    stdin: Stdio,
}

impl Default for Executor {
    fn default() -> Executor {
        Executor {
            command: None,
            credentials: AwsCredentials::default(),
            stdout: Stdio::inherit(),
            stderr: Stdio::inherit(),
            stdin: Stdio::inherit(),
        }
    }
}

impl Executor {
    pub fn set_command(mut self, command: Vec<String>) -> Self {
        self.command = Some(command);
        self
    }

    pub fn set_credentials(mut self, credentials: AwsCredentials) -> Self {
        self.credentials = credentials;
        self
    }

    pub fn run(self) -> Result<ExecutorResult> {
        let mut variables: HashMap<String, Option<String>> = self.credentials.into();
        // We don't want to pollute the environment with the expiration time
        variables.remove_entry("expiration");

        let variables: HashMap<String, String> = variables
            .iter()
            .map(|(k, v)| (format!("AWS_{}", k.to_uppercase()), v.clone().unwrap()))
            .collect();

        let command = self.command.unwrap().join(" ");
        let shell = shell()?;

        Command::new(&shell[0])
            .arg(&shell[1])
            .arg(command)
            .stdin(self.stdin)
            .stderr(self.stderr)
            .stdout(self.stdout)
            .envs(variables)
            .spawn()
            .map_err(|e| e.into())
    }
}

fn shell() -> Result<Vec<String>> {
    if cfg!(windows) {
        Ok(vec!["cmd.exe".into(), "/C".into()])
    } else if let Ok(shell) = env::var("SHELL") {
        Ok(vec![shell, "-c".into()])
    } else {
        Ok(vec!["/bin/bash".into(), "-c".into()])
    }
}

#[cfg(test)]
mod test {
    use super::*;

    #[test]
    fn runs_with_credentials() -> Result<()> {
        let variable = os_specific_var("AWS_ACCESS_KEY_ID");
        let result = get_stdout_for_variable(variable)?;

        assert_eq!(String::from("some_key"), result.trim());

        Ok(())
    }

    #[test]
    fn removes_expiration() -> Result<()> {
        let variable = os_specific_var("AWS_EXPIRATION");
        let result = get_stdout_for_variable(variable)?;
        assert_ne!("some_key", result.trim());

        Ok(())
    }

    fn create_credentials() -> AwsCredentials {
        AwsCredentials {
            version: 1,
            access_key_id: Some("some_key".to_string()),
            secret_access_key: Some("some_secret".to_string()),
            session_token: Some("some_token".to_string()),
            expiration: Some("2038-01-01T10:10:10Z".to_string()),
        }
    }

    fn os_specific_var(s: &str) -> String {
        if cfg!(windows) {
            format!("%{}%", s)
        } else {
            format!("\"${{{}}}\"", s)
        }
    }

    fn get_stdout_for_variable(variable: String) -> Result<String> {
        let variable = format!("echo {}", variable);
        let command = Some(vec![variable]);
        let credentials = create_credentials();
        let executor = Executor {
            command,
            credentials,
            stdout: Stdio::piped(),
            ..Default::default()
        };

        let result = executor.run()?.wait_with_output()?;

        Ok(String::from_utf8_lossy(&result.stdout).into())
    }
}