Merge pull request #77 from britive/develop

v1.3.0

Author: twratl

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 All changes to the package starting with v0.3.1 will be logged here.
 
+## v1.3.0 [2023-03-28]
+#### What's New
+* `pybritive ssh aws ssm-proxy` command
+* `pybritive aws console` command
+
+#### Enhancements
+* Additional `--mode/-m` values
+  * `console`: checkout console access (without having to specify --console/-c`) and print the URL
+  * `browser-mozilla`: checkout console access and open a mozilla browser with the checked out URL
+  * `browser-firefox`: checkout console access and open a firefox browser with the checked out URL
+  * `browser-windows-default`: checkout console access and open a windows default browser with the checked out URL
+  * `browser-macosx`: checkout console access and open a macosx browser with the checked out URL
+  * `browser-safari`: checkout console access and open a safari browser with the checked out URL
+  * `browser-chrome`: checkout console access and open a chrome browser with the checked out URL
+  * `browser-chromium`: checkout console access and open a chromium browser with the checked out URL
+* For the `checkout` command the option `--mode/-m` with values of `browser` and `console` now implicitly indicate that the console version of the profile should be checked out (without having to specify `--console/-c`)
+
+#### Bug Fixes
+* None
+
+#### Dependencies
+* `britive>=2.18.0`
+
+#### Other
+* Addition of Community Projects to the README.
+
 ## v1.2.2 [2023-03-17]
 #### What's New
 * None

README.md

@@ -29,3 +29,9 @@ everywhere.
 https://britive.github.io/python-cli/
 
 
+## Community Projects
+
+Note: Britive, Inc. does not provide support for community projects. Community projects are also not considered when ensuring backwards compatibility for releases. The list below is provided as-is and use of these projects is subject to the licensing/restrictions of each individual project.
+
+* `vim-britive`: https://github.com/pbnj/vim-britive
+

docs/index.md

@@ -258,6 +258,76 @@ Example of use: (`pybritive api method --parameter1 value1 --parameter2 value2 [
 which parameters are expected and which are optional. Parameters with `_` in the name should be translated to `-` when referencing them
 via the CLI.
 
+## `ssh` Command
+
+The `ssh` command facilitates using the native SSH protocol to connect to private cloud servers.
+
+The goal is to allow all functionality offered by the SSH protocol like local port forwarding to access private resources and `scp` to copy files to the remote host.
+
+At launch only AWS EC2 is supported. The requirements for using SSH with EC2 instances are provided below.
+
+* EC2 instance must have the Systems Manager agent installed and operational.
+* EC2 instance must have the EC2 Instance Connect agent installed and operational (if using `--push-public-key`).
+* The caller must have appropriate IAM permissions to start a Session Manager session (for all `--key-source`s) and push a public key via EC2 Instance Connect (if using `--push-public-key`).
+* The caller's environment must have the AWS CLI installed along with the Session Manager plugin.
+* The caller's python environment must have the `boto3` package installed. As `boto3` is not required for the use of `pybritive` it is not automatically installed (if using `--push-public-key`).
+* The caller must use OpenSSH (and the SSH config file). Other SSH implementations are not currently supported.
+
+There are 3 ways that `pybritive` can help proxy an SSH session to a private EC2 instance.
+
+* Using just Session Manager SSH forwarding to establish the network path over which the SSH protocol will operate. It is left to the caller then to handle SSH authentication using whichever mechanism has already been established.
+
+~~~bash
+Host bastion.dev
+	 HostName i-xxxxxxxxxxxxxxxxx.profile[.region]
+	 
+Match host i-*,mi-*
+    User ssm-user
+    ProxyCommand eval $(pybritive ssh aws ssm-proxy --hostname %h --username %r --port-number %p)
+~~~
+
+* Using Session Manager SSH forwarding along with pushing a randomly generated SSH key pair public key via EC2 Instance Connect and identifying the private key via static path in the `IdentityFile` parameter.
+
+~~~bash
+Host bastion.dev
+	 HostName i-xxxxxxxxxxxxxxxxx.profile[.region]
+	 
+Match host i-*,mi-*
+    User ssm-user
+    IdentityFile ~/.britive/ssh/%h.%r.pem
+    ProxyCommand eval $(pybritive ssh aws ssm-proxy --hostname %h --username %r --port-number %p --push-pulbic-key --key-source static)
+~~~
+
+* Using Session Manager SSH forwarding along with pushing a randomly generated SSH key pair public key via EC2 Instance Connect and adding the private key to the `ssh-agent` via `ssh-add` so it is available without having to specify the `IdentityFile` parameter.
+
+~~~bash
+Host bastion.dev
+	 HostName i-xxxxxxxxxxxxxxxxx.profile[.region]
+	 
+Match host i-*,mi-*
+    User ssm-user
+    ProxyCommand eval $(pybritive ssh aws ssm-proxy --hostname %h --username %r --port-number %p --push-pulbic-key --key-source ssh-agent)
+~~~
+
+The `HostName` parameter must be in the appropriate format. That format is
+
+~~~
+[instance-id][.aws-profile-name[.aws-region]]
+~~~
+
+Both `aws-profile-name` and `aws-region` are optional. If `aws-profile-name` is omitted then credentials for Session Manager and EC2 Instance Connect will be sourced from the standard AWS credential provider chain.
+If `aws-region` is omitted then credentials for Session Manager and EC2 Instance Connect will be sourced from the standard AWS region provider chain.
+
+The command `ssh aws config` can be invoked to generate the above `Match` directives.
+
+## `aws` Command
+
+The `aws` command group will hold actions related specifically to AWS. 
+
+The first supported sub-command is `console` which will sign an AWS console URL using programmatic access keys 
+(long-lived IAM User keys or temporary AWS AssumeRole credentials). This will allow you to check out programmatic access 
+for a Britive AWS profile (or any other system which issues AWS access keys) and use the resulting keys to get into the AWS console.
+
 ## Shell Completion
 
 TODO: Provide more automated scripts here to automatically add the required configs to the profiles. For now the below works just fine though.

requirements.txt

@@ -1,4 +1,4 @@
-britive>=2.17.0
+britive>=2.18.0
 certifi>=2022.12.7
 charset-normalizer==2.1.0
 click==8.1.3

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 1.2.2
+version = 1.3.0
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive
@@ -26,7 +26,7 @@ install_requires =
     toml
     cryptography~=39.0.1
     python-dateutil
-    britive>=2.17.0
+    britive>=2.18.0
     jmespath
     pyjwt
 

src/pybritive/britive_cli.py

@@ -1,5 +1,6 @@
 import io
 import pathlib
+import uuid
 from britive.britive import Britive
 from .helpers.config import ConfigManager
 from .helpers.credentials import FileCredentialManager, EncryptedFileCredentialManager
@@ -435,6 +436,11 @@ def checkout(self, alias, blocktime, console, justification, mode, maxpolltime,
         response = None
         self.verbose_checkout = verbose
 
+        # these 2 modes implicitly say that console access should be checked out without having to provide
+        # the --console flag
+        if mode in ['browser', 'console']:
+            console = True
+
         self._validate_justification(justification)
 
         if mode == 'awscredentialprocess':
@@ -787,11 +793,214 @@ def _validate_justification(justification: str):
         if justification and len(justification) > 255:
             raise ValueError('justification cannot be longer than 255 characters.')
 
+    def ssh_aws_ssm_proxy(self, username, hostname, push_public_key, port_number, key_source):
+        self.silent = True
+        helper = hostname.split('.')
+        instance_id = helper[0]
+        aws_profile = None  # will drop to using standard aws boto3/cli profile provider chain
+        aws_region = None  # will drop to using standard aws boto3/cli region provider chain
+        if len(helper) > 1:
+            aws_profile = helper[1]
+        if len(helper) > 2:
+            aws_region = helper[2]
+
+        if push_public_key:
+            self._ssh_aws_generate_key(
+                instance_id=instance_id,
+                aws_profile=aws_profile,
+                aws_region=aws_region,
+                username=username,
+                hostname=hostname,
+                key_source=key_source
+            )
+
+        commands = [
+            'aws',
+            'ssm',
+            'start-session',
+            f'--parameters portNumber={port_number}',
+            '--document-name AWS-StartSSHSession',
+            f'--target {instance_id}'
+        ]
+
+        if aws_profile:
+            commands.append(f'--profile {aws_profile}')
+        if aws_region:
+            commands.append(f'--region {aws_region}')
+
+        self.print(' '.join(commands), ignore_silent=True)
+
+    def _ssh_aws_generate_key(self, instance_id, aws_profile, aws_region, username, hostname, key_source):
+        # doing imports here as these packages are not a requirement to use pybritive in general
+
+        # cryptography is already a hard requirement so we know it will eixst
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        from cryptography.hazmat.primitives import serialization
+
+        # these 3 ship with python3.x
+        import glob
+        import time
+        import subprocess
+
+        # this is the one that may not be available so be careful
+        try:
+            import boto3
+        except ImportError:
+            message = 'boto3 package is required. Please ensure the package is installed.'
+            raise click.ClickException(message)
+
+        # we know we will be pushing the key to the instance so establish the
+        # boto3 clients which are required to perform those actions
+        session = boto3.Session(profile_name=aws_profile, region_name=aws_region)
+        eic = session.client('ec2-instance-connect')
+        ec2 = session.client('ec2')
+
+        # now let's create the ephemeral private and public key pair
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=2048
+        )
+
+        pem_private_key = private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+
+        pem_public_key = private_key.public_key().public_bytes(
+            encoding=serialization.Encoding.OpenSSH,
+            format=serialization.PublicFormat.OpenSSH
+        )
+
+        # let's do the right thing and clean up old ephemeral keys
+        ssh_dir = Path(self.config.path).parent.absolute() / 'ssh'
+        ssh_dir.mkdir(exist_ok=True, parents=True)  # create the directory if it doesn't exist already
+        pem_file = None
+        if key_source == 'ssh-agent':
+            # cleanup any old ssh keys that were randomly generated
+            now = int(time.time())
+            for key in glob.glob(f'{str(ssh_dir)}/random-*'):
+                file = key.split('/')[-1].split('.')[0]
+                expiration = int(file.split('-')[2])
+                if expiration < now:
+                    Path(key).unlink(missing_ok=True)
+
+            pem_file = ssh_dir / f'random-{uuid.uuid4().hex}-{now + 60}.pem'
+        elif key_source == 'static':
+            # clean up the specific key if it exists, so we can create a new one
+            pem_file = ssh_dir / f'{hostname}.{username}.pem'
+            pem_file.unlink(missing_ok=True)
+        else:
+            raise ValueError(f'invalid --key-source value {key_source}')
+
+        # we only need to persist the private key locally
+        # as the public key is just pushed to the ec2 instance
+        # as a string in the ec2 instance connect api call (no file
+        # reference)
+        with open(str(pem_file), 'w') as f:
+            f.write(pem_private_key.decode())
+        os.chmod(pem_file, 0o400)
+
+        # now push the key
+        az = ec2.describe_instances(
+            InstanceIds=[instance_id]
+        )['Reservations'][0]['Instances'][0]['Placement']['AvailabilityZone']
+
+        eic.send_ssh_public_key(
+            InstanceId=instance_id,
+            InstanceOSUser=username,
+            SSHPublicKey=pem_public_key.decode(),
+            AvailabilityZone=az
+        )
+
+        # and if we are using ssh-agent we need to add the private key via ssh-add
+        if key_source == 'ssh-agent':
+            subprocess.run(['ssh-add', str(pem_file), '-t', '60', '-q'])
+
+    def ssh_aws_openssh_config(self, push_public_key, key_source):
+        lines = ['Match host i-*,mi-*']
+        if push_public_key:
+            commands = [
+                '\tProxyCommand eval $(pybritive ssh aws ssm-proxy --hostname %h',
+                '--username %r --port-number %p --push-public-key',
+                f'--key-source {key_source})'
+            ]
+            lines.append(' '.join(commands))
+
+            if key_source == 'static':
+                ssh_dir = Path(self.config.path).parent.absolute() / 'ssh'
+                lines.append(f'\tIdentityFile {str(ssh_dir)}/%h.%r.pem')
+        else:
+            line = '\tProxyCommand eval $(pybritive ssh aws ssm-proxy --hostname %h --username %r --port-number %p)'
+            lines.append(line)
+
+        self.print('Add the below Match directive to your SSH config file, after all Host directives.')
+        self.print('This file is generally located at ~/.ssh/config.')
+        self.print('Additional SSH config parameters can be added as required.')
+        self.print('The below directive is the minimum required configuration.')
+        self.print('')
+        self.print('')
+        self.print('\n'.join(lines))
+
+    @staticmethod
+    def aws_console(profile, duration, browser):
+        # doing imports here as these packages are not a requirement to use pybritive in general
+
+        # requests is a hard requirement for pybritive (via britive sdk)
+        # and webbrowser ships with python3.x
+        import requests
+        import webbrowser
+
+        # this is the one that may not be available so be careful
+        try:
+            import boto3
+        except ImportError:
+            message = 'boto3 package is required. Please ensure the package is installed.'
+            raise click.ClickException(message)
+
+        creds = boto3.Session(profile_name=profile).get_credentials()
+        session_id = creds.access_key
+        session_key = creds.secret_key
+        session_token = creds.token
+        json_creds = json.dumps({
+            'sessionId': session_id,
+            'sessionKey': session_key,
+            'sessionToken': session_token
+        })
+
+        # Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
+        # the sign-in action request and the JSON document with temporary credentials as parameters.
 
+        params = {
+            'Action': 'getSigninToken',
+            'SessionDuration': duration,
+            'Session': json_creds
+        }
 
+        url = 'https://signin.aws.amazon.com/federation'
 
+        response = requests.get(url, params=params)
 
+        signin_token = None
+        try:
+            signin_token = json.loads(response.text)
+        except json.decoder.JSONDecodeError:
+            click.ClickException('Credentials have expired or another issue occurred. '
+                                 'Please re-authenticate and try again.')
+
+        params = {
+            'Action': 'login',
+            'Issuer': 'pybritive',
+            'Destination': 'https://console.aws.amazon.com/',
+            'SigninToken': signin_token['SigninToken']
+        }
 
+        # using requests.prepare() here to  help construct the url (with url encoding, etc.)
+        # vs. doing it "manually" - we do not want to actually make a request to the url in python
+        # but use the url to pop open a browser
+        console_url = requests.Request('GET', url, params=params).prepare().url
 
+        browser = webbrowser.get(using=browser)
+        browser.open(console_url)
 
 

src/pybritive/choices/browser.py

@@ -0,0 +1,18 @@
+import click
+
+# eval example: eval $(pybritive checkout test -m env)
+
+browser_choices = click.Choice(
+    [
+        'default'
+        'mozilla',
+        'firefox',
+        'windows-default',
+        'macosx',
+        'safari',
+        'chrome',
+        'chromium'
+    ],
+    case_sensitive=False
+)
+