Acs2aws
Installation
Login and retrieve AWS STS Token using a any SAML IDP. Inspired by OAuth2WebServerFlow.
install it yourself as:
$ gem install acs2aws
Usage
Usage:
acs2aws [OPTIONS] SUBCOMMAND [ARG] ...
Parameters:
SUBCOMMAND subcommand
[ARG] ... subcommand arguments
Subcommands:
config configure an SAML settings
refresh retrieve AWS STS token
Options:
-v, --version print version information
-h, --help print help
Quick Start
$ acs2aws config
SAML SP Start Page URL:
https://example.com/auth/aws
Successfully configure.
$ aws2aws refresh
SAML IdP Example
saml_idp is Ruby SAML Identity Provider, best used with Rails.
Add this to your Gemfile:
gem 'saml_idp'
Add to your routes.rb file, for example:
get '/auth/aws', to: 'saml#aws'
get '/saml/auth' => 'saml_idp#new'
get '/saml/metadata' => 'saml_idp#show'
post '/saml/auth' => 'saml_idp#create'
match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
Create a controller that looks like this, customize to your own situation:
# frozen_string_literal: true
class Api::SamlIdpController < SamlIdp::IdpController
def create
current_user = User.find(session[:current_user_id]) rescue nil
if current_user.nil?
redirect_to(auth_path(r: request.fullpath))
else
@saml_response = idp_make_saml_response(current_user)
# noinspection RailsParamDefResolve
# nonprivileged port is 1025-65535
#
# rubocop:disable Sequioacap/SimpleModifierConditional
@acs_url = "http://localhost:#{params[:cli_port]}/saml_acs" if params[:cli_port].present? && params[:cli_port]&.to_i&.between?(1025, 65535)
render 'api/saml_idp/saml_post', layout: false
end
end
private
def idp_make_saml_response(user)
encode_response user
end
def idp_logout
session.delete(:current_user_id)
end
end
# frozen_string_literal: true
class SamlController < ApplicationController
def aws
request = OneLogin::RubySaml::Authrequest.new
redirect_to(request.create(aws_saml_settings, cli_port: params[:cli_port]))
end
private
def current_user
User.find(session[:current_user_id]) rescue nil
end
def aws_saml_settings
= OneLogin::RubySaml::IdpMetadataParser.new
settings = .parse(SamlIdp..signed)
settings.assertion_consumer_service_url = 'https://signin.aws.amazon.com/saml'
settings.issuer = 'https://signin.aws.amazon.com/static/saml-metadata.xml'
settings.name_identifier_format = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
settings
end
end
/app/views/api/saml_idp/saml_post.html.erb:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
</head>
<body onload="document.forms[0].submit();" style="visibility:hidden;">
<%= form_tag(@acs_url.present? ? @acs_url:saml_acs_url) do %>
<%= hidden_field_tag("SAMLResponse", @saml_response) %>
<%= hidden_field_tag("RelayState", params[:RelayState]) %>
<%= submit_tag "Submit" %>
<% end %>
</body>
</html>
Development
After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/0xding/acs2aws. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
License
The gem is available as open source under the terms of the MIT License.
Code of Conduct
Everyone interacting in the Acs2aws project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.