Merge pull request #44 from vibrato/unset-flag

Add --unset flag to env command

Author: tristanmorgan

Diff for: i18n/en.yml

@@ -47,6 +47,7 @@ en:
     path: 'The service PATH to open.'
     role: 'The ROLE to assume.'
     secret: 'AWS account secret.'
+    unset: 'Unset environment variables.'
   message:
     keychain: 'Name for new keychain (default: awskeyring)'
     account: 'account name'

Diff for: lib/awskeyring/awsapi.rb

@@ -20,6 +20,16 @@ module Awsapi # rubocop:disable Metrics/ModuleLength
     # AWS Signin url
     AWS_SIGNIN_URL = 'https://signin.aws.amazon.com/federation'.freeze
 
+    # AWS Env vars
+    AWS_ENV_VARS = %w[
+      AWS_ACCESS_KEY_ID
+      AWS_ACCESS_KEY
+      AWS_SECRET_ACCESS_KEY
+      AWS_SECRET_KEY
+      AWS_SECURITY_TOKEN
+      AWS_SESSION_TOKEN
+    ].freeze
+
     # Twelve hours in seconds
     TWELVE_HOUR = (60 * 60 * 12)
     # One hour in seconds
@@ -101,6 +111,35 @@ def self.get_cred_json(key:, secret:, token:, expiry:)
       )
     end
 
+    # Generates Environment Variables for the AWS CLI
+    #
+    # @param [Hash] params including
+    #    [String] account The aws_access_key_id
+    #    [String] secret The aws_secret_access_key
+    #    [String] token The aws_session_token
+    # @return [Hash] env_var hash
+    def self.get_env_array(params = {})
+      env_var = {}
+      env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
+      env_var['AWS_ACCOUNT_NAME'] = params[:account] if params[:account]
+
+      if params[:key]
+        env_var['AWS_ACCESS_KEY_ID'] = params[:key]
+        env_var['AWS_ACCESS_KEY'] = params[:key]
+      end
+
+      if params[:secret]
+        env_var['AWS_SECRET_ACCESS_KEY'] = params[:secret]
+        env_var['AWS_SECRET_KEY'] = params[:secret]
+      end
+
+      if params[:token]
+        env_var['AWS_SECURITY_TOKEN'] = params[:token]
+        env_var['AWS_SESSION_TOKEN'] = params[:token]
+      end
+      env_var
+    end
+
     # Verify Credentials are active and valid
     #
     # @param [String] key The aws_access_key_id

Diff for: lib/awskeyring_command.rb

@@ -65,13 +65,19 @@ def list_role
 
   desc 'env ACCOUNT', I18n.t('env.desc')
   method_option 'no-token', type: :boolean, aliases: '-n', desc: I18n.t('method_option.notoken'), default: false
+  method_option 'unset', type: :boolean, aliases: '-u', desc: I18n.t('method_option.unset'), default: false
   # Print Env vars
   def env(account = nil)
-    account = ask_check(
-      existing: account, message: I18n.t('message.account'), validator: Awskeyring.method(:account_exists)
-    )
-    cred = age_check_and_get(account: account, no_token: options['no-token'])
-    put_env_string(cred)
+    if options['unset']
+      put_env_string(account: nil, key: nil, secret: nil, token: nil)
+    else
+      account = ask_check(
+        existing: account, message: I18n.t('message.account'),
+        validator: Awskeyring.method(:account_exists)
+      )
+      cred = age_check_and_get(account: account, no_token: options['no-token'])
+      put_env_string(cred)
+    end
   end
 
   desc 'json ACCOUNT', I18n.t('json.desc')
@@ -100,7 +106,7 @@ def exec(account, *command)
       exit 1
     end
     cred = age_check_and_get(account: account, no_token: options['no-token'])
-    env_vars = env_vars(cred)
+    env_vars = Awskeyring::Awsapi.get_env_array(cred)
     begin
       pid = Process.spawn(env_vars, command.join(' '))
       Process.wait pid
@@ -419,27 +425,10 @@ def list_arguments(command:)
       self.class.all_commands[command].options.values.map(&:switch_name)
   end
 
-  def env_vars(cred)
-    env_var = {}
-    env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless Awskeyring::Awsapi.region
-    env_var['AWS_ACCOUNT_NAME'] = cred[:account]
-    env_var['AWS_ACCESS_KEY_ID'] = cred[:key]
-    env_var['AWS_ACCESS_KEY'] = cred[:key]
-    env_var['AWS_SECRET_ACCESS_KEY'] = cred[:secret]
-    env_var['AWS_SECRET_KEY'] = cred[:secret]
-    if cred[:token]
-      env_var['AWS_SECURITY_TOKEN'] = cred[:token]
-      env_var['AWS_SESSION_TOKEN'] = cred[:token]
-    end
-    env_var
-  end
-
   def put_env_string(cred)
-    env_var = env_vars(cred)
+    env_var = Awskeyring::Awsapi.get_env_array(cred)
     env_var.each { |var, value| puts "export #{var}=\"#{value}\"" }
-
-    puts 'unset AWS_SECURITY_TOKEN' unless cred[:token]
-    puts 'unset AWS_SESSION_TOKEN' unless cred[:token]
+    Awskeyring::Awsapi::AWS_ENV_VARS.each { |key| puts "unset #{key}" unless env_var.key?(key) }
   end
 
   def ask_check(existing:, message:, secure: false, optional: false, validator: nil)

Diff for: spec/lib/awskeyring/awsapi_spec.rb

@@ -304,6 +304,7 @@
   end
 
   context 'When there is no region set' do
+    let(:role_token) { 'AQoDYXdzEPT//////////wEXAMPLEtc764assume_roleDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMi' }
     let(:sharedcfg) do
       double(
         region: nil
@@ -324,5 +325,23 @@
     it 'can not retrieve the current region' do
       expect(subject.region).to be nil
     end
+
+    it 'returns an array of env vars for the Credential' do
+      expect(subject.get_env_array(
+               account: 'test',
+               key: 'ASIAIOSFODNN7EXAMPLE',
+               secret: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY',
+               token: role_token
+             )).to eq(
+               'AWS_ACCESS_KEY' => 'ASIAIOSFODNN7EXAMPLE',
+               'AWS_ACCESS_KEY_ID' => 'ASIAIOSFODNN7EXAMPLE',
+               'AWS_ACCOUNT_NAME' => 'test',
+               'AWS_DEFAULT_REGION' => 'us-east-1',
+               'AWS_SECRET_ACCESS_KEY' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY',
+               'AWS_SECRET_KEY' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY',
+               'AWS_SECURITY_TOKEN' => role_token,
+               'AWS_SESSION_TOKEN' => role_token
+             )
+    end
   end
 end

Diff for: spec/lib/awskeyring_command_spec.rb

@@ -22,7 +22,7 @@
 
     it 'returns the version number' do
       expect { AwskeyringCommand.start(%w[__version]) }
-        .to output(/\d\.\d\.\d/).to_stdout
+        .to output(/\d+\.\d+\.\d+/).to_stdout
     end
 
     it 'prints autocomplete help text' do
@@ -137,6 +137,20 @@
 export AWS_SECRET_KEY="biglongbase64"
 unset AWS_SECURITY_TOKEN
 unset AWS_SESSION_TOKEN
+)).to_stdout
+    end
+
+    it 'unsets all AWS Access keys' do
+      expect(Awskeyring).to_not receive(:get_valid_creds)
+
+      expect { AwskeyringCommand.start(%w[env --unset]) }
+        .to output(%(export AWS_DEFAULT_REGION="us-east-1"
+unset AWS_ACCESS_KEY_ID
+unset AWS_ACCESS_KEY
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SECRET_KEY
+unset AWS_SECURITY_TOKEN
+unset AWS_SESSION_TOKEN
 )).to_stdout
     end
   end