Add ability to automatically remove an existing inactive key

Author: ikatz-drizly

exe/aws-rotate-keys

@@ -1,5 +1,32 @@
 #!/usr/bin/env ruby
 
 require "aws_rotate_keys"
+require "optparse"
 
-AwsRotateKeys::CLI.call
+# Use some basic parsing to allow command-line overrides of config
+class Parser
+  def self.parse(options)
+    output_options = {
+      delete_inactive: false
+    }
+
+    opt_parser = OptionParser.new do |opts|
+      opts.banner = "Usage: #{File.basename(__FILE__)} [options]"
+
+      opts.on("--delete-inactive", "If the key quota is full but one is inactive, delete that key to make room") do |p|
+        output_options[:delete_inactive] = p
+      end
+
+      opts.on("-h", "--help", "Prints this help") do
+        puts opts
+        exit
+      end
+    end
+
+    opt_parser.parse!(options)
+    output_options
+  end
+end
+
+cli_options = (Parser.parse ARGV)
+AwsRotateKeys::CLI.call(options: cli_options)

lib/aws_rotate_keys/cli.rb

@@ -14,11 +14,13 @@ def self.call(*args)
     def initialize(iam: Aws::IAM::Client.new,
                    credentials_path: "#{Dir.home}/.aws/credentials",
                    stdout: $stdout,
-                   env: ENV)
+                   env: ENV,
+                   options: {})
       @iam = iam
       @credentials_path = credentials_path
       @stdout = stdout
       @env = env
+      @options = options
     end
 
     def call
@@ -31,12 +33,20 @@ def call
       if quota <= access_keys.size
         log "Key set is already at quota limit of #{quota}:"
         log_keylist(access_keys)
-        raise "You must manually delete a key or use one of the command-line overrides"
+
+        inactive_keys = access_keys.select { |k| k["status"] == "Inactive" }
+        if @options[:delete_inactive] && !inactive_keys.empty?
+          log "Deleting oldest inactive access key as requested..."
+          log_keylist(inactive_keys)
+          delete_oldest_access_key(inactive_keys)
+        else
+          raise "You must manually delete a key or use one of the command-line overrides"
         end
       end
 
       log "Creating access key..."
       new_key = create_access_key
+      access_keys = aws_access_keys  # refresh key list
 
       if File.exist?(credentials_path)
         log "Backing up #{credentials_path} to #{credentials_backup_path}..."

spec/aws_rotate_keys_unsuccessfully_spec.rb

@@ -4,6 +4,8 @@
 describe AwsRotateKeys do
   ACTIVE_KEY_ID = "ACTKEEEY".freeze
   INACTIVE_KEY_ID = "INACTKEY".freeze
+  ANOTHER_KEY_ID = "NEWKEEEY".freeze
+  ANOTHER_SECRET = "SECRET123".freeze
 
   class IAMAnotherDouble
     def initialize
@@ -21,6 +23,21 @@ def initialize
       ]
     end
 
+    def create_access_key
+      @keys << Aws::IAM::Types::AccessKeyMetadata.new(
+        access_key_id: ANOTHER_KEY_ID,
+        status: "Active",
+        create_date: Time.new(2017, 3, 1)
+      )
+
+      Aws::IAM::Types::CreateAccessKeyResponse.new(
+        access_key: Aws::IAM::Types::AccessKey.new(
+          access_key_id: ANOTHER_KEY_ID,
+          secret_access_key: ANOTHER_SECRET
+        )
+      )
+    end
+
     def list_access_keys
       Aws::IAM::Types::ListAccessKeysResponse.new(
         access_key_metadata: @keys
@@ -34,6 +51,10 @@ def get_account_summary
         }
       )
     end
+
+    def delete_access_key(access_key_id:)
+      @keys.reject! { |k| k.access_key_id == access_key_id }
+    end
   end
 
   let(:iam_double) { IAMAnotherDouble.new }
@@ -57,4 +78,21 @@ def rotate_keys(args = {})
     end
   end
 
+  context "when at quota with override" do
+    before do
+      expect(iam_double).to receive(:delete_access_key).with(access_key_id: INACTIVE_KEY_ID).and_call_original
+      expect(iam_double).to receive(:delete_access_key).with(access_key_id: ACTIVE_KEY_ID).and_call_original
+      FileUtils.touch(credentials_path)
+    end
+
+    it "deletes both the inactive key and the active key" do
+      credentials_dir = File.dirname(credentials_path)
+      credentials = Dir["#{credentials_dir}/*"]
+      stdout = MyIO.new
+      rotate_keys(stdout: stdout, options: { delete_inactive: true })
+      expect(stdout.to_s).to include "Key set is already at quota limit"
+      expect(stdout.to_s).to include "Deleting oldest inactive access key as requested"
+    end
+  end
+
 end