loganbibby
diff --git a/‎.gitignore
+133 b/‎.gitignore
+133
diff --git a/‎LICENSE
+21 b/‎LICENSE
+21
diff --git a/‎README.md
+49 b/‎README.md
+49
diff --git a/‎requirements.txt
+1 b/‎requirements.txt
+1
diff --git a/‎src/marvin/__init__.py b/‎src/marvin/__init__.py
diff --git a/‎src/marvin/aws.py
+104 b/‎src/marvin/aws.py
+104
diff --git a/‎src/marvin/cli.py
+70 b/‎src/marvin/cli.py
+70
@@ -0,0 +1,133 @@
+# App-specific
+
+.idea
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Logan Bibby
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,49 @@
+# Marvin, the AWS MFA helper bot
+
+Marvin is a Python CLI for refreshing and checking your AWS sessions that require MFA. 
+
+## Installation
+
+_Note: Marvin relies on the `aws` CLI to be installed and accessible from PATH._
+
+1. Clone this repo and go into the directory
+2. Create a virtual environment (`python -m venv .venv`) and activate (`source .venv/bin/activate` or `.venv\Scripts\activate` on Windows)
+3. Install requirements (`pip install -r requirements.txt`)
+
+## AWS Credentials File
+
+For each of the profiles you want to manage with Marvin, it must be already setup in `~/.aws/credentials`. Each profile requires two profiles in that file: the session profile and key profile.
+
+The key profile requires the following settings: `aws_access_key_id`, `aws_secret_access_key`, and `mfa_serial` (your MFA device ARN).
+
+The session profile is named based on the key profile's name followed by `_fetch` -- so a key profile called `default` would have a session profile called `default_fetch`. 
+
+Expirations and other data is saved in `~/.aws/config`.
+
+## Commands
+
+All commands run from `src/run.py` and can be invoked using `python src/run.py <command>` or `src/run.py` if the file has executable permission. 
+
+### `check`
+Check a profile's expiration.
+
+Required argument: `key_profile`
+
+Optional parameter: `--session-profile`
+
+### `refresh`
+Refresh a session's token. 
+
+Required argument: `key_profile`
+
+Optional parameters: `--session-profile`, `--duration` (in seconds, defaults to 36 hours), and `--token` (an MFA token).
+
+## To-Do
+
+* Better integration with `aws`
+* Ability to list profiles
+* Check status of all profiles
+
+## Version
+
+* `0.1` - Initial release
@@ -0,0 +1 @@
+click==8.1.3
@@ -0,0 +1,104 @@
+import subprocess
+import json
+import re
+
+import click
+
+from .exceptions import *
+
+
+error_response = re.compile(r"^An error occurred \((\w+)\) when calling the \w+ operation: (.+)$")
+
+
+class AWSResponse(object):
+    def __init__(self, cmd, cmd_group, output, is_json=True, cmd_name=None, cmd_opts=None, cmd_pmt=None):
+        self.command = cmd
+        self.command_group = cmd_group
+        self.command_name = cmd_name
+        self.command_options = cmd_opts
+        self.command_parameters = cmd_pmt
+        self.output = output
+
+        self.value = self.output.stdout.strip()
+
+        self.is_success = True
+        self.error_text = None
+        self.error_code = None
+
+        error = error_response.match(self.value)
+
+        if error:
+            self.is_success = False
+            self.error_text = error.group(2)
+            self.error_code = error.group(1)
+        elif is_json:
+            if self.value.startswith("{") or self.value.startswith("["):
+                self.value = json.loads(self.value)
+            else:
+                self.is_success = False
+                self.error_text = self.value
+                self.error_code = "invalid_json_response"
+
+
+class AWSClient(object):
+    CONFIGURE = "configure"
+    STS = "sts"
+
+    def __init__(self, debug=True):
+        self.aws_cli = "aws"
+        self.debug = debug
+
+    def run_command(self, cmd_group, cmd_name=None, *args, **kwargs):
+        cmd = [self.aws_cli, cmd_group]
+
+        if cmd_name:
+            cmd.append(cmd_name)
+
+        if len(args):
+            cmd += args
+
+        for key, value in kwargs.items():
+            key = key.replace("_", "-")
+            cmd.append(f'--{key}="{value}"')
+
+        cmd = " ".join(cmd)
+
+        if self.debug:
+            click.echo(f"Running command: {cmd}")
+
+        output = subprocess.run(
+            cmd,
+            text=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            shell=True
+        )
+
+        response = AWSResponse(cmd=cmd, cmd_group=cmd_group, cmd_name=cmd_name, cmd_opts=args, cmd_pmt=kwargs,
+                               output=output, is_json=kwargs.get("output") == "json")
+
+        if self.debug:
+            click.echo(f'Command output: "{response.value}"')
+
+        return response
+
+    def get_profile_value(self, profile, key):
+        return self.run_command(self.CONFIGURE, "get", key, profile=profile).value
+
+    def set_profile_value(self, profile, key, value):
+        return self.run_command(self.CONFIGURE, "set", key, value, profile=profile).is_success
+
+    def get_session_token(self, profile, token, duration, mfa_device):
+        response = self.run_command(self.STS, "get-session-token", profile=profile, output="json",
+                                    duration_seconds=duration, token_code=token, serial_number=mfa_device)
+
+        if not response.is_success:
+            if response.error_code == "AccessDenied" and "MultiFactorAuthentication failed" in response.error_text:
+                raise InvalidToken()
+            if "Invalid length for parameter TokenCode" in response.error_text:
+                raise InvalidTokenLength(response.error_text[-2:].strip())
+
+        return response
+
+
+client = AWSClient()
@@ -0,0 +1,70 @@
+import click
+
+from .client import Client
+from .aws import client as aws
+from .exceptions import *
+
+
+banner = """
+ __   __ _______ ______   __   __ ___ __    _ 
+|  |_|  |   _   |    _ | |  | |  |   |  |  | |
+|       |  |_|  |   | || |  |_|  |   |   |_| |
+|       |       |   |_||_|       |   |       |
+|       |       |    __  |       |   |  _    |
+| ||_|| |   _   |   |  | ||     ||   | | |   |
+|_|   |_|__| |__|___|  |_| |___| |___|_|  |__|
+"""
+
+
+@click.group
+@click.option("-d", "--debug", is_flag=True)
+def cli(debug):
+    click.secho(banner, fg="magenta")
+    click.secho(
+        "Hello! My name is Marvin and I'll handle your\nAWS multi-factor authentication session for AWS CLI.",
+        fg="magenta"
+    )
+    click.echo("")
+
+    aws.debug = debug
+
+
+@cli.command()
+@click.argument("key_profile")
+@click.option("--session-profile", default=None)
+@click.option("--token")
+@click.option("--duration", type=int)
+def refresh(**kwargs):
+    client = Client(**kwargs)
+
+    if client.is_refresh_needed and not client.mfa_token:
+        client.prompt_for_mfa_token()
+
+    while True:
+        try:
+            click.echo("")
+            if client.update_session_token():
+                click.secho(f"Your session information for {client.key_profile.name} has been updated!", fg="green")
+                click.secho(f"The session will expire in {client.key_profile.expires_in_hours} hours", fg="green")
+            else:
+                click.secho("Unable to refresh your session", fg="red")
+            break
+        except InvalidToken as e:
+            click.secho(str(e), fg="red")
+            click.echo("")
+            client.prompt_for_mfa_token()
+
+
+@cli.command()
+@click.argument("key_profile")
+@click.option("--session-profile", default=None)
+def check(**kwargs):
+    client = Client(**kwargs)
+
+    if client.is_refresh_needed:
+        click.secho(f"Your {client.session_name} session is active and will expire in "
+                    f"{client.key_profile.expires_in_hours} hours",
+                    fg="green")
+    else:
+        click.secho(f"Your {client.session_name} session expired {abs(client.key_profile.expires_in_hours)} hours ago "
+                    f"and needs to be refreshed.", fg="red")