Merge branch 'master' into support_hashicorp_vault

Author: masstamike

blessclient.cfg.sample

@@ -62,6 +62,11 @@ update_script: update_blessclient.sh
 # tokens for when the user assumes the role necessary to call the BLESS Lambda. The default
 # is 3600 seconds (1 hour). The value must be in the range 900-3600.
 
+# update_sshagent: Specifies whether the identity key should be automatically added to the
+running ssh-agent. If this option is set to 'true', the key and the ssh certificate retrieved
+from lambda are added to the agent. If this option is set to 'false', the key is not added
+to the agent. The default is 'true'.
+
 [LAMBDA]
 # user_role: IAM Role that the user will assume, in order to run the BLESS Lambda. This
 # role should be in the same AWS account as your Lambda.

blessclient/bless_config.py

@@ -7,6 +7,7 @@ class BlessConfig(object):
     DEFAULT_CONFIG = {
         'user_session_length': '64800',
         'usebless_role_session_length': '3600',
+        'update_sshagent': 'true',
         'remote_user': None,
     }
 
@@ -39,6 +40,7 @@ def parse_config_file(self, config_file):
                 'update_script': config.get('CLIENT', 'update_script'),
                 'user_session_length': int(config.get('CLIENT', 'user_session_length')),
                 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')),
+                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
             },
             'BLESS_CONFIG': {
                 'ca_backend': config.get('MAIN', 'ca_backend'),

blessclient/client.py

@@ -793,10 +793,18 @@ def bless(region, nocache, showgui, hostname, bless_config):
         raise LambdaInvocationException(
             'BLESS client did not recieve a valid cert. Instead got: {}'.format(cert))
 
+    # Remove RSA identity from ssh-agent (if it exists)
     ssh_agent_remove_bless(identity_file)
     with open(cert_file, 'w') as cert_file:
         cert_file.write(cert)
-    ssh_agent_add_bless(identity_file)
+
+    # Check if we can skip adding identity into the running ssh-agent
+    if bless_config.get_client_config()['update_sshagent'] is True:
+        ssh_agent_add_bless(identity_file)
+    else:
+        logging.info(
+            "Skipping loading identity into the running ssh-agent "
+            'because this was disabled in the blessclient config.' )
 
     bless_cache.set('certip', my_ip)
     bless_cache.save()

blessclient/tokengui.py

@@ -32,19 +32,10 @@ def doGUI(self, hostname=None):
         self.master.attributes('-topmost', True)
         self.master.focus_force()
         self.e1.focus_set()
+
         if platform.system() == 'Darwin':
-            try:
-                from Cocoa import (
-                    NSRunningApplication,
-                    NSApplicationActivateIgnoringOtherApps
-                )
-
-                app = NSRunningApplication.runningApplicationWithProcessIdentifier_(
-                    os.getpid()
-                )
-                app.activateWithOptions_(NSApplicationActivateIgnoringOtherApps)
-            except ImportError:
-                pass
+            # Hack to get the GUI dialog focused in OSX
+            os.system('/usr/bin/osascript -e \'tell app "Finder" to set frontmost of process "python" to true\'')
 
         mainloop()
 

setup.py

@@ -2,7 +2,7 @@
 
 setup(
     name="blessclient",
-    version="0.2.0",
+    version="0.3.0",
     packages=find_packages(exclude=["test*"]),
     install_requires=[
         'boto3>=1.4.0,<2.0.0',

tests/blessclient/bless_config_test.py

@@ -22,6 +22,7 @@
 ip_urls: http://checkip.amazonaws.com, http://api.ipify.org
 update_script: autoupdate.sh
 user_session_length: 3600
+update_sshagent: false
 
 [LAMBDA]
 user_role: use-bless
@@ -121,6 +122,7 @@ def test_load_config():
             'update_script': 'autoupdate.sh',
             'user_session_length': 3600,
             'usebless_role_session_length': 3600, # comes from BlessConfig.DEFAULT_CONFIG
+            'update_sshagent': False
         },
         'VAULT_CONFIG': {
             'vault_addr': 'https://vault.example.com:1234',
@@ -140,6 +142,8 @@ def test_get_region_alias_from_aws_region(bless_config_test):
 def test_get_configs(bless_config_test):
     client_config = bless_config_test.get_client_config()
     assert 'domain_regex' in client_config
+    assert bool(client_config['update_sshagent']) is False
+    assert type(client_config['update_sshagent']).__name__ == 'bool'
     lambda_config = bless_config_test.get_lambda_config()
     assert 'functionname' in lambda_config
     aws_config = bless_config_test.get_aws_config()