Store OAuth2.0 tokens remotely in AWS Secrets Manager

LICENSE

@@ -1,121 +1,13 @@
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
-    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
-    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
-    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
-    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
-    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
-    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
-    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
-    HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
-  i. the right to reproduce, adapt, distribute, perform, display,
-     communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
-     likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
-     subject to the limitations in paragraph 4(a), below;
-  v. rights protecting the extraction, dissemination, use and reuse of data
-     in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
-     European Parliament and of the Council of 11 March 1996 on the legal
-     protection of databases, and under any national implementation
-     thereof, including any amended or successor version of such
-     directive); and
-vii. other similar, equivalent or corresponding rights throughout the
-     world based on applicable law or treaty, and any national
-     implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
-    surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
-    warranties of any kind concerning the Work, express, implied,
-    statutory or otherwise, including without limitation warranties of
-    title, merchantability, fitness for a particular purpose, non
-    infringement, or the absence of latent or other defects, accuracy, or
-    the present or absence of errors, whether or not discoverable, all to
-    the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
-    that may apply to the Work or any use thereof, including without
-    limitation any person's Copyright and Related Rights in the Work.
-    Further, Affirmer disclaims responsibility for obtaining any necessary
-    consents, permissions or other rights required for any use of the
-    Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
-    party to this document and has no duty or obligation with respect to
-    this CC0 or use of the Work.
+Zero-Clause BSD
+===============
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
+FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

README.md

@@ -16,70 +16,78 @@ For more information about the Email OAuth 2.0 Proxy, see the README in [simonro
 
 **THIS SOFTWARE COMES WITH NO WARRANTY OR GUARANTEE REGARDING THE PRICE OF YOUR CLOUD USAGE.** The price you face is determined by AWS, and may be higher or lower depending on your Free Tier availability, email client settings, pricing changes by Amazon, etc.
 
-I am paying ***approximately US$4.15 per month***, based on the prices I observed for my own usage in June 2022:
+I am paying ***approximately US$4.55 per month***, based on the prices I observed for my own usage in June 2022:
 * $5/year paid upfront for a .link domain registered on Route 53
-   * As of 2022-06-11, the cheapest TLD is .click at $3/year *but it has no WHOIS privacy protection*.
-   * As of 2022-06-11, the second-cheapest TLD is .link at $5/year **and it has WHOIS privacy protection**.
+    * As of 2022-06-11, the cheapest TLD is .click at $3/year *but it has no WHOIS privacy protection*.
+    * As of 2022-06-11, the second-cheapest TLD is .link at $5/year **and it has WHOIS privacy protection**.
 * $0.50/month for a Route 53 hosted zone
 * $3.07/month for a t4g EC2 instance (cheapest instance type)
 * $0.16/month for a 2GB EBS volume
+* $0.40/month for one secret in AWS Secrets Manager
 
 ## Installation
 
 ### Pre-requisites:
 
 * An AWS account, with the [AWS CLI](https://aws.amazon.com/cli/) configured on your local machine.
-   * You must have an AWS profile configured on your computer with admin access to your account, or at a minimum, sufficient privileges to manage the AWS resources used by this Terraform config.
-   * The default profile will be used, although [an alternative profile can be specified](https://github.com/michaelstepner/email-oauth2-proxy-aws/blob/6c31fef7bbc091b1f756ce969fb60bb951786e29/terraform/variables.tf#L5).
+    * You must have an AWS profile configured on your computer with admin access to your account, or at a minimum, sufficient privileges to manage the AWS resources used by this Terraform config.
+    * The default profile will be used, although [an alternative profile can be specified](https://github.com/michaelstepner/email-oauth2-proxy-aws/blob/6c31fef7bbc091b1f756ce969fb60bb951786e29/terraform/variables.tf#L5).
 * A local installation of [Terraform](https://www.terraform.io/downloads).
 
 ### Installation steps:
+
 1. Manually [register a domain using AWS Route 53](https://us-east-1.console.aws.amazon.com/route53/home#DomainRegistration).
-   * It may take a few minutes to a few hours for Amazon to complete the domain registration. There may be manual steps involved, such as validating your email address.
+    * It may take a few minutes to a few hours for Amazon to complete the domain registration. There may be manual steps involved, such as validating your email address.
+
 2. From the AWS Console, navigate to [Route 53: Hosted Zones](https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones#). Note down the "Hosted zone ID" for your chosen domain, which you will need in step 5.
+
 3. Clone this repository onto your local computer.
+
 4. Make a copy of the `terraform/config_example.tfvars` file, save it under a new name, and fill in the values with your own configuration settings.
-   * You can consult the readme in [simonrob/email-oauth2-proxy](https://github.com/simonrob/email-oauth2-proxy#readme) for more details about the `email_oauth2_proxy_config` settings.
-   * There are additional settings that can be configured, which may not be detailed in the example file. The full list of config settings is in [variables.tf](https://github.com/michaelstepner/email-oauth2-proxy-aws/blob/main/terraform/variables.tf).
+    * You can consult the readme in [simonrob/email-oauth2-proxy](https://github.com/simonrob/email-oauth2-proxy#readme) for more details about the `email_oauth2_proxy_config` settings.
+    * There are additional settings that can be configured, which may not be detailed in the example file. The full list of config settings is in [variables.tf](https://github.com/michaelstepner/email-oauth2-proxy-aws/blob/main/terraform/variables.tf).
+
 5. Using a terminal, navigate to the `terraform` subdirectory of this repo and run the following commands, replacing ALL_CAPS values with your own:
-```
-terraform init
-terraform import -var-file=YOUR_CONFIG.tfvars aws_route53_zone.primary ZONE_ID_FROM_STEP_2
-```
+    ```
+    terraform init
+    terraform import -var-file=YOUR_CONFIG.tfvars aws_route53_zone.primary ZONE_ID_FROM_STEP_2
+    ```
+
 6. You are now ready to create the AWS server. Using a terminal, in the `terraform` subdirectory of this repo, run the following command. Terraform will prompt you to review the resources that will be created, then type `yes` to confirm.
-```
-terraform apply -var-file=YOUR_CONFIG.tfvars
-```
-7. Using a terminal on your local computer, run `ssh -L 8080:127.0.0.1:8080 ec2-user@<PUBLIC_IP OR DOMAIN_FULL_NAME>`
-   * This will connect to the email-oauth2-proxy server, while also forwarding its port 8080 to your local computer for OAuth2 authentication purposes.
-8. On the remote server you just SSH-ed into, run:
-```
-tmux
-cd email-oauth2-proxy/
-PYSTRAY_BACKEND=dummy python3 emailproxy.py --no-gui --local-server-auth --config-file personal.config
-```
-9. In your email client, configure SMTP using the server settings:
-   * Outgoing SMTP server: `DOMAIN_FULL_NAME`
-   * Port: `465`
-   * Username: `YOUR_EMAIL_ADDRESS`
-   * Password: `ANY_STRING_OF_YOUR_CHOICE`
-10. When your email client attempts to connect to the SMTP server, you should see an authentication request appear in the email-oauth2-proxy server log via your SSH session. It will look like the text below. Copy and paste the URL from your terminal into your local browser, then complete the authentication prompts.
-```
-YYYY-MM-DD HH:MM:SS: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account [email protected]
-YYYY-MM-DD HH:MM:SS: Please visit the following URL to authenticate account [email protected]: URL
-```
-11. After you've completed the authentication prompts in your local browser, you should see the successful authentication appear in the email-oauth2-proxy server log via your SSH session. It will look like the text below. At this point you can close your local browser tab. Your email client should be able to successfully connect to the SMTP server and send outgoing emails. 
-```
-YYYY-MM-DD HH:MM:SS: SMTP ('1.2.3.4', 5678) [ Successfully authenticated SMTP connection - releasing session ]
-```
-12. In your terminal connected to the remote server, leave the email-oauth2-proxy server running while detaching from the tmux session by typing `Ctrl`+`b` then `d`. You can now log out of the remote server. It will continue running the email-oauth2-proxy server in the background.
+    ```
+    terraform apply -var-file=YOUR_CONFIG.tfvars
+    ```
+
+7. Using a terminal on your local computer, run the following command. This will display a live view of the email-oauth2-proxy logs, while also forwarding port 8080 on the server to your local computer for OAuth2 authentication purposes.
+    ```
+    ssh -L 8080:127.0.0.1:8080 ec2-user@<PUBLIC_IP OR DOMAIN_FULL_NAME> journalctl --follow -u emailproxy
+    ```
+
+8. In your email client, configure SMTP using the server settings:
+    * Outgoing SMTP server: `DOMAIN_FULL_NAME`
+    * Port: `465`
+    * Username: `YOUR_EMAIL_ADDRESS`
+    * Password: `ANY_STRING_OF_YOUR_CHOICE`
+
+9. When your email client attempts to connect to the SMTP server, you should see an authentication request appear in the email-oauth2-proxy server log via your SSH session. It will look like the text below. Copy and paste the URL from your terminal into your local browser, then complete the authentication prompts.
+    ```
+    Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account [email protected]
+    Please visit the following URL to authenticate account [email protected]: URL
+    ```
+
+10. After you've completed the authentication prompts in your local browser, you should see the successful authentication appear in the email-oauth2-proxy server log via your SSH session. It will look like the text below. At this point you can close your local browser tab. Your email client should be able to successfully connect to the SMTP server and send outgoing emails.
+    ```
+    SMTP ('1.2.3.4', 5678; [email protected]) [ Successfully authenticated SMTP connection - releasing session ]
+    ```
+
+11. You can now log out of the remote server by typing `Ctrl`+`c` to end your SSH session. It will continue running the email-oauth2-proxy server in the background.
 
 ### Limitations
 
 * Your TLS certificate from Let's Encrypt will expire automatically after 90 days.
-* After 60 to 90 days, you can renew the certificate by restarting the installation steps from Step 6 (`terraform apply ...`).
-   * If any settings (such as the TLS certificate) have changed, this will destroy the existing server and create a brand new server.
-   * You will therefore need to proceed through all the subsequent installation steps.
+* After 60 to 90 days, you can renew the certificate by re-running installation step 6 (`terraform apply ...`).
+    * If any settings (such as the TLS certificate) have changed, this will destroy the existing server and create a brand new server.
+    * You should not need to re-authenticate (installation steps 7-11), because your OAuth 2.0 tokens are stored persistently in AWS Secrets Manager. Your authentication is not lost when the server is destroyed and re-created.
 
 ## Contributing
 
@@ -92,14 +100,14 @@ If you have a **feature request**, it is unlikely that I will be able to impleme
 ### To Do
 
 - [x] [Use certificate](https://github.com/simonrob/email-oauth2-proxy/blob/b26c7b4d25f431e2a1ea12a30667cb9746401211/emailproxy.config#L28) to secure the connection between email client and proxy server
-- [ ] [Automatically launch](https://github.com/simonrob/email-oauth2-proxy/issues/2#issuecomment-839713677) `email-oauth2-proxy` and configure OAuth2 token without SSHing into the server
-- [ ] Add support for storing OAuth 2 tokens using a secrets manager (e.g. AWS, Github or Terraform) instead of locally, so it persists across servers
+- [x] Add support for storing OAuth2 tokens using a secrets manager (e.g. AWS Secrets Manager) instead of locally, so it persists across servers
+- [x] [Automatically launch](https://github.com/simonrob/email-oauth2-proxy/issues/2#issuecomment-839713677) `email-oauth2-proxy` on server via `systemctl`
 - [ ] Add support for automatically rotating TLS certificate, which expires automatically after 90 days
 
 ## License
 
-All of the files in this repository are released to the public domain under a [CC0 license](https://creativecommons.org/publicdomain/zero/1.0/) to permit the widest possible reuse.
+All of the files in this repository are open source and can be freely reused, as described in the [0BSD license](https://choosealicense.com/licenses/0bsd/).
 
 ## Acknowledgements
 
-This project only exists thanks to [Simon Robinson](https://github.com/simonrob)'s excellent work on [email-oauth2-proxy](https://github.com/simonrob/email-oauth2-proxy). His generous answers in the Issues on that project were invaluable in the development of this project.
+This project only exists thanks to [Simon Robinson](https://github.com/simonrob)'s excellent work on [email-oauth2-proxy](https://github.com/simonrob/email-oauth2-proxy). His generous answers in the Github Issues on that project, along with his review and contributions to [PR 114](https://github.com/simonrob/email-oauth2-proxy/pull/114), were invaluable in the development of this project.

terraform/config_example.tfvars

@@ -32,6 +32,9 @@ timezone = "America/New_York"
 
 # Config file for email-oauth2-proxy
 # For documentation see: https://github.com/simonrob/email-oauth2-proxy
+# In your personal .tfvars file:
+#   - values in *** three asterisks *** should be manually replaced
+#   - values in {{double braces}} should be left as-is, and will be automatically populated on the server
 email_oauth2_proxy_config = <<-EOT
 [SMTP-1465]
 server_address = smtp.office365.com