This repository has been archived by the owner on Apr 7, 2022. It is now read-only.

Merge pull request #4 from hopkinsth/feature/base-profile
support skipping second MFA
hopkinsth committed Jun 7, 2016
2 parents 2a9f9ca + 06e046e commit 20462a6
Showing 3 changed files with 52 additions and 21 deletions.
6 changes: 4 additions & 2 deletions config-loader.go
Expand Up @@ -7,6 +7,7 @@ import "fmt"
import "errors"

var badCfgErr = errors.New("Bad configuration file!")
var awsProfileNotFound = errors.New("AWS profile not found!")

var debugCfg = debug.Debug("oktad:config")

Expand Down Expand Up @@ -108,7 +109,8 @@ func loadAwsCfg() (*ini.File, error) {
}

// reads your AWS config file to load the role ARN
// for a specific profile; returns the ARN and an error if any
// for a specific profile; returns the ARN, whether we found your profile,
// and an error if any
func readAwsProfile(name string) (AwsConfig, error) {
var cfg AwsConfig
asec, err := loadAwsCfg()
Expand All @@ -120,7 +122,7 @@ func readAwsProfile(name string) (AwsConfig, error) {
s, err := asec.GetSection(name)
if err != nil {
debugCfg("aws profile read err, %s", err)
return cfg, err
return cfg, awsProfileNotFound
}

if !s.HasKey("role_arn") {
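Review bot: The rewritten comment above readAwsProfile promises three results ("the ARN, whether we found your profile, and an error"), but the signature on the next line still returns only `(AwsConfig, error)` and the not-found case is signalled through the `awsProfileNotFound` sentinel; the comment should read `// for a specific profile; returns the config and an error, which is awsProfileNotFound when the section is missing`. Replacing the GetSection error with that sentinel also discards the original cause, and main.go in this same commit treats the sentinel as permission to fall back to the base account, so if the ini library can fail the lookup for any reason other than a missing section, that failure becomes a silent fallback instead of a stop; keep the sentinel for the genuine missing-section case and otherwise wrap with `fmt.Errorf` so the cause survives. Go convention would also name the sentinel `ErrAwsProfileNotFound` and drop the trailing "!" from the message. readAwsProfile's body continues past the end of this hunk.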
9 changes: 7 additions & 2 deletions creds.go
Expand Up @@ -12,10 +12,11 @@ import "github.com/tj/go-debug"
import "github.com/aws/aws-sdk-go/aws/credentials"

var debugCredStore = debug.Debug("oktad:credStore")

var credsNotFound = errors.New("credentials not found!")
var credsExpired = errors.New("credentials expired!")

const BASE_PROFILE_CREDS = "__oktad_base_credentials"

type CredStore map[string]AwsCreds
type AwsCreds struct {
Creds credentials.Value
Expand Down Expand Up @@ -141,7 +142,11 @@ func loadCreds(profile string) (*credentials.Credentials, error) {

creds, ok := allCreds[profile]
if !ok {
return nil, credsNotFound
creds, ok = allCreds[BASE_PROFILE_CREDS]
if !ok {
return nil, credsNotFound
}

}

if time.Now().UnixNano() >= creds.Expiration.UnixNano() {
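Review bot: The new fallback in loadCreds hands out the cached base-account credentials for any profile name that lacks a cache entry, not only when the caller asked for the base profile. As visible in main.go in this commit, a caller that did find a real AWS profile still calls `loadCreds(awsProfile)`; if that profile's credentials are not cached yet but `__oktad_base_credentials` is present and unexpired, the command runs with base-account credentials instead of the destination role, and nothing but a debug line says so. main.go already rewrites `awsProfile` to `BASE_PROFILE_CREDS` when it intends the base account, so the lookup can stay strict: `if !ok { return nil, credsNotFound }`. If a fallback is genuinely wanted, gate it on an explicit parameter from the caller rather than on a cache miss. loadCreds begins before this hunk and its expiry and return logic continue after it.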
58 changes: 41 additions & 17 deletions main.go
Expand Up @@ -5,8 +5,10 @@ import "fmt"
import "github.com/jessevdk/go-flags"
import "github.com/tj/go-debug"
import "github.com/peterh/liner"
import "github.com/aws/aws-sdk-go/aws/credentials"
import "time"

const VERSION = "0.5.2"
const VERSION = "0.6.0"

func main() {
var opts struct {
Expand Down Expand Up @@ -38,11 +40,35 @@ func main() {
}

if len(args) <= 0 {
fmt.Println("You must supply a profile name, sorry.")
fmt.Println("Hey, that command won't actually do anything.\n\nSorry.")
return
}

awsProfile := args[0]
acfg, err := readAwsProfile(
fmt.Sprintf("profile %s", awsProfile),
)

var skipSecondRole bool

if err != nil {
//fmt.Println("Error reading your AWS profile!")
debug("error reading AWS profile: %s", err)
if err == awsProfileNotFound {
// if the AWS profile isn't found, we'll assume that
// the user intends to run a command in the first account
// behind their okta auth, rather than assuming role twice
skipSecondRole = true
fmt.Printf(
"We couldn't find an AWS profile named %s,\nso we will AssumeRole into your base account.\n",
awsProfile,
)
awsProfile = BASE_PROFILE_CREDS

args = append([]string{BASE_PROFILE_CREDS}, args...)
}
}

maybeCreds, err := loadCreds(awsProfile)
if err == nil {
debug("found cached credentials, going to use them")
Expand All @@ -56,15 +82,6 @@ func main() {

debug("cred load err %s", err)

acfg, err := readAwsProfile(
fmt.Sprintf("profile %s", awsProfile),
)

if err != nil {
fmt.Println("Error reading your AWS profile!")
debug("error was... %s", err)
}

user, pass, err := readUserPass()
if err != nil {
// if we got an error here, the user bailed on us
Expand Down Expand Up @@ -119,18 +136,25 @@ func main() {
return
}

mainCreds, _, err := assumeFirstRole(acfg, saml)
mainCreds, mExp, err := assumeFirstRole(acfg, saml)
if err != nil {
fmt.Println("Error assuming first role!")
debug("error was %s", err)
return
}

finalCreds, fExp, err := assumeDestinationRole(acfg, mainCreds)
if err != nil {
fmt.Println("Error assuming second role!")
debug("error was %s", err)
return
var finalCreds *credentials.Credentials
var fExp time.Time
if !skipSecondRole {
finalCreds, fExp, err = assumeDestinationRole(acfg, mainCreds)
if err != nil {
fmt.Println("Error assuming second role!")
debug("error was %s", err)
return
}
} else {
finalCreds = mainCreds
fExp = mExp
}

// all was good, so let's save credentials...
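Review bot: Treating a missing profile as "run in the base account" fails open: a mistyped profile name no longer errors out but silently executes the command with the first role's credentials in a different account, with only the Printf in the `if err == awsProfileNotFound` branch as a signal. Prefer an explicit opt-in (a field in the `opts` struct, e.g. `--base`) or a confirmation through the already-imported liner prompt before setting `skipSecondRole = true`; inferring intent from a lookup miss is the wrong default for a tool that mints credentials. The same block also drops the user-facing message for any other `readAwsProfile` error (commented out right after `if err != nil`) and then proceeds into assumeFirstRole with a zero-value `acfg`; return on anything other than the sentinel: `if err != awsProfileNotFound { fmt.Println("Error reading your AWS profile!"); return }`. `args = append([]string{BASE_PROFILE_CREDS}, args...)` moves the original `args[0]` to index 1, which is correct only if the command-building code outside these hunks reads `args[1:]`. main's body starts before and continues after the hunks shown here.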
