From 28047520685b80a737206b34c393546202ea17c7 Mon Sep 17 00:00:00 2001 From: Aaron Turner Date: Sat, 19 Aug 2023 17:25:38 -0700 Subject: [PATCH] Add `AuthUrlAction` to override `UrlAction` for SSO auth This basically reverts #491 and goes back to unique Firefox containers for each SSO provider/AWS SSO instance. The AuthUrlAction does allow you to pick a single SSO instance to use your default browser via `open` to re-use the existing session cookies you might already have. Fixes: #524
---
CHANGELOG.md | 3 +++ docs/config.md | 7 +++++++ sso/awssso_auth.go | 9 +++++++-- sso/config.go | 10 ++++++++++ 4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffd97e0a..a7851236 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ * Guided setup is now more simple unless user provides the `--advanced` flag #530 * Guided setup now strips leading and trailing spaces for string input + * Revert #491 so SSO auth uses Firefox containers ### New Features
@@ -25,6 +26,8 @@ * `config-profiles` now supports the `--aws-config` flag * Added [ecs list](docs/ecs-server.md#listing-profiles) command to list profiles in named slots #517 + * Add [AuthUrlAction](docs/config.md#AuthUrlAction) to override [UrlAction](docs/config.md#UrlAction) + during SSO Authentication. #524 ## [v1.12.0] - 2023-08-12
diff --git a/docs/config.md b/docs/config.md
index 176c169a..1975a379 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -15,6 +15,7 @@ SSOConfig: SSORegion: StartUrl: DefaultRegion: + AuthUrlAction: [clip|exec|print|printurl|open|granted-containers|open-url-in-container] Accounts: # optional block for specifying tags & overrides : Name:
@@ -129,6 +130,12 @@ selected (most specific to most generic): 1. At the AWS SSO Instance level: `SSOConfig -> ` 1. At the config file level (default is `us-east-1`) +### AuthUrlAction + +Override the global [UrlAction](#urlaction) when authenticating with your SSO provider +to retrieve an AWS SSO token. Generally only useful when you wish to use your default +browser with one `SSOConfig` block to re-use your existing SSO browser authentication cookie. + ### Accounts The `Accounts` block is completely optional! The only purpose of this block
diff --git a/sso/awssso_auth.go b/sso/awssso_auth.go
index 00edd3d9..2de1f61e 100644
--- a/sso/awssso_auth.go
+++ b/sso/awssso_auth.go
@@ -110,8 +110,13 @@ func (as *AWSSSO) reauthenticate() error { return fmt.Errorf("Unable to get device auth info from AWS SSO: %s", err.Error()) } - urlOpener := url.NewHandleUrl(url.SSOAuthAction(as.urlAction), auth.VerificationUriComplete, - as.browser, as.urlExecCommand) + action := as.urlAction + if as.SSOConfig.AuthUrlAction != url.Undef { + // specific action for authentication? + action = as.SSOConfig.AuthUrlAction + } + + urlOpener := url.NewHandleUrl(action, auth.VerificationUriComplete, as.browser, as.urlExecCommand) urlOpener.ContainerSettings(as.StoreKey(), DEFAULT_AUTH_COLOR, DEFAULT_AUTH_ICON) if err = urlOpener.Open(); err != nil {
diff --git a/sso/config.go b/sso/config.go
index 8ee3b383..cc07260a 100644
--- a/sso/config.go
+++ b/sso/config.go
@@ -23,6 +23,7 @@ import ( "strings" "github.com/synfinatic/aws-sso-cli/internal/tags" + "github.com/synfinatic/aws-sso-cli/internal/url" "github.com/synfinatic/aws-sso-cli/internal/utils" )
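Review bot: The `as.SSOConfig.AuthUrlAction != url.Undef` fallback in `reauthenticate()` duplicates the defaulting that this same patch adds to `SSOConfig.Refresh()` in sso/config.go. Once `Refresh` has run, the branch is taken whenever a global `UrlAction` is set, so `as.urlAction` no longer decides how the SSO login URL is opened. If `as.urlAction` can ever differ from `Settings.UrlAction` (not visible in this hunk), that difference is silently dropped for authentication. I would keep the fallback in one place only, for example keep these lines and drop the `Refresh` default, and reword the comment to `// per-instance AuthUrlAction wins; url.Undef means use the global UrlAction`. The body of `reauthenticate()` starts and ends outside the hunk.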
@@ -33,6 +34,10 @@ type SSOConfig struct { StartUrl string `koanf:"StartUrl" yaml:"StartUrl"` Accounts map[string]*SSOAccount `koanf:"Accounts" yaml:"Accounts,omitempty"` // key must be a string to avoid parse errors! DefaultRegion string `koanf:"DefaultRegion" yaml:"DefaultRegion,omitempty"` + + // overrides for this SSO Instance + AuthUrlAction url.Action `koanf:"AuthUrlAction" yaml:"AuthUrlAction,omitempty"` + // passed to AWSSSO from our Settings MaxBackoff int `koanf:"-" yaml:"-"` MaxRetry int `koanf:"-" yaml:"-"`
@@ -62,6 +67,11 @@ type SSORole struct { func (c *SSOConfig) Refresh(s *Settings) { c.MaxBackoff = s.MaxBackoff c.MaxRetry = s.MaxRetry + + if c.AuthUrlAction == url.Undef { + c.AuthUrlAction = s.UrlAction + } + for accountId, a := range c.Accounts { a.SetParentConfig(c) for roleName, r := range a.Roles {
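Review bot: The field comment `// overrides for this SSO Instance` on `AuthUrlAction` says neither what an unset value means nor how far the override reaches. Going by the sso/awssso_auth.go hunk, only the action changes for the SSO login URL, while `as.browser` and `as.urlExecCommand` are still passed unchanged, so an `exec` or container action chosen here still runs whatever command is configured there. I would state that on the field, e.g. `// AuthUrlAction overrides UrlAction for the SSO login URL only; url.Undef inherits UrlAction. Browser and exec command are not overridden.` The struct definition continues outside the hunk.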
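Review bot: `Refresh()` writes the inherited `s.UrlAction` into `c.AuthUrlAction`, a field tagged `yaml:"AuthUrlAction,omitempty"`, whereas the `MaxBackoff` and `MaxRetry` values it also fills are tagged `yaml:"-"`. If an `SSOConfig` is ever marshalled back to the config file after `Refresh` (not visible here), the global default would be saved as an explicit per-instance override. Later changes to `UrlAction` would then stop applying to SSO login for that instance. Since `reauthenticate()` already falls back to the global action, the `if c.AuthUrlAction == url.Undef { c.AuthUrlAction = s.UrlAction }` block could be removed, or the resolved value kept in a separate field tagged `yaml:"-"`. `Refresh` continues past the end of the hunk.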