package prompt
import (
"fmt"
"log"
"os"
"os/exec"
"strings"
)
// YkmanMfaProvider shells out to the ykman CLI and returns the OATH-TOTP code
// it prints for the selected credential, with surrounding whitespace removed.
// To set up ykman, first run `ykman oath accounts add`.
//
// Environment variables read:
//   - YKMAN_OATH_CREDENTIAL_NAME: credential to query; mfaSerial is used when
//     it is empty.
//   - YKMAN_OATH_DEVICE_SERIAL: when non-empty, passed to ykman as --device.
//   - AWS_VAULT_YKMAN_VERSION: "1", "2" or "3" selects `oath code`; any other
//     value (including unset) selects `oath accounts code`.
//
// Any failure to start or run ykman is returned wrapped with a "ykman: "
// prefix. Only the argument list is logged; the code itself is not.
func YkmanMfaProvider(mfaSerial string) (string, error) {
	// The explicit credential name wins; otherwise the MFA serial is the name.
	credName := mfaSerial
	if override := os.Getenv("YKMAN_OATH_CREDENTIAL_NAME"); override != "" {
		credName = override
	}

	// Global options come before the subcommand.
	var args []string
	if deviceSerial := os.Getenv("YKMAN_OATH_DEVICE_SERIAL"); deviceSerial != "" {
		args = append(args, "--device", deviceSerial)
	}

	// Default to the v4-and-above subcommand layout.
	subcommand := []string{"oath", "accounts", "code"}
	if v := os.Getenv("AWS_VAULT_YKMAN_VERSION"); v == "1" || v == "2" || v == "3" {
		subcommand = []string{"oath", "code"}
	}
	args = append(args, subcommand...)
	// NOTE(review): credName is passed positionally with no "--" separator, so
	// a value starting with "-" would presumably be read by ykman as an
	// option; confirm against the supported ykman versions before changing.
	args = append(args, "--single", credName)

	log.Printf("Fetching MFA code using `ykman %s`", strings.Join(args, " "))

	// "ykman" is resolved through PATH at call time, so whichever executable
	// PATH yields first is the one that produces the code.
	// NOTE(review): consider pinning an absolute path if PATH is not trusted.
	cmd := exec.Command("ykman", args...)
	// stderr goes straight to this process's stderr; only stdout is captured.
	cmd.Stderr = os.Stderr

	stdout, runErr := cmd.Output()
	if runErr != nil {
		return "", fmt.Errorf("ykman: %w", runErr)
	}

	// NOTE(review): empty output on a zero exit is returned as "" with a nil
	// error; callers that need a non-empty code must check for it themselves.
	return strings.TrimSpace(string(stdout)), nil
}
// init registers YkmanMfaProvider under the "ykman" key in Methods, but only
// when a ykman executable can be found on PATH at package initialisation.
//
// The path found here is discarded: YkmanMfaProvider resolves "ykman" again
// each time it runs, so this check only gates registration and does not pin
// which binary is later executed.
func init() {
	_, lookupErr := exec.LookPath("ykman")
	if lookupErr != nil {
		return
	}
	Methods["ykman"] = YkmanMfaProvider
}