package cmd
import (
"encoding/json"
"fmt"
"os"
"time"
"github.com/99designs/keyring"
analytics "github.com/segmentio/analytics-go"
"github.com/segmentio/aws-okta/lib"
"github.com/spf13/cobra"
)
// credProcessVersion is the "Version" field of the credential_process JSON
// document; the AWS SDKs currently define only version 1 of that format.
const credProcessVersion = 1

// pretty is set by --pretty/-p and selects indented JSON output.
var pretty bool
// credProcess is the document printed on stdout for the AWS SDK
// credential_process protocol. The JSON names (Version, AccessKeyId,
// SecretAccessKey, SessionToken, Expiration) are what the SDK reads back, so
// the tags must not change; encoding/json emits fields in declaration order.
// Note that this carries a live secret access key and session token in clear
// text — it is meant to be consumed by the SDK, not printed to a terminal.
type credProcess struct {
	Version         int    `json:"Version"`
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	// Expiration is written as an RFC 3339 timestamp by credProcessRun.
	Expiration string `json:"Expiration"`
}
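// credProcessCmd implements `aws-okta cred-process <profile>`. It prints one
// JSON document on stdout in the shape the AWS CLI/SDK `credential_process`
// setting expects, so the SDK can source short-lived credentials via Okta
// without anything being written to ~/.aws/credentials.
//
// ValidArgs is evaluated at package init from the parsed aws config so shell
// completion can offer profile names. mustListProfiles is defined elsewhere;
// if it panics on an unreadable config that would abort every aws-okta
// invocation at startup, not just this command — confirm against its
// definition.
var credProcessCmd = &cobra.Command{
	Use:   "cred-process <profile>",
	Short: "cred-process generates a credential_process ready output",
	RunE:  credProcessRun,
	// The profile handed to cred-process is the one being configured, so the
	// example names it "foo" to match the section header (the previous text
	// used the literal word "profile", which read as the profile name).
	Example:   "[profile foo]\ncredential_process = aws-okta cred-process foo",
	ValidArgs: listProfileNames(mustListProfiles()),
}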
// init wires cred-process into the root command and declares its flags.
// --session-ttl and --assume-role-ttl write into the package-level durations
// that the other subcommands share; both default to one hour and, when not
// given on the command line, may be overridden by the profile's
// session_ttl / assume_role_ttl keys (see credProcessRun).
func init() {
	flags := credProcessCmd.Flags()
	flags.DurationVarP(&sessionTTL, "session-ttl", "t", time.Hour, "Expiration time for okta role session")
	flags.DurationVarP(&assumeRoleTTL, "assume-role-ttl", "a", time.Hour, "Expiration time for assumed role")
	flags.BoolVarP(&pretty, "pretty", "p", false, "Pretty print display")
	RootCmd.AddCommand(credProcessCmd)
}
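// credProcessRun is the RunE for cred-process. It validates the requested
// profile against the aws config, obtains credentials through lib.Provider
// (Okta login + role assumption, cached in the keyring) and writes them to
// stdout as a single JSON document for the AWS SDK credential_process
// protocol.
//
// stdout is the credential channel: the only thing written to it is the final
// JSON document, and every diagnostic goes to stderr. Anything else printed to
// stdout would corrupt what the SDK parses. The secret access key and session
// token are necessarily emitted in clear text; that is inherent to
// credential_process and why this command is meant to be invoked by the SDK
// rather than run interactively.
//
// Returns ErrTooFewArguments when no profile is given, an error when the
// profile is absent from the aws config, and otherwise whatever the config
// parser, keyring, provider or JSON encoder returns.
func credProcessRun(cmd *cobra.Command, args []string) error {
	if len(args) < 1 {
		return ErrTooFewArguments
	}
	profile := args[0]

	config, err := lib.NewConfigFromEnv()
	if err != nil {
		return err
	}
	profiles, err := config.Parse()
	if err != nil {
		return err
	}
	if _, ok := profiles[profile]; !ok {
		return fmt.Errorf("Profile '%s' not found in your aws config. Use list command to see configured profiles", profile)
	}

	updateMfaConfig(cmd, profiles, profile, &mfaConfig)

	// Precedence for both durations: explicit flag > profile config key >
	// flag default (one hour). A malformed profile value is only a warning
	// on stderr and the current value is kept.
	applyProfileTTL := func(flagName, configKey string, dst *time.Duration) {
		if cmd.Flags().Lookup(flagName).Changed {
			return
		}
		if err := updateDurationFromConfigProfile(profiles, profile, configKey, dst); err != nil {
			fmt.Fprintf(os.Stderr, "warning: could not parse %s from profile config\n", configKey)
		}
	}
	applyProfileTTL("assume-role-ttl", "assume_role_ttl", &assumeRoleTTL)
	applyProfileTTL("session-ttl", "session_ttl", &sessionTTL)

	opts := lib.ProviderOptions{
		MFAConfig:              mfaConfig,
		Profiles:               profiles,
		SessionDuration:        sessionTTL,
		AssumeRoleDuration:     assumeRoleTTL,
		SessionCacheSingleItem: flagSessionCacheSingleItem,
	}

	// An explicit --backend pins the keyring to that single store; with none
	// given, OpenKeyring chooses from its own default list.
	var allowedBackends []keyring.BackendType
	if backend != "" {
		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
	}
	kr, err := lib.OpenKeyring(allowedBackends)
	if err != nil {
		return err
	}

	if analyticsEnabled && analyticsClient != nil {
		// Opt-in telemetry. The username and profile name leave the machine
		// here; no credential material does. Enqueue's error is deliberately
		// not checked: telemetry must never block credential delivery.
		analyticsClient.Enqueue(analytics.Track{
			UserId: username,
			Event:  "Ran Command",
			Properties: analytics.NewProperties().
				Set("backend", backend).
				Set("aws-okta-version", version).
				Set("profile", profile).
				Set("command", "cred-process"),
		})
	}

	p, err := lib.NewProvider(kr, profile, opts)
	if err != nil {
		return err
	}
	creds, err := p.Retrieve()
	if err != nil {
		return err
	}

	output, err := marshalCredProcess(creds.AccessKeyID, creds.SecretAccessKey, creds.SessionToken, p.GetExpiration(), pretty)
	if err != nil {
		return err
	}
	fmt.Println(string(output))
	return nil
}

// marshalCredProcess renders the credential_process JSON document for the
// given STS credentials. indent selects json.MarshalIndent (the --pretty
// flag); the SDK accepts either form. expiration is written as RFC 3339,
// the ISO 8601 profile the SDKs parse for the Expiration field.
func marshalCredProcess(accessKeyID, secretAccessKey, sessionToken string, expiration time.Time, indent bool) ([]byte, error) {
	cp := credProcess{
		Version:         credProcessVersion,
		AccessKeyID:     accessKeyID,
		SecretAccessKey: secretAccessKey,
		SessionToken:    sessionToken,
		Expiration:      expiration.Format(time.RFC3339),
	}
	if indent {
		return json.MarshalIndent(cp, "", " ")
	}
	return json.Marshal(cp)
}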