fix: add time spefication before a reload is done

user specified reload before int
changed type to int from int64 and only cast in a place where it needs to be converted
added unit test

Author: dnitsch

cmd/saml.go

@@ -1,31 +1,44 @@
 package cmd
 
 import (
+	"fmt"
+
 	"github.com/dnitsch/aws-cli-auth/internal/auth"
 	"github.com/dnitsch/aws-cli-auth/internal/config"
 	"github.com/dnitsch/aws-cli-auth/internal/util"
 	"github.com/spf13/cobra"
 )
 
 var (
-	providerUrl  string
-	principalArn string
-	acsUrl       string
-	role         string
-	duration     int64
-	samlCmd      = &cobra.Command{
+	providerUrl      string
+	principalArn     string
+	acsUrl           string
+	role             string
+	duration         int
+	reloadBeforeTime int
+	samlCmd          = &cobra.Command{
 		Use:   "saml <SAML ProviderUrl>",
 		Short: "Get AWS credentials and out to stdout",
 		Long:  `Get AWS credentials and out to stdout through your SAML provider authentication.`,
 		Run:   getSaml,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if reloadBeforeTime != 0 && reloadBeforeTime > duration {
+				return fmt.Errorf("reload-before: %v, must be less than duration (-d): %v", reloadBeforeTime, duration)
+			}
+			return nil
+		},
 	}
 )
 
 func init() {
 	samlCmd.PersistentFlags().StringVarP(&providerUrl, "provider", "p", "", "Saml Entity StartSSO Url")
+	samlCmd.MarkPersistentFlagRequired("provider")
 	samlCmd.PersistentFlags().StringVarP(&principalArn, "principal", "", "", "Principal Arn of the SAML IdP in AWS")
+	samlCmd.MarkPersistentFlagRequired("principal")
 	samlCmd.PersistentFlags().StringVarP(&acsUrl, "acsurl", "a", "https://signin.aws.amazon.com/saml", "Override the default ACS Url, used for checkin the post of the SAMLResponse")
-	samlCmd.PersistentFlags().Int64VarP(&duration, "max-duration", "d", 900, "Override default max session duration, in seconds, of the role session [900-43200]")
+	samlCmd.PersistentFlags().IntVarP(&duration, "max-duration", "d", 900, "Override default max session duration, in seconds, of the role session [900-43200]")
+	samlCmd.MarkPersistentFlagRequired("max-duration")
+	samlCmd.PersistentFlags().IntVarP(&reloadBeforeTime, "reload-before", "", 0, "Triggers a credentials refresh before the specified max-duration. Value provided in seconds. Should be less than the max-duration of the session")
 	rootCmd.AddCommand(samlCmd)
 }
 
@@ -35,7 +48,13 @@ func getSaml(cmd *cobra.Command, args []string) {
 		PrincipalArn: principalArn,
 		Duration:     duration,
 		AcsUrl:       acsUrl,
-		BaseConfig:   config.BaseConfig{StoreInProfile: storeInProfile, Role: role, CfgSectionName: cfgSectionName, DoKillHangingProcess: killHangingProcess},
+		BaseConfig: config.BaseConfig{
+			StoreInProfile:       storeInProfile,
+			Role:                 role,
+			CfgSectionName:       cfgSectionName,
+			DoKillHangingProcess: killHangingProcess,
+			ReloadBeforeTime:     reloadBeforeTime,
+		},
 	}
 
 	auth.GetSamlCreds(conf)

internal/auth/awssts.go

@@ -33,7 +33,7 @@ func LoginStsSaml(samlResponse string, role *util.AWSRole) (*util.AWSCredentials
 		PrincipalArn:    aws.String(role.PrincipalARN), // Required
 		RoleArn:         aws.String(role.RoleARN),      // Required
 		SAMLAssertion:   aws.String(samlResponse),      // Required
-		DurationSeconds: aws.Int64(role.Duration),
+		DurationSeconds: aws.Int64(int64(role.Duration)),
 	}
 
 	resp, err := svc.AssumeRoleWithSAML(params)

internal/auth/saml.go

@@ -23,7 +23,7 @@ func GetSamlCreds(conf config.SamlConfig) {
 	// Try to reuse stored credential in secret
 	awsCreds, err = secretStore.AWSCredential()
 
-	if !util.IsValid(awsCreds) || err != nil {
+	if !util.IsValid(awsCreds, conf.BaseConfig.ReloadBeforeTime) || err != nil {
 		webBrowser = web.New()
 
 		t, err := webBrowser.GetSamlLogin(conf)

internal/config/config.go

@@ -12,12 +12,13 @@ type BaseConfig struct {
 	CfgSectionName       string
 	StoreInProfile       bool
 	DoKillHangingProcess bool
+	ReloadBeforeTime     int
 }
 
 type SamlConfig struct {
 	BaseConfig   BaseConfig
 	ProviderUrl  string
 	PrincipalArn string
 	AcsUrl       string
-	Duration     int64
+	Duration     int
 }

internal/util/helper.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -25,7 +26,7 @@ func HomeDir() string {
 }
 
 func ConfigIniFile(basePath string) string {
-	var base = ""
+	var base string
 	if basePath != "" {
 		base = basePath
 	} else {
@@ -105,8 +106,12 @@ func GetWebIdTokenFileContents() (string, error) {
 	return string(content), nil
 }
 
-func IsValid(cred *AWSCredentials) bool {
-	if cred == nil {
+// IsValid checks current credentials and
+// returns them if they are still valid
+// if reloadTimeBefore is less than time left on the creds
+// then it will re-request a login
+func IsValid(currentCreds *AWSCredentials, relaodBeforeTime int) bool {
+	if currentCreds == nil {
 		return false
 	}
 
@@ -117,9 +122,9 @@ func IsValid(cred *AWSCredentials) bool {
 	}
 
 	creds := credentials.NewStaticCredentialsFromCreds(credentials.Value{
-		AccessKeyID:     cred.AWSAccessKey,
-		SecretAccessKey: cred.AWSSecretKey,
-		SessionToken:    cred.AWSSessionToken,
+		AccessKeyID:     currentCreds.AWSAccessKey,
+		SecretAccessKey: currentCreds.AWSSecretKey,
+		SessionToken:    currentCreds.AWSSessionToken,
 	})
 
 	svc := sts.New(sess, aws.NewConfig().WithCredentials(creds))
@@ -132,7 +137,17 @@ func IsValid(cred *AWSCredentials) bool {
 		Writeln("The previous credential isn't valid")
 	}
 
-	return err == nil
+	return err == nil && !reloadBeforeExpiry(currentCreds.Expires, relaodBeforeTime)
+}
+
+// reloadBeforeExpiry returns true if the time
+// to expiry is less than the specified time in seconds
+// false if there is more than required time in seconds
+// before needing to recycle credentials
+func reloadBeforeExpiry(expiry time.Time, reloadBeforeSeconds int) bool {
+	now := time.Now()
+	diff := expiry.Sub(now)
+	return diff.Seconds() < float64(reloadBeforeSeconds)
 }
 
 // WriteIniSection update ini sections in own config file

internal/util/helper_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"testing"
+	"time"
 
 	"github.com/dnitsch/aws-cli-auth/internal/config"
 	ini "gopkg.in/ini.v1"
@@ -52,3 +53,25 @@ func TestCreateEntryInIni(t *testing.T) {
 		t.Errorf("Not found nothing to do")
 	}
 }
+
+func TestReloadBeforeExpirySuccess(t *testing.T) {
+
+	expiry := (time.Now()).Add(time.Second * 305)
+
+	got := reloadBeforeExpiry(expiry, 300)
+
+	if got {
+		t.Errorf("Expected %v, got: %v", false, got)
+	}
+}
+
+func TestReloadBeforeExpiryNeedToRefresh(t *testing.T) {
+
+	expiry := (time.Now()).Add(time.Second * 299)
+
+	got := reloadBeforeExpiry(expiry, 300)
+
+	if !got {
+		t.Errorf("Expected %v, got: %v", false, got)
+	}
+}

internal/util/types.go

@@ -17,5 +17,5 @@ type AWSRole struct {
 	RoleARN      string
 	PrincipalARN string
 	Name         string
-	Duration     int64
+	Duration     int
 }