fix: add specific stuff

Author: dnitsch

Makefile

@@ -1,5 +1,5 @@
 NAME := aws-cli-auth
-VERSION := v0.3.0
+VERSION := v0.4.0
 REVISION := $(shell git rev-parse --short HEAD)
 
 LDFLAGS := -ldflags="-s -w -X \"github.com/dnitsch/aws-cli-auth/version.Version=$(VERSION)\" -X \"github.com/dnitsch/aws-cli-auth/version.Revision=$(REVISION)\" -extldflags -static"

README.md

@@ -117,7 +117,7 @@ To give it a quick test.
 aws sts get-caller-identity --profile=nonprod_saml_admin
 ```
 
-### Integrate aws-cli
+### AWS Credential Process
 
 [Sourcing credentials with an external process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) describes how to integrate aws-cli with external tool.
 You can use `aws-cli-auth` as the external process. Add the following lines to your `.aws/config` file.

cmd/clear.go

@@ -22,7 +22,10 @@ func init() {
 }
 
 func clear(cmd *cobra.Command, args []string) {
+	web := web.New()
+
 	if force {
+
 		if err := web.ClearCache(); err != nil {
 			util.Exit(err)
 		}

cmd/specific.go

@@ -35,7 +35,7 @@ func specific(cmd *cobra.Command, args []string) {
 	if method != "" {
 		switch method {
 		case "WEB_ID":
-			awsCreds, err = auth.LoginAwsWebToken(os.Getenv("USER"))
+			awsCreds, err = auth.LoginAwsWebToken(os.Getenv("USER")) // TODO: redo this getUser implementation
 			if err != nil {
 				util.Exit(err)
 			}
@@ -45,5 +45,12 @@ func specific(cmd *cobra.Command, args []string) {
 	}
 	config := config.SamlConfig{BaseConfig: config.BaseConfig{StoreInProfile: storeInProfile}}
 
+	if role != "" {
+		awsCreds, err = auth.AssumeRoleWithCreds(awsCreds, os.Getenv("USER"), role)
+		if err != nil {
+			util.Exit(err)
+		}
+	}
+
 	util.SetCredentials(awsCreds, config)
 }

internal/auth/awssts.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/dnitsch/aws-cli-auth/internal/config"
@@ -85,3 +86,37 @@ func LoginAwsWebToken(username string) (*util.AWSCredentials, error) {
 		Expires:         resp.Credentials.Expiration.Local(),
 	}, nil
 }
+
+func AssumeRoleWithCreds(creds *util.AWSCredentials, username, role string) (*util.AWSCredentials, error) {
+	sess, err := session.NewSession()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create session")
+	}
+
+	specificCreds := credentials.NewStaticCredentialsFromCreds(credentials.Value{
+		AccessKeyID:     creds.AWSAccessKey,
+		SecretAccessKey: creds.AWSSecretKey,
+		SessionToken:    creds.AWSSessionToken,
+	})
+
+	svc := sts.New(sess, aws.NewConfig().WithCredentials(specificCreds))
+	sessionName := util.SessionName(username, config.SELF_NAME)
+
+	input := &sts.AssumeRoleInput{
+		RoleArn:         &role,
+		RoleSessionName: &sessionName,
+	}
+	roleCreds, err := svc.AssumeRole(input)
+
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to retrieve STS credentials using Role Provided")
+	}
+
+	return &util.AWSCredentials{
+		AWSAccessKey:    aws.StringValue(roleCreds.Credentials.AccessKeyId),
+		AWSSecretKey:    aws.StringValue(roleCreds.Credentials.SecretAccessKey),
+		AWSSessionToken: aws.StringValue(roleCreds.Credentials.SessionToken),
+		PrincipalARN:    aws.StringValue(roleCreds.AssumedRoleUser.Arn),
+		Expires:         roleCreds.Credentials.Expiration.Local(),
+	}, nil
+}

internal/auth/saml.go

@@ -3,6 +3,7 @@ package auth
 import (
 	"fmt"
 	"os/user"
+	"runtime"
 
 	"github.com/dnitsch/aws-cli-auth/internal/config"
 	"github.com/dnitsch/aws-cli-auth/internal/util"
@@ -15,9 +16,13 @@ func GetSamlCreds(conf config.SamlConfig) {
 		util.Exit(nil)
 	}
 
+	web := web.New()
 	var awsCreds *util.AWSCredentials
 	var err error
 
+	os := runtime.GOOS
+	util.Writeln("Is OS: %s\nAnd conf.BaseConfig.StoreInProfile: %v", os, conf.BaseConfig.StoreInProfile)
+
 	// Try to reuse stored credential in secret
 	if !conf.BaseConfig.StoreInProfile {
 		awsCreds, err = util.AWSCredential(conf.BaseConfig.Role)
@@ -27,11 +32,11 @@ func GetSamlCreds(conf config.SamlConfig) {
 
 		t, err := web.GetSamlLogin(conf)
 		if err != nil {
-			fmt.Printf("Err: %v", err)
+			util.Writeln("Err: %v", err)
 		}
 		user, err := user.Current()
 		if err != nil {
-			fmt.Errorf(err.Error())
+			util.Writeln(err.Error())
 		}
 
 		roleObj := &util.AWSRole{RoleARN: conf.BaseConfig.Role, PrincipalARN: conf.PrincipalArn, Name: util.SessionName(user.Username, config.SELF_NAME), Duration: conf.Duration}

internal/util/secret.go

@@ -30,7 +30,6 @@ func init() {
 	}
 
 	Secret.AWSCredentials = make(map[string]string)
-	Secret.Load()
 }
 
 var secretService = config.SELF_NAME
@@ -126,7 +125,7 @@ func AWSCredential(roleArn string) (*AWSCredentials, error) {
 
 	jsonStr, ok := Secret.AWSCredentials[roleArn]
 	if !ok {
-		return nil, fmt.Errorf("Not found the credential for %s", roleArn)
+		Exit(fmt.Errorf("Not found the credential for %s", roleArn))
 	}
 
 	Writeln("Got credential from OS secret store for %s", roleArn)

internal/web/web.go

@@ -17,31 +17,45 @@ import (
 	ps "github.com/mitchellh/go-ps"
 )
 
-var (
-	datadir = path.Join(util.GetHomeDir(), fmt.Sprintf(".%s-data", config.SELF_NAME))
-)
+type Web struct {
+	datadir  *string
+	launcher *launcher.Launcher
+	browser  *rod.Browser
+}
 
-func GetSamlLogin(conf config.SamlConfig) (string, error) {
+func New() *Web {
+	ddir := path.Join(util.GetHomeDir(), fmt.Sprintf(".%s-data", config.SELF_NAME))
 
 	l := launcher.New().
 		Headless(false).
 		Devtools(false)
 
-	// do not clean up userdata
-
-	// datadir := path.Join(util.GetHomeDir(), fmt.Sprintf(".%s-data", config.SELF_NAME))
-	util.WriteDataDir(datadir)
-	url := l.UserDataDir(datadir).MustLaunch()
+	url := l.UserDataDir(ddir).MustLaunch()
 
 	browser := rod.New().
 		ControlURL(url).
 		MustConnect().NoDefaultDevice()
 
-	defer browser.MustClose()
+	return &Web{
+		datadir:  &ddir,
+		launcher: l,
+		browser:  browser,
+	}
+
+}
+
+func (web *Web) GetSamlLogin(conf config.SamlConfig) (string, error) {
+
+	// do not clean up userdata
+
+	// datadir := path.Join(util.GetHomeDir(), fmt.Sprintf(".%s-data", config.SELF_NAME))
+	util.WriteDataDir(*web.datadir)
+
+	defer web.browser.MustClose()
 
-	page := browser.MustPage(conf.ProviderUrl)
+	page := web.browser.MustPage(conf.ProviderUrl)
 
-	router := browser.HijackRequests()
+	router := web.browser.HijackRequests()
 	defer router.MustStop()
 
 	router.MustAdd(conf.AcsUrl, func(ctx *rod.Hijack) {
@@ -62,9 +76,9 @@ func GetSamlLogin(conf config.SamlConfig) (string, error) {
 
 }
 
-func ClearCache() error {
+func (web *Web) ClearCache() error {
 	errs := []error{}
-	if err := os.Remove(datadir); err != nil {
+	if err := os.Remove(*web.datadir); err != nil {
 		errs = append(errs, err)
 	}
 	if err := checkRodProcess(); err != nil {