fix: initial commit

Author: dnitsch

.gitignore

@@ -23,3 +23,5 @@ vendor/
 
 # IDEs
 .vscode
+
+.ignore*

LICENSE

@@ -0,0 +1,11 @@
+           DO WHAT THE FUCK YOU WANT TO PUBLIC LICENCE
+                   Version 3.1, July 2019
+
+  by Sam Hocevar  <[email protected]>
+     theiostream  <[email protected]>
+     dtf          <[email protected]>
+
+           DO WHAT THE FUCK YOU WANT TO PUBLIC LICENCE
+  TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

Makefile

@@ -0,0 +1,56 @@
+NAME := aws-cli-auth
+VERSION := v0.1.0
+REVISION := $(shell git rev-parse --short HEAD)
+
+LDFLAGS := -ldflags="-s -w -X \"github.com/dnitsch/aws-cli-auth/version.Version=$(VERSION)\" -X \"github.com/dnitsch/aws-cli-auth/version.Revision=$(REVISION)\" -extldflags -static"
+
+.PHONY: test test_ci tidy install buildprep build buildmac buildwin
+
+test: test_prereq
+	go test `go list ./... | grep -v */generated/` -v -mod=readonly -coverprofile=.coverage/out | go-junit-report > .coverage/report-junit.xml && \
+	gocov convert .coverage/out | gocov-xml > .coverage/report-cobertura.xml
+
+test_ci:
+	go test ./... -mod=readonly
+
+test_prereq: 
+	mkdir -p .coverage
+	go install github.com/jstemmer/[email protected] && \
+	go install github.com/axw/gocov/[email protected] && \
+	go install github.com/AlekSi/[email protected]
+
+tidy: install 
+	go mod tidy
+
+install:
+	go mod vendor
+
+.PHONY: clean
+clean:
+	rm -rf bin/*
+	rm -rf dist/*
+	rm -rf vendor/*
+
+.PHONY: cross-build
+cross-build:
+	for os in darwin linux windows; do \
+	    [ $$os = "windows" ] && EXT=".exe"; \
+		for arch in amd64 arm64; do \
+			GOOS=$$os GOARCH=$$arch CGO_ENABLED=0 go build -a -tags netgo -installsuffix netgo $(LDFLAGS) -o dist/$(NAME)-$$os-$$arch$$EXT .; \
+		done; \
+	done
+
+.PHONY: deps
+deps:
+	GO111MODULE=on go mod vendor
+
+.PHONY: dist
+dist:
+	cd dist && \
+	$(DIST_DIRS) cp ../LICENSE {} \; && \
+	$(DIST_DIRS) cp ../README.md {} \; && \
+	$(DIST_DIRS) tar -zcf $(NAME)-$(VERSION)-{}.tar.gz {} \; && \
+	$(DIST_DIRS) zip -r $(NAME)-$(VERSION)-{}.zip {} \; && \
+	cd ..
+
+

README.md

@@ -0,0 +1,126 @@
+# aws-cli-auth
+
+CLI tool for retrieving AWS temporary credentials using OIDC or SAML providers.
+
+Firstly, this package currently deals with SAML only (OIDC to come), however if you have an OIDC IdP provider set up to AWS you can use this [package](https://github.com/openstandia/aws-cli-oidc) and likewise this [package](https://github.com/Versent/saml2aws) for standard SAML AWS integrations.
+
+If, however, you need to support a non standard user journeys enforced by your IdP i.e. a sub company selection within your organization portal, or a selection screen for different MFA providers - PingID or RSA HardToken etc.... you cannot reliably automate the flow or it would have to be too specific.
+
+As such this approach uses [go-rod](https://github.com/go-rod/rod) library to uniformly allow the user to complete any and all auth steps and selections in a managed browser session up to the point of where the SAMLResponse were to be sent to AWS ACS service `https://signin.aws.amazon.com/saml`. Capturing this via hijack request and posting to AWS STS service to exchange this for the temporary credentials.
+
+The advantage of using SAML is that real users can gain access to the AWS Console UI or programatically and audited as the same person in cloudtrail. 
+
+By default the tool creates the session name - which can be audited including the persons username from the localhost.
+
+## Known Issues
+
+- Even though a datadir is created to store the chromium session data it is advised to still open settings and save the username/password manually the first time you are presented with the login screen.
+
+## Install
+
+Download from [Releases page](https://github.com/dnitsch/aws-cli-auth/releases).
+
+MacOS
+
+```bash
+curl -L https://github.com/dnitsch/aws-cli-auth/releases/download/v0.1.0/aws-cli-auth-darwin-amd64 -o aws-cli-auth
+chmod +x aws-cli-auth
+sudo mv aws-cli-auth /usr/local/bin
+```
+
+## Usage
+
+```bash
+CLI tool for retrieving AWS temporary credentials using OIDC or SAML providers. 
+Stores them under the $HOME/.aws/credentials file under a specified path
+
+Usage:
+  aws-cli-auth [command]
+
+Available Commands:
+  completion  Generate the autocompletion script for the specified shell
+  help        Help about any command
+  saml        Get AWS credentials and out to stdout
+
+Flags:
+      --cfg-section string   config section name in the yaml config file
+  -h, --help                 help for aws-cli-auth
+  -r, --role string          Set the role you want to assume when SAML or OIDC process completes
+  -s, --store-profile        By default the credentials are returned to stdout to be used by the credential_process
+
+Use "aws-cli-auth [command] --help" for more information about a command.
+```
+
+### SAML 
+
+
+
+```bash
+Get AWS credentials and out to stdout through your SAML provider authentication.
+
+Usage:
+  aws-cli-auth saml <SAML ProviderUrl> [flags]
+
+Flags:
+  -a, --acsurl string      Override the default ACS Url, used for checkin the post of the SAMLResponse (default "https://signin.aws.amazon.com/saml")
+  -h, --help               help for saml
+  -d, --max-duration int   Override default max session duration, in seconds, of the role session [900-43200] (default 900)
+      --principal string   Principal Arn of the SAML IdP in AWS
+  -p, --provider string    Saml Entity StartSSO Url
+
+Global Flags:
+      --cfg-section string   config section name in the yaml config file
+  -r, --role string          Set the role you want to assume when SAML or OIDC process completes
+  -s, --store-profile        By default the credentials are returned to stdout to be used by the credential_process
+```
+
+Example:
+
+```bash
+aws-cli-auth saml --cfg-section nonprod_saml_admin -p "https://your-idp.com/idp/foo?PARTNER=urn:amazon:webservices" --principal "arn:aws:iam::XXXXXXXXXX:saml-provider/IDP_ENTITY_ID" -r "arn:aws:iam::XXXXXXXXXX:role/Developer" -d 3600 -s
+```
+
+The PartnerId in most IdPs is usually `urn:amazon:webservices` - but you can change this for anything you stored it as.
+
+If successful will store the creds under the specified config section in credentials profile as per below example
+
+```ini
+[default]
+aws_access_key_id     = XXXXX
+aws_secret_access_key = YYYYYYYYY
+
+[another_profile]
+aws_access_key_id     = XXXXX
+aws_secret_access_key = YYYYYYYYY
+
+[nonprod_saml_admin]
+aws_access_key_id     = XXXXXX
+aws_secret_access_key = YYYYYYYYY
+aws_session_token     = ZZZZZZZZZZZZZZZZZZZZ
+```
+
+To give it a quick test.
+
+```bash
+aws sts get-caller-identity --profile=nonprod_saml_admin
+```
+
+<!-- ### Integrate aws-cli
+
+[Sourcing credentials with an external process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) describes how to integrate aws-cli with external tool.
+You can use `aws-cli-auth` as the external process. Add the following lines to your `.aws/config` file.
+
+```
+[profile ]
+credential_process=aws-cli-auth get-cred -p myop -r arn:aws:iam::123456789012:role/developer -j -s -d 43200
+```
+
+Caution: The AWS temporary credentials will be saved into your OS secret store by using `-s` option to reduce authentication each time you use `aws-cli` tool.
+
+## Licence
+
+Licensed under the [MIT](/LICENSE) license. -->
+
+## Acknowldgements
+  - [Hiroyuki Wada](https://github.com/wadahiro) [package](https://github.com/openstandia/aws-cli-oidc) 
+  - [Mark Wolfe](https://github.com/wolfeidau) [package](https://github.com/Versent/saml2aws)

aws-cli-auth.go

@@ -0,0 +1,7 @@
+package main
+
+import "github.com/dnitsch/aws-cli-auth/cmd"
+
+func main() {
+	cmd.Execute()
+}

cmd/root.go

@@ -0,0 +1,57 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/dnitsch/aws-cli-auth/internal/config"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	cfgSectionName string
+	cfgFile        string
+	storeInProfile bool
+	rootCmd        = &cobra.Command{
+		Use:   "aws-cli-auth",
+		Short: "CLI tool for retrieving AWS temporary credentials using  SAML providers",
+		Long: `CLI tool for retrieving AWS temporary credentials using SAML providers. 
+Stores them under the $HOME/.aws/credentials file under a specified path or returns the crednetial_process payload for use in config`,
+	}
+)
+
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Errorf(err.Error())
+	}
+}
+
+func init() {
+	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().StringVarP(&role, "role", "r", "", "Set the role you want to assume when SAML or OIDC process completes")
+	rootCmd.PersistentFlags().StringVarP(&cfgSectionName, "cfg-section", "", "", "config section name in the yaml config file")
+	rootCmd.PersistentFlags().BoolVarP(&storeInProfile, "store-profile", "s", false, "By default the credentials are returned to stdout to be used by the credential_process. Set this flag to instead store the credentials under a named profile section")
+}
+
+func initConfig() {
+	if cfgFile != "" {
+		// Use config file from the flag.
+		viper.SetConfigFile(cfgFile)
+	} else {
+		// Find home directory.
+		home, err := os.UserHomeDir()
+		cobra.CheckErr(err)
+
+		// Search config in home directory with name ".cobra" (without extension).
+		viper.AddConfigPath(home)
+		viper.SetConfigType("yaml")
+		viper.SetConfigName(fmt.Sprintf(".%s", config.SELF_NAME))
+	}
+
+	viper.AutomaticEnv()
+	viper.WriteConfig()
+	if err := viper.ReadInConfig(); err == nil {
+		fmt.Println("Using config file:", viper.ConfigFileUsed())
+	}
+}

cmd/saml.go

@@ -0,0 +1,60 @@
+package cmd
+
+import (
+	"fmt"
+	"os/user"
+
+	"github.com/dnitsch/aws-cli-auth/internal/config"
+	"github.com/dnitsch/aws-cli-auth/internal/saml"
+	"github.com/dnitsch/aws-cli-auth/internal/util"
+	"github.com/dnitsch/aws-cli-auth/internal/web"
+	"github.com/spf13/cobra"
+)
+
+var (
+	providerUrl  string
+	principalArn string
+	acsUrl       string
+	role         string
+	duration     int
+	samlCmd      = &cobra.Command{
+		Use:   "saml <SAML ProviderUrl>",
+		Short: "Get AWS credentials and out to stdout",
+		Long:  `Get AWS credentials and out to stdout through your SAML provider authentication.`,
+		Run:   getSaml,
+	}
+)
+
+func init() {
+	samlCmd.PersistentFlags().StringVarP(&providerUrl, "provider", "p", "", "Saml Entity StartSSO Url")
+	samlCmd.PersistentFlags().StringVarP(&principalArn, "principal", "", "", "Principal Arn of the SAML IdP in AWS")
+	samlCmd.PersistentFlags().StringVarP(&acsUrl, "acsurl", "a", "https://signin.aws.amazon.com/saml", "Override the default ACS Url, used for checkin the post of the SAMLResponse")
+	samlCmd.PersistentFlags().IntVarP(&duration, "max-duration", "d", 900, "Override default max session duration, in seconds, of the role session [900-43200]")
+	rootCmd.AddCommand(samlCmd)
+
+}
+
+func getSaml(cmd *cobra.Command, args []string) {
+	if cfgSectionName == "" {
+		util.Writeln("The SAML provider name is required")
+		util.Exit(nil)
+	}
+
+	t, err := web.GetSamlLogin(providerUrl, acsUrl)
+	if err != nil {
+		fmt.Printf("Err: %v", err)
+	}
+	user, err := user.Current()
+	if err != nil {
+		fmt.Errorf(err.Error())
+	}
+
+	roleObj := &util.AWSRole{RoleARN: role, PrincipalARN: principalArn, Name: util.SessionName(user.Username, config.SELF_NAME), Duration: duration}
+
+	creds, err := saml.LoginStsSaml(t, roleObj)
+	if err != nil {
+		fmt.Printf("%v", err)
+	}
+
+	util.SetCredentials(creds, cfgSectionName, storeInProfile)
+}

go.mod

@@ -0,0 +1,37 @@
+module github.com/dnitsch/aws-cli-auth
+
+go 1.17
+
+require (
+	github.com/aws/aws-sdk-go v1.43.12
+	github.com/mitchellh/go-ps v1.0.0
+	github.com/pkg/errors v0.9.1
+	github.com/spf13/cobra v1.3.0
+	github.com/spf13/viper v1.10.1
+)
+
+require (
+	github.com/ysmood/goob v0.3.1 // indirect
+	github.com/ysmood/gson v0.6.4 // indirect
+	github.com/ysmood/leakless v0.7.0 // indirect
+)
+
+require (
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-rod/rod v0.103.0
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/ini.v1 v1.66.2
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)