fix: clear-cache pass username as per requirements of lib (#18)

* fix: clear-cache pass username as per requirements of lib

+semver: feat

add clean up to launcher and browser

* fix: put back delete file for cache clear

* fix: add consts

* fix: bump version

* fix: add global safe directory

* fix: add compile time consts in helpers
fix: ~~user supplied duration will be applied to the last role in the chain~~ API sessions only allow a maximum of an hour

fix: add validations to flags

* fix: add tests to command
add additional notes to flags
remove millisecond precision in timeout

Author: dnitsch

.github/workflows/build.yml

@@ -16,11 +16,14 @@ jobs:
         with:
           fetch-depth: 0
       - name: Install GitVersion
-        uses: gittools/actions/gitversion/setup@v0
+        uses: gittools/actions/gitversion/setup@v1
         with:
           versionSpec: '5.x'
+      - name: set global dir
+        run: git config --system --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Set SemVer Version
-        uses: gittools/actions/gitversion/execute@v0
+        uses: gittools/actions/gitversion/execute@v1
         id: gitversion
 
       - name: echo VERSIONS

.github/workflows/pr.yml

@@ -15,12 +15,15 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: set global dir
+        run: git config --system --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Install GitVersion
-        uses: gittools/actions/gitversion/setup@v0
+        uses: gittools/actions/gitversion/setup@v1
         with:
           versionSpec: '5.x'
       - name: Set SemVer Version
-        uses: gittools/actions/gitversion/execute@v0
+        uses: gittools/actions/gitversion/execute@v1
         id: gitversion
   pr:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -19,11 +19,15 @@ jobs:
         with:
           fetch-depth: 0
       - name: Install GitVersion
-        uses: gittools/actions/gitversion/setup@v0
+        uses: gittools/actions/gitversion/setup@v1
         with:
           versionSpec: '5.x'
+
+      - name: set global dir
+        run: git config --system --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Set SemVer Version
-        uses: gittools/actions/gitversion/execute@v0
+        uses: gittools/actions/gitversion/execute@v1
         id: gitversion
 
       - name: echo VERSIONS

Makefile

@@ -9,9 +9,10 @@ LDFLAGS := -ldflags="-s -w -X \"github.com/$(OWNER)/$(NAME)/cmd.Version=$(VERSIO
 .PHONY: test test_ci tidy install buildprep build buildmac buildwin
 
 test: test_prereq
-	go test ./... -v -mod=readonly -coverprofile=.coverage/out -race && \
-	cat .coverage/out | go-junit-report > .coverage/report-junit.xml && \
-	gocov convert .coverage/out | gocov-xml > .coverage/report-cobertura.xml
+	go test ./... -v -mod=readonly -coverprofile=.coverage/out -race > .coverage/test.out ; \
+	cat .coverage/test.out | go-junit-report > .coverage/report-junit.xml ; \
+	gocov convert .coverage/out | gocov-xml > .coverage/report-cobertura.xml ; \
+	cat .coverage/test.out
 
 test_ci:
 	go test ./... -mod=readonly

cmd/clear.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"os/user"
 
 	"github.com/dnitsch/aws-cli-auth/internal/credentialexchange"
 	"github.com/dnitsch/aws-cli-auth/internal/web"
@@ -11,7 +12,7 @@ import (
 
 var (
 	force    bool
-	clearCmd = &cobra.Command{
+	ClearCmd = &cobra.Command{
 		Use:   "clear-cache <flags>",
 		Short: "Clears any stored credentials in the OS secret store",
 		RunE:  clear,
@@ -20,29 +21,41 @@ var (
 
 func init() {
 	cobra.OnInitialize(samlInitConfig)
-	clearCmd.PersistentFlags().BoolVarP(&force, "force", "f", false, "If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully")
-	rootCmd.AddCommand(clearCmd)
+	ClearCmd.PersistentFlags().BoolVarP(&force, "force", "f", false, `If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over.
+
+This will forcefully all chromium processes.
+
+If you are on a windows machine and also use chrome as your current/main browser this will also kill those processes. 
+
+Use with caution.
+`)
+	RootCmd.AddCommand(ClearCmd)
 }
 
 func clear(cmd *cobra.Command, args []string) error {
-
+	user, err := user.Current()
+	if err != nil {
+		return err
+	}
 	secretStore, err := credentialexchange.NewSecretStore("",
 		fmt.Sprintf("%s-%s", credentialexchange.SELF_NAME, credentialexchange.RoleKeyConverter("")),
-		os.TempDir(), "")
+		os.TempDir(), user.Username)
+
 	if err != nil {
 		return err
 	}
 
 	if force {
 		w := &web.Web{}
-		w.WithConfig(web.NewWebConf(datadir))
-		if err := w.ClearCache(); err != nil {
+		if err := w.ForceKill(datadir); err != nil {
 			return err
 		}
 		fmt.Fprint(os.Stderr, "Chromium Cache cleared")
 	}
 
-	secretStore.ClearAll()
+	if err := secretStore.ClearAll(); err != nil {
+		fmt.Fprint(os.Stderr, err.Error())
+	}
 
 	if err := os.Remove(credentialexchange.ConfigIniFile("")); err != nil {
 		return err

cmd/cmd_test.go

@@ -0,0 +1,75 @@
+package cmd_test
+
+import (
+	"bytes"
+	"io"
+	"testing"
+
+	"github.com/dnitsch/aws-cli-auth/cmd"
+)
+
+func Test_helpers_for_command(t *testing.T) {
+	ttests := map[string]struct{}{
+		"clear-cache": {},
+		"saml":        {},
+		"specific":    {},
+	}
+	for name := range ttests {
+		t.Run(name, func(t *testing.T) {
+			cmdArgs := []string{name, "--help"}
+			b := new(bytes.Buffer)
+			o := new(bytes.Buffer)
+			cmd := cmd.RootCmd
+			cmd.SetArgs(cmdArgs)
+			cmd.SetErr(b)
+			cmd.SetOut(o)
+			cmd.Execute()
+			err, _ := io.ReadAll(b)
+			if len(err) > 0 {
+				t.Fatal("got err, wanted nil")
+			}
+			out, _ := io.ReadAll(o)
+			if len(out) <= 0 {
+				t.Fatalf("got empty, wanted a help message")
+			}
+		})
+	}
+}
+
+func Test_Saml(t *testing.T) {
+	t.Skip()
+	t.Run("standard non sso should fail with incorrect saml URLs", func(t *testing.T) {
+		cmdArgs := []string{"saml", "-p",
+			"https://httpbin.org/anything/app123",
+			"--principal",
+			"arn:aws:iam::1234111111111:saml-provider/provider1",
+			"--role",
+			"arn:aws:iam::1234111111111:role/Role-ReadOnly",
+			"--role-chain",
+			"arn:aws:iam::1234111111111:role/Kubernetes-Cluster-Administrators",
+			"--saml-timeout", "1",
+			"-d",
+			"14400",
+			"--reload-before",
+			"120"}
+		b := new(bytes.Buffer)
+		o := new(bytes.Buffer)
+		cmd := cmd.RootCmd
+		cmd.SetArgs(cmdArgs)
+		cmd.SetErr(b)
+		cmd.SetOut(o)
+		if err := cmd.Execute(); err == nil {
+			t.Error("got nil, wanted an error")
+		}
+		// err, _ := io.ReadAll(b)
+		// fmt.Println(string(err))
+		// if len(err) <= 0 {
+		// 	t.Fatal("got nil, wanted an error")
+		// }
+		// out, _ := io.ReadAll(o)
+		// fmt.Println(string(out))
+		// if len(out) <= 0 {
+		// 	t.Fatalf("got empty, wanted a help message")
+		// }
+	})
+}

cmd/root.go

@@ -20,7 +20,8 @@ var (
 	role               string
 	roleChain          []string
 	verbose            bool
-	rootCmd            = &cobra.Command{
+	duration           int
+	RootCmd            = &cobra.Command{
 		Use:   "aws-cli-auth",
 		Short: "CLI tool for retrieving AWS temporary credentials",
 		Long: `CLI tool for retrieving AWS temporary credentials using SAML providers, or specified method of retrieval - i.e. force AWS_WEB_IDENTITY.
@@ -31,17 +32,21 @@ Stores them under the $HOME/.aws/credentials file under a specified path or retu
 )
 
 func Execute(ctx context.Context) {
-	if err := rootCmd.ExecuteContext(ctx); err != nil {
+	if err := RootCmd.ExecuteContext(ctx); err != nil {
 		fmt.Errorf("cli error: %v", err)
 		os.Exit(1)
 	}
 	os.Exit(0)
 }
 
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&role, "role", "r", "", "Set the role you want to assume when SAML or OIDC process completes")
-	rootCmd.PersistentFlags().StringSliceVarP(&roleChain, "role-chain", "", []string{}, "If specified it will assume the roles from the base credentials, in order they are specified in")
-	rootCmd.PersistentFlags().StringVarP(&cfgSectionName, "cfg-section", "", "", "config section name in the yaml config file")
-	rootCmd.PersistentFlags().BoolVarP(&storeInProfile, "store-profile", "s", false, "By default the credentials are returned to stdout to be used by the credential_process. Set this flag to instead store the credentials under a named profile section")
-	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose output")
+	RootCmd.PersistentFlags().StringSliceVarP(&roleChain, "role-chain", "", []string{}, "If specified it will assume the roles from the base credentials, in order they are specified in")
+	RootCmd.PersistentFlags().BoolVarP(&storeInProfile, "store-profile", "s", false, `By default the credentials are returned to stdout to be used by the credential_process. 
+	Set this flag to instead store the credentials under a named profile section. You can then reference that profile name via the CLI or for use in an SDK`)
+	RootCmd.PersistentFlags().StringVarP(&cfgSectionName, "cfg-section", "", "", "Config section name in the default AWS credentials file. To enable priofi")
+	// When specifying store in profile the config section name must be provided
+	RootCmd.MarkFlagsRequiredTogether("store-profile", "cfg-section")
+	RootCmd.PersistentFlags().IntVarP(&duration, "max-duration", "d", 900, `Override default max session duration, in seconds, of the role session [900-43200]. 
+NB: This cannot be higher than the 3600 as the API does not allow for AssumeRole for sessions longer than an hour`)
+	RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose output")
 }

cmd/saml.go

@@ -20,6 +20,16 @@ var (
 	ErrUnableToCreateSession = errors.New("sts - cannot start a new session")
 )
 
+const (
+	UserEndpoint          = "https://portal.sso.%s.amazonaws.com/user"
+	CredsEndpoint         = "https://portal.sso.%s.amazonaws.com/federation/credentials/"
+	SsoCredsEndpointQuery = "?account_id=%s&role_name=%s&debug=true"
+)
+
+var (
+	ssoRoleAccount, ssoRoleName string
+)
+
 var (
 	providerUrl        string
 	principalArn       string
@@ -30,9 +40,9 @@ var (
 	ssoUserEndpoint    string
 	ssoFedCredEndpoint string
 	datadir            string
-	duration           int
+	samlTimeout        int32
 	reloadBeforeTime   int
-	samlCmd            = &cobra.Command{
+	SamlCmd            = &cobra.Command{
 		Use:   "saml <SAML ProviderUrl>",
 		Short: "Get AWS credentials and out to stdout",
 		Long:  `Get AWS credentials and out to stdout through your SAML provider authentication.`,
@@ -41,26 +51,46 @@ var (
 			if reloadBeforeTime != 0 && reloadBeforeTime > duration {
 				return fmt.Errorf("reload-before: %v, must be less than duration (-d): %v", reloadBeforeTime, duration)
 			}
+			if len(ssoRole) > 0 {
+				sr := strings.Split(ssoRole, ":")
+				if len(sr) != 2 {
+					return fmt.Errorf("incorrectly formatted role for AWS SSO - must only be ACCOUNT:ROLE_NAME")
+				}
+				ssoRoleAccount, ssoRoleName = sr[0], sr[1]
+			}
 			return nil
 		},
 	}
 )
 
 func init() {
 	cobra.OnInitialize(samlInitConfig)
-	samlCmd.PersistentFlags().StringVarP(&providerUrl, "provider", "p", "", "Saml Entity StartSSO Url")
-	samlCmd.MarkPersistentFlagRequired("provider")
-	samlCmd.PersistentFlags().StringVarP(&principalArn, "principal", "", "", "Principal Arn of the SAML IdP in AWS")
-	samlCmd.PersistentFlags().StringVarP(&acsUrl, "acsurl", "a", "https://signin.aws.amazon.com/saml", "Override the default ACS Url, used for checkin the post of the SAMLResponse")
-	samlCmd.PersistentFlags().StringVarP(&ssoUserEndpoint, "sso-user-endpoint", "", "https://portal.sso.%s.amazonaws.com/user", "UserEndpoint in a go style fmt.Sprintf string with a region placeholder")
-	samlCmd.PersistentFlags().StringVarP(&ssoRole, "sso-role", "", "", "Sso Role name must be in this format - 12345678910:PowerUser")
-	samlCmd.PersistentFlags().StringVarP(&ssoFedCredEndpoint, "sso-fed-endpoint", "", "https://portal.sso.%s.amazonaws.com/federation/credentials/", "FederationCredEndpoint in a go style fmt.Sprintf string with a region placeholder")
-	samlCmd.PersistentFlags().StringVarP(&ssoRegion, "sso-region", "", "eu-west-1", "If using SSO, you must set the region")
-	samlCmd.PersistentFlags().IntVarP(&duration, "max-duration", "d", 900, "Override default max session duration, in seconds, of the role session [900-43200]")
-	samlCmd.PersistentFlags().BoolVarP(&isSso, "is-sso", "", false, `Enables the new AWS User portal login. 
+	SamlCmd.PersistentFlags().StringVarP(&providerUrl, "provider", "p", "", `Saml Entity StartSSO Url.
+This is the URL your Idp will make the first call to e.g.: https://company-xyz.okta.com/home/amazon_aws/12345SomeRandonId6789
+`)
+	SamlCmd.MarkPersistentFlagRequired("provider")
+	SamlCmd.PersistentFlags().StringVarP(&principalArn, "principal", "", "", `Principal Arn of the SAML IdP in AWS
+You should find it in the IAM portal e.g.: arn:aws:iam::1234567891012:saml-provider/MyCompany-Idp
+`)
+	// samlCmd.MarkPersistentFlagRequired("principal")
+	SamlCmd.PersistentFlags().StringVarP(&role, "role", "r", "", `Set the role you want to assume when SAML or OIDC process completes`)
+	SamlCmd.PersistentFlags().StringVarP(&acsUrl, "acsurl", "a", "https://signin.aws.amazon.com/saml", "Override the default ACS Url, used for checkin the post of the SAMLResponse")
+	SamlCmd.PersistentFlags().StringVarP(&ssoUserEndpoint, "sso-user-endpoint", "", UserEndpoint, "UserEndpoint in a go style fmt.Sprintf string with a region placeholder")
+	SamlCmd.PersistentFlags().StringVarP(&ssoRole, "sso-role", "", "", "Sso Role name must be in this format - 12345678910:PowerUser")
+	SamlCmd.PersistentFlags().StringVarP(&ssoFedCredEndpoint, "sso-fed-endpoint", "", CredsEndpoint, "FederationCredEndpoint in a go style fmt.Sprintf string with a region placeholder")
+	SamlCmd.PersistentFlags().StringVarP(&ssoRegion, "sso-region", "", "eu-west-1", "If using SSO, you must set the region")
+	SamlCmd.PersistentFlags().BoolVarP(&isSso, "is-sso", "", false, `Enables the new AWS User portal login. 
 If this flag is specified the --sso-role must also be specified.`)
-	samlCmd.PersistentFlags().IntVarP(&reloadBeforeTime, "reload-before", "", 0, "Triggers a credentials refresh before the specified max-duration. Value provided in seconds. Should be less than the max-duration of the session")
-	rootCmd.AddCommand(samlCmd)
+	SamlCmd.PersistentFlags().IntVarP(&reloadBeforeTime, "reload-before", "", 0, "Triggers a credentials refresh before the specified max-duration. Value provided in seconds. Should be less than the max-duration of the session")
+	//
+	SamlCmd.MarkFlagsMutuallyExclusive("role", "sso-role")
+	// samlCmd.MarkFlagsMutuallyExclusive("principal", "sso-role")
+	// Non-SSO flow for SAML
+	SamlCmd.MarkFlagsRequiredTogether("principal", "role")
+	// SSO flow for SAML
+	SamlCmd.MarkFlagsRequiredTogether("is-sso", "sso-role", "sso-region")
+	SamlCmd.PersistentFlags().Int32VarP(&samlTimeout, "saml-timeout", "", 120, "Timeout in seconds, before the operation of waiting for a response is cancelled via the chrome driver")
+	RootCmd.AddCommand(SamlCmd)
 }
 
 func getSaml(cmd *cobra.Command, args []string) error {
@@ -91,14 +121,9 @@ func getSaml(cmd *cobra.Command, args []string) error {
 
 	saveRole := role
 	if isSso {
-		sr := strings.Split(ssoRole, ":")
-		if len(sr) != 2 {
-			return fmt.Errorf("incorrectly formatted role for AWS SSO - must only be ACCOUNT:ROLE_NAME")
-		}
 		saveRole = ssoRole
-
-		conf.SsoUserEndpoint = fmt.Sprintf("https://portal.sso.%s.amazonaws.com/user", conf.SsoRegion)
-		conf.SsoCredFedEndpoint = fmt.Sprintf("https://portal.sso.%s.amazonaws.com/federation/credentials/", conf.SsoRegion) + fmt.Sprintf("?account_id=%s&role_name=%s&debug=true", sr[0], sr[1])
+		conf.SsoUserEndpoint = fmt.Sprintf(UserEndpoint, conf.SsoRegion)
+		conf.SsoCredFedEndpoint = fmt.Sprintf(CredsEndpoint, conf.SsoRegion) + fmt.Sprintf(SsoCredsEndpointQuery, ssoRoleAccount, ssoRoleName)
 	}
 
 	datadir := path.Join(credentialexchange.HomeDir(), fmt.Sprintf(".%s-data", credentialexchange.SELF_NAME))
@@ -121,7 +146,7 @@ func getSaml(cmd *cobra.Command, args []string) error {
 	}
 	svc := sts.NewFromConfig(cfg)
 
-	return cmdutils.GetCredsWebUI(ctx, svc, secretStore, conf, web.NewWebConf(datadir))
+	return cmdutils.GetCredsWebUI(ctx, svc, secretStore, conf, web.NewWebConf(datadir).WithTimeout(samlTimeout))
 }
 
 func samlInitConfig() {