fix: clean up

Author: dnitsch

cmd/saml.go

@@ -79,10 +79,6 @@ func newSamlCmd(r *Root) {
 				return err
 			}
 
-			allRoles := credentialexchange.MergeRoleChain(flags.Role, r.rootFlags.RoleChain, flags.IsSso)
-
-			conf.BaseConfig.RoleChain = allRoles
-
 			// now we want to overwrite anything set via the command line
 			saveRole := flags.Role
 			if flags.IsSso {
@@ -93,6 +89,8 @@ func newSamlCmd(r *Root) {
 					SsoCredsEndpointQuery, sc.ssoRoleAccount, sc.ssoRoleName)
 			}
 
+			allRoles := credentialexchange.MergeRoleChain(conf.BaseConfig.Role, conf.BaseConfig.RoleChain, flags.IsSso)
+
 			if len(allRoles) > 0 {
 				saveRole = allRoles[len(allRoles)-1]
 			}
@@ -105,21 +103,23 @@ func newSamlCmd(r *Root) {
 			}
 
 			// we want to remove any AWS_* env vars that could interfere with the default config
-			for _, envVar := range []string{"AWS_PROFILE", "AWS_ACCESS_KEY_ID",
-				"AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"} {
-				os.Unsetenv(envVar)
-			}
+			// for _, envVar := range []string{"AWS_PROFILE", "AWS_ACCESS_KEY_ID",
+			// 	"AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"} {
+			// 	os.Unsetenv(envVar)
+			// }
 
 			awsConf, err := config.LoadDefaultConfig(ctx)
 			if err != nil {
 				return fmt.Errorf("failed to create session %s, %w", err, ErrUnableToCreateSession)
 			}
 
 			svc := sts.NewFromConfig(awsConf)
-			webConfig := web.NewWebConf(r.Datadir).WithTimeout(flags.SamlTimeout)
-			webConfig.CustomChromeExecutable = flags.CustomExecutablePath
+			webConfig := web.NewWebConf(r.Datadir).
+				WithTimeout(flags.SamlTimeout).
+				WithCustomExecutable(conf.BaseConfig.BrowserExecutablePath)
 
 			return cmdutils.GetCredsWebUI(ctx, svc, secretStore, *conf, webConfig)
+
 		},
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			if flags.ReloadBeforeTime != 0 && flags.ReloadBeforeTime > r.rootFlags.Duration {
@@ -183,11 +183,15 @@ func samlInitConfig(customPath string) (*ini.File, error) {
 }
 
 func ConfigFromFlags(fileConfig *credentialexchange.CredentialConfig, rf *RootCmdFlags, sf *SamlCmdFlags, user string) error {
-
+	d := fileConfig.Duration
+	// 900 is the default
+	if rf.Duration != 900 {
+		d = rf.Duration
+	}
 	flagSamlConf := &credentialexchange.CredentialConfig{
 		ProviderUrl:  sf.ProviderUrl,
 		PrincipalArn: sf.PrincipalArn,
-		Duration:     rf.Duration,
+		Duration:     d,
 		AcsUrl:       sf.AcsUrl,
 		IsSso:        sf.IsSso,
 		SsoRegion:    sf.SsoRegion,
@@ -198,7 +202,7 @@ func ConfigFromFlags(fileConfig *credentialexchange.CredentialConfig, rf *RootCm
 		StoreInProfile: rf.StoreInProfile,
 		Role:           sf.Role,
 		// RoleChain is added in the command function
-		// RoleChain:        allRoles,
+		RoleChain:        rf.RoleChain,
 		Username:         user,
 		CfgSectionName:   rf.CfgSectionName,
 		ReloadBeforeTime: sf.ReloadBeforeTime,
@@ -207,10 +211,13 @@ func ConfigFromFlags(fileConfig *credentialexchange.CredentialConfig, rf *RootCm
 	if err := mergo.Merge(&fileConfig.BaseConfig, flagBaseConfig, mergo.WithOverride); err != nil {
 		return err
 	}
+
 	baseConf := fileConfig.BaseConfig
 	if err := mergo.Merge(fileConfig, flagSamlConf, mergo.WithOverride, mergo.WithOverrideEmptySlice); err != nil {
 		return err
 	}
+
 	fileConfig.BaseConfig = baseConf
+	fileConfig.Duration = d
 	return nil
 }

docs/usage.md

@@ -101,6 +101,45 @@ To give it a quick test.
 aws sts get-caller-identity --profile=nonprod_saml_admin
 ```
 
+### Configuration file
+
+You can specify the same parameters through the INI config file.
+
+```ini
+; global config will be applied to config sections
+[config]
+browser-executable-path = "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser"
+duration = 3600
+provider-url = https://my-idp-url.com
+; 
+; you can specify the below on the top level config 
+; NB: it does make more sense to have these in the specific sections
+; anything set in the specific section will overwrite the global property
+; anything set in the commandline will overwrite the conf file property
+; 
+; role = main-assume-role
+; role-chain = chain-role1,chain-role2
+; principal = 
+; is-sso = 
+; sso-region = 
+; sso-role = 
+; is-sso-endpoint = 
+
+; Specific section overrides
+[config.cfg-section-name]
+role = arn:aws:iam::123456789101:role/IdP-admin
+role-chain = arn:aws:iam::123456789101:role/SSO-admin
+principal = arn:aws:iam::123456789101:saml-provider/GoogleIdP
+provider-url = https://accounts.google.com/o/saml2/initsso?idpid=abc123&spid=1234567&forceauthn=false
+; is-sso = false
+; sso-region = eu-west-1
+; sso-role = 
+; is-sso-endpoint = 
+
+; generated by aws-cli-auth
+[role]
+```
+
 ## AWS SSO Portal
 
 **NOW** Includes support for AWS User Portal, largely remains the same with a few exceptions/additions:

internal/credentialexchange/config.go

@@ -29,13 +29,3 @@ type CredentialConfig struct {
 	SsoUserEndpoint    string `ini:"is-sso-endpoint"`
 	SsoCredFedEndpoint string
 }
-
-// --cfg-section aws_travelodge_ssvc
-// --store-profile
-// -p "https://accounts.google.com/o/saml2/initsso?idpid=C03uqod6r&spid=759219486523&forceauthn=false"
-// --principal "arn:aws:iam::881490129763:saml-provider/GoogleIdP"
-// --role "arn:aws:iam::881490129763:role/IdP-admin"
-// --role-chain "arn:aws:iam::881490129763:role/SSO-admin"
-// -d 3600
-// --reload-before 120
-// --executable-path="/Applications/Brave Browser.app/Contents/MacOS/Brave Browser"

internal/web/web.go

@@ -56,6 +56,11 @@ func (wc *WebConfig) WithNoSandbox() *WebConfig {
 	return wc
 }
 
+func (wc *WebConfig) WithCustomExecutable(browserPath string) *WebConfig {
+	wc.CustomChromeExecutable = browserPath
+	return wc
+}
+
 type Web struct {
 	conf     *WebConfig
 	launcher *launcher.Launcher