fix: add clear and specific commands

Author: dnitsch

Makefile

@@ -1,5 +1,5 @@
 NAME := aws-cli-auth
-VERSION := v0.2.0
+VERSION := v0.3.0
 REVISION := $(shell git rev-parse --short HEAD)
 
 LDFLAGS := -ldflags="-s -w -X \"github.com/dnitsch/aws-cli-auth/version.Version=$(VERSION)\" -X \"github.com/dnitsch/aws-cli-auth/version.Revision=$(REVISION)\" -extldflags -static"
@@ -35,9 +35,7 @@ clean:
 cross-build:
 	for os in darwin linux windows; do \
 	    [ $$os = "windows" ] && EXT=".exe"; \
-		for arch in amd64 arm64; do \
-			GOOS=$$os GOARCH=$$arch CGO_ENABLED=0 go build -o dist/$(NAME)-$$os-$$arch$$EXT .; \
-		done; \
+		GOOS=$$os CGO_ENABLED=0 go build -a -tags netgo -installsuffix netgo $(LDFLAGS) -o dist/$(NAME)-$$os$$EXT .; \
 	done
 
 .PHONY: deps

README.md

@@ -16,6 +16,8 @@ By default the tool creates the session name - which can be audited including th
 
 - Even though a datadir is created to store the chromium session data it is advised to still open settings and save the username/password manually the first time you are presented with the login screen.
 
+- Some login forms if not done correctly according to chrome specs and do not specify `type` on the HTML tag with `username` Chromium will not pick it up
+
 ## Install
 
 Download from [Releases page](https://github.com/dnitsch/aws-cli-auth/releases).
@@ -30,22 +32,24 @@ sudo mv aws-cli-auth /usr/local/bin
 
 ## Usage
 
-```bash
-CLI tool for retrieving AWS temporary credentials using SAML providers. 
+```
+CLI tool for retrieving AWS temporary credentials using SAML providers, or specified method of retrieval - i.e. force AWS_WEB_IDENTITY.
+Useful in situations like CI jobs or containers where multiple env vars might be present.
 Stores them under the $HOME/.aws/credentials file under a specified path or returns the crednetial_process payload for use in config
 
 Usage:
   aws-cli-auth [command]
 
 Available Commands:
-  completion  Generate the autocompletion script for the specified shell
-  help        Help about any command
-  saml        Get AWS credentials and out to stdout
+  aws-cli-auth Clears any stored credentials in the OS secret store
+  completion   Generate the autocompletion script for the specified shell
+  help         Help about any command
+  saml         Get AWS credentials and out to stdout
+  specific     Initiates a specific crednetial provider [WEB_ID]
 
 Flags:
       --cfg-section string   config section name in the yaml config file
   -h, --help                 help for aws-cli-auth
-  -k, --kill-rod             If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully
   -r, --role string          Set the role you want to assume when SAML or OIDC process completes
   -s, --store-profile        By default the credentials are returned to stdout to be used by the credential_process. Set this flag to instead store the credentials under a named profile section
 
@@ -54,9 +58,7 @@ Use "aws-cli-auth [command] --help" for more information about a command.
 
 ### SAML 
 
-
-
-```bash
+```
 Get AWS credentials and out to stdout through your SAML provider authentication.
 
 Usage:
@@ -119,9 +121,12 @@ credential_process=aws-cli-auth saml -p https://your-idp.com/idp/foo?PARTNER=urn
 
 Notice the missing `-s` | `--store-profile` flag
 
+### Use in CI
+
+
 ## Licence
  WFTPL
 
-## Acknowldgements
+## Acknowledgements
   - [Hiroyuki Wada](https://github.com/wadahiro) [package](https://github.com/openstandia/aws-cli-oidc) 
   - [Mark Wolfe](https://github.com/wolfeidau) [package](https://github.com/Versent/saml2aws)

cmd/clear.go

@@ -0,0 +1,33 @@
+package cmd
+
+import (
+	"github.com/dnitsch/aws-cli-auth/internal/util"
+	"github.com/dnitsch/aws-cli-auth/internal/web"
+	"github.com/spf13/cobra"
+)
+
+var (
+	force    bool
+	clearCmd = &cobra.Command{
+		Use:   "aws-cli-auth clear-cache",
+		Short: "Clears any stored credentials in the OS secret store",
+		Run:   clear,
+	}
+)
+
+func init() {
+	cobra.OnInitialize(initConfig)
+	clearCmd.PersistentFlags().BoolVarP(&force, "force", "f", false, "If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully")
+	rootCmd.AddCommand(clearCmd)
+}
+
+func clear(cmd *cobra.Command, args []string) {
+	if force {
+		if err := web.ClearCache(); err != nil {
+			util.Exit(err)
+		}
+		util.Writeln("Chromium Cache cleared")
+	}
+	util.Clear()
+
+}

cmd/root.go

@@ -16,8 +16,9 @@ var (
 	killHangingProcess bool
 	rootCmd            = &cobra.Command{
 		Use:   "aws-cli-auth",
-		Short: "CLI tool for retrieving AWS temporary credentials using  SAML providers",
-		Long: `CLI tool for retrieving AWS temporary credentials using SAML providers. 
+		Short: "CLI tool for retrieving AWS temporary credentials",
+		Long: `CLI tool for retrieving AWS temporary credentials using SAML providers, or specified method of retrieval - i.e. force AWS_WEB_IDENTITY.
+Useful in situations like CI jobs or containers where multiple env vars might be present.
 Stores them under the $HOME/.aws/credentials file under a specified path or returns the crednetial_process payload for use in config`,
 	}
 )
@@ -33,7 +34,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&role, "role", "r", "", "Set the role you want to assume when SAML or OIDC process completes")
 	rootCmd.PersistentFlags().StringVarP(&cfgSectionName, "cfg-section", "", "", "config section name in the yaml config file")
 	rootCmd.PersistentFlags().BoolVarP(&storeInProfile, "store-profile", "s", false, "By default the credentials are returned to stdout to be used by the credential_process. Set this flag to instead store the credentials under a named profile section")
-	rootCmd.PersistentFlags().BoolVarP(&killHangingProcess, "kill-rod", "k", false, "If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully")
+	// rootCmd.PersistentFlags().BoolVarP(&killHangingProcess, "kill-rod", "k", false, "If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully")
 }
 
 func initConfig() {

cmd/saml.go

@@ -1,8 +1,8 @@
 package cmd
 
 import (
+	"github.com/dnitsch/aws-cli-auth/internal/auth"
 	"github.com/dnitsch/aws-cli-auth/internal/config"
-	"github.com/dnitsch/aws-cli-auth/internal/saml"
 	"github.com/spf13/cobra"
 )
 
@@ -38,6 +38,6 @@ func getSaml(cmd *cobra.Command, args []string) {
 		BaseConfig:   config.BaseConfig{StoreInProfile: storeInProfile, Role: role, CfgSectionName: cfgSectionName, DoKillHangingProcess: killHangingProcess},
 	}
 
-	saml.GetSamlCreds(conf)
+	auth.GetSamlCreds(conf)
 
 }

cmd/specific.go

@@ -0,0 +1,47 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/dnitsch/aws-cli-auth/internal/auth"
+	"github.com/dnitsch/aws-cli-auth/internal/config"
+	"github.com/dnitsch/aws-cli-auth/internal/util"
+	"github.com/spf13/cobra"
+)
+
+var (
+	method      string
+	specificCmd = &cobra.Command{
+		Use:   "specific <flags>",
+		Short: "Initiates a specific crednetial provider [WEB_ID]",
+		Run:   specific,
+	}
+)
+
+// var strategy map[string]func
+
+func init() {
+	specificCmd.PersistentFlags().StringVarP(&method, "method", "m", "", "If aws-cli-auth exited improprely in a previous run there is a chance that there could be hanging processes left over - this will clean them up forcefully")
+	rootCmd.AddCommand(specificCmd)
+}
+
+func specific(cmd *cobra.Command, args []string) {
+	var awsCreds *util.AWSCredentials
+	var err error
+	if method != "" {
+		switch method {
+		case "WEB_ID":
+
+			awsCreds, err = auth.LoginAwsWebToken(os.Getenv("USER"))
+			if err != nil {
+				util.Exit(err)
+			}
+		default:
+			util.Exit(fmt.Errorf("Unsupported Method: %s", method))
+		}
+	}
+	config := config.SamlConfig{BaseConfig: config.BaseConfig{StoreInProfile: storeInProfile}}
+
+	util.SetCredentials(awsCreds, config)
+}

internal/auth/awssts.go

@@ -0,0 +1,87 @@
+package auth
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
+	"github.com/dnitsch/aws-cli-auth/internal/config"
+	"github.com/dnitsch/aws-cli-auth/internal/util"
+	"github.com/pkg/errors"
+)
+
+// AWSRole aws role attributes
+type AWSRole struct {
+	RoleARN      string
+	PrincipalARN string
+	Name         string
+}
+
+// LoginStsSaml exchanges saml response for STS creds
+func LoginStsSaml(samlResponse string, role *util.AWSRole) (*util.AWSCredentials, error) {
+	sess, err := session.NewSession()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create session")
+	}
+
+	svc := sts.New(sess)
+
+	params := &sts.AssumeRoleWithSAMLInput{
+		PrincipalArn:    aws.String(role.PrincipalARN), // Required
+		RoleArn:         aws.String(role.RoleARN),      // Required
+		SAMLAssertion:   aws.String(samlResponse),      // Required
+		DurationSeconds: aws.Int64(3600),
+	}
+
+	resp, err := svc.AssumeRoleWithSAML(params)
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to retrieve STS credentials using SAML")
+	}
+
+	return &util.AWSCredentials{
+		AWSAccessKey:    aws.StringValue(resp.Credentials.AccessKeyId),
+		AWSSecretKey:    aws.StringValue(resp.Credentials.SecretAccessKey),
+		AWSSessionToken: aws.StringValue(resp.Credentials.SessionToken),
+		PrincipalARN:    aws.StringValue(resp.AssumedRoleUser.Arn),
+		Expires:         resp.Credentials.Expiration.Local(),
+	}, nil
+}
+
+func LoginAwsWebToken(username string) (*util.AWSCredentials, error) {
+	// var role string
+	sess, err := session.NewSession()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create session")
+	}
+
+	svc := sts.New(sess)
+	r, exists := os.LookupEnv(config.AWS_ROLE_ARN)
+	if !exists {
+		util.Exit(fmt.Errorf("Role Var Not Found"))
+	}
+	token, err := util.GetWebIdTokenFileContents()
+	if err != nil {
+		util.Exit(err)
+	}
+	sessionName := util.SessionName(username, config.SELF_NAME)
+	input := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          &r,
+		RoleSessionName:  &sessionName,
+		WebIdentityToken: &token,
+	}
+
+	resp, err := svc.AssumeRoleWithWebIdentity(input)
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to retrieve STS credentials using SAML")
+	}
+
+	return &util.AWSCredentials{
+		AWSAccessKey:    aws.StringValue(resp.Credentials.AccessKeyId),
+		AWSSecretKey:    aws.StringValue(resp.Credentials.SecretAccessKey),
+		AWSSessionToken: aws.StringValue(resp.Credentials.SessionToken),
+		PrincipalARN:    aws.StringValue(resp.AssumedRoleUser.Arn),
+		Expires:         resp.Credentials.Expiration.Local(),
+	}, nil
+}

internal/saml/saml.go internal/auth/saml.gointernal/saml/saml.go renamed to internal/auth/saml.go

@@ -1,4 +1,4 @@
-package saml
+package auth
 
 import (
 	"fmt"

internal/config/config.go

@@ -1,6 +1,8 @@
 package config
 
 const SELF_NAME = "aws-cli-auth"
+const WEB_ID_TOKEN_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"
+const AWS_ROLE_ARN = "AWS_ROLE_ARN"
 
 type BaseConfig struct {
 	Role                 string