alibabacloud_account.go

package saml2alibabacloud

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"

	"github.com/pkg/errors"
)

// AlibabaCloudAccount holds the AlibabaCloud account name and roles
type AlibabaCloudAccount struct {
	Name  string
	Roles []*RamRole
}

type RoleList struct {
	AccountAliasList map[string]string `json:"AccountAliasList"`
	RelayState       string            `json:"RelayState"`
	SAMLResponse     string            `json:"SamlResponse"`
	RoleInfoList     map[string][]struct {
		AccountId   string `json:"accountId"`
		ProviderArn string `json:"providerArn"`
		Raw         string `json:"raw"`
		RoleArn     string `json:"roleArn"`
		RoleName    string `json:"roleName"`
	}
}

// ParseAlibabaCloudAccounts extract the AlibabaCloud accounts from the saml assertion
func ParseAlibabaCloudAccounts(audience string, samlAssertion string) ([]*AlibabaCloudAccount, error) {
	res, err := http.PostForm(audience, url.Values{"SAMLResponse": {samlAssertion}})
	if err != nil {
		return nil, errors.Wrap(err, "error retrieving AlibabaCloud login form")
	}

	data, err := ioutil.ReadAll(res.Body)
	if err != nil {
		return nil, errors.Wrap(err, "error retrieving AlibabaCloud login body")
	}

	return ExtractAlibabaCloudAccounts(data)
}

// ExtractAlibabaCloudAccounts extract the accounts from the AlibabaCloud login html page
func ExtractAlibabaCloudAccounts(data []byte) ([]*AlibabaCloudAccount, error) {
	accounts := []*AlibabaCloudAccount{}

	html := string(data)
	if strings.Contains(html, "ROLE_SSO_PAGE:") {
		startIndex := strings.Index(html, "ROLE_SSO_PAGE:") + len("ROLE_SSO_PAGE:") + 1
		endIndex := startIndex + strings.Index(html[startIndex:], "\"}]}},") + 5
		roleListJson := html[startIndex:endIndex]

		var roleList RoleList
		if err := json.Unmarshal([]byte(roleListJson), &roleList); err != nil {
			return nil, errors.Wrap(err, "Role selection page response unmarshal error")
		}

		for accountId, accountRoleList := range roleList.RoleInfoList {
			account := new(AlibabaCloudAccount)
			account.Name = fmt.Sprintf("%s(%s)", roleList.AccountAliasList[accountId], accountId)
			for _, roleInfo := range accountRoleList {
				role := new(RamRole)
				role.Name = roleInfo.RoleName
				role.RoleARN = roleInfo.RoleArn
				role.PrincipalARN = roleInfo.ProviderArn
				account.Roles = append(account.Roles, role)
			}
			accounts = append(accounts, account)
		}
		return accounts, nil
	}

	return nil, errors.New("cannot find any roles")
}

// AssignPrincipals assign principal from roles
func AssignPrincipals(ramRoles []*RamRole, alibabacloudAccounts []*AlibabaCloudAccount) {

	principalARNs := make(map[string]string)
	for _, ramRole := range ramRoles {
		principalARNs[ramRole.RoleARN] = ramRole.PrincipalARN
	}

	for _, account := range alibabacloudAccounts {
		for _, ramRole := range account.Roles {
			ramRole.PrincipalARN = principalARNs[ramRole.RoleARN]
		}
	}

}

// LocateRole locate role by name
func LocateRole(ramRoles []*RamRole, roleName string) (*RamRole, error) {
	for _, ramRole := range ramRoles {
		if ramRole.RoleARN == roleName {
			return ramRole, nil
		}
	}

	return nil, fmt.Errorf("supplied `RoleArn` not found in saml assertion: %s", roleName)
}