Merge pull request #966 from synfinatic/login
Add login command
synfinatic authored Jul 11, 2024
2 parents 44c0ad3 + b8c1865 commit 0596d11
Showing 22 changed files with 373 additions and 338 deletions.
51 changes: 41 additions & 10 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,13 @@

## [Unreleased]

### New Features

* Now require `login` as a seperate step for better security #291
* Remove `flush` command. Use `logout`
* `aws-sso` commands other than `cache` and `login` no longer can trigger a cache refresh without
update of `~/.aws/config` file

## [v1.17.0] - 2024-07-10

### Bugs
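
Review bot: The three bullets under `### New Features` in `[Unreleased]` describe breaking behaviour (a mandatory `login` step, removal of `flush`, commands other than `cache` and `login` no longer refreshing the cache), so they belong under a `### Breaking Changes` heading like the one this file already uses for v1.6.0 and v1.4.0. Also fix the spelling "seperate" to "separate", and reword the third bullet: "no longer can trigger a cache refresh without update of `~/.aws/config` file" can be read either as "never refresh the cache" or as "never refresh without also updating the config".
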
Expand Down Expand Up @@ -105,12 +112,18 @@
### New Features

* Config Wizard now prompts for `ProfileFormat` #590
* Add `login` command #291

### Changes

* Documentation is now built via Docker #587
* Documentation is now managed by [mkdocs](https://www.mkdocs.org)
* Improved demos in documentation #551
* Update many dependencies
* Add dependabot

### Deprecated

* `aws-sso flush -t sso` should not be used. Use `aws-sso logout` instead.

## [v1.14.0] - 2023-10-13

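Review bot: The `### Deprecated` entry only covers `aws-sso flush -t sso`, while the `[Unreleased]` section removes `flush` outright. State what users who call `flush` with any other `-t` value should do instead, so the deprecation and the later removal read consistently.
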
Expand Down Expand Up @@ -348,7 +361,7 @@
`ConfigProfilesUrlAction` #387
* Add support for Granted Containers Firefox plugin #400
* `UrlAction` and `ConfigProfilesUrlAction` now support `open-url-in-container` and
`granted-containers`
granted-containers`

### Changes

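Review bot: The continuation line of the `UrlAction` bullet appears twice, and the second copy reads "granted-containers`" with no opening backtick, which leaves the inline code span unbalanced. Keep a single continuation line with both backticks.
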
Expand Down Expand Up @@ -391,10 +404,13 @@
* Renamed the `config` command to update `~/.aws/config` to be `config-profiles`
which is hopefully more clear
* `config` command now runs the configuration wizard
* Deprecated `ConfigUrlAction` option. Will be automatically upgraded by
the `aws-sso config` wizard.
* `ConfigProfilesUrlAction` replaces `ConfigUrlAction`

### Deprecated

* `ConfigUrlAction` option. Will be automatically upgraded by
the `aws-sso config` wizard.

### Bugs

* Fixed setup wizard layout to be less ugly and more consistent.
Expand Down Expand Up @@ -513,6 +529,7 @@
## [v1.7.0] - 2022-01-09

### New Features

* Add `Via` and `SSO` to possible `list` command output fields
* Add `SSO` to list of valid ProfileFormat template variables
* Improve ProfileFormat documentation
Expand All @@ -533,10 +550,12 @@
## [v1.6.1] - 2021-12-31

### New Features

* The `Via` role option is now a searchable tag #199
* The `tags` command now returns the keys in sorted order

### Bug Fixes

* Consistently pad AccountID with zeros whenever necessary
* Detect role chain loops using `Via` #194
* AccountAlias/AccountName tags are inconsistenly applied/missing #201
Expand All @@ -546,29 +565,35 @@
* cache now handles multiple AWS SSO Instances correctly which fixes numerous issues #219

### Changes

* Reduce number of warnings #205

## [v1.6.0] - 2021-12-24

### Breaking Changes

* Fix issue with missing colon in parsed/generated Role ARNs for missing AWS region #192

### New Features

* Setup now prompts for `LogLevel`
* Suppress bogus warning when saving Role credentials in `wincred` store #183
* Add support for role chaining using `Via` tag #38
* Cache file is now versioned for better compatibility across versions of `aws-sso` #195

### Bug Fixes

* Incorrect `--level` value now correctly tells user the correct name of the flag
* `exec` command now uses `cmd.exe` when no command is specified

## [v1.5.1] - 2021-12-15

### New Features

* Setup now prompts for `HistoryMinutes` and `HistoryLimit`

### Bug Fixes

* Setup now uses a smaller cursor which doesn't hide the character
* Fix setup bug where the SSO Instance was always called `Default`
* Setup no longer accepts invalid characters for strings #178
Expand All @@ -577,37 +602,43 @@
## [v1.5.0] - 2021-12-14

### New Features

* Add `HistoryMinutes` option to limit history by time, not just count #139

### Changes

* Now use macOS `login` Keychain instead of `AWSSSOCli` #150
* All secure storage methods now store a single entry instead of multiple entries
* Replace `console --use-sts` with `console --prompt` #169
* Improve password prompting for file based keyring #171

### Bug Fixes

* file keyring will no longer infinitely prompt for new password

## [v1.4.0] - 2021-11-25

### Breaking Changes

* Standardize on `AWS_SSO` prefix for environment variables
* Remove `--region` flag for `eval` and `exec` commands
* `console -use-env` is now `console --use-sts` to be more clear
* Building aws-sso now requires Go v1.17+

### New Features

* Add a simple wizard to configure aws-sso on first run if no ~/.aws-sso/config.yaml
file exists
file exists
* Update interactive selected item color schme to stand our better. #138
* Add `eval --clear` and `eval --refresh`
* Add full support for `DefaultRegion` in config.yaml
* Add `--no-region` flag for `eval and `exec` commands
* Add `--no-region` flag for `eval` and `exec` commands
* Add `process` command for AWS credential_process in ~/.aws/config #157
* Add `ConsoleDuration` config option #159
* Improve documentation of environment variables

### Bug Fixes

* `exec` now updates the ENV vars of the forked processs rather than our own process
* `eval` no longer prints URLs #145
* Will no longer overwrite user defined AWS_DEFAULT_REGION #152
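
Review bot: Typos remain in the v1.4.0 lines this hunk covers: "color schme to stand our better" and "forked processs". The section is already being edited for the `eval` backtick and the list spacing, so fix them in the same pass, and check whether `console -use-env` was meant to read `--use-env`.
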
Expand Down Expand Up @@ -655,10 +686,10 @@
* Rework how defaults are handled/settings loaded
* Remove references to `duration` in config which don't do anything
* Add additional config file options:
- UrlAction
- LogLevel
- LogLines
- DefaultSSO
* UrlAction
* LogLevel
* LogLines
* DefaultSSO
* Replace `--print-url` with `--url-action` #81
* Add support for `DefaultRegion` in config file #30
* `console` command now supports `--region`
Expand Down
2 changes: 1 addition & 1 deletion Makefile
@@ -1,4 +1,4 @@
PROJECT_VERSION := 1.17.0
PROJECT_VERSION := 2.0.0-beta2
DOCKER_REPO := synfinatic
PROJECT_NAME := aws-sso
DOCKER_PROJECT_NAME := aws-sso-cli-ecs-server
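
Review bot: `PROJECT_VERSION` jumps from 1.17.0 to 2.0.0-beta2, but the CHANGELOG in this same commit still files the changes under `[Unreleased]` with no mention of 2.0.0. Note in the changelog that the unreleased entries belong to the 2.0.0 line so the major bump is explained where users look for it.
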
Expand Down
3 changes: 1 addition & 2 deletions cmd/aws-sso/cache_cmd.go
Expand Up @@ -25,7 +25,6 @@ import (
type CacheCmd struct{}

func (cc *CacheCmd) Run(ctx *RunContext) error {
awssso := doAuth(ctx)
s, err := ctx.Settings.GetSelectedSSO(ctx.Cli.SSO)
if err != nil {
log.Fatalf("%s", err.Error())
Expand All @@ -36,7 +35,7 @@ func (cc *CacheCmd) Run(ctx *RunContext) error {
log.Fatalf(err.Error())
}

err = ctx.Settings.Cache.Refresh(awssso, s, ssoName, ctx.Cli.Threads)
err = ctx.Settings.Cache.Refresh(AwsSSO, s, ssoName, ctx.Cli.Threads)
if err != nil {
return fmt.Errorf("unable to refresh role cache: %s", err.Error())
}
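
Review bot: `Cache.Refresh` now receives the package-level `AwsSSO` and the `doAuth(ctx)` call at the top of `Run` is gone, so nothing visible in this function guarantees the client is initialised and authenticated before the refresh. Add an explicit check that returns an error pointing the user to `aws-sso login` instead of relying on initialisation elsewhere. Separately, `log.Fatalf(err.Error())` in the context above passes the error text as a format string; use `log.Fatalf("%s", err.Error())` as the earlier call in this function does.
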
Expand Down
12 changes: 5 additions & 7 deletions cmd/aws-sso/console_cmd.go
Expand Up @@ -38,7 +38,6 @@ import (
"github.com/synfinatic/aws-sso-cli/internal/storage"
"github.com/synfinatic/aws-sso-cli/internal/url"
"github.com/synfinatic/aws-sso-cli/internal/utils"
"github.com/synfinatic/aws-sso-cli/sso"
)

type ConsoleCmd struct {
Expand Down Expand Up @@ -74,9 +73,9 @@ func (cc *ConsoleCmd) Run(ctx *RunContext) error {

// Check our CLI args
sci := NewSelectCliArgs(ctx.Cli.Console.Arn, ctx.Cli.Console.AccountId, ctx.Cli.Console.Role, ctx.Cli.Console.Profile)
if awssso, err := sci.Update(ctx); err == nil {
if err := sci.Update(ctx); err == nil {
// successful lookup?
return openConsole(ctx, awssso, sci.AccountId, sci.RoleName)
return openConsole(ctx, sci.AccountId, sci.RoleName)
} else if !errors.Is(err, &NoRoleSelectedError{}) {
// invalid arguments, not missing
return err
Expand Down Expand Up @@ -158,10 +157,9 @@ func consoleViaEnvVars(ctx *RunContext) error {
}

func consoleViaSDK(ctx *RunContext) error {
awssso := doAuth(ctx)
rFlat, err := ctx.Settings.Cache.GetSSO().Roles.GetRoleByProfile(ctx.Cli.Console.AwsProfile, ctx.Settings)
if err == nil {
return openConsole(ctx, awssso, rFlat.AccountId, rFlat.RoleName)
return openConsole(ctx, rFlat.AccountId, rFlat.RoleName)
}

region := ctx.Settings.DefaultRegion
Expand Down Expand Up @@ -221,7 +219,7 @@ func haveAWSEnvVars(ctx *RunContext) bool {
}

// opens the AWS console or just prints the URL
func openConsole(ctx *RunContext, awssso *sso.AWSSSO, accountid int64, role string) error {
func openConsole(ctx *RunContext, accountid int64, role string) error {
region := ctx.Settings.GetDefaultRegion(accountid, role, false)
if ctx.Cli.Console.Region != "" {
region = ctx.Cli.Console.Region
Expand All @@ -237,7 +235,7 @@ func openConsole(ctx *RunContext, awssso *sso.AWSSSO, accountid int64, role stri
log.WithError(err).Warnf("Unable to update cache")
}

creds := GetRoleCredentials(ctx, awssso, accountid, role)
creds := GetRoleCredentials(ctx, AwsSSO, accountid, role)
return openConsoleAccessKey(ctx, creds, duration, region, accountid, role)
}

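Review bot: `openConsole` drops its `awssso` parameter only to pass the global `AwsSSO` into `GetRoleCredentials`, which still takes the client as an argument. Either keep injecting the client (easier to test, and the authentication precondition stays visible in the signature) or remove the parameter from `GetRoleCredentials` as well; in the half-and-half form every call site repeats the same global.
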
Expand Down
3 changes: 1 addition & 2 deletions cmd/aws-sso/credentials_cmd.go
Expand Up @@ -14,7 +14,6 @@ type CredentialsCmd struct {

func (cc *CredentialsCmd) Run(ctx *RunContext) error {
cache := ctx.Settings.Cache.GetSSO()
awssso := doAuth(ctx)

creds := []awsconfig.ProfileCredentials{}

Expand All @@ -24,7 +23,7 @@ func (cc *CredentialsCmd) Run(ctx *RunContext) error {
return err
}

pCreds := GetRoleCredentials(ctx, awssso, roleFlat.AccountId, roleFlat.RoleName)
pCreds := GetRoleCredentials(ctx, AwsSSO, roleFlat.AccountId, roleFlat.RoleName)

creds = append(creds, awsconfig.ProfileCredentials{
Profile: profile,
Expand Down
11 changes: 5 additions & 6 deletions cmd/aws-sso/ecs_client_cmd.go
Expand Up @@ -28,7 +28,6 @@ import (
"github.com/synfinatic/aws-sso-cli/internal/ecs"
"github.com/synfinatic/aws-sso-cli/internal/ecs/client"
"github.com/synfinatic/aws-sso-cli/internal/utils"
"github.com/synfinatic/aws-sso-cli/sso"
"github.com/synfinatic/gotable"
)

Expand All @@ -46,9 +45,9 @@ type EcsLoadCmd struct {

func (cc *EcsLoadCmd) Run(ctx *RunContext) error {
sci := NewSelectCliArgs(ctx.Cli.Ecs.Load.Arn, ctx.Cli.Ecs.Load.AccountId, ctx.Cli.Ecs.Load.Role, ctx.Cli.Ecs.Load.Profile)
if awssso, err := sci.Update(ctx); err == nil {
if err := sci.Update(ctx); err == nil {
// successful lookup?
return ecsLoadCmd(ctx, awssso, sci.AccountId, sci.RoleName)
return ecsLoadCmd(ctx, sci.AccountId, sci.RoleName)
} else if !errors.Is(err, &NoRoleSelectedError{}) {
// invalid arguments, not missing
return err
Expand Down Expand Up @@ -80,12 +79,12 @@ func (cc *EcsProfileCmd) Run(ctx *RunContext) error {
}

// Loads our AWS API creds into the ECS Server
func ecsLoadCmd(ctx *RunContext, awssso *sso.AWSSSO, accountId int64, role string) error {
func ecsLoadCmd(ctx *RunContext, accountId int64, role string) error {
c := newClient(ctx.Cli.Ecs.Load.Server, ctx)

creds := GetRoleCredentials(ctx, awssso, accountId, role)
creds := GetRoleCredentials(ctx, AwsSSO, accountId, role)

cache := ctx.Settings.Cache.GetSSO() // ctx.Settings.Cache.Refresh(awssso, ssoConfig, ctx.Cli.SSO)
cache := ctx.Settings.Cache.GetSSO()
rFlat, err := cache.Roles.GetRole(accountId, role)
if err != nil {
return err
Expand Down
4 changes: 1 addition & 3 deletions cmd/aws-sso/eval_cmd.go
Expand Up @@ -82,9 +82,7 @@ func (cc *EvalCmd) Run(ctx *RunContext) error {
}
region := ctx.Settings.GetDefaultRegion(accountid, role, ctx.Cli.Eval.NoRegion)

awssso := doAuth(ctx)

for k, v := range execShellEnvs(ctx, awssso, accountid, role, region) {
for k, v := range execShellEnvs(ctx, accountid, role, region) {
if isBashLike() {
if len(v) == 0 {
fmt.Printf("unset %s\n", k)
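
Review bot: With `doAuth(ctx)` removed, `eval` depends on a prior `login`, and this loop prints text to stdout that the caller's shell will evaluate (`fmt.Printf("unset %s\n", k)`). Make sure the not-logged-in path writes its message to stderr and exits non-zero, so that only the intended variable statements reach the shell.
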
Expand Down
12 changes: 6 additions & 6 deletions cmd/aws-sso/exec_cmd.go
Expand Up @@ -54,9 +54,9 @@ func (cc *ExecCmd) Run(ctx *RunContext) error {
}

sci := NewSelectCliArgs(ctx.Cli.Exec.Arn, ctx.Cli.Exec.AccountId, ctx.Cli.Exec.Role, ctx.Cli.Exec.Profile)
if awssso, err := sci.Update(ctx); err == nil {
if err := sci.Update(ctx); err == nil {
// successful lookup?
return execCmd(ctx, awssso, sci.AccountId, sci.RoleName)
return execCmd(ctx, sci.AccountId, sci.RoleName)
} else if !errors.Is(err, &NoRoleSelectedError{}) {
// invalid arguments, not missing
return err
Expand All @@ -66,7 +66,7 @@ func (cc *ExecCmd) Run(ctx *RunContext) error {
}

// Executes Cmd+Args in the context of the AWS Role creds
func execCmd(ctx *RunContext, awssso *sso.AWSSSO, accountid int64, role string) error {
func execCmd(ctx *RunContext, accountid int64, role string) error {
region := ctx.Settings.GetDefaultRegion(ctx.Cli.Exec.AccountId, ctx.Cli.Exec.Role, ctx.Cli.Exec.NoRegion)

ctx.Settings.Cache.AddHistory(utils.MakeRoleARN(accountid, role))
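
Review bot: `execCmd` takes `accountid` and `role` but computes `region` from `ctx.Cli.Exec.AccountId` and `ctx.Cli.Exec.Role`. The caller passes `sci.AccountId` and `sci.RoleName`, and `NewSelectCliArgs` is also given the ARN and profile arguments, so the CLI fields can differ from the role actually selected. Since the signature is being changed here anyway, use the function's own parameters for the region lookup, as `openConsole` does with `GetDefaultRegion(accountid, role, false)`.
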
Expand All @@ -83,17 +83,17 @@ func execCmd(ctx *RunContext, awssso *sso.AWSSSO, accountid int64, role string)

// add the variables we need for AWS to the executor without polluting our
// own process
for k, v := range execShellEnvs(ctx, awssso, accountid, role, region) {
for k, v := range execShellEnvs(ctx, accountid, role, region) {
log.Debugf("Setting %s = %s", k, v)
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", k, v))
}
// just do it!
return cmd.Run()
}

func execShellEnvs(ctx *RunContext, awssso *sso.AWSSSO, accountid int64, role, region string) map[string]string {
func execShellEnvs(ctx *RunContext, accountid int64, role, region string) map[string]string {
var err error
credsPtr := GetRoleCredentials(ctx, awssso, accountid, role)
credsPtr := GetRoleCredentials(ctx, AwsSSO, accountid, role)
creds := *credsPtr

ssoName, _ := ctx.Settings.GetSelectedSSOName(ctx.Cli.SSO)
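
Review bot: `log.Debugf("Setting %s = %s", k, v)` logs every value returned by `execShellEnvs`, and that map is built from the result of `GetRoleCredentials`, so debug logs can end up containing role credentials. Log the key only, or redact the value before logging.
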
Expand Down