diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go
index fe6a9637..9c52b93e 100644
--- a/cmd/saml2aws/main.go
+++ b/cmd/saml2aws/main.go
@@ -1,16 +1,15 @@
 package main
 import (
- "crypto/tls"
+ //"crypto/tls"
 "io"
 "log"
 "net/http"
 "os"
 "runtime"
- "github.com/alecthomas/kingpin"
+ "github.com/alecthomas/kong"
 "github.com/sirupsen/logrus"
- "github.com/versent/saml2aws/v2"
 "github.com/versent/saml2aws/v2/cmd/saml2aws/commands"
 "github.com/versent/saml2aws/v2/pkg/flags"
 "github.com/versent/saml2aws/v2/pkg/prompter"
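Review bot: Commenting out `"crypto/tls"` here, together with the commented-out `TLSClientConfig` assignment in the third hunk of this file, turns `--skip-verify` into a silent no-op: the flag is still declared and documented in `pkg/flags`, but nothing reads `SkipVerify` any more, and the parked line references `cli.CommonFlags.SkipVerify`, a field the new `CLI` struct does not have. Either drop both commented lines and the flag, or restore the assignment after parsing using the selected command's `CommonFlags`, e.g. `tlsCfg := &tls.Config{InsecureSkipVerify: selected.SkipVerify}` followed by the original transport assignment. As it stands, a user who relied on the flag for an IDP behind a private CA now gets a certificate error with no hint why.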
@@ -21,32 +20,38 @@ var (
 Version = "1.0.0"
 )
-// The `cmdLineList` type is used to make a `[]string` meet the requirements
-// of the kingpin.Value interface
-type cmdLineList []string
+type CLI struct {
+ Verbose bool `help:"Enable verbose logging"`
+ Quiet bool `help:"Silences logs"`
-func (i *cmdLineList) Set(value string) error {
- *i = append(*i, value)
+ Configure struct {
+ flags.CommonFlags
+ } `cmd:"" help:"Configure a new IDP account"`
- return nil
-}
+ Login struct {
+ flags.LoginExecFlags
+ } `cmd:"" help:"Login to a SAML 2.0 IDP and convert the SAML assertion to an STS token"`
-func (i *cmdLineList) String() string {
- return ""
-}
+ Exec struct {
+ flags.LoginExecFlags
+ Command []string `arg:"" name:"command" help:"The command to execute"`
+ } `cmd:"" help:"Exec the supplied command with env vars from STS token"`
-func (i *cmdLineList) IsCumulative() bool {
- return true
-}
+ Console struct {
+ flags.ConsoleFlags
+ } `cmd:"" help:"Console will open the aws console after logging in"`
+
+ ListRoles struct {
+ flags.LoginExecFlags
+ } `cmd:"" help:"List available role ARNs"`
-func buildCmdList(s kingpin.Settings) (target *[]string) {
- target = new([]string)
- s.SetValue((*cmdLineList)(target))
- return
+ Script struct {
+ flags.LoginExecFlags
+ Shell string `help:"Type of shell environment" default:"bash" enum:"bash,/bin/sh,powershell,fish,env"`
+ } `cmd:"" help:"Emit a script that will export environment variables"`
 }
 func main() {
- log.SetOutput(os.Stderr)
 prompter.SetOutputWriter(os.Stderr)
 log.SetFlags(0)
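Review bot: The `CLI` struct declares no `Version kong.VersionFlag` field, so the `--version` flag that the old `app.Version(Version)` call registered is gone; the `kong.Vars{"version": Version}` in the next hunk only defines a template variable, and `kong.VersionFlag` is the field type that reads it. Add `Version kong.VersionFlag `help:"Show version and exit"`` next to `Verbose` and `Quiet`. `CLI` is exported and has no doc comment; `// CLI is the saml2aws command tree that kong parses from the command line.` would do. For `Exec.Command`, anything after the command that looks like an option (a `--recursive` meant for the child process, say) will be parsed as a saml2aws flag unless the positional is tagged `passthrough:""`; the old cumulative kingpin arg collected everything, so this is worth checking before merging. `main` starts at the end of this hunk and continues beyond it.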
@@ -59,152 +64,47 @@ func main() { logrus.SetOutput(os.Stdout) } - app := kingpin.New("saml2aws", "A command line tool to help with SAML access to the AWS token service.") - app.Version(Version) - - // Settings not related to commands - verbose := app.Flag("verbose", "Enable verbose logging").Bool() - quiet := app.Flag("quiet", "silences logs").Bool() - - provider := app.Flag("provider", "This flag is obsolete. See: https://github.com/Versent/saml2aws#configuring-idp-accounts").Short('i').Enum("Akamai", "AzureAD", "ADFS", "ADFS2", "Browser", "Ping", "JumpCloud", "Okta", "OneLogin", "PSU", "KeyCloak") - - // Common (to all commands) settings - commonFlags := new(flags.CommonFlags) - app.Flag("config", "Path/filename of saml2aws config file (env: SAML2AWS_CONFIGFILE)").Envar("SAML2AWS_CONFIGFILE").StringVar(&commonFlags.ConfigFile) - app.Flag("idp-account", "The name of the configured IDP account. (env: SAML2AWS_IDP_ACCOUNT)").Envar("SAML2AWS_IDP_ACCOUNT").Short('a').Default("default").StringVar(&commonFlags.IdpAccount) - app.Flag("idp-provider", "The configured IDP provider. (env: SAML2AWS_IDP_PROVIDER)").Envar("SAML2AWS_IDP_PROVIDER").EnumVar(&commonFlags.IdpProvider, saml2aws.MFAsByProvider.Names()...) - app.Flag("browser-type", "The configured browser type when the IDP provider is set to Browser. if not set 'chromium' will be used. (env: SAML2AWS_BROWSER_TYPE)").Envar("SAML2AWS_BROWSER_TYPE").EnumVar(&commonFlags.BrowserType, "chromium", "firefox", "webkit", "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary") - app.Flag("browser-executable-path", "The configured browser full path when the IDP provider is set to Browser. If set, no browser download will be performed and the executable path will be used instead. 
(env: SAML2AWS_BROWSER_EXECUTABLE_PATH)").Envar("SAML2AWS_BROWSER_EXECUTABLE_PATH").StringVar(&commonFlags.BrowserExecutablePath) - app.Flag("browser-autofill", "Configures browser to autofill the username and password. (env: SAML2AWS_BROWSER_AUTOFILL)").Envar("SAML2AWS_BROWSER_AUTOFILL").BoolVar(&commonFlags.BrowserAutoFill) - app.Flag("mfa", "The name of the mfa. (env: SAML2AWS_MFA)").Envar("SAML2AWS_MFA").StringVar(&commonFlags.MFA) - app.Flag("skip-verify", "Skip verification of server certificate. (env: SAML2AWS_SKIP_VERIFY)").Envar("SAML2AWS_SKIP_VERIFY").Short('s').BoolVar(&commonFlags.SkipVerify) - app.Flag("url", "The URL of the SAML IDP server used to login. (env: SAML2AWS_URL)").Envar("SAML2AWS_URL").StringVar(&commonFlags.URL) - app.Flag("username", "The username used to login. (env: SAML2AWS_USERNAME)").Envar("SAML2AWS_USERNAME").StringVar(&commonFlags.Username) - app.Flag("password", "The password used to login. (env: SAML2AWS_PASSWORD)").Envar("SAML2AWS_PASSWORD").StringVar(&commonFlags.Password) - app.Flag("mfa-token", "The current MFA token (supported in Keycloak, ADFS, GoogleApps). (env: SAML2AWS_MFA_TOKEN)").Envar("SAML2AWS_MFA_TOKEN").StringVar(&commonFlags.MFAToken) - app.Flag("role", "The ARN of the role to assume. (env: SAML2AWS_ROLE)").Envar("SAML2AWS_ROLE").StringVar(&commonFlags.RoleArn) - app.Flag("policyfile", "The file containing the supplemental AssumeRole policy. (env: SAML2AWS_POLICY_FILE)").Envar("SAML2AWS_POLICY_FILE").StringVar(&commonFlags.PolicyFile) - app.Flag("policyarns", "The ARN of supplemental policies to restrict the token. (env: SAML2AWS_POLICY_ARNS)").Envar("SAML2AWS_POLICY_ARNS").StringVar(&commonFlags.PolicyARNs) - app.Flag("aws-urn", "The URN used by SAML when you login. 
(env: SAML2AWS_AWS_URN)").Envar("SAML2AWS_AWS_URN").StringVar(&commonFlags.AmazonWebservicesURN) - app.Flag("skip-prompt", "Skip prompting for parameters during login.").BoolVar(&commonFlags.SkipPrompt) - app.Flag("session-duration", "The duration of your AWS Session. (env: SAML2AWS_SESSION_DURATION)").Envar("SAML2AWS_SESSION_DURATION").IntVar(&commonFlags.SessionDuration) - app.Flag("disable-keychain", "Do not use keychain at all. This will also disable Okta sessions & remembering MFA device. (env: SAML2AWS_DISABLE_KEYCHAIN)").Envar("SAML2AWS_DISABLE_KEYCHAIN").BoolVar(&commonFlags.DisableKeychain) - app.Flag("region", "AWS region to use for API requests, e.g. us-east-1, us-gov-west-1, cn-north-1 (env: SAML2AWS_REGION)").Envar("SAML2AWS_REGION").Short('r').StringVar(&commonFlags.Region) - app.Flag("prompter", "The prompter to use for user input (default, pinentry)").StringVar(&commonFlags.Prompter) - - // `configure` command and settings - cmdConfigure := app.Command("configure", "Configure a new IDP account.") - cmdConfigure.Flag("app-id", "OneLogin app id required for SAML assertion. (env: ONELOGIN_APP_ID)").Envar("ONELOGIN_APP_ID").StringVar(&commonFlags.AppID) - cmdConfigure.Flag("client-id", "OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)").Envar("ONELOGIN_CLIENT_ID").StringVar(&commonFlags.ClientID) - cmdConfigure.Flag("client-secret", "OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)").Envar("ONELOGIN_CLIENT_SECRET").StringVar(&commonFlags.ClientSecret) - cmdConfigure.Flag("subdomain", "OneLogin subdomain of your company account. (env: ONELOGIN_SUBDOMAIN)").Envar("ONELOGIN_SUBDOMAIN").StringVar(&commonFlags.Subdomain) - cmdConfigure.Flag("mfa-ip-address", "IP address whitelisting defined in OneLogin MFA policies. 
(env: ONELOGIN_MFA_IP_ADDRESS)").Envar("ONELOGIN_MFA_IP_ADDRESS").StringVar(&commonFlags.MFAIPAddress) - cmdConfigure.Flag("profile", "The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)").Envar("SAML2AWS_PROFILE").Short('p').StringVar(&commonFlags.Profile) - cmdConfigure.Flag("resource-id", "F5APM SAML resource ID of your company account. (env: SAML2AWS_F5APM_RESOURCE_ID)").Envar("SAML2AWS_F5APM_RESOURCE_ID").StringVar(&commonFlags.ResourceID) - cmdConfigure.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) - cmdConfigure.Flag("cache-saml", "Caches the SAML response (env: SAML2AWS_CACHE_SAML)").Envar("SAML2AWS_CACHE_SAML").BoolVar(&commonFlags.SAMLCache) - cmdConfigure.Flag("cache-file", "The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)").Envar("SAML2AWS_SAML_CACHE_FILE").StringVar(&commonFlags.SAMLCacheFile) - cmdConfigure.Flag("disable-sessions", "Do not use Okta sessions. Uses Okta sessions by default. (env: SAML2AWS_OKTA_DISABLE_SESSIONS)").Envar("SAML2AWS_OKTA_DISABLE_SESSIONS").BoolVar(&commonFlags.DisableSessions) - cmdConfigure.Flag("disable-remember-device", "Do not remember Okta MFA device. Remembers MFA device by default. (env: SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE)").Envar("SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE").BoolVar(&commonFlags.DisableRememberDevice) - configFlags := commonFlags - - // `login` command and settings - cmdLogin := app.Command("login", "Login to a SAML 2.0 IDP and convert the SAML assertion to an STS token.") - loginFlags := new(flags.LoginExecFlags) - loginFlags.CommonFlags = commonFlags - cmdLogin.Flag("profile", "The AWS profile to save the temporary credentials. 
(env: SAML2AWS_PROFILE)").Short('p').Envar("SAML2AWS_PROFILE").StringVar(&commonFlags.Profile) - cmdLogin.Flag("duo-mfa-option", "The MFA option you want to use to authenticate with (supported providers: okta). (env: SAML2AWS_DUO_MFA_OPTION)").Envar("SAML2AWS_DUO_MFA_OPTION").EnumVar(&loginFlags.DuoMFAOption, "Passcode", "Duo Push") - cmdLogin.Flag("client-id", "OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)").Envar("ONELOGIN_CLIENT_ID").StringVar(&commonFlags.ClientID) - cmdLogin.Flag("client-secret", "OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)").Envar("ONELOGIN_CLIENT_SECRET").StringVar(&commonFlags.ClientSecret) - cmdLogin.Flag("mfa-ip-address", "IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)").Envar("ONELOGIN_MFA_IP_ADDRESS").StringVar(&commonFlags.MFAIPAddress) - cmdLogin.Flag("force", "Refresh credentials even if not expired.").BoolVar(&loginFlags.Force) - cmdLogin.Flag("credential-process", "Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message.").BoolVar(&loginFlags.CredentialProcess) - cmdLogin.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) - cmdLogin.Flag("cache-saml", "Caches the SAML response (env: SAML2AWS_CACHE_SAML)").Envar("SAML2AWS_CACHE_SAML").BoolVar(&commonFlags.SAMLCache) - cmdLogin.Flag("cache-file", "The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)").Envar("SAML2AWS_SAML_CACHE_FILE").StringVar(&commonFlags.SAMLCacheFile) - cmdLogin.Flag("download-browser-driver", "Automatically download browsers for Browser IDP. 
(env: SAML2AWS_AUTO_BROWSER_DOWNLOAD)").Envar("SAML2AWS_AUTO_BROWSER_DOWNLOAD").BoolVar(&loginFlags.DownloadBrowser) - cmdLogin.Flag("disable-sessions", "Do not use Okta sessions. Uses Okta sessions by default. (env: SAML2AWS_OKTA_DISABLE_SESSIONS)").Envar("SAML2AWS_OKTA_DISABLE_SESSIONS").BoolVar(&commonFlags.DisableSessions) - cmdLogin.Flag("disable-remember-device", "Do not remember Okta MFA device. Remembers MFA device by default. (env: SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE)").Envar("SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE").BoolVar(&commonFlags.DisableRememberDevice) - - // `exec` command and settings - cmdExec := app.Command("exec", "Exec the supplied command with env vars from STS token.") - execFlags := new(flags.LoginExecFlags) - execFlags.CommonFlags = commonFlags - cmdExec.Flag("profile", "The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)").Envar("SAML2AWS_PROFILE").Short('p').StringVar(&commonFlags.Profile) - cmdExec.Flag("exec-profile", "The AWS profile to utilize for command execution. Useful to allow the aws cli to perform secondary role assumption. (env: SAML2AWS_EXEC_PROFILE)").Envar("SAML2AWS_EXEC_PROFILE").StringVar(&execFlags.ExecProfile) - cmdExec.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) - cmdLine := buildCmdList(cmdExec.Arg("command", "The command to execute.")) - - // `console` command and settings - cmdConsole := app.Command("console", "Console will open the aws console after logging in.") - consoleFlags := new(flags.ConsoleFlags) - consoleFlags.LoginExecFlags = execFlags - consoleFlags.LoginExecFlags.CommonFlags = commonFlags - cmdConsole.Flag("exec-profile", "The AWS profile to utilize for console execution. 
(env: SAML2AWS_EXEC_PROFILE)").Envar("SAML2AWS_EXEC_PROFILE").StringVar(&consoleFlags.LoginExecFlags.ExecProfile) - cmdConsole.Flag("profile", "The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)").Envar("SAML2AWS_PROFILE").Short('p').StringVar(&commonFlags.Profile) - cmdConsole.Flag("force", "Refresh credentials even if not expired.").BoolVar(&consoleFlags.LoginExecFlags.Force) - cmdConsole.Flag("link", "Present link to AWS console instead of opening browser").BoolVar(&consoleFlags.Link) - cmdConsole.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) - - // `list` command and settings - cmdListRoles := app.Command("list-roles", "List available role ARNs.") - cmdListRoles.Flag("cache-saml", "Caches the SAML response (env: SAML2AWS_CACHE_SAML)").Envar("SAML2AWS_CACHE_SAML").BoolVar(&commonFlags.SAMLCache) - cmdListRoles.Flag("cache-file", "The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)").Envar("SAML2AWS_SAML_CACHE_FILE").StringVar(&commonFlags.SAMLCacheFile) - listRolesFlags := new(flags.LoginExecFlags) - listRolesFlags.CommonFlags = commonFlags - - // `script` command and settings - cmdScript := app.Command("script", "Emit a script that will export environment variables.") - scriptFlags := new(flags.LoginExecFlags) - scriptFlags.CommonFlags = commonFlags - cmdScript.Flag("profile", "The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)").Envar("SAML2AWS_PROFILE").Short('p').StringVar(&commonFlags.Profile) - cmdScript.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. 
(env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile)
- var shell string
- cmdScript.
- Flag("shell", "Type of shell environment. Options include: bash, /bin/sh, powershell, fish, env").
- Default("bash").
- EnumVar(&shell, "bash", "/bin/sh", "powershell", "fish", "env")
-
- // Trigger the parsing of the command line inputs via kingpin
- command := kingpin.MustParse(app.Parse(os.Args[1:]))
-
- // will leave this here for a while during upgrade process
- if *provider != "" {
- log.Println("The --provider flag has been replaced with a new configure command. See https://github.com/versent/saml2aws/v2#adding-idp-accounts")
- os.Exit(1)
- }
-
+ var cli CLI
+ ctx := kong.Parse(&cli,
+ kong.Name("saml2aws"),
+ kong.Description("A command line tool to help with SAML access to the AWS token service."),
+ kong.Vars{
+ "version": Version,
+ },
+ )
 errtpl := "%v\n"
- if *verbose {
+ if cli.Verbose {
 logrus.SetLevel(logrus.DebugLevel)
 errtpl = "%+v\n"
 }
- if *quiet {
+ if cli.Quiet {
 log.SetOutput(io.Discard)
 logrus.SetOutput(io.Discard)
 }
 // Set the default transport settings so all http clients will pick them up.
- http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: commonFlags.SkipVerify}
+ //http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: cli.CommonFlags.SkipVerify}
 http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
- logrus.WithField("command", command).Debug("Running")
+ logrus.WithField("command", ctx.Command()).Debug("Running")
 var err error
- switch command {
- case cmdScript.FullCommand():
- err = commands.Script(scriptFlags, shell)
- case cmdLogin.FullCommand():
- err = commands.Login(loginFlags)
- case cmdExec.FullCommand():
- err = commands.Exec(execFlags, *cmdLine)
- case cmdConsole.FullCommand():
- err = commands.Console(consoleFlags)
- case cmdListRoles.FullCommand():
- err = commands.ListRoles(listRolesFlags)
- case cmdConfigure.FullCommand():
- err = commands.Configure(configFlags)
+ switch ctx.Command() {
+ case "script":
+ err = commands.Script(&cli.Script.LoginExecFlags, cli.Script.Shell)
+ case "login":
+ err = commands.Login(&cli.Login.LoginExecFlags)
+ case "exec":
+ err = commands.Exec(&cli.Exec.LoginExecFlags, cli.Exec.Command)
+ case "console":
+ err = commands.Console(&cli.Console.ConsoleFlags)
+ case "list-roles":
+ err = commands.ListRoles(&cli.ListRoles.LoginExecFlags)
+ case "configure":
+ err = commands.Configure(&cli.Configure.CommonFlags)
+ default:
+ err = ctx.Run()
 }
 if err != nil {
diff --git a/go.mod b/go.mod
index 0ca0240d..925bd08d 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/AlecAivazis/survey/v2 v2.3.7
 github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e
 github.com/PuerkitoBio/goquery v1.9.2
- github.com/alecthomas/kingpin v2.2.6+incompatible
+ github.com/alecthomas/kong v1.4.0
 github.com/avast/retry-go v3.0.0+incompatible
 github.com/aws/aws-sdk-go v1.55.5
 github.com/beevik/etree v1.4.1
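Review bot: `case "exec":` can never match as far as I can tell: kong's `Context.Command()` appends positional placeholders to the command path, so with `Command []string `arg:"" name:"command"`` the value is `"exec <command>"`, and `saml2aws exec …` falls through to `default: err = ctx.Run()`, which has no `Run` methods to dispatch to; the change is `case "exec <command>":` (the `Debug("Running")` line just above prints the exact string if this needs confirming). The call sites also hand `&cli.Login.LoginExecFlags` and friends to the command package with a `CommonFlags` pointer the parser never sets, which is raised at the `pkg/flags/flags.go` hunk. The comment "Set the default transport settings so all http clients will pick them up" now describes only the proxy setting and should be trimmed to match. `main` starts and ends outside this hunk.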
@@ -32,8 +32,6 @@ require (
 require (
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
- github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
- github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
 github.com/andybalholm/cascadia v1.3.2 // indirect
 github.com/bearsh/hid v1.3.0 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index 4571144a..1a6ac3aa 100644
--- a/go.sum
+++ b/go.sum
@@ -13,11 +13,13 @@ github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDe github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/goquery v1.9.2 h1:4/wZksC3KgkQw7SQgkKotmKljk0M6V8TUvA8Wb4yPeE= github.com/PuerkitoBio/goquery v1.9.2/go.mod h1:GHPCaP0ODyyxqcNoFGYlAprUFH81NuRPd0GX3Zu2Mvk= -github.com/alecthomas/kingpin v2.2.6+incompatible h1:5svnBTFgJjZvGKyYBtMB0+m5wvrbUHiqye8wRJMlnYI= -github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU= +github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0= +github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k= +github.com/alecthomas/kong v1.4.0 h1:UL7tzGMnnY0YRMMvJyITIRX1EpO6RbBRZDNcCevy3HA= +github.com/alecthomas/kong v1.4.0/go.mod h1:p2vqieVMeTAnaC83txKtXe8FLke2X07aruPWXyMPQrU= +github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc= +github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss= github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU= 
@@ -88,6 +90,8 @@ github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/B github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw= github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM= +github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 167980f1..5a2a9708 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go 
@@ -6,54 +6,54 @@ import (
 // CommonFlags flags common to all of the `saml2aws` commands (except `help`)
 type CommonFlags struct {
- AppID string
- ClientID string
- ClientSecret string
- ConfigFile string
- IdpAccount string
- IdpProvider string
- BrowserType string
- BrowserExecutablePath string
- BrowserAutoFill bool
- MFA string
- MFAIPAddress string
- MFAToken string
- URL string
- Username string
- Password string
- RoleArn string
- PolicyFile string
- PolicyARNs string
- AmazonWebservicesURN string
- SessionDuration int
- SkipPrompt bool
- SkipVerify bool
- Profile string
- Subdomain string
- ResourceID string
- DisableKeychain bool
- Region string
- CredentialsFile string
- SAMLCache bool
- SAMLCacheFile string
- DisableRememberDevice bool
- DisableSessions bool
- Prompter string
+ AppID string `help:"OneLogin app id required for SAML assertion" env:"ONELOGIN_APP_ID" optional:""`
+ ClientID string `help:"OneLogin client id, used to generate API access token" env:"ONELOGIN_CLIENT_ID" optional:""`
+ ClientSecret string `help:"OneLogin client secret, used to generate API access token" env:"ONELOGIN_CLIENT_SECRET" optional:""`
+ ConfigFile string `help:"Path/filename of saml2aws config file" env:"SAML2AWS_CONFIGFILE optional:""`
+ IdpAccount string `help:"The name of the configured IDP account" env:"SAML2AWS_IDP_ACCOUNT" default:"default"`
+ IdpProvider string `help:"The configured IDP provider" env:"SAML2AWS_IDP_PROVIDER" enum:"Akamai,AzureAD,ADFS,ADFS2,Browser,Ping,JumpCloud,Okta,OneLogin,PSU,KeyCloak," optional:""`
+ BrowserType string `help:"The configured browser type when the IDP provider is set to Browser" env:"SAML2AWS_BROWSER_TYPE" enum:"chromium,firefox,webkit,chrome,chrome-beta,chrome-dev,chrome-canary,msedge,msedge-beta,msedge-dev,msedge-canary" optional:""`
+ BrowserExecutablePath string `help:"The configured browser full path when the IDP provider is set to Browser" env:"SAML2AWS_BROWSER_EXECUTABLE_PATH" optional:""`
+ BrowserAutoFill bool 
`help:"Configures browser to autofill the username and password" env:"SAML2AWS_BROWSER_AUTOFILL" optional:""`
+ MFA string `help:"The name of the mfa" env:"SAML2AWS_MFA" optional:""`
+ SkipVerify bool `help:"Skip verification of server certificate" env:"SAML2AWS_SKIP_VERIFY" optional:""`
+ URL string `help:"The URL of the SAML IDP server used to login" env:"SAML2AWS_URL" optional:""`
+ Username string `help:"The username used to login" env:"SAML2AWS_USERNAME" optional:""`
+ Password string `help:"The password used to login" env:"SAML2AWS_PASSWORD" optional:""`
+ MFAToken string `help:"The current MFA token" env:"SAML2AWS_MFA_TOKEN" optional:""`
+ RoleArn string `help:"The ARN of the role to assume" env:"SAML2AWS_ROLE" optional:""`
+ PolicyFile string `help:"The file containing the supplemental AssumeRole policy" env:"SAML2AWS_POLICY_FILE" optional:""`
+ PolicyARNs string `help:"The ARN of supplemental policies to restrict the token" env:"SAML2AWS_POLICY_ARNS" optional:""`
+ AmazonWebservicesURN string `help:"The URN used by SAML when you login" env:"SAML2AWS_AWS_URN" optional:""`
+ SkipPrompt bool `help:"Skip prompting for parameters during login" optional:""`
+ SessionDuration int `help:"The duration of your AWS Session" env:"SAML2AWS_SESSION_DURATION" optional:""`
+ DisableKeychain bool `help:"Do not use keychain at all" env:"SAML2AWS_DISABLE_KEYCHAIN" optional:""`
+ Subdomain string `help:"OneLogin subdomain of your company account" env:"ONELOGIN_SUBDOMAIN" optional:""`
+ Profile string `help:"The AWS profile to save the temporary credentials" env:"SAML2AWS_PROFILE" optional:""`
+ ResourceID string `help:"F5APM SAML resource ID of your company account" env:"SAML2AWS_F5APM_RESOURCE_ID" optional:""`
+ CredentialsFile string `help:"The file that will cache the credentials retrieved from AWS" env:"SAML2AWS_CREDENTIALS_FILE" optional:""`
+ SAMLCache bool `help:"Caches the SAML response" env:"SAML2AWS_CACHE_SAML" optional:""`
+ SAMLCacheFile string `help:"The location 
of the SAML cache file" env:"SAML2AWS_SAML_CACHE_FILE" optional:""`
+ DisableSessions bool `help:"Do not use Okta sessions" env:"SAML2AWS_OKTA_DISABLE_SESSIONS" optional:""`
+ DisableRememberDevice bool `help:"Do not remember Okta MFA device. Remembers MFA device by default." env:"SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE" optional:""`
+ MFAIPAddress string `help:"IP address whitelisting defined in OneLogin MFA policies" env:"ONELOGIN_MFA_IP_ADDRESS" optional:""`
+ Region string `help:"AWS region to use for API requests" env:"SAML2AWS_REGION" optional:""`
+ Prompter string `help:"The prompter to use for user input"`
 }
 // LoginExecFlags flags for the Login / Exec commands
 type LoginExecFlags struct {
 CommonFlags *CommonFlags
- DownloadBrowser bool
- Force bool
- DuoMFAOption string
- ExecProfile string
- CredentialProcess bool
+ DownloadBrowser bool `help:"Automatically download browsers for Browser IDP" env:"SAML2AWS_AUTO_BROWSER_DOWNLOAD" optional:""`
+ Force bool `help:"Refresh credentials even if not expired" optional:""`
+ DuoMFAOption string `help:"The MFA option you want to use to authenticate with" env:"SAML2AWS_DUO_MFA_OPTION" enum:"Passcode,Duo Push," default:""`
+ ExecProfile string `help:"The AWS profile to utilize for command execution" env:"SAML2AWS_EXEC_PROFILE" optional:""`
+ CredentialProcess bool `help:"Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message" optional:""`
 }
 type ConsoleFlags struct {
 LoginExecFlags *LoginExecFlags
- Link bool
+ Link bool `help:"Present link to AWS console instead of opening browser" optional:""`
 }
 // ApplyFlagOverrides overrides IDPAccount with command line settings
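Review bot: The `ConfigFile` tag is missing the closing quote after the env name — `env:"SAML2AWS_CONFIGFILE optional:""` — so kong will look up an environment variable literally named `SAML2AWS_CONFIGFILE optional:` and the `optional` key is lost; it should read `ConfigFile string `help:"Path/filename of saml2aws config file" env:"SAML2AWS_CONFIGFILE" optional:""``. `LoginExecFlags.CommonFlags *CommonFlags` keeps its pointer shape with no kong tag, so for `login`, `exec`, `console`, `list-roles` and `script` the shared flags (`--url`, `--username`, `--password`, `--skip-verify`, `--role`, …) are not registered at all as far as I can tell, and the pointer handed to the command functions in `cmd/saml2aws/main.go` stays nil unless something outside this diff fills it; embedding `CommonFlags` by value, as `CLI.Configure` already does, wires the flags but changes the field type that `ApplyFlagOverrides` (below this hunk) and the command package use, so a small adapter is probably needed. The `IdpProvider` enum also hard-codes the provider list that was previously taken from `saml2aws.MFAsByProvider.Names()`, so adding a provider now needs a second edit here.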