package commands
import (
"encoding/base64"
"fmt"
"os"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/versent/saml2aws"
"github.com/versent/saml2aws/helper/credentials"
"github.com/versent/saml2aws/pkg/flags"
)
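// ListRoles authenticates against the IdP configured by loginFlags, stores
// the password in the keychain once authentication succeeded, and prints the
// AWS accounts and role ARNs carried in the returned SAML assertion.
//
// Most failures are returned wrapped with context. Three conditions are
// instead reported on stdout and terminate the process with exit status 1:
// login details that cannot be resolved, an empty assertion, and an
// assertion that contains no roles.
func ListRoles(loginFlags *flags.LoginExecFlags) error {
	logger := logrus.WithField("command", "list")

	account, err := buildIdpAccount(loginFlags)
	if err != nil {
		return errors.Wrap(err, "error building login details")
	}

	loginDetails, err := resolveLoginDetails(account, loginFlags)
	if err != nil {
		// Reported directly rather than returned: this path ends the process.
		fmt.Printf("%+v\n", err)
		os.Exit(1)
	}

	if err = loginDetails.Validate(); err != nil {
		return errors.Wrap(err, "error validating login details")
	}

	// NOTE(review): the whole account value is written to the debug log;
	// confirm it carries no secret material before enabling debug output.
	logger.WithField("idpAccount", account).Debug("building provider")

	provider, err := saml2aws.NewSAMLClient(account)
	if err != nil {
		return errors.Wrap(err, "error building IdP client")
	}

	samlAssertion, err := provider.Authenticate(loginDetails)
	if err != nil {
		return errors.Wrap(err, "error authenticating to IdP")
	}
	if samlAssertion == "" {
		fmt.Println("Response did not contain a valid SAML assertion")
		fmt.Println("Please check your username and password is correct")
		os.Exit(1)
	}

	// The password is persisted only after Authenticate returned a
	// non-empty assertion, so a rejected credential is never stored.
	if err = credentials.SaveCredentials(loginDetails.URL, loginDetails.Username, loginDetails.Password); err != nil {
		return errors.Wrap(err, "error storing password in keychain")
	}

	data, err := base64.StdEncoding.DecodeString(samlAssertion)
	if err != nil {
		return errors.Wrap(err, "error decoding saml assertion")
	}

	roles, err := saml2aws.ExtractAwsRoles(data)
	if err != nil {
		// Distinct from the ParseAWSRoles message below so the failing
		// step can be told apart from the error text alone.
		return errors.Wrap(err, "error extracting aws roles")
	}
	if len(roles) == 0 {
		fmt.Println("No roles to assume")
		os.Exit(1)
	}

	awsRoles, err := saml2aws.ParseAWSRoles(roles)
	if err != nil {
		return errors.Wrap(err, "error parsing aws roles")
	}

	if err := listRoles(awsRoles, samlAssertion, loginFlags); err != nil {
		return errors.Wrap(err, "Failed to list roles")
	}
	return nil
}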
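// listRoles resolves the AWS accounts named in samlAssertion, assigns their
// principals to awsRoles, and prints each account name followed by the ARNs
// of its roles, with a blank line before and after every account block.
//
// loginFlags is not read; it is kept so existing callers keep compiling.
func listRoles(awsRoles []*saml2aws.AWSRole, samlAssertion string, loginFlags *flags.LoginExecFlags) error {
	awsAccounts, err := saml2aws.ParseAWSAccounts(samlAssertion)
	if err != nil {
		// Returned rather than dropped: continuing with a partial or empty
		// account list would print misleading output and report success.
		return errors.Wrap(err, "error parsing aws role accounts")
	}

	saml2aws.AssignPrincipals(awsRoles, awsAccounts)

	fmt.Println("")
	for _, account := range awsAccounts {
		fmt.Println(account.Name)
		for _, role := range account.Roles {
			fmt.Println(role.RoleARN)
		}
		fmt.Println("")
	}
	return nil
}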