github.com/versent/saml2aws@v2.17.0+incompatible/cmd/saml2aws/commands/exec.go

github.com/versent/saml2aws@v2.17.0+incompatible/cmd/saml2aws/commands/exec.go (about)

     1  package commands
     2  
     3  import (
     4  	"fmt"
     5  	"time"
     6  
     7  	"github.com/aws/aws-sdk-go/aws/awserr"
     8  	"github.com/aws/aws-sdk-go/aws/session"
     9  	"github.com/aws/aws-sdk-go/service/sts"
    10  	"github.com/pkg/errors"
    11  	"github.com/versent/saml2aws/pkg/awsconfig"
    12  	"github.com/versent/saml2aws/pkg/flags"
    13  	"github.com/versent/saml2aws/pkg/shell"
    14  )
    15  
    16  // Exec execute the supplied command after seeding the environment
    17  func Exec(execFlags *flags.LoginExecFlags, cmdline []string) error {
    18  
    19  	if len(cmdline) < 1 {
    20  		return fmt.Errorf("Command to execute required")
    21  	}
    22  
    23  	account, err := buildIdpAccount(execFlags)
    24  	if err != nil {
    25  		return errors.Wrap(err, "error building login details")
    26  	}
    27  
    28  	sharedCreds := awsconfig.NewSharedCredentials(account.Profile)
    29  
    30  	// this checks if the credentials file has been created yet
    31  	// can only really be triggered if saml2aws exec is run on a new
    32  	// system prior to creating $HOME/.aws
    33  	exist, err := sharedCreds.CredsExists()
    34  	if err != nil {
    35  		return errors.Wrap(err, "error loading credentials")
    36  	}
    37  	if !exist {
    38  		fmt.Println("unable to load credentials, login required to create them")
    39  		return nil
    40  	}
    41  
    42  	awsCreds, err := sharedCreds.Load()
    43  	if err != nil {
    44  		return errors.Wrap(err, "error loading credentials")
    45  	}
    46  
    47  	if awsCreds.Expires.Sub(time.Now()) < 0 {
    48  		return errors.New("error aws credentials have expired")
    49  	}
    50  
    51  	ok, err := checkToken(account.Profile)
    52  	if err != nil {
    53  		return errors.Wrap(err, "error validating token")
    54  	}
    55  
    56  	if !ok {
    57  		err = Login(execFlags)
    58  	}
    59  	if err != nil {
    60  		return errors.Wrap(err, "error logging in")
    61  	}
    62  
    63  	return shell.ExecShellCmd(cmdline, shell.BuildEnvVars(awsCreds, account, execFlags))
    64  }
    65  
    66  func checkToken(profile string) (bool, error) {
    67  	sess, err := session.NewSessionWithOptions(session.Options{
    68  		Profile: profile,
    69  	})
    70  	if err != nil {
    71  		return false, err
    72  	}
    73  
    74  	svc := sts.New(sess)
    75  
    76  	params := &sts.GetCallerIdentityInput{}
    77  
    78  	_, err = svc.GetCallerIdentity(params)
    79  	if err != nil {
    80  		if awsErr, ok := err.(awserr.Error); ok {
    81  			if awsErr.Code() == "ExpiredToken" || awsErr.Code() == "NoCredentialProviders" {
    82  				return false, nil
    83  			}
    84  		}
    85  
    86  		return false, err
    87  	}
    88  
    89  	//fmt.Fprintln(os.Stderr, "Running command as:", aws.StringValue(resp.Arn))
    90  	return true, nil
    91  }