From 74ea4061d89a446a5323ee5faeced021d0a9479e Mon Sep 17 00:00:00 2001
From: Raphael Londner
Date: Fri, 6 Jan 2017 11:34:48 -0800
Subject: [PATCH] Config file update fix (#22)

* Config file update fix

Removed check on role_arn value being blank or not since this interferes with the default profile update (which might not need a role_arn value in the ~/.aws/config file). This parameter will not be updated if blank in the WriteNewRoleToAssume function anyway.

* Added cross account role debug log
---
 .gitignore | 2 +
 src/main/java/com/okta/tools/awscli.java | 99 ++++++++++++------------
 2 files changed, 50 insertions(+), 51 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2061768..453491e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@ lib/aws-java-sdk-1.10.74.jar
 lib/aws-java-sdk-1.11.37.jar
 .idea/workspace.xml
+
+target/classes/log4j2.xml
diff --git a/src/main/java/com/okta/tools/awscli.java b/src/main/java/com/okta/tools/awscli.java
index dca9aca..461adef 100644
--- a/src/main/java/com/okta/tools/awscli.java
+++ b/src/main/java/com/okta/tools/awscli.java
@@ -73,7 +73,7 @@ public class awscli {
 private static String awsIamSecret = null;
 private static AuthApiClient authClient;
- private static final String DefaultProfileName = "default";
+ private static final String DefaultProfileName = "default";
 private static FactorsApiClient factorClient;
 private static UserApiClient userClient;
@@ -407,6 +407,8 @@ private static AssumeRoleWithSAMLResult assumeAWSRole(String resultSAML) {
 String principalArn = principalArns.get(selection);
 String roleArn = roleArns.get(selection);
 crossAccountRoleName = roleArn.substring(roleArn.indexOf("/") + 1);
+ logger.debug("Cross-account role is " + crossAccountRoleName);
+
 //creates empty AWS credentials to prevent the AWSSecurityTokenServiceClient object from unintentionally loading the previous profile we just created
 BasicAWSCredentials awsCreds = new BasicAWSCredentials("", "");
@@ -488,9 +490,9 @@ private static void GetRoleToAssume(String roleName) {
 if (inlinePolicies.size() > 1) {
 //ask the user to select one policy if there are more than one
- logger.debug("Inline Policies: " + inlinePolicies.toString());
+ logger.debug("Inline Policies: " + inlinePolicies.toString());
- selectedPolicyRank = SelectPolicy(inlinePolicies);
+ selectedPolicyRank = SelectPolicy(inlinePolicies);
 }
 //Have to set the role name and the policy name (both are mandatory fields
@@ -553,14 +555,13 @@ private static String ProcessPolicyDocument(String policyDoc) {
 }
 }
 if (resource != null) {
- if(resource.isArray()) { //if we're handling a policy with an array of AssumeRole attributes
+ if (resource.isArray()) { //if we're handling a policy with an array of AssumeRole attributes
 ArrayList lstRoles = new ArrayList();
- for(final JsonNode node: resource) {
+ for (final JsonNode node : resource) {
 lstRoles.add(node.asText());
 }
 strRoleToAssume = SelectRole(lstRoles);
- }
- else {
+ } else {
 strRoleToAssume = resource.textValue();
 logger.debug("Role to assume: " + roleToAssume);
 }
@@ -590,7 +591,7 @@ private static String SelectRole(List lstRoles) {
 //Prompt user for policy selection
 int selection = numSelection(lstRoles.size());
- if(selection < 0 && lstRoles.size() > selection) {
+ if (selection < 0 && lstRoles.size() > selection) {
 System.out.println("\nYou entered an invalid number. Please try again.");
 return SelectRole(lstRoles);
 }
@@ -652,13 +653,11 @@ private static void UpdateCredentialsFile(String profileName, String awsAccessKe
 //if we end up here, it means we were able to find a matching profile
 PopulateCredentialsFile(profileNameWithBrackets, awsAccessKey, awsSecretKey, awsSessionToken);
 }
- }
- catch(AmazonClientException ace) {
- //this could happen if the default profile doesn't have a valid AWS Access Key ID
+ } catch (AmazonClientException ace) {
+ //this could happen if the default profile doesn't have a valid AWS Access Key ID
 //in this case, error would be "Unable to load credentials into profile [default]: AWS Access Key ID is not specified."
 PopulateCredentialsFile(profileNameWithBrackets, awsAccessKey, awsSecretKey, awsSessionToken);
- }
- catch (IllegalArgumentException iae) {
+ } catch (IllegalArgumentException iae) {
 //if we end up here, it means we were not able to find a matching profile so we need to append one
 PopulateCredentialsFile(profileNameWithBrackets, awsAccessKey, awsSecretKey, awsSessionToken);
 //FileWriter fileWriter = new FileWriter(System.getProperty("user.home") + "/.aws/credentials", true);
@@ -719,54 +718,52 @@ private static void PopulateCredentialsFile(String profileNameLine, String awsAc
 private static void UpdateConfigFile(String profileName, String roleToAssume) throws IOException {
- if (roleToAssume != null && !roleToAssume.equals("")) {
- File inFile = new File(System.getProperty("user.home") + "/.aws/config");
+ File inFile = new File(System.getProperty("user.home") + "/.aws/config");
- FileInputStream fis = new FileInputStream(inFile);
- BufferedReader br = new BufferedReader(new InputStreamReader(fis));
- File tempFile = new File(inFile.getAbsolutePath() + ".tmp");
- PrintWriter pw = new PrintWriter(new FileWriter(tempFile));
+ FileInputStream fis = new FileInputStream(inFile);
+ BufferedReader br = new BufferedReader(new InputStreamReader(fis));
+ File tempFile = new File(inFile.getAbsolutePath() + ".tmp");
+ PrintWriter pw = new PrintWriter(new FileWriter(tempFile));
- //first, we add our refreshed profile
- WriteNewRoleToAssume(pw, profileName, roleToAssume);
+ //first, we add our refreshed profile
+ WriteNewRoleToAssume(pw, profileName, roleToAssume);
- String line = null;
- int lineCounter = 0;
- boolean bFileStart = true;
+ String line = null;
+ int lineCounter = 0;
+ boolean bFileStart = true;
- //second, we're copying all the other profiles from the original config file
- while ((line = br.readLine()) != null) {
+ //second, we're copying all the other profiles from the original config file
+ while ((line = br.readLine()) != null) {
- if (line.contains(profileName)) {
- //we found the section we must replace but we don't necessarily know how many lines we need to skip
- while ((line = br.readLine()) != null) {
- if (line.startsWith("[")) {
- pw.println(line); //this is a new profile line, so we're copying it
- break;
- }
- }
- } else {
- if ((!line.contains(profileName) && !line.equalsIgnoreCase("\n"))) {
- pw.println(line);
- logger.debug(line);
+ if (line.contains(profileName)) {
+ //we found the section we must replace but we don't necessarily know how many lines we need to skip
+ while ((line = br.readLine()) != null) {
+ if (line.startsWith("[")) {
+ pw.println(line); //this is a new profile line, so we're copying it
+ break;
 }
 }
+ } else {
+ if ((!line.contains(profileName) && !line.equalsIgnoreCase("\n"))) {
+ pw.println(line);
+ logger.debug(line);
+ }
+ }
- }
+ }
- pw.flush();
- pw.close();
- br.close();
+ pw.flush();
+ pw.close();
+ br.close();
- //delete the original credentials file
- if (!inFile.delete()) {
- System.out.println("Could not delete original config file");
- } else {
- // Rename the new file to the filename the original file had.
- if (!tempFile.renameTo(inFile))
- System.out.println("Could not rename file");
- }
+ //delete the original credentials file
+ if (!inFile.delete()) {
+ System.out.println("Could not delete original config file");
+ } else {
+ // Rename the new file to the filename the original file had.
+ if (!tempFile.renameTo(inFile))
+ System.out.println("Could not rename file");
 }
 }
@@ -781,8 +778,8 @@ public static void WriteNewProfile(PrintWriter pw, String profileNameLine, Strin
 }
 public static void WriteNewRoleToAssume(PrintWriter pw, String profileName, String roleToAssume) {
+ pw.println("[profile " + profileName + "]");
- //writer.println("[" + credentialsProfileName + "]");
 if (roleToAssume != null && !roleToAssume.equals(""))
 pw.println("role_arn=" + roleToAssume);
 pw.println("source_profile=" + profileName);
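Review bot: With the `roleToAssume` guard removed, `UpdateConfigFile` now also rewrites the profile named by `DefaultProfileName`, and the section detection on the new side, `if (line.contains(profileName))`, is a substring match: a `source_profile=default` key inside another profile's section (or any profile whose name merely contains the target name) triggers the skip-until-next-`[` loop, so the remaining keys of that unrelated profile are silently dropped from the rewritten `~/.aws/config`. Matching the section header exactly avoids this and makes the inner `!line.contains(profileName)` test in the else branch redundant: `String header = line.trim(); if (header.equals("[profile " + profileName + "]") || header.equals("[" + profileName + "]")) {`. Separately, `fis`, `br` and `pw` are only closed on the success path; if `readLine` throws, the streams leak and a partial `.tmp` file is left next to the config, so try-with-resources around the read/write section, with the delete/rename after the block, would cover both cases. `lineCounter` and `bFileStart` are never read and can be removed.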