🌱 Add support for password command

- Allow loading of password by command (OKTA_PASSWORD_CMD) - Add documentation for OKTA_PASSWORD_CMD - Provide macOS KeyChain example
tdupreeibp · Aug 21, 2018 · 4d1e456 · 4d1e456
1 parent 4339da8
commit 4d1e456
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 6 deletions.
diff --git a/Readme.MD b/Readme.MD
@@ -115,6 +115,7 @@ Here is the list of parameters that can be environment variables or settings in
  - ```OKTA_ORG``` which is the url of your Okta org (starting with https://).
  - ```OKTA_AWS_APP_URL``` is the url link of your Okta AWS application url (see below for more info) 
  - ```OKTA_USERNAME``` is the username to use. If present will skip username input.
+ - ```OKTA_PASSWORD_CMD``` is the command to fetch your password instead of showing a password prompt. [Read more...](docs/OKTA_PASSWORD_CMD.md) 
  - ```OKTA_BROWSER_AUTH``` set to **true** to use integrated web browser for authentication (default: **false**)
  - ```OKTA_COOKIES_PATH``` is directory path to store cookies.properties for Okta (default: ~/.okta)
  - ```OKTA_PROFILE``` is the name of the AWS profile to create/reuse. May also be specified on the commandline by ```--profile```. (default: get AWS profile name based on per-session STS user name) 

diff --git a/docs/OKTA_PASSWORD_CMD.md b/docs/OKTA_PASSWORD_CMD.md
@@ -0,0 +1,11 @@
+# OKTA_PASSWORD_CMD Documentation
+
+## Help wanted!
+
+Please contribute additional examples for your favored platform or password manager.
+
+## Example: macOS KeyChain
+
+1. Create password entry `security add-generic-password -a $OKTA_USERNAME -s okta-aws-cli -T /usr/bin/security -U`
+2. Launch KeyChain Access and search for **okta-aws-cli**
+3. Set OKTA_PASSWORD_CMD to `security find-generic-password -a $OKTA_USERNAME -s okta-aws-cli -w`
diff --git a/src/main/java/com/okta/tools/OktaAwsConfig.java b/src/main/java/com/okta/tools/OktaAwsConfig.java
@@ -1,18 +1,16 @@
 package com.okta.tools;
 
-import com.okta.tools.authentication.OktaAuthentication;
+import org.apache.commons.lang.SystemUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
+import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Optional;
 import java.util.Properties;
+import java.util.stream.Collectors;
 
 final class OktaAwsConfig {
 
@@ -51,7 +49,7 @@ static OktaAwsCliEnvironment loadEnvironment(String profile) {
  Boolean.valueOf(getEnvOrConfig(properties, "OKTA_BROWSER_AUTH")),
  getEnvOrConfig(properties, "OKTA_ORG"),
  getEnvOrConfig(properties, "OKTA_USERNAME"),
- null,
+ runProgram(getEnvOrConfig(properties, "OKTA_PASSWORD_CMD")),
  getEnvOrConfig(properties, "OKTA_COOKIES_PATH"),
  getProfile(profile, getEnvOrConfig(properties, "OKTA_PROFILE")),
  getEnvOrConfig(properties, "OKTA_AWS_APP_URL"),
@@ -63,6 +61,33 @@ static OktaAwsCliEnvironment loadEnvironment(String profile) {
  );
  }
 
+ private static String runProgram(String oktaPasswordCommand) {
+ if (oktaPasswordCommand == null) return null;
+ ProcessBuilder processBuilder = new ProcessBuilder();
+ if (SystemUtils.IS_OS_WINDOWS) {
+ processBuilder.command("cmd", "/C", oktaPasswordCommand);
+ } else if (SystemUtils.IS_OS_UNIX) {
+ processBuilder.command("sh", "-c", oktaPasswordCommand);
+ }
+ try {
+ Process passwordCommandProcess = processBuilder.start();
+ String password = getOutput(passwordCommandProcess);
+ int exitCode = passwordCommandProcess.waitFor();
+ if (exitCode == 0) return password;
+ throw new IllegalStateException("password command failed with exit code " + exitCode);
+ } catch (IOException | InterruptedException e) {
+ throw new IllegalStateException("password command failed", e);
+ }
+ }
+
+ private static String getOutput(Process process) throws IOException {
+ try (InputStream inputStream = process.getInputStream();
+ InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
+ BufferedReader bufferedReader = new BufferedReader(inputStreamReader)) {
+ return bufferedReader.lines().collect(Collectors.joining("\n"));
+ }
+ }
+
  private static Optional<Path> getConfigFile() {
  Path configInWorkingDir = Paths.get(CONFIG_FILENAME);
  if (Files.isRegularFile(configInWorkingDir)) {