
Merge pull request #1183 from 99designs/preference-stored-creds
Prefer stored credentials over other credential sources
mtibben authored Mar 9, 2023
2 parents 276270c + ef2b8b9 commit d25afcf
Showing 3 changed files with 22 additions and 102 deletions.
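--- a/vault/config.go
+++ b/vault/config.go
@@ -680,35 +680,3 @@ func (c *ProfileConfig) GetSessionTokenDuration() time.Duration {
 }
 return c.NonChainedGetSessionTokenDuration
 }
-
-func (c *ProfileConfig) Validate() error {
-if c.HasSSOSession() && !c.HasSSOStartURL() {
-return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
-}
-
-n := 0
-if c.HasSSOStartURL() {
-n++
-}
-if c.HasWebIdentity() {
-n++
-}
-if c.HasCredentialProcess() {
-n++
-}
-if c.HasSourceProfile() {
-n++
-}
-if c.HasRole() &&
-// these cases require the role to be set in addition, so it's part of
-// their credential.
-!c.HasSourceProfile() &&
-!c.HasWebIdentity() {
-n++
-}
-if n > 1 {
-return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
-}
-
-return nil
-}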
46 changes: 0 additions & 46 deletions vault/config_test.go
Expand Up @@ -616,49 +616,3 @@ source_profile = interim
t.Fatalf("Expected transitive_session_tags to be empty, got %+v", baseConfig.TransitiveSessionTags)
}
}

func TestValidConfigValidation(t *testing.T) {
f := newConfigFile(t, []byte(`
[profile foo]
region = eu-west-1
mfa_serial = arn:aws:iam::9999999999999:mfa/david
[profile foo:staging]
role_arn = arn:aws:iam::1111111111111:role/admin
source_profile = foo
region = eu-west-2
mfa_serial = arn:aws:iam::9999999999999:mfa/david
[profile foo:production]
role_arn = arn:aws:iam::1111111111111:role/admin
source_profile = foo
region = eu-west-2
mfa_serial = arn:aws:iam::9999999999999:mfa/david
credential_process = true
[profile withwebidentity]
role_arn = arn:aws:iam::123457890:role/foo
web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
`))
defer os.Remove(f)
configFile, _ := vault.LoadConfig(f)
configLoader := &vault.ConfigLoader{File: configFile}

config, _ := configLoader.GetProfileConfig("foo:staging")
err := config.Validate()
if err != nil {
t.Fatalf("Should have validated: %v", err)
}

config, _ = configLoader.GetProfileConfig("foo:production")
err = config.Validate()
if err == nil {
t.Fatalf("Should have failed validation: %v", err)
}

config, _ = configLoader.GetProfileConfig("withwebidentity")
err = config.Validate()
if err != nil {
t.Fatalf("Should have validated withwebidentity: %v", err)
}
}
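--- a/vault/vault.go
+++ b/vault/vault.go
@@ -237,46 +237,44 @@ type tempCredsCreator struct {
 chainedMfa string
 }
 
-func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsProvider aws.CredentialsProvider, err error) {
-if config.HasSourceProfile() {
-log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
-return t.GetProviderForProfile(config.SourceProfile)
-}
-
-hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
-if err != nil {
-return nil, err
-}
-
+func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig, hasStoredCredentials bool) (sourcecredsProvider aws.CredentialsProvider, err error) {
 if hasStoredCredentials {
 log.Printf("profile %s: using stored credentials", config.ProfileName)
 return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
 }
 
+if config.HasSourceProfile() {
+log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
+return t.GetProviderForProfile(config.SourceProfile)
+}
+
 return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
 }
 
 func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
-if err := config.Validate(); err != nil {
+hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
+if err != nil {
 return nil, err
 }
 
-if config.HasSSOStartURL() {
-log.Printf("profile %s: using SSO role credentials", config.ProfileName)
-return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
-}
+if !hasStoredCredentials {
+if config.HasSSOStartURL() {
+log.Printf("profile %s: using SSO role credentials", config.ProfileName)
+return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
+}
 
-if config.HasWebIdentity() {
-log.Printf("profile %s: using web identity", config.ProfileName)
-return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
-}
+if config.HasWebIdentity() {
+log.Printf("profile %s: using web identity", config.ProfileName)
+return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
+}
 
-if config.HasCredentialProcess() {
-log.Printf("profile %s: using credential process", config.ProfileName)
-return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
+if config.HasCredentialProcess() {
+log.Printf("profile %s: using credential process", config.ProfileName)
+return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
 }
+}
 
-sourcecredsProvider, err := t.getSourceCreds(config)
+sourcecredsProvider, err := t.getSourceCreds(config, hasStoredCredentials)
 if err != nil {
 return nil, err
 }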
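Review bot: With Validate() removed in this commit, nothing rejects or reports a profile that configures more than one credential source, so at `if !hasStoredCredentials {` a profile that has stored credentials and also sso_start_url, web_identity_token_process or credential_process silently takes the stored-credential path, and inside that block sso_start_url silently wins over the other two. The old check turned that into an error; the new precedence is defensible, but the bypassed source should at least be visible in the log so an operator can tell which identity a command actually ran under. An `else if config.HasSSOStartURL() || config.HasWebIdentity() || config.HasCredentialProcess() { log.Printf("profile %s: stored credentials take precedence over configured sso/web identity/credential process sources", config.ProfileName) }` on that block would do, and the resulting order (stored credentials, then SSO, web identity, credential process, then source_profile) belongs in doc comments on GetProviderForProfile and getSourceCreds, neither of which has one. GetProviderForProfile continues past the end of the hunk.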
