clisso's People

Contributors

bitte-ein-bit, brandonstrohmeyer, dependabot[bot], dmitriyr333, eliran-allcloud, eliran89c, esilva-everbridge, johananl, mmoyle, narkoleptik, tristanmcpherson, uznog

clisso's Issues

Move to Go modules?

Moving from dep to Golang modules can make dependency management and building easier. It's nice to be able to simply git clone && make anywhere, without thinking about GOPATH etc.

Could not get temporary credentials: generating SAML assertion: doing HTTP request: 401 Unauthorized

Hello,

In my setup I have many different AWS accounts and each account has many roles. I am running into this issue with version 0.7.0 where, if I get a credential from one account, it works, but if I try to get a credential from a different account right after, I receive the error

Could not get temporary credentials: generating SAML assertion: doing HTTP request: 401 Unauthorized

It seems that if I delete the credential from my aws config as well as remove the clisso config and set it up again, I am able to generate the other credential. It seems it can only be one at a time for some reason.
Thanks!

400 Bad Request when getting credentials

I have a OneLogin account connected to several AWS accounts. The OneLogin integration works fine from the OneLogin UI.

However, when I try to 'get' an AWS account, I get the following error:

$ clisso get stage
Could not get temporary credentials: generating SAML assertion: doing HTTP request: 400 Bad Request

I have gone through the steps to create a provider and the app, neither of which generated any errors.

Any idea what is going on here? Some configuration error in OneLogin?

Validate device ID

clisso/onelogin/get.go

Lines 96 to 105 in 98434dc

if len(devices) > 1 {
	for i, d := range devices {
		fmt.Printf("%d. %d - %s\n", i+1, d.DeviceId, d.DeviceType)
	}
	fmt.Printf("Please choose an MFA device to authenticate with (1-%d): ", len(devices))
	var selection int
	fmt.Scanln(&selection)
	deviceID = fmt.Sprintf("%v", devices[selection-1].DeviceId)
}

When selecting an invalid index, the app will panic.
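One way to make the selection safe, as an added Go example (not clisso's own code; the Device type is an assumed stand-in for the two fields the snippet prints): the answer is parsed and range-checked before the slice is indexed, so bad input becomes an error rather than a panic.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Device is an assumed stand-in for the two fields the snippet above prints.
type Device struct {
	DeviceId   int
	DeviceType string
}

// chooseDeviceID validates the 1-based answer before indexing, so bad input is an error, not a panic.
func chooseDeviceID(devices []Device, in io.Reader, out io.Writer) (string, error) {
	if len(devices) == 0 {
		return "", errors.New("no MFA devices registered for this user")
	}
	if len(devices) == 1 { // nothing to choose from
		return strconv.Itoa(devices[0].DeviceId), nil
	}
	for i, d := range devices {
		fmt.Fprintf(out, "%d. %d - %s\n", i+1, d.DeviceId, d.DeviceType)
	}
	fmt.Fprintf(out, "Please choose an MFA device to authenticate with (1-%d): ", len(devices))
	sc := bufio.NewScanner(in)
	if !sc.Scan() {
		return "", errors.New("no selection entered")
	}
	line := strings.TrimSpace(sc.Text())
	n, err := strconv.Atoi(line)
	if err != nil {
		return "", fmt.Errorf("invalid selection %q: expected a number between 1 and %d", line, len(devices))
	}
	if n < 1 || n > len(devices) {
		return "", fmt.Errorf("selection %d is out of range (1-%d)", n, len(devices))
	}
	return strconv.Itoa(devices[n-1].DeviceId), nil
}

func main() {
	devices := []Device{{1001, "OneLogin Protect"}, {1002, "Google Authenticator"}} // constructed sample
	id, err := chooseDeviceID(devices, os.Stdin, os.Stdout)
	fmt.Println("selected:", id, "error:", err)
}
```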

Update README

README isn't up to date at the moment.

Things which need to be present:

  • Overview
  • Installation
  • Usage
  • Developing
  • Caveats
  • TODO

Move Spinner code to function

With this API for spinner, it would be easy to forget to call Stop() when handling errors and spin forever.

Maybe it could be changed to a function to help you remember to clean up?

s.Run(func() {
  // after this runs the spinner is stopped
})


Originally posted by @pullrequest[bot] in #96 (comment)

Get a group of apps

Most of the time we are working with more than one app at the same time. At the moment, to get credentials one needs to call clisso get appname for each app and introduce the password (and the OTP if configured) for each call.

This is redundant and my proposal is to add the possibility to either call get with multiple app names (ex: clisso get appname1 appname2 appname3) or cache the authentication (for let's say 30 sec).

WDYT?

Improve CLI output

  • Separate stdout/stderr
  • Enable silent mode for | sh
  • Add spinner
  • Terminal colors

Store passwords in system keychains

Storing passwords in system keychains would ensure that lost/compromised machines don't leak OneLogin passwords (or: if they do, it's not down to this tool).

A simple implementation could use runtime.GOOS to determine the OS and infer keychains from there (a good jumping off point would be via: https://github.com/tmc/keyring) and then default to the config file/asking should it be unable to access any.

Add license

Need to choose a suitable OSS license and add license info to source.

Handle missing ~/.aws directory

At the moment, when trying to run clisso get when the ~/.aws directory doesn't exist, Clisso exits with the following error:

Error processing credentials: writing credentials to file: open /Users/<user>/.aws/credentials: no such file or directory

It is probably safe to create this directory if it doesn't exist, and perhaps show a warning to the user. The ~/.aws/credentials file is already created automatically if it doesn't exist.
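An added Go example, not clisso's own code, of creating the missing directory before the write: it also creates the directory 0700 and a new file 0600 so other local users cannot read the temporary credentials, and reports whether the directory was created so the caller can print the suggested warning. The main function writes only under a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeCredentialsFile creates the parent directory (the ~/.aws of the issue) when it is
// missing and then writes the file. The directory is created 0700 and a new file 0600 so
// other local users cannot read the temporary credentials (an existing file keeps its mode).
// It reports whether the directory was created so the caller can warn the user.
func writeCredentialsFile(path string, data []byte) (created bool, err error) {
	dir := filepath.Dir(path)
	_, statErr := os.Stat(dir)
	switch {
	case os.IsNotExist(statErr):
		if err := os.MkdirAll(dir, 0o700); err != nil {
			return false, fmt.Errorf("creating %s: %w", dir, err)
		}
		created = true
	case statErr != nil:
		return false, fmt.Errorf("checking %s: %w", dir, statErr)
	}
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return created, fmt.Errorf("writing credentials to file: %w", err)
	}
	return created, nil
}

func main() {
	// Constructed sample: write under a temporary directory, never the real ~/.aws.
	base, err := os.MkdirTemp("", "clisso-example")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	defer os.RemoveAll(base)
	path := filepath.Join(base, ".aws", "credentials")
	created, err := writeCredentialsFile(path, []byte("[stage]\naws_access_key_id = EXAMPLE\n"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error processing credentials:", err)
		return
	}
	if created {
		fmt.Printf("Warning: created missing directory %s\n", filepath.Dir(path))
	}
	fmt.Println("credentials written to", path)
}
```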

Clisso newer than 0.7 causes 500 errors in OneLogin

This is with 2FA turned on. Think it can be pretty easily reproduced. The --debug flag would be useful as while a 500 error is their problem, they won't support it without:

Just generate data showing all the input parameters and the full HTTP header data that is returned when you get that 500 internal server error response from OneLogin.

Extract ARNs from SAML on onelogin

Given that onelogin/aws SAML responses return the necessary ARNs, extract these and use them to generate credentials rather than hardcoding them in config.

Where multiple ARNs exist, such as is the case with the onelogin multi-account app, present a form for a user to select from.

This approach is used in onelogin reference implementations of pulling AWS creds:

  1. https://developers.onelogin.com/api-docs/1/samples/aws-cli
  2. https://github.com/onelogin/onelogin-aws-cli-assume-role/blob/master/onelogin-aws-assume-role-cli/src/main/java/com/onelogin/aws/assume/role/cli/OneloginAWSCLI.java#L222-L241
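An added Go example (not clisso's or OneLogin's code) of the extraction step: it decodes a base64 SAMLResponse and pulls every role/provider pair from the https://aws.amazon.com/SAML/Attributes/Role attribute, handling both value orders AWS accepts; the embedded assertion is a constructed sample. A result with more than one pair is the multi-account case where a selection prompt is needed.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

const roleAttr = "https://aws.amazon.com/SAML/Attributes/Role"
// Constructed sample assertion; the second value uses the reversed provider,role order AWS also accepts.
const sampleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/OneLogin</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::210987654321:saml-provider/OneLogin,arn:aws:iam::210987654321:role/ReadOnly</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>`
type RolePair struct{ RoleARN, PrincipalARN string } // a role and the SAML provider trusted to assume it
type samlResponse struct { // only the elements needed; encoding/xml matches local names, so prefixes do not matter
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}
// rolesFromSAML decodes a base64 SAMLResponse and returns every role/provider pair it carries.
func rolesFromSAML(b64 string) ([]RolePair, error) {
	var resp samlResponse
	if err := xml.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(b64))).Decode(&resp); err != nil {
		return nil, fmt.Errorf("parsing SAMLResponse: %w", err)
	}
	var roles []RolePair
	for _, a := range resp.Attributes {
		if a.Name != roleAttr {
			continue
		}
		for _, v := range a.Values {
			parts := strings.Split(strings.TrimSpace(v), ",")
			if len(parts) != 2 {
				return nil, fmt.Errorf("malformed Role attribute value %q", v)
			}
			p := RolePair{parts[0], parts[1]}
			if strings.Contains(parts[1], ":role/") { // provider,role order
				p.RoleARN, p.PrincipalARN = parts[1], parts[0]
			}
			roles = append(roles, p)
		}
	}
	if len(roles) == 0 {
		return nil, fmt.Errorf("assertion carries no %s attribute", roleAttr)
	}
	return roles, nil
}
func main() { fmt.Println(rolesFromSAML(base64.StdEncoding.EncodeToString([]byte(sampleAssertion)))) }
```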

Question: how to assign a default AWS region?

Every time I use Clisso get, I have to set up the AWS region again. Can there be a way to set this up in the provider? I can't seem to use the "region" for this as it seems that it is used for something else.

End-to-end tests

At the moment we have no e2e tests for Clisso. It would be extremely valuable to be able to verify the application actually works, possibly on every pull request etc.

I was thinking about adding a directory for e2e tests, and using the built-in Golang testing library to spawn a Clisso process with various arguments, then verifying the process' stdout and result (credentials written to shell / file etc.).

Ideally we should have a way of doing so without communicating with real resources. The OneLogin API can probably be mocked easily using a simple HTTP server with pre-configured responses. Mocking AWS IAM may be slightly more complicated (but maybe something like this or this could help?).

Start versioning

Need to start versioning the project, including displaying version info on clisso version.

Add debug flag

It could be very useful to have a --debug flag on Clisso which would cause the app to log for example HTTP requests.

Use an interface to abstract provider types

clisso/cmd/get.go

Lines 87 to 109 in baae940

if pType == "onelogin" {
	creds, err := onelogin.Get(app, provider)
	if err != nil {
		log.Fatal(color.RedString("Could not get temporary credentials: "), err)
	}
	// Process credentials
	err = processCredentials(creds, app)
	if err != nil {
		log.Fatalf(color.RedString("Error processing credentials: %v"), err)
	}
} else if pType == "okta" {
	creds, err := okta.Get(app, provider)
	if err != nil {
		log.Fatal(color.RedString("Could not get temporary credentials: "), err)
	}
	// Process credentials
	err = processCredentials(creds, app)
	if err != nil {
		log.Fatalf(color.RedString("Error processing credentials: %v"), err)
	}
} else {
	log.Fatalf(color.RedString("Unsupported identity provider type '%s' for app '%s'"), pType, app)
}

We could use an interface to eliminate the code duplication above and have something like the following:

p := NewProvider(pType)
creds, err := p.Get()
...

The concrete provider type would be constructed based on the invoked command.

Print app name in `clisso get`

Need to print the app name in the output of clisso get, especially when running the command without arguments (that is - when getting the selected app).

Error - Could not get temporary credentials: EOF

Hello,
I'm trying to set up clisso on my Windows machine. The Okta is configured with MFA (Okta Verify). I tried various ways to get the temp token. It accepts my password and challenges for the MFA (OTP from my MFA device, the Okta Verify app) and then gets the following error:
"Could not get temporary credentials: EOF"

Here are the various commands that I tried
C:\Program Files\clisso-windows-386.exe>clisso.exe get okta
Please enter my-provider password:
Please enter the OTP from your MFA device: 951212
Could not get temporary credentials: EOF

C:\Program Files\clisso-windows-386.exe>clisso.exe get okta -w "C:\Users\dinesh.katariya.aws\credentials"
Please enter my-provider password:
Please enter the OTP from your MFA device: 412350
Could not get temporary credentials: EOF

C:\Program Files\clisso-windows-386.exe>clisso.exe get okta -s
Please enter my-provider password:
Please enter the OTP from your MFA device: 009326
Could not get temporary credentials: EOF

Support OneLogin app lookup

Need to see if there is a convenient (and secure!) way to query the OneLogin API for existing applications for the user. This could save having to configure applications in the config file.

Reduce nested if statements

This point in the code is very deeply nested within if statements, which makes it difficult to tell if the error handling is correct.

Maybe you could extract this into a helper function? Extracting this code into a smaller helper function, maybe something like fetchMFA(), could reduce the complexity of this code and make it less error-prone.


Originally posted by @pullrequest[bot] in #96 (comment)

Error should be handled first

clisso/aws/aws.go

Lines 40 to 47 in 3beeddd

if err == nil {
	if time.Now().UTC().Unix() > v.Unix() {
		cfg.DeleteSection(s.Name())
	}
} else {
	log.Printf(color.YellowString("Cannot parse date (%v) in section %s: %s",
		s.Key("aws_expiration")), s.Name(), err)
}

We should first return on error, then continue normal flow without else.
