brightspace / bmx Goto Github PK

Before returning creds from ~/.bmx/credentials, credentialsutil should check that they have not expired. If they're expired, then return None.

It doesn't know if the username has changed, e.g., via the --username option.

Possible contacts:
Juno
Mark T.
Donn B.

We'll need these later: whenever the command is successful, we want to write the creds to ~/.bmx/credentials, keyed by account/role.

... and keep its AWS_* variables up-to-date as they expire and need renewal?

Related to #34.

When we write, specify version: 1.0.0.

When we read, if no version or version 1.0.0 is specified, then we proceed; otherwise we fail.

Related to #14. The config file can hold values like username, account name, role, etc...

The command will get a new STS token and write it to ~/.bmx/credentials.

Remove the bmx-X ones.

When BMX uses a token, it should check to see when the token will expire. If it will expire "soon" (a configurabe duration), then BMX should ask AWS for a new one while the old one still works.

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an CLI option for the AWS account, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)

When writing out the creds file, look for and remove expired entries.

Assuming that developers already have the AWS CLI and that they won't want BMX to sort out the dependency for them was a bad idea.

Integrating BMX with the CLI is a big pain point during installation. Although the CLI might already be installed, it will be for a different version of Python, etc...

Just list the CLI as a dependency and have Pip install it if need be.

#4 added support for TOTP MFA, where this issue adds SMS MFA.

After this issue is fixed, when a user requires MFA, and

1. they have registered with both TOTP and SMS, then we should show a menu and let the user choose,
2. they have registered with one of TOTP and SMS, then we should not show a menu, but just prompt for the value (TOTP vs SMS should be identified in the prompt.)
3. they have registered with neither, then BMX should fail.

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an environment variable for username, which BMX will use if no CLI option is provided.

Re-use Okta session to prevent multiple username/password entries. Suggestion taken from #5

We should include the changes for 0.0.2 and the upcoming 1.0.0.

BMX currently only supports primary username/password authentication.

https://github.com/okta/okta-sdk-python/blob/master/okta/AuthClient.py#L44

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an CLI option for the AWS role, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an CLI option for the AWS account, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an environment variable for the AWS account, which BMX will use if no CLI option is provided. (BMX should fail if the env var is invalid.)

Related to #34.

Rather than try to be robust during reading and writing, validate the credentials file before using it. (This expands on checking the version, which @nsimone implemented in #64 .)

We can use a schema validator like Rx or Schema. To get the most out of schema validation, we might want to change the 'credentials' -> '' -> '' mapping to a list of credentials, where each credential has an account and role field:

credentials:
  - account: <account #1>
    role: <role #2>
    SecretAccessKey: ...
  - account: <account #2>
    ...

In this case, here is an Rx example of a valid schema:

{
	"type": "//rec",
	"optional": {
		"version": {
			"type": "//str",
			"value": "1.0.0"
		},
		"meta": {
			"type": "//rec",
			"required": {
				"default": {
					"type": "//rec",
					"required": {
						"account": "//str",
						"role": "//str"
					}
				}
			}
		},
		"credentials": {
			"type": "//arr",
			"length": { "min": 1 },
			"contents": {
				"type": "//rec",
				"required": {
					"account": "//str",
					"role": "//str",
					"AccessKeyId": "//str",
					"SecretAccessKey": "//str",
					"SessionToken": "//str",
				},
				"optional": {
					"Expiration": "//str"
				},
			},
		},
	},
}

I actually don't see an Rx impl for Python, so YMMV there. It had a live demo, which I used to build this schema, but we might need to use a different validator.

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an environment variable for the AWS-account role, which BMX will use if no CLI option is provided. (BMX should fail if the environment variable is invalid.)

If the option is specified and identifies an existing role, then the user is not prompted for a a role. Otherwise, the user is prompted.

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an CLI option for the AWS account, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)

If SSO is not possible, there may be a possibility of using headless chrome to fetch an Okta auth token.

... so that we can print a friendly message when we hit an error, instead of a stack trace.

bmx print --username <username> --account <account> --role <role> -p

Traceback (most recent call last):
  File "C:\Users\cstavropoulos\AppData\Local\Programs\Python\Python36\Scripts\bmx-script.py", line 9, in <module>
    load_entry_point('bmx', 'console_scripts', 'bmx')()
  File "c:\d2l\bmx\bmx\bmx.py", line 51, in main
    return known_args.func(unknown_args)
  File "c:\d2l\bmx\bmx\bmxprint.py", line 125, in cmd
    print(format_credentials(known_args, credentials))
  File "c:\d2l\bmx\bmx\bmxprint.py", line 89, in format_credentials
    formatted_credentials = powershell_format_credentials(credentials)
  File "c:\d2l\bmx\bmx\bmxprint.py", line 78, in powershell_format_credentials
    credentials['AccessKeyId'],
TypeError: 'AwsCredentials' object is not subscriptable

Looks like the format of the credentials object changed and wasn't accounted for in bmx print. The tests have a hardcoded response coming from StsUtil so it would have been missed by the tests.

... to other creds, instead of duplicating an account/role's creds in the default section.

Like in SamlHacker. I think three will do:

1. json
2. powershell
3. bash

Once a command has retrieved credentials, it should cache them in ~/.bmx/credentials. Key the entries by account/role.

version: 1.0.0
credentials:
  <account>:
    <role>: <creds map>

Use this file to store credentials, instead of ~/.aws/credentials; then pass values to the AWS CLI using environment variables.

We want a configuration chain like:

1. CLI option, or
2. Environment variable, or
3. RC file, or
4. live prompt.

Add an CLI option for the AWS role, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)