Merge pull request #1 from alessandromr/initial-commit

onelogin-auth-cli initial commit

.gitignore

@@ -0,0 +1,3 @@
+.idea
+config.yaml
+onelogin-auth-cli

cmd/list.go

@@ -0,0 +1,28 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+// listCmd represents the list command
+var listCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List all roles and accounts available",
+	Run: func(cmd *cobra.Command, args []string) {
+		fmt.Println("Roles:")
+		for k, v := range config.Roles {
+			fmt.Printf("[%d] %s\n", k, v)
+		}
+
+		fmt.Println("Accounts:")
+		for k, v := range config.Accounts {
+			fmt.Printf("[%d] %s\n", k, v)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(listCmd)
+}

cmd/login.go

@@ -0,0 +1,166 @@
+package cmd
+
+import (
+	"fmt"
+	"log"
+	intAWS "onelogin-auth-cli/internal/aws"
+	"onelogin-auth-cli/internal/onelogin"
+	"onelogin-auth-cli/utils"
+	"os"
+	"strconv"
+
+	"github.com/spf13/cobra"
+)
+
+// loginCmd represents the login command
+var loginCmd = &cobra.Command{
+	Use:   "login",
+	Short: "Login command",
+	Run: func(cmd *cobra.Command, args []string) {
+		var role, account *int
+		var err error
+		var assertionPayload string
+
+		//Get Role and Accounts from parameters or from keyboard input
+		if len(args) != 2 {
+			role, err = getRole(config.Roles)
+			account, err = getAccount(config.Accounts)
+		} else {
+			roleNum, err := strconv.Atoi(args[0])
+			if err != nil {
+				fmt.Println("Role must be a number")
+				os.Exit(1)
+			}
+			accountNum, err := strconv.Atoi(args[1])
+			if err != nil {
+				fmt.Println("Account must be a number")
+				os.Exit(1)
+			}
+			if roleNum > len(config.Roles)-1 {
+				fmt.Println("Invalid Role")
+				os.Exit(1)
+			}
+			if accountNum > len(config.Accounts)-1 {
+				fmt.Println("Invalid Account")
+				os.Exit(1)
+			}
+			role = &roleNum
+			account = &accountNum
+			fmt.Println("Role: ", config.Roles[*role])
+			fmt.Println("Account: ", config.Accounts[*account].Name)
+		}
+		appID := config.Accounts[*account].AppID
+
+		//Get OneLogin access Token
+		token, err := onelogin.GetAccessToken(config.Onelogin.ClientID, config.Onelogin.ClientSecret)
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		//Get email and password from keyboard input
+		email, err := utils.PromptForString("Email")
+		if err != nil {
+			log.Fatalln(err)
+		}
+		password, err := utils.PromptForSecretString("Password")
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		//SAML Assertion and MFA Devices retrieval
+		assertionResponse, err := onelogin.SAMLAssertion(token, email, password, appID, config.Onelogin.AccountName)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		//MFA Device verification
+		var deviceID *int
+		if assertionResponse.Status.Message == "MFA is required for this user" {
+			fmt.Println("MFA Required, select a device:")
+			deviceID, err = getDeviceID(assertionResponse.Data[0].Devices)
+			if err != nil {
+				log.Fatalln(err)
+			}
+			mfaCode, err := utils.PromptForSecretString("MFA Code")
+			if err != nil {
+				log.Fatalln(err)
+			}
+			verificationResponse, err := onelogin.VerifyFactor(token, *deviceID, appID, assertionResponse.Data[0].StateToken, mfaCode)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			assertionPayload = verificationResponse.Data
+		}
+
+		//AssumeRole With SAML on AWS
+		accountID := config.Accounts[*account].AccountID
+		profileName := config.Accounts[*account].ProfileName
+		result, err := intAWS.AssumeRoleWithSAML(accountID, config.Roles[*role], assertionPayload)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		intAWS.SetCredentials(
+			*result.Credentials.AccessKeyId,
+			*result.Credentials.SecretAccessKey,
+			*result.Credentials.SessionToken,
+			config.DefaultRegion,
+			profileName,
+		)
+		fmt.Printf("Successfully setted credentials for: %s\n", profileName)
+	},
+}
+
+func getRole(roles []string) (*int, error) {
+
+	roleName, err := utils.PromptSelect("Role", config.Roles)
+	if err != nil {
+		return nil, err
+	}
+	for k, v := range roles {
+		if v == roleName {
+			return &k, nil
+		}
+	}
+	return nil, fmt.Errorf("Role not found")
+}
+
+func getAccount(accounts []Account) (*int, error) {
+	var accountsName []string
+	for _, v := range accounts {
+		accountsName = append(accountsName, v.Name)
+	}
+	accountName, err := utils.PromptSelect("Account", accountsName)
+	if err != nil {
+		return nil, err
+	}
+	for k, v := range accounts {
+		if v.Name == accountName {
+			return &k, nil
+		}
+	}
+	return nil, fmt.Errorf("Account not found")
+}
+
+func getDeviceID(devices []onelogin.Device) (*int, error) {
+	var deviceTypes []string
+	for _, v := range devices {
+		deviceTypes = append(deviceTypes, v.DeviceType)
+	}
+	selectedDeviceType, err := utils.PromptSelect("MFA Device", deviceTypes)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	for _, v := range devices {
+		if v.DeviceType == selectedDeviceType {
+			return &v.DeviceId, nil
+		}
+	}
+	return nil, fmt.Errorf("No device found")
+}
+
+func init() {
+	rootCmd.AddCommand(loginCmd)
+}

cmd/root.go

@@ -0,0 +1,62 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"log"
+)
+
+type Config struct {
+	Onelogin      OneLoginConf
+	Accounts      []Account `yaml:"accounts"`
+	Roles         []string  `yaml:"roles"`
+	DefaultRegion string    `yaml:"defaultRegion"`
+}
+
+type OneLoginConf struct {
+	ClientID     string `yaml:"onelogin-client-id"`
+	ClientSecret string `yaml:"onelogin-client-secret"`
+	AccountName  string `yaml:"onelogin-account"`
+}
+type Account struct {
+	Name        string `yaml:"name"`
+	AppID       string `yaml:"appID"`
+	AccountID   string `yaml:"accountID"`
+	ProfileName string `yaml:"profileName"`
+}
+
+var config Config
+
+// rootCmd represents the base command when called without any subcommands
+var rootCmd = &cobra.Command{
+	Use:   "onelogin-auth",
+	Short: "OneLogin authenticatio CLI Tool",
+}
+
+func Execute() {
+	cobra.CheckErr(rootCmd.Execute())
+}
+
+func init() {
+	var err error
+	config, err = LoadConfig("./")
+	if err != nil {
+		log.Fatalln(err)
+	}
+}
+
+func LoadConfig(path string) (config Config, err error) {
+	viper.AddConfigPath(path)
+	viper.SetConfigName("config")
+	viper.SetConfigType("yaml")
+
+	viper.AutomaticEnv()
+
+	err = viper.ReadInConfig()
+	if err != nil {
+		return
+	}
+
+	err = viper.Unmarshal(&config)
+	return
+}

config.yaml.example

@@ -0,0 +1,13 @@
+onelogin:
+  clientID: clientID of API credential with "Authentication only"
+  clientSecret: client Secret of API credential
+  accountName: onelogin account name
+accounts:
+  - name: myapp-prod
+    appID: onelogin app id (e.g. 123456)
+    accountID: AWS account ID
+    profileName: AWS IAM profile to store credentials in (in ~/.aws/credentials)
+roles:
+  - iam-role-1 # role that is configured in onelogin and IAM to use with the onelogin identity provider
+  - iam-role-2
+defaultRegion: us-east-1

go.mod

@@ -0,0 +1,31 @@
+module onelogin-auth-cli
+
+go 1.17
+
+require (
+	github.com/onelogin/onelogin-go-sdk v1.1.19
+	github.com/spf13/cobra v1.2.1
+	github.com/spf13/viper v1.9.0
+)
+
+require (
+	github.com/aws/aws-sdk-go v1.42.23 // indirect
+	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/mitchellh/mapstructure v1.4.2 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf // indirect
+	golang.org/x/text v0.3.6 // indirect
+	gopkg.in/ini.v1 v1.63.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)