Add AWS MFA (#23)

Gopkg.toml

@@ -1,11 +1,27 @@
 [[constraint]]
   name = "github.com/aws/aws-sdk-go"
-  version = "1.15.36"
+  version = "1.15.39"
 
 [[constraint]]
   name = "github.com/blang/semver"
   version = "3.5.1"
 
+[[constraint]]
+  branch = "master"
+  name = "github.com/chanzuckerberg/go-kmsauth"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/chanzuckerberg/go-misc"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/hashicorp/go-getter"
+
+[[constraint]]
+  name = "github.com/hashicorp/go-multierror"
+  version = "1.0.0"
+
 [[constraint]]
   name = "github.com/mitchellh/go-homedir"
   version = "1.0.0"
@@ -14,6 +30,10 @@
   name = "github.com/pkg/errors"
   version = "0.8.0"
 
+[[constraint]]
+  name = "github.com/segmentio/go-prompt"
+  branch = "master"
+
 [[constraint]]
   name = "github.com/sirupsen/logrus"
   version = "1.0.6"
@@ -23,25 +43,17 @@
   version = "0.0.3"
 
 [[constraint]]
-  branch = "master"
-  name = "golang.org/x/crypto"
-
-[prune]
-  go-tests = true
-  unused-packages = true
+  name = "github.com/stretchr/testify"
+  version = "1.2.2"
 
 [[constraint]]
   branch = "master"
-  name = "github.com/chanzuckerberg/go-kmsauth"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/chanzuckerberg/go-misc"
+  name = "golang.org/x/crypto"
 
 [[constraint]]
-  name = "github.com/segmentio/go-prompt"
-  branch = "master"
+  name = "gopkg.in/yaml.v2"
+  version = "2.2.1"
 
-[[constraint]]
-  branch = "master"
-  name = "github.com/hashicorp/go-getter"
+[prune]
+  go-tests = true
+  unused-packages = true

cmd/import-config.go

@@ -65,7 +65,6 @@ var importConfigCmd = &cobra.Command{
 		if err != nil {
 			return err
 		}
-		conf.SetPaths(configFileExpanded)
 
 		// Try to use the default id_rsa key
 		conf.ClientConfig.SSHPrivateKey = path.Join(sshDirExpanded, "id_rsa")

cmd/init.go

@@ -24,12 +24,17 @@ var initCmd = &cobra.Command{
 		if err != nil {
 			return errs.ErrMissingConfig
 		}
-		conf := config.DefaultConfig()
+		conf, err := config.DefaultConfig()
+		if err != nil {
+			return err
+		}
+
+		// override the config path if needed
 		configFileExpanded, err := homedir.Expand(configFile)
 		if err != nil {
 			return errors.Wrapf(err, "Could not expand %s", configFile)
 		}
-		conf.SetPaths(configFileExpanded)
+		conf.ClientConfig.ConfigFile = configFileExpanded
 
 		// Ask for some user values
 		conf.ClientConfig.SSHPrivateKey = prompt.StringRequired("path to the ssh private key to use")

cmd/run.go

@@ -1,10 +1,8 @@
 package cmd
 
 import (
-	"fmt"
-	"path"
-
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	bless "github.com/chanzuckerberg/blessclient/pkg/bless"
@@ -30,7 +28,7 @@ var runCmd = &cobra.Command{
 	Short:         "run requests a certificate",
 	SilenceErrors: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		log.Info("Running blessclient")
+		log.Debugf("Running blessclient v%s", util.VersionCacheKey())
 		configFile, err := cmd.Flags().GetString("config")
 		if err != nil {
 			return errs.ErrMissingConfig
@@ -56,24 +54,35 @@ var runCmd = &cobra.Command{
 			return errors.Wrap(err, "Could not create aws session")
 		}
 
+		mfaTokenProvider := util.TokenProvider("AWS MFA token:")
 		var regionErrors error
 		for _, region := range conf.LambdaConfig.Regions {
-			// for things meant to be run as a user
-			userConf := &aws.Config{
+			awsUserSessionProviderConf := &aws.Config{
 				Region: aws.String(region.AWSRegion),
 			}
+			awsSessionProviderClient := cziAWS.New(sess).WithAllServices(awsUserSessionProviderConf)
+
+			awsSessionTokenProvider := cziAWS.NewUserTokenProvider(conf.GetAWSSessionCachePath(), awsSessionProviderClient, mfaTokenProvider)
+			userConf := &aws.Config{
+				Region:      aws.String(region.AWSRegion),
+				Credentials: credentials.NewCredentials(awsSessionTokenProvider),
+			}
 			// for things meant to be run as an assumed role
-			roleCreds := stscreds.NewCredentials(
-				sess,
-				conf.LambdaConfig.RoleARN, func(p *stscreds.AssumeRoleProvider) {
-					p.TokenProvider = stscreds.StdinTokenProvider
-				},
-			)
 			roleConf := &aws.Config{
-				Credentials: roleCreds,
-				Region:      aws.String(region.AWSRegion),
+				Region: aws.String(region.AWSRegion),
+				Credentials: stscreds.NewCredentials(
+					sess,
+					conf.LambdaConfig.RoleARN, func(p *stscreds.AssumeRoleProvider) {
+						p.TokenProvider = stscreds.StdinTokenProvider
+					},
+				),
 			}
-			awsClient := cziAWS.New(sess).WithIAM(userConf).WithLambda(roleConf).WithKMS(userConf)
+
+			awsClient := cziAWS.New(sess).
+				WithIAM(userConf).
+				WithKMS(userConf).
+				WithSTS(userConf).
+				WithLambda(roleConf)
 
 			user, err := awsClient.IAM.GetCurrentUser()
 			if err != nil {
@@ -83,9 +92,6 @@ var runCmd = &cobra.Command{
 				return errors.New("AWS returned nil user")
 			}
 
-			regionCacheFile := fmt.Sprintf("%s.json", region.AWSRegion)
-			regionalKMSAuthCache := path.Join(conf.ClientConfig.KMSAuthCacheDir, util.VersionCacheKey(), regionCacheFile)
-
 			kmsauthContext := &kmsauth.AuthContextV2{
 				From:     *user.UserName,
 				To:       conf.LambdaConfig.FunctionName,
@@ -96,7 +102,7 @@ var runCmd = &cobra.Command{
 				region.KMSAuthKeyID,
 				kmsauth.TokenVersion2,
 				conf.ClientConfig.CertLifetime.AsDuration(),
-				&regionalKMSAuthCache,
+				aws.String(conf.GetKMSAuthCachePath(region.AWSRegion)),
 				kmsauthContext,
 				awsClient,
 			)

pkg/bless/client.go

@@ -94,7 +94,7 @@ func (c *Client) RequestCert() error {
 		return nil
 	}
 
-	log.Infof("Requesting new cert")
+	log.Debug("Requesting new cert")
 	pubKey, err := s.ReadPublicKey()
 	if err != nil {
 		return err

pkg/bless/client_test.go

@@ -10,13 +10,12 @@ import (
 	"testing"
 	"time"
 
-	"github.com/chanzuckerberg/blessclient/pkg/errs"
-
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/chanzuckerberg/blessclient/pkg/bless"
 	"github.com/chanzuckerberg/blessclient/pkg/config"
+	"github.com/chanzuckerberg/blessclient/pkg/errs"
 	"github.com/chanzuckerberg/go-kmsauth"
 	cziAws "github.com/chanzuckerberg/go-misc/aws"
 	"github.com/stretchr/testify/assert"
@@ -275,10 +274,11 @@ func testConfig(t *testing.T) (*config.Config, []string) {
 	a.Nil(err)
 
 	conf := &config.Config{
-		ClientConfig: config.ClientConfig{},
+		ClientConfig: config.ClientConfig{
+			ConfigFile: path.Join(dirName, "config.yml"),
+		},
 		LambdaConfig: config.LambdaConfig{},
 	}
-	conf.SetPaths(path.Join(dirName, "config.yml"))
 	conf.ClientConfig.SSHPrivateKey = f.Name()
 	conf.ClientConfig.RemoteUsers = []string{"test-principal"}