Merge pull request #8 from duplocloud/release/0.4.1

Release v0.4.1

.gitignore

@@ -1,3 +1,4 @@
+*.exe
 .idea/
 *.log
 test/

Makefile

@@ -1,10 +1,10 @@
-VERSION=0.3.3
+VERSION=0.4.1
 
 default: all
 
 .PHONY:
 clean:
-	rm -f duplo-aws-credential-process
+	rm -f duplo-aws-credential-process *.exe
 
 install: all
 	sudo install -o root -m 755 duplo-aws-credential-process /usr/local/bin/duplo-aws-credential-process

cmd/duplo-aws-credential-process/interactive.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -11,90 +12,123 @@ import (
 	"github.com/skratchdot/open-golang/open"
 )
 
-type tokenResult struct {
-	token string
+type TokenResult struct {
+	Token string `json:"token"`
+	OTP   string `json:"otp,omitempty"`
 	err   error
 }
 
-func tokenViaPost(baseUrl string, timeout time.Duration) (string, error) {
+func handlerTokenViaPost(baseUrl string, res http.ResponseWriter, req *http.Request) (completed bool, bytes []byte) {
+	var err error
+	status := "ok"
+
+	// Only allow the specified Duplo to give us creds.
+	res.Header().Add("Access-Control-Allow-Origin", baseUrl)
+	res.Header().Add("Access-Control-Allow-Headers", "X-Requested-With")
+	res.Header().Add("Access-Control-Allow-Headers", "Accept")
+	res.Header().Add("Access-Control-Allow-Headers", "Content-Type")
+
+	// A POST means we are done, whether good or bad.
+	if req.Method == "POST" {
+		defer req.Body.Close()
+
+		completed = true
+
+		// Authorize the origin, and get the POST body.
+		origin := req.Header.Get("Origin")
+		if origin != baseUrl {
+			err = fmt.Errorf("unauthorized origin: %s", origin)
+		} else {
+			bytes, err = io.ReadAll(req.Body)
+		}
+	}
+
+	// Send the proper response.
+	if completed {
+		if err != nil {
+			res.WriteHeader(500)
+			status = "failed"
+		} else {
+			status = "done"
+		}
+	}
+
+	// TODO: output any errors to the console
+
+	_, _ = fmt.Fprintf(res, "\"%s\"\n", status)
+
+	return
+}
+
+func tokenViaPost(baseUrl string, admin bool, timeout time.Duration) TokenResult {
 
 	// Create the listener on a random port.
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
-		return "", err
+		return TokenResult{err: err}
 	}
 
 	// Get the port being listened to.
 	localPort := listener.Addr().(*net.TCPAddr).Port
 
 	// Run the HTTP server on localhost.
-	done := make(chan tokenResult)
+	done := make(chan TokenResult)
 	go func() {
 		mux := http.NewServeMux()
 
+		// legacy API, with no facility for OTP
 		mux.HandleFunc("/", func(res http.ResponseWriter, req *http.Request) {
-			var bytes []byte
-			var err error
-			completed := false
-			status := "ok"
-
-			// Only allow the specified Duplo to give us creds.
-			res.Header().Add("Access-Control-Allow-Origin", baseUrl)
-
-			// A POST means we are done, whether good or bad.
-			if req.Method == "POST" {
-				defer req.Body.Close()
+			completed, bytes := handlerTokenViaPost(baseUrl, res, req)
 
-				completed = true
-
-				// Authorize the origin, and get the POST body.
-				origin := req.Header.Get("Origin")
-				if origin != baseUrl {
-					err = fmt.Errorf("unauthorized origin: %s", origin)
-				} else {
-					bytes, err = io.ReadAll(req.Body)
-				}
+			// If we are done, send the result to the channel.
+			if completed {
+				done <- TokenResult{Token: string(bytes), err: err}
 			}
+		})
 
-			// Send the proper response.
+		// API with facility for OTP
+		mux.HandleFunc("/v2/callbackWithOtp", func(res http.ResponseWriter, req *http.Request) {
+			completed, bytes := handlerTokenViaPost(baseUrl, res, req)
+
+			// If we are done, send the result to the channel.
 			if completed {
-				if err != nil {
-					res.WriteHeader(500)
-					status = "failed"
+				rp := TokenResult{}
+				if len(bytes) == 0 {
+					rp.err = errors.New("canceled")
 				} else {
-					status = "done"
-					if len(bytes) == 0 {
-						err = errors.New("canceled")
+					err = json.Unmarshal(bytes, &rp)
+					if err != nil {
+						message := fmt.Sprintf("%s: cannot unmarshal response from JSON: %s", "/v2/callbackWithOtp", err.Error())
+						rp.err = errors.New(message)
 					}
 				}
-			}
-			_, _ = fmt.Fprintf(res, "\"%s\"\n", status)
-
-			// If we are done, send the result to the channel.
-			if completed {
-				done <- tokenResult{token: string(bytes), err: err}
+				done <- rp
 			}
 		})
+
 		_ = http.Serve(listener, mux)
 	}()
 
 	// Open the browser.
-	url := fmt.Sprintf("%s/app/user/verify-token?localAppName=duplo-aws-credential-process&localPort=%d", baseUrl, localPort)
+	adminFlag := ""
+	if admin {
+		adminFlag = "&isAdmin=true"
+	}
+	url := fmt.Sprintf("%s/app/user/verify-token?localAppName=duplo-aws-credential-process&localPort=%d%s", baseUrl, localPort, adminFlag)
 	err = open.Run(url)
 	dieIf(err, "failed to open interactive browser session")
 
 	// Wait for the token result, and return it.
 	select {
 	case tokenResult := <-done:
-		return tokenResult.token, tokenResult.err
+		return tokenResult
 	case <-time.After(timeout):
-		return "", errors.New("timed out")
+		return TokenResult{err: errors.New("timed out")}
 	}
 }
 
-func mustTokenInteractive(host string) string {
-	token, err := tokenViaPost(host, 180*time.Second)
-	dieIf(err, "failed to get token from interactive browser session")
-
-	return token
+func mustTokenInteractive(host string, admin bool) (tokenResult TokenResult) {
+	tokenResult = tokenViaPost(host, admin, 180*time.Second)
+	dieIf(tokenResult.err, "failed to get token from interactive browser session")
+	return
 }

cmd/duplo-aws-credential-process/main.go

@@ -62,18 +62,22 @@ func outputCreds(creds *AwsConfigOutput, cacheKey string) {
 	os.Stdout.WriteString("\n")
 }
 
-func mustDuploClient(host, token string, interactive bool) *duplocloud.Client {
+func mustDuploClient(host, token string, interactive, admin bool) *duplocloud.Client {
+	otp := ""
+
 	// Possibly get a token from an interactive process.
 	if token == "" {
 		if !interactive {
 			log.Fatalf("%s: --token not specified and --interactive mode is disabled", os.Args[0])
 		}
 
-		token = mustTokenInteractive(host)
+		tokenResult := mustTokenInteractive(host, admin)
+		token = tokenResult.Token
+		otp = tokenResult.OTP
 	}
 
 	// Create the client.
-	client, err := duplocloud.NewClient(host, token)
+	client, err := duplocloud.NewClientWithOtp(host, token, otp)
 	dieIf(err, "invalid arguments")
 
 	return client
@@ -90,6 +94,7 @@ func main() {
 	host := flag.String("host", "", "Duplo API base URL")
 	token := flag.String("token", "", "Duplo API token")
 	admin := flag.Bool("admin", false, "Get admin credentials")
+	duploOps := flag.Bool("duplo-ops", false, "Get Duplo operations credentials")
 	tenantID := flag.String("tenant", "", "Get credentials for the given tenant")
 	debug := flag.Bool("debug", false, "Turn on verbose (debugging) output")
 	noCache = flag.Bool("no-cache", false, "Disable caching (not recommended)")
@@ -103,7 +108,7 @@ func main() {
 			version = "(dev build)"
 		}
 		if commit == "" {
-			commit = "(x)"
+			commit = "unknown"
 		}
 		fmt.Printf("%s version %s (git commit %s)\n", os.Args[0], version, commit)
 		os.Exit(0)
@@ -137,12 +142,28 @@ func main() {
 
 		// Otherwise, get the credentials from Duplo.
 		if creds == nil {
-			client := mustDuploClient(*host, *token, *interactive)
+			client := mustDuploClient(*host, *token, *interactive, true)
 			result, err := client.AdminGetJITAwsCredentials()
 			dieIf(err, "failed to get credentials")
 			creds = convertCreds(result)
 		}
 
+	} else if *duploOps {
+
+		// Build the cache key
+		cacheKey = strings.Join([]string{strings.TrimPrefix(*host, "https://"), "duplo-ops"}, ",")
+
+		// Try to find credentials from the cache.
+		creds = cacheGetAwsConfigOutput(cacheKey)
+
+		// Otherwise, get the credentials from Duplo.
+		if creds == nil {
+			client := mustDuploClient(*host, *token, *interactive, true)
+			result, err := client.AdminAwsGetJitAccess("duplo-ops")
+			dieIf(err, "failed to get credentials")
+			creds = convertCreds(result)
+		}
+
 	} else if tenantID == nil || *tenantID == "" {
 
 		// Tenant credentials require an additional argument.
@@ -158,11 +179,15 @@ func main() {
 
 		// Otherwise, get the credentials from Duplo.
 		if creds == nil {
-			client := mustDuploClient(*host, *token, *interactive)
+			client := mustDuploClient(*host, *token, *interactive, false)
 
 			// If it doesn't look like a UUID, get the tenant ID from the name.
 			if len(*tenantID) < 32 {
+				var err error
 				tenant, err := client.GetTenantByNameForUser(*tenantID)
+				if tenant == nil {
+					err = errors.New("no such tenant available to your user")
+				}
 				dieIf(err, fmt.Sprintf("%s: tenant not found", *tenantID))
 				tenantID = &tenant.TenantID
 			}

duplocloud/api.go

@@ -19,8 +19,33 @@ type UserTenant struct {
 	PlanID      string `json:"PlanID"`
 }
 
-// AdminGetAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
+// AdminAwsGetJitAccess retrieves just-in-time admin AWS credentials for the requested role via the Duplo API.
+func (c *Client) AdminAwsGetJitAccess(role string) (*AwsJitCredentials, ClientError) {
+	creds := AwsJitCredentials{}
+	err := c.getAPI("AdminAwsGetJitAccess()", fmt.Sprintf("v3/admin/aws/jitAccess/%s", role), &creds)
+	if err != nil {
+		return nil, err
+	}
+	return &creds, nil
+}
+
+// AdminGetJITAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
 func (c *Client) AdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
+	creds, err := c.AdminAwsGetJitAccess("admin")
+
+	// Fallback to legacy API
+	if err != nil && err.Status() == 404 {
+		creds, err = c.LegacyAdminGetJITAwsCredentials()
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	return creds, err
+}
+
+// LegacyAdminGetJITAwsCredentials retrieves just-in-time admin AWS credentials via the Duplo API.
+func (c *Client) LegacyAdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
 	creds := AwsJitCredentials{}
 	err := c.getAPI("AdminGetJITAwsCredentials()", "adminproxy/GetJITAwsConsoleAccessUrl", &creds)
 	if err != nil {
@@ -29,7 +54,7 @@ func (c *Client) AdminGetJITAwsCredentials() (*AwsJitCredentials, ClientError) {
 	return &creds, nil
 }
 
-// TenantGetAwsCredentials retrieves just-in-time AWS credentials for a tenant via the Duplo API.
+// TenantGetJITAwsCredentials retrieves just-in-time AWS credentials for a tenant via the Duplo API.
 func (c *Client) TenantGetJITAwsCredentials(tenantID string) (*AwsJitCredentials, ClientError) {
 	creds := AwsJitCredentials{}
 	err := c.getAPI(

duplocloud/client.go

@@ -14,6 +14,7 @@ type Client struct {
 	HTTPClient *http.Client
 	HostURL    string
 	Token      string
+	OTP        string
 }
 
 // NewClient creates a new Duplo API client
@@ -29,6 +30,15 @@ func NewClient(host, token string) (*Client, error) {
 	return nil, fmt.Errorf("missing config for Duplo 'host' and/or 'token'")
 }
 
+// NewClientWithOtp creates a new Duplo API client with an OTP code
+func NewClientWithOtp(host, token, otp string) (c *Client, err error) {
+	c, err = NewClient(host, token)
+	if err == nil && c != nil && otp != "" {
+		c.OTP = otp
+	}
+	return
+}
+
 type clientError struct {
 	message  string
 	status   int
@@ -163,6 +173,9 @@ func (c *Client) doAPI(verb string, apiName string, apiPath string, rp interface
 		logf(TRACE, "%s: cannot build request: %s", apiName, err.Error())
 		return nil
 	}
+	if c.OTP != "" {
+		req.Header.Set("otpcode", c.OTP)
+	}
 
 	// Call the API and get the response.
 	body, httpErr := c.doRequest(req)