ag-awsauth 0.0.1

package/LICENSE.md

@@ -0,0 +1,11 @@
+ISC License
+---
+
+ag-awsauth - Copyright 2021 Andrei Gec
+check out https://github.com/andreigec/ag-awsauth or https://gec.dev for more info
+
+---
+
+Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1,9 @@
+# ag-awsauth
+
+## Usage
+
+npm i -g awsauth
+
+awsauth -c
+
+awsauth

package/bin/awsauth.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+var lib = require('../dist/index.js');
+void lib.run();

package/dist/config.d.ts

@@ -0,0 +1,8 @@
+export declare const logPath = "log.txt";
+export declare const stsDurationSeconds: number;
+export declare const nativeStsDurationSeconds: number;
+export declare const identityCenterRegion: () => string;
+export declare const ssoStartUrl: () => string;
+export declare const targetRegion: () => string;
+export declare const validateConfig: () => boolean;
+export declare const runConfig: () => void;

package/dist/config.js

@@ -0,0 +1,45 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runConfig = exports.validateConfig = exports.targetRegion = exports.ssoStartUrl = exports.identityCenterRegion = exports.nativeStsDurationSeconds = exports.stsDurationSeconds = exports.logPath = void 0;
+const envfile_1 = require("envfile");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+exports.logPath = 'log.txt';
+exports.stsDurationSeconds = 60 * 60 * 4; //4h
+exports.nativeStsDurationSeconds = 60 * 60 * 1; //1h
+const identityCenterRegion = () => process.env.identityCenterRegion;
+exports.identityCenterRegion = identityCenterRegion;
+const ssoStartUrl = () => process.env.ssoStartUrl;
+exports.ssoStartUrl = ssoStartUrl;
+const targetRegion = () => process.env.targetRegion;
+exports.targetRegion = targetRegion;
+const validateConfig = () => {
+    if (!(0, exports.identityCenterRegion)() || !(0, exports.ssoStartUrl)() || !(0, exports.targetRegion)()) {
+        return false;
+    }
+    return true;
+};
+exports.validateConfig = validateConfig;
+const runConfig = () => {
+    const pn = path_1.default.resolve(__dirname + '/../.env');
+    if (!fs_1.default.existsSync(pn)) {
+        fs_1.default.writeFileSync(pn, '');
+    }
+    const c = (0, envfile_1.parse)(fs_1.default.readFileSync(pn).toString());
+    if (!c.ssoStartUrl) {
+        c.ssoStartUrl = ' //eg https://d-xxx.awsapps.com/start';
+    }
+    if (!c.targetRegion) {
+        c.targetRegion = ' //eg ap-southeast-1';
+    }
+    if (!c.identityCenterRegion) {
+        c.identityCenterRegion = ' //eg us-east-1';
+    }
+    fs_1.default.writeFileSync(pn, (0, envfile_1.stringify)(c));
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    require('child_process').exec(`start "" "${pn}"`);
+};
+exports.runConfig = runConfig;

package/dist/direct.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/direct.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const dotenv_1 = require("dotenv");
+const _1 = require(".");
+(0, dotenv_1.config)();
+void (0, _1.run)();

package/dist/helpers/awsconfig.d.ts

@@ -0,0 +1,3 @@
+import { IAwsCreds, IAwsCredsRaw } from '../types';
+export declare const getAwsCredentials: () => Promise<Record<string, IAwsCredsRaw>>;
+export declare const updateAwsCredentials: (p: IAwsCreds | undefined) => Promise<void>;

package/dist/helpers/awsconfig.js

@@ -0,0 +1,52 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.updateAwsCredentials = exports.getAwsCredentials = void 0;
+const shared_ini_file_loader_1 = require("@aws-sdk/shared-ini-file-loader");
+//@ts-ignore
+const getCredentialsFilepath_1 = require("@aws-sdk/shared-ini-file-loader/dist-cjs/getCredentialsFilepath");
+const log_1 = require("ag-common/dist/common/helpers/log");
+const fs_1 = __importDefault(require("fs"));
+const ini_1 = require("ini");
+const getAwsCredentials = () => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, shared_ini_file_loader_1.loadSharedConfigFiles)();
+    const creds = config.credentialsFile;
+    if (!creds.default) {
+        creds.default = {};
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const ret = creds;
+    return ret;
+});
+exports.getAwsCredentials = getAwsCredentials;
+const updateAwsCredentials = (p) => __awaiter(void 0, void 0, void 0, function* () {
+    const creds = yield (0, exports.getAwsCredentials)();
+    if (!p) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        creds.default = {};
+    }
+    else {
+        creds.default.region = p.region;
+        creds.default.aws_access_key_id = p.accessKeyId;
+        creds.default.aws_secret_access_key = p.secretAccessKey;
+        creds.default.aws_session_token = p.sessionToken;
+        creds.default.aws_access_token = p.accessToken;
+        creds.default.aws_sso_authn = p.ssoAuthn;
+    }
+    const newcreds = (0, ini_1.stringify)(creds);
+    (0, log_1.info)(`saving updated default creds to .aws/credentials`);
+    const credspath = (0, getCredentialsFilepath_1.getCredentialsFilepath)();
+    fs_1.default.writeFileSync(credspath, newcreds);
+});
+exports.updateAwsCredentials = updateAwsCredentials;

package/dist/helpers/browser.d.ts

@@ -0,0 +1,12 @@
+export declare const closeBrowser: () => Promise<void>;
+export declare const launchBrowser: () => Promise<void>;
+export declare const goToPage: (url: string) => Promise<import("puppeteer").Page>;
+export declare function getMFA(p: {
+    verificationUriComplete: string;
+    creds: {
+        username: string;
+        password: string;
+    };
+}): Promise<{
+    ssoAuthn: string;
+}>;

package/dist/helpers/browser.js

@@ -0,0 +1,163 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getMFA = exports.goToPage = exports.launchBrowser = exports.closeBrowser = void 0;
+const log_1 = require("ag-common/dist/common/helpers/log");
+const sleep_1 = require("ag-common/dist/common/helpers/sleep");
+const puppeteer_1 = require("puppeteer");
+const input_1 = require("./input");
+let browser;
+const closeBrowser = () => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        if (!browser) {
+            return;
+        }
+        yield browser.close();
+        browser = undefined;
+    }
+    catch (e) {
+        (0, log_1.warn)('error closing browser:', e);
+    }
+});
+exports.closeBrowser = closeBrowser;
+const launchBrowser = () => __awaiter(void 0, void 0, void 0, function* () {
+    const opt = {
+        defaultViewport: { height: 1000, width: 500 },
+        headless: true,
+        ignoreHTTPSErrors: true,
+        devtools: false,
+    };
+    if (!opt.args) {
+        opt.args = [];
+    }
+    opt.args.push('--disable-features=AudioServiceOutOfProcess');
+    opt.args.push('--disable-features=AudioServiceOutOfProcessKillAtHang');
+    opt.args.push('--disable-software-rasterizer');
+    opt.args.push('--disable-gpu');
+    opt.args.push('--disable-dev-shm-usage');
+    yield (0, exports.closeBrowser)();
+    (0, log_1.debug)('launch browser, opt=', opt);
+    browser = (yield (0, puppeteer_1.launch)(opt));
+    (0, log_1.debug)('browser created');
+});
+exports.launchBrowser = launchBrowser;
+const goToPage = (url) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        if (!browser) {
+            yield (0, exports.launchBrowser)();
+        }
+        if (!browser) {
+            throw new Error('no browser');
+        }
+        (0, log_1.info)(`go to page:${url}`);
+        const page = yield browser.newPage();
+        yield page.goto(url, {
+            waitUntil: ['networkidle2'],
+            timeout: 10000,
+        });
+        return page;
+    }
+    catch (e) {
+        const em = 'browser error:' + e.toString();
+        (0, log_1.error)(em);
+        throw new Error(em);
+    }
+});
+exports.goToPage = goToPage;
+function getMFA(p) {
+    var _a;
+    return __awaiter(this, void 0, void 0, function* () {
+        //go to browser site for auth
+        (0, log_1.info)('start mfa');
+        const page = yield (0, exports.goToPage)(p.verificationUriComplete);
+        (0, log_1.info)('username block');
+        yield page.waitForSelector('#username-input');
+        yield page.focus('#username-input input');
+        yield page.keyboard.type(p.creds.username);
+        yield page.$eval('#username-submit-button button', (el) => el.click());
+        //
+        (0, log_1.info)('password block');
+        yield page.waitForSelector('#password-input');
+        yield page.focus('#password-input input');
+        yield page.keyboard.type(p.creds.password);
+        yield page.$eval('#password-submit-button button', (el) => el.click());
+        yield (0, sleep_1.sleep)(250);
+        yield page.waitForNetworkIdle({ idleTime: 250 });
+        //
+        try {
+            const messageDiv = yield page.waitForSelector('.awsui-alert-message', {
+                timeout: 2000,
+            });
+            const value = yield page.evaluate((el) => { var _a; return (_a = el === null || el === void 0 ? void 0 : el.textContent) !== null && _a !== void 0 ? _a : ''; }, messageDiv);
+            if (value) {
+                throw new Error(value);
+            }
+        }
+        catch (e) {
+            const em = e.toString();
+            if (!em.includes('exceeded')) {
+                const em2 = `creds error:` + em;
+                (0, log_1.error)(em2);
+                throw new Error(em2);
+            }
+        }
+        //
+        let retry = true;
+        do {
+            (0, log_1.info)('mfa block');
+            const { mfa } = (0, input_1.enterMFA)();
+            yield page.waitForSelector('#input-0');
+            yield page.focus('#input-0 input');
+            yield page.keyboard.type(mfa);
+            yield page.$eval('.awsui-signin-button-container button', (el) => el.click());
+            //
+            try {
+                yield (0, sleep_1.sleep)(250);
+                yield page.waitForNetworkIdle({ idleTime: 250 });
+                const messageDiv = yield page.waitForSelector('.awsui-alert-message', {
+                    timeout: 2000,
+                });
+                const value = yield page.evaluate((el) => { var _a; return (_a = el === null || el === void 0 ? void 0 : el.textContent) !== null && _a !== void 0 ? _a : ''; }, messageDiv);
+                if (value) {
+                    throw new Error(value);
+                }
+                retry = false;
+            }
+            catch (e) {
+                const em = e.toString();
+                if (!em.includes('exceeded')) {
+                    const em2 = `mfa error:` + em + ' retry';
+                    (0, log_1.error)(em2);
+                }
+                else {
+                    retry = false;
+                }
+            }
+        } while (retry);
+        //
+        yield (0, sleep_1.sleep)(3000);
+        yield page.waitForNetworkIdle({ idleTime: 250 });
+        yield page.waitForSelector('#cli_login_button', { timeout: 5000 });
+        yield page.$eval('#cli_login_button', (el) => el.click());
+        yield (0, sleep_1.sleep)(250);
+        yield page.waitForNetworkIdle({ idleTime: 250 });
+        yield page.waitForSelector('.awsui-icon-variant-success', { timeout: 5000 });
+        (0, log_1.warn)('mfa success');
+        const cookies = yield (page === null || page === void 0 ? void 0 : page.cookies());
+        const ssoAuthn = (_a = cookies === null || cookies === void 0 ? void 0 : cookies.find((c) => c.name === 'x-amz-sso_authn')) === null || _a === void 0 ? void 0 : _a.value;
+        if (!ssoAuthn) {
+            throw new Error('no aws authn');
+        }
+        yield (0, exports.closeBrowser)();
+        return { ssoAuthn };
+    });
+}
+exports.getMFA = getMFA;

package/dist/helpers/input.d.ts

@@ -0,0 +1,10 @@
+import { IAppInstance, IApplicationArgs } from '../types';
+export declare function chooseAppInstance(ai: IAppInstance[], args: IApplicationArgs): Promise<IAppInstance>;
+export declare function readArguments(): Promise<IApplicationArgs>;
+export declare function enterCreds(): {
+    username: string;
+    password: string;
+};
+export declare function enterMFA(): {
+    mfa: string;
+};

package/dist/helpers/input.js

@@ -0,0 +1,86 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enterMFA = exports.enterCreds = exports.readArguments = exports.chooseAppInstance = void 0;
+const log_1 = require("ag-common/dist/common/helpers/log");
+const string_1 = require("ag-common/dist/common/helpers/string");
+const cli_select_1 = __importDefault(require("cli-select"));
+const readline_sync_1 = require("readline-sync");
+const yargs_1 = __importDefault(require("yargs"));
+const helpers_1 = require("yargs/helpers");
+const valueRenderer = (a) => `${a.name} [${a.id}]`;
+function chooseAppInstance(ai, args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let ret;
+        if (args.applicationfilter) {
+            ret = ai.find((a) => (0, string_1.containsInsensitive)(valueRenderer(a), args.applicationfilter));
+            if (!ret) {
+                throw new Error('didnt find application with filter');
+            }
+        }
+        if (ret) {
+            (0, log_1.info)(`preselecting ${valueRenderer(ret)} from input ${args.applicationfilter}`);
+            return ret;
+        }
+        (0, log_1.info)('Choose app instance to connect to');
+        const res = yield (0, cli_select_1.default)({
+            values: ai,
+            valueRenderer,
+        });
+        return res.value;
+    });
+}
+exports.chooseAppInstance = chooseAppInstance;
+function readArguments() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { applicationfilter, verbose, wipe, config } = yield (0, yargs_1.default)((0, helpers_1.hideBin)(process.argv))
+            .help('h')
+            .alias('h', 'help')
+            .option('applicationfilter', {
+            alias: 'af',
+            type: 'string',
+            description: 'Will select account that matches passed in string',
+        })
+            .boolean('verbose')
+            .alias('v', 'verbose')
+            .default('verbose', true)
+            .boolean('wipe')
+            .alias('w', 'wipe')
+            .default('wipe', false)
+            .boolean('config')
+            .alias('c', 'config')
+            .default('config', false)
+            .parse();
+        return { applicationfilter, verbose, wipe, config };
+    });
+}
+exports.readArguments = readArguments;
+function enterCreds() {
+    const username = (0, readline_sync_1.question)('Enter username:');
+    const password = (0, readline_sync_1.question)('Enter password:', {
+        hideEchoBack: true,
+    });
+    return { username, password };
+}
+exports.enterCreds = enterCreds;
+function enterMFA() {
+    return {
+        mfa: (0, readline_sync_1.question)('Enter MFA code:', {
+            min: 6,
+            max: 6,
+            hideEchoBack: true,
+        }),
+    };
+}
+exports.enterMFA = enterMFA;

package/dist/helpers/oidc.d.ts

@@ -0,0 +1,5 @@
+import { IAwsCreds } from '../types';
+export declare function requestMFA(p: {
+    identityCenterRegion: string;
+    ssoStartUrl: string;
+}): Promise<IAwsCreds>;

package/dist/helpers/oidc.js

@@ -0,0 +1,81 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestMFA = void 0;
+const client_sso_oidc_1 = require("@aws-sdk/client-sso-oidc");
+const log_1 = require("ag-common/dist/common/helpers/log");
+const sleep_1 = require("ag-common/dist/common/helpers/sleep");
+const config_1 = require("../config");
+const browser_1 = require("./browser");
+const input_1 = require("./input");
+function requestMFA(p) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const sso_oidc = new client_sso_oidc_1.SSOOIDCClient({ region: p.identityCenterRegion });
+        (0, log_1.warn)('starting MFA flow');
+        const creds = (0, input_1.enterCreds)();
+        const rcc = yield sso_oidc.send(new client_sso_oidc_1.RegisterClientCommand({
+            clientName: creds.username,
+            clientType: 'public',
+        }));
+        const sda = yield sso_oidc.send(new client_sso_oidc_1.StartDeviceAuthorizationCommand({
+            clientId: rcc.clientId,
+            clientSecret: rcc.clientSecret,
+            startUrl: p.ssoStartUrl,
+        }));
+        if (!sda.verificationUriComplete) {
+            throw new Error('no verif url');
+        }
+        const { ssoAuthn } = yield (0, browser_1.getMFA)({
+            verificationUriComplete: sda.verificationUriComplete,
+            creds,
+        });
+        let accessToken;
+        //keep trying to receive auth until user clicks, or timeout
+        let trycount = 0;
+        do {
+            if (trycount > 3) {
+                throw new Error('too many fails');
+            }
+            trycount += 1;
+            try {
+                const ctc = yield sso_oidc.send(new client_sso_oidc_1.CreateTokenCommand({
+                    clientId: rcc.clientId,
+                    clientSecret: rcc.clientSecret,
+                    code: sda.userCode,
+                    deviceCode: sda.deviceCode,
+                    grantType: 'urn:ietf:params:oauth:grant-type:device_code',
+                }));
+                accessToken = ctc.accessToken;
+                if (!accessToken) {
+                    throw new Error('no access token');
+                }
+            }
+            catch (e) {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                const es = e.toString();
+                if (!es.includes('AuthorizationPendingException')) {
+                    throw e;
+                }
+                (0, log_1.warn)('waiting for device approval...');
+                yield (0, sleep_1.sleep)(5000);
+            }
+        } while (!accessToken);
+        return {
+            accessToken,
+            ssoAuthn,
+            region: (0, config_1.identityCenterRegion)(),
+            accessKeyId: '',
+            secretAccessKey: '',
+            sessionToken: '',
+        };
+    });
+}
+exports.requestMFA = requestMFA;

package/dist/helpers/sso.d.ts

@@ -0,0 +1,21 @@
+import { IAppInstance, IAwsCreds } from '../types';
+export declare const getAssumedRole: (p: {
+    accessToken: string;
+    accountId?: string;
+}) => Promise<{
+    accountId: string;
+    roleName: string;
+}>;
+export declare const getOIDCCredentialsFromAccessToken: (p: {
+    accessToken: string;
+    ssoAuthn: string;
+}) => Promise<IAwsCreds>;
+export declare function appInstances(p: {
+    ssoAuthn: string;
+}): Promise<IAppInstance[]>;
+export declare function getSamlAssertion(p: IAwsCreds, instance: IAppInstance): Promise<{
+    samlAssertion: string;
+    providerArn: string;
+    roleArn: string;
+}>;
+export declare const tryExistingCredentials: () => Promise<IAwsCreds | undefined>;

package/dist/helpers/sso.js

@@ -0,0 +1,137 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tryExistingCredentials = exports.getSamlAssertion = exports.appInstances = exports.getOIDCCredentialsFromAccessToken = exports.getAssumedRole = void 0;
+const client_sso_1 = require("@aws-sdk/client-sso");
+const log_1 = require("ag-common/dist/common/helpers/log");
+const string_1 = require("ag-common/dist/common/helpers/string");
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const config_1 = require("../config");
+const awsconfig_1 = require("./awsconfig");
+const sts_1 = require("./sts");
+const getAssumedRole = (p) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a, _b, _c, _d;
+    const sso = new client_sso_1.SSOClient({ region: (0, config_1.identityCenterRegion)() });
+    let accountId = p.accountId;
+    if (!accountId) {
+        const accounts = yield sso.send(new client_sso_1.ListAccountsCommand({ accessToken: p.accessToken }));
+        accountId = (_b = (_a = accounts.accountList) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.accountId;
+    }
+    if (!accountId) {
+        throw new Error('no account id');
+    }
+    const rolesResult = yield sso.send(new client_sso_1.ListAccountRolesCommand({
+        accessToken: p.accessToken,
+        accountId,
+    }));
+    const roles = ((_d = (_c = rolesResult.roleList) === null || _c === void 0 ? void 0 : _c.map((r) => ({
+        accountId: r.accountId || '',
+        roleName: r.roleName || '',
+    }))) === null || _d === void 0 ? void 0 : _d.filter((r) => r.accountId && r.roleName)) || [];
+    if (roles.length === 0) {
+        throw new Error('no roles can be assumed');
+    }
+    if (roles.length > 1) {
+        throw new Error('too many roles' + JSON.stringify(roles, null, 2));
+    }
+    const role = roles[0];
+    return role;
+});
+exports.getAssumedRole = getAssumedRole;
+const getOIDCCredentialsFromAccessToken = (p) => __awaiter(void 0, void 0, void 0, function* () {
+    const sso = new client_sso_1.SSOClient({ region: (0, config_1.identityCenterRegion)() });
+    const role = yield (0, exports.getAssumedRole)({ accessToken: p.accessToken });
+    const ssoResp = yield sso.send(new client_sso_1.GetRoleCredentialsCommand(Object.assign(Object.assign({}, role), { accessToken: p.accessToken })));
+    const rc = ssoResp.roleCredentials;
+    if (!(rc === null || rc === void 0 ? void 0 : rc.accessKeyId) ||
+        !(rc === null || rc === void 0 ? void 0 : rc.expiration) ||
+        !(rc === null || rc === void 0 ? void 0 : rc.secretAccessKey) ||
+        !(rc === null || rc === void 0 ? void 0 : rc.sessionToken)) {
+        throw new Error('role creds undefined:' + JSON.stringify(rc, null, 2));
+    }
+    return Object.assign(Object.assign({}, p), { accessKeyId: rc.accessKeyId, secretAccessKey: rc.secretAccessKey, sessionToken: rc.sessionToken, region: (0, config_1.identityCenterRegion)() });
+});
+exports.getOIDCCredentialsFromAccessToken = getOIDCCredentialsFromAccessToken;
+function appInstances(p) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const ai = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${(0, config_1.identityCenterRegion)()}.amazonaws.com/instance/appinstances`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
+        if (!(ai === null || ai === void 0 ? void 0 : ai.result)) {
+            throw new Error('appinstance error' + JSON.stringify(ai, null, 2));
+        }
+        return ai.result;
+    });
+}
+exports.appInstances = appInstances;
+function getSamlAssertion(p, instance) {
+    var _a, _b;
+    return __awaiter(this, void 0, void 0, function* () {
+        const det = (yield (yield (0, node_fetch_1.default)(`https://portal.sso.${(0, config_1.identityCenterRegion)()}.amazonaws.com/instance/appinstance/${instance.id}/profiles`, { headers: { 'x-amz-sso_bearer_token': p.ssoAuthn } })).json());
+        const asserturl = (_b = (_a = det === null || det === void 0 ? void 0 : det.result) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.url;
+        if (!asserturl) {
+            throw new Error('assertion url cant be found');
+        }
+        const assertion = (yield (yield (0, node_fetch_1.default)(asserturl, {
+            headers: { 'x-amz-sso_bearer_token': p.ssoAuthn },
+        })).json());
+        const decoded = (0, string_1.fromBase64)(assertion.encodedResponse);
+        const res = new RegExp(/<saml2:AttributeValue xmlns:xsi="http:\/\/www.w3.org\/2001\/XMLSchema-instance" xsi:type="xsd:string">(arn.*?)</gim).exec(decoded);
+        if (!(res === null || res === void 0 ? void 0 : res[1])) {
+            throw new Error('bad saml');
+        }
+        const [providerArn, roleArn] = res[1].split(',');
+        return { samlAssertion: assertion.encodedResponse, providerArn, roleArn };
+    });
+}
+exports.getSamlAssertion = getSamlAssertion;
+const tryExistingCredentials = () => __awaiter(void 0, void 0, void 0, function* () {
+    const credraw = yield (0, awsconfig_1.getAwsCredentials)();
+    if (!credraw.default.aws_access_token) {
+        return undefined;
+    }
+    let credentials = {
+        accessKeyId: credraw.default.aws_access_key_id,
+        secretAccessKey: credraw.default.aws_secret_access_key,
+        sessionToken: credraw.default.aws_session_token,
+        accessToken: credraw.default.aws_access_token,
+        ssoAuthn: credraw.default.aws_sso_authn,
+        region: (0, config_1.identityCenterRegion)(),
+    };
+    const v = yield (0, sts_1.validateCredentials)(credentials);
+    if (v) {
+        return credentials;
+    }
+    if (credraw.default.aws_access_token && credraw.default.aws_sso_authn) {
+        try {
+            (0, log_1.info)('trying oidc refresh');
+            credentials = yield (0, exports.getOIDCCredentialsFromAccessToken)({
+                accessToken: credraw.default.aws_access_token,
+                ssoAuthn: credraw.default.aws_sso_authn,
+            });
+            return credentials;
+        }
+        catch (e) {
+            //
+            (0, log_1.info)('access token or sso expired, need to wipe', e);
+        }
+    }
+    return {
+        accessToken: '',
+        ssoAuthn: '',
+        region: (0, config_1.identityCenterRegion)(),
+        accessKeyId: '',
+        secretAccessKey: '',
+        sessionToken: '',
+    };
+});
+exports.tryExistingCredentials = tryExistingCredentials;

package/dist/helpers/sts.d.ts

@@ -0,0 +1,24 @@
+import { IAwsCreds, SearchMetadata } from '../types';
+export declare function validateCredentials(credentials: IAwsCreds): Promise<{
+    accountId: string;
+    principalArn: string;
+} | undefined>;
+export declare function getApplicationCreds(p: {
+    originCreds: IAwsCreds;
+    targetRegion: string;
+    samlAssertion: string;
+    providerArn: string;
+    roleArn: string;
+}): Promise<IAwsCreds>;
+export declare function directStsAssume(p: {
+    credentials: IAwsCreds;
+    targetRegion: string;
+    metadata: SearchMetadata;
+}): Promise<{
+    region: string;
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    accessToken: string;
+    ssoAuthn: string;
+}>;

package/dist/helpers/sts.js

@@ -0,0 +1,98 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.directStsAssume = exports.getApplicationCreds = exports.validateCredentials = void 0;
+const client_sts_1 = require("@aws-sdk/client-sts");
+const log_1 = require("ag-common/dist/common/helpers/log");
+const config_1 = require("../config");
+const sso_1 = require("./sso");
+function validateCredentials(credentials) {
+    var _a, _b;
+    return __awaiter(this, void 0, void 0, function* () {
+        const sts = new client_sts_1.STS({
+            credentials,
+            region: credentials.region,
+        });
+        try {
+            const stub = yield sts.getCallerIdentity({});
+            yield (0, sso_1.appInstances)(credentials);
+            if (((_b = (_a = stub === null || stub === void 0 ? void 0 : stub.$metadata) === null || _a === void 0 ? void 0 : _a.httpStatusCode) !== null && _b !== void 0 ? _b : 500) < 400 &&
+                stub.Account &&
+                stub.Arn) {
+                (0, log_1.info)(`test cached credentials OK`);
+                return { accountId: stub.Account, principalArn: stub.Arn };
+            }
+        }
+        catch (e) {
+            const es = e.toString();
+            if (es.includes('expired')) {
+                (0, log_1.warn)('creds have expired');
+            }
+            (0, log_1.warn)('other saml error:' + es);
+            return undefined;
+        }
+    });
+}
+exports.validateCredentials = validateCredentials;
+function getApplicationCreds(p) {
+    var _a, _b, _c, _d;
+    return __awaiter(this, void 0, void 0, function* () {
+        const sts = new client_sts_1.STS({
+            credentials: p.originCreds,
+            region: p.targetRegion,
+        });
+        const ret = yield sts.assumeRoleWithSAML({
+            PrincipalArn: p.providerArn,
+            RoleArn: p.roleArn,
+            SAMLAssertion: p.samlAssertion,
+            DurationSeconds: config_1.stsDurationSeconds,
+        });
+        if (((_a = ret.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
+            (0, log_1.error)('bad assume saml role', ret);
+            throw new Error('bad assume saml role');
+        }
+        if (!((_b = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
+            !((_c = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
+            !((_d = ret === null || ret === void 0 ? void 0 : ret.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
+            throw new Error('no creds');
+        }
+        return Object.assign(Object.assign({}, p.originCreds), { region: p.targetRegion, accessKeyId: ret.Credentials.AccessKeyId, secretAccessKey: ret.Credentials.SecretAccessKey, sessionToken: ret.Credentials.SessionToken });
+    });
+}
+exports.getApplicationCreds = getApplicationCreds;
+function directStsAssume(p) {
+    var _a, _b, _c, _d;
+    return __awaiter(this, void 0, void 0, function* () {
+        const role = yield (0, sso_1.getAssumedRole)({
+            accessToken: p.credentials.accessToken,
+            accountId: p.metadata.AccountId,
+        });
+        const sts = new client_sts_1.STS({
+            credentials: p.credentials,
+            region: p.targetRegion,
+        });
+        const ar = yield sts.assumeRole({
+            RoleArn: `arn:aws:iam::${role.accountId}:role/${role.roleName}`,
+            RoleSessionName: 'awsauth',
+            DurationSeconds: config_1.nativeStsDurationSeconds,
+        });
+        if (((_a = ar.$metadata.httpStatusCode) !== null && _a !== void 0 ? _a : 500) >= 400) {
+            throw new Error('assume role error' + JSON.stringify(ar, null, 2));
+        }
+        if (!((_b = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _b === void 0 ? void 0 : _b.AccessKeyId) ||
+            !((_c = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _c === void 0 ? void 0 : _c.SecretAccessKey) ||
+            !((_d = ar === null || ar === void 0 ? void 0 : ar.Credentials) === null || _d === void 0 ? void 0 : _d.SessionToken)) {
+            throw new Error('no creds');
+        }
+        return Object.assign(Object.assign({}, p.credentials), { region: p.targetRegion, accessKeyId: ar.Credentials.AccessKeyId, secretAccessKey: ar.Credentials.SecretAccessKey, sessionToken: ar.Credentials.SessionToken });
+    });
+}
+exports.directStsAssume = directStsAssume;

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+import { IApplicationArgs } from './types';
+export declare function main(args: IApplicationArgs): Promise<void>;
+export declare function run(): Promise<void>;

package/dist/index.js

@@ -0,0 +1,110 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = exports.main = void 0;
+/* eslint-disable padding-line-between-statements */
+const log_1 = require("ag-common/dist/common/helpers/log");
+const dotenv_1 = require("dotenv");
+const fs_1 = __importDefault(require("fs"));
+const config_1 = require("./config");
+const awsconfig_1 = require("./helpers/awsconfig");
+const input_1 = require("./helpers/input");
+const oidc_1 = require("./helpers/oidc");
+const sso_1 = require("./helpers/sso");
+const sts_1 = require("./helpers/sts");
+(0, dotenv_1.config)();
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const beep = require('node-beep');
+function main(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        (0, log_1.SetLogLevel)(args.verbose ? 'INFO' : 'WARN');
+        (0, log_1.SetLogShim)((...a1) => {
+            // eslint-disable-next-line no-console
+            console.log(...a1);
+            try {
+                fs_1.default.appendFileSync(config_1.logPath, JSON.stringify(a1, null, 2));
+            }
+            catch (e) {
+                //
+            }
+        });
+        if (args.config) {
+            (0, log_1.info)('running config');
+            (0, config_1.runConfig)();
+            return;
+        }
+        if (!(0, config_1.validateConfig)()) {
+            console.error('please run config (-c)');
+            return;
+        }
+        if (args.wipe) {
+            (0, log_1.info)('wiping args');
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            yield (0, awsconfig_1.updateAwsCredentials)(undefined);
+            return;
+        }
+        let credentials = yield (0, sso_1.tryExistingCredentials)();
+        if (!(credentials === null || credentials === void 0 ? void 0 : credentials.accessToken) || !(credentials === null || credentials === void 0 ? void 0 : credentials.ssoAuthn)) {
+            (0, log_1.info)('no creds, get access token through manual sign in');
+            credentials = yield (0, oidc_1.requestMFA)({
+                identityCenterRegion: (0, config_1.identityCenterRegion)(),
+                ssoStartUrl: (0, config_1.ssoStartUrl)(),
+            });
+            (0, log_1.info)('get oidc creds');
+            credentials = yield (0, sso_1.getOIDCCredentialsFromAccessToken)(credentials);
+        }
+        //
+        (0, log_1.info)('save aws creds to file');
+        yield (0, awsconfig_1.updateAwsCredentials)(credentials);
+        (0, log_1.info)('get app instances and display');
+        const instances = yield (0, sso_1.appInstances)(credentials);
+        const instance = yield (0, input_1.chooseAppInstance)(instances, args);
+        let debugRole = '';
+        if (instance.searchMetadata) {
+            (0, log_1.info)('account is native aws, directly  connecting');
+            credentials = yield (0, sts_1.directStsAssume)({
+                credentials,
+                targetRegion: (0, config_1.targetRegion)(),
+                metadata: instance.searchMetadata,
+            });
+            debugRole = instance.searchMetadata.AccountId;
+        }
+        else {
+            (0, log_1.info)('account is external app, getting saml');
+            const samlDetails = yield (0, sso_1.getSamlAssertion)(credentials, instance);
+            credentials = yield (0, sts_1.getApplicationCreds)(Object.assign(Object.assign({}, samlDetails), { originCreds: credentials, targetRegion: (0, config_1.targetRegion)() }));
+            debugRole = samlDetails.roleArn;
+        }
+        yield (0, awsconfig_1.updateAwsCredentials)(credentials);
+        (0, log_1.warn)(`successfully authed into ${debugRole}`);
+    });
+}
+exports.main = main;
+function run() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const args = yield (0, input_1.readArguments)();
+            yield main(args);
+            beep(1);
+        }
+        catch (e) {
+            (0, log_1.error)('error:' + e);
+            beep(2);
+            if (e === null || e === void 0 ? void 0 : e.toString) {
+                (0, log_1.error)('error:' + e.toString());
+            }
+        }
+    });
+}
+exports.run = run;

package/dist/types.d.ts

@@ -0,0 +1,55 @@
+export interface IAwsCreds {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    region: string;
+    accessToken: string;
+    ssoAuthn: string;
+}
+export interface IAwsCredsRaw {
+    region: string;
+    aws_access_key_id: string;
+    aws_secret_access_key: string;
+    aws_session_token: string;
+    aws_access_token: string;
+    aws_sso_authn: string;
+    aws_application_id: string;
+}
+export interface IAppInstances {
+    result: IAppInstance[];
+}
+export interface IAppInstance {
+    id: string;
+    name: string;
+    description: string;
+    applicationId: string;
+    applicationName: string;
+    icon: string;
+    searchMetadata?: SearchMetadata;
+}
+export interface SearchMetadata {
+    AccountId: string;
+    AccountName: string;
+    AccountEmail: string;
+}
+export interface IAppInstanceDetails {
+    result: IAppInstanceDetailsResult[];
+}
+export interface IAppInstanceDetailsResult {
+    id: string;
+    name: string;
+    description: string;
+    url: string;
+    protocol: string;
+}
+export interface ISamlAssertion {
+    encodedResponse: string;
+    destination: string;
+    prettyPrintedXml: string;
+}
+export interface IApplicationArgs {
+    applicationfilter?: string;
+    verbose: boolean;
+    wipe: boolean;
+    config: boolean;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "ag-awsauth",
+  "description": "auth to aws sso/iamv2 easily",
+  "main": "dist/index.js",
+  "author": "andrei gec (andreigec@hotmail.com)",
+  "license": "ISC",
+  "private": false,
+  "version": "0.0.1",
+  "preferGlobal": true,
+  "bin": {
+    "awsauth": "./bin/awsauth.js"
+  },
+  "files": [
+    "bin/**/*",
+    "dist/**/*",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "dependencies": {
+    "@aws-sdk/client-sso": "3.271.0",
+    "@aws-sdk/client-sso-oidc": "3.271.0",
+    "@aws-sdk/client-sts": "3.271.0",
+    "@aws-sdk/shared-ini-file-loader": "3.271.0",
+    "ag-common": "0.0.412",
+    "cli-select": "1.1.2",
+    "dotenv": "16.0.3",
+    "envfile": "6.18.0",
+    "esbuild": "0.17.8",
+    "eslint-config-e7npm": "0.0.8",
+    "ini": "3.0.1",
+    "node-beep": "0.0.3",
+    "node-fetch": "2.6.9",
+    "puppeteer": "19.7.0",
+    "readline-sync": "1.4.10",
+    "ts-node": "10.9.1",
+    "typescript": "4.9.5",
+    "yargs": "17.6.2"
+  },
+  "devDependencies": {
+    "@types/ini": "1.3.31",
+    "@types/node": "18.13.0",
+    "@types/node-fetch": "2.6.2",
+    "@types/readline-sync": "1.4.4",
+    "@types/yargs": "17.0.22"
+  },
+  "engines": {
+    "node": ">=16.0.0",
+    "yarn": "use pnpm",
+    "npm": "use pnpm",
+    "pnpm": ">=3"
+  },
+  "scripts": {
+    "format": "eslint --ext .ts,.tsx ./src --fix",
+    "lint": "tsc && eslint --ext .ts,.tsx ./src",
+    "start": "ts-node src/direct.ts",
+    "build": "tsc"
+  }
+}