first pass of code written, untested

aws · Nov 10, 2022 · 8d09ba9 · 8d09ba9
1 parent 01cee3e
commit 8d09ba9
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/config/resolve_bearer_token.go b/config/resolve_bearer_token.go
@@ -54,6 +54,8 @@ func resolveBearerAuthTokenProviderChain(ctx context.Context, cfg *aws.Config, c
 
 	var provider smithybearer.TokenProvider
 
+	// if there is a SSOSession section (new format)
+	// or if there is sso_region property or sso_start_url property (legacy format)
 	if sharedConfig.SSOSession != nil || (sharedConfig.SSORegion != "" && sharedConfig.SSOStartURL != "") {
 		ssoSession := sharedConfig.SSOSession
 		if ssoSession == nil {

diff --git a/config/resolve_credentials.go b/config/resolve_credentials.go
@@ -3,6 +3,7 @@ package config
 import (
 	"context"
 	"fmt"
+	"github.com/aws/aws-sdk-go-v2/service/ssooidc"
 	"net/url"
 	"time"
 
@@ -130,6 +131,7 @@ func resolveCredsFromProfile(ctx context.Context, cfg *aws.Config, envConfig *En
 		return assumeWebIdentity(ctx, cfg, sharedConfig.WebIdentityTokenFile, sharedConfig.RoleARN, sharedConfig.RoleSessionName, configs)
 
 	case sharedConfig.hasSSOConfiguration():
+		// isaiah: this func assumes new (not legacy) format
 		err = resolveSSOCredentials(ctx, cfg, sharedConfig, configs)
 
 	case len(sharedConfig.CredentialProcess) != 0:
@@ -173,6 +175,15 @@ func resolveSSOCredentials(ctx context.Context, cfg *aws.Config, sharedConfig *S
 	cfgCopy := cfg.Copy()
 	cfgCopy.Region = sharedConfig.SSORegion
 
+	cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedConfig.SSOSessionName)
+	if err != nil {
+		oidcClient := ssooidc.NewFromConfig(*cfg)
+		options = append(options, func(o *ssocreds.Options) {
+			o.TokenClient = oidcClient
+			o.CachedTokenFilepath = cachedPath
+		})
+	}
+
 	cfg.Credentials = ssocreds.New(sso.NewFromConfig(cfgCopy), sharedConfig.SSOAccountID, sharedConfig.SSORoleName, sharedConfig.SSOStartURL, options...)
 
 	return nil

diff --git a/config/shared_config.go b/config/shared_config.go
@@ -849,6 +849,7 @@ func (c *SharedConfig) setFromIniSections(profiles map[string]struct{}, profile
 		// First time a profile has been seen, It must either be a assume role
 		// credentials, or SSO. Assert if the credential type requires a role ARN,
 		// the ARN is also set, or validate that the SSO configuration is complete.
+		// TODO: isaiah the below func doesnt do any SSO check. need to fix this
 		if err := c.validateCredentialsConfig(profile); err != nil {
 			return err
 		}
@@ -1132,8 +1133,10 @@ func (c *SharedConfig) hasCredentials() bool {
 	return true
 }
 
+// this func assumes legacy format
 func (c *SharedConfig) hasSSOConfiguration() bool {
 	switch {
+	case len(c.SSOSessionName) != 0:
 	case len(c.SSOAccountID) != 0:
 	case len(c.SSORegion) != 0:
 	case len(c.SSORoleName) != 0:

diff --git a/credentials/ssocreds/sso_credentials_provider.go b/credentials/ssocreds/sso_credentials_provider.go
@@ -45,6 +45,8 @@ type Options struct {
 	// If custom cached token filepath is used, the Provider's startUrl
 	// parameter will be ignored.
 	CachedTokenFilepath string
+
+	TokenClient CreateTokenAPIClient
 }
 
 // Provider is an AWS credential provider that retrieves temporary AWS
@@ -97,8 +99,20 @@ func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 		return aws.Credentials{}, &InvalidTokenError{}
 	}
 
+	var accessToken *string
+	if p.options.TokenClient != nil {
+		tokenProvider := NewSSOTokenProvider(p.options.TokenClient, p.cachedTokenFilepath)
+		token, err := tokenProvider.RetrieveBearerToken(ctx)
+		if err != nil {
+			return aws.Credentials{}, err
+		}
+		accessToken = &token.Value
+	} else {
+		accessToken = &tokenFile.AccessToken
+	}
+
 	output, err := p.options.Client.GetRoleCredentials(ctx, &sso.GetRoleCredentialsInput{
-		AccessToken: &tokenFile.AccessToken,
+		AccessToken: accessToken,
 		AccountId:   &p.options.AccountID,
 		RoleName:    &p.options.RoleName,
 	})