Merge pull request #245 from Theodo-UK/feature/add-mfa-profiles-to-gu…

…ardian Add option to supply mfa token in command line
aleios-cloud · May 12, 2020 · a6312d9 · a6312d9
2 parents 58915e5 + 6143cb2
commit a6312d9
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 5 deletions.
diff --git a/src/CLIMain.js b/src/CLIMain.js
@@ -188,7 +188,11 @@ class Main {
   }
 
   init() {
-    const creds = getAWSCredentials(this.program.profile, this.screen);
+    const creds = getAWSCredentials(
+      this.program.profile,
+      this.program,
+      this.screen
+    );
 
     return creds
       .getPromise()

diff --git a/src/guardian/index.js b/src/guardian/index.js
@@ -20,7 +20,7 @@ const failTitleLog = chalk.redBright.underline.bold;
 
 class GuardianCI {
   constructor(program) {
-    AWS.config.credentials = getAWSCredentials(program.profile);
+    AWS.config.credentials = getAWSCredentials(program.profile, program);
     if (program.region) {
       AWS.config.region = program.region;
     }

diff --git a/src/index.js b/src/index.js
@@ -30,6 +30,7 @@ program
   .option("--sls", "use the serverless framework to execute commands")
   .option("--sam", "use the SAM framework to execute commands")
   .option("-c, --ci", "ci mode for sls-dev-guardian checks")
+  .option("--mfa <mfa>", "mfa token for profiles with mfa authentication")
   .parse(process.argv);
 
 program.location = program.location || process.cwd();

diff --git a/src/services/awsCredentials.js b/src/services/awsCredentials.js
@@ -2,12 +2,31 @@ import AWS from "aws-sdk";
 
 import { promptMfaModal } from "../modals";
 
-function getAWSCredentials(profile, screen) {
+function getAWSCredentials(profile, program, screen) {
+  // Define tokenCodeFn for SharedIniFileCredentials:
+  // Arguments:
+  //  serial - mfa device serial, not used as code is supplied manually
+  //  callback - callback function which takes (err, token) as arguments. Here err isn't used as token is entered manually
+  let mfaCodeFn;
+  if (program.mfa) {
+    // If mfa token defined in cli options, supply to callback and run immediately
+    mfaCodeFn = (serial, callback) => callback(null, program.mfa);
+  } else if (screen) {
+    // promptMfaModal allows user to enter token on screen, and runs callback on entry
+    mfaCodeFn = (serial, callback) => promptMfaModal(callback, screen);
+  } else {
+    // If using Guardian and --mfa not supplied
+    mfaCodeFn = () =>
+      console.error(
+        "In-tool mfa authentication isn't supported for guardian. Please provide your mfa token via the --mfa option"
+      );
+  }
+
   if (profile) {
     process.env.AWS_SDK_LOAD_CONFIG = 1;
     return new AWS.SharedIniFileCredentials({
       profile,
-      tokenCodeFn: (serial, callback) => promptMfaModal(callback, screen),
+      tokenCodeFn: mfaCodeFn,
       callback: (err) => {
         if (err) {
           console.error(`SharedIniFileCreds Error: ${err}`);
@@ -25,7 +44,7 @@ function getAWSCredentials(profile, screen) {
   if (process.env.AWS_PROFILE) {
     return new AWS.SharedIniFileCredentials({
       profile: process.env.AWS_PROFILE,
-      tokenCodeFn: (serial, callback) => promptMfaModal(callback, screen),
+      tokenCodeFn: mfaCodeFn,
       callback: (err) => {
         if (err) {
           console.error(`SharedIniFileCreds Error: ${err}`);