Added logging and proper support for MFA in iam-auth-proxy

hamstah · Jun 26, 2018 · 70d905c · 70d905c
1 parent c4210b5
commit 70d905c
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.8.0
+5.8.1
diff --git a/iam/auth-proxy/README.md b/iam/auth-proxy/README.md
@@ -36,7 +36,7 @@ You want to use IAM as your identity provider for a service as you already use I
 
 # Authentication Flow
 
-The proxy runs on the local machine of the user and negociate an auth cookie with the remote server.
+The proxy runs on the local machine of the user and negotiate an auth cookie with the remote server.
 
 ```
    +-----------+                +---------+                +----------+                +-------+

diff --git a/iam/auth-proxy/main.go b/iam/auth-proxy/main.go
@@ -121,6 +121,7 @@ func main() {
 				encryptionContext := map[string]string{}
 				err = json.Unmarshal(jsonEncryptionContext, &encryptionContext)
 				if err != nil {
+					log.Println(err)
 					return forbidden(r.Request, "Invalid auth headers returned by the server: Can't decode KMS encryption context")
 				}
 
@@ -129,22 +130,31 @@ func main() {
 
 				identity, err := stsClient.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 				if err != nil {
+					log.Println(err)
 					return forbidden(r.Request, "Could not fetch IAM identity to authenticate")
 				}
 
 				if *identity.Account != realm[1] {
 					return forbidden(r.Request, fmt.Sprintf("The IAM identity does not match the server realm (expected: %s)", realm[1]))
 				}
 
-				creds, err := stsClient.GetSessionToken(&sts.GetSessionTokenInput{
+				tokenStsClient := stsClient
+				if *flags.RoleArn != "" || *flags.MFASerialNumber != "" {
+					// get the session token without the session
+					tokenStsClient = sts.New(common.NewSession(*flags.Region))
+				}
+
+				creds, err := tokenStsClient.GetSessionToken(&sts.GetSessionTokenInput{
 					DurationSeconds: aws.Int64(900),
 				})
 				if err != nil {
+					log.Println(err)
 					return forbidden(r.Request, "Could not get a session token")
 				}
 
 				serialized, err := json.Marshal(creds.Credentials)
 				if err != nil {
+					log.Println(err)
 					return forbidden(r.Request, "Could not get a session token")
 				}
 
@@ -160,6 +170,7 @@ func main() {
 					EncryptionContext: awsEncryptionContext,
 				})
 				if err != nil {
+					log.Println(err)
 					return forbidden(r.Request, "Could not get encrypt token")
 				}
 				str := base64.StdEncoding.EncodeToString(kmsRes.CiphertextBlob)