Merge pull request #1183 from 99designs/preference-stored-creds

Preference stored credentials over other credential sources
99designs · Mar 9, 2023 · d25afcf · d25afcf
2 parents 276270c + ef2b8b9
commit d25afcf
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 102 deletions.
diff --git a/vault/config.go b/vault/config.go
@@ -680,35 +680,3 @@ func (c *ProfileConfig) GetSessionTokenDuration() time.Duration {
 	}
 	return c.NonChainedGetSessionTokenDuration
 }
-
-func (c *ProfileConfig) Validate() error {
-	if c.HasSSOSession() && !c.HasSSOStartURL() {
-		return fmt.Errorf("profile '%s' has sso_session but no sso_start_url", c.ProfileName)
-	}
-
-	n := 0
-	if c.HasSSOStartURL() {
-		n++
-	}
-	if c.HasWebIdentity() {
-		n++
-	}
-	if c.HasCredentialProcess() {
-		n++
-	}
-	if c.HasSourceProfile() {
-		n++
-	}
-	if c.HasRole() &&
-		// these cases require the role to be set in addition, so it's part of
-		// their credential.
-		!c.HasSourceProfile() &&
-		!c.HasWebIdentity() {
-		n++
-	}
-	if n > 1 {
-		return fmt.Errorf("profile '%s' has more than one source of credentials", c.ProfileName)
-	}
-
-	return nil
-}
diff --git a/vault/config_test.go b/vault/config_test.go
@@ -616,49 +616,3 @@ source_profile = interim
 		t.Fatalf("Expected transitive_session_tags to be empty, got %+v", baseConfig.TransitiveSessionTags)
 	}
 }
-
-func TestValidConfigValidation(t *testing.T) {
-	f := newConfigFile(t, []byte(`
-[profile foo]
-region         = eu-west-1
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-
-[profile foo:staging]
-role_arn       = arn:aws:iam::1111111111111:role/admin
-source_profile = foo
-region         = eu-west-2
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-
-[profile foo:production]
-role_arn       = arn:aws:iam::1111111111111:role/admin
-source_profile = foo
-region         = eu-west-2
-mfa_serial     = arn:aws:iam::9999999999999:mfa/david
-credential_process = true
-
-[profile withwebidentity]
-role_arn = arn:aws:iam::123457890:role/foo
-web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
-`))
-	defer os.Remove(f)
-	configFile, _ := vault.LoadConfig(f)
-	configLoader := &vault.ConfigLoader{File: configFile}
-
-	config, _ := configLoader.GetProfileConfig("foo:staging")
-	err := config.Validate()
-	if err != nil {
-		t.Fatalf("Should have validated: %v", err)
-	}
-
-	config, _ = configLoader.GetProfileConfig("foo:production")
-	err = config.Validate()
-	if err == nil {
-		t.Fatalf("Should have failed validation: %v", err)
-	}
-
-	config, _ = configLoader.GetProfileConfig("withwebidentity")
-	err = config.Validate()
-	if err != nil {
-		t.Fatalf("Should have validated withwebidentity: %v", err)
-	}
-}
diff --git a/vault/vault.go b/vault/vault.go
@@ -237,46 +237,44 @@ type tempCredsCreator struct {
 	chainedMfa string
 }
 
-func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsProvider aws.CredentialsProvider, err error) {
-	if config.HasSourceProfile() {
-		log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
-		return t.GetProviderForProfile(config.SourceProfile)
-	}
-
-	hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
-	if err != nil {
-		return nil, err
-	}
-
+func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig, hasStoredCredentials bool) (sourcecredsProvider aws.CredentialsProvider, err error) {
 	if hasStoredCredentials {
 		log.Printf("profile %s: using stored credentials", config.ProfileName)
 		return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
 	}
 
+	if config.HasSourceProfile() {
+		log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
+		return t.GetProviderForProfile(config.SourceProfile)
+	}
+
 	return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
 }
 
 func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
-	if err := config.Validate(); err != nil {
+	hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
+	if err != nil {
 		return nil, err
 	}
 
-	if config.HasSSOStartURL() {
-		log.Printf("profile %s: using SSO role credentials", config.ProfileName)
-		return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
-	}
+	if !hasStoredCredentials {
+		if config.HasSSOStartURL() {
+			log.Printf("profile %s: using SSO role credentials", config.ProfileName)
+			return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 
-	if config.HasWebIdentity() {
-		log.Printf("profile %s: using web identity", config.ProfileName)
-		return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
-	}
+		if config.HasWebIdentity() {
+			log.Printf("profile %s: using web identity", config.ProfileName)
+			return NewAssumeRoleWithWebIdentityProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 
-	if config.HasCredentialProcess() {
-		log.Printf("profile %s: using credential process", config.ProfileName)
-		return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		if config.HasCredentialProcess() {
+			log.Printf("profile %s: using credential process", config.ProfileName)
+			return NewCredentialProcessProvider(t.Keyring.Keyring, config, !t.DisableCache)
+		}
 	}
 
-	sourcecredsProvider, err := t.getSourceCreds(config)
+	sourcecredsProvider, err := t.getSourceCreds(config, hasStoredCredentials)
 	if err != nil {
 		return nil, err
 	}