GitList

feature: add error handling for invalid tokens

Edward Langley authored on 30/09/2019 07:36:04
Showing 3 changed files

aws-access.asd index ae58849..b41d545 100644
src/domain.lisp index 25ab30d..e644474 100644
src/mfa-tool.lisp index 9dac4d1..8a43017 100644

@@ -14,7 +14,9 @@
                                   :serapeum
                                   :ubiquitous
                                   :uiop
                 -                 :yason)
                 +                 :yason
                 +                 :cxml
                 +                 :xpath)
                      :serial t
                      :components ((:module "src"
                                    :serial t

src/domain.lisp

History View file @ 40c2d5d

@@ -7,21 +7,41 @@
                  (defparameter *user_management_account_id* 597974043991)
                 +(defun mfa-serial-number (account user)
                 +  (format nil "arn:aws:iam::~a:mfa/~a"
                 +          account
                 +          user))
+                +
                 +(defun role-arn (account role)
                 +  (format nil "arn:aws:iam::~a:role/cjorganization/~a"
                 +          account
                 +          role))
+                +
                 +(defun read-new-mfa-token ()
                 +  (format *query-io* "~&New MFA token: ")
                 +  (finish-output *query-io*)
                 +  (list (read-line *query-io*)))
                  (defun do-auth (user role token account)
                    (let ((mfa-serial-number
                 -          (format nil "arn:aws:iam::~a:mfa/~a"
                 -                  *user_management_account_id*
                 -                  user))
                 -        (role-arn
                 -          (format nil "arn:aws:iam::~a:role/cjorganization/~a"
                 -                  account
                 -                  role)))
                 -    (aws/sts:assume-role :role-arn role-arn
                 -                         :role-session-name (session-name)
                 -                         :serial-number mfa-serial-number
                 -                         :duration-seconds #.(* 12 60 60)
                 -                         :token-code token)))
                 +          (mfa-serial-number *user_management_account_id*
                 +                             user))
                 +        (role-arn (role-arn account role)))
                 +    (loop
                 +      (restart-case
                 +          (return
                 +            (aws/sts:assume-role :role-arn role-arn
                 +                                 :role-session-name (session-name)
                 +                                 :serial-number mfa-serial-number
                 +                                 :duration-seconds #.(* 12 60 60)
                 +                                 :token-code token))
                 +        (change-mfa-token (new-token)
                 +          :interactive read-new-mfa-token
                 +          (setf token new-token))))))
+                +
                 +(defun change-mfa-token (new-value)
                 +  (when (find-restart 'change-mfa-token)
                 +    (invoke-restart 'change-mfa-token new-value)))
                  (defun get-url (params)
                    (format nil "https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=~a"
@@ -71,3 +91,17 @@
                                                 :url url)
                                  :best-width 1280
                                  :best-height 800))
+                +
                 +(defun sts-error-value (sts-response)
                 +  (let ((parsed-error (dom:first-child
                 +                       (cxml:parse sts-response
                 +                                   (cxml-dom:make-dom-builder)))))
                 +    (flet ((get-node (path)
                 +             (dom:node-value
                 +              (dom:first-child
                 +               (xpath:first-node
                 +                (xpath:with-namespaces (("" "https://sts.amazonaws.com/doc/2011-06-15/"))
                 +                  (xpath:evaluate path parsed-error)))))))
                 +      (values (get-node "//Error/Type")
                 +              (get-node "//Error/Code")
                 +              (get-node "//Error/Message")))))

src/mfa-tool.lisp

History View file @ 40c2d5d

@@ -27,7 +27,23 @@
                          (user-name (capi:text-input-pane-text (user-input interface)))
                          (account (cdr (capi:choice-selected-item (account-selector interface)))))
                      (clear-cookies)
                 -    (multiple-value-bind (signin-token creds) (run-process account user-name token)
                 +    (multiple-value-bind (signin-token creds)
                 +        (handler-bind (((or dexador:http-request-forbidden
                 +                            dexador:http-request-bad-request)
                 +                         (lambda (c)
                 +                           (let ((message (nth-value 2 (sts-error-value (dex:response-body c)))))
                 +                             (multiple-value-bind (new-code completed)
                 +                                 (capi:prompt-for-string (format nil "~a~%Enter new MFA token:"
                 +                                                                 message)
                 +                                                         :ok-check (lambda (v)
                 +                                                                     (and (every 'digit-char-p v)
                 +                                                                          (= (length v) 6))))
                 +                               (if completed
                 +                                   (progn (setf (capi:text-input-pane-text (mfa-input interface))
                 +                                                new-code)
                 +                                          (change-mfa-token new-code))
                 +                                   (capi:abort-callback)))))))
                 +          (run-process account user-name token))
                        (with-open-file (stream (make-pathname :name ""
                                                               :type "cj-aws"
                                                               :defaults (user-homedir-pathname))
@@ -59,12 +75,14 @@
                             (capi:convert-to-screen))))
                      (typep active-interface '(not mfa-tool))))
                 -(defun load-accounts ()
                 +(defun load-accounts (&optional account-source)
                    (yason:parse
                     (alexandria:read-file-into-string
                 -    (merge-pathnames (make-pathname :name "accounts"
                 -                                    :type "json")
                 -                     (bundle-resource-root)))))
                 +    (if account-source
                 +        account-source
                 +        (merge-pathnames (make-pathname :name "accounts"
                 +                                        :type "json")
                 +                         (bundle-resource-root))))))
                  (defun reprocess-accounts (accounts)
                    (let ((accounts (gethash "Accounts" accounts))