bin: update get-aws-login to be more sudo-like

.local/bin/get-aws-login

@@ -1,78 +1,191 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+function log {
+  if [ -t 1 ]; then
+    echo "$@" >&2
+  fi
+}
 
 # ignore existing credentials
 unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 
-profile=$1
-duration=${2:-28800}
-mfa_serial_number=$(aws configure get mfa_serial)
-if [ "$profile" != "default" ]; then
-  if ! role_arn=$(aws configure get "profile.$profile.role_arn"); then
-    echo "role_arn not set for profile $profile"
-    echo "run aws configure set profile.$profile.role_arn <role arn>"
-    exit 1
-  fi
-fi
+output="eval"
+duration=900
+use_cache=1
 
-read -srp "Password: " password
->&2 echo ""
+eval set -- "$(getopt -o p:d:o: --long profile:,duration:,output: -- "$@")"
+while true; do
+  case "$1" in
+    -p|--profile)
+      profile=$2
+      shift 2
+      ;;
+    -d|--duration)
+      if [ -n "$2" ]; then
+        duration=$2
+        use_cache=0
+      fi
+      shift 2
+      ;;
+    -o|--output)
+      if [ -n "$2" ]; then
+        output=$2
+      fi
+      shift 2
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "Internal error!"
+      exit 1
+  esac
+done
 
-use_cache=0
-cache_gpg="$XDG_RUNTIME_DIR/aws-$profile.gpg"
-if [ -z "${2:-}" ]; then
-  use_cache=1
-fi
+cache_key="aws-$profile"
+cache_gpg="$XDG_RUNTIME_DIR/$cache_key.gpg"
 
-function get_credentials {
-  keepassxc-cli show -q "$KEEPASS_FILE" "$KEEPASS_AWS_ENTRY" -a "$1" <<< "$password"
+function get_from_keepassxc {
+  keepassxc-cli show -q "$KEEPASS_FILE" "$KEEPASS_AWS_ENTRY" -a "$1" <<< "$2"
 }
 
-function get_cached {
-  if [ "$use_cache" -eq 0 ]; then
+function get_role_arn {
+  if ! aws configure get "profile.$profile.source_role_arn"; then
+    log "source_role_arn not set for profile $profile"
+    log "run aws configure set profile.$profile.source_role_arn <role arn>"
     return 1
   fi
+}
+
+function get_cached_long_term_credentials {
   if [ ! -f "$cache_gpg" ]; then
-    >&2 echo "No cached credentials, requesting new"
+    log "No cached long-term credentials, requesting new"
     return 1
   fi
-  if ! cached=$(gpg --batch -d --passphrase "$password" "$cache_gpg"); then
-    >&2 echo "Error getting cached credentials"
-    exit 1
+
+  if ! cached=$(gpg --batch -d --passphrase-file <(echo "$password") "$cache_gpg" 2>/dev/null); then
+    log "Error getting cached long-term credentials"
+    return 2
   fi
+
   expiration=$(date -d "$(jq -r '.Credentials.Expiration' <<< "$cached")" +%s)
   if [ "$expiration" -lt "$(date +%s)" ]; then
-    >&2 echo "Cached credentials expired, requesting new"
+    log "Cached long-term credentials expired, requesting new"
     return 1
   fi
 
-  >&2 echo "Using cached credentials, expires $(date -d "@$expiration" +%H:%M)"
   echo "$cached"
 }
 
-AWS_ACCESS_KEY_ID=$(get_credentials UserName)
-AWS_SECRET_ACCESS_KEY=$(get_credentials Password)
+function get_long_term_credentials {
+  local duration
+  local password
+  duration="$1"
+  if ! password=$(zenity --password --timeout=60 2> /dev/null); then
+    log "Failed to get password"
+    return 1
+  fi
+
+  credentials=$(get_cached_long_term_credentials)
+  retcode=$?
+  if [ $retcode -eq 2 ]; then
+    exit 1
+  elif [ $retcode -eq 1 ]; then
+    if ! role_arn=$(get_role_arn); then
+      return 1
+    fi
+
+    if ! AWS_ACCESS_KEY_ID=$(get_from_keepassxc UserName "$password"); then
+      log "Failed to open vault"
+      exit 1
+    fi
+    if ! AWS_SECRET_ACCESS_KEY=$(get_from_keepassxc Password "$password"); then
+      log "Failed to open vault"
+      exit 1
+    fi
 
-if ! credentials=$(get_cached); then
-  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
+    export AWS_PROFILE=default
 
-  read -rp "MFA: " mfa
+    mfa_serial_number=$(aws configure get mfa_serial)
 
-  if [ "$profile" = "default" ]; then
-    credentials=$(aws sts get-session-token --serial-number $mfa_serial_number --token-code "$mfa" --duration-seconds "$duration")
-  else
-    credentials=$(aws sts assume-role --serial-number $mfa_serial_number --token-code "$mfa" --role-arn "$role_arn" --role-session-name "$(hostname)" --duration-seconds "$duration")
+    if ! mfa=$(zenity --entry --text=MFA 2> /dev/null); then
+      log "Failed to get MFA"
+      return 1
+    fi
+
+    if credentials=$(aws sts assume-role --serial-number "$mfa_serial_number" --token-code "$mfa" --role-arn "$role_arn" --role-session-name "$(hostname)" --duration-seconds "$duration"); then
+      gpg --batch -c --passphrase-file <(echo "$password") <<< "$credentials" > "$cache_gpg"
+    else
+      return 1
+    fi
   fi
 
-  if [ "$use_cache" -eq 1 ]; then
-    gpg --batch -c --passphrase "$password" <<< "$credentials" > "$cache_gpg"
+  echo "$credentials"
+}
+
+function get_cached_short_term_credentials {
+  if [ "$use_cache" -eq 0 ]; then
+    return 1
   fi
-fi
 
+  keyctl pipe "%user:$cache_key" 2>/dev/null
+}
+
+function get_short_term_credentials {
+  if ! credentials=$(get_cached_short_term_credentials); then
+    if ! role_arn=$(get_role_arn); then
+      return 1
+    fi
+
+    if ! long_term_credentials="$(get_long_term_credentials 43200)"; then
+      return 1
+    fi
+
+    AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId <<<"$long_term_credentials")
+    AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey <<<"$long_term_credentials")
+    AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken <<<"$long_term_credentials")
+
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+
+    if credentials=$(aws sts assume-role --role-arn "$role_arn" --role-session-name "$(hostname)" --duration-seconds "$duration"); then
+      keyctl padd user "$cache_key" @s <<<"$credentials" >/dev/null
+      keyctl timeout "%user:$cache_key" "$duration" >/dev/null
+    else
+      return 1
+    fi
+  fi
+
+  echo "$credentials"
+}
+
+while keyctl read '%user:lock' >/dev/null 2>&1; do
+  sleep 1
+done
+keyctl add user lock lock @s >/dev/null 2>&1
 
-jq -r '.Credentials | @sh "
+function finish {
+  keyctl revoke '%user:lock' 2>&1
+}
+
+trap finish EXIT
+
+if [ "$duration" -gt 3600 ]; then
+  if ! credentials=$(get_long_term_credentials "$duration"); then
+    exit 1
+  fi
+else
+  if ! credentials=$(get_short_term_credentials); then
+    exit 1
+  fi
+fi
+
+if [ "$output" = "credential_process" ]; then
+  jq '.Credentials | .Version=1' <<< "$credentials"
+else
+  jq <<< "$credentials" -r '.Credentials | @sh "
 export AWS_ACCESS_KEY_ID=\(.AccessKeyId)
 export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)
-export AWS_SESSION_TOKEN=\(.SessionToken)
-"' <<< "$credentials"
+export AWS_SESSION_TOKEN=\(.SessionToken)"'
+fi