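        /// <summary>
        /// Authenticates against the IBM IAM endpoint, retrieves the SAML assertion and writes
        /// every AWS role the assertion grants to the pipeline, optionally restricted to the
        /// account ids passed in <c>AwsAccountId</c>.
        /// </summary>
        /// <remarks>
        /// Nothing is stored by this cmdlet; it only enumerates roles. All failures are reported
        /// through <c>WriteError</c> (non-terminating) so the pipeline keeps running.
        /// </remarks>
        protected override void ProcessRecord()
        {
            try
            {
                // An explicit -Credential is handed to the scraper; otherwise Credentials stays
                // null and credential acquisition is left to IbmIam2AwsSamlScreenScrape.
                NetworkCredential scraperCredential = null;
                if (this.Credential != null)
                {
                    base.WriteVerbose(Lang.UseGivenNetworkCredentials);
                    scraperCredential = this.Credential.GetNetworkCredential();
                }

                // SECURITY: ServicePointManager.SecurityProtocol is process-wide. This assignment
                // outlives the cmdlet and applies to every later HTTPS request in the PowerShell
                // session; selecting a legacy protocol (SSL3 / TLS 1.0 / TLS 1.1) here downgrades the
                // TLS posture of the whole process. Leave it at the system default unless the IdP
                // genuinely requires otherwise.
                ServicePointManager.SecurityProtocol = this.SecurityProtocol;

                IbmIam2AwsSamlScreenScrape scraper = new IbmIam2AwsSamlScreenScrape(this)
                {
                    ErrorClass   = this.ErrorClass,
                    ErrorElement = this.ErrorElement,
                    Proxy        = this.GetWebProxy(),
                    Credentials  = scraperCredential,
                    // Route the scraper's log levels onto the matching PowerShell streams.
                    Logger       = (message, level) =>
                    {
                        switch (level)
                        {
                        case LogType.Debug:
                            this.WriteVerbose(message);
                            break;

                        case LogType.Info:
                            // Written straight to the host: this bypasses stream redirection
                            // (WriteInformation would be capturable via -InformationVariable).
                            this.Host.UI.WriteLine(message);
                            break;

                        case LogType.Warning:
                            this.WriteWarning(message);
                            break;

                        case LogType.Error:
                            this.WriteError(new ErrorRecord(new Exception(message), "5000", ErrorCategory.NotSpecified, this));
                            break;
                        }
                    }
                };

                // The assertion itself is not needed here; the call is kept for its side effect of
                // populating the scraper state that GetRolesFromAssertion() reads.
                scraper.RetrieveSAMLAssertion(IbmIamEndpoint);
                var roles = scraper.GetRolesFromAssertion();

                // Optional account filter (case-insensitive on the 12-digit account id).
                if (AwsAccountId != null && AwsAccountId.Length > 0)
                {
                    roles = roles.Where(r => AwsAccountId.Contains(r.PrincipalArn.AccountId, StringComparer.OrdinalIgnoreCase)).ToArray();
                }

                foreach (var role in roles)
                {
                    this.WriteObject(role);
                }
            }
            catch (IbmIamErrorException ex)
            {
                base.WriteError(new ErrorRecord(ex, ex.ErrorCode, ErrorCategory.NotSpecified, this));
            }
            catch (IbmIamPasswordExpiredException ex)
            {
                base.WriteError(new ErrorRecord(ex, "PasswordExpired", ErrorCategory.AuthenticationError, this));
            }
            catch (Exception ex)
            {
                // NOTE(review): every other failure (network, parsing, TLS) is surfaced as an
                // InvalidArgument "unable to set credentials" error; the original exception is kept
                // as InnerException so the real cause is still reachable.
                base.WriteError(new ErrorRecord(new ArgumentException(string.Format(CultureInfo.CurrentCulture, Lang.ErrorUnableSetCredentials, ex.Message), ex), "ArgumentException", ErrorCategory.InvalidArgument, this));
            }
        }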
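        /// <summary>
        /// Authenticates against the IBM IAM endpoint, retrieves the SAML assertion and either
        /// stores an AWS credential profile for every role the assertion grants
        /// (<c>-StoreAllRoles</c>) or hands a single, optionally preselected, role to
        /// <c>SelectAndStoreProfileForRole</c>.
        /// </summary>
        /// <remarks>
        /// <c>-PrincipalARN</c> and <c>-RoleARN</c> must be supplied together; one without the
        /// other is rejected via <c>ThrowExecutionError</c>.
        /// SECURITY: with <c>-StoreAllRoles</c> the temporary STS access key, secret key and
        /// session token are written by Set-AWSCredential to <c>~/.aws/credentials</c>, which is a
        /// plain-text store protected only by file-system permissions. The emitted
        /// <c>StoredInfo.AssertionDoc</c> carries the raw SAML assertion, a bearer credential
        /// while it is valid, so pipeline output should not be logged or persisted carelessly.
        /// </remarks>
        protected override void ProcessRecord()
        {
            try
            {
                string            preselectedPrincipalAndRoleARN = null;
                NetworkCredential scraperCredential = null;
                if (this.Credential != null)
                {
                    base.WriteVerbose(Lang.UseGivenNetworkCredentials);
                    scraperCredential = this.Credential.GetNetworkCredential();
                }

                bool hasPrinARN = this.ParameterWasBound(nameof(PrincipalARN)) && !string.IsNullOrWhiteSpace(this.PrincipalARN);
                bool hasRoleARN = this.ParameterWasBound(nameof(RoleARN)) && !string.IsNullOrWhiteSpace(this.RoleARN);
                // Both or neither: a role can only be preselected together with its principal ARN.
                if (hasPrinARN != hasRoleARN)
                {
                    this.ThrowExecutionError(Lang.PrincipalRequiredWithRole, this);
                }
                if (hasPrinARN && hasRoleARN)
                {
                    // "role,principal" — presumably the pair format SelectAndStoreProfileForRole
                    // matches against; the exact contract lives in that helper.
                    preselectedPrincipalAndRoleARN = $"{this.RoleARN},{this.PrincipalARN}";
                }

                // SECURITY: ServicePointManager.SecurityProtocol is process-wide. This assignment
                // outlives the cmdlet and applies to every later HTTPS request in the PowerShell
                // session; selecting a legacy protocol (SSL3 / TLS 1.0 / TLS 1.1) here downgrades the
                // TLS posture of the whole process. Leave it at the system default unless the IdP
                // genuinely requires otherwise.
                ServicePointManager.SecurityProtocol = this.SecurityProtocol;

                IbmIam2AwsSamlScreenScrape scraper = new IbmIam2AwsSamlScreenScrape(this)
                {
                    ErrorClass   = this.ErrorClass,
                    ErrorElement = this.ErrorElement,
                    Proxy        = this.GetWebProxy(),
                    Credentials  = scraperCredential,
                    // Route the scraper's log levels onto the matching PowerShell streams.
                    Logger       = (message, level) =>
                    {
                        switch (level)
                        {
                        case LogType.Debug:
                            this.WriteVerbose(message);
                            break;

                        case LogType.Info:
                            // Written straight to the host: this bypasses stream redirection
                            // (WriteInformation would be capturable via -InformationVariable).
                            this.Host.UI.WriteLine(message);
                            break;

                        case LogType.Warning:
                            this.WriteWarning(message);
                            break;

                        case LogType.Error:
                            this.WriteError(new ErrorRecord(new Exception(message), "5000", ErrorCategory.NotSpecified, this));
                            break;
                        }
                    }
                };

                var assertion = scraper.RetrieveSAMLAssertion(IbmIamEndpoint);
                var roles     = scraper.GetRolesFromAssertion();

                // Single-role path: selection (interactive or preselected) and storage are delegated.
                if (!this.StoreAllRoles)
                {
                    StoredInfo sendToPipeline = this.SelectAndStoreProfileForRole(assertion, roles, preselectedPrincipalAndRoleARN);
                    base.WriteObject(sendToPipeline);
                    return;
                }

                // Optional account filter (case-insensitive on the 12-digit account id).
                if (AwsAccountId != null && AwsAccountId.Length > 0)
                {
                    roles = roles.Where(r => AwsAccountId.Contains(r.PrincipalArn.AccountId, StringComparer.OrdinalIgnoreCase)).ToArray();
                }

                // $HOME is a PowerShell automatic variable, but guard anyway: Path.Combine throws
                // ArgumentNullException on a null segment, which would otherwise surface as an
                // opaque "5000" error for every role.
                var home = this.GetVariableValue("HOME") as string;
                if (string.IsNullOrEmpty(home))
                {
                    home = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
                }
                var credentialsFile = Path.Combine(home, ".aws", "credentials");

                foreach (var role in roles)
                {
                    // Each role gets its own profile named after the role resource; honouring a
                    // single -StoreAs here would make every iteration overwrite the previous one.
                    // The same name is used for the written profile, the verbose message and the
                    // emitted StoredInfo so the pipeline object reports where the profile really is
                    // (previously StoredInfo.StoreAs could claim this.StoreAs while the file used the
                    // role resource).
                    var profileName = role.RoleArn.Resource;

                    this.WriteVerbose($"Getting [{role.PrincipalArn}] tokens using [{role.RoleArn}]");
                    try
                    {
                        var assumed = this.ExecuteCmdletInPipeline<dynamic>("Use-STSRoleWithSAML", new
                        {
                            SAMLAssertion     = scraper.Assertion,
                            RoleArn           = role.RoleArn.OriginalString,
                            PrincipalArn      = role.PrincipalArn.OriginalString,
                            DurationInSeconds = 60 * this.TokenDurationInMinutes
                        }).FirstOrDefault();

                        // Use-STSRoleWithSAML may produce no output (e.g. the assumption failed
                        // non-terminatingly); report that explicitly instead of dereferencing null.
                        if ((object)assumed == null)
                        {
                            this.WriteError(new ErrorRecord(
                                new InvalidOperationException($"Use-STSRoleWithSAML returned no credentials for role '{role.RoleArn}'."),
                                "5000", ErrorCategory.NotSpecified, this));
                            continue;
                        }

                        this.WriteObject(new StoredInfo
                        {
                            AssertionDoc = assertion,
                            Expires      = assumed.Credentials.Expiration,
                            PrincipalArn = role.PrincipalArn,
                            RoleArn      = role.RoleArn,
                            StoreAs      = profileName
                        });

                        base.WriteVerbose($"Saving role '{role.Value}' to profile '{profileName}'.");
                        // Plain-text credential file; see the <remarks> above.
                        _ = this.ExecuteCmdletInPipeline("Set-AWSCredential", new
                        {
                            ProfileLocation = credentialsFile,
                            AccessKey       = assumed.Credentials.AccessKeyId,
                            SecretKey       = assumed.Credentials.SecretAccessKey,
                            assumed.Credentials.SessionToken,
                            StoreAs = profileName
                        });
                    }
                    // TODO(review): an expired assertion mid-loop (ExpiredTokenException) could be
                    // handled by re-fetching the assertion and retrying this role; an earlier sketch
                    // of that retry was never wired up, so today it falls through to the generic
                    // handler below.
                    catch (Exception ex)
                    {
                        // One failing role must not stop the remaining roles from being stored.
                        this.WriteError(new ErrorRecord(ex, "5000", ErrorCategory.NotSpecified, this));
                    }
                }
            }
            catch (IbmIamErrorException ex)
            {
                base.WriteError(new ErrorRecord(ex, ex.ErrorCode, ErrorCategory.NotSpecified, this));
            }
            catch (IbmIamPasswordExpiredException ex)
            {
                base.WriteError(new ErrorRecord(ex, "PasswordExpired", ErrorCategory.AuthenticationError, this));
            }
            catch (Exception ex)
            {
                // NOTE(review): every other failure (network, parsing, TLS) is surfaced as an
                // InvalidArgument "unable to set credentials" error; the original exception is kept
                // as InnerException so the real cause is still reachable.
                base.WriteError(new ErrorRecord(new ArgumentException("Unable to set credentials: " + ex.Message, ex), "ArgumentException", ErrorCategory.InvalidArgument, this));
            }
        }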