Merge branch 'master' into bugfix/dw_add_number_challeng

Author: mapkon

.dockerignore

@@ -0,0 +1 @@
+.buildtemp

.github/workflows/go.yml

@@ -24,7 +24,6 @@ jobs:
 
       - name: Test
         run: |
-          go run github.com/playwright-community/playwright-go/cmd/playwright install
           go test -v ./... -coverprofile=${{ matrix.os }}_coverage.txt -covermode=atomic
 
       - name: Upload coverage report
@@ -53,7 +52,8 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.51.2
+          version: v1.53.2
+          args: --timeout=2m
 
   coverage:
     name: coverage
@@ -81,6 +81,7 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
+          - ubuntu-20.04
           - macos-latest
     runs-on: ${{ matrix.os }}
     steps:
@@ -93,7 +94,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install dependency required for linux builds
-        if: matrix.os == 'ubuntu-latest'
+        if: matrix.os == 'ubuntu-20.04'
         run: sudo apt-get update && sudo apt-get install -y libudev-dev
 
       - name: GoReleaser

.github/workflows/release.yml

@@ -20,9 +20,11 @@ jobs:
       matrix:
         os:
         - ubuntu-latest
+        - ubuntu-20.04
         - macos-latest
     runs-on: ${{ matrix.os }}
     if: github.event_name != 'workflow_dispatch'
+    permissions: write-all
     steps:
 
     - name: Set up Go 1.x
@@ -34,20 +36,33 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Install dependency required for linux builds
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'ubuntu-20.04'
       run: sudo apt-get update && sudo apt-get install -y libudev-dev
 
+    - name: Add Lowercase Repository Name to Environment
+      run: |
+        echo REPOSITORY_NAME_LOWERCASE=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+
+    - uses: "docker/login-action@v2"
+      if: matrix.os == 'ubuntu-20.04'
+      with:
+        registry: "ghcr.io"
+        username: "${{ github.actor }}"
+        password: "${{ secrets.GITHUB_TOKEN }}"
     - name: GoReleaser
       uses: goreleaser/goreleaser-action@v4
       with:
         version: latest
         args: release --clean --config .goreleaser.${{ matrix.os }}.yml
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        IMAGE_NAME: ${{ env.REPOSITORY_NAME_LOWERCASE }}
 
   windows-msi:
     name: Build Windows MSI and upload to release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: [release]
     if: >-  # https://github.com/actions/runner/issues/491
       always() &&
@@ -76,7 +91,7 @@ jobs:
 
     - name: Retrieve the release asset
       id: asset
-      uses: robinraju/release-downloader@768b85c8d69164800db5fc00337ab917daf3ce68  # v1.7
+      uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51  # v1.8
       with:
         repository: ${{ github.repository }}
         tag: ${{ env.VER_TAG }}

.gitignore

@@ -20,3 +20,4 @@ bin/
 
 # direnv
 .envrc
+.buildtemp

.golangci.yaml

@@ -2,13 +2,10 @@ linters:
   disable-all: true
   enable:
     - goimports
-    - deadcode
     - errcheck
     - gosimple
     - govet
     - ineffassign
     - staticcheck
-    - structcheck
     - typecheck
     - unused
-    - varcheck

.goreleaser.macos-latest.yml

@@ -15,14 +15,6 @@ builds:
     - amd64
     - arm64
     - arm
-  overrides:
-    - goos: linux
-      goarch: amd64
-      goamd64: v1
-      tags:
-        - hidraw
-      env:
-        - CGO_ENABLED=1
 archives:
   - format: tar.gz
     wrap_in_directory: false

.goreleaser.ubuntu-20.04.yml

@@ -0,0 +1,94 @@
+---
+project_name: saml2aws-u2f
+
+builds:
+- id: saml2aws
+  main: ./cmd/saml2aws/main.go
+  binary: saml2aws
+  flags:
+    - -trimpath
+    - -v
+  ldflags:
+    - -s -w -X main.Version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}
+  goos:
+    - linux
+  goarch:
+    - amd64
+  overrides:
+    - goos: linux
+      goarch: amd64
+      goamd64: v1
+      tags:
+        - hidraw
+      env:
+        - CGO_ENABLED=1
+- id: saml2aws-static
+  main: ./cmd/saml2aws/main.go
+  binary: saml2aws
+  flags:
+    - -trimpath
+    - -v
+  ldflags:
+    - -s -w -X main.Version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -extldflags "-static"
+  goos:
+    - linux
+  goarch:
+    - amd64
+    - arm64
+    - arm
+  env:
+    - CGO_ENABLED=0
+archives:
+  - id: saml2aws
+    format: tar.gz
+    builds: [saml2aws]
+    wrap_in_directory: false
+    # remove README and LICENSE
+    files:
+      - LICENSE.md
+      - README.md
+  - id: saml2aws-static
+    format: tar.gz
+    builds: [saml2aws-static]
+    wrap_in_directory: false
+    # remove README and LICENSE
+    files:
+      - LICENSE.md
+      - README.md
+    name_template: "{{ .ProjectName }}_static_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+checksum:
+  name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
+dockers:
+  - id: amd64
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+    - saml2aws-static
+    image_templates:
+      - ghcr.io/{{ .Env.IMAGE_NAME }}:{{ .Version }}-amd64
+      - ghcr.io/{{ .Env.IMAGE_NAME }}:latest-amd64
+    build_flag_templates:
+        - "--build-arg=BASE_IMAGE_ARCH=static-debian11"
+        - "--platform=linux/amd64"
+  - id: arm64
+    goos: linux
+    goarch: arm64
+    use: buildx
+    ids:
+    - saml2aws-static
+    image_templates:
+      - ghcr.io/{{ .Env.IMAGE_NAME }}:{{ .Version }}-arm64
+      - ghcr.io/{{ .Env.IMAGE_NAME }}:latest-arm64
+    build_flag_templates:
+        - "--build-arg=BASE_IMAGE_ARCH=static:latest-arm64"
+        - "--platform=linux/arm64"
+docker_manifests:
+  - name_template: ghcr.io/{{ .Env.IMAGE_NAME }}:{{ .Version }}
+    image_templates:
+    - ghcr.io/{{ .Env.IMAGE_NAME }}:{{ .Version }}-amd64
+    - ghcr.io/{{ .Env.IMAGE_NAME }}:{{ .Version }}-arm64
+  - name_template: ghcr.io/{{ .Env.IMAGE_NAME }}:latest
+    image_templates:
+    - ghcr.io/{{ .Env.IMAGE_NAME }}:latest-amd64
+    - ghcr.io/{{ .Env.IMAGE_NAME }}:latest-arm64

.goreleaser.ubuntu-latest.yml

@@ -20,10 +20,8 @@ builds:
     - goos: linux
       goarch: amd64
       goamd64: v1
-      tags:
-        - hidraw
       env:
-        - CGO_ENABLED=1
+        - CGO_ENABLED=0
 archives:
   - format: tar.gz
     wrap_in_directory: false

Dockerfile

@@ -0,0 +1,4 @@
+ARG BASE_IMAGE_ARCH=static-debian11
+FROM gcr.io/distroless/$BASE_IMAGE_ARCH
+COPY saml2aws /
+ENTRYPOINT ["/saml2aws"]

Dockerfile.build

@@ -0,0 +1,37 @@
+# base image
+FROM ubuntu:jammy
+ENV TZ=Australia/Sydney
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+# add arm64 architecture
+RUN apt-get update
+RUN dpkg --add-architecture arm64
+
+## arch-qualify the current repositories
+RUN sed -i "s/deb h/deb [arch=amd64] h/g" /etc/apt/sources.list
+
+## add arm64's repos
+RUN echo "# arm64 repositories" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy universe" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates universe" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy multiverse" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates multiverse" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security universe" >> /etc/apt/sources.list
+RUN echo "deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security multiverse" >> /etc/apt/sources.list
+
+RUN apt-get update && apt-get install -y build-essential git ca-certificates golang libudev-dev curl gnupg lsb-release curl gcc-arm* binutils-arm-linux-gnueabi crossbuild-essential-arm64 wget
+
+RUN echo \
+      "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
+      $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+RUN apt-get update && apt-get install -y docker-ce-cli
+# Replicate install of the same version of Golang that we are using in Github actions
+RUN wget  https://go.dev/dl/go1.20.2.linux-amd64.tar.gz && tar -C /usr/local -xzf go1.20.2.linux-amd64.tar.gz && rm go1.20.2.linux-amd64.tar.gz
+RUN go install github.com/goreleaser/goreleaser@latest
+ENV GOROOT="/usr/local/go"
+ENV PATH="/root/go/bin:$GOROOT/bin:${PATH}"

Makefile

@@ -1,10 +1,9 @@
 NAME=saml2aws
 ARCH=$(shell uname -m)
-OS=$(shell uname)
+OS?=$(shell uname)
 ITERATION := 1
 
 GOLANGCI_VERSION = 1.45.2
-
 GORELEASER := $(shell command -v goreleaser 2> /dev/null)
 
 SOURCE_FILES?=$$(go list ./... | grep -v /vendor/)
@@ -13,6 +12,15 @@ TEST_OPTIONS?=
 
 BIN_DIR := $(CURDIR)/bin
 
+# Choose the right config file for the OS
+ifeq ($(OS),Darwin)
+   CONFIG_FILE?=$(CURDIR)/.goreleaser.macos-latest.yml
+else ifeq ($(OS),Linux)
+   CONFIG_FILE?=$(CURDIR)/.goreleaser.ubuntu-20.04.yml
+else
+   $(error Unsupported build OS: $(OS))
+endif
+
 ci: prepare test
 
 mod:
@@ -41,16 +49,13 @@ build:
 ifndef GORELEASER
     $(error "goreleaser is not available please install and ensure it is on PATH")
 endif
-
-ifeq ($(OS),Darwin)
-	goreleaser build --snapshot --clean --config $(CURDIR)/.goreleaser.macos-latest.yml
-else ifeq ($(OS),Linux)
-	goreleaser build --snapshot --clean --config $(CURDIR)/.goreleaser.ubuntu-latest.yml
-else
-	$(error Unsupported build OS: $(OS))
-endif
+	goreleaser build --snapshot --clean --config $(CONFIG_FILE)
 .PHONY: build
 
+release-local: $(BIN_DIR)/goreleaser
+	goreleaser release --snapshot --rm-dist --config $(CONFIG_FILE)
+.PHONY: release-local
+
 clean:
 	@rm -fr ./build
 .PHONY: clean
@@ -64,3 +69,15 @@ test:
 	@echo "--- test all the things"
 	@go test -cover ./...
 .PHONY: test
+
+# It can be difficult to set up and test everything locally.  Using this target you can build and run a docker container
+# that has all the tools you need to build and test saml2aws.  This is particularly useful on Mac as it allows the Linux
+# and Docker builds to be tested.
+# Note: By necessity, this target mounts the Docker socket into the container.  This is a security risk and should not
+# be used on a production system.
+# Note: Files written by the container will be owned by root.  This is a limitation of the Docker socket mount.
+# You may need to run `docker run --privileged --rm tonistiigi/binfmt --install all` to enable the buildx plugin.
+docker-build-environment:
+	docker build --platform=amd64 -t saml2aws/build -f Dockerfile.build .
+	docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -e BUILDX_CONFIG=$(PWD)/.buildtemp -e GOPATH=$(PWD)/.buildtemp -e GOTMPDIR=$(PWD)/.buildtemp -e GOCACHE=$(PWD)/.buildtemp/.cache -e GOENV=$(PWD)/.buildtemp/env -v $(PWD):$(PWD) -w $(PWD) saml2aws/build:latest
+.PHONY: docker-build-environment

README.md

@@ -114,12 +114,17 @@ saml2aws --version
 While brew is available for Linux you can also run the following without using a package manager.
 
 ```
+mkdir -p ~/.local/bin
 CURRENT_VERSION=$(curl -Ls https://api.github.com/repos/Versent/saml2aws/releases/latest | grep 'tag_name' | cut -d'v' -f2 | cut -d'"' -f1)
 wget -c "https://github.com/Versent/saml2aws/releases/download/v${CURRENT_VERSION}/saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz" -O - | tar -xzv -C ~/.local/bin
 chmod u+x ~/.local/bin/saml2aws
 hash -r
 saml2aws --version
 ```
+If U2F support is required then there are separate builds for this - use the following download URL instead:
+```
+wget -c "https://github.com/Versent/saml2aws/releases/download/v${CURRENT_VERSION}/saml2aws-u2f_${CURRENT_VERSION}_linux_amd64.tar.gz" -O - | tar -xzv -C ~/.local/bin
+```
 
 #### Using Make
 
@@ -244,6 +249,7 @@ Commands:
                                  The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)
         --cache-saml             Caches the SAML response (env: SAML2AWS_CACHE_SAML)
         --cache-file=CACHE-FILE  The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)
+        --download-browser-driver  Automatically download browsers for Browser IDP. (env: SAML2AWS_AUTO_BROWSER_DOWNLOAD)
         --disable-sessions         Do not use Okta sessions. Uses Okta sessions by default. (env: SAML2AWS_OKTA_DISABLE_SESSIONS)
         --disable-remember-device  Do not remember Okta MFA device. Remembers MFA device by default. (env: SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE)
 
@@ -540,6 +546,18 @@ region                  = us-east-1
 
 To use this you will need to export `AWS_DEFAULT_PROFILE=customer-test` environment variable to target `test`.
 
+### Playwright Browser Drivers for Browser IDP
+
+If you are using the Browser Identity Provider, on first invocation of `saml2aws login` you need to remember to install
+the browser drivers in order for playwright-go to work. Otherwise you will see the following error message:
+
+`Error authenticating to IDP.: could not start driver: fork/exec  ... no such file or directory`
+
+To install the drivers, you can:
+* Pass `--download-browser-driver` to `saml2aws login`
+* Set in your shell environment `SAML2AWS_AUTO_BROWSER_DOWNLOAD=true`
+* Set `download_browser_driver = true` in your saml2aws config file, i.e. `~/.saml2aws`
+
 ## Advanced Configuration (Multiple AWS account access but SAML authenticate against a single 'SSO' AWS account)
 
 Example: