Merge pull request #68 from trussworks/cg_no_mfa

Chris Gilmer · web-flow · commit 946a9d314ff1 · 2020-06-30T14:46:34.000-07:00
Allow users to assume MFA device is already configured
diff --git a/README.md b/README.md
@@ -78,6 +78,16 @@ region=us-west-2
 output=json
 ```
 
+### MFA Management
+
+This tool will help create and enable a virtual MFA device. The interface for the MFA device is a QR code
+which will be shown to the user during setup. This QR code can be used with a password manager to provide the
+One Time Passwords (OTP) values asked for in the script.
+
+In the case where the user has a virtual MFA device already set up they can choose not to provision a new one.
+This is done by issuing the `--no-mfa` flag on the command line in conjunction with the regular command from
+above.
+
 ## Development setup
 
 1. First, install these packages: `brew install pre-commit direnv go`
diff --git a/cmd/cli.go b/cmd/cli.go
@@ -27,7 +27,10 @@ const (
 	IAMRoleFlag string = "iam-role"
 
 	// OutputFlag is the Output Flag
-	OutputFlag = "output"
+	OutputFlag string = "output"
+
+	// NoMFAFlag indicates that no MFA device should be configured as one exists
+	NoMFAFlag string = "no-mfa"
 
 	// VerboseFlag is the Verbose Flag
 	VerboseFlag string = "verbose"
diff --git a/cmd/setup.go b/cmd/setup.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -47,8 +48,11 @@ func setupUserInitFlags(flag *pflag.FlagSet) {
 	flag.String(IAMRoleFlag, "", "The IAM role name assigned to the user being setup")
 	flag.String(OutputFlag, "json", "The AWS CLI output format")
 
+	// No MFA Setup
+	flag.Bool(NoMFAFlag, false, "When present do not provision an MFA device, assume one exists")
+
 	// Verbose
-	flag.BoolP(VerboseFlag, "v", false, "log messages at the debug level.")
+	flag.BoolP(VerboseFlag, "v", false, "log messages at the debug level")
 
 	flag.SortFlags = false
 }
@@ -93,6 +97,7 @@ type User struct {
 	SecretAccessKey string
 	QrTempFile      *os.File
 	Keyring         *keyring.Keyring
+	NoMFA           bool
 }
 
 // Setup orchestrates the tasks to create the user's MFA and rotate access
@@ -108,14 +113,21 @@ func (u *User) Setup(logger *log.Logger) {
 		logger.Fatal(err)
 	}
 
-	err = u.CreateVirtualMFADevice(logger)
-	if err != nil {
-		logger.Fatal(err)
-	}
+	if u.NoMFA {
+		err = u.GetMFADevice(logger)
+		if err != nil {
+			logger.Fatal(err)
+		}
+	} else {
+		err = u.CreateVirtualMFADevice(logger)
+		if err != nil {
+			logger.Fatal(err)
+		}
 
-	err = u.EnableVirtualMFADevice(logger)
-	if err != nil {
-		logger.Fatal(err)
+		err = u.EnableVirtualMFADevice(logger)
+		if err != nil {
+			logger.Fatal(err)
+		}
 	}
 
 	err = u.UpdateAWSConfigFile(logger)
@@ -200,6 +212,40 @@ func (u *User) newMFASession(logger *log.Logger) (*session.Session, error) {
 	return mfaSession, nil
 }
 
+// GetMFADevice gets the user's existing virtual MFA device and updates the
+// MFA serial in the profile field.
+func (u *User) GetMFADevice(logger *log.Logger) error {
+	logger.Println("Getting the existing MFA device...")
+
+	sess, err := u.newSession()
+	if err != nil {
+		return fmt.Errorf("unable to get new session: %w", err)
+	}
+	svc := iam.New(sess)
+
+	mfaDeviceInput := &iam.ListMFADevicesInput{
+		UserName: aws.String(u.Name),
+	}
+
+	mfaDeviceOutput, err := svc.ListMFADevices(mfaDeviceInput)
+	if err != nil {
+		return fmt.Errorf("unable to get MFA: %w", err)
+	}
+
+	if len(mfaDeviceOutput.MFADevices) == 0 {
+		return errors.New("no MFA devices registered")
+	}
+	if len(mfaDeviceOutput.MFADevices) > 1 {
+		return errors.New("more than one MFA device registered, no way to choose")
+	}
+	mfaDevice := mfaDeviceOutput.MFADevices[0]
+
+	u.BaseProfile.MFASerial = *mfaDevice.SerialNumber
+	u.RoleProfile.MFASerial = *mfaDevice.SerialNumber
+
+	return nil
+}
+
 // CreateVirtualMFADevice creates the user's virtual MFA device and updates the
 // MFA serial in the profile field.
 func (u *User) CreateVirtualMFADevice(logger *log.Logger) error {
@@ -572,6 +618,7 @@ func setupUserFunction(cmd *cobra.Command, args []string) error {
 	iamUser := v.GetString(IAMUserFlag)
 	iamRole := v.GetString(IAMRoleFlag)
 	output := v.GetString(OutputFlag)
+	noMFA := v.GetBool(NoMFAFlag)
 
 	// Validator used to validate input options for MFA
 	validate = validator.New()
@@ -628,6 +675,7 @@ func setupUserFunction(cmd *cobra.Command, args []string) error {
 		Config:      config,
 		QrTempFile:  tempfile,
 		Keyring:     keyring,
+		NoMFA:       noMFA,
 	}
 	err = checkExistingAWSProfile(baseProfile.Name, config, logger)
 	if err != nil {
