package cmd
import (
"context"
"errors"
"fmt"
"os"
"os/exec"
"strings"
"syscall"
"github.com/spf13/cobra"
"github.com/spf13/viper"
errUtils "github.com/cloudposse/atmos/errors"
cfg "github.com/cloudposse/atmos/pkg/config"
envpkg "github.com/cloudposse/atmos/pkg/env"
log "github.com/cloudposse/atmos/pkg/logger"
"github.com/cloudposse/atmos/pkg/schema"
"github.com/cloudposse/atmos/pkg/ui"
)
// authExecCmd executes a command with authentication environment variables.
//
// Flag parsing is disabled on purpose: the arguments are split by hand in
// extractIdentityFlag so that "--" reliably separates Atmos flags from the
// wrapped command's own arguments. The --identity flag is not declared here;
// it is inherited from the parent authCmd, on which this command is registered in init.
var authExecCmd = &cobra.Command{
	Use:   "exec",
	Short: "Execute a command with authentication environment variables.",
	Long:  "Execute a command with the authenticated identity's environment variables set. Use `--` to separate Atmos flags from the command's native arguments.",
	Example: ` # Run terraform with the authenticated identity
 atmos auth exec -- terraform plan -var-file=env.tfvars`,
	// At least one argument is required; the actual "no command given" check happens in
	// executeAuthExecCommandCore after the Atmos flags have been stripped.
	Args:               cobra.MinimumNArgs(1),
	DisableFlagParsing: true,
	FParseErrWhitelist: struct{ UnknownFlags bool }{UnknownFlags: false},
	RunE:               executeAuthExecCommand,
}
// executeAuthExecCommand is the cobra entry point for "atmos auth exec".
//
// It serves help requests, validates the Atmos configuration and then hands the raw
// arguments (flags still unparsed, see DisableFlagParsing on authExecCmd) to
// executeAuthExecCommandCore, whose error is returned unchanged.
func executeAuthExecCommand(cmd *cobra.Command, args []string) error {
	handleHelpRequest(cmd, args)

	// auth exec only needs the auth section of the configuration, not stack manifests,
	// so stack validation is skipped.
	checkAtmosConfig(WithStackValidation(false))

	err := executeAuthExecCommandCore(cmd, args)
	return err
}
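// executeAuthExecCommandCore contains the core business logic for auth exec, separated for testability.
//
// Steps: split args into Atmos flags and the command to run, load atmos.yaml, build the auth
// manager, resolve which identity to use (see resolveAuthExecIdentity), make sure credentials
// for it are available (cached, or freshly authenticated), build the subprocess environment and
// run the command. The error of whichever step failed is returned; a non-zero exit of the
// subprocess is propagated by executeCommandWithEnv as errUtils.ExitCodeError.
func executeAuthExecCommandCore(cmd *cobra.Command, args []string) error {
	// Extract Atmos flags without using pflag parser to avoid issues with "--" end-of-flags marker.
	// When DisableFlagParsing is true, manually parsing can incorrectly treat "--" as a flag value.
	identityValue, commandArgs := extractIdentityFlag(args)

	// Validate command args before attempting authentication.
	if len(commandArgs) == 0 {
		return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrNoCommandSpecified, errUtils.ErrInvalidSubcommand)
	}

	// Load atmos configuration (processStacks=false since auth commands don't require stack manifests).
	atmosConfig, err := cfg.InitCliConfig(schema.ConfigAndStacksInfo{}, false)
	if err != nil {
		return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrFailedToInitializeAtmosConfig, err)
	}

	authManager, err := createAuthManager(&atmosConfig.Auth, atmosConfig.CliConfigPath)
	if err != nil {
		return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrFailedToInitializeAuthManager, err)
	}

	// identityValue is "" when --identity was not on the command line, IdentityFlagSelectValue
	// when it was given without a value, and the literal value otherwise. Only the first case
	// falls back to viper (config/env), so an explicit flag always wins over configuration.
	if identityValue == "" {
		identityValue = viper.GetString(IdentityFlagName)
	}
	identityName, err := resolveAuthExecIdentity(identityValue, authManager.GetDefaultIdentity)
	if err != nil {
		return err
	}

	// Try to use cached credentials first (passive check, no prompts).
	// Only authenticate if cached credentials are not available or expired.
	ctx := context.Background()
	if _, err = authManager.GetCachedCredentials(ctx, identityName); err != nil {
		log.Debug("No valid cached credentials found, authenticating", "identity", identityName, "error", err)
		if _, err = authManager.Authenticate(ctx, identityName); err != nil {
			// User cancellation is returned as-is so callers can recognise it without unwrapping.
			if errors.Is(err, errUtils.ErrUserAborted) {
				return errUtils.ErrUserAborted
			}
			return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrAuthenticationFailed, err)
		}
	}

	// Prepare shell environment with file-based credentials.
	// Start with current OS environment + global env from atmos.yaml and let PrepareShellEnvironment
	// configure auth. PrepareShellEnvironment sanitizes the env (removes IRSA/credential vars) and
	// adds auth vars.
	baseEnv := envpkg.MergeGlobalEnv(os.Environ(), atmosConfig.Env)
	envList, err := authManager.PrepareShellEnvironment(ctx, identityName, baseEnv)
	if err != nil {
		return fmt.Errorf("failed to prepare command environment: %w", err)
	}

	// envList is the complete subprocess environment (sanitized os.Environ() + auth vars);
	// nothing from the parent process is merged back in by executeCommandWithEnv.
	if err = executeCommandWithEnv(commandArgs, envList); err != nil {
		// For any subprocess error, provide a tip about refreshing credentials.
		// This helps users when AWS tokens are expired or invalid.
		printAuthExecTip(identityName)
		return err
	}
	return nil
}

// resolveAuthExecIdentity turns the identity requested by the user into a concrete identity name.
//
// requested is "" when no identity was given anywhere (flag, config or env) and
// IdentityFlagSelectValue when the user asked to choose one interactively; in both cases
// getDefault is consulted, with forceSelect set only for the interactive case. Any other value
// is returned unchanged. A getDefault failure is wrapped in errUtils.ErrNoDefaultIdentity.
func resolveAuthExecIdentity(requested string, getDefault func(forceSelect bool) (string, error)) (string, error) {
	forceSelect := requested == IdentityFlagSelectValue
	if requested != "" && !forceSelect {
		return requested, nil
	}

	defaultIdentity, err := getDefault(forceSelect)
	if err != nil {
		return "", fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrNoDefaultIdentity, err)
	}
	return defaultIdentity, nil
}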
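// executeCommandWithEnv executes a command with a complete environment.
//
// args[0] is resolved through PATH with exec.LookPath; the remaining args are passed to it
// verbatim. env is used as-is as the subprocess environment (it is NOT merged with
// os.Environ()), so callers must hand over a fully prepared list, e.g. from
// PrepareShellEnvironment. Stdin, stdout and stderr are inherited from this process.
// A non-zero exit of the child is reported as errUtils.ExitCodeError carrying its status so
// the root command can exit with the same code; any other failure to run the command is
// wrapped in errUtils.ErrSubcommandFailed. An empty args slice is rejected with
// errUtils.ErrNoCommandSpecified.
func executeCommandWithEnv(args []string, env []string) error {
	if len(args) == 0 {
		return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrNoCommandSpecified, errUtils.ErrInvalidSubcommand)
	}

	// Resolve the binary up front so a missing command is reported as ErrCommandNotFound
	// rather than as a failed run.
	cmdPath, err := exec.LookPath(args[0])
	if err != nil {
		return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrCommandNotFound, err)
	}

	execCmd := exec.Command(cmdPath, args[1:]...)
	execCmd.Env = env
	execCmd.Stdin = os.Stdin
	execCmd.Stdout = os.Stdout
	execCmd.Stderr = os.Stderr

	err = execCmd.Run()
	if err == nil {
		return nil
	}

	// errors.As (instead of a bare type assertion) still finds the ExitError should it ever
	// arrive wrapped; Run currently returns it directly.
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {
			// Typed error so the root can os.Exit(status.ExitStatus()).
			return errUtils.ExitCodeError{Code: status.ExitStatus()}
		}
	}
	return fmt.Errorf(errUtils.ErrWrapFormat, errUtils.ErrSubcommandFailed, err)
}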
// extractIdentityFlag splits args into the value of the --identity (or -i) Atmos flag and the
// command to execute.
//
// Everything after the first "--" belongs to the command untouched. Before it, any argument
// that is not the identity flag (or the value consumed by it) is also treated as part of the
// command. A flag given without a value ("--identity", "--identity=", or followed by "--" or
// another "-"-prefixed argument) yields IdentityFlagSelectValue, meaning the user wants to pick
// an identity interactively. When the flag is absent, identityValue is "".
//
// Examples:
//   - "--identity value -- cmd" -> identityValue="value", commandArgs=["cmd"].
//   - "--identity -- cmd"       -> identityValue=IdentityFlagSelectValue, commandArgs=["cmd"].
//   - "--identity"              -> identityValue=IdentityFlagSelectValue, commandArgs=[].
//   - "-- cmd"                  -> identityValue="", commandArgs=["cmd"].
//   - "cmd"                     -> identityValue="", commandArgs=["cmd"].
func extractIdentityFlag(args []string) (identityValue string, commandArgs []string) {
	const flagWithValue = "--identity="
	flagSeen := false

scan:
	for idx := 0; idx < len(args); idx++ {
		current := args[idx]
		switch {
		case current == "--":
			// End of Atmos flags: the remainder is the command, verbatim.
			commandArgs = append(commandArgs, args[idx+1:]...)
			break scan
		case strings.HasPrefix(current, flagWithValue):
			flagSeen = true
			// An empty value is normalised to the select marker after the loop.
			identityValue = strings.TrimPrefix(current, flagWithValue)
		case current == "--identity" || current == "-i":
			flagSeen = true
			next := idx + 1
			if next < len(args) && !strings.HasPrefix(args[next], "-") {
				// The following argument is the value; consume it so it is not
				// mistaken for part of the command.
				identityValue = args[next]
				idx = next
			} else {
				// No value (end of args, another flag, or "--"): interactive selection.
				identityValue = IdentityFlagSelectValue
			}
		default:
			commandArgs = append(commandArgs, current)
		}
	}

	// A flag that never received a non-empty value means "select interactively".
	if flagSeen && identityValue == "" {
		identityValue = IdentityFlagSelectValue
	}
	return identityValue, commandArgs
}
// printAuthExecTip tells the user how to refresh credentials after the executed command failed.
// The hint names the identity that was used so the login command can be pasted as-is.
func printAuthExecTip(identityName string) {
	const loginHint = " atmos auth login --identity %s\n"

	ui.Writeln("")
	ui.Info("Tip: If credentials are expired, refresh with:")
	ui.Writef(loginHint, identityName)
}
// init registers "exec" under the parent auth command.
func init() {
	// NOTE: --identity flag is inherited from parent authCmd (PersistentFlags in cmd/auth.go:27).
	// DO NOT redefine it here - that would create a duplicate local flag that shadows the parent.
	// Identity flag completion is already added by parent authCmd (cmd/auth.go:45).
	// Because authExecCmd sets DisableFlagParsing, the inherited flag is read by hand in
	// extractIdentityFlag rather than by cobra.
	authCmd.AddCommand(authExecCmd)
}