Add --passwd to support piping password via stdin

Viasat · May 7, 2018 · 37df754 · 37df754
1 parent da6795f
commit 37df754
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/alohomora/req.py b/alohomora/req.py
@@ -79,10 +79,11 @@ def login_two_factor(self, response):
 
 class DuoRequestsProvider(WebProvider):
  """A requests-based provider of authentication data"""
- def __init__(self, idp_url, auth_method=None):
+ def __init__(self, idp_url, auth_method=None, allow_interactive=True):
  self.session = None
  self.idp_url = idp_url
  self.auth_method = auth_method
+ self.allow_interactive = allow_interactive
 
  def login_one_factor(self, username, password):
  self.session = requests.Session()
@@ -287,6 +288,8 @@ def _get_duo_device(self, soup):
  devices = [dev for dev in devices if dev.value in supported_devices]
  LOG.debug("Acceptable devices: %s" % devices)
  if len(devices) > 1:
+ if not self.allow_interactive:
+ alohomora.die("Refusing to prompt for duo device")
  device = alohomora._prompt_for_a_thing(
  'Please select the device you want to authenticate with:',
  devices,
@@ -311,6 +314,8 @@ def _get_auth_factor(self, soup, device):
  factors = [factor for factor in factors if self.auth_method in factor.lower()]
 
  if len(factors) > 1:
+ if not self.allow_interactive:
+ alohomora.die("Refusing to prompt for authentication method")
  factor_name = alohomora._prompt_for_a_thing(
  'Please select an authentication method',
  factors)

diff --git a/bin/alohomora b/bin/alohomora
@@ -87,6 +87,10 @@ class Main(object):
  parser.add_argument("--idp-name",
  help="Name of your SAML IdP, as registered with AWS",
  default='sso')
+ parser.add_argument("--passwd",
+ help="Where to find the password",
+ choices=['stdin', 'getpass'],
+ default='getpass')
  self.options = parser.parse_args()
 
  #
@@ -119,7 +123,10 @@ class Main(object):
  if(not username):
  alohomora.die("Oops, don't forget to provide a username")
 
- password = getpass.getpass()
+ if('stdin' == self._get_config('passwd', 'getpass')):
+ password = sys.stdin.readline().rstrip('\n')
+ else:
+ password = getpass.getpass()
 
  idp_url = self._get_config('idp-url', None)
  if(not idp_url):
@@ -130,7 +137,9 @@ class Main(object):
  #
  # Authenticate the user
  #
- provider = alohomora.req.DuoRequestsProvider(idp_url, auth_method)
+ allow_interactive=('stdin' != self._get_config('passwd', 'getpass'))
+ provider = alohomora.req.DuoRequestsProvider(
+ idp_url, auth_method, allow_interactive=allow_interactive)
  (okay, response) = provider.login_one_factor(username, password)
  assertion = None
 
@@ -164,6 +173,9 @@ class Main(object):
  role_arn = "arn:aws:iam::%s:role/%s" % (account_id, role_name)
  principal_arn = "arn:aws:iam::%s:saml-provider/%s" % (account_id, idp_name)
  else:
+ if('stdin' == self._get_config('passwd', 'getpass')):
+ alohomora.die("Refusing to prompt for role when using --passwd stdin")
+
  selectedrole = alohomora._prompt_for_a_thing(
  "Please choose the role you would like to assume:",
  awsroles,