Remove analytics and allow region selection

Add Okta server selection, choose server by selecting Okta region.

Remove Okta password from storage. This may be paranoid but only store
the session token and other details in the keychain. When the session
expires the user will have to re-authenticate.

Update the README and Makefile for FiveAI releases.

Signed-off-by: Sean Jones <[email protected]>

Makefile

@@ -4,14 +4,14 @@ LDFLAGS := -ldflags='-X "main.Version=$(VERSION)"'
 release: gh-release govendor clean dist
 	github-release release \
 	--security-token $$GH_LOGIN \
-	--user segmentio \
+	--user fiveai \
 	--repo aws-okta \
 	--tag $(VERSION) \
 	--name $(VERSION)
 
 	github-release upload \
 	--security-token $$GH_LOGIN \
-	--user segmentio \
+	--user fiveai \
 	--repo aws-okta \
 	--tag $(VERSION) \
 	--name aws-okta-$(VERSION)-linux-amd64 \
@@ -20,7 +20,7 @@ release: gh-release govendor clean dist
 release-mac: gh-release govendor clean dist-mac
 	github-release upload \
 	--security-token $$GH_LOGIN \
-	--user segmentio \
+	--user fiveai \
 	--repo aws-okta \
 	--tag $(VERSION) \
 	--name aws-okta-$(VERSION)-darwin-amd64 \

README.md

@@ -7,7 +7,7 @@
 You can install with:
 
 ```bash
-$ go get github.com/segmentio/aws-okta
+$ go get github.com/fiveai/aws-okta
 ```
 
 ## Usage
@@ -109,10 +109,6 @@ $ export CIRCLE_TAG=`git describe --tags`
 $ make release-mac
 ```
 
-## Analytics
-
-`aws-okta` includes some usage analytics code which Segment uses internally for tracking usage of internal tools.  This analytics code is turned off by default, and can only be enabled via a linker flag at build time, which we do not set for public github releases.
-
 ## Internals
 
 ### Authentication process

cmd/add.go

@@ -2,13 +2,11 @@ package cmd
 
 import (
 	"encoding/json"
-	"fmt"
 
 	log "github.com/Sirupsen/logrus"
 
 	"github.com/99designs/keyring"
-	analytics "github.com/segmentio/analytics-go"
-	"github.com/segmentio/aws-okta/lib"
+	"github.com/fiveai/aws-okta/lib"
 	"github.com/spf13/cobra"
 )
 
@@ -23,49 +21,21 @@ func init() {
 	RootCmd.AddCommand(addCmd)
 }
 
-func add(cmd *cobra.Command, args []string) error {
-	var allowedBackends []keyring.BackendType
-	if backend != "" {
-		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
-	}
-	kr, err := lib.OpenKeyring(allowedBackends)
-
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	if analyticsEnabled && analyticsClient != nil {
-		analyticsClient.Enqueue(analytics.Track{
-			UserId: username,
-			Event:  "Ran Command",
-			Properties: analytics.NewProperties().
-				Set("backend", backend).
-				Set("aws-okta-version", version).
-				Set("command", "add"),
-		})
-	}
-
+func AddCredentials(kr keyring.Keyring) error {
 	// Ask username password from prompt
-	organization, err := lib.Prompt("Okta organization", false)
-	if err != nil {
-		return err
-	}
-
-	username, err := lib.Prompt("Okta username", false)
+	server, err := lib.Prompt("Okta Region (emea/us)", false)
 	if err != nil {
 		return err
 	}
 
-	password, err := lib.Prompt("Okta password", true)
+	organization, err := lib.Prompt("Okta organization", false)
 	if err != nil {
 		return err
 	}
-	fmt.Println()
 
 	creds := lib.OktaCreds{
+		Server:       server,
 		Organization: organization,
-		Username:     username,
-		Password:     password,
 	}
 
 	encoded, err := json.Marshal(creds)
@@ -83,6 +53,23 @@ func add(cmd *cobra.Command, args []string) error {
 	if err := kr.Set(item); err != nil {
 		return ErrFailedToSetCredentials
 	}
+	return nil
+}
+
+func add(cmd *cobra.Command, args []string) error {
+	var allowedBackends []keyring.BackendType
+	if backend != "" {
+		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
+	}
+	kr, err := lib.OpenKeyring(allowedBackends)
+
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := AddCredentials(kr); err != nil {
+		return err
+	}
 
 	log.Infof("Added credentials for user %s", username)
 	return nil

cmd/exec.go

@@ -10,8 +10,7 @@ import (
 	"time"
 
 	"github.com/99designs/keyring"
-	analytics "github.com/segmentio/analytics-go"
-	"github.com/segmentio/aws-okta/lib"
+	"github.com/fiveai/aws-okta/lib"
 	"github.com/spf13/cobra"
 )
 
@@ -116,18 +115,6 @@ func execRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if analyticsEnabled && analyticsClient != nil {
-		analyticsClient.Enqueue(analytics.Track{
-			UserId: username,
-			Event:  "Ran Command",
-			Properties: analytics.NewProperties().
-				Set("backend", backend).
-				Set("aws-okta-version", version).
-				Set("profile", profile).
-				Set("command", "exec"),
-		})
-	}
-
 	p, err := lib.NewProvider(kr, profile, opts)
 	if err != nil {
 		return err

cmd/login.go

@@ -10,8 +10,7 @@ import (
 	"time"
 
 	"github.com/99designs/keyring"
-	analytics "github.com/segmentio/analytics-go"
-	"github.com/segmentio/aws-okta/lib"
+	"github.com/fiveai/aws-okta/lib"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 )
@@ -83,18 +82,6 @@ func loginRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if analyticsEnabled && analyticsClient != nil {
-		analyticsClient.Enqueue(analytics.Track{
-			UserId: username,
-			Event:  "Ran Command",
-			Properties: analytics.NewProperties().
-				Set("backend", backend).
-				Set("aws-okta-version", version).
-				Set("profile", profile).
-				Set("command", "login"),
-		})
-	}
-
 	p, err := lib.NewProvider(kr, profile, opts)
 	if err != nil {
 		return err

cmd/root.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/99designs/keyring"
 	log "github.com/Sirupsen/logrus"
-	analytics "github.com/segmentio/analytics-go"
 	"github.com/spf13/cobra"
 )
 
@@ -21,31 +20,25 @@ var (
 
 // global flags
 var (
-	backend           string
-	debug             bool
-	version           string
-	analyticsWriteKey string
-	analyticsEnabled  bool
-	analyticsClient   analytics.Client
-	username          string
+	backend  string
+	debug    bool
+	version  string
+	username string
 )
 
 // RootCmd represents the base command when called without any subcommands
 var RootCmd = &cobra.Command{
-	Use:               "aws-okta",
-	Short:             "aws-okta allows you to authenticate with AWS using your okta credentials",
-	SilenceUsage:      true,
-	SilenceErrors:     true,
-	PersistentPreRun:  prerun,
-	PersistentPostRun: postrun,
+	Use:              "aws-okta",
+	Short:            "aws-okta allows you to authenticate with AWS using your okta credentials",
+	SilenceUsage:     true,
+	SilenceErrors:    true,
+	PersistentPreRun: prerun,
 }
 
 // Execute adds all child commands to the root command sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
-func Execute(vers string, writeKey string) {
+func Execute(vers string) {
 	version = vers
-	analyticsWriteKey = writeKey
-	analyticsEnabled = analyticsWriteKey != ""
 	if err := RootCmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err)
 		switch err {
@@ -68,26 +61,6 @@ func prerun(cmd *cobra.Command, args []string) {
 	if debug {
 		log.SetLevel(log.DebugLevel)
 	}
-
-	if analyticsEnabled {
-		// set up analytics client
-		analyticsClient, _ = analytics.NewWithConfig(analyticsWriteKey, analytics.Config{
-			BatchSize: 1,
-		})
-
-		username = os.Getenv("USER")
-		analyticsClient.Enqueue(analytics.Identify{
-			UserId: username,
-			Traits: analytics.NewTraits().
-				Set("aws-okta-version", version),
-		})
-	}
-}
-
-func postrun(cmd *cobra.Command, args []string) {
-	if analyticsEnabled && analyticsClient != nil {
-		analyticsClient.Close()
-	}
 }
 
 func init() {

lib/okta.go

@@ -20,12 +20,13 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/segmentio/aws-okta/lib/saml"
+	"gitlab.corp.five.ai/infra/aws-okta/lib/saml"
 )
 
-const (
-	OktaServer = "okta.com"
-)
+var OktaServer = map[string]string{
+	"emea": "okta-emea.com",
+	"us":   "okta.com",
+}
 
 type OktaClient struct {
 	Organization    string
@@ -40,6 +41,7 @@ type OktaClient struct {
 	OktaAwsSAMLUrl  string
 	CookieJar       http.CookieJar
 	BaseURL         *url.URL
+	OktaRegion      string
 }
 
 type SAMLAssertion struct {
@@ -48,14 +50,14 @@ type SAMLAssertion struct {
 }
 
 type OktaCreds struct {
+	Server       string
 	Organization string
 	Username     string
-	Password     string
 }
 
 func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string) (*OktaClient, error) {
 	base, err := url.Parse(fmt.Sprintf(
-		"https://%s.%s", creds.Organization, OktaServer,
+		"https://%s.%s", creds.Organization, OktaServer[creds.Server],
 	))
 	if err != nil {
 		return nil, err
@@ -75,13 +77,26 @@ func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string)
 		})
 	}
 
+	fmt.Println()
+	username, err := Prompt("Okta username", false)
+	if err != nil {
+		return nil, err
+	}
+
+	password, err := Prompt("Okta password", true)
+	if err != nil {
+		return nil, err
+	}
+	fmt.Println()
+
 	return &OktaClient{
 		Organization:   creds.Organization,
-		Username:       creds.Username,
-		Password:       creds.Password,
+		Username:       username,
+		Password:       password,
 		OktaAwsSAMLUrl: oktaAwsSAMLUrl,
 		CookieJar:      jar,
 		BaseURL:        base,
+		OktaRegion:     creds.Server,
 	}, nil
 }
 
@@ -107,6 +122,7 @@ func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Durati
 		log.Debug("Step: 1")
 		err = o.Get("POST", "api/v1/authn", payload, &oktaUserAuthn, "json")
 		if err != nil {
+			fmt.Println(err)
 			return sts.Credentials{}, "", errors.New("Failed to authenticate with okta.  Please check that your credentials have been set correctly with `aws-okta add`")
 		}
 
@@ -355,7 +371,7 @@ func (o *OktaClient) Get(method string, path string, data []byte, recv interface
 	var client http.Client
 
 	url, err := url.Parse(fmt.Sprintf(
-		"https://%s.%s/%s", o.Organization, OktaServer, path,
+		"https://%s.%s/%s", o.Organization, OktaServer[o.OktaRegion], path,
 	))
 	if err != nil {
 		return err

lib/utils.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/segmentio/aws-okta/lib/saml"
+	"gitlab.corp.five.ai/infra/aws-okta/lib/saml"
 	"golang.org/x/net/html"
 )
 

main.go

@@ -1,16 +1,15 @@
 package main
 
 import (
-	"github.com/segmentio/aws-okta/cmd"
+	"github.com/fiveai/aws-okta/cmd"
 )
 
 // These are set via linker flags
 var (
-	Version           = "dev"
-	AnalyticsWriteKey = ""
+	Version = "dev"
 )
 
 func main() {
 	// vars set by linker flags must be strings...
-	cmd.Execute(Version, AnalyticsWriteKey)
+	cmd.Execute(Version)
 }