commit wip updates

0x416e746f6e · 0x416e746f6e · commit 87dec440cc2d · 2024-06-20T19:14:51.000+03:00
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,11 @@
 # AWS
 
 cli/cache
+
+# Logs
+
+*.log
+
+# Temporary files
+
+.temp
diff --git a/get-1fa-credentials.sh b/get-1fa-credentials.sh
@@ -2,6 +2,23 @@
 
 set -e -o pipefail
 
+# Log the attempt
+TS=$( date +'%Y-%m-%dT%H:%M:%S%z' )
+PID=$$
+ARG=$( ps -ww -o args= -p $PID )
+PARG=$( ps -ww -o args= -p $PPID )
+PPPID=$( ps -o ppid= -p $PPID )
+PPARG=$( ps -ww -o args= -p $PPPID )
+PPPPID=$( ps -o ppid= -p $PPPID )
+PPPARG=$( ps -ww -o args= -p $PPPPID )
+printf '{ "ts": "%s", "grandgrandparent": { "pid": %s, "command": "%s" }, "grandparent": { "pid": %s, "command": "%s" }, "parent": { "pid": %s, "command": "%s" }, "self": { "pid": %s, "command": "%s" } }\n' \
+    "${TS}" \
+    "${PPPPID}" "${PPPARG}" \
+    "${PPPID}" "${PPARG}" \
+    "${PPID}" "${PARG}" \
+    "${PID}" "${ARG}" \
+  >> ${HOME}/.aws/get-1fa-credentials.log
+
 pwd=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 . $pwd/lib.sh
diff --git a/get-2fa-credentials.sh b/get-2fa-credentials.sh
@@ -3,14 +3,40 @@
 set -e -o pipefail
 
 pwd=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
 . $pwd/lib.sh
 
 AWS_SESSION_TOKEN=$( get_2fa_token )
 EXPIRATION=$( printf "${AWS_SESSION_TOKEN}" | jq -r ".Expiration" )
 NOW=$( date -u +"%Y-%m-%dT%H:%M:%S%z" )
 
+if [[ -n "${DEBUG}" ]]; then
+  echo "AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN}" >> ${HOME}/.aws/debug.log
+  echo "EXPIRATION: ${EXPIRATION}" >> ${HOME}/.aws/debug.log
+  echo "NOW: ${NOW}" >> ${HOME}/.aws/debug.log
+fi
+
+# Log the attempt
+PID=$$
+ARG=$( ps -ww -o args= -p $PID )
+PARG=$( ps -ww -o args= -p $PPID | tr '"' '\"' )
+PPPID=$( ps -o ppid= -p $PPID )
+PPARG=$( ps -ww -o args= -p $PPPID | tr '"' '\"' )
+PPPPID=$( ps -o ppid= -p $PPPID )
+PPPARG=$( ps -ww -o args= -p $PPPPID | tr '"' '\"' )
+printf '{ "ts": "%s", "expiration": "%s", "grandgrandparent": { "pid": %s, "command": "%s" }, "grandparent": { "pid": %s, "command": "%s" }, "parent": { "pid": %s, "command": "%s" }, "self": { "pid": %s, "command": "%s" } }\n' \
+    "${NOW}" \
+    "${EXPIRATION}" \
+    "${PPPPID}" "${PPPARG}" \
+    "${PPPID}" "${PPARG}" \
+    "${PPID}" "${PARG}" \
+    "${PID}" "${ARG}" \
+  >> ${HOME}/.aws/get-2fa-credentials.log
+
 if [ "$NOW" \> "$EXPIRATION" ]; then
+  if [[ -n "${DEBUG}" ]]; then
+    echo "Logging in..." >> ${HOME}/.aws/debug.log
+  fi
+
   $pwd/login.sh
   AWS_SESSION_TOKEN=$( get_2fa_token )
 fi
diff --git a/lib.sh b/lib.sh
@@ -20,17 +20,37 @@ function get_2fa_token() {
 function save_2fa_token() {
   local AWS_SESSION_TOKEN=$1
 
-  security delete-generic-password \
-      -l "${AWS_MFA_DEVICE}" \
-      -a "${AWS_MFA_DEVICE}" \
-      -s "${AWS_MFA_DEVICE}" \
-    > /dev/null 2>&1 || true
+  if [[ -n "${DEBUG}" ]]; then
+    echo "New AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN}" >> ${HOME}/.aws/debug.log
+  fi
 
-  security add-generic-password \
-    -l "${AWS_MFA_DEVICE}" \
-    -a "${AWS_MFA_DEVICE}" \
-    -s "${AWS_MFA_DEVICE}" \
-    -w "${AWS_SESSION_TOKEN}"
+  if [[ -z "${DEBUG}" ]]; then
+    security delete-generic-password \
+        -l "${AWS_MFA_DEVICE}" \
+        -a "${AWS_MFA_DEVICE}" \
+        -s "${AWS_MFA_DEVICE}" \
+      > /dev/null 2>&1 || true
+
+    security add-generic-password \
+        -l "${AWS_MFA_DEVICE}" \
+        -a "${AWS_MFA_DEVICE}" \
+        -s "${AWS_MFA_DEVICE}" \
+        -w "${AWS_SESSION_TOKEN}" \
+      > /dev/null 2>&1 || true
+  else
+    security delete-generic-password \
+        -l "${AWS_MFA_DEVICE}" \
+        -a "${AWS_MFA_DEVICE}" \
+        -s "${AWS_MFA_DEVICE}" \
+      >> ${HOME}/.aws/debug.log 2>&1 || true
+
+    security add-generic-password \
+        -l "${AWS_MFA_DEVICE}" \
+        -a "${AWS_MFA_DEVICE}" \
+        -s "${AWS_MFA_DEVICE}" \
+        -w "${AWS_SESSION_TOKEN}" \
+      >> ${HOME}/.aws/debug.log
+    fi
 }
 
 function request_2fa_token() {
diff --git a/login.sh b/login.sh
@@ -2,8 +2,37 @@
 
 set -e -o pipefail
 
+# Log the login attempt
+TS=$( date +'%Y-%m-%dT%H:%M:%S%z' )
+PID=$$
+ARG=$( ps -ww -o args= -p $PID )
+PARG=$( ps -ww -o args= -p $PPID )
+PPPID=$( ps -o ppid= -p $PPID )
+PPARG=$( ps -ww -o args= -p $PPPID )
+PPPPID=$( ps -o ppid= -p $PPPID )
+PPPARG=$( ps -ww -o args= -p $PPPPID )
+printf '{ "ts": "%s", "grandgrandparent": { "pid": %s, "command": "%s" }, "grandparent": { "pid": %s, "command": "%s" }, "parent": { "pid": %s, "command": "%s" }, "self": { "pid": %s, "command": "%s" } }\n' \
+    "${TS}" \
+    "${PPPPID}" "${PPPARG}" \
+    "${PPPID}" "${PPARG}" \
+    "${PPID}" "${PARG}" \
+    "${PID}" "${ARG}" \
+  >> ${HOME}/.aws/login.log
+
+if [[ -f ${HOME}/.aws/login.lock ]]; then
+  if [[ -t 0 ]]; then
+    >&2 echo "Warning: another login attempt might be ongoing in parallel!"
+  else
+    exit 1
+  fi
+fi
+
+touch ${HOME}/.aws/login.lock
+
 pwd=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 . $pwd/lib.sh
 
 save_2fa_token $( request_2fa_token )
+
+rm -f ${HOME}/.aws/login.lock
