From 471968fd07e21571e89a24f45079d6b4290a5cf5 Mon Sep 17 00:00:00 2001
From: Tavis Rudd
Date: Thu, 16 Mar 2023 17:26:21 -0700
Subject: [PATCH 1/2] Add explicit removal notice + instructions for --prompt=pass It's a bit verbose / copy-pasta as I couldn't figure out a good way to pre-validate EnumVars before their own option validation kicks in.
---
 cli/global.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/cli/global.go b/cli/global.go
index 21eb311c9..d39ceb2a5 100644
--- a/cli/global.go
+++ b/cli/global.go
@@ -5,6 +5,7 @@ import (
 "io"
 "log"
 "os"
+ "strings"
 
 "github.com/99designs/aws-vault/v7/prompt"
 "github.com/99designs/aws-vault/v7/vault"
@@ -115,7 +116,26 @@ func ConfigureGlobals(app *kingpin.Application) *AwsVault {
 
 app.Flag("prompt", fmt.Sprintf("Prompt driver to use %v", promptsAvailable)).
 Envar("AWS_VAULT_PROMPT").
- EnumVar(&a.promptDriver, promptsAvailable...)
+ StringVar(&a.promptDriver)
+ app.PreAction(func(c *kingpin.ParseContext) error {
+ value := a.promptDriver
+ if value == "" {
+ return nil
+ }
+ if value == "pass" {
+ kingpin.Fatalf(
+ "--prompt=pass / AWS_VAULT_PROMPT=pass has been removed in v7.0.0 for security reasons." +
+ "\nSee https://github.com/99designs/aws-vault/pull/1006#issuecomment-1233508808 for details." +
+ "\nIf you wish to continue using it, " +
+ "add `mfa_process = pass otp ` to profiles in your ~/.aws/config file.")
+ }
+ for _, v := range promptsAvailable {
+ if v == value {
+ return nil
+ }
+ }
+ return fmt.Errorf("--prompt value must be one of %s, got '%s'", strings.Join(promptsAvailable, ","), a.promptDriver)
+ })
 
 app.Flag("keychain", "Name of macOS keychain to use, if it doesn't exist it will be created").
 Default("aws-vault").
From 9a3590b5935994b658f6f956b56b2e65313de5d3 Mon Sep 17 00:00:00 2001
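Review bot: Inside the new `app.PreAction` callback the `pass` branch calls the package-level `kingpin.Fatalf`, which, as far as kingpin's global helpers go, reports and exits through the default application rather than the `app` being configured, so the removal notice cannot be exercised from a test of ConfigureGlobals; the same call is kept in the `app.Validate` version in patch 2/2. Returning the notice as an error (`return errors.New("--prompt=pass ... has been removed ...")`) or calling `app.Fatalf` keeps it on the configured application. The fallback `fmt.Errorf` at the end of the callback names only `--prompt` although the value may come from `AWS_VAULT_PROMPT`, and `'%s'` would read better as `%q` so unexpected input is shown quoted and escaped. ConfigureGlobals starts and ends outside the hunk.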
From: Michael Tibben
Date: Sat, 18 Mar 2023 10:57:20 +1100
Subject: [PATCH 2/2] Update help message
---
 cli/global.go | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/cli/global.go b/cli/global.go
index d39ceb2a5..10561f82d 100644
--- a/cli/global.go
+++ b/cli/global.go
@@ -117,20 +117,18 @@ func ConfigureGlobals(app *kingpin.Application) *AwsVault {
 app.Flag("prompt", fmt.Sprintf("Prompt driver to use %v", promptsAvailable)).
 Envar("AWS_VAULT_PROMPT").
 StringVar(&a.promptDriver)
- app.PreAction(func(c *kingpin.ParseContext) error {
- value := a.promptDriver
- if value == "" {
+
+ app.Validate(func(app *kingpin.Application) error {
+ if a.promptDriver == "" {
 return nil
 }
- if value == "pass" {
- kingpin.Fatalf(
- "--prompt=pass / AWS_VAULT_PROMPT=pass has been removed in v7.0.0 for security reasons." +
- "\nSee https://github.com/99designs/aws-vault/pull/1006#issuecomment-1233508808 for details." +
- "\nIf you wish to continue using it, " +
- "add `mfa_process = pass otp ` to profiles in your ~/.aws/config file.")
+ if a.promptDriver == "pass" {
+ kingpin.Fatalf("--prompt=pass (or AWS_VAULT_PROMPT=pass) has been removed from aws-vault as using TOTPs without " +
+ "a dedicated device goes against security best practices. If you wish to continue using pass, " +
+ "add `mfa_process = pass otp ` to profiles in your ~/.aws/config file.")
 }
 for _, v := range promptsAvailable {
- if v == a.promptDriver {
+ if v == a.promptDriver {
 return nil
 }
 }
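Review bot: The callback passed to `app.Validate` names its parameter `app`, which shadows the outer `app` it is registered on and is never used in the visible body; `app.Validate(func(_ *kingpin.Application) error {` removes the ambiguity. Nothing in the hunk records why the flag is a `StringVar` checked by hand rather than an enum, so a later cleanup could switch back and silently lose the removal notice. A comment above the validator such as `// validated manually so that "pass" gets the removal notice instead of a generic enum error` would preserve that intent. ConfigureGlobals starts and ends outside the hunk.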