googleapps: Introduce an option to set challenge preference while login

README.md

@@ -256,20 +256,22 @@ Commands:
   login [<flags>]
     Login to a SAML 2.0 IDP and convert the SAML assertion to an STS token.
 
-    -p, --profile=PROFILE        The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)
+    -p, --profile=PROFILE          The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)
         --duo-mfa-option=DUO-MFA-OPTION
-                                 The MFA option you want to use to authenticate with (supported providers: okta). (env: SAML2AWS_DUO_MFA_OPTION)
-        --client-id=CLIENT-ID    OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)
+                                   The MFA option you want to use to authenticate with (supported providers: okta). (env: SAML2AWS_DUO_MFA_OPTION)
+        --client-id=CLIENT-ID      OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)
         --client-secret=CLIENT-SECRET
-                                 OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)
+                                   OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)
         --mfa-ip-address=MFA-IP-ADDRESS
-                                 IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)
-        --force                  Refresh credentials even if not expired.
-        --credential-process     Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message.
+                                   IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)
+        --force                    Refresh credentials even if not expired.
+        --google-challenge=GOOGLE-CHALLENGE ...
+                                   Specific to GoogleApps, a prioritized list of challenge types used during login. This flag can be specified multiple times to set the order of challenges (e.g., --google-challenge=totp --google-challenge=dp).
+        --credential-process       Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message.
         --credentials-file=CREDENTIALS-FILE
-                                 The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)
-        --cache-saml             Caches the SAML response (env: SAML2AWS_CACHE_SAML)
-        --cache-file=CACHE-FILE  The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)
+                                   The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)
+        --cache-saml               Caches the SAML response (env: SAML2AWS_CACHE_SAML)
+        --cache-file=CACHE-FILE    The location of the SAML cache file (env: SAML2AWS_SAML_CACHE_FILE)
         --download-browser-driver  Automatically download browsers for Browser IDP. (env: SAML2AWS_AUTO_BROWSER_DOWNLOAD)
         --disable-sessions         Do not use Okta sessions. Uses Okta sessions by default. (env: SAML2AWS_OKTA_DISABLE_SESSIONS)
         --disable-remember-device  Do not remember Okta MFA device. Remembers MFA device by default. (env: SAML2AWS_OKTA_DISABLE_REMEMBER_DEVICE)

cmd/saml2aws/commands/login.go

@@ -245,6 +245,11 @@ func resolveLoginDetails(account *cfg.IDPAccount, loginFlags *flags.LoginExecFla
 		loginDetails.ClientSecret = loginFlags.CommonFlags.ClientSecret
 	}
 
+	// if you supply google_challenge in a flag it takes precedence
+	if len(loginFlags.GoogleChallenges) > 0 {
+		loginDetails.GoogleChallenges = loginFlags.GoogleChallenges
+	}
+
 	// if you supply an mfa_ip_address in a flag or an IDP account it takes precedence
 	if account.MFAIPAddress != "" {
 		loginDetails.MFAIPAddress = account.MFAIPAddress
@@ -258,6 +263,10 @@ func resolveLoginDetails(account *cfg.IDPAccount, loginFlags *flags.LoginExecFla
 		loginDetails.DownloadBrowser = account.DownloadBrowser
 	}
 
+	if loginFlags.CommonFlags.MFAToken != "" {
+		loginDetails.MFAToken = loginFlags.CommonFlags.MFAToken
+	}
+
 	// log.Printf("loginDetails %+v", loginDetails)
 
 	// if skip prompt was passed just pass back the flag values

cmd/saml2aws/main.go

@@ -118,6 +118,7 @@ func main() {
 	cmdLogin.Flag("client-secret", "OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)").Envar("ONELOGIN_CLIENT_SECRET").StringVar(&commonFlags.ClientSecret)
 	cmdLogin.Flag("mfa-ip-address", "IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)").Envar("ONELOGIN_MFA_IP_ADDRESS").StringVar(&commonFlags.MFAIPAddress)
 	cmdLogin.Flag("force", "Refresh credentials even if not expired.").BoolVar(&loginFlags.Force)
+	cmdLogin.Flag("google-challenge", "Specific to GoogleApps, a prioritized list of challenge types used during login. This flag can be specified multiple times to set the order of challenges (e.g., --google-challenge=totp --google-challenge=dp).").HintOptions("totp", "ipp", "dp").EnumsVar(&loginFlags.GoogleChallenges, "totp", "ipp", "dp")
 	cmdLogin.Flag("credential-process", "Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message.").BoolVar(&loginFlags.CredentialProcess)
 	cmdLogin.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile)
 	cmdLogin.Flag("cache-saml", "Caches the SAML response (env: SAML2AWS_CACHE_SAML)").Envar("SAML2AWS_CACHE_SAML").BoolVar(&commonFlags.SAMLCache)

pkg/creds/creds.go

@@ -11,6 +11,7 @@ type LoginDetails struct {
 	MFAToken          string
 	DuoMFAOption      string
 	URL               string
-	StateToken        string // used by Okta
-	OktaSessionCookie string // used by Okta
+	StateToken        string   // used by Okta
+	OktaSessionCookie string   // used by Okta
+	GoogleChallenges  []string // used by GoogleApps
 }

pkg/flags/flags.go

@@ -49,6 +49,7 @@ type LoginExecFlags struct {
 	DuoMFAOption      string
 	ExecProfile       string
 	CredentialProcess bool
+	GoogleChallenges  []string
 }
 
 type ConsoleFlags struct {