switch AWS_SSO_SESSION_EXPIRATION to RFC3339

.github/dependabot.yml

@@ -9,7 +9,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    target-branch: "v2"
+    target-branch: "main"
 
   - package-ecosystem: "docker"
     directory: "/"

.github/workflows/codeql-analysis.yml

@@ -58,18 +58,6 @@ jobs:
       with:
         go-version: '${{ vars.GO_VERSION }}'
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
 
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
@@ -80,15 +68,30 @@ jobs:
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
     #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+    # Initializes the CodeQL tools for scanning.
+#    - name: Initialize CodeQL
+#      uses: github/codeql-action/init@v3
+#      with:
+#        languages: ${{ matrix.language }}
+#        # If you wish to specify custom queries, you can do so here or in a config file.
+#        # By default, queries listed here will override any specified in a config file.
+#        # Prefix the list here with "+" to use these queries and those in the config file.
+#
+#        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+#        # queries: security-extended,security-and-quality
 
-    - name: Build
+    - name: Generate Coverage Report
       run: |
-        make
+        make unittest
     #     echo "Run, Build Application using script"
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: codecov/codecov-action@v3
       with:
-        category: "/language:${{matrix.language}}"
+        token: ${{ secrets.CODECOV_TOKEN }}
+        verbose: false
+        files: ./coverage.out
+        fail_ci_if_error: true
+        env_vars: OS
+        flags: unittests

CHANGELOG.md

@@ -7,6 +7,7 @@
 ### New Features
 
  * Add credentials command #867
+ * Use RFC3339 for AWS_SSO_SESSION_EXPIRATION #837
 
 ### Bugs
 

cmd/aws-sso/process_cmd.go

@@ -86,7 +86,7 @@ func NewCredentialsProcessOutput(creds *storage.RoleCredentials) *CredentialProc
 		AccessKeyId:     x.AccessKeyId,
 		SecretAccessKey: x.SecretAccessKey,
 		SessionToken:    x.SessionToken,
-		Expiration:      x.ExpireISO8601(),
+		Expiration:      x.ExpireString(),
 	}
 	return &c
 }

docs/commands.md

@@ -409,7 +409,7 @@ The following environment variables are specific to `aws-sso`:
  * `AWS_SSO_ROLE_NAME` -- The name of the IAM role
  * `AWS_SSO_ROLE_ARN` -- The full ARN of the IAM role
  * `AWS_SSO_SESSION_EXPIRATION`  -- The date and time when the IAM role
-    credentials will expire
+    credentials will expire in RFC3339 format
  * `AWS_SSO_DEFAULT_REGION` -- Tracking variable for `AWS_DEFAULT_REGION`
  * `AWS_SSO_PROFILE` -- User customizable varible using the
     [ProfileFormat](config.md#profileformat) template

docs/config.md

@@ -569,7 +569,7 @@ advanced debugging.
 
  * `file` - Encrypted local files (OS agnostic and default on Linux)
  * `keychain` - macOS [Keychain](https://support.apple.com/guide/mac-help/use-keychains-to-store-passwords-mchlf375f392/mac) (default on macOS)
- * `kwallet` - [KDE Wallet](https://utils.kde.org/projects/kwalletmanager/)
+ * `kwallet` - [KDE Wallet](https://github.com/KDE/kwalletmanager)
  * `pass` - [pass](https://www.passwordstore.org) (uses GPG on backend)
  * `secret-service` - Freedesktop.org [Secret Service](https://specifications.freedesktop.org/secret-service/latest/re01.html)
  * `wincred` - Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) (default on Windows)

internal/ecs/http.go

@@ -24,7 +24,7 @@ func WriteCreds(w http.ResponseWriter, creds *storage.RoleCredentials) {
 
 	resp := map[string]string{
 		"AccessKeyId":     creds.AccessKeyId,
-		"Expiration":      creds.ExpireISO8601(),
+		"Expiration":      creds.ExpireString(),
 		"RoleArn":         creds.RoleArn(),
 		"SecretAccessKey": creds.SecretAccessKey,
 		"Token":           creds.SessionToken,

internal/ecs/http_test.go

@@ -48,7 +48,7 @@ func TestWriteCreds(t *testing.T) {
 	err := json.NewDecoder(r.Body).Decode(&outCreds)
 	assert.NoError(t, err)
 	assert.Equal(t, "AccessKeyId", outCreds["AccessKeyId"])
-	assert.Equal(t, creds.ExpireISO8601(), outCreds["Expiration"])
+	assert.Equal(t, creds.ExpireString(), outCreds["Expiration"])
 	assert.Equal(t, "arn:aws:iam::000001111111:role/Rolename", outCreds["RoleArn"])
 	assert.Equal(t, "SecretAccessKey", outCreds["SecretAccessKey"])
 	assert.Equal(t, "Token", outCreds["Token"])

internal/storage/storage.go

@@ -86,55 +86,50 @@
 	return time.UnixMilli(r.Expiration).Unix() // yes, millisec
 }
 
-// ExpireString returns the time the creds expire in the format of "2006-01-02 15:04:05.999999999 -0700 MST"
-func (r *RoleCredentials) ExpireString() string {
-	return time.UnixMilli(r.Expiration).String() // yes, millisec
-}
-
 // Expired returns if these role creds have expired or will expire in the next minute
 func (r *RoleCredentials) Expired() bool {
 	now := time.Now().Add(time.Minute).UnixMilli() // yes, millisec
 	return r.Expiration <= now
 }
 
 // Return expire time in ISO8601 / RFC3339 format
-func (r *RoleCredentials) ExpireISO8601() string {
+func (r *RoleCredentials) ExpireString() string {
 	return time.Unix(r.ExpireEpoch(), 0).Format(time.RFC3339)
 }
 
 // AccountIdStr returns our AccountId as a string
 func (r *RoleCredentials) AccountIdStr() string {
 	s, err := utils.AccountIdToString(r.AccountId)
 	if err != nil {
-		log.WithError(err).Fatalf("Unable to parse accountId from AWS role credentials")
+		log.WithError(err).Fatalf("unable to parse accountId from AWS role credentials")
 	}
 	return s
 }
 
 // Validate ensures we have the necessary fields
 func (r *RoleCredentials) Validate() error {
 	if r.RoleName == "" {
-		return fmt.Errorf("Missing roleName")
+		return fmt.Errorf("%s", "missing roleName")
 	}
 
 	if r.AccessKeyId == "" {
-		return fmt.Errorf("Missing accessKeyId")
+		return fmt.Errorf("%s", "missing accessKeyId")
 	}
 
 	if r.SecretAccessKey == "" {
-		return fmt.Errorf("Missing secretAccessKey")
+		return fmt.Errorf("%s", "missing secretAccessKey")
 	}
 
 	if r.AccountId == 0 {
-		return fmt.Errorf("Missing accountId")
+		return fmt.Errorf("%s", "missing accountId")
 	}
 
 	if r.SessionToken == "" {
-		return fmt.Errorf("Missing sessionToken")
+		return fmt.Errorf("%s", "missing sessionToken")
 	}
 
 	if r.Expiration == 0 {
-		return fmt.Errorf("Missing expiration")
+		return fmt.Errorf("%s", "missing expiration")
 	}
 	return nil
 }

internal/storage/storage_test.go

@@ -99,20 +99,10 @@ func TestExpireString(t *testing.T) {
 	x := RoleCredentials{
 		Expiration: 0,
 	}
-	assert.Equal(t, time.Unix(0, 0).String(), x.ExpireString())
-
-	x.Expiration = time.Now().UnixMilli()
-	assert.Equal(t, time.UnixMilli(x.Expiration).String(), x.ExpireString())
-}
-
-func TestExpireISO8601(t *testing.T) {
-	x := RoleCredentials{
-		Expiration: 0,
-	}
-	assert.Equal(t, time.Unix(0, 0).Format(time.RFC3339), x.ExpireISO8601())
+	assert.Equal(t, time.Unix(0, 0).Format(time.RFC3339), x.ExpireString())
 
 	x.Expiration = time.Now().Unix()
-	assert.Equal(t, time.UnixMilli(x.Expiration).Format(time.RFC3339), x.ExpireISO8601())
+	assert.Equal(t, time.UnixMilli(x.Expiration).Format(time.RFC3339), x.ExpireString())
 }
 
 func TestGetArn(t *testing.T) {