added flag to disable cache lookup and saving (#695)

* added flag to disable cache lookup and saving

* added flag in credential process

* apply suggestion

pkg/assume/assume.go

@@ -287,6 +287,7 @@ func AssumeCommand(c *cli.Context) error {
 		Duration:     time.Hour,
 		MFATokenCode: assumeFlags.String("mfa-token"),
 		Args:         assumeFlags.StringSlice("pass-through"),
+		DisableCache: assumeFlags.Bool("no-cache"),
 	}
 
 	// attempt to get session duration from profile

pkg/assume/entrypoint.go

@@ -54,6 +54,7 @@ func GlobalFlags() []cli.Flag {
 		&cli.StringFlag{Name: "reason", Usage: "Provide a reason for requesting access to the role"},
 		&cli.BoolFlag{Name: "confirm", Aliases: []string{"y"}, Usage: "Skip confirmation prompts for access requests"},
 		&cli.BoolFlag{Name: "wait", Usage: "When using Granted with Common Fate the assume will halt while waiting for the access request to be approved."},
+		&cli.BoolFlag{Name: "no-cache", Usage: "Disables caching of session credentials and forces a refresh", EnvVars: []string{"GRANTED_NO_CACHE"}},
 	}
 }
 

pkg/cfaws/assumer_aws_sso.go

@@ -154,13 +154,17 @@ func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Cred
 	ssoTokenKey := rootProfile.SSOStartURL() + c.AWSConfig.SSOSessionName
 	// if the profile has an sso user configured then suffix the sso token storage key to ensure unique logins
 	secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()
-	cachedToken := secureSSOTokenStorage.GetValidSSOToken(ctx, ssoTokenKey)
-	// check if profile has a valid plaintext sso access token
-	plainTextToken := GetValidSSOTokenFromPlaintextCache(rootProfile.SSOStartURL())
 
-	// store token to storage to avoid multiple logins
-	if plainTextToken != nil {
-		secureSSOTokenStorage.StoreSSOToken(ssoTokenKey, *plainTextToken)
+	var cachedToken *securestorage.SSOToken
+	var plainTextToken *securestorage.SSOToken
+	if !configOpts.DisableCache {
+		cachedToken = secureSSOTokenStorage.GetValidSSOToken(ctx, ssoTokenKey)
+		// check if profile has a valid plaintext sso access token
+		plainTextToken = GetValidSSOTokenFromPlaintextCache(rootProfile.SSOStartURL())
+		// store token to storage to avoid multiple logins
+		if plainTextToken != nil {
+			secureSSOTokenStorage.StoreSSOToken(ssoTokenKey, *plainTextToken)
+		}
 	}
 
 	var accessToken *string
@@ -197,7 +201,10 @@ func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Cred
 			return aws.Credentials{}, err
 		}
 
-		secureSSOTokenStorage.StoreSSOToken(ssoTokenKey, *newSSOToken)
+		if !configOpts.DisableCache {
+			secureSSOTokenStorage.StoreSSOToken(ssoTokenKey, *newSSOToken)
+		}
+
 		cachedToken = newSSOToken
 	}
 

pkg/cfaws/profiles.go

@@ -26,6 +26,7 @@ type ConfigOpts struct {
 	Args                       []string
 	ShouldRetryAssuming        *bool
 	MFATokenCode               string
+	DisableCache               bool
 }
 
 type Profile struct {

pkg/granted/credential_process.go

@@ -43,6 +43,7 @@ var CredentialProcess = cli.Command{
 		&cli.StringFlag{Name: "url"},
 		&cli.DurationFlag{Name: "window", Value: 15 * time.Minute},
 		&cli.BoolFlag{Name: "auto-login", Usage: "automatically open the configured browser to log in if needed"},
+		&cli.BoolFlag{Name: "no-cache", Usage: "Disables caching of session credentials and forces a refresh", EnvVars: []string{"GRANTED_NO_CACHE"}},
 	},
 	Action: func(c *cli.Context) error {
 		cfg, err := config.Load()
@@ -55,7 +56,8 @@ var CredentialProcess = cli.Command{
 		secureSessionCredentialStorage := securestorage.NewSecureSessionCredentialStorage()
 		clio.Debugw("running credential process with config", "profile", profileName, "url", c.String("url"), "window", c.Duration("window"), "disableCredentialProcessCache", cfg.DisableCredentialProcessCache)
 
-		useCache := !cfg.DisableCredentialProcessCache
+		cliNoCache := c.Bool("no-cache")
+		useCache := !(cfg.DisableCredentialProcessCache || cliNoCache)
 
 		if useCache {
 			// try and look up session credentials from the secure storage cache.