Merge pull request #98 from tilfin/feature/target_role_name

Implement target_role_name for base account

README.md

@@ -61,6 +61,8 @@ More complex configurations involve multiple AWS accounts and/or organizations.
 
 - As above, **target roles** can be expressed with a `role_arn` or with both `aws_account_id` and `role_name` and can optionally pass the optional parameters.
 
+- If `target_role_name` is set in **base account**, the value is provided as the default role name for each **target roles**.
+
 ```
 [organization1]
 aws_account_id = your-account-alias
@@ -89,6 +91,22 @@ source_profile = baseaccount2
 [AnotherRole]
 role_name = SomeOtherRole
 aws_account_id = account-3-alias
+
+;
+; target_role_name example
+;
+[Org2-BaseAccount]
+aws_account_id = 222200000000
+target_role_name = Developer
+
+[Org2-Account1-Developer]
+aws_account_id = 222200001111
+source_profile = Org2-BaseAccount
+
+[Org2-Account2-Manager]
+aws_account_id = 222200002222
+role_name = Manager ; overrides target role name
+source_profile = Org2-BaseAccount
 ```
 
 If you sign-in a base account, target roles of the other base accounts are excluded.

options.html

@@ -148,6 +148,7 @@ <h3>Complex Configuration</h3>
    <li><b>If your account is aliased, the alias will be shown in the role dropdown after 'Account:'.  You MUST use that alias as the aws_account_id for the base account instead of the numerical account id or your configuration won't work as expected.</b></li>
    <li>A <b>target role</b> is associated with a <b>base account</b> by the <b>target role</b> specifying a <code>source_profile</code>.</li>
    <li>As above, <b>target roles</b> can be expressed with a <code>role_arn</code> or with both <code>aws_account_id</code> and <code>role_name</code> and can pass the optional parameters.</li>
+   <li>If <code>target_role_name</code> is set in <b>base account</b>, the value is provided as the default role name for each <b>target roles</b>.</li>
   </ul>
   <pre>
 [organization1]
@@ -177,6 +178,22 @@ <h3>Complex Configuration</h3>
 [AnotherRole]
 role_name = SomeOtherRole
 aws_account_id = account-3-alias
+
+;
+; target_role_name example
+;
+[Org2-BaseAccount]
+aws_account_id = 222200000000
+target_role_name = Developer
+
+[Org2-Account1-Developer]
+aws_account_id = 222200001111
+source_profile = Org2-BaseAccount
+
+[Org2-Account2-Manager]
+aws_account_id = 222200002222
+role_name = Manager ; overrides target role name
+source_profile = Org2-BaseAccount
   </pre>
   <p>If you sign-in a base account, target roles of the other base accounts are excluded.</p>
   <p>The 'Show only matching roles' setting is for use with more sophisticated account structures where you're using AWS Organizations with multiple accounts along with AWS Federated Logins via something like Active Directory or Google GSuite.  Common practice is to have a role in the master account that is allowed to assume a role of the same name in other member accounts.  Checking this box means that if you're logged in to the 'Developer' role in the master account, only member accounts with a role_arn ending in 'role/Developer' will be shown.  You won't see roles that your current role can't actually assume.</p>

src/lib/profile_set.js

@@ -15,16 +15,16 @@ class ProfileSet {
         } else {
           destsBySrcMap[item.source_profile] = [item];
         }
-      } else if (item.aws_account_id && item.role_name) {
+      } else if (item.aws_account_id && item.role_name && !item.target_role_name) {
         independentDests.push(item);
       }
     });
 
     let complexDests = [];
-    let baseProfileName = this._getBaseProfileName();
-    if (baseProfileName) {
-      complexDests = this._decideComplexDestProfiles(baseProfileName, destsBySrcMap, { showOnlyMatchingRoles })
-      delete destsBySrcMap[baseProfileName];
+    let baseProfile = this._getBaseProfile();
+    if (baseProfile) {
+      complexDests = this._decideComplexDestProfiles(baseProfile, destsBySrcMap, { showOnlyMatchingRoles })
+      delete destsBySrcMap[baseProfile.profile];
     }
 
     // To display roles on the list
@@ -34,14 +34,19 @@ class ProfileSet {
     this.excludedNames = this._decideExcludedNames(destsBySrcMap)
   }
 
-  _getBaseProfileName() {
+  _getBaseProfile() {
     let baseAccountId = getAccountId('awsc-login-display-name-account');
-    const baseProfile = this.profileByIdMap[baseAccountId];
-    return baseProfile ? baseProfile.profile : null;
+    return this.profileByIdMap[baseAccountId];
   }
 
-  _decideComplexDestProfiles(baseProfileName, destsBySrcMap, { showOnlyMatchingRoles }) {
-    let profiles = destsBySrcMap[baseProfileName] || [];
+  _decideComplexDestProfiles(baseProfile, destsBySrcMap, { showOnlyMatchingRoles }) {
+    let profiles = (destsBySrcMap[baseProfile.profile] || []).map(profile => {
+      if (!profile.role_name) {
+        profile.role_name = baseProfile.target_role_name
+      }
+      return profile
+    })
+
     if (showOnlyMatchingRoles && document.body.className.includes('user-type-federated')) {
       let baseRole = getAssumedRole();
       profiles = profiles.filter(el => el.role_name === baseRole)

test/content.test.js

@@ -3,27 +3,51 @@ describe('Profile', () => {
     fixture.cleanup()
   });
 
-  it('load base aws account is number', () => {
-    fixture.load('aws-account.html');
+  context('aws account is number', () => {
+    beforeEach(() => {
+      fixture.load('aws-account.html');
+    })
 
-    let profileSet = new ProfileSet([
+    it('load base aws account is number', () => {
+        let profileSet = new ProfileSet([
+          { profile: 'target1', aws_account_id: '111122223334',
+            role_name: 'role1', source_profile: 'base1' },
+          { profile: 'target2', aws_account_id: '111122223335',
+            role_name: 'role2', source_profile: 'base1' },
+          { profile: 'base1', aws_account_id: '111100003333' },
+          { profile: 'base2', aws_account_id: '222200001111' },
+          { profile: 'targetex', aws_account_id: '333300001112',
+            role_name: 'roleex' },
+          { profile: 'target4', aws_account_id: '222200001112',
+            role_name: 'role3', source_profile: 'base2' }
+        ]);
+
+      expect(profileSet.destProfiles[0].profile).to.eq('targetex');
+      expect(profileSet.destProfiles[1].profile).to.eq('target1');
+      expect(profileSet.destProfiles[2].profile).to.eq('target2');
+      expect(profileSet.excludedNames[0]).to.eq('target4');
+    })
+
+    it('loads the configuration that contains base account with target_role_name', () => {
+      let profileSet = new ProfileSet([
         { profile: 'target1', aws_account_id: '111122223334',
-          role_name: 'role1', source_profile: 'base1' },
+          role_name: 'Role1', source_profile: 'base1' },
         { profile: 'target2', aws_account_id: '111122223335',
-          role_name: 'role2', source_profile: 'base1' },
-        { profile: 'base1', aws_account_id: '111100003333' },
+          source_profile: 'base1' },
+        { profile: 'base1', aws_account_id: '111100003333', target_role_name: 'DefaultRole' },
         { profile: 'base2', aws_account_id: '222200001111' },
         { profile: 'targetex', aws_account_id: '333300001112',
           role_name: 'roleex' },
         { profile: 'target4', aws_account_id: '222200001112',
           role_name: 'role3', source_profile: 'base2' }
       ]);
-
-    expect(profileSet.destProfiles[0].profile).to.eq('targetex');
-    expect(profileSet.destProfiles[1].profile).to.eq('target1');
-    expect(profileSet.destProfiles[2].profile).to.eq('target2');
-    expect(profileSet.excludedNames[0]).to.eq('target4');
-  });
+
+      expect(profileSet.destProfiles[0].profile).to.eq('targetex');
+      expect(profileSet.destProfiles[1]).to.deep.include({ profile: 'target1', role_name: 'Role1' });
+      expect(profileSet.destProfiles[2]).to.deep.include({ profile: 'target2', role_name: 'DefaultRole' });
+      expect(profileSet.excludedNames[0]).to.eq('target4');
+    })
+  })
 
   it('load base aws account is alias', () => {
     fixture.load('aws-account-alias.html');