0.4.0, implement pynentry and retries

meeuw · Aug 5, 2020 · 2fd1239 · 2fd1239
1 parent f264ac6
commit 2fd1239
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 18 deletions.
diff --git a/aws_credential_process.py b/aws_credential_process.py
@@ -13,11 +13,14 @@
 import configparser
 import os
 import logging
+import shutil
+import time
 
 import click
 import keyring
 import boto3
 import ykman.cli.__main__
+import pynentry
 
 # Restore logger, set by ykman.cli.__main__ import
 logging.disable(logging.NOTSET)
@@ -235,6 +238,7 @@ def get_credentials(section):
 @click.option("--assume-role-arn")
 @click.option("--force-renew", is_flag=True, default=False)
 @click.option("--credentials-section", default="default")
+@click.option("--pin-entry", default="pinentry")
 @click.option("--log-file")
 def main(
     access_key_id,
@@ -246,6 +250,7 @@ def main(
     assume_role_arn=None,
     force_renew=False,
     credentials_section="default",
+    pin_entry="pinentry",
     log_file=None,
 ):
     """
@@ -279,20 +284,28 @@ def main(
     access_key = AWSCred(access_key_id, secret_access_key)
 
     def token_code():
-        token_code = None
-        if mfa_oath_slot:
-            stdout, _ = ykman_main("oath", "code", "-s", mfa_oath_slot)
-
-            if len(stdout) == 1:
-                (token_code,) = stdout
-
-        if not token_code:
-            token_code = str(
-                click.prompt(
-                    "Cannot get token code from Yubi key, please enter manually",
-                    type=int,
-                )
-            )
+        for _ in range(5):
+            token_code = None
+            if mfa_oath_slot:
+                stdout, _ = ykman_main("oath", "code", "-s", mfa_oath_slot)
+
+                if len(stdout) == 1:
+                    (token_code,) = stdout
+
+            if not token_code and shutil.which(pin_entry):
+                with pynentry.PynEntry(executable=pin_entry) as p:
+                    p.description = (
+                        f"Couldn't get a OATH code for {mfa_oath_slot}, please enter manually.\n"
+                        "Confirm as empty or cancel to retry using yubikey."
+                    )
+                    p.prompt = "aws-credential-process"
+                    try:
+                        token_code = p.get_pin()
+                    except pynentry.PinEntryCancelled:
+                        token_code = None
+            else:
+                time.sleep(1)
+
         return token_code
 
     mfa_session_request = (

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "aws-credential-process"
-version = "0.3.0"
+version = "0.4.0"
 description = "AWS Credential Process"
 authors = ["Dick Marinus <[email protected]>"]
 readme = "README.md"
@@ -13,6 +13,7 @@ boto3 = "^1.10"
 keyring = "^19.2"
 yubikey-manager = "3.1.1"
 click = "^7.0"
+pynentry = "^0.1.3"
 
 [tool.poetry.dev-dependencies]
 pytest = "^4.6"