From b7545e7abe463a12d3e347450056e72ad4e42ed7 Mon Sep 17 00:00:00 2001
From: dazelle
Date: Thu, 23 May 2019 18:17:14 +0900
Subject: [PATCH 1/7] Use fingerprint of identity file during validation instead of identity file

---
 blessclient/client.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/blessclient/client.py b/blessclient/client.py
index e8b2439..b30ad6d 100755
--- a/blessclient/client.py
+++ b/blessclient/client.py
@@ -348,12 +348,14 @@ def save_cached_creds(token_data, bless_config):
     with open(cache_file_path, 'w') as cache:
         json.dump(_token_data, cache)
-
 def ssh_agent_remove_bless(identity_file):
     DEVNULL = open(os.devnull, 'w')
+    identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file
+
     try:
         current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8')
-        match = re.search(re.escape(identity_file), current)
+        match = re.search(re.escape(identity_fp), current)
+        #match = re.search(re.escape(identity_file), current)
         if match:
             subprocess.check_call(
                 ['ssh-add', '-d', identity_file], stderr=DEVNULL)
@@ -364,9 +366,11 @@ def ssh_agent_remove_bless(identity_file):
 def ssh_agent_add_bless(identity_file):
     DEVNULL = open(os.devnull, 'w')
+    identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file
     subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL)
     current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8')
-    if not re.search(re.escape(identity_file), current):
+    #if not re.search(re.escape(identity_file), current):
+    if not re.search(re.escape(identity_fp), current):
         logging.debug("Could not add '{}' to ssh-agent".format(identity_file))
         sys.stderr.write(
             "Couldn't add identity to ssh-agent")

From d0535c984fe76fee128591c7230f333f350f2180 Mon Sep 17 00:00:00 2001
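Review bot: The new check in ssh_agent_remove_bless compares the whole `ssh-keygen -lf` output line (key size, fingerprint, comment, key type and its trailing newline) against `ssh-add -l`, so it only matches when the comment the agent reports for the loaded key is byte-identical to the one ssh-keygen prints, and the escaped newline forces an exact full-line hit; matching on the fingerprint field alone is more robust: `identity_fp = subprocess.check_output(['ssh-keygen', '-lf', identity_file]).decode('UTF-8').split()[1]`. The added check_output also runs above the `try:`, whereas the old code never touched the identity file on disk, so a missing or unreadable key path now escapes as an uncaught CalledProcessError; moving the line inside the try keeps the earlier tolerance. Both points apply equally to the `@@ -364` hunk for ssh_agent_add_bless, where a whole-line mismatch makes a key that was in fact added get reported as "Couldn't add identity". The try/except of ssh_agent_remove_bless closes outside the hunk.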
From: dazelle
Date: Fri, 24 May 2019 18:46:07 +0900
Subject: [PATCH 2/7] Catch error when privatekey has password

---
 blessclient/client.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/blessclient/client.py b/blessclient/client.py
index b30ad6d..c5c0af0 100755
--- a/blessclient/client.py
+++ b/blessclient/client.py
@@ -367,7 +367,10 @@ def ssh_agent_remove_bless(identity_file):
 def ssh_agent_add_bless(identity_file):
     DEVNULL = open(os.devnull, 'w')
     identity_fp = subprocess.check_output(['ssh-keygen','-lf',identity_file]).decode('UTF-8') #Get SHA256 fingerprint of the identity file
-    subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL)
+    try:
+        subprocess.check_call(['ssh-add', identity_file], stderr=DEVNULL)
+    except Exception:
+        logging.debug("Private Key has password")
     current = subprocess.check_output(['ssh-add', '-l']).decode('UTF-8')
     #if not re.search(re.escape(identity_file), current):
     if not re.search(re.escape(identity_fp), current):

From fbfef28b0d847baf210483662d5d9188c7ea0cfb Mon Sep 17 00:00:00 2001
From: dazzrpm
Date: Fri, 14 Jun 2019 19:00:07 +0900
Subject: [PATCH 3/7] Always assume that client kms is on another aws account

---
 blessclient/bless_config.py | 1 +
 blessclient/client.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/blessclient/bless_config.py b/blessclient/bless_config.py
index 05ea153..9665795 100644
--- a/blessclient/bless_config.py
+++ b/blessclient/bless_config.py
@@ -42,6 +42,7 @@ def parse_config_file(self, config_file):
                 'user_session_length': int(config.get('CLIENT', 'user_session_length')),
                 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')),
                 'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
+                'enc_assume_role': config.get('CLIENT', 'mfa_assume_role')
             },
             'BLESS_CONFIG': {
                 'ca_backend': config.get('MAIN', 'ca_backend'),
diff --git a/blessclient/client.py b/blessclient/client.py
index c5c0af0..12f8c08 100755
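Review bot: `except Exception:` around ssh-add in ssh_agent_add_bless swallows every failure (agent not running, key file missing, ssh-add absent) and logs each one as "Private Key has password", while ssh-add's own stderr is already sent to DEVNULL, so the user is left with no usable reason; the function then runs `ssh-add -l` and reports "Couldn't add identity" regardless. Catch the specific error and record what actually happened: `except subprocess.CalledProcessError as err:` / `logging.debug("ssh-add exited %s for '%s'", err.returncode, identity_file)`. Whether a passphrase-protected key makes ssh-add fail rather than prompt depends on the terminal and askpass setup, so the message is presumably an assumption and worth rewording. ssh_agent_add_bless continues past the hunk.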
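Review bot: `config.get('CLIENT', 'mfa_assume_role')` with no fallback makes the new option mandatory for every existing configuration file: configparser raises when the option is absent, so clients that never use the cross-account path stop parsing their config at this line. If the option is meant to be optional, `'enc_assume_role': config.get('CLIENT', 'enc_assume_role', fallback=None)` (Python 3 configparser) keeps old files working; if it is mandatory, it needs to be documented alongside the other CLIENT options. Patches 4 and 7 of this series rename and then delete this key, so the three hunks net to nothing and are better squashed out so the intermediate states never land. parse_config_file extends beyond the hunk.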
--- a/blessclient/client.py
+++ b/blessclient/client.py
@@ -735,8 +735,15 @@ def bless(region, nocache, showgui, hostname, bless_config):
     if creds:
         save_cached_creds(creds, bless_config)
+
+    enc_creds = aws.sts_client().assume_role(
+        RoleArn=bless_config.get_client_config()['enc_assume_role'],
+        RoleSessionName='enc_assume'
+    )['Credentials']
+
     kmsauth_token = get_kmsauth_token(
-        creds,
+        #creds,
+        enc_creds,
         kmsauth_config,
         username,
         cache=bless_cache

From 71b59a1e1dd013ddf45c28f469ee5320ec010e6d Mon Sep 17 00:00:00 2001
From: dazzrpm
Date: Fri, 14 Jun 2019 19:05:06 +0900
Subject: [PATCH 4/7] Fix naming error

---
 blessclient/bless_config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blessclient/bless_config.py b/blessclient/bless_config.py
index 9665795..1c7fffe 100644
--- a/blessclient/bless_config.py
+++ b/blessclient/bless_config.py
@@ -42,7 +42,7 @@ def parse_config_file(self, config_file):
                 'user_session_length': int(config.get('CLIENT', 'user_session_length')),
                 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')),
                 'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
-                'enc_assume_role': config.get('CLIENT', 'mfa_assume_role')
+                'enc_assume_role': config.get('CLIENT', 'enc_assume_role')
             },
             'BLESS_CONFIG': {
                 'ca_backend': config.get('MAIN', 'ca_backend'),

From f0bd763e7fab2f1c0fd4eefcebc4accc7b961332 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daz=20Ma=C3=B1oso?=
Date: Tue, 16 Jul 2019 17:51:41 +0900
Subject: [PATCH 5/7] Fix cross account kms:encryption

---
 blessclient/client.py | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/blessclient/client.py b/blessclient/client.py
index 12f8c08..f64db8f 100755
--- a/blessclient/client.py
+++ b/blessclient/client.py
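Review bot: The `aws.sts_client().assume_role(...)` call that builds enc_creds has no error handling, so an access-denied response or a malformed `enc_assume_role` value escapes bless() as a raw ClientError traceback, while the MFA block just above this hunk catches ClientError and writes a short message; wrapping this call the same way keeps the failure mode consistent for the user. The change also feeds get_kmsauth_token assumed-role credentials instead of the user's own, which alters the principal the kmsauth token is encrypted as — presumably intended for the cross-account key, but the `#creds,` line left in the call says nothing about why, so a comment such as `# kmsauth must be encrypted under the cross-account role, not the user creds` belongs here. Patch 5 of this series reworks this block again, so the point applies to whichever form lands. bless continues outside the hunk.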
@@ -161,7 +161,7 @@ def get_blessrole_credentials(iam_client, creds, blessconfig, bless_cache):
     role_creds = mfa_sts_client.assume_role(
         RoleArn=role_arn,
         RoleSessionName='mfaassume',
-        DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length'],
+        DurationSeconds=blessconfig.get_client_config()['usebless_role_session_length']
     )['Credentials']
     logging.debug("Role Credentials: {}".format(role_creds))
@@ -729,28 +729,25 @@ def bless(region, nocache, showgui, hostname, bless_config):
                 SerialNumber=mfa_arn,
                 TokenCode=mfa_pin
             )['Credentials']
+
         except (ClientError, ParamValidationError):
+            print(ClientError.response)
             sys.stderr.write("Incorrect MFA, no certificate issued\n")
             sys.exit(1)
     if creds:
         save_cached_creds(creds, bless_config)
-    enc_creds = aws.sts_client().assume_role(
-        RoleArn=bless_config.get_client_config()['enc_assume_role'],
-        RoleSessionName='enc_assume'
-    )['Credentials']
-
+    role_creds = get_blessrole_credentials(
+        aws.iam_client(), creds, bless_config, bless_cache)
+
     kmsauth_token = get_kmsauth_token(
-        #creds,
-        enc_creds,
+        role_creds,
         kmsauth_config,
         username,
         cache=bless_cache
     )
     logging.debug("Got kmsauth token: {}".format(kmsauth_token))
-    role_creds = get_blessrole_credentials(
-        aws.iam_client(), creds, bless_config, bless_cache)
     bless_lambda = BlessLambda(bless_lambda_config, role_creds, kmsauth_token, region)

From f2eec1365e716d0c848bdddffdd0a9e96dc0287c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daz=20Ma=C3=B1oso?=
Date: Fri, 19 Jul 2019 12:00:22 +0900
Subject: [PATCH 6/7] Removed temp debug line

---
 blessclient/client.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/blessclient/client.py b/blessclient/client.py
index f64db8f..e840131 100755
--- a/blessclient/client.py
+++ b/blessclient/client.py
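Review bot: `print(ClientError.response)` in the `@@ -729` hunk reads `response` on the exception class rather than on the caught instance; botocore sets that attribute per instance, so this line presumably raises AttributeError inside the handler and replaces the "Incorrect MFA" message with a traceback, and when it does work it dumps the raw error body to stdout. Bind the exception and log it instead: `except (ClientError, ParamValidationError) as err:` / `logging.debug("MFA session request failed: %s", err)` — patch 6 of the series deletes the print, so squashing that into this commit is the cleaner fix. The reordering that now derives kmsauth_token from role_creds is the substance of the commit but is uncommented; a line such as `# kmsauth token is encrypted as the bless role so the cross-account KMS key accepts it` would explain why get_blessrole_credentials moved ahead of the token request. The `@@ -161` trailing-comma change is cosmetic. bless continues outside the hunk.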
@@ -731,7 +731,6 @@ def bless(region, nocache, showgui, hostname, bless_config):
             )['Credentials']
         except (ClientError, ParamValidationError):
-            print(ClientError.response)
             sys.stderr.write("Incorrect MFA, no certificate issued\n")
             sys.exit(1)

From a7ea7a745cfedbf0319447ac7d9a7a6d88ad8829 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daz=20Ma=C3=B1oso?=
Date: Fri, 26 Jul 2019 12:20:05 +0900
Subject: [PATCH 7/7] removed extra config variables

---
 blessclient/bless_config.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/blessclient/bless_config.py b/blessclient/bless_config.py
index 1c7fffe..a46db71 100644
--- a/blessclient/bless_config.py
+++ b/blessclient/bless_config.py
@@ -41,8 +41,7 @@ def parse_config_file(self, config_file):
                 'update_script': config.get('CLIENT', 'update_script'),
                 'user_session_length': int(config.get('CLIENT', 'user_session_length')),
                 'usebless_role_session_length': int(config.get('CLIENT', 'usebless_role_session_length')),
-                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent'),
-                'enc_assume_role': config.get('CLIENT', 'enc_assume_role')
+                'update_sshagent': config.getboolean('CLIENT', 'update_sshagent')
             },
             'BLESS_CONFIG': {
                 'ca_backend': config.get('MAIN', 'ca_backend'),