From e4edb5e39e11cb27cd332987e2d74344ba1ec345 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 12 Nov 2021 18:30:52 +0100
Subject: [PATCH 1/2] fix(iam-role): IAM assumed role session duration
---
 include/assume_role | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/assume_role b/include/assume_role
index 755213292b..53158ec612 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -21,6 +21,9 @@ assume_role(){
 # In some cases you will need more than 1h.
 if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
 SESSION_DURATION_TO_ASSUME="3600"
+ elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
+ echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
+ exit 1
 fi
 
 # temporary file where to store credentials
@@ -52,6 +55,11 @@ assume_role(){
 rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
+ elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
+ textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
+ rm -f $TEMP_STS_ASSUMED_FILE
+ EXITCODE=1
+ exit $EXITCODE
 fi
 
 # assume role command
@@ -80,4 +88,3 @@ assume_role(){
 export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
 rm -fr $TEMP_STS_ASSUMED_FILE
 }
-
From 563cd7106022bbe42c0a750d48896d69d9581d49 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 12 Nov 2021 19:33:22 +0100
Subject: [PATCH 2/2] fix(iam-role): Delete temporary prowler.sts_assumed* if error
---
 include/assume_role | 8 +++++---
 include/credentials_report | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/assume_role b/include/assume_role
index 53158ec612..95bd3e0046 100644
--- a/include/assume_role
+++ b/include/assume_role
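Review bot: The error text on the added `echo` line says the upper limit is 4300 seconds while the condition on the line above rejects values greater than 43200, so a caller who passes, say, 20000 is rejected by a message that contradicts the check; `echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be between 900 and 43200 seconds" >&2` matches the code and sends the diagnostic to stderr. The same `elif` aborts with a bash arithmetic error instead of this message when SESSION_DURATION_TO_ASSUME is not an integer, so a pattern test such as `elif ! [[ "${SESSION_DURATION_TO_ASSUME}" =~ ^[0-9]+$ ]] || (( SESSION_DURATION_TO_ASSUME > 43200 || SESSION_DURATION_TO_ASSUME < 900 )); then` would cover both cases. The enclosing assume_role function starts and ends outside the hunk.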
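Review bot: The new `elif` in the second hunk (`@@ -52,6 +55,11 @@`) captures grep's output in a subshell only to test it for non-emptiness, and leaves `$TEMP_STS_ASSUMED_FILE` unquoted; `elif grep -q MaxSessionDuration -- "$TEMP_STS_ASSUMED_FILE"; then` performs the same test without the subshell and survives a path containing spaces. The branch detects the failure by a substring match on the raw STS response, so it presumably relies on the error body naming the MaxSessionDuration field; a comment recording that assumption, e.g. `# STS rejects DurationSeconds above the role's MaxSessionDuration; its error body names the field`, would help the next maintainer. The AccessDenied branch immediately above this hunk appears to have the same shape and could use the same form. The enclosing function starts and ends outside the hunk.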
@@ -52,12 +52,10 @@ assume_role(){
 fi
 if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
 textFail "Access Denied assuming role $PROWLER_ROLE"
- rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
 elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
 textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
- rm -f $TEMP_STS_ASSUMED_FILE
 EXITCODE=1
 exit $EXITCODE
 fi
@@ -86,5 +84,9 @@ assume_role(){
 export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
 export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
 export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
- rm -fr $TEMP_STS_ASSUMED_FILE
+ cleanSTSAssumeFile
 }
+
+cleanSTSAssumeFile() {
+ rm -fr "${TEMP_STS_ASSUMED_FILE}"
+}
\ No newline at end of file
diff --git a/include/credentials_report b/include/credentials_report
index 3741e89a1a..51f145f982 100644
--- a/include/credentials_report
+++ b/include/credentials_report
@@ -43,6 +43,7 @@ cleanTemp(){
 if [[ $KEEPCREDREPORT -ne 1 ]]; then
 rm -fr $TEMP_REPORT_FILE
 fi
+ cleanSTSAssumeFile
 }
 
 # Delete the temporary report file if we get interrupted/terminated
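Review bot: Removing `rm -f $TEMP_STS_ASSUMED_FILE` from both error branches leaves the file holding the failed STS response on disk when `exit $EXITCODE` runs, unless something outside this function removes it. The intent appears to be that `cleanTemp` in include/credentials_report, which this series extends with a `cleanSTSAssumeFile` call, runs from an exit trap, but the trap registration is not in this diff, so confirm it is installed before assume_role is invoked; otherwise both exits now leak the temp file the commit title says it deletes. If the trap is in place, a comment at the first `exit`, e.g. `# temp STS file is removed by cleanTemp via the exit trap`, would make the cross-file dependency visible. The enclosing function starts and ends outside the hunk.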
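Review bot: In the second hunk (`@@ -86,5 +84,9 @@`), the new `cleanSTSAssumeFile` removes with `rm -fr` what the surrounding code treats as a single file (it is read with `cat` and `jq` three lines above), so the recursive flag is unnecessary and only widens the damage if the variable ever points at a directory; and because the function is also called from `cleanTemp`, it can run before assume_role has assigned the variable, where `-f` silently ignores an empty expansion but an unset one aborts under `set -u`. `if [[ -n "${TEMP_STS_ASSUMED_FILE:-}" ]]; then rm -f -- "${TEMP_STS_ASSUMED_FILE}"; fi` covers both. Since the file contains the temporary credentials after a successful assume, a short comment such as `# the STS response holds the session credentials; always remove it` explains why this helper must never be skipped. The file also ends without a trailing newline after the new closing brace.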
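Review bot: The `cleanSTSAssumeFile` call added to `cleanTemp` in include/credentials_report depends on a function defined in include/assume_role, so if `cleanTemp` runs in a path where that include has not been sourced yet, bash reports `command not found` from inside the cleanup routine; guarding it with `if declare -F cleanSTSAssumeFile >/dev/null; then cleanSTSAssumeFile; fi` keeps the cleanup independent of include order. The comment below the hunk suggests `cleanTemp` is wired to an interrupt/termination trap, which is exactly where such a failure would surface. cleanTemp's header is outside the hunk.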