The goal of this project is to level up the experience of contributing to Awsaml. Contributors should be confident, which means they can

1. Find something in Awsaml's issues they feel they can work on
2. Get started making changes as easily as possible
3. Know their changes won't break existing functionality
4. Have a high degree of confidence their changes will be accepted
5. Know when accepted changes will be released

Issues related to this project are filed under the "confident-contributors" milestone.

So people can be confident their changes will be accepted into Awsaml, we should provide contributor guidelines in the form of a CONTRIBUTING.md document at the root of the repository. This document should include

• instructions on formatting commit messages in code
• guidelines for scoping changes within a pull request
• instructions on formatting pull requests (see #22)
• links to the documentation for testing (see #18)
• links to the documentation for releases (see #21)

So people can be confident their changes will be accepted into Awsaml, we should provide a pull rquest template in the form of a "PULL_REQUEST_TEMPLATE.md" file at the root of the project. This document should provide instructions on

• referencing related issues
• writing a pull request title
• writing a pull request body
• referencing other contributors

To facilitate account switching, users need a way to log out (see #48) and a way to log back in. The current "remember the last metadata URL used" method isn't sufficient for handling multiple accounts. We should add a "Recent Logins" list to the configuration page. The list should be of the last six URLs successfully used to login.

If a URL in the "SAML Metadata URL" box is already in the list, the existing URL in the list should be moved to the top and the list length shouldn't change. If a URL in the box isn't already in the list, the URL should be added to the top of the list and the list truncated to the last six used URLs.

URLs should be ordered on the configuration page with the most recently used URL at the top of the list. URLs in the list should be selectable and copyable so that users can cut and paste them into the "SAML Metadata URL" box.

The maximum length of the list should be stored as a configuration parameter.

Awsaml's README doesn't currently highlight why it's useful and what it does. We should update the README to include a one paragraph description at the top that describes why Awsaml's useful, what it does, and who should use it.

Once we have the npm test command working (see #33) we can hook up Travis CI so tests are run on pull requests. If we add a ".travis.yaml" file to the root of the project with the following contents, it should work.

language: node_js
sudo: false
script:
  - npm test

We may have to add a ".nvmrc" file to the root of the project with the following contents to tell Travis CI what version of Node to use.

4.4.0

New users have expressed some confusion around running Awsaml. People think they need to set up an identity provider (like Okta) and configure their Amazon account before they can download the binary and run it. We should split the README out into separate documents that cover running Awsaml as a user vs. setting up an identity provider for use with Awsaml. This will also lay the groundwork for being able to provide documentation around identity providers beyond Okta.

Documentation should be Markdown formatted and go into a "docs" folder in the root. The following is probably a good starting point

• docs/usage.md - Covers how to get binaries and run Awsaml
• docs/setup.md - Covers how to get set up an identity provider

The README can then be amended with links to the individual documents.

Audience Restriction is http://localhost:2600/sso/smal but the rest of the URLs are http://localhost:2600/sso/saml.

You can get into a state where the "The SAML metadata is invalid." error message is still visible after you've successfully authenticated.

1. Open Awsaml
2. Enter an invalid metadata URL like https://github.com/
3. Click the "Done" button
4. See the error message?
5. Enter a valid metadata URL
6. Click the "Done" button
7. The error message went away!
8. Login to your identity provider
9. Why is the error message back!?

Awsaml needs a short blurb to go in the "description" field for its GitHub page. This should be a single sentence that sums up why Awsaml's useful and what it does. This same sentence should go in the
package.json file as the "description" field.

We need to design an application icon for Awsaml. The general criteria is that the icon must be readable at a 64x64 pixel resolution. The design should be in SVG format so we can scale it to any needed resolution. The icon should be named "awsaml.svg" and go in the "resources" folder at the root of the project.

Start Awsaml, login, and click the "Refresh" button. Everything works. Lock your computer and go to lunch. Come back from lunch, unlock your computer, and click the "Refresh" button. An uncaught exception is thrown.

Originally reported by: @emcanearney-r7

Using the v1.2.0 Linux release of Awsaml.

Starting up Awsaml renders the following:

Uncaught Exception:
SyntaxError: Unexpected end of input
    at Object.parse (native)
    at Storage.load (/home/emcanearney/apps/awsaml-v1.2.0-linux-x64/resources/app.asar/lib/storage.js:26:22)
    at Storage.get (/home/emcanearney/apps/awsaml-v1.2.0-linux-x64/resources/app.asar/lib/storage.js:57:10)
    at EventEmitter.Application.on (/home/emcanearney/apps/awsaml-v1.2.0-linux-x64/resources/app.asar/app.js:35:33)
    at emitOne (events.js:95:20)
    at EventEmitter.emit (events.js:182:7)

There's very little error handling in Awsaml. For example, if you put an invalid url into the configuration page, all that shows is a dull red border appears around the SAML Metadata URL field.

In addition, there's no handling around exceptions. They bubble up to electron's handling which pops a stacktrace up in a new window.

We should improve both of these things.

Awsaml doesn't currently have any automated testing around it. This creates a barrier to entry for contributors, since it's hard to know if your changes broke anything. We should set up automated tests for Awsaml and have them run by Travis CI when pull requests are created.

Issues related to this project are filed under the "totally-testable" milestone.

If you're creating a production build as part of a release process, you run npm install --production to skip all the development dependencies. The gotcha is that the Electron packaging tools get skipped as well. Those need to move out of the devDependencies section of the package.json file and into the dependencies section. Both the electron-packager and electron-prebuilt modules should move.

There's already an --ignore=node_modules/electron flag in the build process, so we don't have to worry about those packages making it into the released builds.

There are a variety of tiny touch points around branding that would be helpful to have when referencing Awsaml. Both a short and long form description as well as a website with screen shots, download links, and documentation on setup, usage, and where to get help, file issues, etc.

Issues related to this project are filed under the "beautiful-branding" milestone.

Right now, Awsaml only has documentation for Okta as a provider. We should document usage for the other providers that are supported out of the box by Passport-SAML, as well as look into alternative providers like GitHub and Google.

It may also be possible to have Awsaml serve as its own provider. That probably necessitates the refactor from #23. I'm not quite sure what a local Awsaml authentication would look like anyway (YubiKey maybe?).

Issues related to this project are filed under the "prepackaged-providers" milestone.

We need to generate .icns icns for Mac builds. Once we have an icon (see #27) we can convert it to an .icns format. The converted icon should be named "awsaml.icns" and go in the "resources" folder at the root of the project.

Awsaml uses the express-react-views library to render its user interface. This means the UI is static and needs the server to push changes to it. This creates a tight coupling between the process of refreshing tokens and the presentation of those tokens.

Instead, the server should expose a RESTful interface for managing tokens. This would allow the UI to be rewritten as a single page application using React directly. It would also simplify the work needed to support managing tokens for multiple AWS accounts simultaneously. The RESTful interface could support an EC2 metadata like API and enable third-party applications to treat the local desktop environment as an EC2 instance.

Work around this project can be completed in stages without impacting other development.

1. Create a design document describing the RESTful interface (see #24)
2. Implement the RESTful interface while maintaining the existing server API
3. Implement the React UI, providing users a toggle to turn it on and off
4. Deprecate the existing UI and make the React UI the default
5. Remove the existing UI

Issues related to this project are filed under the "restful-refactor" milestone.

Awsaml currently uses the stock Electron icon. To provide better visual distinction between it and other Electron applications, Awsaml should have its own icon. We need several icon file formats to account for all the OSes we support. Plus, the build process needs updated to package the icon.

Issues related to this project are filed under the "iconic-identity" milestone.

Awsaml writes a named profile to ~/.aws/credentials. The user has to know to look there if they want to configure their CLI tools. Awsaml should display the named profile in the UI and provide and example of command line usage as well.

The v1.4.0 notes on building Awsaml don't include anything about running tests. We should update those to include running tests before creating packages.

rm -rf node_modules/
npm install
npm test
npm prune --production
npm run build

Once we have the npm test command working in Travis CI (see #35) we can add lint coverage by extending the "scripts" section of the ".travis.yaml" file with a npm run lint command. The linter should run before the tests are run.

Once the README refactor is done (see #16), we should add documentation that describes how to configure a SimpleSAMLphp provider so it can be used with Awsaml.

You can enter any valid URL in the "SAML Metadata URL" field on the configuration screen. If the data returned isn't valid XML, an uncaught exception is thrown. Try entering "https://www.google.com/" in the configuration screen and then click the "Done" button. See the attached screenshot for the error message that pops up.

npm WARN deprecated [email protected]: electron-prebuilt has been renamed to electron. For more details, see http://electron.atom.io/blog/2016/08/16/npm-install-electron

The electron-prebuilt package has been replaced with electron. See "npm install electron" blog post for more details. We should replace the dependency on electron-prebuilt in package.json with electron.

The AwsCredentials class should be the first piece under test since it's pretty self contained. In particular, the following cases should be tested:

• an error is thrown if $HOME can't be resolved
• an error is thrown if no credentials are provided
• an error is thrown if no profile is provided
• the $HOME/.aws folder is created if it doesn't exist
• the $HOME/.aws folder has permission bits set to 0700
• existing profile information in the credentials file is preserved
• old profile information in the credentials file is overwritten
• access keys are written to aws_access_key_id keys
• secret access keys are written to aws_secret_access_key keys
• session tokens are written to both aws_session_token and aws_secret_token keys

If you enter a valid metadata URL that doesn't exist on the configuration screen, a generic getaddrinfo.ENOTFOUND message is displayed. We should handle that error and provide a more helpful error message. See the attached screenshot for an example where "https://does.not.exist/" was used as the metadata URL.

When I start an awsaml session I get a window that looks like the following:

Not that this is a very likely attack vector, but with that window up, someone could capture the information in that window (with a camera? a really good memory?) and then transfer it to another device and use AWS services impersonating me.

Since awsml conveniently writes that data to ~/.aws/credentials already, it also seems unlikely that anyone would really need to copy and paste it from the awsaml GUI to somewhere else.

So, would you consider a modification in which the access key, secret key and session token info is hidden by default in the awsaml GUI, but could be revealed after clicking on a button?

@rhodgman-r7 @simonirwin-r7 @bturner-r7 and many others agree that a workflow that requires less button presses would be better.

Today (in the v1.3.1.beta.1 prerelease) to log into an account you've already configured with Awsaml the workflow is:

1. Open Awsaml (or press logout if already logged in).
2. Configure the metadata URL in the "configure" field by either:
   • Entering an existing metadata URL by copying and pasting from a "recent login".
   • Entering a brand new metadata URL.
3. Click "Configure".
4. Authenticate with your SAML provider when prompted.
5. Export AWS credentials.

After implementing #49 (recent logins section) the user simply has to press the logout button and repeat these steps to switch accounts.

An improved workflow would be something like:

1. Open Awsaml (or logout).
2. Login (configure Awsaml with SAML) via:
   • Clicking a new "login" button for a given account when you have recent logins.
   • Entering a new metadata URL and clicking "Configure'.
3. Export AWS credentials.

Awsaml's build process uses electron-packager for packaging. We should be able to add the --icon flag to the build process to create a custom application icon. For now, we can leverage the stock Electron
icons and update the build process to inject those. Once we have OS specific icons (see #28, #29, and #30), the build process will pick them up. Icons should go in a "resources" folder in the root of the project.

The long term goal is to have an automated test suite around Awsaml. For now, we should have a step-by-step guide that describes how to build the binary releases and test them. This may entail additional work to set up some kind of development SAML provider.

We're behind on Electron packaging versions. In particular, electron-package v7.0.0 is out, which has a security fix for SSL certificate checks. electron-prebuilt v0.37.6 is out as well. We need to update both of those in the package.json file.

The code-box with generated export ENVAR commands has some trailing white-space characters that break Bash due to slight variations in OS's clipboard semantics AFAIK. On OS X, copy-pasting both lines works as expected. However, on an Ubuntu/Unity desktop, I've observed this breaking the boto/python based aws-cli. Copy-pasting each line individually, being careful not to select past the last printable-character, fixes the issue.

Awsaml currently builds against Electron v0.36.7. However, it's being packaged with v0.34.1. This results in an error when the application is built and launched.

We are currently using awsaml-${session.accountId} as the profile in $HOME/.aws/credentials.

If you are dealing with many AWS accounts or if the accounts you are dealing with have very similar account ids it can become confusing.

This should include changing the call to AwsCredentials.save and updating the refresh view.

We should add something that allows us to check if there's a new release when Awsaml starts and if so, offers the ability to upgrade to the newest version.

Once Travis CI is wired up to run on pull requests (see #35) we can update the README file to include a build status icon. The following Markdown snippet should go at the top of the README right after the "Awsaml" header.

[![Build Status][build-status-image]][build-status-url]

The build-status-image and build-status-url links should be defined at the bottom of the README.

[build-status-image]: https://travis-ci.org/rapid7/awsaml.svg?branch=master
[build-status-url]: https://travis-ci.org/rapid7/awsaml

A RESTful interface for Awsaml should take the following things into consideration

• versioning through a named URL e.g. /v1/...
• support for retrieving individual id, key, and token values
• support for retrieving EC2 instance metadata style security credentials
• support for Awsaml managing multiple AWS accounts simultaneously

The resulting design should be documented in a Markdown formatted file name "docs/restful-api.md".

Once we have a .png icon for Linux (see #30) we need to update the BrowserWindow to include the icon option. This will cause the icon to show up when the application's launched. We'll also need to update the build process to make sure the icon's bundled with the application.

Users need a way to get back to the configuration page without having to close and restart Awsaml. Adding a "Log Out" button to the refresh page provides that control. When clicked, the "Log Out" button should take the user to the /logout end point. The /logout end point should do the following

• Allow the user to access it without being authenticated
• Stop the current refresh interval timer if it's running
• Clear the current session data
• Redirect the user to the configuration page

The package.json file should be updated so that when npm test is run it automatically runs the tests. We can use Mocha as a testing library with Should.js for assertions.

When issues are created, there are no clear guidelines around how to tag them, or what details to include. We should add an issue template that documents what should be included in an issue and recommendations on how to tag it. Note that tagging guidelines imply we come up with a simple sensible tagging scheme.

Current thoughts on a tagging scheme are that things are either "enhancement" or "bug". The documentation should include examples of both and thoughts on how to pick between the two. If you need to put both labels on an issue, it should be split it into separate issues.

Project issues e.g. #17, are special. They are unlabeled and provide descriptive information around milestones.

The current workflow for using Awsaml v1.1.0 with two AWS accounts is:

• Open Awsaml
• Input metadata URL for first account
• Do work in first account
• Close Awsaml
• Open Awsaml
• Input metadata URL for second account
• Do work in second account
• Close Awsaml

This isn't a nice flow and doesn't scale as you add more accounts. Awsaml should have user friendly support for multiple accounts.

To start, we could allow people to name their metadata URLs and have some kind of button on drop down menu for switching. We'd need UI around managing metadata URLs e.g. add new, remove existing, edit existing. Here's a plan for how that can happen; the goal here is to provide incrementally useful functionality.

1. Add a "Log Out" button to the refresh page (see #48)
2. Add a "Recent Logins" list to the configuration page (see #49)

Longer term, we could support maintaining tokens for multiple accounts simultaneously. That longer term bit might be easier if we complete the "RESTful Refactor" project first.

Issues related to this project are filed under the "simply-switchable" milestone.

If you log out of Awsaml by clicking the "Logout" button, the automatic token renewal process stops working. We clear the timer interval to stop the loop, but never start it back up again.

For now, we can fix this by clearing the entryPointUrl attribute (instead of the timer interval) when logging out, and only calling mainWindow.loadURL if the attribute's not null.

We need a landing page for Awsaml that provides a more curated experience than the README of our GitHub project. We can do this with a GitHub.io page. The page should include:

1. Why Awsaml is useful, what it does, and who should use it (see #43)
2. What the latest version is and where Awsaml can be downloaded
3. Links to documentation on configuring Awsaml for administrators

We need to generate .ico icons for Windows builds. Once we have an icon (see #27) we can convert it to an .ico format. The converted icon should be named "awsaml.ico" and go in the "resources" folder at the root of the project.

We need to generate .png icons for Linux builds. Once we have an icon (see #27) we can convert it to a .png format. The converted icon should be named "awsaml.png" and go in the "resources" folder at the root of the project.

Once pull requests are accepted to Awsaml, it'd be nice to know when those changes will be released. We should have documentation (in a "docs/releases.md" file) that describes

• how Awsaml is versioned (semantically)
• when releases happen (every two weeks on Monday)
• where the latest release can be found
• how new releases are built
• how the descriptive information in a release is formatted and populated