This pull request replaces our existing authentication model with YubiKey-only support.
Changelist
Global changes
The --quiet flag has been adjusted to cause all output of keyconjurer to be machine/scripting-friendly when it is specified. Extraneous messages to stdout are removed when --quiet is provided.
The environment variable KEYCONJURERFLAGS may now be set with flags to be applied to KC when it is executed, i.e. KEYCONJURERFLAGS='--quiet'.
The environment variable DEBUG, when set to 1, will cause KeyConjurer to output basic information about the requests it makes, such as their HTTP Method, Path and response code.
AD credentials are no longer used.
keyconjurer login
No longer prompts the user for their credentials. A URL is presented to stdout which can be pasted into a web browser for the user to visit.
The user may pipe the output of keyconjurer login to a file to enable them to open a browser from a headless session in the following manner: keyconjurer login | tee url.txt; open $(cat url.txt).
The user may provide the --url-only or --quiet flag to emit only the URL.
No longer automatically fetches accounts.
Logging in now generates OAuth2 access and ID tokens, which are stored in the configuration file. These tokens last one hour, but any AWS sessions created by them may still last an hour; the tokens are only used for retrieving accounts with keyconjurer accounts and retrieving credentials with keyconjurer get.
keyconjurer accounts
New flag: --no-refresh. Only emits the accounts as-is and doesn't update them.
Output is now in CSV format instead of an ASCII table.
keyconjurer get
Users are no longer permitted to enter an account ID or name that is not in the account cache. The user will instead be instructed to execute keyconjurer accounts. This prevents an issue where KeyConjurer would submit the account name as-is to Okta and cause confusing error messages if that account was not in the cache.
The user may bypass this behavior with --bypass-cache if they are certain that they want to do this.
Users may now specify a region to get credentials for with the --region flag.
TODO: Tencent Cloud is currently not supported.
keyconjurer providers
Has been removed.
keyconjurer roles
Is now implemented correctly and will return the roles a user has access to for a specific account. It follows the same rules as keyconjurer get for account resolution. Roles are output one per line.
keyconjurer --version / keyconjurer -v
Now only ever emits a single line in the format: keyconjurer-${os}-${arch} ${version} ${iso8601-timestamp}.
The Frontend
The frontend has not been updated for these changes and is going to be replaced with one that instructs the user on how to download and use the CLI. At Riot, browser-based access to the application makes up 3% of total requests; it's not worth the effort to maintain.
Lambda functions
get_user_data, get_aws_creds and list_providers have been removed.
A new function, list_applications, has been added which lists all the user's applications when given a valid Okta OIDC token.
Code organization changes
Lambda functions are now located in the ./lambda/ folder.
The API folder has been removed and its members either moved inline, removed, or moved to ./internal/api as appropriate.
The ./providers folder, which contained the legacy implementations of Duo and Okta, has been removed.
Unified interfaces between Tencent and AWS were leaky and have been removed; consumers now choose the appropriate implementation at the call site instead.
The terraform code has been split into modules located at ./terraform/modules. These modules are intended to be composable in case you want to only deploy specific portions of the application. The ./terraform/modules/kitchensink module still exists to do a deployment of everything.
Makefiles have been consolidated into a single root Makefile. The Makefiles located within cli, frontend and api have been removed.
Makefiles no longer require all environment variables to be specified before running any target within them. Environment variables are now only required when building a target that requires them.
Common Makefile targets were added to the root for ease of onboarding: test, clean, build and upload.
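As an added example (not code from this pull request or from the KeyConjurer project), the headless login flow above can be wrapped in a small POSIX shell helper that validates what keyconjurer login --url-only prints before handing it to a browser. The snippet keyconjurer login | tee url.txt; open $(cat url.txt) works, but an unquoted $(cat url.txt) is subject to word splitting and will pass any stray status line to open as well. The KC variable, the https-only check, and the fallback to printing the URL are this example's assumptions, not behaviour the changelist documents.

```shell
#!/bin/sh
# Added example, not part of KeyConjurer. KC names the CLI binary; it is
# overridable (assumption) so the helper can be exercised without the tool.
KC="${KC:-keyconjurer}"

# kc_login_url: run `keyconjurer login --url-only` and echo the single URL it
# emits. Returns non-zero if the output is empty, spans more than one line, or
# is not an https URL (assumption: the IdP login URL is always https), so a
# caller never forwards unexpected text to a browser or another command.
kc_login_url() {
    url="$("$KC" login --url-only)" || return 1
    nl='
'
    case "$url" in
        *"$nl"*)
            printf 'expected a single URL line, got:\n%s\n' "$url" >&2
            return 1 ;;
        https://*) ;;
        *)
            printf 'unexpected login output: %s\n' "$url" >&2
            return 1 ;;
    esac
    printf '%s\n' "$url"
}

# kc_open_url: open the URL in a local browser when one is reachable from this
# session; otherwise print it so the user can paste it into a browser on
# another machine (the headless case described in the changelist). The URL is
# always quoted, so it reaches the opener as exactly one argument.
kc_open_url() {
    url="$1"
    if [ -n "$DISPLAY" ] && command -v xdg-open >/dev/null 2>&1; then
        xdg-open "$url"
    elif [ "$(uname)" = Darwin ] && command -v open >/dev/null 2>&1; then
        open "$url"
    else
        printf 'Open this URL in a browser: %s\n' "$url"
    fi
}

# Usage from an interactive or headless shell:
#   url="$(kc_login_url)" && kc_open_url "$url"
```

Setting KEYCONJURERFLAGS='--quiet' in the environment is an alternative to passing --url-only explicitly, since the changelist states that either flag restricts the output of keyconjurer login to the URL.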