From 9c19e7b85dda8ab21dc6f6e94c31b7227bedf1c3 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Sat, 27 Jan 2018 10:35:25 -0500 Subject: [PATCH] improved load of auth credentials
---
prowler | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/prowler b/prowler
index fdc985e5..30f4a80f 100755
--- a/prowler
+++ b/prowler
@@ -239,24 +239,20 @@ else
 exit $EXITCODE
 fi
-# Check environment if profile provided reads it from creds file, then instance profile
-# if not profile provided loads it from environment variables
+# It checks -p optoin first and use it as profile, if not -p provided then
+# check environment variables and if not, it checks and loads credentials from
+# instance profile (metadata server) if runs in an EC2 instance
 if [[ $PROFILE ]]; then
 PROFILE_OPT="--profile $PROFILE"
- if [[ ! -f ~/.aws/credentials ]]; then
- echo -e "\n$RED ERROR!$NORMAL AWS credentials file not found (~/.aws/credentials). Run 'aws configure' first. \n"
- return 1
- else
- # if Prowler runs insinde an AWS instance with IAM instance profile attached
- INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
- if [[ $INSTANCE_PROFILE ]]; then
- AWS_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
- AWS_SECRET_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
- AWS_SESSION_TOKEN=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} grep Token| cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
- fi
- fi
 else
+ # if Prowler runs insinde an AWS instance with IAM instance profile attached
+ INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+ if [[ $INSTANCE_PROFILE ]]; then
+ AWS_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
+ AWS_SECRET_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
+ AWS_SESSION_TOKEN=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} grep Token| cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
+ fi
 if [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN ]];then
 PROFILE="ENV"
 PROFILE_OPT=""
@@ -1692,9 +1688,9 @@ extra74(){
 for SG_ID in $LIST_OF_SECURITYGROUPS; do
 SG_NO_INGRESS_FILTER=$($AWSCLI ec2 describe-network-interfaces $PROFILE_OPT --region $regx --filters "Name=group-id,Values=$SG_ID" --query "length(NetworkInterfaces)" --output text)
 if [[ $SG_NO_INGRESS_FILTER -ne 0 ]];then
- textWarn "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx"
+ textWarn "$regx: $SG_ID has not ingress filtering and it is being used!" "$regx"
 else
- textNotice "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx"
+ textNotice "$regx: $SG_ID has not ingress filtering but it is no being used" "$regx"
 fi
 done
 done
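Review bot: The added `AWS_SESSION_TOKEN` line in the `else` branch is missing the `|` between the curl command and `grep Token`, so `grep` and `Token` are handed to curl as extra URLs and the pipeline cannot extract the token; it should read `AWS_SESSION_TOKEN=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep Token | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')`. The line above it stores the secret in `AWS_SECRET_ACCESS_KEY_ID`, while the check that follows (`[[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN ]]`) and the AWS CLI's environment lookup use `AWS_SECRET_ACCESS_KEY`, so the metadata-derived secret is never read; rename it to `AWS_SECRET_ACCESS_KEY`. None of the three variables is `export`ed in this hunk, so unless that happens elsewhere the `$AWSCLI` child processes will not see them — I cannot confirm from this hunk. Since the AWS CLI's own credential chain already falls back to the instance metadata service, it is worth confirming whether this manual scrape (which parses the JSON with grep/sed and leaves the temporary key, secret and token in plain shell variables where `set -x` or a process dump could expose them) is needed at all. The `if [[ $PROFILE ]]` block continues past the end of the hunk.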
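Review bot: The reworded finding messages on the new side of the extra74 hunk are ungrammatical — `has not ingress filtering` and `it is no being used` — while the removed lines read correctly, so this looks like an accidental regression rather than an intended change. Suggest `textWarn "$regx: $SG_ID has no ingress filtering and it is being used!" "$regx"` and `textNotice "$regx: $SG_ID has no ingress filtering but it is not being used" "$regx"`. The body of extra74 begins before the start of the hunk.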