From 4a026ce884c5ff707d3cd3c3b148874562c1c0ff Mon Sep 17 00:00:00 2001
From: Evan Johnson
Date: Wed, 15 Nov 2017 11:46:45 -0800
Subject: [PATCH 1/3] Allow assuming a source profiles.

If the source profile is itself, then don't do the second assume. Instead, just jump in to the okta enabled role.
---
 lib/provider.go | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/lib/provider.go b/lib/provider.go
index 5a2a371d..866ac1e4 100644
--- a/lib/provider.go
+++ b/lib/provider.go
@@ -102,15 +102,20 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
 (*session.AccessKeyId)[len(*session.AccessKeyId)-4:],
 session.Expiration.Sub(time.Now()).String())
 
- if role, ok := p.profiles[p.profile]["role_arn"]; ok {
- session, err = p.assumeRoleFromSession(session, role)
- if err != nil {
- return credentials.Value{}, err
+ // If sourceProfile returns the same source then we do not need to assume a
+ // second role. Not assuming a second role allows us to assume IDP enabled
+ // roles directly.
+ if source != sourceProfile(p.profile, p.profiles) {
+ if role, ok := p.profiles[p.profile]["role_arn"]; ok {
+ session, err = p.assumeRoleFromSession(session, role)
+ if err != nil {
+ return credentials.Value{}, err
+ }
+
+ log.Debugf("using role %s expires in %s",
+ (*session.AccessKeyId)[len(*session.AccessKeyId)-4:],
+ session.Expiration.Sub(time.Now()).String())
 }
-
- log.Debugf("using role %s expires in %s",
- (*session.AccessKeyId)[len(*session.AccessKeyId)-4:],
- session.Expiration.Sub(time.Now()).String())
 }
 
 p.SetExpiration(*session.Expiration, window)

From 2204a5b36d0206c2884c423f1021134045774ad8 Mon Sep 17 00:00:00 2001
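Review bot: The new guard `if source != sourceProfile(p.profile, p.profiles)` silently skips the `role_arn` branch when the profile resolves to itself, so a profile that carries a `role_arn` but is its own source returns the base session's credentials with nothing in the log; the `using role` debug line only fires inside the assumed branch. If `sourceProfile` falls back to the profile name when no `source_profile` key is configured (not visible here), a misconfigured profile would quietly hand the operator credentials for a different principal than the one they asked for, which is hard to notice until an access-denied or, worse, an over-privileged call. An `else` branch with `log.Debugf("profile %s is its own source, skipping role assumption", p.profile)` would make the skipped hop visible in the same place the assumed case is already logged. `Retrieve` begins and ends outside this hunk, and `source` is presumably assigned earlier in it.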
From: Evan Johnson
Date: Wed, 15 Nov 2017 16:46:35 -0800
Subject: [PATCH 2/3] Use p.profile instead of source.

p.profile is the chosen profile that is typed in. It should coorespond to an aws config profile. In the case that the profile's source profile is itself then we have found an idp enabled role and we should just log in to it instead of performing a second hop
---
 lib/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/provider.go b/lib/provider.go
index 866ac1e4..77d7fef4 100644
--- a/lib/provider.go
+++ b/lib/provider.go
@@ -105,7 +105,7 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
 // If sourceProfile returns the same source then we do not need to assume a
 // second role. Not assuming a second role allows us to assume IDP enabled
 // roles directly.
- if source != sourceProfile(p.profile, p.profiles) {
+ if p.profile != sourceProfile(p.profile, p.profiles) {
 if role, ok := p.profiles[p.profile]["role_arn"]; ok {
 session, err = p.assumeRoleFromSession(session, role)
 if err != nil {

From 091f19157d034537ba4493e1950ea34e4134259e Mon Sep 17 00:00:00 2001
From: Evan Johnson
Date: Wed, 15 Nov 2017 16:59:02 -0800
Subject: [PATCH 3/3] Don't re-call `sourceProfile`
---
 lib/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/provider.go b/lib/provider.go
index 77d7fef4..16226b30 100644
--- a/lib/provider.go
+++ b/lib/provider.go
@@ -105,7 +105,7 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
 // If sourceProfile returns the same source then we do not need to assume a
 // second role. Not assuming a second role allows us to assume IDP enabled
 // roles directly.
- if p.profile != sourceProfile(p.profile, p.profiles) {
+ if p.profile != source {
 if role, ok := p.profiles[p.profile]["role_arn"]; ok {
 session, err = p.assumeRoleFromSession(session, role)
 if err != nil {
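Review bot: After [PATCH 3/3] the condition reads `if p.profile != source {`, but the comment directly above it still says "If sourceProfile returns the same source", referring to a call that no longer appears on that line, and the reader has to find where `source` is assigned, which is outside the hunk. Since this patch replaces `sourceProfile(p.profile, p.profiles)` with `source`, the two are presumably equal at this point, and the comment should say so by name, e.g. `// source is the resolved source_profile of p.profile. When it is p.profile itself the profile is an IDP-enabled role, so log straight into it instead of assuming a second role.` The same comment is context in the preceding [PATCH 2/3] hunk, which only swaps `source` for `p.profile` on the left side of the comparison. `Retrieve` starts and ends outside both hunks.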