def _get_app_roles(self):
    """Authenticate to Okta, pick an AWS application and list the roles it offers.

    Returns:
        A 5-tuple ``(aws_roles, saml_assertion, application_url, user_name,
        organization)`` where ``aws_roles`` is what ``saml.get_aws_roles``
        produced for the selected application, ``saml_assertion`` is the
        assertion extracted from the SAML response, ``application_url`` is the
        Okta app link that was used, and the last two are taken back from the
        ``Okta`` client after login.
    """
    config = self._configuration
    login_user = config["AWS_OKTA_USER"]
    okta_org = config["AWS_OKTA_ORGANIZATION"]

    okta = Okta(
        user_name=login_user,
        user_pass=self._authenticate.get_pass(),
        organization=okta_org,
        factor=config["AWS_OKTA_FACTOR"],
        silent=config["AWS_OKTA_SILENT"],
        no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"],
    )

    # The Okta client now holds the login; blank the user/password entries so
    # the configuration mapping no longer carries them.
    config["AWS_OKTA_USER"] = ''
    config["AWS_OKTA_PASS"] = ''

    # A pre-configured application URL skips the interactive selection.
    application_url = config["AWS_OKTA_APPLICATION"]
    if not application_url:
        application_url = prompt.get_item(
            items=okta.get_applications(),
            label="AWS application",
            key=config["AWS_OKTA_APPLICATION"],
        )

    saml_response = okta.get_saml_response(application_url=application_url)
    saml_assertion = saml.get_saml_assertion(saml_response=saml_response)

    # An optional account alias narrows the role list; absent means no filter.
    aws_roles = saml.get_aws_roles(
        saml_assertion=saml_assertion,
        accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None),
    )

    return (
        aws_roles,
        saml_assertion,
        application_url,
        okta.user_name,
        okta.organization,
    )
def test_okta_get_applications(self, mock_print_tty, mock_makedirs, mock_open, mock_chmod):
    """get_applications() returns the app-name -> link mapping, in order, from the stubbed appLinks response."""
    base_url = 'https://organization.okta.com'

    # Stub the three Okta endpoints the client is expected to call.
    stubbed_endpoints = [
        (responses.POST, '/api/v1/authn', AUTH_TOKEN_RESPONSE),
        (responses.POST, '/api/v1/sessions', SESSION_RESPONSE),
        (responses.GET, '/api/v1/users/me/appLinks', APPLICATIONS_RESPONSE),
    ]
    for http_method, path, body in stubbed_endpoints:
        responses.add(http_method, base_url + path, json=json.loads(body))

    client = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    # OrderedDict equality is order-sensitive, so this also pins the ordering.
    expected = OrderedDict()
    expected['AWS'] = base_url + '/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270'
    expected['AWS GOV'] = base_url + '/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/272'

    self.assertEqual(client.get_applications(), expected)
def _get_credentials(self):
    """Log in through Okta and exchange the SAML assertion for AWS credentials.

    Returns:
        The raw STS ``assume_role_with_saml`` response, with
        ``Credentials.Expiration`` rewritten as an ISO-8601 string whose
        ``+00:00`` offset is replaced by ``Z``.
    """
    config = self._configuration

    # Empty credentials are passed explicitly so boto3 does not pick up
    # anything from the environment or ~/.aws/credentials; the SAML assertion
    # is what authorises the call.
    sts = boto3.client(
        'sts',
        aws_access_key_id='',
        aws_secret_access_key='',
        aws_session_token='',
        region_name=config["AWS_OKTA_REGION"],
    )

    okta = Okta(
        user_name=config["AWS_OKTA_USER"],
        user_pass=self._authenticate.get_pass(),
        organization=config["AWS_OKTA_ORGANIZATION"],
        factor=config["AWS_OKTA_FACTOR"],
        silent=config["AWS_OKTA_SILENT"],
        no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"],
    )

    # The Okta client now holds the login; blank the user/password entries so
    # the configuration mapping no longer carries them.
    config["AWS_OKTA_USER"] = ''
    config["AWS_OKTA_PASS"] = ''

    # A pre-configured application URL skips the interactive selection.
    application_url = config["AWS_OKTA_APPLICATION"]
    if not application_url:
        application_url = prompt.get_item(
            items=okta.get_applications(),
            label="AWS application",
            key=config["AWS_OKTA_APPLICATION"],
        )

    saml_response = okta.get_saml_response(application_url=application_url)
    saml_assertion = saml.get_saml_assertion(saml_response=saml_response)

    # An optional account alias narrows the role list; absent means no filter.
    aws_roles = saml.get_aws_roles(
        saml_assertion=saml_assertion,
        accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None),
    )
    aws_role = prompt.get_item(
        items=aws_roles,
        label="AWS Role",
        key=config["AWS_OKTA_ROLE"],
    )
    print_tty(
        "Role: {}".format(aws_role.role_arn),
        silent=config["AWS_OKTA_SILENT"],
    )

    response = sts.assume_role_with_saml(
        RoleArn=aws_role.role_arn,
        PrincipalArn=aws_role.principal_arn,
        SAMLAssertion=saml_assertion,
        DurationSeconds=int(config["AWS_OKTA_DURATION"]),
    )

    # Normalise the expiry timestamp in place: ISO-8601 with a "Z" suffix
    # instead of the "+00:00" offset isoformat() emits.
    credentials = response['Credentials']
    credentials['Expiration'] = (
        credentials['Expiration'].isoformat().replace("+00:00", "Z")
    )

    return response