def _get_credentials(self): # Do NOT load credentials from ENV or ~/.aws/credentials client = boto3.client( 'sts', aws_access_key_id='', aws_secret_access_key='', aws_session_token='', region_name=self._configuration["AWS_OKTA_REGION"]) aws_roles, saml_assertion, _application_url, _user, _organization = self._get_app_roles( ) aws_role = prompt.get_item(items=aws_roles, label="AWS Role", key=self._configuration["AWS_OKTA_ROLE"]) print_tty("Role: {}".format(aws_role.role_arn), silent=self._configuration["AWS_OKTA_SILENT"]) response = client.assume_role_with_saml( RoleArn=aws_role.role_arn, PrincipalArn=aws_role.principal_arn, SAMLAssertion=saml_assertion, DurationSeconds=int(self._configuration["AWS_OKTA_DURATION"])) expiration = ( response['Credentials']['Expiration'].isoformat().replace( "+00:00", "Z")) response['Credentials']['Expiration'] = expiration return response
def _get_credentials(self): # Do NOT load credentials from ENV or ~/.aws/credentials client = boto3.client( 'sts', aws_access_key_id='', aws_secret_access_key='', aws_session_token='', region_name=self._configuration["AWS_OKTA_REGION"]) okta = Okta( user_name=self._configuration["AWS_OKTA_USER"], user_pass=self._authenticate.get_pass(), organization=self._configuration["AWS_OKTA_ORGANIZATION"], factor=self._configuration["AWS_OKTA_FACTOR"], silent=self._configuration["AWS_OKTA_SILENT"], no_okta_cache=self._configuration["AWS_OKTA_NO_OKTA_CACHE"]) self._configuration["AWS_OKTA_USER"] = '' self._configuration["AWS_OKTA_PASS"] = '' if self._configuration["AWS_OKTA_APPLICATION"]: application_url = self._configuration["AWS_OKTA_APPLICATION"] else: applications = okta.get_applications() application_url = prompt.get_item( items=applications, label="AWS application", key=self._configuration["AWS_OKTA_APPLICATION"]) saml_response = okta.get_saml_response(application_url=application_url) saml_assertion = saml.get_saml_assertion(saml_response=saml_response) aws_roles = saml.get_aws_roles(saml_assertion=saml_assertion, accounts_filter=self._configuration.get( 'AWS_OKTA_ACCOUNT_ALIAS', None)) aws_role = prompt.get_item(items=aws_roles, label="AWS Role", key=self._configuration["AWS_OKTA_ROLE"]) print_tty("Role: {}".format(aws_role.role_arn), silent=self._configuration["AWS_OKTA_SILENT"]) response = client.assume_role_with_saml( RoleArn=aws_role.role_arn, PrincipalArn=aws_role.principal_arn, SAMLAssertion=saml_assertion, DurationSeconds=int(self._configuration["AWS_OKTA_DURATION"])) expiration = ( response['Credentials']['Expiration'].isoformat().replace( "+00:00", "Z")) response['Credentials']['Expiration'] = expiration return response
def get_saml_assertion(saml_response=None): soup = BeautifulSoup(saml_response, features="lxml") for input_tag in soup.find_all('input'): if input_tag.get('name') == 'SAMLResponse': return input_tag.get('value') print_tty("ERROR: SAMLResponse tag was not found!") sys.exit(1)
def test_unix_print_tty_indent(self, mock_io, mock_os, mock_conextlib2, mock_import_msvcrt): mock_import_msvcrt.side_effect = ImportError mock_stack = MagicMock() mock_conextlib2.ExitStack.return_value.__enter__.return_value = mock_stack # noqa mock_text_wrapper = MagicMock() mock_io.TextIOWrapper.return_value = mock_text_wrapper print_tty.print_tty("STRING", indents=1, newline=False) mock_os.open.assert_called_once() mock_stack.enter_context.called_once_with(mock_text_wrapper) mock_text_wrapper.write.assert_called_once_with(u' STRING') mock_text_wrapper.flush.assert_called_once()
def test_unix_print_tty(self, mock_io, mock_os, mock_conextlib2, mock_import_msvcrt): mock_import_msvcrt.side_effect = ImportError mock_stack = MagicMock() mock_conextlib2.ExitStack.return_value = mock_stack mock_text_wrapper = MagicMock() mock_io.TextIOWrapper.return_value = mock_text_wrapper calls = [call(u'STRING'), call(u'\n')] print_tty.print_tty("STRING") mock_text_wrapper.write.assert_has_calls(calls) mock_os.open.assert_called_once()
def test_unix_print_tty_print_no_newline(self, mock_io, mock_os, mock_conextlib2, mock_print, mock_import_msvcrt): mock_import_msvcrt.side_effect = ImportError mock_stack = MagicMock() mock_conextlib2.ExitStack.return_value.__enter__.return_value = mock_stack # noqa mock_text_wrapper = MagicMock() mock_io.TextIOWrapper.return_value = mock_text_wrapper mock_os.open.side_effect = OSError print_tty.print_tty("STRING", newline=False) mock_print.write.assert_called_once_with("STRING") mock_stack.close.assert_called_once() mock_text_wrapper.write.assert_not_called()
def test_win_print_tty(self, mock_import_msvcrt): mock_msvcrt = MagicMock() mock_import_msvcrt.return_value = mock_msvcrt calls = ([], []) for char in list("STRING\r\n"): calls[0].append(call(char)) calls[1].append(call(bytes(char.encode()))) print_tty.print_tty("STRING") try: mock_msvcrt.putch.assert_has_calls(calls[0]) except AssertionError: mock_msvcrt.putch.assert_has_calls(calls[1])
def get_aws_roles(saml_assertion=None, accounts_filter=None): aws_roles = OrderedDict() role_principals = {} decoded_saml = base64.b64decode(saml_assertion) xml_saml = ElementTree.fromstring(decoded_saml) saml_attributes = xml_saml.iter(SAML_ATTRIBUTE) for saml_attribute in saml_attributes: if saml_attribute.get('Name') == SAML_ATTRIBUTE_ROLE: saml_attribute_values = saml_attribute.iter( SAML_ATTRIBUTE_VALUE ) for saml_attribute_value in saml_attribute_values: if not saml_attribute_value.text: print_tty("ERROR: No accounts found in SAMLResponse!") sys.exit(1) principal_arn, role_arn = saml_attribute_value.text.split(',') role_principals[role_arn] = principal_arn # Skip get_account_roles if only one role returned. if len(role_principals) > 1: account_roles = get_account_roles(saml_assertion=saml_assertion) for account_role in account_roles: account_name = account_role.account_name if accounts_filter is not None and len(accounts_filter) > 0: account_name_alias = account_name.split(" ")[1] if not fnmatch(account_name_alias, accounts_filter): continue role_arn = account_role.role_arn account_role.principal_arn = role_principals[role_arn] if account_name not in aws_roles: aws_roles[account_name] = {} aws_roles[account_name][role_arn] = account_role else: account_role = AWSRole() for role_arn, principal_arn in six.iteritems(role_principals): account_role.role_arn = role_arn account_role.principal_arn = principal_arn aws_roles["default"] = {} aws_roles["default"][role_arn] = account_role return aws_roles
def __init__( self, user_name=None, user_pass=None, organization=None, factor=None, silent=None, no_okta_cache=None ): self.user_name = user_name self.silent = silent self.factor = factor self.session = requests.Session() self.organization = organization self.okta_session_id = None self.cache_file_path = self.get_cache_file_path() okta_session = None if not no_okta_cache: okta_session = self.get_okta_session() if okta_session: self.read_aop_from_okta_session(okta_session) self.refresh_okta_session_id( okta_session=okta_session ) if not self.organization: print_tty(string="Organization: ", newline=False) self.organization = input() if not self.user_name: print_tty(string="UserName: "******"UserName: "******"Organization: ", newline=False) self.organization = input() self.okta_single_use_token = self.get_okta_single_use_token( user_name=self.user_name, user_pass=user_pass ) self.get_okta_session_id()
def call(self, endpoint=None, headers=None, json_payload=None): print_tty( "Info: Calling {}".format(endpoint), silent=self.silent ) try: if json_payload is not None: return self.session.post( endpoint, json=json_payload, headers=headers, timeout=10 ) else: return self.session.get( endpoint, headers=headers, timeout=10 ) except ConnectTimeout: print_tty("Error: Timed Out") sys.exit(1) except ConnectionError: print_tty("Error: Connection Error") sys.exit(1)
def send_error(response=None, json=True, exit=True): print_tty("Error: Status Code: {}".format(response.status_code)) if json: response_json = response.json() if "status" in response_json: print_tty("Error: Status: {}".format(response_json['status'])) if "errorSummary" in response_json: print_tty("Error: Summary: {}".format( response_json['errorSummary'])) else: print_tty("Error: Invalid JSON") if exit: sys.exit(1)
def payload(): print_tty("Hardware Token: ", newline=False) return {"passCode": input()}