    def test_get_saml_assertion(self, mock_sys, mock_print_tty):
        """A well-formed SAMLResponse parses; an empty one reports the error and exits 1.

        ``mock_sys`` and ``mock_print_tty`` are presumably injected by a patch
        decorator on this test (not visible in this listing), which lets the
        exit path be observed instead of terminating the test runner.
        """
        exit_mock = mock_sys.exit
        # Make the patched sys.exit behave like the real one so the code after
        # the error report cannot silently keep running inside the test.
        exit_mock.side_effect = SystemExit

        # Happy path: a valid response must parse without raising.
        saml.get_saml_assertion(saml_response=SAML_RESPONSE)

        # Missing SAMLResponse tag: the error goes to the tty and the process
        # exits with status 1.
        with self.assertRaises(SystemExit):
            saml.get_saml_assertion(saml_response="")

        mock_print_tty.assert_called_once_with(
            "ERROR: SAMLResponse tag was not found!")  # noqa
        exit_mock.assert_called_once_with(1)
    def _get_app_roles(self):
        """Authenticate to Okta and collect the AWS roles offered by the chosen application.

        Returns a 5-tuple ``(aws_roles, saml_assertion, application_url,
        user_name, organization)``. ``saml_assertion`` is the raw assertion that
        is later presented to STS, so callers should treat it like a bearer
        credential and keep it out of logs.
        """
        config = self._configuration
        okta_user = config["AWS_OKTA_USER"]
        okta_org = config["AWS_OKTA_ORGANIZATION"]

        okta = Okta(
            user_name=okta_user,
            user_pass=self._authenticate.get_pass(),
            organization=okta_org,
            factor=config["AWS_OKTA_FACTOR"],
            silent=config["AWS_OKTA_SILENT"],
            no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"])

        # The Okta session now owns the identity; scrub user and password from
        # the configuration so nothing that later dumps or persists the
        # configuration carries them along.
        config["AWS_OKTA_USER"] = ''
        config["AWS_OKTA_PASS"] = ''

        application_url = config["AWS_OKTA_APPLICATION"]
        if not application_url:
            # No application pinned in the configuration: let the user pick
            # one from those Okta reports for this account.
            application_url = prompt.get_item(
                items=okta.get_applications(),
                label="AWS application",
                key=config["AWS_OKTA_APPLICATION"])

        saml_response = okta.get_saml_response(application_url=application_url)
        saml_assertion = saml.get_saml_assertion(saml_response=saml_response)
        aws_roles = saml.get_aws_roles(
            saml_assertion=saml_assertion,
            accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None))

        return (aws_roles, saml_assertion, application_url,
                okta.user_name, okta.organization)
    def _get_credentials(self):
        """Authenticate via Okta, let the user pick an AWS role and assume it with SAML.

        Returns the raw ``assume_role_with_saml`` response, with
        ``Credentials.Expiration`` rewritten as an ISO-8601 string carrying a
        ``Z`` suffix. The ``Credentials`` block holds live AWS session
        credentials; the caller decides where they are stored and must keep
        them out of logs.
        """
        config = self._configuration

        # Deliberately anonymous STS client: AssumeRoleWithSAML is an unsigned
        # call, and blank keys stop boto3 from picking up ambient credentials
        # (ENV, ~/.aws/credentials) that must play no part in this exchange.
        sts = boto3.client(
            'sts',
            aws_access_key_id='',
            aws_secret_access_key='',
            aws_session_token='',
            region_name=config["AWS_OKTA_REGION"])

        okta = Okta(
            user_name=config["AWS_OKTA_USER"],
            user_pass=self._authenticate.get_pass(),
            organization=config["AWS_OKTA_ORGANIZATION"],
            factor=config["AWS_OKTA_FACTOR"],
            silent=config["AWS_OKTA_SILENT"],
            no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"])

        # The Okta session now owns the identity; scrub user and password from
        # the configuration so nothing that later dumps or persists the
        # configuration carries them along.
        config["AWS_OKTA_USER"] = ''
        config["AWS_OKTA_PASS"] = ''

        application_url = config["AWS_OKTA_APPLICATION"]
        if not application_url:
            # No application pinned in the configuration: let the user pick
            # one from those Okta reports for this account.
            application_url = prompt.get_item(
                items=okta.get_applications(),
                label="AWS application",
                key=config["AWS_OKTA_APPLICATION"])

        saml_response = okta.get_saml_response(application_url=application_url)
        saml_assertion = saml.get_saml_assertion(saml_response=saml_response)
        aws_roles = saml.get_aws_roles(
            saml_assertion=saml_assertion,
            accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None))

        aws_role = prompt.get_item(
            items=aws_roles,
            label="AWS Role",
            key=config["AWS_OKTA_ROLE"])
        # Only the role ARN is echoed; the assertion itself is never printed.
        print_tty("Role: {}".format(aws_role.role_arn),
                  silent=config["AWS_OKTA_SILENT"])

        response = sts.assume_role_with_saml(
            RoleArn=aws_role.role_arn,
            PrincipalArn=aws_role.principal_arn,
            SAMLAssertion=saml_assertion,
            DurationSeconds=int(config["AWS_OKTA_DURATION"]))

        # Normalise the UTC offset spelling ("+00:00" -> "Z") so downstream
        # consumers get a single, predictable timestamp format.
        credentials = response['Credentials']
        credentials['Expiration'] = (
            credentials['Expiration'].isoformat().replace("+00:00", "Z"))

        return response
    def test_get_aws_roles(self, mock_requests):
        """Roles parsed from the sample assertion are grouped per AWS account.

        ``mock_requests`` is presumably injected by a patch decorator on this
        test (not visible in this listing); its ``post()`` reply is replaced
        with the canned sign-in page so no network call is made.
        """
        sign_in_reply = MagicMock()
        sign_in_reply.text = SIGN_IN_RESPONSE
        mock_requests.post.return_value = sign_in_reply

        aws_roles = saml.get_aws_roles(
            saml_assertion=saml.get_saml_assertion(saml_response=SAML_RESPONSE))

        # Expected grouping: account label -> role ARNs the sample lists for it.
        expected = {
            "Account: account-one (1)": [
                "arn:aws:iam::1:role/Role-One",
                "arn:aws:iam::1:role/Role-Two",
            ],
            "Account: account-two (2)": [
                "arn:aws:iam::2:role/Role-One",
            ],
        }
        for account, role_arns in expected.items():
            self.assertIn(account, aws_roles)
            for role_arn in role_arns:
                self.assertIn(role_arn, aws_roles[account])  # noqa