def _get_credentials(self):
# Do NOT load credentials from ENV or ~/.aws/credentials
client = boto3.client(
'sts',
aws_access_key_id='',
aws_secret_access_key='',
aws_session_token='',
region_name=self._configuration["AWS_OKTA_REGION"])
aws_roles, saml_assertion, _application_url, _user, _organization = self._get_app_roles(
)
aws_role = prompt.get_item(items=aws_roles,
label="AWS Role",
key=self._configuration["AWS_OKTA_ROLE"])
print_tty("Role: {}".format(aws_role.role_arn),
silent=self._configuration["AWS_OKTA_SILENT"])
response = client.assume_role_with_saml(
RoleArn=aws_role.role_arn,
PrincipalArn=aws_role.principal_arn,
SAMLAssertion=saml_assertion,
DurationSeconds=int(self._configuration["AWS_OKTA_DURATION"]))
expiration = (
response['Credentials']['Expiration'].isoformat().replace(
"+00:00", "Z"))
response['Credentials']['Expiration'] = expiration
return response
def _get_credentials(self):
# Do NOT load credentials from ENV or ~/.aws/credentials
client = boto3.client(
'sts',
aws_access_key_id='',
aws_secret_access_key='',
aws_session_token='',
region_name=self._configuration["AWS_OKTA_REGION"])
okta = Okta(
user_name=self._configuration["AWS_OKTA_USER"],
user_pass=self._authenticate.get_pass(),
organization=self._configuration["AWS_OKTA_ORGANIZATION"],
factor=self._configuration["AWS_OKTA_FACTOR"],
silent=self._configuration["AWS_OKTA_SILENT"],
no_okta_cache=self._configuration["AWS_OKTA_NO_OKTA_CACHE"])
self._configuration["AWS_OKTA_USER"] = ''
self._configuration["AWS_OKTA_PASS"] = ''
if self._configuration["AWS_OKTA_APPLICATION"]:
application_url = self._configuration["AWS_OKTA_APPLICATION"]
else:
applications = okta.get_applications()
application_url = prompt.get_item(
items=applications,
label="AWS application",
key=self._configuration["AWS_OKTA_APPLICATION"])
saml_response = okta.get_saml_response(application_url=application_url)
saml_assertion = saml.get_saml_assertion(saml_response=saml_response)
aws_roles = saml.get_aws_roles(saml_assertion=saml_assertion,
accounts_filter=self._configuration.get(
'AWS_OKTA_ACCOUNT_ALIAS', None))
aws_role = prompt.get_item(items=aws_roles,
label="AWS Role",
key=self._configuration["AWS_OKTA_ROLE"])
print_tty("Role: {}".format(aws_role.role_arn),
silent=self._configuration["AWS_OKTA_SILENT"])
response = client.assume_role_with_saml(
RoleArn=aws_role.role_arn,
PrincipalArn=aws_role.principal_arn,
SAMLAssertion=saml_assertion,
DurationSeconds=int(self._configuration["AWS_OKTA_DURATION"]))
expiration = (
response['Credentials']['Expiration'].isoformat().replace(
"+00:00", "Z"))
response['Credentials']['Expiration'] = expiration
return response
def get_saml_assertion(saml_response=None):
soup = BeautifulSoup(saml_response, features="lxml")
for input_tag in soup.find_all('input'):
if input_tag.get('name') == 'SAMLResponse':
return input_tag.get('value')
print_tty("ERROR: SAMLResponse tag was not found!")
sys.exit(1)
def test_unix_print_tty_indent(self, mock_io, mock_os, mock_conextlib2,
mock_import_msvcrt):
mock_import_msvcrt.side_effect = ImportError
mock_stack = MagicMock()
mock_conextlib2.ExitStack.return_value.__enter__.return_value = mock_stack # noqa
mock_text_wrapper = MagicMock()
mock_io.TextIOWrapper.return_value = mock_text_wrapper
print_tty.print_tty("STRING", indents=1, newline=False)
mock_os.open.assert_called_once()
mock_stack.enter_context.called_once_with(mock_text_wrapper)
mock_text_wrapper.write.assert_called_once_with(u' STRING')
mock_text_wrapper.flush.assert_called_once()
def test_unix_print_tty(self, mock_io, mock_os, mock_conextlib2,
mock_import_msvcrt):
mock_import_msvcrt.side_effect = ImportError
mock_stack = MagicMock()
mock_conextlib2.ExitStack.return_value = mock_stack
mock_text_wrapper = MagicMock()
mock_io.TextIOWrapper.return_value = mock_text_wrapper
calls = [call(u'STRING'), call(u'\n')]
print_tty.print_tty("STRING")
mock_text_wrapper.write.assert_has_calls(calls)
mock_os.open.assert_called_once()
def test_unix_print_tty_print_no_newline(self, mock_io, mock_os,
mock_conextlib2, mock_print,
mock_import_msvcrt):
mock_import_msvcrt.side_effect = ImportError
mock_stack = MagicMock()
mock_conextlib2.ExitStack.return_value.__enter__.return_value = mock_stack # noqa
mock_text_wrapper = MagicMock()
mock_io.TextIOWrapper.return_value = mock_text_wrapper
mock_os.open.side_effect = OSError
print_tty.print_tty("STRING", newline=False)
mock_print.write.assert_called_once_with("STRING")
mock_stack.close.assert_called_once()
mock_text_wrapper.write.assert_not_called()
def test_win_print_tty(self, mock_import_msvcrt):
mock_msvcrt = MagicMock()
mock_import_msvcrt.return_value = mock_msvcrt
calls = ([], [])
for char in list("STRING\r\n"):
calls[0].append(call(char))
calls[1].append(call(bytes(char.encode())))
print_tty.print_tty("STRING")
try:
mock_msvcrt.putch.assert_has_calls(calls[0])
except AssertionError:
mock_msvcrt.putch.assert_has_calls(calls[1])
def get_aws_roles(saml_assertion=None, accounts_filter=None):
aws_roles = OrderedDict()
role_principals = {}
decoded_saml = base64.b64decode(saml_assertion)
xml_saml = ElementTree.fromstring(decoded_saml)
saml_attributes = xml_saml.iter(SAML_ATTRIBUTE)
for saml_attribute in saml_attributes:
if saml_attribute.get('Name') == SAML_ATTRIBUTE_ROLE:
saml_attribute_values = saml_attribute.iter(
SAML_ATTRIBUTE_VALUE
)
for saml_attribute_value in saml_attribute_values:
if not saml_attribute_value.text:
print_tty("ERROR: No accounts found in SAMLResponse!")
sys.exit(1)
principal_arn, role_arn = saml_attribute_value.text.split(',')
role_principals[role_arn] = principal_arn
# Skip get_account_roles if only one role returned.
if len(role_principals) > 1:
account_roles = get_account_roles(saml_assertion=saml_assertion)
for account_role in account_roles:
account_name = account_role.account_name
if accounts_filter is not None and len(accounts_filter) > 0:
account_name_alias = account_name.split(" ")[1]
if not fnmatch(account_name_alias, accounts_filter):
continue
role_arn = account_role.role_arn
account_role.principal_arn = role_principals[role_arn]
if account_name not in aws_roles:
aws_roles[account_name] = {}
aws_roles[account_name][role_arn] = account_role
else:
account_role = AWSRole()
for role_arn, principal_arn in six.iteritems(role_principals):
account_role.role_arn = role_arn
account_role.principal_arn = principal_arn
aws_roles["default"] = {}
aws_roles["default"][role_arn] = account_role
return aws_roles
def __init__(
self,
user_name=None,
user_pass=None,
organization=None,
factor=None,
silent=None,
no_okta_cache=None
):
self.user_name = user_name
self.silent = silent
self.factor = factor
self.session = requests.Session()
self.organization = organization
self.okta_session_id = None
self.cache_file_path = self.get_cache_file_path()
okta_session = None
if not no_okta_cache:
okta_session = self.get_okta_session()
if okta_session:
self.read_aop_from_okta_session(okta_session)
self.refresh_okta_session_id(
okta_session=okta_session
)
if not self.organization:
print_tty(string="Organization: ", newline=False)
self.organization = input()
if not self.user_name:
print_tty(string="UserName: "******"UserName: "******"Organization: ", newline=False)
self.organization = input()
self.okta_single_use_token = self.get_okta_single_use_token(
user_name=self.user_name,
user_pass=user_pass
)
self.get_okta_session_id()
def call(self, endpoint=None, headers=None, json_payload=None):
print_tty(
"Info: Calling {}".format(endpoint),
silent=self.silent
)
try:
if json_payload is not None:
return self.session.post(
endpoint,
json=json_payload,
headers=headers,
timeout=10
)
else:
return self.session.get(
endpoint,
headers=headers,
timeout=10
)
except ConnectTimeout:
print_tty("Error: Timed Out")
sys.exit(1)
except ConnectionError:
print_tty("Error: Connection Error")
sys.exit(1)
def send_error(response=None, json=True, exit=True):
print_tty("Error: Status Code: {}".format(response.status_code))
if json:
response_json = response.json()
if "status" in response_json:
print_tty("Error: Status: {}".format(response_json['status']))
if "errorSummary" in response_json:
print_tty("Error: Summary: {}".format(
response_json['errorSummary']))
else:
print_tty("Error: Invalid JSON")
if exit:
sys.exit(1)
def payload():
print_tty("Hardware Token: ", newline=False)
return {"passCode": input()}
