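def saml_enum_account_aliases(auth_response: AuthnResponse) -> Dict[str, str]:
    """
    Return the mapping between AWS Account IDs and their aliases.

    Every value of the custom ``AccountAlias`` attribute in the SAML assertion
    is expected to be a single ``"<account-id>,<alias>"`` string.

    :param auth_response: a parsed SAML response whose attributes are read via
        ``get_identity()`` (assumed to return a mapping of attribute name to a
        list of string values, as pysaml2 does). Signature/issuer validation is
        not performed here — it must already have happened upstream.
    :return: ``{account_id: alias}``. If the same account ID appears more than
        once, the last occurrence wins (plain dict semantics).
    :raises KeyError: if the assertion carries no ``AccountAlias`` attribute.
    :raises ValueError: if a value is not exactly one comma-separated pair.
    """
    attribute = "https://github.com/eliezio/sari/AccountAlias"
    aliases: Dict[str, str] = {}
    for entry in auth_response.get_identity()[attribute]:
        parts = entry.split(",")
        # A value with zero or several commas is malformed; report it with a
        # readable message rather than the opaque "dictionary update sequence
        # element #N has length M" that dict() would raise.
        if len(parts) != 2:
            raise ValueError(
                f"Malformed AccountAlias value "
                f"(expected '<account-id>,<alias>'): {entry!r}")
        account_id, alias = parts
        aliases[account_id] = alias
    return aliases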
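def saml_enum_aws_roles(
        auth_response: AuthnResponse) -> Dict[str, Tuple[str, str]]:
    """
    Return the Role/Principal pairs stored as comma-separated values of the
    ``Role`` attribute in the SAML assertion.

    Each value is expected to be ``"<role-arn>,<provider-arn>"``, role first,
    as in the AWS document linked below. The two ARNs must belong to the same
    AWS account; a pair that crosses accounts is rejected instead of being
    returned.

    NOTE(review): only the account portion of the ARNs is checked. Nothing
    here verifies that the first ARN is a ``:role/`` and the second a
    ``:saml-provider/`` ARN, nor that the IdP did not emit the pair in the
    opposite order — confirm against the IdP configuration.

    :param auth_response: a parsed SAML response whose attributes are read via
        ``get_identity()`` (assumed to return a mapping of attribute name to a
        list of string values, as pysaml2 does).
    :return: a dictionary that maps an AWS account to a pair RoleARN/PrincipalARN.
        If the assertion lists several roles for the same account, only the
        last one is kept (plain dict semantics); callers that need every
        role offered must not rely on this function.
    :raises KeyError: if the assertion carries no ``Role`` attribute.
    :raises ValueError: if a value is not exactly one comma-separated pair, or
        if the two ARNs of a pair belong to different accounts.
    """
    def group_by_account(role_arn: str,
                         provider_arn: str) -> Tuple[str, Tuple[str, str]]:
        acc1 = get_aws_account_from_arn(role_arn)
        acc2 = get_aws_account_from_arn(provider_arn)
        # A role from one account paired with a SAML provider from another is
        # never a valid assertion for this tool: refuse it.
        # (The original message had a stray shell-style "$" before each
        # placeholder, which rendered as "$123... != $456...".)
        if acc1 != acc2:
            raise ValueError(f"Account mismatch: {acc1} != {acc2}")
        return acc1, (role_arn, provider_arn)

    # See
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute
    role_attribute = "https://aws.amazon.com/SAML/Attributes/Role"
    roles: Dict[str, Tuple[str, str]] = {}
    for entry in auth_response.get_identity()[role_attribute]:
        parts = entry.split(",")
        # Reject malformed values explicitly; star-unpacking them into
        # group_by_account would otherwise surface as an unrelated TypeError.
        if len(parts) != 2:
            raise ValueError(
                f"Malformed Role attribute value "
                f"(expected '<role-arn>,<provider-arn>'): {entry!r}")
        account, pair = group_by_account(*parts)
        roles[account] = pair
    return roles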