def run(self): """ Pulling it all together to make the CLI """ config = Config() config.get_args() # Create/Update config when configure arg set if config.configure is True: config.update_config_file() exit() # get the config dict conf_dict = config.get_config_dict() if not conf_dict.get('okta_org_url'): print( 'No Okta organization URL in configuration. Try running --config again.' ) exit(1) if not conf_dict.get('gimme_creds_server'): print( 'No Gimme-Creds server URL in configuration. Try running --config again.' ) exit(1) okta = OktaClient(conf_dict['okta_org_url'], config.verify_ssl_certs) if config.resolve == True: self.resolver = AwsResolver(config.verify_ssl_certs) else: if conf_dict.get('resolve_aws_alias') and str( conf_dict['resolve_aws_alias']) == 'True': self.resolver = AwsResolver(config.verify_ssl_certs) if config.username is not None: okta.set_username(config.username) else: if conf_dict.get('okta_username'): okta.set_username(conf_dict['okta_username']) if conf_dict.get('preferred_mfa_type'): okta.set_preferred_mfa_type(conf_dict['preferred_mfa_type']) if config.mfa_code is not None: okta.set_mfa_code(config.mfa_code) # AWS Default session duration .... if conf_dict.get('aws_default_duration'): config.aws_default_duration = int( conf_dict['aws_default_duration']) else: config.aws_default_duration = 3600 # Call the Okta APIs and proces data locally if conf_dict.get('gimme_creds_server') == 'internal': # Okta API key is required when calling Okta APIs internally if config.api_key is None: print('OKTA_API_KEY environment variable not found!') exit(1) # Authenticate with Okta auth_result = okta.auth_session() print("Authentication Success! Getting AWS Accounts") aws_results = self._get_aws_account_info(conf_dict['okta_org_url'], config.api_key, auth_result['username']) elif conf_dict.get('gimme_creds_server') == 'appurl': # bypass lambda & API call # Apps url is required when calling with appurl if conf_dict.get('app_url'): config.app_url = conf_dict['app_url'] if config.app_url is None: print('app_url is not defined in your config !') exit(1) # Authenticate with Okta auth_result = okta.auth_session() print("Authentication Success! Getting AWS Accounts") # build app list aws_results = [] newAppEntry = {} newAppEntry['id'] = "fakeid" # not used anyway newAppEntry['name'] = "fakelabel" #not used anyway newAppEntry['links'] = {} newAppEntry['links']['appLink'] = config.app_url aws_results.append(newAppEntry) # Use the gimme_creds_lambda service else: if not conf_dict.get('client_id'): print( 'No OAuth Client ID in configuration. Try running --config again.' ) if not conf_dict.get('okta_auth_server'): print( 'No OAuth Authorization server in configuration. Try running --config again.' ) # Authenticate with Okta and get an OAuth access token okta.auth_oauth(conf_dict['client_id'], authorization_server=conf_dict['okta_auth_server'], access_token=True, id_token=False, scopes=['openid']) # Add Access Tokens to Okta-protected requests okta.use_oauth_access_token(True) print("Authentication Success! Calling Gimme-Creds Server...") aws_results = self._call_gimme_creds_server( okta, conf_dict['gimme_creds_server']) aws_app = self._get_selected_app(conf_dict.get('aws_appname'), aws_results) saml_data = okta.get_saml_response(aws_app['links']['appLink']) # aws_signin_page = aws_signin.get_signinpage(saml_data['SAMLResponse']) roles = self.resolver._enumerate_saml_roles(saml_data['SAMLResponse'], saml_data['TargetUrl']) aws_role = self._get_selected_role(conf_dict.get('aws_rolename'), roles) aws_partition = self._get_partition_from_saml_acs( saml_data['TargetUrl']) for _, role in enumerate(roles): # Skip irrelevant roles if aws_role != 'all' and aws_role not in role.role: continue try: aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration) except ClientError as ex: if ex.response['Error'][ 'Message'] == 'The requested DurationSeconds exceeds the MaxSessionDuration set for this role.': print( "The requested session duration was too long for this role. Falling back to 1 hour." ) aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, 3600) deriv_profname = re.sub('arn:aws:iam:.*/', '', role.role) # check if write_aws_creds is true if so # get the profile name and write out the file if str(conf_dict['write_aws_creds']) == 'True': # set the profile name # Note if there are multiple roles, and 'default' is # selected it will be overwritten multiple times and last role # wins. if conf_dict['cred_profile'].lower() == 'default': profile_name = 'default' elif conf_dict['cred_profile'].lower() == 'role': profile_name = deriv_profname else: profile_name = conf_dict['cred_profile'] # Write out the AWS Config file print('writing role {} to {}'.format(role.role, self.AWS_CONFIG)) self._write_aws_creds(profile_name, aws_creds['AccessKeyId'], aws_creds['SecretAccessKey'], aws_creds['SessionToken']) else: #Print out temporary AWS credentials. Credentials are printed to stderr to simplify #redirection for use in automated scripts print("export AWS_ACCESS_KEY_ID=" + aws_creds['AccessKeyId'], file=sys.stderr) print("export AWS_SECRET_ACCESS_KEY=" + aws_creds['SecretAccessKey'], file=sys.stderr) print("export AWS_SESSION_TOKEN=" + aws_creds['SessionToken'], file=sys.stderr) print("export AWS_SECURITY_TOKEN=" + aws_creds['SessionToken'], file=sys.stderr) config.clean_up()
def setUp_client(self, okta_org_url, verify_ssl_certs): client = OktaClient(ui.default, okta_org_url, verify_ssl_certs) client.req_session = requests return client
def run(self): """ Pulling it all together to make the CLI """ config = Config() config.get_args() # Create/Update config when configure arg set if config.configure is True: config.update_config_file() exit() # get the config dict conf_dict = config.get_config_dict() if not conf_dict.get('okta_org_url'): print( 'No Okta organization URL in configuration. Try running --config again.' ) exit(1) if not conf_dict.get('gimme_creds_server'): print( 'No Gimme-Creds server URL in configuration. Try running --config again.' ) exit(1) okta = OktaClient(conf_dict['okta_org_url'], config.verify_ssl_certs) if config.username is not None: okta.set_username(config.username) else: if conf_dict.get('okta_username'): okta.set_username(conf_dict['okta_username']) # Call the Okta APIs and proces data locally if conf_dict.get('gimme_creds_server') == 'internal': # Okta API key is required when calling Okta APIs internally if config.api_key is None: print('OKTA_API_KEY environment variable not found!') exit(1) # Authenticate with Okta auth_result = okta.auth_session() print("Authentication Success! Getting AWS Accounts") aws_results = self._get_aws_account_info(conf_dict['okta_org_url'], config.api_key, auth_result['username']) # Use the gimme_creds_lambda service else: if not conf_dict.get('client_id'): print( 'No OAuth Client ID in configuration. Try running --config again.' ) if not conf_dict.get('okta_auth_server'): print( 'No OAuth Authorization server in configuration. Try running --config again.' ) # Authenticate with Okta and get an OAuth access token okta.auth_oauth(conf_dict['client_id'], authorization_server=conf_dict['okta_auth_server'], access_token=True, id_token=False, scopes=['openid']) # Add Access Tokens to Okta-protected requests okta.use_oauth_access_token(True) print("Authentication Success! Calling Gimme-Creds Server...") aws_results = self._call_gimme_creds_server( okta, conf_dict['gimme_creds_server']) aws_app = self._get_selected_app(conf_dict.get('aws_appname'), aws_results) saml_data = okta.get_saml_response(aws_app['links']['appLink']) roles = self._enumerate_saml_roles(saml_data['SAMLResponse']) aws_role = self._get_selected_role(conf_dict.get('aws_rolename'), roles) aws_partition = self._get_partition_from_saml_acs( saml_data['TargetUrl']) for _, role in enumerate(roles): # Skip irrelevant roles if aws_role != 'all' and aws_role not in role.role: continue aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role) deriv_profname = re.sub('arn:aws:iam:.*/', '', role.role) # check if write_aws_creds is true if so # get the profile name and write out the file if str(conf_dict['write_aws_creds']) == 'True': # set the profile name # Note if there are multiple roles, and 'default' is # selected it will be overwritten multiple times and last role # wins. if conf_dict['cred_profile'].lower() == 'default': profile_name = 'default' elif conf_dict['cred_profile'].lower() == 'role': profile_name = deriv_profname else: profile_name = conf_dict['cred_profile'] # Write out the AWS Config file print('writing role {} to {}'.format(role.role, self.AWS_CONFIG)) self._write_aws_creds(profile_name, aws_creds['AccessKeyId'], aws_creds['SecretAccessKey'], aws_creds['SessionToken']) else: #Print out temporary AWS credentials. Credentials are printed to stderr to simplify #redirection for use in automated scripts print("export AWS_ACCESS_KEY_ID=" + aws_creds['AccessKeyId'], file=sys.stderr) print("export AWS_SECRET_ACCESS_KEY=" + aws_creds['SecretAccessKey'], file=sys.stderr) print("export AWS_SESSION_TOKEN=" + aws_creds['SessionToken'], file=sys.stderr) config.clean_up()