
Showing content from https://github.com/segmentio/aws-okta/commit/18e92f729c9df35ed7671361acd27c79e24b402a below:

Persist device token cookie in keystore to prevent repeated MFA… · segmentio/aws-okta@18e92f7 · GitHub

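--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -74,9 +74,16 @@ type OktaCreds struct {
 	Domain string
 }
 
+type OktaCookies struct {
+	Session string
+	DeviceToken string
+}
+
 func (c *OktaCreds) Validate(mfaConfig MFAConfig) error {
 	// OktaClient assumes we're doing some AWS SAML calls, but Validate doesn't
-	o, err := NewOktaClient(*c, "", "", mfaConfig)
+	var cookies OktaCookies
+
+	o, err := NewOktaClient2(*c, "", cookies, mfaConfig)
 	if err != nil {
 		return err
 	}
@@ -101,6 +108,13 @@ func GetOktaDomain(region string) (string, error) {
 }
 
 func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string, mfaConfig MFAConfig) (*OktaClient, error) {
+	var cookies OktaCookies
+	cookies.Session = sessionCookie
+
+	return NewOktaClient2(creds, oktaAwsSAMLUrl, cookies, mfaConfig)
+}
+
+func NewOktaClient2(creds OktaCreds, oktaAwsSAMLUrl string, cookies OktaCookies, mfaConfig MFAConfig) (*OktaClient, error) {
 	var domain string
 
 	// maintain compatibility for deprecated creds.Organization
@@ -125,11 +139,19 @@ func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string,
 		return nil, err
 	}
 
-	if sessionCookie != "" {
+	if cookies.Session != "" {
 		jar.SetCookies(base, []*http.Cookie{
 			{
 				Name: "sid",
-				Value: sessionCookie,
+				Value: cookies.Session,
+			},
+		})
+	}
+	if cookies.DeviceToken != "" {
+		jar.SetCookies(base, []*http.Cookie{
+			{
+				Name: "DT",
+				Value: cookies.DeviceToken,
 			},
 		})
 	}
@@ -187,30 +209,41 @@ func (o *OktaClient) AuthenticateUser() error {
 	return nil
 }
 
+func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error) {
+	return o.AuthenticateProfileWithRegion(profileARN, duration, "")
+}
+
 func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error) {
+	creds, cookies, err := o.AuthenticateProfile3(profileARN, duration, region)
+
+	return creds, cookies.Session, err
+}
+
+func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Duration, region string) (sts.Credentials, OktaCookies, error) {
 
 	// Attempt to reuse session cookie
 	var assertion SAMLAssertion
+	var oc OktaCookies
 
 	err := o.Get("GET", o.OktaAwsSAMLUrl, nil, &assertion, "saml")
 	if err != nil {
 		log.Debug("Failed to reuse session token, starting flow from start")
 
 		if err := o.AuthenticateUser(); err != nil {
-			return sts.Credentials{}, "", err
+			return sts.Credentials{}, oc, err
 		}
 
 		// Step 3 : Get SAML Assertion and retrieve IAM Roles
 		log.Debug("Step: 3")
 		if err = o.Get("GET", o.OktaAwsSAMLUrl+"?onetimetoken="+o.UserAuth.SessionToken,
 			nil, &assertion, "saml"); err != nil {
-			return sts.Credentials{}, "", err
+			return sts.Credentials{}, oc, err
 		}
 	}
 
 	principal, role, err := GetRoleFromSAML(assertion.Resp, profileARN)
 	if err != nil {
-		return sts.Credentials{}, "", err
+		return sts.Credentials{}, oc, err
 	}
 
 	// Step 4 : Assume Role with SAML
@@ -239,22 +272,20 @@ func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration t
 	if err != nil {
 		log.WithField("role", role).Errorf(
 			"error assuming role with SAML: %s", err.Error())
-		return sts.Credentials{}, "", err
+		return sts.Credentials{}, oc, err
 	}
 
-	var sessionCookie string
 	cookies := o.CookieJar.Cookies(o.BaseURL)
 	for _, cookie := range cookies {
 		if cookie.Name == "sid" {
-			sessionCookie = cookie.Value
+			oc.Session = cookie.Value
+		}
+		if cookie.Name == "DT" {
+			oc.DeviceToken = cookie.Value
 		}
 	}
 
-	return *samlResp.Credentials, sessionCookie, nil
-}
-
-func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error) {
-	return o.AuthenticateProfileWithRegion(profileARN, duration, "")
+	return *samlResp.Credentials, oc, nil
 }
 
 func selectMFADeviceFromConfig(o *OktaClient) (*OktaUserAuthnFactor, error) {
@@ -464,7 +495,7 @@ func (o *OktaClient) challengeMFA() (err error) {
 
 	payload, err = o.preChallenge(oktaFactorId, oktaFactorType)
 
-	err = o.Get("POST", "api/v1/authn/factors/"+oktaFactorId+"/verify",
+	err = o.Get("POST", "api/v1/authn/factors/"+oktaFactorId+"/verify?rememberDevice=true",
 		payload, &o.UserAuth, "json",
 	)
 	if err != nil {
@@ -612,32 +643,47 @@ func (p *OktaProvider) Retrieve() (sts.Credentials, string, error) {
 		return sts.Credentials{}, "", errors.New("Failed to get okta credentials from your keyring. Please make sure you have added okta credentials with `aws-okta add`")
 	}
 
-	// Check for stored session cookie
-	var sessionCookie string
+	// Check for stored session and device token cookies
+	var cookies OktaCookies
 	cookieItem, err := p.Keyring.Get(p.OktaSessionCookieKey)
 	if err == nil {
-		sessionCookie = string(cookieItem.Data)
+		cookies.Session = string(cookieItem.Data)
+	}
+	cookieItem2, err := p.Keyring.Get("okta-device-token-cookie")
+	if err == nil {
+		cookies.DeviceToken = string(cookieItem2.Data)
 	}
 
-	oktaClient, err := NewOktaClient(oktaCreds, p.OktaAwsSAMLUrl, sessionCookie, p.MFAConfig)
+	oktaClient, err := NewOktaClient2(oktaCreds, p.OktaAwsSAMLUrl, cookies, p.MFAConfig)
 	if err != nil {
 		return sts.Credentials{}, "", err
 	}
 
-	creds, newSessionCookie, err := oktaClient.AuthenticateProfileWithRegion(p.ProfileARN, p.SessionDuration, p.AwsRegion)
+	creds, newCookies, err := oktaClient.AuthenticateProfile3(p.ProfileARN, p.SessionDuration, p.AwsRegion)
 	if err != nil {
 		return sts.Credentials{}, "", err
 	}
 
+	log.Debug("pOktaSessionCookieKey: ", p.OktaSessionCookieKey)
+
 	newCookieItem := keyring.Item{
 		Key: p.OktaSessionCookieKey,
-		Data: []byte(newSessionCookie),
+		Data: []byte(newCookies.Session),
 		Label: "okta session cookie",
 		KeychainNotTrustApplication: false,
 	}
 
 	p.Keyring.Set(newCookieItem)
 
+	newCookieItem2 := keyring.Item{
+		Key: "okta-device-token-cookie",
+		Data: []byte(newCookies.DeviceToken),
+		Label: "okta device token",
+		KeychainNotTrustApplication: false,
+	}
+
+	p.Keyring.Set(newCookieItem2)
+
 	return creds, oktaCreds.Username, err
 }
 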
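Review bot: The `?rememberDevice=true` query parameter in the challengeMFA hunk is hard-coded, so every MFA verification now asks Okta to remember the device and no profile can opt out; because the persisted device token is exactly what suppresses later MFA prompts, this belongs in MFAConfig as a documented option whose default keeps the previous behaviour. In the Retrieve hunk the token is then saved with `p.Keyring.Set(newCookieItem2)` and the returned error is discarded, as it already is for the session cookie above it, so a failed keyring write silently disables the feature; at minimum `if err := p.Keyring.Set(newCookieItem2); err != nil { log.Debug("failed to store device token: ", err) }`. The key `"okta-device-token-cookie"` is a duplicated string literal and, unlike `p.OktaSessionCookieKey`, is not scoped per profile, so NewOktaClient2 will set a token issued by one Okta domain on the jar for another if the user has profiles on different orgs; hoist it into a constant and consider keying it like the session cookie. Retrieve also writes `newCookies.DeviceToken` unconditionally, so an empty value overwrites any previously saved token rather than leaving it in place. challengeMFA and Retrieve both begin outside their hunks.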
