Fix: Step-up checks too narrow

dowjones · Dec 19, 2023 · e8c8017 · e8c8017
1 parent 47cf2be
commit e8c8017
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 14 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -7,7 +7,7 @@ exclude_lines = [
     "break",
     "except KeyboardInterrupt:",
     "if __name__ == .__main__.:",
-    "if __package__ is None:",
+    "if not __package__:",
     "logger.debug",
     "pragma: no cover",
     "print..Invalid input, try again...",

diff --git a/tokendito/__init__.py b/tokendito/__init__.py
@@ -1,7 +1,7 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.3.3"
+__version__ = "2.4.0"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"

diff --git a/tokendito/__main__.py b/tokendito/__main__.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))

diff --git a/tokendito/aws.py b/tokendito/aws.py
@@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
         saml_xml = okta.extract_saml_response(saml_response_string)
         if not saml_xml:
             state_token = okta.extract_state_token(saml_response_string)
-            if "Extra Verification" in saml_response_string and state_token:
+            if state_token:
                 logger.info(f"Step-Up authentication required for {url}.")
                 if okta.step_up_authenticate(config, state_token):
                     return authenticate_to_roles(config, urls)

diff --git a/tokendito/http_client.py b/tokendito/http_client.py
@@ -81,6 +81,7 @@ def get(self, url, params=None, headers=None, allow_redirects=True):
 
     def post(self, url, data=None, json=None, headers=None, params=None, return_json=False):
         """Perform a POST request."""
+        response = None
         logger.debug(f"POST to {url}")
         try:
             response = self.session.post(url, data=data, json=json, params=params, headers=headers)
@@ -95,6 +96,11 @@ def post(self, url, data=None, json=None, headers=None, params=None, return_json
                 return response
         except requests.RequestException as e:
             logger.error(f"Error during POST request to {url}. Error: {e}")
+            if response:
+                logger.debug(f"Response Headers: {response.headers}")
+                logger.debug(f"Response Text: {response.text}")
+            else:
+                logger.debug("No response received")
             sys.exit(1)
         except Exception as err:
             logger.error(f"The post request to {url} failed with {err}")

diff --git a/tokendito/okta.py b/tokendito/okta.py
@@ -129,9 +129,11 @@ def get_saml_request(auth_properties):
     response = HTTP_client.get(url, headers=headers)
 
     # Extract the required parameters from the SAML request.
+    post_url = extract_form_post_url(response.text)
+    base_url = user.get_base_url(post_url)
     saml_request = {
-        "base_url": user.get_base_url(extract_form_post_url(response.text)),
-        "post_url": extract_form_post_url(response.text),
+        "base_url": base_url,
+        "post_url": post_url,
         "relay_state": extract_saml_relaystate(response.text),
         "request": extract_saml_request(response.text, raw=True),
     }
@@ -263,7 +265,6 @@ def send_saml_response(config, saml_response):
 
     # Get the 'sid' value from the reponse cookies.
     sid = response.cookies.get("sid", None)
-    logger.debug(f"New sid is {sid}")
 
     # If 'sid' is present, mask its value for logging purposes.
     if sid:
@@ -564,6 +565,12 @@ def authorize_request(oauth2_config, oauth2_session_data):
         params=payload,
     )
 
+    idx = HTTP_client.session.cookies.get("idx", None)
+    if idx:
+        user.add_sensitive_value_to_be_masked(idx)
+    else:
+        logger.debug("We did not find an 'idx' entry in the cookies.")
+
     authorize_code = get_authorize_code(response, session_token)
     return authorize_code
 
@@ -699,6 +706,7 @@ def idp_authenticate(config):
         logger.error("Okta auth failed: unknown type.")
         sys.exit(1)
 
+    # Possible recursion ahead. The exit condition should be the first if statement.
     if local_authentication_enabled(auth_properties):
         session_token = local_authenticate(config)
         # authentication sends us a token

diff --git a/tokendito/tokendito.py b/tokendito/tokendito.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))

diff --git a/tokendito/user.py b/tokendito/user.py
@@ -79,12 +79,7 @@ def cmd_interface(args):
 
     # get authentication and authorization cookies from okta
     okta.access_control(config)
-    logger.debug(
-        f"""
-        about to call discover_tile
-        we have client cookies: {HTTP_client.session.cookies}
-        """
-    )
+
     if config.okta["tile"]:
         tile_label = ""
         config.okta["tile"] = (config.okta["tile"], tile_label)