From e8c80176c237971acb7a1fca8d11c83da35c1e0c Mon Sep 17 00:00:00 2001
From: pcmxgti <16561338+pcmxgti@users.noreply.github.com>
Date: Thu, 7 Dec 2023 11:01:39 -0500
Subject: [PATCH] Fix: Step-up checks too narrow

---
 pyproject.toml | 2 +-
 tokendito/__init__.py | 2 +-
 tokendito/__main__.py | 2 +-
 tokendito/aws.py | 2 +-
 tokendito/http_client.py | 6 ++++++
 tokendito/okta.py | 14 +++++++++++---
 tokendito/tokendito.py | 2 +-
 tokendito/user.py | 7 +------
 8 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 9d131ffa..d77300ee 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ exclude_lines = [
 "break",
 "except KeyboardInterrupt:",
 "if __name__ == .__main__.:",
- "if __package__ is None:",
+ "if not __package__:",
 "logger.debug",
 "pragma: no cover",
 "print..Invalid input, try again...",
diff --git a/tokendito/__init__.py b/tokendito/__init__.py
index d8c54ddf..9b7f8b13 100644
--- a/tokendito/__init__.py
+++ b/tokendito/__init__.py
@@ -1,7 +1,7 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.3.3"
+__version__ = "2.4.0"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"
diff --git a/tokendito/__main__.py b/tokendito/__main__.py
index 99bff005..1c7e7cd9 100755
--- a/tokendito/__main__.py
+++ b/tokendito/__main__.py
@@ -7,7 +7,7 @@ def main(args=None): # needed for console script
 """Packge entry point."""
- if __package__ is None:
+ if not __package__:
 import os.path
 path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/aws.py b/tokendito/aws.py
index d7ada323..3f2fc833 100644
--- a/tokendito/aws.py
+++ b/tokendito/aws.py
@@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
 saml_xml = okta.extract_saml_response(saml_response_string)
 if not saml_xml:
 state_token = okta.extract_state_token(saml_response_string)
- if "Extra Verification" in saml_response_string and state_token:
+ if state_token:
 logger.info(f"Step-Up authentication required for {url}.")
 if okta.step_up_authenticate(config, state_token):
 return authenticate_to_roles(config, urls)
diff --git a/tokendito/http_client.py b/tokendito/http_client.py
index 872c5a6b..843a22ea 100644
--- a/tokendito/http_client.py
+++ b/tokendito/http_client.py
@@ -81,6 +81,7 @@ def get(self, url, params=None, headers=None, allow_redirects=True):
 def post(self, url, data=None, json=None, headers=None, params=None, return_json=False):
 """Perform a POST request."""
+ response = None
 logger.debug(f"POST to {url}")
 try:
 response = self.session.post(url, data=data, json=json, params=params, headers=headers)
@@ -95,6 +96,11 @@ def post(self, url, data=None, json=None, headers=None, params=None, return_json
 return response
 except requests.RequestException as e:
 logger.error(f"Error during POST request to {url}. Error: {e}")
+ if response:
+ logger.debug(f"Response Headers: {response.headers}")
+ logger.debug(f"Response Text: {response.text}")
+ else:
+ logger.debug("No response received")
 sys.exit(1)
 except Exception as err:
 logger.error(f"The post request to {url} failed with {err}")
diff --git a/tokendito/okta.py b/tokendito/okta.py
index 53448a3a..55e4b3a8 100644
--- a/tokendito/okta.py
+++ b/tokendito/okta.py
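Review bot: With the `"Extra Verification"` substring test dropped, every non-SAML response that carries a state token is now treated as a step-up prompt, and `return authenticate_to_roles(config, urls)` re-enters the function with no bound on depth; if `okta.step_up_authenticate` reports success but the next response again yields no SAML XML and another state token, this loops until `RecursionError`. Consider threading an attempt counter through the recursion, e.g. `def authenticate_to_roles(config, urls, _attempt=0):` with a small cap checked before the `step_up_authenticate` call and a logged `sys.exit(1)` once it is exceeded, so a step-up that never converges fails with a clear message instead of a traceback. The rest of `authenticate_to_roles`, including the path taken when `step_up_authenticate` returns falsy, lies outside this hunk.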
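Review bot: `if response:` in the new `except requests.RequestException` branch evaluates `Response.__bool__`, which is `Response.ok`, so for a response with a 4xx/5xx status (the case where an HTTPError would be raised, if the code does that further up) the headers and body are skipped and "No response received" is logged instead; the intended test is `if response is not None:`. Separately, `logger.debug(f"Response Headers: {response.headers}")` writes every header including any `Set-Cookie`, so session cookie values such as the `sid` and `idx` this same commit registers for masking in okta.py can reach the debug log from a failed request before they have been registered; prefer logging `response.status_code` plus a copy of the headers with `Set-Cookie` redacted, and cap the length of `response.text`. `post` begins in the previous hunk and continues past this one.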
@@ -129,9 +129,11 @@ def get_saml_request(auth_properties):
 response = HTTP_client.get(url, headers=headers)
 # Extract the required parameters from the SAML request.
+ post_url = extract_form_post_url(response.text)
+ base_url = user.get_base_url(post_url)
 saml_request = {
- "base_url": user.get_base_url(extract_form_post_url(response.text)),
- "post_url": extract_form_post_url(response.text),
+ "base_url": base_url,
+ "post_url": post_url,
 "relay_state": extract_saml_relaystate(response.text),
 "request": extract_saml_request(response.text, raw=True),
 }
@@ -263,7 +265,6 @@ def send_saml_response(config, saml_response):
 # Get the 'sid' value from the reponse cookies.
 sid = response.cookies.get("sid", None)
- logger.debug(f"New sid is {sid}")
 # If 'sid' is present, mask its value for logging purposes.
 if sid:
@@ -564,6 +565,12 @@ def authorize_request(oauth2_config, oauth2_session_data):
 params=payload,
 )
+ idx = HTTP_client.session.cookies.get("idx", None)
+ if idx:
+ user.add_sensitive_value_to_be_masked(idx)
+ else:
+ logger.debug("We did not find an 'idx' entry in the cookies.")
+
 authorize_code = get_authorize_code(response, session_token)
 return authorize_code
@@ -699,6 +706,7 @@ def idp_authenticate(config):
 logger.error("Okta auth failed: unknown type.")
 sys.exit(1)
+ # Possible recursion ahead. The exit condition should be the first if statement.
 if local_authentication_enabled(auth_properties):
 session_token = local_authenticate(config) # authentication sends us a token
diff --git a/tokendito/tokendito.py b/tokendito/tokendito.py
index 85cc3747..9b9d523a 100755
--- a/tokendito/tokendito.py
+++ b/tokendito/tokendito.py
@@ -7,7 +7,7 @@ def main(args=None): # needed for console script
 """Packge entry point."""
- if __package__ is None:
+ if not __package__:
 import os.path
 path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/user.py b/tokendito/user.py
index 7e14cc59..be88f39b 100644
--- a/tokendito/user.py
+++ b/tokendito/user.py
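Review bot: `HTTP_client.session.cookies.get("idx", None)` reads the shared session jar, and `RequestsCookieJar.get` raises `CookieConflictError` when more than one cookie of that name is present (same name on different domains or paths), which would turn this bookkeeping step into a crash mid-authorization; pass `domain=` for the Okta host if it is known at this point, or catch the conflict and log it. The value is also only registered for masking after the request above has returned, so anything logged while that request was in flight is not redacted; a short comment makes the window explicit, e.g. `# Register idx for masking now; only log output produced after this point is redacted.` `authorize_request` begins before this hunk.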
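Review bot: The added comment `# Possible recursion ahead. The exit condition should be the first if statement.` does not say which `if` is meant or whether it describes the code or requests a change, and the statement it precedes, `if local_authentication_enabled(auth_properties):`, is not itself an exit condition. If the guard intended is the unknown-type check that ends in `sys.exit(1)` just above, say so: `# idp_authenticate() may be re-entered from the branches below; keep the unknown-type check above (which exits) as the first test so the recursion terminates.` `idp_authenticate` starts and ends outside this hunk, so the recursive call itself is not visible here.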
@@ -79,12 +79,7 @@ def cmd_interface(args):
 # get authentication and authorization cookies from okta
 okta.access_control(config)
- logger.debug(
- f"""
- about to call discover_tile
- we have client cookies: {HTTP_client.session.cookies}
- """
- )
+
 if config.okta["tile"]:
 tile_label = ""
 config.okta["tile"] = (config.okta["tile"], tile_label)