Fix: Step-up checks too narrow
pcmxgti committed Dec 7, 2023
1 parent f39ce92 commit 099cf04
Showing 7 changed files with 18 additions and 17 deletions.
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -7,7 +7,7 @@ exclude_lines = [
"break",
"except KeyboardInterrupt:",
"if __name__ == .__main__.:",
"if __package__ is None:",
"if not __package__:",
"logger.debug",
"pragma: no cover",
"print..Invalid input, try again...",
2 changes: 1 addition & 1 deletion tokendito/__init__.py
@@ -1,7 +1,7 @@
# vim: set filetype=python ts=4 sw=4
# -*- coding: utf-8 -*-
"""Tokendito module initialization."""
__version__ = "2.3.3"
__version__ = "2.3.4"
__title__ = "tokendito"
__description__ = "Get AWS STS tokens from Okta SSO"
__long_description_content_type__ = "text/markdown"
2 changes: 1 addition & 1 deletion tokendito/__main__.py
Expand Up @@ -7,7 +7,7 @@

def main(args=None): # needed for console script
"""Packge entry point."""
if __package__ is None:
if not __package__:
import os.path

path = os.path.dirname(os.path.dirname(__file__))
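Review bot: The docstring on `main` in the context lines still reads `"""Packge entry point."""`, and the identical hunk in tokendito/tokendito.py carries the same typo; since both files now share the same `if not __package__:` guard, correcting both to `"""Package entry point."""` keeps them in step. The new condition also treats an empty-string `__package__` like `None`, which the old `is None` test did not; a one-line comment recording that, e.g. `# also covers __package__ == "" (not just None) so the sys.path fix-up runs`, would explain why `not` replaced `is None` to the next reader. The body of `main` continues outside the hunk.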
2 changes: 1 addition & 1 deletion tokendito/aws.py
Expand Up @@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
saml_xml = okta.extract_saml_response(saml_response_string)
if not saml_xml:
state_token = okta.extract_state_token(saml_response_string)
if "Extra Verification" in saml_response_string and state_token:
if state_token:
logger.info(f"Step-Up authentication required for {url}.")
if okta.step_up_authenticate(config, state_token):
return authenticate_to_roles(config, urls)
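Review bot: With the `"Extra Verification"` text check dropped, `if state_token:` now triggers step-up for any response that carries a state token, and a successful `step_up_authenticate` immediately recurses into `authenticate_to_roles` with no bound; if the IdP keeps answering with a state token and no SAML assertion, this recurses until Python's recursion limit rather than failing with a clear error. A small attempt counter keeps the broadened check safe: `def authenticate_to_roles(config, urls, _attempt=0):`, then `if state_token and _attempt < 3:` in place of the new condition, and `return authenticate_to_roles(config, urls, _attempt + 1)` for the recursive call, logging and exiting when the limit is reached. The limit value is a constructed example; the function starts and ends outside the hunk, so the non-step-up path is not visible here.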
18 changes: 12 additions & 6 deletions tokendito/okta.py
Expand Up @@ -250,7 +250,6 @@ def send_saml_response(config, saml_response):

# Get the 'sid' value from the reponse cookies.
sid = response.cookies.get("sid", None)
logger.debug(f"New sid is {sid}")

# If 'sid' is present, mask its value for logging purposes.
if sid:
Expand Down Expand Up @@ -555,6 +554,12 @@ def authorize_request(oauth2_config, oauth2_session_data):
params=payload,
)

idx = HTTP_client.session.cookies.get("idx", None)
if idx:
user.add_sensitive_value_to_be_masked(idx)
else:
logger.debug("We did not find an 'idx' entry in the cookies.")

authorize_code = get_authorize_code(response, session_token)
return authorize_code

Expand Down Expand Up @@ -676,15 +681,16 @@ def idp_authenticate(config):
logger.error("Okta auth failed: unknown type.")
sys.exit(1)

if is_saml2_authentication(auth_properties):
# We may loop thru the saml2 servers until
# we find the authentication server.
saml2_authenticate(config, auth_properties)
elif local_authentication_enabled(auth_properties):
# Possible recursion ahead. The exit condition should be the first if statement.
if local_authentication_enabled(auth_properties):
session_token = local_authenticate(config)
# authentication sends us a token
# which we then put in our session cookies
create_authn_cookies(config.okta["org"], session_token)
elif is_saml2_authentication(auth_properties):
# We may loop thru the saml2 servers until
# we find the authentication server.
saml2_authenticate(config, auth_properties)
else:
logger.error(
f"{auth_properties['type']} login via IdP Discovery is not currently supported"
2 changes: 1 addition & 1 deletion tokendito/tokendito.py
Expand Up @@ -7,7 +7,7 @@

def main(args=None): # needed for console script
"""Packge entry point."""
if __package__ is None:
if not __package__:
import os.path

path = os.path.dirname(os.path.dirname(__file__))
7 changes: 1 addition & 6 deletions tokendito/user.py
Expand Up @@ -76,12 +76,7 @@ def cmd_interface(args):

# get authentication and authorization cookies from okta
okta.access_control(config)
logger.debug(
f"""
about to call discover_tile
we have client cookies: {HTTP_client.session.cookies}
"""
)

if config.okta["tile"]:
tile_label = ""
config.okta["tile"] = (config.okta["tile"], tile_label)
