diff --git a/pyproject.toml b/pyproject.toml
index 9d131ff..d77300e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ exclude_lines = [
     "break",
     "except KeyboardInterrupt:",
     "if __name__ == .__main__.:",
-    "if __package__ is None:",
+    "if not __package__:",
     "logger.debug",
     "pragma: no cover",
     "print..Invalid input, try again...",
diff --git a/tokendito/__init__.py b/tokendito/__init__.py
index d8c54dd..16f12b0 100644
--- a/tokendito/__init__.py
+++ b/tokendito/__init__.py
@@ -1,7 +1,7 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.3.3"
+__version__ = "2.3.4"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"
diff --git a/tokendito/__main__.py b/tokendito/__main__.py
index 99bff00..1c7e7cd 100755
--- a/tokendito/__main__.py
+++ b/tokendito/__main__.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/aws.py b/tokendito/aws.py
index d7ada32..3f2fc83 100644
--- a/tokendito/aws.py
+++ b/tokendito/aws.py
@@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
         saml_xml = okta.extract_saml_response(saml_response_string)
         if not saml_xml:
             state_token = okta.extract_state_token(saml_response_string)
-            if "Extra Verification" in saml_response_string and state_token:
+            if state_token:
                 logger.info(f"Step-Up authentication required for {url}.")
                 if okta.step_up_authenticate(config, state_token):
                     return authenticate_to_roles(config, urls)
diff --git a/tokendito/okta.py b/tokendito/okta.py
index fd18f2c..ead588f 100644
--- a/tokendito/okta.py
+++ b/tokendito/okta.py
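Review bot: The `if not __package__:` guard in tokendito/__main__.py is the same code as the hunk in tokendito/tokendito.py, and this commit has to patch both; keeping that bootstrap in one helper imported by both entry points would stop the two copies drifting apart again. The new condition is broader than the old `is None` test (it also fires on an empty string), so a one-line comment stating the intent would help, e.g. `# __package__ is None or "" when run as a plain script; presumably the parent dir is then added to sys.path below`. The context line `"""Packge entry point."""` could be corrected to `"""Package entry point."""` while here. main() continues past the end of the hunk in both files.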
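Review bot: With the `"Extra Verification"` text check dropped, any non-SAML response that yields a state token now triggers step-up and, on success, the recursive `return authenticate_to_roles(config, urls)` with no bound; if the re-fetched page again lacks SAML XML but still carries a state token, this recurses until RecursionError instead of failing with a clear message. A retry budget keeps the new behaviour but makes the loop finite: `def authenticate_to_roles(config, urls, _step_up_attempts=1):` and `if _step_up_attempts > 0 and okta.step_up_authenticate(config, state_token): return authenticate_to_roles(config, urls, _step_up_attempts - 1)`. The state token is also a credential-like value; if the same masking helper this commit uses for `idx` in okta.py (`user.add_sensitive_value_to_be_masked`) is reachable here, registering `state_token` with it before the `logger.info` call would keep it out of debug output. authenticate_to_roles starts and ends outside the hunk.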
@@ -250,7 +250,6 @@ def send_saml_response(config, saml_response):
 
     # Get the 'sid' value from the reponse cookies.
     sid = response.cookies.get("sid", None)
-    logger.debug(f"New sid is {sid}")
 
     # If 'sid' is present, mask its value for logging purposes.
     if sid:
@@ -555,6 +554,12 @@ def authorize_request(oauth2_config, oauth2_session_data):
         params=payload,
     )
 
+    idx = HTTP_client.session.cookies.get("idx", None)
+    if idx:
+        user.add_sensitive_value_to_be_masked(idx)
+    else:
+        logger.debug("We did not find an 'idx' entry in the cookies.")
+
     authorize_code = get_authorize_code(response, session_token)
     return authorize_code
 
@@ -676,15 +681,16 @@ def idp_authenticate(config):
         logger.error("Okta auth failed: unknown type.")
         sys.exit(1)
 
-    if is_saml2_authentication(auth_properties):
-        # We may loop thru the saml2 servers until
-        # we find the authentication server.
-        saml2_authenticate(config, auth_properties)
-    elif local_authentication_enabled(auth_properties):
+    # Possible recursion ahead. The exit condition should be the first if statement.
+    if local_authentication_enabled(auth_properties):
         session_token = local_authenticate(config)  # authentication sends us a token
         # which we then put in our session cookies
         create_authn_cookies(config.okta["org"], session_token)
+    elif is_saml2_authentication(auth_properties):
+        # We may loop thru the saml2 servers until
+        # we find the authentication server.
+        saml2_authenticate(config, auth_properties)
     else:
         logger.error(
             f"{auth_properties['type']} login via IdP Discovery is not currently supported"
diff --git a/tokendito/tokendito.py b/tokendito/tokendito.py
index 85cc374..9b9d523 100755
--- a/tokendito/tokendito.py
+++ b/tokendito/tokendito.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/user.py b/tokendito/user.py
index 8172c38..40457d2 100644
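Review bot: The `idx` cookie is registered for masking only after the authorize request has returned, so any logging inside the request helper, or in an earlier step of the flow that already received the cookie (not visible here), would still carry the raw value; registering it where cookies are first received, or in the HTTP client wrapper after every response, would close that window. `HTTP_client.session.cookies` looks like a requests cookie jar, and `RequestsCookieJar.get()` raises `CookieConflictError` when more than one cookie with that name exists across domains or paths; if the jar can hold cookies from several Okta hosts, passing a `domain=` argument or catching that exception is safer than the bare lookup. The `None` default in `.get("idx", None)` is redundant. authorize_request starts outside the hunk.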
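Review bot: The new comment `# Possible recursion ahead. The exit condition should be the first if statement.` announces a recursion that nothing here bounds: presumably saml2_authenticate() calls back into idp_authenticate() for the next IdP, so a misconfigured or looping IdP chain would recurse until RecursionError instead of failing with a clear error. A hop counter threaded through the two calls (a `_depth` keyword with a small maximum that logs and exits once exceeded) would make the promised exit condition enforceable rather than a comment. The comment itself could also state the mechanism, e.g. `# saml2_authenticate() may re-enter idp_authenticate() for the next IdP; check local auth first so the chain terminates once the authenticating org is reached.`, if that is indeed how the recursion happens. idp_authenticate continues outside the hunk.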
--- a/tokendito/user.py
+++ b/tokendito/user.py
@@ -76,12 +76,7 @@ def cmd_interface(args):
 
     # get authentication and authorization cookies from okta
     okta.access_control(config)
-    logger.debug(
-        f"""
-        about to call discover_tile
-        we have client cookies: {HTTP_client.session.cookies}
-        """
-    )
+
     if config.okta["tile"]:
         tile_label = ""
         config.okta["tile"] = (config.okta["tile"], tile_label)