From 099cf04f9bf9e1e57af5a62707356907443842a3 Mon Sep 17 00:00:00 2001 From: pcmxgti <16561338+pcmxgti@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:01:39 -0500 Subject: [PATCH] Fix: Step-up checks too narrow --- pyproject.toml | 2 +- tokendito/__init__.py | 2 +- tokendito/__main__.py | 2 +- tokendito/aws.py | 2 +- tokendito/okta.py | 18 ++++++++++++------ tokendito/tokendito.py | 2 +- tokendito/user.py | 7 +------ 7 files changed, 18 insertions(+), 17 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 9d131ffa..d77300ee 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -7,7 +7,7 @@ exclude_lines = [ "break", "except KeyboardInterrupt:", "if __name__ == .__main__.:", - "if __package__ is None:", + "if not __package__:", "logger.debug", "pragma: no cover", "print..Invalid input, try again...", diff --git a/tokendito/__init__.py b/tokendito/__init__.py index d8c54ddf..16f12b07 100644 --- a/tokendito/__init__.py +++ b/tokendito/__init__.py @@ -1,7 +1,7 @@ # vim: set filetype=python ts=4 sw=4 # -*- coding: utf-8 -*- """Tokendito module initialization.""" -__version__ = "2.3.3" +__version__ = "2.3.4" __title__ = "tokendito" __description__ = "Get AWS STS tokens from Okta SSO" __long_description_content_type__ = "text/markdown" diff --git a/tokendito/__main__.py b/tokendito/__main__.py index 99bff005..1c7e7cd9 100755 --- a/tokendito/__main__.py +++ b/tokendito/__main__.py @@ -7,7 +7,7 @@ def main(args=None): # needed for console script """Packge entry point.""" - if __package__ is None: + if not __package__: import os.path path = os.path.dirname(os.path.dirname(__file__)) diff --git a/tokendito/aws.py b/tokendito/aws.py index d7ada323..3f2fc833 100644 --- a/tokendito/aws.py +++ b/tokendito/aws.py @@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls): saml_xml = okta.extract_saml_response(saml_response_string) if not saml_xml: state_token = okta.extract_state_token(saml_response_string) - if "Extra Verification" in saml_response_string and state_token: + if state_token: logger.info(f"Step-Up authentication required for {url}.") if okta.step_up_authenticate(config, state_token): return authenticate_to_roles(config, urls) diff --git a/tokendito/okta.py b/tokendito/okta.py index fd18f2c3..ead588f5 100644 --- a/tokendito/okta.py +++ b/tokendito/okta.py @@ -250,7 +250,6 @@ def send_saml_response(config, saml_response): # Get the 'sid' value from the reponse cookies. sid = response.cookies.get("sid", None) - logger.debug(f"New sid is {sid}") # If 'sid' is present, mask its value for logging purposes. if sid: @@ -555,6 +554,12 @@ def authorize_request(oauth2_config, oauth2_session_data): params=payload, ) + idx = HTTP_client.session.cookies.get("idx", None) + if idx: + user.add_sensitive_value_to_be_masked(idx) + else: + logger.debug("We did not find an 'idx' entry in the cookies.") + authorize_code = get_authorize_code(response, session_token) return authorize_code @@ -676,15 +681,16 @@ def idp_authenticate(config): logger.error("Okta auth failed: unknown type.") sys.exit(1) - if is_saml2_authentication(auth_properties): - # We may loop thru the saml2 servers until - # we find the authentication server. - saml2_authenticate(config, auth_properties) - elif local_authentication_enabled(auth_properties): + # Possible recursion ahead. The exit condition should be the first if statement. + if local_authentication_enabled(auth_properties): session_token = local_authenticate(config) # authentication sends us a token # which we then put in our session cookies create_authn_cookies(config.okta["org"], session_token) + elif is_saml2_authentication(auth_properties): + # We may loop thru the saml2 servers until + # we find the authentication server. + saml2_authenticate(config, auth_properties) else: logger.error( f"{auth_properties['type']} login via IdP Discovery is not currently supported" diff --git a/tokendito/tokendito.py b/tokendito/tokendito.py index 85cc3747..9b9d523a 100755 --- a/tokendito/tokendito.py +++ b/tokendito/tokendito.py @@ -7,7 +7,7 @@ def main(args=None): # needed for console script """Packge entry point.""" - if __package__ is None: + if not __package__: import os.path path = os.path.dirname(os.path.dirname(__file__)) diff --git a/tokendito/user.py b/tokendito/user.py index 8172c381..40457d24 100644 --- a/tokendito/user.py +++ b/tokendito/user.py @@ -76,12 +76,7 @@ def cmd_interface(args): # get authentication and authorization cookies from okta okta.access_control(config) - logger.debug( - f""" - about to call discover_tile - we have client cookies: {HTTP_client.session.cookies} - """ - ) + if config.okta["tile"]: tile_label = "" config.okta["tile"] = (config.okta["tile"], tile_label)