Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to specify SAML response from local file #92

Merged
merged 1 commit into from
May 10, 2018
Merged

Allow to specify SAML response from local file #92

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions aws_adfs/authenticator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
from . import roles_assertion_extractor


def authenticate(config, username=None, password=None):
def authenticate(config, username=None, password=None, assertfile=None):

response, session = html_roles_fetcher.fetch_html_encoded_roles(
adfs_host=config.adfs_host,
Expand All @@ -24,7 +24,7 @@ def authenticate(config, username=None, password=None):

aggregated_principal_roles = None
if response.status_code == 200:
extract_strategy = _strategy(response, config, session)
extract_strategy = _strategy(response, config, session, assertfile)

principal_roles, assertion, aws_session_duration = extract_strategy()

Expand Down Expand Up @@ -95,7 +95,7 @@ def _aggregate_roles_by_account_alias(session,
return aggregated_accounts


def _strategy(response, config, session):
def _strategy(response, config, session, assertfile=None):

html_response = ET.fromstring(response.text, ET.HTMLParser())

Expand All @@ -113,8 +113,16 @@ def _symantec_vip_extractor():
def extract():
return symantec_vip_access.extract(html_response, config.ssl_verification, session)
return extract

def _file_extractor():
def extract():
return roles_assertion_extractor.extract_file(assertfile)
return extract

chosen_strategy = _plain_extractor
if assertfile is None:
chosen_strategy = _plain_extractor
else:
chosen_strategy = _file_extractor

if _is_duo_authentication(html_response):
chosen_strategy = _duo_extractor
Expand Down
8 changes: 7 additions & 1 deletion aws_adfs/login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,10 @@
help='Define the amount of seconds you want to establish your STS session, e.g. aws-adfs login --session-duration 3600',
type=int,
)
@click.option(
'--assertfile',
help='Use SAML assertion response from a local file'
)
def login(
profile,
region,
Expand All @@ -99,6 +103,7 @@ def login(
printenv,
role_arn,
session_duration,
assertfile
):
"""
Authenticates an user with active directory credentials
Expand All @@ -117,7 +122,7 @@ def login(
_verification_checks(config)

# Try re-authenticating using an existing ADFS session
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, assertfile=assertfile)

# If we fail to get an assertion, prompt for credentials and try again
if assertion is None:
Expand All @@ -136,6 +141,7 @@ def login(
del username
password = '########################################'
del password

if(role_arn is not None):
config.role_arn = role_arn
principal_arn, config.role_arn = role_chooser.choose_role_to_assume(config, principal_roles)
Expand Down
32 changes: 32 additions & 0 deletions aws_adfs/roles_assertion_extractor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import os
import base64
import click
import lxml.etree as ET
Expand Down Expand Up @@ -45,3 +46,34 @@ def extract(html):
aws_session_duration = int(element.text)

return principal_roles, assertion, aws_session_duration

def extract_file(file):
if not os.path.exists(file) or not os.path.isfile(file):
click.echo('SAML assertion file was not found or invalid: {}'.format(file), err=True)
exit(-1)

assertion = ''

with open(file, "r+") as f:
assertion = f.read()

# Parse the returned assertion and extract the authorized roles
saml = ET.fromstring(base64.b64decode(assertion))

# Find all roles offered by the assertion
raw_roles = saml.findall(
'.//{*}Attribute[@Name="https://aws.amazon.com/SAML/Attributes/Role"]/{*}AttributeValue'
)
aws_roles = [element.text.split(',') for element in raw_roles]

# Note the format of the attribute value is provider_arn, role_arn
principal_roles = [role for role in aws_roles if ':saml-provider/' in role[0]]

aws_session_duration = default_session_duration
# Retrieve session duration
for element in saml.findall(
'.//{*}Attribute[@Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"]/{*}AttributeValue'
):
aws_session_duration = int(element.text)

return principal_roles, assertion, aws_session_duration