From 5af2b9ee5a7ac72195000d5f2f6d24b57b69490b Mon Sep 17 00:00:00 2001 From: Jason DINKEL Date: Thu, 29 Nov 2018 09:51:05 +0100 Subject: [PATCH 001/296] Fixing a typo --- choco/VERIFICATION.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/choco/VERIFICATION.txt b/choco/VERIFICATION.txt index 02109c0a6..0b4e283e8 100644 --- a/choco/VERIFICATION.txt +++ b/choco/VERIFICATION.txt @@ -2,7 +2,7 @@ VERIFICATION Verification is intended to assist the Chocolatey moderators and community in verifying that this package's contents are trustworthy. -The installer has been automatically built from source whch can be found on +The installer has been automatically built from source which can be found on and can be verified like this: 1. Download the release version from @@ -11,4 +11,4 @@ and can be verified like this: - Use chocolatey utility 'checksum.exe' Compare the checksums there with the checksum of the local binary in C:\ProgramData\Chocolatey\lib\saml2aws\src\saml2aws.exe -File 'LICENSE.txt' is obtained from . \ No newline at end of file +File 'LICENSE.txt' is obtained from . From c0449d8d9045cd805d7dedceb2596cda097562c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Aug 2021 05:30:58 +0000 Subject: [PATCH 002/296] Bump github.com/google/uuid from 1.2.0 to 1.3.0 Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/google/uuid/releases) - [Commits](https://github.com/google/uuid/compare/v1.2.0...v1.3.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 5 ++--- go.sum | 11 ++++------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index ce3e397e5..f210e9fba 100644 --- a/go.mod +++ b/go.mod 
@@ -16,16 +16,15 @@ require ( github.com/danieljoos/wincred v1.1.0 github.com/dvsekhvalnov/jose2go v1.5.0 // indirect github.com/godbus/dbus v4.1.0+incompatible // indirect - github.com/google/uuid v1.2.0 + github.com/google/uuid v1.3.0 github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d github.com/kr/text v0.2.0 // indirect - github.com/magefile/mage v1.11.0 // indirect github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105 github.com/mattn/go-colorable v0.1.8 // indirect github.com/mitchellh/go-homedir v1.1.0 github.com/mxschmitt/playwright-go v0.1100.0 github.com/pkg/errors v0.9.1 - github.com/sirupsen/logrus v1.7.1 + github.com/sirupsen/logrus v1.8.1 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/smartystreets/assertions v1.0.0 // indirect github.com/smartystreets/goconvey v1.6.4 // indirect diff --git a/go.sum b/go.sum index 0cffc246b..28e05cb80 100644 --- a/go.sum +++ b/go.sum @@ -72,8 +72,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= -github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= 
@@ -112,9 +112,6 @@ github.com/kr/pty v1.1.4/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/magefile/mage v1.10.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= -github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls= -github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105 h1:Si3VAYdC1ZtA58UsDXxlkbpF5EMWxoCJP9gn1cYQ+vc= github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105/go.mod h1:VyqGj5jbZtzHO11cS7rkDh/owr/rNCEM98IhQwWvmXg= 
@@ -158,8 +155,8 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.7.1 h1:rsizeFmZP+GYwyb4V6t6qpG7ZNWzA2bvgW/yC2xHCcg= -github.com/sirupsen/logrus v1.7.1/go.mod h1:4GuYW9TZmE769R5STWrRakJc4UqQ3+QQ95fyz7ENv1A= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= From 531a2551fda4f91c75f11f1771d84d976c603a7d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Aug 2021 05:31:28 +0000 Subject: [PATCH 003/296] Bump github.com/beevik/etree from 1.0.1 to 1.1.0 Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/beevik/etree/releases) - [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md) - [Commits](https://github.com/beevik/etree/compare/v1.0.1...v1.1.0) --- updated-dependencies: - dependency-name: github.com/beevik/etree dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fde88b987..311b87b7e 100644 --- a/go.mod +++ b/go.mod 
@@ -12,7 +12,7 @@ require ( github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect github.com/avast/retry-go v2.6.0+incompatible github.com/aws/aws-sdk-go v1.40.9 - github.com/beevik/etree v1.0.1 + github.com/beevik/etree v1.1.0 github.com/danieljoos/wincred v1.1.0 github.com/dvsekhvalnov/jose2go v1.5.0 // indirect github.com/godbus/dbus v4.1.0+incompatible // indirect diff --git a/go.sum b/go.sum index 757a69e8e..7a920d445 100644 --- a/go.sum +++ b/go.sum @@ -28,8 +28,8 @@ github.com/aws/aws-sdk-go v1.40.9 h1:pMq7LecsVESBgCfYrJFy/MELrOXbM0QmCr5I3wh6tLQ github.com/aws/aws-sdk-go v1.40.9/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/bearsh/hid v1.3.0 h1:GLNa8hvEzJxzQEEpheDUr2SivvH7iwTrJrDhFKutfX8= github.com/bearsh/hid v1.3.0/go.mod h1:KbQByg8WfPr92v7aaKAHTtZUEVG7e2XRpcF8+TopQv8= -github.com/beevik/etree v1.0.1 h1:lWzdj5v/Pj1X360EV7bUudox5SRipy4qZLjY0rhb0ck= -github.com/beevik/etree v1.0.1/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= +github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= +github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= From 113240196a98fb944fa173a5cce0d753c6f4a646 Mon Sep 17 00:00:00 2001 From: Piotr Kowalski Date: Mon, 6 Sep 2021 10:56:04 +0200 Subject: [PATCH 004/296] Find tokens by regex --- aws_role.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/aws_role.go b/aws_role.go index c843f9b8f..60ff2246b 100644 --- a/aws_role.go +++ b/aws_role.go @@ -2,6 +2,7 @@ package saml2aws import ( "fmt" + "regexp" "strings" ) 
@@ -29,7 +30,8 @@ func ParseAWSRoles(roles []string) ([]*AWSRole, error) { } func parseRole(role string) (*AWSRole, error) { - tokens := strings.Split(role, ",") + r, _ := regexp.Compile("arn:([^:\n]*):([^:\n]*):([^:\n]*):([^:\n]*):(([^:/\n]*)[:/])?([^:,\n]*)") + tokens := r.FindAllString(role, -1) if len(tokens) != 2 { return nil, fmt.Errorf("Invalid role string only %d tokens", len(tokens)) From 7b6c68ea2d7a551e88e3d6b4e844987946d2bca2 Mon Sep 17 00:00:00 2001 From: Randy Stauner Date: Tue, 19 Oct 2021 07:49:10 -0700 Subject: [PATCH 005/296] Execute command directly without sh -c When the args are concatenated there is a loss of fidelity: arguments with spaces will be split and any special characters will be evaluated by the shell. If we simply execute the provided command it will propagate correctly and it can always be wrapped in a shell on the command line if that behavior is desired. fixes #236 --- pkg/shell/shell.go | 10 ++++------ pkg/shell/shell_test.go | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/pkg/shell/shell.go b/pkg/shell/shell.go index 1a2e158a1..6853a0675 100644 --- a/pkg/shell/shell.go +++ b/pkg/shell/shell.go @@ -5,20 +5,18 @@ package shell import ( "os" "os/exec" - "strings" ) // ExecShellCmd exec shell command using the default shell func ExecShellCmd(cmdline []string, envVars []string) error { + return prepCmd(cmdline, envVars).Run() +} - c := strings.Join(cmdline, " ") - - cs := []string{"/bin/sh", "-c", c} +func prepCmd(cs []string, envVars []string) *exec.Cmd { cmd := exec.Command(cs[0], cs[1:]...) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr cmd.Env = append(os.Environ(), envVars...) - - return cmd.Run() + return cmd } diff --git a/pkg/shell/shell_test.go b/pkg/shell/shell_test.go index 096035fcf..5217f02dc 100644 --- a/pkg/shell/shell_test.go +++ b/pkg/shell/shell_test.go @@ -3,6 +3,7 @@ package shell import ( + "strings" "testing" "github.com/stretchr/testify/assert" 
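Review bot: The error from `regexp.Compile` on the new `r, _ :=` line is discarded, and a constant pattern is recompiled on every call to parseRole. Hoist it to package scope as `var roleARNPattern = regexp.MustCompile("arn:([^:\n]*):([^:\n]*):([^:\n]*):([^:\n]*):(([^:/\n]*)[:/])?([^:,\n]*)")` and call `roleARNPattern.FindAllString(role, -1)`, so a malformed pattern fails at init instead of leaving a nil matcher to dereference. Note that `FindAllString` is unanchored: any two ARN-like substrings now pass the `len(tokens) != 2` check no matter what separates them, whereas the old `strings.Split(role, ",")` required exactly one comma, so if callers depend on the comma-separated shape that separator check should be kept. The remainder of parseRole is outside the hunk.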
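Review bot: `prepCmd` indexes `cs[0]` unconditionally, so an empty `cmdline` now panics with an index-out-of-range where the old `/bin/sh -c ""` form merely ran an empty command; guard in ExecShellCmd before delegating, `if len(cmdline) == 0 { return errors.New("shell: empty command") }` (adds an `errors` import). Dropping `sh -c` is the right call, since the joined string was interpreted by the shell and any argument carrying metacharacters was effectively injectable, but the context line `// ExecShellCmd exec shell command using the default shell` now contradicts the code. Replace it with `// ExecShellCmd runs cmdline[0] directly with cmdline[1:] as its arguments; no shell is involved, so callers that want expansion must pass sh -c themselves.`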
@@ -15,3 +16,27 @@ func TestExecShellCmd(t *testing.T) { assert.Nil(t, err) } + +func TestPrepCmd(t *testing.T) { + + cmd := prepCmd([]string{"echo", "some$TESTTEST", "one two"}, []string{"TESTTEST=123"}) + + var out strings.Builder + cmd.Stdout = &out + err := cmd.Run() + assert.Nil(t, err) + + assert.Equal(t, "some$TESTTEST one two\n", out.String(), "no eval, spaces preserved") +} + +func TestPrepCmdShell(t *testing.T) { + cmd := prepCmd([]string{"sh", "-c", "echo some$TESTTEST one two"}, []string{"TESTTEST=123"}) + + var out strings.Builder + cmd.Stdout = &out + err := cmd.Run() + assert.Nil(t, err) + + assert.Equal(t, "some123 one two\n", out.String(), "var evaled, spaces squashed") + +} From 7a769f53b13200bf01542794ea6ffeec98be11be Mon Sep 17 00:00:00 2001 From: Pedro Goncalves Date: Sat, 20 Nov 2021 10:44:27 +0100 Subject: [PATCH 006/296] Okta MFA - Present name of MFA. Prompt when multiple of same type are found --- pkg/provider/okta/okta.go | 40 +++++++++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index 042f029c6..dd6f28eae 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go 
@@ -598,10 +598,13 @@ func getStateTokenFromOktaPageBody(responseBody string) (string, error) { return strings.Replace(match[1], `\x2D`, "-", -1), nil } -func parseMfaIdentifer(json string, arrayPosition int) string { +func parseMfaIdentifer(json string, arrayPosition int) (string, string){ mfaProvider := gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.provider", arrayPosition)).String() factorType := strings.ToUpper(gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.factorType", arrayPosition)).String()) - return fmt.Sprintf("%s %s", mfaProvider, factorType) + // Okta gives names to some authentication methods + // displaying this name is useful when there's multiple auths of the same type. e.g. multiple FIDO options + authName := gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.profile.authenticatorName", arrayPosition)).String() + return fmt.Sprintf("%s %s", mfaProvider, factorType), fmt.Sprintf("%s", authName) } func (oc *Client) handleFormRedirect(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) { @@ -665,7 +668,7 @@ func getMfaChallengeContext(oc *Client, mfaOption int, resp string) (*mfaChallen stateToken := gjson.Get(resp, "stateToken").String() factorID := gjson.Get(resp, fmt.Sprintf("_embedded.factors.%d.id", mfaOption)).String() oktaVerify := gjson.Get(resp, fmt.Sprintf("_embedded.factors.%d._links.verify.href", mfaOption)).String() - mfaIdentifer := parseMfaIdentifer(resp, mfaOption) + mfaIdentifer, _ := parseMfaIdentifer(resp, mfaOption) logger.WithField("factorID", factorID).WithField("oktaVerify", oktaVerify).WithField("mfaIdentifer", mfaIdentifer).Debug("MFA") 
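Review bot: `fmt.Sprintf("%s", authName)` in the new return statement is a no-op formatting of a string; return `authName` directly (staticcheck S1025 flags this), and the signature `(string, string){` is missing the gofmt space before the brace. A doc comment saying what each result is would help callers who, as in the next hunk, discard the second value: `// parseMfaIdentifer returns the "PROVIDER FACTORTYPE" identifier for the factor at arrayPosition, plus its optional profile.authenticatorName (empty when Okta supplies none).`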
@@ -725,16 +728,41 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails, mfaOption := 0 var mfaOptions []string for i := range gjson.Get(resp, "_embedded.factors").Array() { - identifier := parseMfaIdentifer(resp, i) + identifier, authName := parseMfaIdentifer(resp, i) if val, ok := supportedMfaOptions[identifier]; ok { - mfaOptions = append(mfaOptions, val) + // If the authentication method as a name, we add it to the MFA option. + // This makes it possible to identify which method to choose + if len(authName) > 0 { + mfaOptions = append(mfaOptions, val + " - " + authName) + } else { + mfaOptions = append(mfaOptions, val) + } + } else { mfaOptions = append(mfaOptions, "UNSUPPORTED: "+identifier) } } if strings.ToUpper(oc.mfa) != "AUTO" { - mfaOption = findMfaOption(oc.mfa, mfaOptions, 0) + var mfaOptionsMatches []string + // Collect all options that match the chosen MFA + // It will be more than 1 when there's multiple MFA of the same type configured - e.g.: multiple FIDO methods + for _, option := range mfaOptions { + if strings.HasPrefix(strings.ToUpper(option), oc.mfa) { + mfaOptionsMatches = append(mfaOptionsMatches, option) + } + } + // If multiple MFA of the same type are found, we prompt the user to pick which one to use + if len(mfaOptionsMatches) > 1 { + matchOptionIndex := prompter.Choose(fmt.Sprintf("Multiple %s MFA options found. Select which MFA option to use", oc.mfa), mfaOptionsMatches) + for i := range mfaOptions { + if mfaOptions[i] == mfaOptionsMatches[matchOptionIndex] { + mfaOption = i + } + } + } else { + mfaOption = findMfaOption(oc.mfa, mfaOptions, 0) + } } else if len(mfaOptions) > 1 { mfaOption = prompter.Choose("Select which MFA option to use", mfaOptions) } From e3b54259c3ffc0edfff2f6ad0d0bcb7c8d88d8b6 Mon Sep 17 00:00:00 2001 
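Review bot: The prefix test `strings.HasPrefix(strings.ToUpper(option), oc.mfa)` upper-cases the option but not `oc.mfa`, while the enclosing check normalises `oc.mfa` with `strings.ToUpper` before comparing to "AUTO"; a lower-case `--mfa` value therefore never collects any matches and silently falls back to `findMfaOption`. Use `strings.HasPrefix(strings.ToUpper(option), strings.ToUpper(oc.mfa))`. Prefix matching also means a configured value that happens to be a prefix of another supported option's display name is treated as that option; if the names in `supportedMfaOptions` can share prefixes, compare the part before `" - "` exactly instead. verifyMfa continues beyond the hunk.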
From: Nick Vollmar Date: Tue, 22 Feb 2022 15:36:32 -0600 Subject: [PATCH 007/296] feat(googleapps): add support for 'extra number' in device push challenges --- pkg/provider/googleapps/googleapps.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkg/provider/googleapps/googleapps.go b/pkg/provider/googleapps/googleapps.go index e2ad9e1c7..a2f50ec2f 100644 --- a/pkg/provider/googleapps/googleapps.go +++ b/pkg/provider/googleapps/googleapps.go @@ -440,7 +440,17 @@ func (kc *Client) loadChallengePage(submitURL string, referer string, authForm u return kc.loadResponsePage(secondActionURL, submitURL, responseForm) case strings.Contains(secondActionURL, "challenge/dp/"): // handle device push challenge - log.Print("Check your phone - after you have confirmed response press ENTER to continue.") + var extraNumber string + doc.Find("div[jsname=feLNVc]").Each(func(_ int, s *goquery.Selection) { + extraNumber = s.Text() + }) + if extraNumber == "" { + log.Print("Check your phone and tap 'Yes' on the prompt. Then press ENTER to continue.") + } else { + log.Println("Check your phone and tap 'Yes' on the prompt, then tap the number:") + log.Printf("\t%v\n", extraNumber) + log.Println("Then press ENTER to continue.") + } _, err := bufio.NewReader(os.Stdin).ReadBytes('\n') if err != nil { return nil, errors.Wrap(err, "error reading new line \\n") From 7e37817642748a7cb4eaf4721f02ddac141ad28f Mon Sep 17 00:00:00 2001 From: Rodolfo Matos Date: Fri, 25 Feb 2022 14:59:19 +0100 Subject: [PATCH 008/296] onelogin: use the /api/2/saml_assertion API Replaces the use of the /api/1/saml_assertion with its successor. OneLogin has communicated that the /api/1/saml_assertion has been deprecated and should have been removed in Feb 2021. https://developers.onelogin.com/api-docs/1/saml-assertions/generate-saml-assertion --- pkg/provider/onelogin/onelogin.go | 56 ++++++++++++++----------------- 1 file changed, 25 insertions(+), 31 deletions(-) 
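Review bot: `extraNumber = s.Text()` takes the untrimmed text of the last matching `div[jsname=feLNVc]` node, so the digits printed on the `\t%v` line may carry stray whitespace from the page and the `== ""` test does not treat a whitespace-only node as absent. Collapse the loop to `extraNumber = strings.TrimSpace(doc.Find("div[jsname=feLNVc]").First().Text())` (`strings` is already used in this function). The `jsname` value is an opaque Google identifier that can change without notice, so a comment such as `// jsname=feLNVc is where Google renders the number-matching digits; brittle, re-check when the challenge page changes` would tell the next maintainer why the selector exists. loadChallengePage starts and ends outside the hunk.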
diff --git a/pkg/provider/onelogin/onelogin.go b/pkg/provider/onelogin/onelogin.go index 291fd9217..9a2ece804 100644 --- a/pkg/provider/onelogin/onelogin.go +++ b/pkg/provider/onelogin/onelogin.go @@ -29,8 +29,7 @@ const ( MessageMFARequired = "MFA is required for this user" MessageSuccess = "Success" - TypePending = "pending" - TypeSuccess = "success" + MessagePending = "Authentication pending" ) // ProviderName constant holds the name of the OneLogin IDP. @@ -113,7 +112,7 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) return "", errors.Wrap(err, "error encoding authreq") } - authSubmitURL := fmt.Sprintf("https://%s/api/1/saml_assertion", host) + authSubmitURL := fmt.Sprintf("https://%s/api/2/saml_assertion", host) req, err := http.NewRequest("POST", authSubmitURL, &authBody) if err != nil { @@ -125,7 +124,7 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) logger.Debug("Requesting SAML Assertion") - // request the SAML assertion. For more details check https://developers.onelogin.com/api-docs/1/saml-assertions/generate-saml-assertion + // request the SAML assertion. For more details check https://developers.onelogin.com/api-docs/2/saml-assertions/generate-saml-assertion res, err := c.Client.Do(req) if err != nil { return "", errors.Wrap(err, "error retrieving auth response") 
@@ -142,11 +141,9 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) logger.Debug("SAML Assertion response code:", res.StatusCode) logger.Debug("SAML Assertion response body:", resp) - authError := gjson.Get(resp, "status.error").Bool() - authMessage := gjson.Get(resp, "status.message").String() - authType := gjson.Get(resp, "status.type").String() - if authError || authType != TypeSuccess { - return "", errors.New(authMessage) + authMessage := gjson.Get(resp, "message").String() + if res.StatusCode != 200 { + return "", fmt.Errorf("HTTP %v: %s", res.StatusCode, authMessage) } authData := gjson.Get(resp, "data") @@ -159,9 +156,6 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) } samlAssertion = authData.String() case MessageMFARequired: - if !authData.IsArray() { - return "", errors.New("invalid MFA data returned") - } logger.Debug("Verifying MFA") samlAssertion, err = verifyMFA(c, oauthToken, c.AppID, resp) if err != nil { @@ -209,15 +203,15 @@ func addContentHeaders(r *http.Request) { } // verifyMFA is used to either prompt to user for one time password or request approval using push notification. -// For more details check https://developers.onelogin.com/api-docs/1/saml-assertions/verify-factor +// For more details check https://developers.onelogin.com/api-docs/2/saml-assertions/verify-factor func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { - stateToken := gjson.Get(resp, "data.0.state_token").String() + stateToken := gjson.Get(resp, "state_token").String() // choose an mfa option if there are multiple enabled var option int var mfaOptions []string var preselected bool mfaOptionsCounter := make(map[string]int) - for n, id := range gjson.Get(resp, "data.0.devices.#.device_type").Array() { + for n, id := range gjson.Get(resp, "devices.#.device_type").Array() { identifier := id.String() if v, ok := supportedMfaOptions[identifier]; ok { val := v 
@@ -240,10 +234,10 @@ func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { option = prompter.Choose("Select which MFA option to use", mfaOptions) } - factorID := gjson.Get(resp, fmt.Sprintf("data.0.devices.%d.device_id", option)).String() - callbackURL := gjson.Get(resp, "data.0.callback_url").String() - mfaIdentifer := gjson.Get(resp, fmt.Sprintf("data.0.devices.%d.device_type", option)).String() - mfaDeviceID := gjson.Get(resp, fmt.Sprintf("data.0.devices.%d.device_id", option)).String() + factorID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() + callbackURL := gjson.Get(resp, "callback_url").String() + mfaIdentifer := gjson.Get(resp, fmt.Sprintf("devices.%d.device_type", option)).String() + mfaDeviceID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() logger.WithField("factorID", factorID).WithField("callbackURL", callbackURL).WithField("mfaIdentifer", mfaIdentifer).Debug("MFA") @@ -281,7 +275,7 @@ func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { } resp = string(body) if gjson.Get(resp, "status.error").Bool() { - msg := gjson.Get(resp, "status.message").String() + msg := gjson.Get(resp, "message").String() return "", errors.New(msg) } } 
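Review bot: The OTP error check in the `@@ -281` hunk still tests `gjson.Get(resp, "status.error").Bool()` while reading the message from the new top-level `message` field, mixing the v1 `status` envelope with the v2 response shape; every other hunk in this commit switched to `res.StatusCode != 200`. If v2 no longer returns `status.error`, this condition is always false and a failed OTP verification is not reported at this point. Make it consistent with the rest of the patch: `if res.StatusCode != 200 { return "", fmt.Errorf("HTTP %v: %s", res.StatusCode, gjson.Get(resp, "message").String()) }`, assuming `res` is the response variable in scope here as it is in the later hunks. verifyMFA continues outside the hunk.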
@@ -313,16 +307,16 @@ func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { resp = string(body) - message := gjson.Get(resp, "status.message").String() - if gjson.Get(resp, "status.error").Bool() { - return "", errors.New(message) + message := gjson.Get(resp, "message").String() + if res.StatusCode != 200 || message != MessageSuccess { + return "", fmt.Errorf("HTTP %v: %s", res.StatusCode, message) } return gjson.Get(resp, "data").String(), nil case IdentifierOneLoginProtectMfa: // set the body payload to disable further push notifications (i.e. set do_not_notify to true) - // https://developers.onelogin.com/api-docs/1/saml-assertions/verify-factor + // https://developers.onelogin.com/api-docs/2/saml-assertions/verify-factor var verifyBody bytes.Buffer err := json.NewEncoder(&verifyBody).Encode(VerifyRequest{AppID: appID, DeviceID: mfaDeviceID, DoNotNotify: true, StateToken: stateToken}) if err != nil { @@ -356,25 +350,25 @@ func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { return "", errors.Wrap(err, "error retrieving body from response") } - message := gjson.Get(string(body), "status.message").String() + message := gjson.Get(string(body), "message").String() // on 'error' status - if gjson.Get(string(body), "status.error").Bool() { - return "", errors.New(message) + if res.StatusCode != 200 { + return "", fmt.Errorf("HTTP %v: %s", res.StatusCode, message) } - switch gjson.Get(string(body), "status.type").String() { - case TypePending: + switch true { + case strings.Contains(message, MessagePending): time.Sleep(time.Second) logger.Debug("Waiting for user to authorize login") - case TypeSuccess: + case message == MessageSuccess: log.Println(" Approved") return gjson.Get(string(body), "data").String(), nil default: log.Println(" Error:") - return "", errors.New("unsupported response from OneLogin, please raise ticket with saml2aws") + return "", fmt.Errorf("HTTP %v: %s", res.StatusCode, message) } } } 
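Review bot: `switch true {` in the push-polling branch is the non-idiomatic spelling of a tagless switch; write `switch {` with the same cases. The `strings.Contains(message, MessagePending)` case is looser than the old `status.type == "pending"` equality and would also match any future message that merely embeds "Authentication pending"; if the v2 API returns exactly that string, `case message == MessagePending:` is the tighter check. The pending arm sleeps one second and re-polls, but the loop bound, if any, lies outside the hunk, so confirm the caller still caps the number of iterations. The enclosing verifyMFA runs past the hunk.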
From 3c300a7f8fef7c2cd0db67a3a93dcb800ddf9f1b Mon Sep 17 00:00:00 2001 From: Andre Soares Date: Fri, 11 Mar 2022 13:56:24 -0300 Subject: [PATCH 009/296] Add LOCKED_OUT error message --- pkg/provider/okta/okta.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index 042f029c6..d3a119e27 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go @@ -474,12 +474,14 @@ func (oc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) return "", err } - // mfa required - if authStatus == "MFA_REQUIRED" { + switch authStatus { + case "MFA_REQUIRED": oktaSessionToken, err = verifyMfa(oc, oktaOrgHost, loginDetails, primaryAuthResp) if err != nil { return "", errors.Wrap(err, "error verifying MFA") } + case "LOCKED_OUT": + return "", errors.New("the account is locked") } // if user disabled sessions, default to using standard login WITHOUT sessions From 2be5a3b1d09b2437dd5708404c21a8352b93dd73 Mon Sep 17 00:00:00 2001 From: Christian Meyer Date: Wed, 23 Mar 2022 23:41:16 +0100 Subject: [PATCH 010/296] refactored AzureAD authentication for AWS IAM federation --- pkg/provider/aad/aad.go | 1470 +++++++++++++++++---------------------- 1 file changed, 638 insertions(+), 832 deletions(-) diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go index 0c2607097..6f738d290 100644 --- a/pkg/provider/aad/aad.go +++ b/pkg/provider/aad/aad.go @@ -19,7 +19,6 @@ import ( "github.com/versent/saml2aws/v2/pkg/creds" "github.com/versent/saml2aws/v2/pkg/prompter" "github.com/versent/saml2aws/v2/pkg/provider" - "golang.org/x/net/html" ) // Client wrapper around AzureAD enabling authentication and retrieval of assertions 
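Review bot: The new `switch authStatus` handles only `MFA_REQUIRED` and `LOCKED_OUT`; every other non-success status still falls through to the session-token path below, as it did before. Now that the dispatch is a switch, a `default:` arm rejecting anything other than the success status would make the contract explicit, e.g. `default: if authStatus != "SUCCESS" { return "", fmt.Errorf("unexpected Okta auth status %q", authStatus) }`, assuming SUCCESS is the only status expected to reach session creation (the status values are not visible in the hunk, so verify against Okta's authn response). Including the raw status in the lock-out error, `errors.New("the account is locked (LOCKED_OUT)")`, also makes support triage easier. Authenticate continues past the hunk.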
@@ -30,11 +29,13 @@ type Client struct { idpAccount *cfg.IDPAccount } -// Autogenerate startSAML Response struct -// some case, some fields is not exists -type startSAMLResponse struct { +// Autogenerated ConvergedSignIn Response struct +// for some cases, some fields may not exist +type ConvergedSignInResponse struct { FShowPersistentCookiesWarning bool `json:"fShowPersistentCookiesWarning"` + URLMsaSignUp string `json:"urlMsaSignUp"` URLMsaLogout string `json:"urlMsaLogout"` + URLOtherIdpForget string `json:"urlOtherIdpForget"` ShowCantAccessAccountLink bool `json:"showCantAccessAccountLink"` URLGitHubFed string `json:"urlGitHubFed"` FShowSignInWithGitHubOnlyOnCredPicker bool `json:"fShowSignInWithGitHubOnlyOnCredPicker"` @@ -42,10 +43,10 @@ type startSAMLResponse struct { IShowResendCodeDelay int `json:"iShowResendCodeDelay"` SSMSCtryPhoneData string `json:"sSMSCtryPhoneData"` FUseInlinePhoneNumber bool `json:"fUseInlinePhoneNumber"` + FDetectBrowserCapabilities bool `json:"fDetectBrowserCapabilities"` URLSessionState string `json:"urlSessionState"` URLResetPassword string `json:"urlResetPassword"` URLMsaResetPassword string `json:"urlMsaResetPassword"` - URLLogin string `json:"urlLogin"` URLSignUp string `json:"urlSignUp"` URLGetCredentialType string `json:"urlGetCredentialType"` URLGetOneTimeCode string `json:"urlGetOneTimeCode"` @@ -53,11 +54,6 @@ type startSAMLResponse struct { URLForget string `json:"urlForget"` URLDisambigRename string `json:"urlDisambigRename"` URLGoToAADError string `json:"urlGoToAADError"` - URLDssoStatus string `json:"urlDssoStatus"` - URLFidoHelp string `json:"urlFidoHelp"` - URLFidoLogin string `json:"urlFidoLogin"` - URLPostAad string `json:"urlPostAad"` - URLPostMsa string `json:"urlPostMsa"` URLPIAEndAuth string `json:"urlPIAEndAuth"` FCBShowSignUp bool `json:"fCBShowSignUp"` FKMSIEnabled bool `json:"fKMSIEnabled"` 
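Review bot: Renaming `startSAMLResponse` to the exported `ConvergedSignInResponse` makes an autogenerated, Microsoft-page-shaped struct part of the package's public API, so every future field reshuffle of the login page becomes a breaking change for importers; unless another package consumes it, keep it unexported as `convergedSignInResponse`. Further down the same declaration the struct carries `SFT` and `SCtx` fields, which appear to be the per-session flow token and context, so a doc comment should say that instances hold auth material: `// convergedSignInResponse mirrors the server-provided config JSON embedded in the AAD ConvergedSignIn page; it carries the flow token (sFT) and context (sCtx), so never log a value of this type in full.` The type declaration continues into the following hunks.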
@@ -82,388 +78,162 @@ type startSAMLResponse struct { ErrorSubcode string `json:"error_subcode"` State string `json:"state"` } `json:"oCancelPostParams"` - IAllowedIdentities int `json:"iAllowedIdentities"` - IRemoteNgcPollingType int `json:"iRemoteNgcPollingType"` - IsGlobalTenant bool `json:"isGlobalTenant"` - FIsFidoSupported bool `json:"fIsFidoSupported"` - FUseNewNoPasswordTypes bool `json:"fUseNewNoPasswordTypes"` - IMaxStackForKnockoutAsyncComponents int `json:"iMaxStackForKnockoutAsyncComponents"` - StrCopyrightTxt string `json:"strCopyrightTxt"` - FShowButtons bool `json:"fShowButtons"` - URLCdn string `json:"urlCdn"` - URLFooterTOU string `json:"urlFooterTOU"` - URLFooterPrivacy string `json:"urlFooterPrivacy"` - URLPost string `json:"urlPost"` - URLRefresh string `json:"urlRefresh"` - URLCancel string `json:"urlCancel"` - IPawnIcon int `json:"iPawnIcon"` - IPollingInterval int `json:"iPollingInterval"` - SPOSTUsername string `json:"sPOST_Username"` - SFT string `json:"sFT"` - SFTName string `json:"sFTName"` - SSessionIdentifierName string `json:"sSessionIdentifierName"` - SCtx string `json:"sCtx"` - IProductIcon int `json:"iProductIcon"` - URLReportPageLoad string `json:"urlReportPageLoad"` - StaticTenantBranding interface{} `json:"staticTenantBranding"` - OAppCobranding struct { - } `json:"oAppCobranding"` - IBackgroundImage int `json:"iBackgroundImage"` - ArrSessions []interface{} `json:"arrSessions"` - FUseConstantPolling bool `json:"fUseConstantPolling"` - FUseFlowTokenAsCanary bool `json:"fUseFlowTokenAsCanary"` - FApplicationInsightsEnabled bool `json:"fApplicationInsightsEnabled"` - IApplicationInsightsEnabledPercentage int `json:"iApplicationInsightsEnabledPercentage"` - URLSetDebugMode string `json:"urlSetDebugMode"` - FEnableCSSAnimation bool `json:"fEnableCssAnimation"` - FAllowGrayOutLightBox bool `json:"fAllowGrayOutLightBox"` - FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` - Scid int `json:"scid"` - Hpgact int `json:"hpgact"` - 
Hpgid int `json:"hpgid"` - Pgid string `json:"pgid"` - APICanary string `json:"apiCanary"` - Canary string `json:"canary"` - CorrelationID string `json:"correlationId"` - SessionID string `json:"sessionId"` - Locale struct { - Mkt string `json:"mkt"` - Lcid int `json:"lcid"` - } `json:"locale"` - SlMaxRetry int `json:"slMaxRetry"` - SlReportFailure bool `json:"slReportFailure"` - Strings struct { - Desktopsso struct { - Authenticatingmessage string `json:"authenticatingmessage"` - } `json:"desktopsso"` - } `json:"strings"` - Enums struct { - ClientMetricsModes struct { - None int `json:"None"` - SubmitOnPost int `json:"SubmitOnPost"` - SubmitOnRedirect int `json:"SubmitOnRedirect"` - InstrumentPlt int `json:"InstrumentPlt"` - } `json:"ClientMetricsModes"` - } `json:"enums"` - Urls struct { - Instr struct { - Pageload string `json:"pageload"` - Dssostatus string `json:"dssostatus"` - } `json:"instr"` - } `json:"urls"` - Browser struct { - Ltr int `json:"ltr"` - Other int `json:"_Other"` - Full int `json:"Full"` - REOther int `json:"RE_Other"` - B struct { - Name string `json:"name"` - Major int `json:"major"` - Minor int `json:"minor"` - } `json:"b"` - Os struct { - Name string `json:"name"` - Version string `json:"version"` - } `json:"os"` - V int `json:"V"` - } `json:"browser"` - Watson struct { - URL string `json:"url"` - Bundle string `json:"bundle"` - Sbundle string `json:"sbundle"` - Fbundle string `json:"fbundle"` - ResetErrorPeriod int `json:"resetErrorPeriod"` - MaxCorsErrors int `json:"maxCorsErrors"` - MaxInjectErrors int `json:"maxInjectErrors"` - MaxErrors int `json:"maxErrors"` - MaxTotalErrors int `json:"maxTotalErrors"` - ExpSrcs []string `json:"expSrcs"` - EnvErrorRedirect bool `json:"envErrorRedirect"` - EnvErrorURL string `json:"envErrorUrl"` - } `json:"watson"` - Loader struct { - CdnRoots []string `json:"cdnRoots"` - } `json:"loader"` - ServerDetails struct { - Slc string `json:"slc"` - Dc string `json:"dc"` - Ri string `json:"ri"` - Ver struct 
{ - V []int `json:"v"` - } `json:"ver"` - Rt string `json:"rt"` - Et int `json:"et"` - } `json:"serverDetails"` - Country string `json:"country"` - FBreakBrandingSigninString bool `json:"fBreakBrandingSigninString"` - Bsso struct { - Type string `json:"type"` - Reason string `json:"reason"` - } `json:"bsso"` - URLNoCookies string `json:"urlNoCookies"` - FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` + IRemoteNgcPollingType int `json:"iRemoteNgcPollingType"` + FUseNewNoPasswordTypes bool `json:"fUseNewNoPasswordTypes"` + URLAadSignup string `json:"urlAadSignup"` + URLOidcDiscoveryEndpointFormat string `json:"urlOidcDiscoveryEndpointFormat"` + URLTenantedEndpointFormat string `json:"urlTenantedEndpointFormat"` + SCloudInstanceName string `json:"sCloudInstanceName"` + FShowSignInOptionsAsButton bool `json:"fShowSignInOptionsAsButton"` + FUpdateLoginHint bool `json:"fUpdateLoginHint"` + IMaxStackForKnockoutAsyncComponents int `json:"iMaxStackForKnockoutAsyncComponents"` + FShowButtons bool `json:"fShowButtons"` + URLCdn string `json:"urlCdn"` + URLDefaultFavicon string `json:"urlDefaultFavicon"` + URLFooterTOU string `json:"urlFooterTOU"` + URLFooterPrivacy string `json:"urlFooterPrivacy"` + URLPost string `json:"urlPost"` + URLRefresh string `json:"urlRefresh"` + URLCancel string `json:"urlCancel"` + URLResume string `json:"urlResume"` + IPawnIcon int `json:"iPawnIcon"` + IPollingInterval int `json:"iPollingInterval"` + SPOSTUsername string `json:"sPOST_Username"` + SFT string `json:"sFT"` + SFTName string `json:"sFTName"` + SSessionIdentifierName string `json:"sSessionIdentifierName"` + SCtx string `json:"sCtx"` + IProductIcon int `json:"iProductIcon"` + URLReportPageLoad string `json:"urlReportPageLoad"` + ArrSessions []interface{} `json:"arrSessions"` + FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` + URLLogin string `json:"urlLogin"` + URLDssoStatus string `json:"urlDssoStatus"` + FUseSameSite bool `json:"fUseSameSite"` + IAllowedIdentities int 
`json:"iAllowedIdentities"` + IsGlobalTenant bool `json:"isGlobalTenant"` + FOfflineAccountVisible bool `json:"fOfflineAccountVisible"` + ScriptNonce string `json:"scriptNonce"` + FEnableUserStateFix bool `json:"fEnableUserStateFix"` + FAccessPassSupported bool `json:"fAccessPassSupported"` + FShowAccessPassPeek bool `json:"fShowAccessPassPeek"` + FUpdateSessionPollingLogic bool `json:"fUpdateSessionPollingLogic"` + Scid int `json:"scid"` + Hpgact int `json:"hpgact"` + Hpgid int `json:"hpgid"` + Pgid string `json:"pgid"` + APICanary string `json:"apiCanary"` + Canary string `json:"canary"` + CorrelationID string `json:"correlationId"` + SessionID string `json:"sessionId"` + SlMaxRetry int `json:"slMaxRetry"` + SlReportFailure bool `json:"slReportFailure"` + Country string `json:"country"` + URLNoCookies string `json:"urlNoCookies"` + FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` + InlineMode int `json:"inlineMode"` } -// Autogenerate password login response -// some case, some fields is not exists -type passwordLoginResponse struct { - ArrUserProofs []userProof `json:"arrUserProofs"` - FHideIHaveCodeLink bool `json:"fHideIHaveCodeLink"` - OPerAuthPollingInterval map[string]float64 `json:"oPerAuthPollingInterval"` - FProofIndexedByType bool `json:"fProofIndexedByType"` - URLBeginAuth string `json:"urlBeginAuth"` - URLEndAuth string `json:"urlEndAuth"` - ISAMode int `json:"iSAMode"` - ITrustedDeviceCheckboxConfig int `json:"iTrustedDeviceCheckboxConfig"` - IMaxPollAttempts int `json:"iMaxPollAttempts"` - IPollingTimeout int `json:"iPollingTimeout"` - IPollingBackoffInterval float64 `json:"iPollingBackoffInterval"` - IRememberMfaDuration float64 `json:"iRememberMfaDuration"` - STrustedDeviceCheckboxName string `json:"sTrustedDeviceCheckboxName"` - SAuthMethodInputFieldName string `json:"sAuthMethodInputFieldName"` - ISAOtcLength int `json:"iSAOtcLength"` - ITotpOtcLength int `json:"iTotpOtcLength"` - URLMoreInfo string `json:"urlMoreInfo"` - FShowViewDetailsLink 
bool `json:"fShowViewDetailsLink"` - FAlwaysUpdateFTInSasEnd bool `json:"fAlwaysUpdateFTInSasEnd"` - IMaxStackForKnockoutAsyncComponents int `json:"iMaxStackForKnockoutAsyncComponents"` - StrCopyrightTxt string `json:"strCopyrightTxt"` - FShowButtons bool `json:"fShowButtons"` - URLCdn string `json:"urlCdn"` - URLFooterTOU string `json:"urlFooterTOU"` - URLFooterPrivacy string `json:"urlFooterPrivacy"` - URLPost string `json:"urlPost"` - URLCancel string `json:"urlCancel"` - IPawnIcon int `json:"iPawnIcon"` - IPollingInterval int `json:"iPollingInterval"` - SPOSTUsername string `json:"sPOST_Username"` - SFT string `json:"sFT"` - SFTName string `json:"sFTName"` - SCtx string `json:"sCtx"` - DynamicTenantBranding []struct { - Locale int `json:"Locale"` - Illustration string `json:"Illustration"` - UserIDLabel string `json:"UserIdLabel"` - KeepMeSignedInDisabled bool `json:"KeepMeSignedInDisabled"` - UseTransparentLightBox bool `json:"UseTransparentLightBox"` - } `json:"dynamicTenantBranding"` - OAppCobranding struct { - } `json:"oAppCobranding"` - IBackgroundImage int `json:"iBackgroundImage"` - FUseConstantPolling bool `json:"fUseConstantPolling"` - FUseFlowTokenAsCanary bool `json:"fUseFlowTokenAsCanary"` - FApplicationInsightsEnabled bool `json:"fApplicationInsightsEnabled"` - IApplicationInsightsEnabledPercentage int `json:"iApplicationInsightsEnabledPercentage"` - URLSetDebugMode string `json:"urlSetDebugMode"` - FEnableCSSAnimation bool `json:"fEnableCssAnimation"` - FAllowGrayOutLightBox bool `json:"fAllowGrayOutLightBox"` - FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` - Scid int `json:"scid"` - Hpgact int `json:"hpgact"` - Hpgid int `json:"hpgid"` - Pgid string `json:"pgid"` - APICanary string `json:"apiCanary"` - Canary string `json:"canary"` - CorrelationID string `json:"correlationId"` - SessionID string `json:"sessionId"` - Locale struct { - Mkt string `json:"mkt"` - Lcid int `json:"lcid"` - } `json:"locale"` - SlMaxRetry int 
`json:"slMaxRetry"` - SlReportFailure bool `json:"slReportFailure"` - Strings struct { - Desktopsso struct { - Authenticatingmessage string `json:"authenticatingmessage"` - } `json:"desktopsso"` - } `json:"strings"` - Enums struct { - ClientMetricsModes struct { - None int `json:"None"` - SubmitOnPost int `json:"SubmitOnPost"` - SubmitOnRedirect int `json:"SubmitOnRedirect"` - InstrumentPlt int `json:"InstrumentPlt"` - } `json:"ClientMetricsModes"` - } `json:"enums"` - Urls struct { - Instr struct { - Pageload string `json:"pageload"` - Dssostatus string `json:"dssostatus"` - } `json:"instr"` - } `json:"urls"` - Browser struct { - Ltr int `json:"ltr"` - Other int `json:"_Other"` - Full int `json:"Full"` - REOther int `json:"RE_Other"` - B struct { - Name string `json:"name"` - Major int `json:"major"` - Minor int `json:"minor"` - } `json:"b"` - Os struct { - Name string `json:"name"` - Version string `json:"version"` - } `json:"os"` - V int `json:"V"` - } `json:"browser"` - Watson struct { - URL string `json:"url"` - Bundle string `json:"bundle"` - Sbundle string `json:"sbundle"` - Fbundle string `json:"fbundle"` - ResetErrorPeriod int `json:"resetErrorPeriod"` - MaxCorsErrors int `json:"maxCorsErrors"` - MaxInjectErrors int `json:"maxInjectErrors"` - MaxErrors int `json:"maxErrors"` - MaxTotalErrors int `json:"maxTotalErrors"` - ExpSrcs []string `json:"expSrcs"` - EnvErrorRedirect bool `json:"envErrorRedirect"` - EnvErrorURL string `json:"envErrorUrl"` - } `json:"watson"` - Loader struct { - CdnRoots []string `json:"cdnRoots"` - } `json:"loader"` - ServerDetails struct { - Slc string `json:"slc"` - Dc string `json:"dc"` - Ri string `json:"ri"` - Ver struct { - V []int `json:"v"` - } `json:"ver"` - Rt string `json:"rt"` - Et int `json:"et"` - } `json:"serverDetails"` - Country string `json:"country"` - FBreakBrandingSigninString bool `json:"fBreakBrandingSigninString"` - URLNoCookies string `json:"urlNoCookies"` - FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` 
+// Autogenerated GetCredentialType Request struct +// for some cases, some fields may not exist +type GetCredentialTypeRequest struct { + Username string `json:"username"` + IsOtherIdpSupported bool `json:"isOtherIdpSupported"` + CheckPhones bool `json:"checkPhones"` + IsRemoteNGCSupported bool `json:"isRemoteNGCSupported"` + IsCookieBannerShown bool `json:"isCookieBannerShown"` + IsFidoSupported bool `json:"isFidoSupported"` + OriginalRequest string `json:"originalRequest"` + Country string `json:"country"` + Forceotclogin bool `json:"forceotclogin"` + IsExternalFederationDisallowed bool `json:"isExternalFederationDisallowed"` + IsRemoteConnectSupported bool `json:"isRemoteConnectSupported"` + FederationFlags int `json:"federationFlags"` + IsSignup bool `json:"isSignup"` + FlowToken string `json:"flowToken"` + IsAccessPassSupported bool `json:"isAccessPassSupported"` } -// Autogenerated skip mfa login response -type SkipMfaResponse struct { - URLPostRedirect string `json:"urlPostRedirect"` - URLSkipMfaRegistration string `json:"urlSkipMfaRegistration"` - URLMoreInfo string `json:"urlMoreInfo"` - SProofUpToken string `json:"sProofUpToken"` - SProofUpTokenName string `json:"sProofUpTokenName"` - SProofUpAuthState string `json:"sProofUpAuthState"` - SCanaryToken string `json:"sCanaryToken"` - IRemainingDaysToSkipMfaRegistration int `json:"iRemainingDaysToSkipMfaRegistration"` +// Autogenerated GetCredentialType Response struct +// for some cases, some fields may not exist +type GetCredentialTypeResponse struct { + Username string `json:"Username"` + Display string `json:"Display"` + IfExistsResult int `json:"IfExistsResult"` + IsUnmanaged bool `json:"IsUnmanaged"` + ThrottleStatus int `json:"ThrottleStatus"` + Credentials struct { + PrefCredential int `json:"PrefCredential"` + HasPassword bool `json:"HasPassword"` + RemoteNgcParams interface{} `json:"RemoteNgcParams"` + FidoParams interface{} `json:"FidoParams"` + SasParams interface{} `json:"SasParams"` + 
CertAuthParams interface{} `json:"CertAuthParams"` + GoogleParams interface{} `json:"GoogleParams"` + FacebookParams interface{} `json:"FacebookParams"` + FederationRedirectURL string `json:"FederationRedirectUrl"` + } `json:"Credentials"` + FlowToken string `json:"FlowToken"` + IsSignupDisallowed bool `json:"IsSignupDisallowed"` + APICanary string `json:"apiCanary"` +} + +// Autogenerated Authentication Response struct +// for some cases, some fields may not exist +type AuthenticationResponse struct { IMaxStackForKnockoutAsyncComponents int `json:"iMaxStackForKnockoutAsyncComponents"` - StrCopyrightTxt string `json:"strCopyrightTxt"` FShowButtons bool `json:"fShowButtons"` URLCdn string `json:"urlCdn"` + URLDefaultFavicon string `json:"urlDefaultFavicon"` URLFooterTOU string `json:"urlFooterTOU"` URLFooterPrivacy string `json:"urlFooterPrivacy"` URLPost string `json:"urlPost"` - URLCancel string `json:"urlCancel"` IPawnIcon int `json:"iPawnIcon"` SPOSTUsername string `json:"sPOST_Username"` SFT string `json:"sFT"` SFTName string `json:"sFTName"` + SCtx string `json:"sCtx"` SCanaryTokenName string `json:"sCanaryTokenName"` - DynamicTenantBranding []struct { - Locale int `json:"Locale"` - Illustration string `json:"Illustration"` - UserIDLabel string `json:"UserIdLabel"` - KeepMeSignedInDisabled bool `json:"KeepMeSignedInDisabled"` - UseTransparentLightBox bool `json:"UseTransparentLightBox"` - } `json:"dynamicTenantBranding"` - OAppCobranding struct { - } `json:"oAppCobranding"` - IBackgroundImage int `json:"iBackgroundImage"` - FUseConstantPolling bool `json:"fUseConstantPolling"` - FUseFlowTokenAsCanary bool `json:"fUseFlowTokenAsCanary"` - FApplicationInsightsEnabled bool `json:"fApplicationInsightsEnabled"` - IApplicationInsightsEnabledPercentage int `json:"iApplicationInsightsEnabledPercentage"` - URLSetDebugMode string `json:"urlSetDebugMode"` - FEnableCSSAnimation bool `json:"fEnableCssAnimation"` - FAllowGrayOutLightBox bool `json:"fAllowGrayOutLightBox"` - 
FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` - Scid int `json:"scid"` - Hpgact int `json:"hpgact"` - Hpgid int `json:"hpgid"` - Pgid string `json:"pgid"` - APICanary string `json:"apiCanary"` - Canary string `json:"canary"` - CorrelationID string `json:"correlationId"` - SessionID string `json:"sessionId"` - Locale struct { - Mkt string `json:"mkt"` - Lcid int `json:"lcid"` - } `json:"locale"` - SlMaxRetry int `json:"slMaxRetry"` - SlReportFailure bool `json:"slReportFailure"` - Strings struct { - Desktopsso struct { - Authenticatingmessage string `json:"authenticatingmessage"` - } `json:"desktopsso"` - } `json:"strings"` - Enums struct { - ClientMetricsModes struct { - None int `json:"None"` - SubmitOnPost int `json:"SubmitOnPost"` - SubmitOnRedirect int `json:"SubmitOnRedirect"` - InstrumentPlt int `json:"InstrumentPlt"` - } `json:"ClientMetricsModes"` - } `json:"enums"` - Urls struct { - Instr struct { - Pageload string `json:"pageload"` - Dssostatus string `json:"dssostatus"` - } `json:"instr"` - } `json:"urls"` - Browser struct { - Ltr int `json:"ltr"` - Other int `json:"_Other"` - Full int `json:"Full"` - REOther int `json:"RE_Other"` - B struct { - Name string `json:"name"` - Major int `json:"major"` - Minor int `json:"minor"` - } `json:"b"` - Os struct { - Name string `json:"name"` - Version string `json:"version"` - } `json:"os"` - V int `json:"V"` - } `json:"browser"` - Watson struct { - URL string `json:"url"` - Bundle string `json:"bundle"` - Sbundle string `json:"sbundle"` - Fbundle string `json:"fbundle"` - ResetErrorPeriod int `json:"resetErrorPeriod"` - MaxCorsErrors int `json:"maxCorsErrors"` - MaxInjectErrors int `json:"maxInjectErrors"` - MaxErrors int `json:"maxErrors"` - MaxTotalErrors int `json:"maxTotalErrors"` - ExpSrcs []string `json:"expSrcs"` - EnvErrorRedirect bool `json:"envErrorRedirect"` - EnvErrorURL string `json:"envErrorUrl"` - } `json:"watson"` - Loader struct { - CdnRoots []string `json:"cdnRoots"` - } 
`json:"loader"` - ServerDetails struct { - Slc string `json:"slc"` - Dc string `json:"dc"` - Ri string `json:"ri"` - Ver struct { - V []int `json:"v"` - } `json:"ver"` - Rt string `json:"rt"` - Et int `json:"et"` - } `json:"serverDetails"` - Country string `json:"country"` - FBreakBrandingSigninString bool `json:"fBreakBrandingSigninString"` - URLNoCookies string `json:"urlNoCookies"` - FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` + FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` + FUseSameSite bool `json:"fUseSameSite"` + IsGlobalTenant bool `json:"isGlobalTenant"` + FOfflineAccountVisible bool `json:"fOfflineAccountVisible"` + ScriptNonce string `json:"scriptNonce"` + FEnableUserStateFix bool `json:"fEnableUserStateFix"` + FShowAccessPassPeek bool `json:"fShowAccessPassPeek"` + FUpdateSessionPollingLogic bool `json:"fUpdateSessionPollingLogic"` + Scid int `json:"scid"` + Hpgact int `json:"hpgact"` + Hpgid int `json:"hpgid"` + Pgid string `json:"pgid"` + APICanary string `json:"apiCanary"` + Canary string `json:"canary"` + CorrelationID string `json:"correlationId"` + SessionID string `json:"sessionId"` + SlMaxRetry int `json:"slMaxRetry"` + SlReportFailure bool `json:"slReportFailure"` + Country string `json:"country"` + URLNoCookies string `json:"urlNoCookies"` + FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` + InlineMode int `json:"inlineMode"` } -// mfa request +// Converged Response struct +type ConvergedResponse struct { + ArrUserProofs []userProof `json:"arrUserProofs"` + URLSkipMfaRegistration string `json:"urlSkipMfaRegistration"` + OPerAuthPollingInterval map[string]float64 `json:"oPerAuthPollingInterval"` + URLBeginAuth string `json:"urlBeginAuth"` + URLEndAuth string `json:"urlEndAuth"` + URLPost string `json:"urlPost"` + SPOSTUsername string `json:"sPOST_Username"` + SFT string `json:"sFT"` + SFTName string `json:"sFTName"` + SCtx string `json:"sCtx"` + Pgid string `json:"pgid"` +} + +// MFA Request struct type mfaRequest struct 
{
 	AuthMethodID string `json:"AuthMethodId"`
 	Method string `json:"Method"`
@@ -473,7 +243,7 @@ type mfaRequest struct {
 	AdditionalAuthData string `json:"AdditionalAuthData,omitempty"`
 }
-// mfa response
+// MFA Response struct
 type mfaResponse struct {
 	Success bool `json:"Success"`
 	ResultValue string `json:"ResultValue"`
@@ -488,122 +258,6 @@ type mfaResponse struct { Timestamp time.Time `json:"Timestamp"` } -// Autogenerate ProcessAuth response -// some case, some fields is not exists -type processAuthResponse struct { - IMaxStackForKnockoutAsyncComponents int `json:"iMaxStackForKnockoutAsyncComponents"` - StrCopyrightTxt string `json:"strCopyrightTxt"` - FShowButtons bool `json:"fShowButtons"` - URLCdn string `json:"urlCdn"` - URLFooterTOU string `json:"urlFooterTOU"` - URLFooterPrivacy string `json:"urlFooterPrivacy"` - URLPost string `json:"urlPost"` - IPawnIcon int `json:"iPawnIcon"` - SPOSTUsername string `json:"sPOST_Username"` - SFT string `json:"sFT"` - SFTName string `json:"sFTName"` - SCtx string `json:"sCtx"` - SCanaryTokenName string `json:"sCanaryTokenName"` - DynamicTenantBranding []struct { - Locale int `json:"Locale"` - Illustration string `json:"Illustration"` - UserIDLabel string `json:"UserIdLabel"` - KeepMeSignedInDisabled bool `json:"KeepMeSignedInDisabled"` - UseTransparentLightBox bool `json:"UseTransparentLightBox"` - } `json:"dynamicTenantBranding"` - OAppCobranding struct { - } `json:"oAppCobranding"` - IBackgroundImage int `json:"iBackgroundImage"` - FUseConstantPolling bool `json:"fUseConstantPolling"` - FUseFlowTokenAsCanary bool `json:"fUseFlowTokenAsCanary"` - FApplicationInsightsEnabled bool `json:"fApplicationInsightsEnabled"` - IApplicationInsightsEnabledPercentage int `json:"iApplicationInsightsEnabledPercentage"` - URLSetDebugMode string `json:"urlSetDebugMode"` - FEnableCSSAnimation bool `json:"fEnableCssAnimation"` - FAllowGrayOutLightBox bool `json:"fAllowGrayOutLightBox"` - FIsRemoteNGCSupported bool `json:"fIsRemoteNGCSupported"` - Scid int `json:"scid"` - Hpgact int `json:"hpgact"` - Hpgid int `json:"hpgid"` - Pgid string `json:"pgid"` - APICanary string `json:"apiCanary"` - Canary string `json:"canary"` - CorrelationID string `json:"correlationId"` - SessionID string `json:"sessionId"` - Locale struct { - Mkt string `json:"mkt"` - Lcid 
int `json:"lcid"` - } `json:"locale"` - SlMaxRetry int `json:"slMaxRetry"` - SlReportFailure bool `json:"slReportFailure"` - Strings struct { - Desktopsso struct { - Authenticatingmessage string `json:"authenticatingmessage"` - } `json:"desktopsso"` - } `json:"strings"` - Enums struct { - ClientMetricsModes struct { - None int `json:"None"` - SubmitOnPost int `json:"SubmitOnPost"` - SubmitOnRedirect int `json:"SubmitOnRedirect"` - InstrumentPlt int `json:"InstrumentPlt"` - } `json:"ClientMetricsModes"` - } `json:"enums"` - Urls struct { - Instr struct { - Pageload string `json:"pageload"` - Dssostatus string `json:"dssostatus"` - } `json:"instr"` - } `json:"urls"` - Browser struct { - Ltr int `json:"ltr"` - Other int `json:"_Other"` - Full int `json:"Full"` - REOther int `json:"RE_Other"` - B struct { - Name string `json:"name"` - Major int `json:"major"` - Minor int `json:"minor"` - } `json:"b"` - Os struct { - Name string `json:"name"` - Version string `json:"version"` - } `json:"os"` - V int `json:"V"` - } `json:"browser"` - Watson struct { - URL string `json:"url"` - Bundle string `json:"bundle"` - Sbundle string `json:"sbundle"` - Fbundle string `json:"fbundle"` - ResetErrorPeriod int `json:"resetErrorPeriod"` - MaxCorsErrors int `json:"maxCorsErrors"` - MaxInjectErrors int `json:"maxInjectErrors"` - MaxErrors int `json:"maxErrors"` - MaxTotalErrors int `json:"maxTotalErrors"` - ExpSrcs []string `json:"expSrcs"` - EnvErrorRedirect bool `json:"envErrorRedirect"` - EnvErrorURL string `json:"envErrorUrl"` - } `json:"watson"` - Loader struct { - CdnRoots []string `json:"cdnRoots"` - } `json:"loader"` - ServerDetails struct { - Slc string `json:"slc"` - Dc string `json:"dc"` - Ri string `json:"ri"` - Ver struct { - V []int `json:"v"` - } `json:"ver"` - Rt string `json:"rt"` - Et int `json:"et"` - } `json:"serverDetails"` - Country string `json:"country"` - FBreakBrandingSigninString bool `json:"fBreakBrandingSigninString"` - URLNoCookies string 
`json:"urlNoCookies"` - FTrimChromeBssoURL bool `json:"fTrimChromeBssoUrl"` -} - // A given method for a user to prove their indentity type userProof struct { AuthMethodID string `json:"authMethodId"` 
@@ -642,328 +296,363 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) // startSAML startURL := fmt.Sprintf("%s/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationId=%s", ac.idpAccount.URL, ac.idpAccount.AppID) - res, err := ac.client.Get(startURL) + convergedSignInResponse, res, err := ac.requestConvergedSignIn(startURL) if err != nil { - return samlAssertion, errors.Wrap(err, "error retrieving form") + return samlAssertion, errors.Wrap(err, "error processing ConvergedSignIn request") } - // data is embedded javascript object - // - */ - isEnabledConditonalAccess := strings.HasPrefix(resBodyStr, "Working...") && strings.Contains(resBodyStr, "name=\"flowtoken\"") + if ac.isHiddenForm(resBodyStr) { + resBodyStr, _, err = ac.reProcessForm(resBodyStr) + if err != nil { + return samlAssertion, errors.Wrap(err, "error processing hiddenform") + } + } - if isSkippedMFA || isEnabledConditonalAccess { - // require reprocess - if strings.Contains(resBodyStr, " - var loginPasswordJson string - if strings.Contains(resBodyStr, "$Config") { - loginPasswordJson = ac.getJsonFromConfig(resBodyStr) + if ac.isHiddenForm(resBodyStr) { + resBodyStr, res, err = ac.reProcessForm(resBodyStr) + if err != nil { + return samlAssertion, errors.Wrap(err, "error processing hiddenform") } - resBodyStr, err = ac.processAuth(loginPasswordJson, res) + } + + if strings.Contains(resBodyStr, "arrUserProofs") { + resBodyStr, err = ac.processAuth(resBodyStr, res) if err != nil { return samlAssertion, err } } - node, _ := html.Parse(strings.NewReader(resBodyStr)) - doc := goquery.NewDocumentFromNode(node) - - // data in input tag - authForm := url.Values{} - var authSubmitURL string - - doc.Find("input").Each(func(i int, s *goquery.Selection) { - name, ok := s.Attr("name") - if !ok { - return + for i := 0; i < 2; i++ { + // SAMLResponse should come in a form + samlAssertion, err = ac.getSamlAssertion(resBodyStr) + if err != nil { + return 
samlAssertion, errors.Wrap(err, "failed to read SAMLResponse") } - value, ok := s.Attr("value") - if !ok { - return + + if samlAssertion != "" { + return samlAssertion, nil } - authForm.Set(name, value) - }) - doc.Find("form").Each(func(i int, s *goquery.Selection) { - action, ok := s.Attr("action") - if !ok { - return + // form does not contain SAMLResponse, aim to get it from the submit response + if i < 1 { + resBodyStr, _, err = ac.reProcessForm(resBodyStr) + if err != nil { + return samlAssertion, errors.Wrap(err, "error processing hiddenform") + } } - authSubmitURL = action - }) + } - if authSubmitURL == "" { - return samlAssertion, fmt.Errorf("unable to locate IDP oidc form submit URL") + return samlAssertion, errors.New("failed get SAMLAssertion") +} + +func (ac *Client) requestConvergedSignIn(url string) (ConvergedSignInResponse, *http.Response, error) { + var res *http.Response + var err error + var resBodyStr string + var convergedSignInResponse ConvergedSignInResponse + + res, err = ac.client.Get(url) + if err != nil { + return convergedSignInResponse, res, errors.Wrap(err, "error retrieving ConvergedSignIn form") + } + + resBodyStr, _ = ac.responseBodyAsString(res.Body) + + if err := json.Unmarshal([]byte(ac.getJsonFromConfig(resBodyStr)), &convergedSignInResponse); err != nil { + return convergedSignInResponse, res, errors.Wrap(err, "ConvergedSignIn response unmarshal error") + } + + return convergedSignInResponse, res, nil +} + +func (ac *Client) requestGetCredentialType(refererUrl string, loginDetails *creds.LoginDetails, convergedSignInResponse ConvergedSignInResponse) (GetCredentialTypeResponse, *http.Response, error) { + var res *http.Response + var getCredentialTypeResponse GetCredentialTypeResponse + + reqBodyObj := GetCredentialTypeRequest{ + Username: loginDetails.Username, + IsOtherIdpSupported: true, + CheckPhones: false, + IsRemoteNGCSupported: false, + IsCookieBannerShown: false, + IsFidoSupported: false, + OriginalRequest: 
convergedSignInResponse.SCtx, + FlowToken: convergedSignInResponse.SFT, + } + reqBodyJson, err := json.Marshal(reqBodyObj) + if err != nil { + return getCredentialTypeResponse, res, errors.Wrap(err, "failed to build GetCredentialType request JSON") } - req, err := http.NewRequest("POST", authSubmitURL, strings.NewReader(authForm.Encode())) + req, err := http.NewRequest("POST", convergedSignInResponse.URLGetCredentialType, strings.NewReader(string(reqBodyJson))) if err != nil { - return samlAssertion, errors.Wrap(err, "error building authentication request") + return getCredentialTypeResponse, res, errors.Wrap(err, "error building GetCredentialType request") } - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + req.Header.Add("canary", convergedSignInResponse.APICanary) + req.Header.Add("client-request-id", convergedSignInResponse.CorrelationID) + req.Header.Add("hpgact", fmt.Sprint(convergedSignInResponse.Hpgact)) + req.Header.Add("hpgid", fmt.Sprint(convergedSignInResponse.Hpgid)) + req.Header.Add("hpgrequestid", convergedSignInResponse.SessionID) + req.Header.Add("Referer", refererUrl) - ac.client.EnableFollowRedirect() res, err = ac.client.Do(req) if err != nil { - return samlAssertion, errors.Wrap(err, "error retrieving oidc login form results") + return getCredentialTypeResponse, res, errors.Wrap(err, "error retrieving GetCredentialType results") } - // get saml assertion - oidcResponse, err := ioutil.ReadAll(res.Body) + err = json.NewDecoder(res.Body).Decode(&getCredentialTypeResponse) if err != nil { - return samlAssertion, errors.Wrap(err, "oidc login response error") + return getCredentialTypeResponse, res, errors.Wrap(err, "error decoding GetCredentialType results") } - oidcResponseStr := string(oidcResponse) + return getCredentialTypeResponse, res, nil +} - // data is embedded javascript - // window.location = 'https:/..../?SAMLRequest=......' 
- oidcResponseList := strings.Split(oidcResponseStr, ";") - var SAMLRequestURL string - for _, v := range oidcResponseList { - if strings.Contains(v, "SAMLRequest") { - startURLPos := strings.Index(v, "https://") - endURLPos := strings.Index(v[startURLPos:], "'") - if endURLPos == -1 { - endURLPos = strings.Index(v[startURLPos:], "\"") - } - SAMLRequestURL = v[startURLPos : startURLPos+endURLPos] - } +func (ac *Client) processADFSAuthentication(federationUrl string, loginDetails *creds.LoginDetails) (AuthenticationResponse, *http.Response, error) { + var res *http.Response + var err error + var resBodyStr string + var authenticationResponse AuthenticationResponse + var formValues url.Values + var formSubmitUrl string + var req *http.Request - } - if SAMLRequestURL == "" { - return samlAssertion, fmt.Errorf("unable to locate SAMLRequest URL") + res, err = ac.client.Get(federationUrl) + if err != nil { + return authenticationResponse, res, errors.Wrap(err, "error retrieving ADFS url") } - req, err = http.NewRequest("GET", SAMLRequestURL, nil) + resBodyStr, _ = ac.responseBodyAsString(res.Body) + + formValues, formSubmitUrl, err = ac.reSubmitFormData(resBodyStr) if err != nil { - return samlAssertion, errors.Wrap(err, "error building get request") + return authenticationResponse, res, errors.Wrap(err, "failed to parse ADFS login form") } - res, err = ac.client.Do(req) + if formSubmitUrl == "" { + return authenticationResponse, res, fmt.Errorf("unable to locate ADFS form submit URL") + } + + formValues.Set("UserName", loginDetails.Username) + formValues.Set("Password", loginDetails.Password) + formValues.Set("AuthMethod", "FormsAuthentication") + + req, err = http.NewRequest("POST", ac.fullUrl(res, formSubmitUrl), strings.NewReader(formValues.Encode())) if err != nil { - return samlAssertion, errors.Wrap(err, "error retrieving oidc login form results") + return authenticationResponse, res, errors.Wrap(err, "error building ADFS login request") } - // if mfa skipped then 
get $Config and urlSkipMfaRegistration - // get urlSkipMfaRegistraition to return saml assertion - resBodyStr, err = ac.responseBodyAsString(res.Body) + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + + res, err = ac.client.Do(req) if err != nil { - return samlAssertion, errors.Wrap(err, "error oidc login response read") + return authenticationResponse, res, errors.Wrap(err, "error retrieving ADFS login results") } - if strings.Contains(resBodyStr, "arrUserProofs") { - // data is embedded javascript object - // + + + + + + + + + +
+

JavaScript required

+

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

+

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

+
+ +
+
+
+
+
+
+ +
+
+ +
+ + + +
+
Sign in
+ +
+
+ +
+ +
+
+ + +
+ +
+ + +
+ +
+ Sign in +
+
+ +
+ +
+
+ + + + +
+
+ +
+ introduction +
+ + +
+ +
+ +
+
+
+
+
+ +
+
+
+ + + + + + diff --git a/pkg/provider/aad/testdata/ADFStrust.html b/pkg/provider/aad/testdata/ADFStrust.html new file mode 100644 index 000000000..4819c5a5f --- /dev/null +++ b/pkg/provider/aad/testdata/ADFStrust.html @@ -0,0 +1 @@ +Working...
\ No newline at end of file diff --git a/pkg/provider/aad/testdata/BeginAuth.json b/pkg/provider/aad/testdata/BeginAuth.json new file mode 100644 index 000000000..bd38ad592 --- /dev/null +++ b/pkg/provider/aad/testdata/BeginAuth.json @@ -0,0 +1 @@ +{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"OneWaySMS","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":0} \ No newline at end of file diff --git a/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html b/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html new file mode 100644 index 000000000..045e1facd --- /dev/null +++ b/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html @@ -0,0 +1,73 @@ + + + + + + + Sign in to your account + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pkg/provider/aad/testdata/ConvergedSignIn.html b/pkg/provider/aad/testdata/ConvergedSignIn.html new file mode 100644 index 000000000..5d1779633 --- /dev/null +++ b/pkg/provider/aad/testdata/ConvergedSignIn.html @@ -0,0 +1,75 @@ + + + + + + + Sign in to your account + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pkg/provider/aad/testdata/ConvergedTFA.html b/pkg/provider/aad/testdata/ConvergedTFA.html new file mode 100644 index 000000000..f55cb0400 --- /dev/null +++ b/pkg/provider/aad/testdata/ConvergedTFA.html @@ -0,0 +1,74 @@ + + + + + + + Sign in to your account + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pkg/provider/aad/testdata/EndAuth.json b/pkg/provider/aad/testdata/EndAuth.json new file mode 100644 index 000000000..bd38ad592 --- /dev/null +++ b/pkg/provider/aad/testdata/EndAuth.json 
@@ -0,0 +1 @@ +{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"OneWaySMS","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":0} \ No newline at end of file diff --git a/pkg/provider/aad/testdata/GetCredentialType_adfs.json b/pkg/provider/aad/testdata/GetCredentialType_adfs.json new file mode 100644 index 000000000..adadb936f --- /dev/null +++ b/pkg/provider/aad/testdata/GetCredentialType_adfs.json @@ -0,0 +1 @@ +{"Username":"{{.UserName}}","Display":"{{.UserName}}","IfExistsResult":0,"IsUnmanaged":false,"ThrottleStatus":1,"Credentials":{"PrefCredential":4,"HasPassword":true,"RemoteNgcParams":null,"FidoParams":null,"SasParams":null,"CertAuthParams":null,"GoogleParams":null,"FacebookParams":null,"FederationRedirectUrl":"{{.UrlFederationRedirect}}"},"EstsProperties":{"UserTenantBranding":[{"Locale":0,"BannerLogo":"https://via.placeholder.com/280x60.png","TileLogo":"https://via.placeholder.com/240x240.png","TileDarkLogo":"https://via.placeholder.com/240x240.png","UserIdLabel":"someone@example.com","KeepMeSignedInDisabled":false,"UseTransparentLightBox":false,"LayoutTemplateConfig":{"showHeader":false,"headerLogo":"","layoutType":0,"hideCantAccessYourAccount":false,"hideForgotMyPassword":false,"hideResetItNow":false,"hideAccountResetCredentials":false,"showFooter":true,"hideTOU":false,"hidePrivacy":false},"CustomizationFiles":{"strings":{"adminConsent":"","attributeCollection":"","authenticatorNudgeScreen":"","conditionalAccess":""},"customCssUrl":""}}],"DomainType":4},"FlowToken":"{{.SFT}}","IsSignupDisallowed":true,"apiCanary":"{{.ApiCanary}}"} \ No newline at end of file diff --git a/pkg/provider/aad/testdata/GetCredentialType_default.json b/pkg/provider/aad/testdata/GetCredentialType_default.json new file mode 100644 index 000000000..ef5811a92 --- /dev/null 
+++ b/pkg/provider/aad/testdata/GetCredentialType_default.json @@ -0,0 +1 @@ +{"Username":"{{.UserName}}","Display":"{{.UserName}}","IfExistsResult":0,"IsUnmanaged":false,"ThrottleStatus":0,"Credentials":{"PrefCredential":1,"HasPassword":true,"RemoteNgcParams":null,"FidoParams":null,"SasParams":null,"CertAuthParams":null,"GoogleParams":null,"FacebookParams":null},"EstsProperties":{"UserTenantBranding":null,"DomainType":3},"FlowToken":"{{.SFT}}","IsSignupDisallowed":true,"apiCanary":"{{.ApiCanary}}"} \ No newline at end of file diff --git a/pkg/provider/aad/testdata/HiddenForm.html b/pkg/provider/aad/testdata/HiddenForm.html new file mode 100644 index 000000000..b47150d3c --- /dev/null +++ b/pkg/provider/aad/testdata/HiddenForm.html @@ -0,0 +1 @@ +Working...
\ No newline at end of file diff --git a/pkg/provider/aad/testdata/KmsiInterrupt.html b/pkg/provider/aad/testdata/KmsiInterrupt.html new file mode 100644 index 000000000..a4eb86a1d --- /dev/null +++ b/pkg/provider/aad/testdata/KmsiInterrupt.html @@ -0,0 +1,73 @@ + + + + + + + Sign in to your account + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pkg/provider/aad/testdata/SAMLRequest.html b/pkg/provider/aad/testdata/SAMLRequest.html new file mode 100644 index 000000000..9d39c270b --- /dev/null +++ b/pkg/provider/aad/testdata/SAMLRequest.html @@ -0,0 +1,211 @@ + + + + + + + + + + + + +
+
+ + + +
+ + + + + + + + + + + + +
+ + + + +
+
+
+
+ +
+
+
+ +
+ + + + + +
+ +
+
+
+
+
+ +
+ +
+
+
+ + + + + + + + +
+ + + + diff --git a/pkg/provider/aad/testdata/SAMLResponse.html b/pkg/provider/aad/testdata/SAMLResponse.html new file mode 100644 index 000000000..be028ef01 --- /dev/null +++ b/pkg/provider/aad/testdata/SAMLResponse.html @@ -0,0 +1 @@ +Working...
\ No newline at end of file diff --git a/pkg/provider/aad/testdata/SAMLResponse.xml b/pkg/provider/aad/testdata/SAMLResponse.xml new file mode 100644 index 000000000..aaba12d27 --- /dev/null +++ b/pkg/provider/aad/testdata/SAMLResponse.xml 
@@ -0,0 +1,94 @@ + + https://sts.windows.net/25f4519b-eca5-405d-b516-123af862c268/ + + + + + + https://sts.windows.net/25f4519b-eca5-405d-b516-123af862c268/ + + + + + + + + + + + ba0vLeerzPU5SlBzNMQ95WNLauGojdAZBDdCPMJmUNI= + + + QE4db1da3PKU583Q0mm9MRpLaogENs95eWSkc8RvtU3kYwOVHpFtcVyG0wti54sc72V7rWSr3UoIGysgx_-3UJch_oG1JJi7IdNLhbFBx-PVxtAKvIdMkSM8tXRLuEtkNUB760jQAmie43Che8j47JdyWp4nh19QTDHjpH2vW9zldp-mhlLtl_QQQ-lJPd-LWC3A4xS0a81fenApzq4KvOY4zghapNih_dZOH6OO_UBgq_fyZ-x7gDiHin4UeySsaHQEBPr_mx5t6ilteSjm3J6HKlVVw9HNhmgry80UJkuVZ-7nWfgaawNjHDtG2UXN9k5oT0hCokMG7SlcPVKLqA== + + + MIIC8DCCAdigAwIBAgIQV3utGUh+Q55I54g7Y8RkUjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xOTA4MDgwNzA1MDBaFw0yMjA4MDgwNzAyMTlaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApO5wQVjdzEx2/j5gNrUh94wpBni4wNmRI3tKoSWJpRjnnlhwHSiiAWo7KX924owbbc8m+aqZ/dt7gdyADl02dJN5vjYwHy0rJoitC6j9hVHd/Fz7QOOhlaLwtxKfp7bgzvLYw3/HsAFbnJxwQWdddiPm6+2b903tdUehV9lR7LgLwa8pYA8ybnV/8KrgB9zwDi8c+h0Od3+SLvheCagOLmPZBc3u2YkW6BRLt3HIdT75Rv5G81ak3yKdmpjelIgcj/39x/g5K4xTYYJz8x/a8xdy1tax46Vr0h7xfg3YkuYy/kcs6JGilQEVsA/NVmAGPl7W7uu03CCFsi5Xc8aIXwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBiVFSvDRTGqlgnBaQjrdaN3GanD+vggrz8rzm+ccdFi72xkRKMmAxePVcgYNZWl4pZgXitQOa9otE4gxzLFQEXpShj/xgomZ1orF5Fx2DIP/TtHn+6BGK4pi/QsSDWqOx33lDnPjXY6Ouiyz4GoY50l6UfXzwyCiYBoI/r0Paf5bLSF9gV0aJInFswG28lXDsUydXKsByrprqvYpWX6lplRf/SgCmCf8l9eApk+558cWtIlUn1mDzYxt8z7X8xhBYXyg6193wz4A2ULhfB7No/bO6WDlaaK2YN1VSpjRdwDKpKiR2yy3kJRJl1IO8szqIYPKcrdTwGBNRDix1UEwdR + + + + + exampleuser@exampledomain.com + + + + + + + https://signin.aws.amazon.com/saml + + + + + 25f4519b-eca5-405d-b516-123af862c268 + + + 5159e491-c7a1-4c67-bff9-666cdab9a60b + + + Doe, John + + + https://sts.windows.net/25f4519b-eca5-405d-b516-123af862c268/ + + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + http://schemas.microsoft.com/claims/multipleauthn + + + 
arn:aws:iam::012345678901:role/example_role,arn:aws:iam::012345678901:saml-provider/EXAMPLE_PROVIDER + arn:aws:iam::123456789012:role/example_role,arn:aws:iam::123456789012:saml-provider/EXAMPLE_PROVIDER + + + John + + + Doe + + + john.doe@exampledomain.com + + + exampleuser@exampledomain.com + + + arn:aws:iam::012345678901:role/example_role,arn:aws:iam::012345678901:saml-provider/EXAMPLE_PROVIDER + arn:aws:iam::123456789012:role/example_role,arn:aws:iam::123456789012:saml-provider/EXAMPLE_PROVIDER + + + exampleuser@exampledomain.com + + + exampleuser + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + + \ No newline at end of file From b044230ac8a2ba5544ecf6927a4947a364910cef Mon Sep 17 00:00:00 2001 From: Joey McDaniel <17505625+jmctune@users.noreply.github.com> Date: Mon, 25 Apr 2022 09:38:37 -0500 Subject: [PATCH 016/296] Add js_enabled to bgresponse. --- pkg/provider/googleapps/googleapps.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/provider/googleapps/googleapps.go b/pkg/provider/googleapps/googleapps.go index e2ad9e1c7..bf2f4b82c 100644 --- a/pkg/provider/googleapps/googleapps.go +++ b/pkg/provider/googleapps/googleapps.go @@ -238,7 +238,7 @@ func (kc *Client) loadFirstPage(loginDetails *creds.LoginDetails) (string, url.V if loginPageV1 { // Login page v1 postForm = url.Values{ - "bgresponse": []string{"js_disabled"}, + "bgresponse": []string{"js_enabled"}, "checkConnection": []string{""}, "checkedDomains": []string{"youtube"}, "continue": []string{authForm.Get("continue")}, @@ -277,7 +277,7 @@ func (kc *Client) loadFirstPage(loginDetails *creds.LoginDetails) (string, url.V "Email": []string{""}, "Passwd": []string{""}, "TrustDevice": []string{"on"}, - "bgresponse": []string{"js_disabled"}, + "bgresponse": []string{"js_enabled"}, } for _, k := range []string{"TL", "gxf"} { if v, ok := authForm[k]; ok { From d122ec02e80a2f0962b70d3e893f47a6b12ae3a7 Mon Sep 17 00:00:00 2001 
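Review bot: Both hunks hard-code the new `"js_enabled"` literal in two separate `postForm` maps, so the next adjustment of this marker has to be made twice; a package-level `const bgResponseValue = "js_enabled"` referenced from both literals keeps the v1 and v2 login paths in step. The commit message gives no reason for leaving `js_disabled`, and nothing in the hunk records it either, so a one-line comment at the first site describing what the marker signals to the login flow (with the issue or observation that motivated it, as a placeholder if unknown) would stop a future reader from reverting it. `loadFirstPage` starts and ends outside both hunks.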
From: Leo Liu Date: Mon, 25 Apr 2022 23:25:48 +0800 Subject: [PATCH 017/296] Fill in csrf token from cookies --- pkg/provider/pingfed/pingfed.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/provider/pingfed/pingfed.go b/pkg/provider/pingfed/pingfed.go index 16e6c7cc0..742afd507 100644 --- a/pkg/provider/pingfed/pingfed.go +++ b/pkg/provider/pingfed/pingfed.go @@ -68,7 +68,7 @@ func (ac *Client) follow(ctx context.Context, req *http.Request) (string, error) if err != nil { return "", errors.Wrap(err, "error following") } - doc, err := goquery.NewDocumentFromReader(res.Body) + doc, err := goquery.NewDocumentFromResponse(res) if err != nil { return "", errors.Wrap(err, "failed to build document from response") } @@ -153,6 +153,13 @@ func (ac *Client) handleOTP(ctx context.Context, doc *goquery.Document) (context return ctx, nil, errors.Wrap(err, "error extracting OTP form") } + for _, v := range ac.client.Jar.Cookies(doc.Url) { + if v.Name == ".csrf" { + form.Values.Set("csrfToken", v.Value) + break + } + } + token := prompter.StringRequired("Enter passcode") form.Values.Set("otp", token) req, err := form.BuildRequest() From bc0b9a66779e614a0dd9a472923a178715ed088c Mon Sep 17 00:00:00 2001 From: Mark Wolfe Date: Fri, 29 Apr 2022 15:45:13 +1000 Subject: [PATCH 018/296] chore(linter): update linter and some associated fixes --- .github/workflows/go.yml | 2 +- Makefile | 22 +++++----------------- pkg/shell/shell.go | 1 + pkg/shell/shell_test.go | 1 + 4 files changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index bbb163c98..0d5f01c56 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -46,7 +46,7 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@v2 with: - version: v1.42.0 + version: v1.45.2 release-build: name: release-build diff --git a/Makefile b/Makefile index bb31ec9c6..3dac85ed8 100644 --- a/Makefile +++ b/Makefile 
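Review bot: The cookie loop added in the second hunk (`@@ -153`) calls `ac.client.Jar.Cookies(doc.Url)` without checking either operand: `doc.Url` is only populated because the first hunk switched `follow` to `goquery.NewDocumentFromResponse`, and with the standard `cookiejar` implementation `Cookies(nil)` dereferences the nil URL, while a client built without a jar would fail on the nil interface; a guard such as `if jar := ac.client.Jar; jar != nil && doc.Url != nil {` keeps the two hunks from being silently coupled. The `.csrf` cookie name and the `csrfToken` field are magic strings for a double-submit pairing; naming them (`const csrfCookieName = ".csrf"`) documents that relationship. goquery's documentation marks `NewDocumentFromResponse` as deprecated and states that it closes the response body on return, so any existing `defer res.Body.Close()` in `follow` becomes a second, redundant close — harmless, but worth a comment. `follow` and `handleOTP` both start and end outside the hunks.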
@@ -3,7 +3,7 @@ ARCH=$(shell uname -m) VERSION=2.28.0 ITERATION := 1 -GOLANGCI_VERSION = 1.32.0 +GOLANGCI_VERSION = 1.45.2 GORELEASER_VERSION = 0.157.0 SOURCE_FILES?=$$(go list ./... | grep -v /vendor/) @@ -14,31 +14,19 @@ BIN_DIR := $(CURDIR)/bin ci: prepare test -$(BIN_DIR)/golangci-lint: $(BIN_DIR)/golangci-lint-${GOLANGCI_VERSION} - @ln -sf golangci-lint-${GOLANGCI_VERSION} $(BIN_DIR)/golangci-lint -$(BIN_DIR)/golangci-lint-${GOLANGCI_VERSION}: - @curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | BINARY=golangci-lint bash -s -- v${GOLANGCI_VERSION} - @mv $(BIN_DIR)/golangci-lint $@ - -$(BIN_DIR)/goreleaser: $(BIN_DIR)/goreleaser-${GORELEASER_VERSION} - @ln -sf goreleaser-${GORELEASER_VERSION} $(BIN_DIR)/goreleaser -$(BIN_DIR)/goreleaser-${GORELEASER_VERSION}: - @curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | BINARY=goreleaser bash -s -- v${GORELEASER_VERSION} - @mv $(BIN_DIR)/goreleaser $@ - mod: @go mod download @go mod tidy .PHONY: mod -lint: $(BIN_DIR)/golangci-lint +lint: @echo "--- lint all the things" - @$(BIN_DIR)/golangci-lint run ./... + @docker run --rm -v $(shell pwd):/app -w /app golangci/golangci-lint:v$(GOLANGCI_VERSION) golangci-lint run -v .PHONY: lint -lint-fix: $(BIN_DIR)/golangci-lint +lint-fix: @echo "--- lint all the things" - @$(BIN_DIR)/golangci-lint run --fix ./... + @docker run --rm -v $(shell pwd):/app -w /app golangci/golangci-lint:v$(GOLANGCI_VERSION) golangci-lint run -v --fix .PHONY: lint-fix fmt: lint-fix diff --git a/pkg/shell/shell.go b/pkg/shell/shell.go index 1a2e158a1..f5dd70f43 100644 --- a/pkg/shell/shell.go +++ b/pkg/shell/shell.go @@ -1,3 +1,4 @@ +//go:build !windows // +build !windows package shell diff --git a/pkg/shell/shell_test.go b/pkg/shell/shell_test.go index 096035fcf..5959b6fb1 100644 --- a/pkg/shell/shell_test.go +++ b/pkg/shell/shell_test.go @@ -1,3 +1,4 @@ +//go:build !windows // +build !windows package shell 
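Review bot: The new `lint` and `lint-fix` recipes run `golangci/golangci-lint:v$(GOLANGCI_VERSION)`, a mutable tag, with the whole working tree bind-mounted into the container, so the code that runs over the source can change underneath a fixed version number; pinning the image by digest as well (`golangci/golangci-lint:v$(GOLANGCI_VERSION)@sha256:<digest placeholder>`) gives this change the reproducibility the removed curl-to-bash installer also lacked. Both recipes use `$(shell pwd)` although the file already relies on `$(CURDIR)` for `BIN_DIR`; `-v $(CURDIR):/app` is the consistent form and avoids a shell fork. The `fmt: lint-fix` dependency that closes the hunk now makes `make fmt` require Docker, which is probably intended but deserves a one-line comment above `fmt:`.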
From 4786882569bbd8e4959e8d26cc4176a6e4a4ace2 Mon Sep 17 00:00:00 2001 From: Eli Atzaba Date: Mon, 2 May 2022 16:53:59 -0700 Subject: [PATCH 019/296] added support for browser-type --- README.md | 2 ++ cmd/saml2aws/main.go | 1 + pkg/cfg/cfg.go | 1 + pkg/flags/flags.go | 5 +++++ pkg/provider/browser/browser.go | 9 ++++++++- 5 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4fda2277c..a70fd5757 100644 --- a/README.md +++ b/README.md @@ -151,6 +151,8 @@ Flags: -a, --idp-account="default" The name of the configured IDP account. (env: SAML2AWS_IDP_ACCOUNT) --idp-provider=IDP-PROVIDER The configured IDP provider. (env: SAML2AWS_IDP_PROVIDER) + --browser-type=BROWSER-TYPE + The browser type to use when IDP provider is set to 'Browser'. (env: SAML2AWS_BROWSER_TYPE) --mfa=MFA The name of the mfa. (env: SAML2AWS_MFA) -s, --skip-verify Skip verification of server certificate. (env: SAML2AWS_SKIP_VERIFY) --url=URL The URL of the SAML IDP server used to login. (env: SAML2AWS_URL) diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go index d6ee181e3..7edffd576 100644 --- a/cmd/saml2aws/main.go +++ b/cmd/saml2aws/main.go 
@@ -70,6 +70,7 @@ func main() { app.Flag("config", "Path/filename of saml2aws config file (env: SAML2AWS_CONFIGFILE)").Envar("SAML2AWS_CONFIGFILE").StringVar(&commonFlags.ConfigFile) app.Flag("idp-account", "The name of the configured IDP account. (env: SAML2AWS_IDP_ACCOUNT)").Envar("SAML2AWS_IDP_ACCOUNT").Short('a').Default("default").StringVar(&commonFlags.IdpAccount) app.Flag("idp-provider", "The configured IDP provider. (env: SAML2AWS_IDP_PROVIDER)").Envar("SAML2AWS_IDP_PROVIDER").EnumVar(&commonFlags.IdpProvider, "Akamai", "AzureAD", "ADFS", "ADFS2", "Browser", "GoogleApps", "Ping", "JumpCloud", "Okta", "OneLogin", "PSU", "KeyCloak", "F5APM", "Shibboleth", "ShibbolethECP", "NetIQ", "Auth0") + app.Flag("browser-type", "The configured browser type when the IDP provider is set to Browser. (env: SAML2AWS_BROWSER_TYPE)").Envar("SAML2AWS_BROWSER_TYPE").EnumVar(&commonFlags.BrowserType, "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary") app.Flag("mfa", "The name of the mfa. (env: SAML2AWS_MFA)").Envar("SAML2AWS_MFA").StringVar(&commonFlags.MFA) app.Flag("skip-verify", "Skip verification of server certificate. (env: SAML2AWS_SKIP_VERIFY)").Envar("SAML2AWS_SKIP_VERIFY").Short('s').BoolVar(&commonFlags.SkipVerify) app.Flag("url", "The URL of the SAML IDP server used to login. (env: SAML2AWS_URL)").Envar("SAML2AWS_URL").StringVar(&commonFlags.URL) diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 79b5945b4..25f64d9a1 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -36,6 +36,7 @@ type IDPAccount struct { URL string `ini:"url"` Username string `ini:"username"` Provider string `ini:"provider"` + BrowserType string `ini:"browser_type"` // used by 'Browser' Provider MFA string `ini:"mfa"` SkipVerify bool `ini:"skip_verify"` Timeout int `ini:"timeout"` diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 7a3beb6fa..2a32714e1 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go 
@@ -12,6 +12,7 @@ type CommonFlags struct { ConfigFile string IdpAccount string IdpProvider string + BrowserType string MFA string MFAToken string URL string @@ -71,6 +72,10 @@ func ApplyFlagOverrides(commonFlags *CommonFlags, account *cfg.IDPAccount) { account.Provider = commonFlags.IdpProvider } + if commonFlags.IdpProvider == "Browser" && commonFlags.BrowserType != "" { + account.BrowserType = commonFlags.BrowserType + } + if commonFlags.MFA != "" { account.MFA = commonFlags.MFA } diff --git a/pkg/provider/browser/browser.go b/pkg/provider/browser/browser.go index d2947bfee..1df8bc760 100644 --- a/pkg/provider/browser/browser.go +++ b/pkg/provider/browser/browser.go @@ -2,6 +2,7 @@ package browser import ( "errors" + "fmt" "net/url" "github.com/mxschmitt/playwright-go" @@ -14,11 +15,12 @@ var logger = logrus.WithField("provider", "browser") // Client client for browser based Identity Provider type Client struct { + idpAccount *cfg.IDPAccount } // New create new browser based client func New(idpAccount *cfg.IDPAccount) (*Client, error) { - return &Client{}, nil + return &Client{idpAccount: idpAccount}, nil } func (cl *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) { @@ -33,6 +35,11 @@ func (cl *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) Headless: playwright.Bool(false), } + if cl.idpAccount.BrowserType != "" { + logger.Info(fmt.Sprintf("Setting browser type: %s", cl.idpAccount.BrowserType)) + launchOptions.Channel = playwright.String(cl.idpAccount.BrowserType) + } + // currently using Chromium as it is widely supported for Identity providers // // this is a sandboxed browser window so password managers and addons are separate From 89e7f4abf5c85c7d748c5e00d3ab7638faf54ec4 Mon Sep 17 00:00:00 2001 
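Review bot: The new guard in `ApplyFlagOverrides` tests `commonFlags.IdpProvider == "Browser"`, but that field is only populated when `--idp-provider` is passed on the command line; when the provider comes from the config file it is empty and `--browser-type` is silently discarded. The override immediately above already merges the flag into `account.Provider`, so the merged value is what should be checked: `if account.Provider == "Browser" && commonFlags.BrowserType != "" {`. The `CommonFlags` struct and `ApplyFlagOverrides` both start and end outside the hunks.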
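Review bot: `logger.Info(fmt.Sprintf("Setting browser type: %s", cl.idpAccount.BrowserType))` in the third hunk should be `logger.Infof("Setting browser type: %s", cl.idpAccount.BrowserType)`, which also removes the need for the `fmt` import added in the first hunk. The value handed to `playwright.String` is validated only when it arrives via the CLI flag's enum in `main.go`; a `browser_type` key from the config file is passed through as-is, so a comment on the `if`, such as `// BrowserType is enum-checked only for the CLI flag; config-file values reach Playwright unvalidated`, sets expectations for the next maintainer. `New` now stores the `idpAccount` pointer and `Authenticate` dereferences it, so callers passing nil would panic here rather than in `New` — presumably never the case, but worth noting in `New`'s doc comment. `Authenticate` continues outside the hunk.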
From: Chris Reeves Date: Fri, 6 May 2022 12:43:50 +0100 Subject: [PATCH 020/296] Fix Duo authentication failure with Shib provider Duo now appears to require the Accept-Language header to be present, otherwise it will produce an error. Fixes #818 --- pkg/provider/shibboleth/shibboleth.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/provider/shibboleth/shibboleth.go b/pkg/provider/shibboleth/shibboleth.go index 678afbbb0..a9d058ee1 100644 --- a/pkg/provider/shibboleth/shibboleth.go +++ b/pkg/provider/shibboleth/shibboleth.go @@ -196,6 +196,7 @@ func verifyDuoMfa(oc *Client, loginDetails *creds.LoginDetails, duoHost string, req.URL.RawQuery = q.Encode() req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + req.Header.Add("Accept-Language", "en-us,en;q=0.5") res, err := oc.client.Do(req) if err != nil { From d457de2ead280b5f019e2fcff357b2e8b754e40e Mon Sep 17 00:00:00 2001 From: Chris Reeves Date: Fri, 6 May 2022 12:47:49 +0100 Subject: [PATCH 021/296] Update README for Shibboleth provider Now tested against Shibboleth 4.2.1 --- pkg/provider/shibboleth/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/provider/shibboleth/README.md b/pkg/provider/shibboleth/README.md index 8b79d8cc9..29ff9db3d 100644 --- a/pkg/provider/shibboleth/README.md +++ b/pkg/provider/shibboleth/README.md @@ -16,4 +16,4 @@ https://idp.example.com/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon: * Tested on: * Shibboleth 3.3 with Duo MFA; - * Shibboleth 4.0.1 with Duo MFA and CSRF tokens. + * Shibboleth 4.0.1, 4.2.1 with Duo MFA and CSRF tokens. From e305650f0527d8ee82d761bc4d0251b75fd13093 Mon Sep 17 00:00:00 2001 
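Review bot: The reason for the added `Accept-Language` header lives only in the commit message; a comment beside the line, e.g. `// Duo rejects the request when Accept-Language is absent (#818)`, keeps the next reader from pruning it as an unnecessary header. `verifyDuoMfa` starts and ends outside the hunk.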
From: =?UTF-8?q?Krzysztof=20Dry=C5=9B?= Date: Mon, 16 May 2022 14:18:01 +0200 Subject: [PATCH 022/296] verifyMfa should return error on no token When verifyMfa receives no session token from the remote token, it should fail immidietly. This way saml2aws is able to use the whole response payload to explain to the user, what went wrong. Status field can contain meaningful information like 'PASSWORD_EXPIRED'. Before this change, if origin returned to answer, the error returned to the user would be: "Error authenticating to IdP.: unable to create an okta session, nil input". --- pkg/provider/okta/okta.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index 042f029c6..7ce292d2d 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go @@ -778,6 +778,14 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails, } resp = string(body) + sessionToken := gjson.Get(resp, "sessionToken").String() + if sessionToken == "" { + status := gjson.Get(resp, "status").String() + if status != "" { + return "", errors.Errorf("response does not contain session token, received status is: %q", status) + } + return "", errors.Errorf("response does not contain session token") + } return gjson.Get(resp, "sessionToken").String(), nil From bd8ae8bfb5cc7b2386c632094fca6f510b994b0b Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Wed, 18 May 2022 15:42:08 -0400 Subject: [PATCH 023/296] Add Entropy to mfaBegin Response & struct --- pkg/provider/aad/aad.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go index 0c2607097..606e2131c 100644 --- a/pkg/provider/aad/aad.go +++ b/pkg/provider/aad/aad.go @@ -486,6 +486,7 @@ type mfaResponse struct { SessionID string `json:"SessionId"` CorrelationID string `json:"CorrelationId"` Timestamp time.Time `json:"Timestamp"` + Entropy string `json:"Entropy"` } // Autogenerate ProcessAuth response 
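Review bot: After the new guard the closing `return gjson.Get(resp, "sessionToken").String(), nil` re-parses the body for a value already held in `sessionToken`; `return sessionToken, nil` is cheaper and makes the non-empty invariant explicit. The two error branches could also fold into one `errors.Errorf("response does not contain session token (status %q)", status)`, since an empty `status` still prints usefully with `%q`, but that is a matter of taste. `verifyMfa` starts outside the hunk.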
@@ -977,7 +978,7 @@ func (ac *Client) getMfaFlowToken(mfas []userProof, loginPasswordResp passwordLo mfaReq.AdditionalAuthData = verifyCode } if mfaReq.AuthMethodID == "PhoneAppNotification" && i == 0 { - log.Println("Phone approval required.") + log.Println("Phone approval required. Entropy is: " + mfaResp.Entropy) } mfaReqJson, err := json.Marshal(mfaReq) if err != nil { From 3f9221ecbf1b75f52b4baac511cb1071fe879dec Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Wed, 18 May 2022 18:20:17 -0400 Subject: [PATCH 024/296] Adjust Entropy (int instead of String) and rework formatting. --- pkg/provider/aad/aad.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go index 606e2131c..a9183e187 100644 --- a/pkg/provider/aad/aad.go +++ b/pkg/provider/aad/aad.go @@ -486,7 +486,7 @@ type mfaResponse struct { SessionID string `json:"SessionId"` CorrelationID string `json:"CorrelationId"` Timestamp time.Time `json:"Timestamp"` - Entropy string `json:"Entropy"` + Entropy int `json:"Entropy"` } // Autogenerate ProcessAuth response @@ -978,7 +978,7 @@ func (ac *Client) getMfaFlowToken(mfas []userProof, loginPasswordResp passwordLo mfaReq.AdditionalAuthData = verifyCode } if mfaReq.AuthMethodID == "PhoneAppNotification" && i == 0 { - log.Println("Phone approval required. Entropy is: " + mfaResp.Entropy) + log.Printf("Phone approval required. Entropy is: %d", mfaResp.Entropy) } mfaReqJson, err := json.Marshal(mfaReq) if err != nil { From 9896a82e65d15045bd97780066df476da42d3266 Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Thu, 19 May 2022 19:56:03 -0400 Subject: [PATCH 025/296] change module name? --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 169c09ce6..e91ad1986 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/versent/saml2aws/v2 +module github.com/marcottedan/saml2aws/v2 go 1.17 
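Review bot: Changing the `module` line to `github.com/marcottedan/saml2aws/v2` while the diffstat touches only `go.mod` leaves every internal import of `github.com/versent/saml2aws/v2/...` pointing at the upstream module path, so the tree either fails to resolve those packages or compiles them from a downloaded upstream copy rather than the local source. The question mark in the commit title suggests this was exploratory; if a fork path is really intended, the import paths under `cmd/` and `pkg/` have to move with it, otherwise this hunk should be dropped.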
From 3944868677760a23fca68f824265d9dbd969efa4 Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Thu, 19 May 2022 20:18:19 -0400 Subject: [PATCH 026/296] Bump to go 1.18 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 169c09ce6..45cf0b33e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/versent/saml2aws/v2 -go 1.17 +go 1.18 require ( github.com/99designs/keyring v1.1.6 From 55b34ffefdd0adc2cc37efddc355cf9fb1d9db4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Thu, 19 May 2022 22:03:42 -0400 Subject: [PATCH 027/296] Bump Golang to 1.18 for Appveyor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gábor Lipták --- .appveyor/appveyor.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.appveyor/appveyor.yml b/.appveyor/appveyor.yml index 0b4b2728e..c4edc5e76 100644 --- a/.appveyor/appveyor.yml +++ b/.appveyor/appveyor.yml @@ -6,7 +6,8 @@ environment: secure: 3kWTz99Qj+ipyaR73CxcJeGRRbmk84MF2ERDu6MyY10cjHAi6s3AVZ2Ccoa+Ioyt appName: saml2aws install: -- set PATH=C:\msys64\mingw64\bin;%PATH% +- set PATH=C:\msys64\mingw64\bin;C:\go118\bin;%PATH% +- set GOROOT=C:\go118 - ps: >- $VerbosePreference = 'Continue' From 7ba431a018a23cf619e5740a759438e4fd93c0ae Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Fri, 20 May 2022 11:24:44 -0400 Subject: [PATCH 028/296] Add support for Entropy in MFA response + quick test --- go.mod | 1 + go.sum | 5 ++--- pkg/provider/aad/aad.go | 6 +++++- pkg/provider/aad/aad_test.go | 37 ++++++++++++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 4 deletions(-) create mode 100644 pkg/provider/aad/aad_test.go diff --git a/go.mod b/go.mod index 86c971f48..ecf289112 100644 --- a/go.mod +++ b/go.mod 
@@ -22,6 +22,7 @@ require ( github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/stretchr/testify v1.7.0 github.com/tidwall/gjson v1.13.0 + github.com/versent/saml2aws/v2 v2.35.0 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd gopkg.in/ini.v1 v1.66.3 ) diff --git a/go.sum b/go.sum index be8e98b4b..71a7df083 100644 --- a/go.sum +++ b/go.sum @@ -93,7 +93,6 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc= github.com/keybase/go-keychain v0.0.0-20211119201326-e02f34051621 h1:aMQ7pA4f06yOVXSulygyGvy4xA94fyzjUGs0iqQdMOI= github.com/keybase/go-keychain v0.0.0-20211119201326-e02f34051621/go.mod h1:enrU/ug069Om7vWxuFE6nikLI2BZNwevMiGSo43Kt5w= -github.com/keybase/go.dbus v0.0.0-20200324223359-a94be52c0b03/go.mod h1:a8clEhrrGV/d76/f9r2I41BwANMihfZYV9C223vaxqE= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -164,7 +163,6 @@ github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoH github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/tidwall/gjson v1.13.0 h1:3TFY9yxOQShrvmjdM76K+jc66zJeT6D3/VFFYCGQf7M= 
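Review bot: The added `github.com/versent/saml2aws/v2 v2.35.0` requirement makes the repository depend on a published copy of itself. If the `module` line is still `github.com/versent/saml2aws/v2`, a self-requirement is something `go mod tidy` will reject or strip; if the module was renamed to a fork path earlier in the series, packages importing `github.com/versent/saml2aws/v2/...` will silently build against the v2.35.0 download instead of the local tree, and the new `aad_test.go` in this commit may not be exercising the `mfaResponse` change at all. The requirement should be removed and the import paths checked, with the matching `go.sum` lines dropped.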
@@ -175,6 +173,8 @@ github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/versent/saml2aws/v2 v2.35.0 h1:3IMuRWxrtb8id0Rz3TcdH8tx5XYFzIj0TXBjxS0qM/w= +github.com/versent/saml2aws/v2 v2.35.0/go.mod h1:ZGX2eg23eINLc7VBkqdDbRs6oqVLwbPW9kTJwM1Jjko= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= @@ -215,7 +215,6 @@ golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go index a9183e187..6fdaa652d 100644 --- a/pkg/provider/aad/aad.go +++ b/pkg/provider/aad/aad.go 
@@ -978,7 +978,11 @@ func (ac *Client) getMfaFlowToken(mfas []userProof, loginPasswordResp passwordLo mfaReq.AdditionalAuthData = verifyCode } if mfaReq.AuthMethodID == "PhoneAppNotification" && i == 0 { - log.Printf("Phone approval required. Entropy is: %d", mfaResp.Entropy) + if mfaResp.Entropy == 0 { + log.Println("Phone approval required.") + } else { + log.Printf("Phone approval required. Entropy is: %d", mfaResp.Entropy) + } } mfaReqJson, err := json.Marshal(mfaReq) if err != nil { diff --git a/pkg/provider/aad/aad_test.go b/pkg/provider/aad/aad_test.go new file mode 100644 index 000000000..c276498e9 --- /dev/null +++ b/pkg/provider/aad/aad_test.go 
@@ -0,0 +1,37 @@ +package aad + +import ( + "encoding/json" + "github.com/sirupsen/logrus" + "testing" +) + +func TestAad_UnmarshallMfaResponseWithEntropy(t *testing.T) { + + mfaBeginJsonWithEntropy := []byte("{\"Success\":true,\"ResultValue\":\"Success\",\"Message\":null,\"AuthMethodId\":\"PhoneAppNotification\",\"ErrCode\":0,\"Retry\":false,\"FlowToken\":\"AQABAAEAAAD--DLA3VO7QrddgJg7Wevr5BtzS6C3muY2iOn2W5Nxhyz_B2nFLqOhdxngHgZWDXZHBx6mK27MN6N26J1oz7ydOnsuY3EfEWr5SHToI1N-NpdxotuKfqh6ssxejlKzEaCeYZ1AymWu3DENP9TEo0Pxnd6Vbd7H7soUMjW2-m2ykU1R7bCqcIQiGCF9NX2wmRVm5ia2SzPy1J3rU9nAKnppmiJoyT0yP-U24Jsty7Dje52s-ddFHkjtupiV-R3_JMx4c2KDAfJYabwAWy1Ra1UsxZbSwMkRwhacS46Y9pmztFuSeF6_opIV2H6xNogk2usNnFqJLqT-ibgy2qkJvot07XGH0leN7n-C2oLnziAWpdcC96xracZ16qtTWD6xeBFyM9s-BpHqPfo4Te1a9xlyT3-tlF2qtgUMJSnGN-Ipe21w2pm6mngKL0o1umeyrgz-CXMrGW_sDHUK1D7RqzmZzvh8ZVUBI8bB9os2QFxDypdZfv2qJSTyydJBOM_GDYG_cJ7jcaxonNmSGBDIZTXRlgtzqI3bw43e_NrULuCE2XBj4-nFaNMnEsUfFvSW35po1cLRcDPHoTCUaIdQBU6w0VsuRizMuX7o7y_Nngoc66XNg6XnPtgN0JyQqkyPUPYRRe5pNv7X_9KINtxCitkq5-9PsIIta74GfSehldSJpdI3pi_AhTBHPxtw8caBrySB4PiA7uLC8a3smdYm_cPPeSmsCGRgotRDxooo-FA2hOtCZ52PmlMzjdjmk5719WA_afK9D4MxGt8EmNonI9939XWprUNW2dTc7nQ7asjMo3BonGpP1LfbMIhZ7goD0rGtWNEqIdRifShaFffcKaKcmHtbBeOLWfnUm1PQ-0P0RGHCOh8jMJROn56KjB8djDKHKrvKKjvhVff-P91L_nNVOlqU0GWmWfwhSR279HOtsiQnHVFjnS9Qn0bAjpgf33caLTKebYH6CoUnorCkRHbh44gONFi2rQhOFH_fNKr_Wx6eRlrSj7LZIx20pgSG1RCi4QlVW6fv4Kkk-omRkRwmLrbpdqleoisRMBeyEAKRWk86M2VEyRwIGWakBQbSTkOTb5RENDxwz_VFwcqPkgpuIJzpOoG2p3YhLeqKgEAX5SAA\",\"Ctx\":\"rQQIARAAlVM_rNtEHH5-eQ19iFdQxQITlTohNe_OjtvmQUvjxI7jFzuJ_9tDke1z8P8zthMnGTt1QpW6IbEgxNCxU9XpsXZAFQygjkwsSNCpI46eSiW2fsN3p7vvvt_d6ft92oIdeHIVnMO7tuNz8l7PXqO4_O4H3dnVn27_cJf_Tv3494u3u48fETCoqrw8OT52PA8vs6rjeFW48lFY-F6Fi02nDjOE69LZLgu_4-H0-AlBPCeIPwni0f4VeJ2mAN27AUHHD7FIYjh2y_7SO53Lk6FUreoX--9P-8sqIHeEi3Drv9w_XOAi_TLHZfVt65eDae5nYzTAWdYU7OxkflaFnlOFOJsVOPeLKvTLW_15v8F4R8IkExJ7lGxsQwJf1xxGvFx7W7yakFxkkT3oZvOl1ew5pv2fzqUEepKh3E3lFaKkpoi-sRU6ckmwskymdkdJZJly7pL0dkK98UejXmobcuKlHGjGwO
OZ0jGkAI2SlRvSgUcx3Rno1bYpnK9FUHQMumi0qmOgpWJ00__5C_YQJhLJrkVVDsUBqKXoK2qizqE9YitLTSJ7AGhbtWp7aG3EVIhENfZVikncOInnZG_ppnqEBvTQJeVkkry5q24Ked3ncknnZvZwTJmwRyN-Dnx2zaNEMjUgBCZIFs15WuN6Y2Wrx1rEUiJkMlXXZ_MUGSpLQ9FAhpfWXZTStk6i0gE24xqcLupspUNOUVR5qIIxcGMp1kA-mPLc1tM5Rlb7azEOVlImF1Mt3vp6482zW1XDUB2tTzUFxo4GIztBoQP0yjVtSklRYRmwMIGwsMB6MM-CBTLygToSKIVPplOegSLFGZpqF3LzVjHRFTkWu7qOlCkrK82_VBIMxlaiizaLIpPsPm61m5ymOHvWutTkJwvRJ3mBF2Hi_9H6CKVO4eGq8u-UvtdEusZFXO5y_fyAeHVAfH-h6ZLffvzwn4eff3bn4eLo3rXelb1nF44nqAzimyMLlxq8Xhr0jQimclY4mInJGZLcmXczq91TU3LFW9QJfNAmHrTbf7f3779DPD18-x67997Rxb3Lh4fK5ov75ckL_uxo79WlX5-enT35-Zu_-H8B0\",\"SessionId\":\"21036f6c-f348-4396-ae7b-2afaf476eb29\",\"CorrelationId\":\"c1245034-a43e-485e-9d54-1ad8083e34b2\",\"Timestamp\":\"2022-05-20T15:15:11Z\",\"Entropy\":88}") + var mfaResp mfaResponse + + if err := json.Unmarshal(mfaBeginJsonWithEntropy, &mfaResp); err != nil { + logrus.Error("Found an error while unmarshalling") + t.Fail() + } + + if mfaResp.Entropy != 88 { + t.Errorf("Entropy is %d and should have been 88", mfaResp.Entropy) + } +} + +func TestAad_UnmarshallMfaResponseWithoutEntropy(t *testing.T) { + + mfaBeginJsonWithEntropy := 
[]byte("{\"Success\":true,\"ResultValue\":\"Success\",\"Message\":null,\"AuthMethodId\":\"PhoneAppNotification\",\"ErrCode\":0,\"Retry\":false,\"FlowToken\":\"AQABAAEAAAD--DLA3VO7QrddgJg7Wevr5BtzS6C3muY2iOn2W5Nxhyz_B2nFLqOhdxngHgZWDXZHBx6mK27MN6N26J1oz7ydOnsuY3EfEWr5SHToI1N-NpdxotuKfqh6ssxejlKzEaCeYZ1AymWu3DENP9TEo0Pxnd6Vbd7H7soUMjW2-m2ykU1R7bCqcIQiGCF9NX2wmRVm5ia2SzPy1J3rU9nAKnppmiJoyT0yP-U24Jsty7Dje52s-ddFHkjtupiV-R3_JMx4c2KDAfJYabwAWy1Ra1UsxZbSwMkRwhacS46Y9pmztFuSeF6_opIV2H6xNogk2usNnFqJLqT-ibgy2qkJvot07XGH0leN7n-C2oLnziAWpdcC96xracZ16qtTWD6xeBFyM9s-BpHqPfo4Te1a9xlyT3-tlF2qtgUMJSnGN-Ipe21w2pm6mngKL0o1umeyrgz-CXMrGW_sDHUK1D7RqzmZzvh8ZVUBI8bB9os2QFxDypdZfv2qJSTyydJBOM_GDYG_cJ7jcaxonNmSGBDIZTXRlgtzqI3bw43e_NrULuCE2XBj4-nFaNMnEsUfFvSW35po1cLRcDPHoTCUaIdQBU6w0VsuRizMuX7o7y_Nngoc66XNg6XnPtgN0JyQqkyPUPYRRe5pNv7X_9KINtxCitkq5-9PsIIta74GfSehldSJpdI3pi_AhTBHPxtw8caBrySB4PiA7uLC8a3smdYm_cPPeSmsCGRgotRDxooo-FA2hOtCZ52PmlMzjdjmk5719WA_afK9D4MxGt8EmNonI9939XWprUNW2dTc7nQ7asjMo3BonGpP1LfbMIhZ7goD0rGtWNEqIdRifShaFffcKaKcmHtbBeOLWfnUm1PQ-0P0RGHCOh8jMJROn56KjB8djDKHKrvKKjvhVff-P91L_nNVOlqU0GWmWfwhSR279HOtsiQnHVFjnS9Qn0bAjpgf33caLTKebYH6CoUnorCkRHbh44gONFi2rQhOFH_fNKr_Wx6eRlrSj7LZIx20pgSG1RCi4QlVW6fv4Kkk-omRkRwmLrbpdqleoisRMBeyEAKRWk86M2VEyRwIGWakBQbSTkOTb5RENDxwz_VFwcqPkgpuIJzpOoG2p3YhLeqKgEAX5SAA\",\"Ctx\":\"rQQIARAAlVM_rNtEHH5-eQ19iFdQxQITlTohNe_OjtvmQUvjxI7jFzuJ_9tDke1z8P8zthMnGTt1QpW6IbEgxNCxU9XpsXZAFQygjkwsSNCpI46eSiW2fsN3p7vvvt_d6ft92oIdeHIVnMO7tuNz8l7PXqO4_O4H3dnVn27_cJf_Tv3494u3u48fETCoqrw8OT52PA8vs6rjeFW48lFY-F6Fi02nDjOE69LZLgu_4-H0-AlBPCeIPwni0f4VeJ2mAN27AUHHD7FIYjh2y_7SO53Lk6FUreoX--9P-8sqIHeEi3Drv9w_XOAi_TLHZfVt65eDae5nYzTAWdYU7OxkflaFnlOFOJsVOPeLKvTLW_15v8F4R8IkExJ7lGxsQwJf1xxGvFx7W7yakFxkkT3oZvOl1ew5pv2fzqUEepKh3E3lFaKkpoi-sRU6ckmwskymdkdJZJly7pL0dkK98UejXmobcuKlHGjGwOOZ0jGkAI2SlRvSgUcx3Rno1bYpnK9FUHQMumi0qmOgpWJ00__5C_YQJhLJrkVVDsUBqKXoK2qizqE9YitLTSJ7AGhbtWp7aG3EVIhENfZVikncOInnZG_ppnqEBvTQJeVkkry5q24Ked3ncknnZvZwTJmwRyN-Dnx2zaNEMjUgBCZIFs15WuN6Y2Wrx1rEUiJkMlXXZ_MU
GSpLQ9FAhpfWXZTStk6i0gE24xqcLupspUNOUVR5qIIxcGMp1kA-mPLc1tM5Rlb7azEOVlImF1Mt3vp6482zW1XDUB2tTzUFxo4GIztBoQP0yjVtSklRYRmwMIGwsMB6MM-CBTLygToSKIVPplOegSLFGZpqF3LzVjHRFTkWu7qOlCkrK82_VBIMxlaiizaLIpPsPm61m5ymOHvWutTkJwvRJ3mBF2Hi_9H6CKVO4eGq8u-UvtdEusZFXO5y_fyAeHVAfH-h6ZLffvzwn4eff3bn4eLo3rXelb1nF44nqAzimyMLlxq8Xhr0jQimclY4mInJGZLcmXczq91TU3LFW9QJfNAmHrTbf7f3779DPD18-x67997Rxb3Lh4fK5ov75ckL_uxo79WlX5-enT35-Zu_-H8B0\",\"SessionId\":\"21036f6c-f348-4396-ae7b-2afaf476eb29\",\"CorrelationId\":\"c1245034-a43e-485e-9d54-1ad8083e34b2\",\"Timestamp\":\"2022-05-20T15:15:11Z\"}") + var mfaResp mfaResponse + + if err := json.Unmarshal(mfaBeginJsonWithEntropy, &mfaResp); err != nil { + logrus.Error("Found an error while unmarshalling") + t.Fail() + } + + if mfaResp.Entropy != 0 { + t.Errorf("Entropy is %d and should have been 0", mfaResp.Entropy) + } +} From bcd6a14997fa198954c904079307081c65bff575 Mon Sep 17 00:00:00 2001 From: dmarcotte Date: Fri, 20 May 2022 11:29:45 -0400 Subject: [PATCH 029/296] Adjust unit test --- pkg/provider/aad/aad_test.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/pkg/provider/aad/aad_test.go b/pkg/provider/aad/aad_test.go index c276498e9..1a9e91f6f 100644 --- a/pkg/provider/aad/aad_test.go +++ b/pkg/provider/aad/aad_test.go @@ -2,7 +2,6 @@ package aad import ( "encoding/json" - "github.com/sirupsen/logrus" "testing" ) @@ -12,8 +11,7 @@ func TestAad_UnmarshallMfaResponseWithEntropy(t *testing.T) { var mfaResp mfaResponse if err := json.Unmarshal(mfaBeginJsonWithEntropy, &mfaResp); err != nil { - logrus.Error("Found an error while unmarshalling") - t.Fail() + t.Error("Found an error while unmarshalling") } if mfaResp.Entropy != 88 { 
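Review bot: Both test bodies embed complete captured `FlowToken`, `Ctx`, `SessionId` and `CorrelationId` values from a live AAD session even though the assertion only inspects `Entropy`; expired or not, these are identifying session artefacts and they make the fixture unreadable, so trim each payload to the fields the test needs (`{"Entropy":88}` and a payload without the key) or move redacted versions into `testdata/`. The variable in the second test is still called `mfaBeginJsonWithEntropy` although that payload has no `Entropy` key; `mfaBeginJsonWithoutEntropy` reads correctly. `t.Fatalf("unmarshal: %v", err)` on the decode path would also surface the decoder's message, which the current call discards.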
@@ -27,8 +25,7 @@ func TestAad_UnmarshallMfaResponseWithoutEntropy(t *testing.T) { var mfaResp mfaResponse if err := json.Unmarshal(mfaBeginJsonWithEntropy, &mfaResp); err != nil { - logrus.Error("Found an error while unmarshalling") - t.Fail() + t.Error("Found an error while unmarshalling") } if mfaResp.Entropy != 0 { From aa85e861869e92ea1a0fa13328cb88a1f5491b64 Mon Sep 17 00:00:00 2001 From: Ugur Zongur Date: Fri, 24 Jun 2022 17:51:52 +0000 Subject: [PATCH 030/296] Add multiple authenticator support for Keycloak This change enables usage of more than one authenticators in KeyCloak. It tries all the authenticators one-by-one until one of them succeeds. Previously only the first Authenticator was respected. Resolves #838 --- .../example/mfapage2authenticators.html | 93 +++++++++++++++++++ pkg/provider/keycloak/keycloak.go | 64 +++++++++---- pkg/provider/keycloak/keycloak_test.go | 61 ++++++++++-- 3 files changed, 193 insertions(+), 25 deletions(-) create mode 100644 pkg/provider/keycloak/example/mfapage2authenticators.html diff --git a/pkg/provider/keycloak/example/mfapage2authenticators.html b/pkg/provider/keycloak/example/mfapage2authenticators.html new file mode 100644 index 000000000..f64557d38 --- /dev/null +++ b/pkg/provider/keycloak/example/mfapage2authenticators.html @@ -0,0 +1,93 @@ + + + + + + + + + + Log in to Keycloak + + + + + + + + + + +
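Review bot: In `TestAad_UnmarshallMfaResponseWithoutEntropy` the document passed to `json.Unmarshal` is still named `mfaBeginJsonWithEntropy`, yet the test asserts `mfaResp.Entropy` is 0, so the name contradicts what the test checks; rename it `mfaBeginJSONWithoutEntropy` (fixing the `Json` initialism too) at its declaration and in the `json.Unmarshal` call. The fixture it parses, visible at the top of this chunk, looks like a captured live response complete with `FlowToken`, `Ctx`, `SessionId` and `CorrelationId` values; a small synthetic document containing just the fields the test asserts on would read more clearly and keeps session material out of the repository. The enclosing function and the fixture declaration start outside this hunk.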
+
+ +
+
Keycloak
+
+
+ + +
+
+ + + + +
+
+
+
+ + \ No newline at end of file diff --git a/pkg/provider/keycloak/keycloak.go b/pkg/provider/keycloak/keycloak.go index f1f3db0c1..eb8c47c90 100644 --- a/pkg/provider/keycloak/keycloak.go +++ b/pkg/provider/keycloak/keycloak.go @@ -28,6 +28,12 @@ type Client struct { client *provider.HTTPClient } +type authContext struct { + mfaToken string + authenticatorIndex uint + authenticatorIndexValid bool +} + // New create a new KeyCloakClient func New(idpAccount *cfg.IDPAccount) (*Client, error) { @@ -45,7 +51,10 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) { // Authenticate logs into KeyCloak and returns a SAML response func (kc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) { + return kc.doAuthenticate(&authContext{loginDetails.MFAToken, 0, true}, loginDetails) +} +func (kc *Client) doAuthenticate(authCtx *authContext, loginDetails *creds.LoginDetails) (string, error) { authSubmitURL, authForm, err := kc.getLoginForm(loginDetails) if err != nil { return "", errors.Wrap(err, "error retrieving login form from idp") @@ -70,7 +79,7 @@ func (kc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) return "", errors.Wrap(err, "unable to locate IDP totp form submit URL") } - doc, err = kc.postTotpForm(totpSubmitURL, loginDetails.MFAToken, doc) + doc, err = kc.postTotpForm(authCtx, totpSubmitURL, doc) if err != nil { return "", errors.Wrap(err, "error posting totp form") } @@ -91,7 +100,11 @@ func (kc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) } } - return extractSamlResponse(doc), nil + samlResponse, err := extractSamlResponse(doc) + if err != nil && authCtx.authenticatorIndexValid { + return kc.doAuthenticate(authCtx, loginDetails) + } + return samlResponse, err } func extractWebauthnParameters(doc *goquery.Document) (credentialIDs []string, challenge string, rpID string, err error) { 
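Review bot: The retry at the end of `doAuthenticate`, `if err != nil && authCtx.authenticatorIndexValid { return kc.doAuthenticate(authCtx, loginDetails) }`, has no bound: `Authenticate` seeds `authenticatorIndexValid` as `true` and only `postTotpForm` ever updates it, so whenever the flow reaches `extractSamlResponse` without having posted a TOTP form and the page carries no SAML field, the context is unchanged and the function recurses indefinitely, re-fetching the login form and re-posting the user's password on every pass. Clearing the flag at the top of `doAuthenticate`, `authCtx.authenticatorIndexValid = false // re-enabled by postTotpForm only when a further authenticator exists`, ties the retry to a real next-authenticator probe; the part of the body between the hunks is outside this view, so confirm no other path depends on the initial `true`. Even with that fix every retry is a full credential login against the IdP, which deserves a sentence in a doc comment on `doAuthenticate` since repeated failures can trigger account lockout. The literal `&authContext{loginDetails.MFAToken, 0, true}` should use field names so the meaning of `0` and `true` is visible at the call site.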
@@ -188,16 +201,16 @@ func (kc *Client) postLoginForm(authSubmitURL string, authForm url.Values) ([]by return data, nil } -func (kc *Client) postTotpForm(totpSubmitURL string, mfaToken string, doc *goquery.Document) (*goquery.Document, error) { +func (kc *Client) postTotpForm(authCtx *authContext, totpSubmitURL string, doc *goquery.Document) (*goquery.Document, error) { otpForm := url.Values{} - if mfaToken == "" { - mfaToken = prompter.RequestSecurityCode("000000") + if authCtx.mfaToken == "" { + authCtx.mfaToken = prompter.RequestSecurityCode("000000") } doc.Find("input").Each(func(i int, s *goquery.Selection) { - updateOTPFormData(otpForm, s, mfaToken) + updateOTPFormData(authCtx, otpForm, s) }) req, err := http.NewRequest("POST", totpSubmitURL, strings.NewReader(otpForm.Encode())) @@ -207,6 +220,11 @@ func (kc *Client) postTotpForm(totpSubmitURL string, mfaToken string, doc *goque req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + // Check if the next authenticator is available + authCtx.authenticatorIndex = authCtx.authenticatorIndex + 1 + nextAuthenticatorSelector := fmt.Sprintf("input#%s", generateAuthenticatorElementId(authCtx.authenticatorIndex)) + authCtx.authenticatorIndexValid = doc.Find(nextAuthenticatorSelector).Length() == 1 + res, err := kc.client.Do(req) if err != nil { return nil, errors.Wrap(err, "error retrieving content") 
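Review bot: `postTotpForm` writes the code returned by `prompter.RequestSecurityCode` back into `authCtx.mfaToken`, so on the retry path through `doAuthenticate` the same code is re-submitted to each remaining authenticator without prompting again; that is presumably the intent for a code that belongs to a different registered device, but it also means a mistyped code is tried against every authenticator before the user learns of the failure, and nothing in the code says so — add `// keep the entered code so the next authenticator is tried with it rather than re-prompting`. The probe for the next authenticator inspects `doc`, the page being submitted, before the response is read; `// Check if the next authenticator is available` would be clearer as `// Probe the page just submitted for a further credential input so the caller knows whether another authenticator can be tried`. `authCtx.authenticatorIndex = authCtx.authenticatorIndex + 1` is simply `authCtx.authenticatorIndex++`.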
@@ -315,25 +333,23 @@ func extractSubmitURL(doc *goquery.Document) (string, error) { return submitURL, nil } -func extractSamlResponse(doc *goquery.Document) string { - var samlAssertion string +func extractSamlResponse(doc *goquery.Document) (string, error) { + var samlAssertion = "" + var err = fmt.Errorf("unable to locate saml response field") doc.Find("input").Each(func(i int, s *goquery.Selection) { name, ok := s.Attr("name") if ok && name == "SAMLResponse" { val, ok := s.Attr("value") if !ok { - log.Fatalf("unable to locate saml assertion value") + err = fmt.Errorf("unable to locate saml assertion value") + return } + err = nil samlAssertion = val } }) - - if samlAssertion == "" { - log.Fatalf("unable to locate saml response field") - } - - return samlAssertion + return samlAssertion, err } func containsTotpForm(doc *goquery.Document) bool { @@ -375,7 +391,7 @@ func updateKeyCloakFormData(authForm url.Values, s *goquery.Selection, user *cre } } -func updateOTPFormData(otpForm url.Values, s *goquery.Selection, token string) { +func updateOTPFormData(authCtx *authContext, otpForm url.Values, s *goquery.Selection) { name, ok := s.Attr("name") // log.Printf("name = %s ok = %v", name, ok) if !ok { @@ -385,9 +401,21 @@ func updateOTPFormData(otpForm url.Values, s *goquery.Selection, token string) { lname := strings.ToLower(name) // search otp field at Keycloak >= 8.0.1 if strings.Contains(lname, "totp") { - otpForm.Add(name, token) + otpForm.Add(name, authCtx.mfaToken) } else if strings.Contains(lname, "otp") { - otpForm.Add(name, token) + otpForm.Add(name, authCtx.mfaToken) + } else if strings.Contains(lname, "selectedcredentialid") { + id, ok := s.Attr("id") + if ok && id == generateAuthenticatorElementId(authCtx.authenticatorIndex) { + val, ok := s.Attr("value") + if ok { + otpForm.Add(name, val) + } + } } } + +func generateAuthenticatorElementId(authenticatorIndex uint) string { + return fmt.Sprintf("kc-otp-credential-%d", authenticatorIndex) +} 
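Review bot: `extractSamlResponse` initialises its results as `var samlAssertion = ""` and `var err = fmt.Errorf("unable to locate saml response field")`; the idiomatic forms are `var samlAssertion string` and `errors.New("unable to locate saml response field")`, which the `pkg/errors` package already imported here for `errors.Wrap` provides, and the same applies to the inner `fmt.Errorf("unable to locate saml assertion value")`. Note that the `return` after that assignment only leaves the `Each` callback, so a later `SAMLResponse` input with a value would still reset `err` to nil; presumably the page has a single such field, but a one-line comment saying the last match wins would save the next reader the check. The new `generateAuthenticatorElementId` should be `generateAuthenticatorElementID` per Go's initialism convention, and the `kc-otp-credential-%d` pattern it builds warrants a comment tying it to the element ids Keycloak renders for its credential selector, which is what `example/mfapage2authenticators.html` exercises.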
diff --git a/pkg/provider/keycloak/keycloak_test.go b/pkg/provider/keycloak/keycloak_test.go index b951bab6d..0f5151bd5 100644 --- a/pkg/provider/keycloak/keycloak_test.go +++ b/pkg/provider/keycloak/keycloak_test.go @@ -114,7 +114,9 @@ func TestClient_postTotpForm(t *testing.T) { })) defer ts.Close() - doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data)) + mfapage, err := ioutil.ReadFile("example/mfapage.html") + require.Nil(t, err) + doc, err := goquery.NewDocumentFromReader(bytes.NewReader(mfapage)) require.Nil(t, err) pr := &mocks.Prompter{} @@ -122,12 +124,14 @@ func TestClient_postTotpForm(t *testing.T) { pr.Mock.On("RequestSecurityCode", "000000").Return("123456") - mfaToken := "" + authCtx := &authContext{"", 0, true} opts := &provider.HTTPClientOptions{IsWithRetries: false} kc := Client{client: &provider.HTTPClient{Client: http.Client{}, Options: opts}} - _, err = kc.postTotpForm(ts.URL, mfaToken, doc) + _, err = kc.postTotpForm(authCtx, ts.URL, doc) require.Nil(t, err) + require.Equal(t, false, authCtx.authenticatorIndexValid) + require.Equal(t, "123456", authCtx.mfaToken) pr.Mock.AssertCalled(t, "RequestSecurityCode", "000000") } 
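Review bot: `TestClient_postTotpForm` now asserts a boolean with `require.Equal(t, false, authCtx.authenticatorIndexValid)`; `require.False(t, authCtx.authenticatorIndexValid)` (and `require.True` for the positive case) is clearer and gives a better failure message, and the same pattern recurs in the two hunks that follow. The fixtures are loaded with `ioutil.ReadFile`, which has been superseded by `os.ReadFile` since Go 1.16 and is a drop-in replacement here. `TestClient_postTotpForm` continues outside the hunk.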
@@ -142,18 +146,59 @@ func TestClient_postTotpFormWithProvidedMFAToken(t *testing.T) { })) defer ts.Close() - doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data)) + mfapage, err := ioutil.ReadFile("example/mfapage.html") + require.Nil(t, err) + doc, err := goquery.NewDocumentFromReader(bytes.NewReader(mfapage)) + require.Nil(t, err) + + pr := &mocks.Prompter{} + prompter.SetPrompter(pr) + + authCtx := &authContext{"123456", 0, true} + opts := &provider.HTTPClientOptions{IsWithRetries: false} + kc := Client{client: &provider.HTTPClient{Client: http.Client{}, Options: opts}} + + _, err = kc.postTotpForm(authCtx, ts.URL, doc) + require.Nil(t, err) + require.Equal(t, false, authCtx.authenticatorIndexValid) + require.Equal(t, "123456", authCtx.mfaToken) + + pr.Mock.AssertNumberOfCalls(t, "RequestSecurityCode", 0) +} + +func TestClient_postTotpFormWithMultipleAuthenticators(t *testing.T) { + data, err := ioutil.ReadFile("example/assertion.html") + require.Nil(t, err) + + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + _, _ = w.Write(data) + })) + defer ts.Close() + + mfapage, err := ioutil.ReadFile("example/mfapage2authenticators.html") + require.Nil(t, err) + doc, err := goquery.NewDocumentFromReader(bytes.NewReader(mfapage)) require.Nil(t, err) pr := &mocks.Prompter{} prompter.SetPrompter(pr) - mfaToken := "123456" + authCtx := &authContext{"123456", 0, true} opts := &provider.HTTPClientOptions{IsWithRetries: false} kc := Client{client: &provider.HTTPClient{Client: http.Client{}, Options: opts}} - _, err = kc.postTotpForm(ts.URL, mfaToken, doc) + _, err = kc.postTotpForm(authCtx, ts.URL, doc) require.Nil(t, err) + require.Equal(t, uint(1), authCtx.authenticatorIndex) + require.Equal(t, true, authCtx.authenticatorIndexValid) + require.Equal(t, "123456", authCtx.mfaToken) + + _, err = kc.postTotpForm(authCtx, ts.URL, doc) + require.Nil(t, err) + require.Equal(t, uint(2), authCtx.authenticatorIndex) + require.Equal(t, 
false, authCtx.authenticatorIndexValid) + require.Equal(t, "123456", authCtx.mfaToken) + pr.Mock.AssertNumberOfCalls(t, "RequestSecurityCode", 0) } @@ -164,7 +209,9 @@ func TestClient_extractSamlResponse(t *testing.T) { doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data)) require.Nil(t, err) - require.Equal(t, extractSamlResponse(doc), "abc123") + samlResponse, err := extractSamlResponse(doc) + require.Nil(t, err) + require.Equal(t, samlResponse, "abc123") } func TestClient_containsTotpForm(t *testing.T) { From ad23a3ecd2c38ce7be6ca2e99d758d926c45d231 Mon Sep 17 00:00:00 2001 From: Dan Boitnott Date: Sat, 9 Jul 2022 09:10:20 -0500 Subject: [PATCH 031/296] fix gh-845: handle relative URL in authSubmitURL --- pkg/provider/adfs/adfs.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkg/provider/adfs/adfs.go b/pkg/provider/adfs/adfs.go index a150299af..d39334368 100644 --- a/pkg/provider/adfs/adfs.go +++ b/pkg/provider/adfs/adfs.go @@ -88,6 +88,19 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) if authSubmitURL == "" { return samlAssertion, fmt.Errorf("unable to locate IDP authentication form submit URL") + } else if strings.HasPrefix(authSubmitURL, "/") { + // + // The server returned a relative URL. Make it absolute. + // + parsedUrl, err := url.Parse(adfsURL) + if err != nil { + return "", errors.Wrap(err, "failed to parse ADFS URL") + } + parsedPath, err := url.Parse(authSubmitURL) + if err != nil { + return "", errors.Wrap(err, "failed to parse authSubmitURL fragment") + } + authSubmitURL = parsedUrl.ResolveReference(parsedPath).String() } doc, err = ac.submit(authSubmitURL, authForm) From 192440d43ec3c5b4d28457f28db775e584d65488 Mon Sep 17 00:00:00 2001 From: Dan Boitnott Date: Sat, 9 Jul 2022 09:45:14 -0500 Subject: [PATCH 032/296] fix gh-847: Fixes malformed Kmsi value in form --- pkg/provider/adfs/adfs.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
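Review bot: `TestClient_postTotpFormWithMultipleAuthenticators` posts the same `doc` twice, whereas the production retry in `doAuthenticate` re-runs the whole login flow and hands `postTotpForm` a freshly fetched page; the test is still valid for the index bookkeeping it asserts on, but a comment such as `// the same page is submitted twice on purpose: only the authenticator index and validity bookkeeping are under test` would stop a reader from taking it as the real sequence.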
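Review bot: The new `else if strings.HasPrefix(authSubmitURL, "/")` branch repairs only root-relative actions: a path-relative `action` without a leading slash still reaches `ac.submit` unresolved, while `url.ResolveReference` already handles absolute, root-relative and path-relative references uniformly, so the prefix test can be dropped and the resolution run unconditionally once `authSubmitURL` is known to be non-empty; that also removes the `else` after the terminating `return`. `parsedUrl` should be `parsedURL`, and `"failed to parse authSubmitURL fragment"` describes a relative reference rather than a fragment — `"parsing form action %q"` with the offending value says what this layer was doing. `Authenticate` continues outside the hunk.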
diff --git a/pkg/provider/adfs/adfs.go b/pkg/provider/adfs/adfs.go index a150299af..4497be0c0 100644 --- a/pkg/provider/adfs/adfs.go +++ b/pkg/provider/adfs/adfs.go @@ -86,6 +86,19 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) authSubmitURL = action }) + // Trim whitespace and discard empty values from Kmsi field + if val, ok := authForm["Kmsi"]; ok { + var trimmedKmsi []string + var t string + for _, s := range val { + t = strings.TrimSpace(s) + if len(t) > 0 { + trimmedKmsi = append(trimmedKmsi, t) + } + } + authForm["Kmsi"] = trimmedKmsi + } + if authSubmitURL == "" { return samlAssertion, fmt.Errorf("unable to locate IDP authentication form submit URL") } From 6362b417956c87d78ee0a0a3572b10a65032645d Mon Sep 17 00:00:00 2001 From: Joey McDaniel <17505625+jmctune@users.noreply.github.com> Date: Mon, 11 Jul 2022 13:44:40 -0500 Subject: [PATCH 033/296] bgresponse change needs to be enabled again when passing to the challenge function. --- pkg/provider/googleapps/googleapps.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/provider/googleapps/googleapps.go b/pkg/provider/googleapps/googleapps.go index bf2f4b82c..7e8e6ad1f 100644 --- a/pkg/provider/googleapps/googleapps.go +++ b/pkg/provider/googleapps/googleapps.go @@ -326,6 +326,8 @@ func (kc *Client) loadLoginPage(submitURL string, referer string, authForm url.V func (kc *Client) loadChallengePage(submitURL string, referer string, authForm url.Values, loginDetails *creds.LoginDetails) (*goquery.Document, error) { + authForm.Set("bgresponse", "js_enabled") + req, err := http.NewRequest("POST", submitURL, strings.NewReader(authForm.Encode())) if err != nil { return nil, errors.Wrap(err, "error retrieving login form") From 7c05d6570d3ff0a4fa24534380d89e1df10240db Mon Sep 17 00:00:00 2001 
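Review bot: The Kmsi clean-up declares `var t string` ahead of the loop and tests `len(t) > 0`; `t := strings.TrimSpace(s)` inside the loop with `if t != ""` is the idiomatic shape and keeps the variable scoped to one iteration. When every value is blank `trimmedKmsi` stays nil and the key is retained with a nil slice, which `url.Values.Encode` then omits from the body entirely; that is presumably the intent, but the comment should say that an all-blank `Kmsi` is dropped rather than sent empty, and a pointer to why this one field arrives with whitespace (the gh-847 report in the commit title) would help the next reader. `Authenticate` continues outside the hunk.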
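Review bot: `loadChallengePage` now calls `authForm.Set("bgresponse", "js_enabled")` on the `url.Values` it receives, which mutates the caller's map in place rather than a copy; that may well be intended, but the only explanation of why the value must be set again here is the commit message, so put it next to the line: `// bgresponse must read js_enabled when posting to the challenge endpoint; an earlier step can change it (see commit 6362b41)`. I cannot see from this hunk where the value is changed, so adjust the wording to match the actual caller. The function continues outside the hunk.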
From: Sriram Venkatesh Date: Mon, 18 Jul 2022 12:40:07 +1200 Subject: [PATCH 034/296] =?UTF-8?q?feat(keyring):=20=E2=9C=A8=20Add=20supp?= =?UTF-8?q?ort=20to=20set=20diff=20backend?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prior to this change, you were not able to set the keyring backend to your preferred keyring. This mean it was up to `saml2aws` figure out what the appropriate backend to use depending on the operating system, and a priority list of backends that are supported. After this change, you can use the environment variable `SAML2AWS_KEYRING_BACKEND` to set it to whatever keyring backend you want. However, this setting is only available for Linux operating systems (unless this feature is required for other operating systems). This hopefully allows headless systems such as WSL to set their backend to a keyring that doesn't rely on X11 and DBus (such as pass). This hopefully resolves the following issues: - #563 - #582 - #561 --- README.md | 61 +++++++++++++++++++++-- cmd/saml2aws/commands/login_linux.go | 9 +++- helper/linuxkeyring/linuxkeyring_linux.go | 17 +++++-- pkg/cfg/cfg.go | 3 ++ 4 files changed, 83 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4fda2277c..672b3750b 100644 --- a/README.md +++ b/README.md 
@@ -385,10 +385,65 @@ To use this credential, call the AWS CLI with the --profile option (e.g. aws --p ``` ## Advanced Configuration +### Windows Subsystem Linux (WSL) Configuration +If you are using WSL1 or WSL2, you might get the following error when attempting to save the credentials into the keychain -Configuring multiple accounts with custom role and profile in `~/.aws/config` with goal being isolation between infra code when deploying to these environments. This setup assumes you're using separate roles and probably AWS accounts for `dev` and `test` and is designed to help operations staff avoid accidentally deploying to the wrong AWS account in complex environments. Note that this method configures SAML authentication to each AWS account directly (in this case different AWS accounts). In the example below, separate authentication values are configured for AWS accounts 'profile=customer-dev/awsAccount=was 121234567890' and 'profile=customer-test/awsAccount=121234567891' +``` + No such interface “org.freedesktop.DBus.Properties” on object at path / +``` + +This happens because the preferred keyring back-end - uses the `gnome-keyring` by default - which requires X11 - and if you are not using Windows 11 with support for Linux GUI applications - this can be difficult without [configuring a X11 forward](https://stackoverflow.com/questions/61110603/how-to-set-up-working-x11-forwarding-on-wsl2). + +There are 2 preferred approaches to workaround this issue: + +#### Option 1: Disable Keychain +You can apply the `--disable-keychain` flag when using both the `configure` and `login` commands. Using this flag means that your credentials (such as your password to your IDP, or in the case of Okta the Okta Session Token) will not save to your keychain - and be skipped entierly. This means you will be required to enter your username and password each time you invoke the `login` command. 
+ +#### Option 2: Configure Pass to be the default keyring +There are a few steps involved with this option - however this option will save your credentials (such as your password to your IDP, and session tokens etc) into the `pass`[https://www.passwordstore.org/] keyring. The `pass` keyring is the standard Unix password manager. This option was *heavily inspired* by a similar issue in [aws-vault](https://github.com/99designs/aws-vault/issues/683) + +To configure pass to be the default keyring the following steps will need to be completed (assuming you are using Ubuntu 20.04 LTS): + +1. Install the pass backend and update gnupg, which encrypts passwords +```bash +sudo apt-get update && sudo apt-get install -y pass gnupg +``` + +2. Generate a key with gpg (gnupg) and take note of your public key +```bash +gpg --gen-key +``` -### Dev Account Setup +The output of the gpg command will output the something similar to the following: +``` +public and secret key created and signed. + +pub rsa3072 2021-04-22 [SC] [expires: 2023-04-22] + 844E426A53A64C2A916CBD1F522014D5FDBF6E3D +uid Meir Gabay +sub rsa3072 2021-04-22 [E] [expires: 2023-04-22] +``` + +3. Create a storage key in pass from the previously generated public (pub) key +```bash +pass init +``` +during the `init` process you'll be requested to enter the passphrase provided in step 2 + +4. Now, configure `saml2aws` to use the `pass` keyring. This can be done by setting the `SAML2AWS_KEYRING_BACKEND` environment variable to be `pass`. You'll need to also set the `GPG_TTY` to your current tty which means you can set the variable to `"$( tty )"` + +which means the following can be added into your profile +``` +export SAML2AWS_KEYRING_BACKEND=pass +export GPG_TTY="$( tty )" +``` + +5. Profit! Now when you run login/configure commands - you'll be promoted once to enter your passphrase - and your credentials will be saved into your keyring! 
+ + +### Configuring Multiple Accounts +Configuring multiple accounts with custom role and profile in `~/.aws/config` with goal being isolation between infra code when deploying to these environments. This setup assumes you're using separate roles and probably AWS accounts for `dev` and `test` and is designed to help operations staff avoid accidentally deploying to the wrong AWS account in complex environments. Note that this method configures SAML authentication to each AWS account directly (in this case different AWS accounts). In the example below, separate authentication values are configured for AWS accounts 'profile=customer-dev/awsAccount=was 121234567890' and 'profile=customer-test/awsAccount=121234567891' +#### Dev Account Setup To setup the dev account run the following and enter URL, username and password, and assign a standard role to be automatically selected on login. @@ -415,7 +470,7 @@ region = us-east-1 To use this you will need to export `AWS_DEFAULT_PROFILE=customer-dev` environment variable to target `dev`. -### Test Account Setup +#### Test Account Setup To setup the test account run the following and enter URL, username and password. diff --git a/cmd/saml2aws/commands/login_linux.go b/cmd/saml2aws/commands/login_linux.go index b051a0f79..94a4d30fb 100644 --- a/cmd/saml2aws/commands/login_linux.go +++ b/cmd/saml2aws/commands/login_linux.go @@ -1,12 +1,19 @@ package commands import ( + "os" + "github.com/versent/saml2aws/v2/helper/credentials" "github.com/versent/saml2aws/v2/helper/linuxkeyring" + "github.com/versent/saml2aws/v2/pkg/cfg" ) func init() { - if keyringHelper, err := linuxkeyring.NewKeyringHelper(); err == nil { + c := linuxkeyring.Configuration{ + Backend: os.Getenv(cfg.KeyringBackEnvironmentVariableName), + } + + if keyringHelper, err := linuxkeyring.NewKeyringHelper(c); err == nil { credentials.CurrentHelper = keyringHelper } } 
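Review bot: `init` passes `os.Getenv(cfg.KeyringBackEnvironmentVariableName)` straight into `linuxkeyring.NewKeyringHelper(c)` and, as before, drops the error, so a misspelt backend name (or one not compiled into this binary) silently degrades to running without a keychain helper; the user then presumably gets prompted for credentials every time with no hint that their setting was ignored. When `c.Backend != ""` the failure reflects explicit configuration rather than platform autodetection, so at least log it with the backend name using whatever logger the `commands` package already has. A short comment on the config, `// SAML2AWS_KEYRING_BACKEND, when set, restricts the keyring to that single backend`, documents the new behaviour at the point it takes effect.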
diff --git a/helper/linuxkeyring/linuxkeyring_linux.go b/helper/linuxkeyring/linuxkeyring_linux.go index 719b2e2be..123e7c787 100644 --- a/helper/linuxkeyring/linuxkeyring_linux.go +++ b/helper/linuxkeyring/linuxkeyring_linux.go @@ -14,8 +14,12 @@ type KeyringHelper struct { keyring keyring.Keyring } -func NewKeyringHelper() (*KeyringHelper, error) { - kr, err := keyring.Open(keyring.Config{ +type Configuration struct { + Backend string +} + +func NewKeyringHelper(config Configuration) (*KeyringHelper, error) { + c := keyring.Config{ AllowedBackends: []keyring.BackendType{ keyring.KWalletBackend, keyring.SecretServiceBackend, @@ -23,7 +27,14 @@ func NewKeyringHelper() (*KeyringHelper, error) { }, LibSecretCollectionName: "login", PassPrefix: "saml2aws", - }) + } + + // set the only allowed backend to be backend configured + if config.Backend != "" { + c.AllowedBackends = []keyring.BackendType{keyring.BackendType(config.Backend)} + } + + kr, err := keyring.Open(c) if err != nil { return nil, err diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 79b5945b4..ccfb19cc4 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -27,6 +27,9 @@ const ( // DefaultProfile this is the default profile name used to save the credentials in the aws cli DefaultProfile = "saml" + + // Environment Variable used to define the Keyring Backend for Linux based distro + KeyringBackEnvironmentVariableName = "SAML2AWS_KEYRING_BACKEND" ) // IDPAccount saml IDP account From 7807cf3c235fd023b71f90d82792eef4b4437dee Mon Sep 17 00:00:00 2001 From: Mark Wolfe Date: Thu, 21 Jul 2022 13:31:22 +1000 Subject: [PATCH 035/296] chore(deps): upgrade go to 1.18 and deps --- .github/workflows/go.yml | 6 +-- .github/workflows/release.yml | 2 +- go.mod | 25 ++++++------ go.sum | 75 +++++++++++++++++------------------ 4 files changed, 54 insertions(+), 54 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 0d5f01c56..024ac5ec9 100644 --- a/.github/workflows/go.yml 
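Review bot: `c.AllowedBackends = []keyring.BackendType{keyring.BackendType(config.Backend)}` converts the raw environment string into a backend type without checking that this build knows it, so a value such as `Pass` or `passwordstore` fails deep inside `keyring.Open` with a generic message instead of one naming the bad value; if the vendored `99designs/keyring` exposes `keyring.AvailableBackends()`, compare against it first and return an error such as `fmt.Errorf("unsupported keyring backend %q", config.Backend)`. Pinning a single backend is otherwise a good change: the default list falls through several stores, and a user who chose `pass` should not silently end up in another one. The exported `Configuration` and `NewKeyringHelper` need doc comments starting with their names — `// Configuration controls how the Linux keyring is opened.` and `// NewKeyringHelper opens the keyring, restricted to config.Backend when it is non-empty.` — and `// set the only allowed backend to be backend configured` reads better as `// An explicitly configured backend replaces the default candidate list.`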
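Review bot: The new constant `KeyringBackEnvironmentVariableName` reads like a truncated `KeyringBackendEnvironmentVariableName`; it is exported and within this commit referenced only from the new `login_linux.go` code, so renaming now is cheap and avoids freezing the typo into the `cfg` package's API. Its comment should also begin with the name per Go doc convention: `// KeyringBackendEnvironmentVariableName names the environment variable that selects the Linux keyring backend.` The `const` block continues outside the hunk.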
+++ b/.github/workflows/go.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: 1.17.x + go-version: 1.18.x - name: Check out code into the Go module directory uses: actions/checkout@v2 @@ -38,7 +38,7 @@ jobs: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: 1.17.x + go-version: 1.18.x - name: Check out code into the Go module directory uses: actions/checkout@v2 @@ -56,7 +56,7 @@ jobs: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: 1.17.x + go-version: 1.18.x - name: Check out code into the Go module directory uses: actions/checkout@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b6d9847ef..be7f776f2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ jobs: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: 1.17.x + go-version: 1.18.x - name: Check out code into the Go module directory uses: actions/checkout@v2 diff --git a/go.mod b/go.mod index 169c09ce6..82f225175 100644 --- a/go.mod +++ b/go.mod @@ -1,15 +1,15 @@ module github.com/versent/saml2aws/v2 -go 1.17 +go 1.18 require ( - github.com/99designs/keyring v1.1.6 - github.com/AlecAivazis/survey/v2 v2.3.2 + github.com/99designs/keyring v1.2.1 + github.com/AlecAivazis/survey/v2 v2.3.5 github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e github.com/PuerkitoBio/goquery v1.8.0 github.com/alecthomas/kingpin v2.2.6+incompatible github.com/avast/retry-go v3.0.0+incompatible - github.com/aws/aws-sdk-go v1.42.44 + github.com/aws/aws-sdk-go v1.44.59 github.com/beevik/etree v1.1.0 github.com/danieljoos/wincred v1.1.2 github.com/google/uuid v1.3.0 
@@ -18,22 +18,23 @@ require ( github.com/mitchellh/go-homedir v1.1.0 github.com/mxschmitt/playwright-go v0.1400.0 github.com/pkg/errors v0.9.1 - github.com/sirupsen/logrus v1.8.1 + github.com/sirupsen/logrus v1.9.0 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 - github.com/stretchr/testify v1.7.0 - github.com/tidwall/gjson v1.13.0 + github.com/stretchr/testify v1.8.0 + github.com/tidwall/gjson v1.14.1 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd - gopkg.in/ini.v1 v1.66.3 + gopkg.in/ini.v1 v1.66.6 ) require ( + github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect github.com/andybalholm/cascadia v1.3.1 // indirect github.com/bearsh/hid v1.3.0 // indirect github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b // indirect + github.com/dvsekhvalnov/jose2go v1.5.0 // indirect github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect github.com/gorilla/websocket v1.4.2 // indirect github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect 
@@ -44,13 +45,13 @@ require ( github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect github.com/mtibben/percent v0.2.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/stretchr/objx v0.2.0 // indirect + github.com/stretchr/objx v0.4.0 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.0 // indirect golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect - golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect + golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect - gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index be8e98b4b..ee8ddca7b 100644 --- a/go.sum +++ b/go.sum 
@@ -1,13 +1,15 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/99designs/keyring v1.1.6 h1:kVDC2uCgVwecxCk+9zoCt2uEL6dt+dfVzMvGgnVcIuM= -github.com/99designs/keyring v1.1.6/go.mod h1:16e0ds7LGQQcT59QqkTg72Hh5ShM51Byv5PEmW6uoRU= -github.com/AlecAivazis/survey/v2 v2.3.2 h1:TqTB+aDDCLYhf9/bD2TwSO8u8jDSmMUd2SUVO4gCnU8= -github.com/AlecAivazis/survey/v2 v2.3.2/go.mod h1:TH2kPCDU3Kqq7pLbnCWwZXDBjnhZtmsCle5EiYDJ2fg= +github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs= +github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4= +github.com/99designs/keyring v1.2.1 h1:tYLp1ULvO7i3fI5vE21ReQuj99QFSs7lGm0xWyJo87o= +github.com/99designs/keyring v1.2.1/go.mod h1:fc+wB5KTk9wQ9sDx0kFXB3A0MaeGHM9AwRStKOQ5vOA= +github.com/AlecAivazis/survey/v2 v2.3.5 h1:A8cYupsAZkjaUmhtTYv3sSqc7LO5mp1XDfqe5E/9wRQ= +github.com/AlecAivazis/survey/v2 v2.3.5/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI= github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e h1:ZU22z/2YRFLyf/P4ZwUYSdNCWsMEI0VeyrFoI2rAhJQ= github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8 h1:xzYJEypr/85nBpB11F9br+3HUrpgb+fcm5iADzXXYEw= -github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= +github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s= +github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/goquery v1.8.0 
h1:PJTF7AmFCFKk1N6V6jmKfrNH9tV5pNE6lZMkG0gta/U= github.com/PuerkitoBio/goquery v1.8.0/go.mod h1:ypIiRMtY7COPGk+I/YbZLbxsxn9g5ejnI2HSMtkjZvI= @@ -22,8 +24,8 @@ github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEq github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0= github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY= -github.com/aws/aws-sdk-go v1.42.44 h1:vPlF4cUsdN5ETfvb7ewZFbFZyB6Rsfndt3kS2XqLXKo= -github.com/aws/aws-sdk-go v1.42.44/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc= +github.com/aws/aws-sdk-go v1.44.59 h1:bkdnNsMvMhFmNLqKDAJ6rKR+S0hjOt/3AIJp2mxOK9o= +github.com/aws/aws-sdk-go v1.44.59/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/bearsh/hid v1.3.0 h1:GLNa8hvEzJxzQEEpheDUr2SivvH7iwTrJrDhFKutfX8= github.com/bearsh/hid v1.3.0/go.mod h1:KbQByg8WfPr92v7aaKAHTtZUEVG7e2XRpcF8+TopQv8= github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= 
@@ -38,7 +40,8 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= +github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= +github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0= github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0= github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 h1:y5HC9v93H5EPKqaS1UYVg1uYah5Xf51mBfIoWehClUQ= 
@@ -48,8 +51,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b h1:HBah4D48ypg3J7Np4N+HY/ZR76fx3HEUGxDU6Uk39oQ= -github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM= +github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM= +github.com/dvsekhvalnov/jose2go v1.5.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 
@@ -79,8 +82,8 @@ github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0= github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174 h1:WlZsjVhE8Af9IcZDGgJGQpNflI3+MJSBhsgT5PCtzBQ= -github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174/go.mod h1:DqJ97dSdRW1W22yXSB90986pcOyQ7r45iio1KN2ez1A= +github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= +github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 
@@ -90,20 +93,15 @@ github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= -github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc= github.com/keybase/go-keychain v0.0.0-20211119201326-e02f34051621 h1:aMQ7pA4f06yOVXSulygyGvy4xA94fyzjUGs0iqQdMOI= github.com/keybase/go-keychain v0.0.0-20211119201326-e02f34051621/go.mod h1:enrU/ug069Om7vWxuFE6nikLI2BZNwevMiGSo43Kt5w= -github.com/keybase/go.dbus v0.0.0-20200324223359-a94be52c0b03/go.mod h1:a8clEhrrGV/d76/f9r2I41BwANMihfZYV9C223vaxqE= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.4 h1:5Myjjh3JY/NaAi4IsUbHADytDyl1VE1Y9PXDlL+P/VQ= -github.com/kr/pty v1.1.4/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= @@ -124,6 +122,8 @@ github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ib github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxschmitt/playwright-go v0.1400.0 h1:HL8dbxcVEobE+pNjASeYGJJRmd4+9gyu/51XO7d3qF0= github.com/mxschmitt/playwright-go v0.1400.0/go.mod h1:kUvZFgMneRGknVLtC2DKQ42lhZiCmWzxgBdGwjC0vkw= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -145,8 +145,8 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= 
@@ -159,16 +159,16 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/tidwall/gjson v1.13.0 h1:3TFY9yxOQShrvmjdM76K+jc66zJeT6D3/VFFYCGQf7M= -github.com/tidwall/gjson v1.13.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/tidwall/gjson v1.14.1 h1:iymTbGkQBhveq21bEvAQ81I0LEBork8BFe1CUZXdyuo= +github.com/tidwall/gjson v1.14.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 
h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= @@ -183,8 +183,6 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+vQXfpEPiMdCaZgmGVxjNHM= golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -196,7 +194,6 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -211,14 +208,14 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= 
@@ -239,10 +236,11 @@ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/ini.v1 v1.66.3 h1:jRskFVxYaMGAMUbN0UZ7niA9gzL9B49DOqE78vg0k3w= -gopkg.in/ini.v1 v1.66.3/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= +gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI= +gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 
@@ -251,6 +249,7 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 481183c648d5d4fa4fbe4fcfc4b423377dcec8d4 Mon Sep 17 00:00:00 2001 From: Alexandru Bumbacea Date: Thu, 21 Jul 2022 19:12:08 +0300 Subject: [PATCH 036/296] Fix ADFS auth when using MFA with number matching Based on usage it looks like p#instruction is populated via javascript after page load. The entropy number is not present in the p#instructions element. https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match --- pkg/provider/adfs/adfs.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkg/provider/adfs/adfs.go b/pkg/provider/adfs/adfs.go index d39334368..a109b7db6 100644 --- a/pkg/provider/adfs/adfs.go +++ b/pkg/provider/adfs/adfs.go 
@@ -135,7 +135,15 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) doc.Find("input").Each(func(i int, s *goquery.Selection) { updatePassthroughFormData(azureForm, s) }) - sel := doc.Find("p#instructions") + sel := doc.Find("p#validEntropyNumber") + if sel.Index() != -1 { + if instructions != sel.Text() { + instructions = sel.Text() + log.Println("Open your Microsoft Authenticator app and tap the number you see below to sign in.") + log.Println(instructions) + } + } + sel = doc.Find("p#instructions") if sel.Index() != -1 { if instructions != sel.Text() { instructions = sel.Text() From 39c7a59b932822b600e744b5e8763c456346a466 Mon Sep 17 00:00:00 2001 From: Eloi Barti Date: Thu, 11 Aug 2022 20:40:17 +0200 Subject: [PATCH 037/296] fix: rename needed flags for Onelogin --- cmd/saml2aws/commands/configure.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/saml2aws/commands/configure.go b/cmd/saml2aws/commands/configure.go index feddd6f64..a8f9fc7c2 100644 --- a/cmd/saml2aws/commands/configure.go +++ b/cmd/saml2aws/commands/configure.go @@ -88,7 +88,7 @@ func storeCredentials(configFlags *flags.CommonFlags, account *cfg.IDPAccount) e } if account.Provider == onelogin.ProviderName { if configFlags.ClientID == "" || configFlags.ClientSecret == "" { - log.Println("OneLogin provider requires --client_id and --client_secret flags to be set.") + log.Println("OneLogin provider requires --client-id and --client-secret flags to be set.") os.Exit(1) } if err := credentials.SaveCredentials(path.Join(account.URL, OneLoginOAuthPath), configFlags.ClientID, configFlags.ClientSecret); err != nil { From 2f9e25af1c482e7d5bc2b143349ec74c0ea61655 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Sat, 13 Aug 2022 16:06:50 -0400 Subject: [PATCH 038/296] Use Visual Studio 2019 for Appveyor --- .appveyor/appveyor.yml | 1 + 1 file changed, 1 insertion(+) 
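Review bot: The new `p#validEntropyNumber` block stores its text in the same `instructions` variable that the `p#instructions` block right after it also writes, so on a page where both elements are present the two values alternate and both messages are logged again on every pass through this section (which appears to be polled repeatedly, judging by the compare-before-log pattern; `Authenticate` starts and ends outside the hunk). Track the number-matching value separately: declare `var entropyNumber string` next to `instructions` and change the first block to `if entropyNumber != sel.Text() { entropyNumber = sel.Text(); log.Println(...) }`. A short comment on the block would also help the next reader, e.g. `// Number matching: the entropy number is rendered into p#validEntropyNumber, not p#instructions.`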
diff --git a/.appveyor/appveyor.yml b/.appveyor/appveyor.yml index c4edc5e76..50849831f 100644 --- a/.appveyor/appveyor.yml +++ b/.appveyor/appveyor.yml @@ -1,4 +1,5 @@ skip_non_tags: true +image: Visual Studio 2019 clone_folder: c:\gopath\src\github.com\versent\saml2aws environment: GOPATH: c:\gopath From f8642d749c3cf743ddffd57f86e7690ba94c3244 Mon Sep 17 00:00:00 2001 From: Isobe Kazuhiko Date: Mon, 22 Aug 2022 22:47:58 +0900 Subject: [PATCH 039/296] Support Number Challenge --- pkg/provider/okta/okta.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index 042f029c6..02295622f 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go @@ -806,6 +806,12 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails, return "", err } body = updatedContext.challengeResponseBody + if gjson.Get(body, "status").String() == "MFA_CHALLENGE" { + correctAnswer := gjson.Get(body, "_embedded.factor._embedded.challenge.correctAnswer").String() + if correctAnswer != "" { + log.Printf("Correct Answer: %s", correctAnswer) + } + } case "TIMEOUT": log.Println(" Timeout") From 6aa2bf6dd921a45e957f12da7e33e43fea466e6c Mon Sep 17 00:00:00 2001 From: Nick Vollmar Date: Fri, 26 Aug 2022 00:34:29 -0500 Subject: [PATCH 040/296] Add test case --- .../example/challenge-extra-number.html | 96 +++++++++++++++++++ pkg/provider/googleapps/googleapps.go | 19 ++-- pkg/provider/googleapps/googleapps_test.go | 16 ++++ 3 files changed, 124 insertions(+), 7 deletions(-) create mode 100644 pkg/provider/googleapps/example/challenge-extra-number.html diff --git a/pkg/provider/googleapps/example/challenge-extra-number.html b/pkg/provider/googleapps/example/challenge-extra-number.html new file mode 100644 index 000000000..67dcbc6b5 --- /dev/null +++ b/pkg/provider/googleapps/example/challenge-extra-number.html @@ -0,0 +1,96 @@ + + + + + + Google Accounts + + + +
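Review bot: In the okta.go hunk the new log line `Correct Answer: %s` prints the number-challenge value without telling the user what it is for; the value is the number the user must select in Okta Verify, and the message should say so, e.g. `log.Printf("Open Okta Verify and tap the number: %s", correctAnswer)`. A one-line comment above the block such as `// Number challenge: the push is only approved when the user taps the number shown here.` would make the intent clear to the next maintainer. `verifyMfa` starts and ends outside the hunk.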
+
+
+
+
+
+
+
+
+

2-Step Verification

+

This extra step shows it’s really you trying to sign in

+
+
+
+
Open the Gmail app on Nicholas’s iPhone
Google sent a notification to your Nicholas’s iPhone. Open the Gmail app, tap Yes on the prompt, then tap 89 on your phone to verify it’s you.
89

After you’ve finished on your phone, press the button below.

Don’t ask again on this device
+
+
+
+
+
+
+
nick@example.comUse a different account
+
+
+
+ +
+
+
+
+
+ + diff --git a/pkg/provider/googleapps/googleapps.go b/pkg/provider/googleapps/googleapps.go index 9673fc683..340cc826e 100644 --- a/pkg/provider/googleapps/googleapps.go +++ b/pkg/provider/googleapps/googleapps.go @@ -440,17 +440,14 @@ func (kc *Client) loadChallengePage(submitURL string, referer string, authForm u return kc.loadResponsePage(secondActionURL, submitURL, responseForm) case strings.Contains(secondActionURL, "challenge/dp/"): // handle device push challenge - var extraNumber string - doc.Find("div[jsname=feLNVc]").Each(func(_ int, s *goquery.Selection) { - extraNumber = s.Text() - }) - if extraNumber == "" { - log.Print("Check your phone and tap 'Yes' on the prompt. Then press ENTER to continue.") - } else { + if extraNumber := extractDevicePushExtraNumber(doc); extraNumber != "" { log.Println("Check your phone and tap 'Yes' on the prompt, then tap the number:") log.Printf("\t%v\n", extraNumber) log.Println("Then press ENTER to continue.") + } else { + log.Print("Check your phone and tap 'Yes' on the prompt. Then press ENTER to continue.") } + _, err := bufio.NewReader(os.Stdin).ReadBytes('\n') if err != nil { return nil, errors.Wrap(err, "error reading new line \\n") @@ -807,3 +804,11 @@ func isAppId(val string) string { } return appId } + +func extractDevicePushExtraNumber(doc *goquery.Document) string { + extraNumber := "" + doc.Find("div[jsname=feLNVc]").Each(func(_ int, s *goquery.Selection) { + extraNumber = s.Text() + }) + return extraNumber +} diff --git a/pkg/provider/googleapps/googleapps_test.go b/pkg/provider/googleapps/googleapps_test.go index 8f9d314ec..ee74247a8 100644 --- a/pkg/provider/googleapps/googleapps_test.go +++ b/pkg/provider/googleapps/googleapps_test.go 
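Review bot: `extractDevicePushExtraNumber` in the second googleapps.go hunk has no doc comment, and its `.Each` loop only keeps the last match, which reads as accidental; the same result is expressed directly as `return doc.Find("div[jsname=feLNVc]").Last().Text()`. Suggested comment: `// extractDevicePushExtraNumber returns the number a device-push challenge page asks the user to tap, or "" when the page has none. The jsname selector is an internal Google attribute and may change without notice.` `loadChallengePage` in the first hunk starts outside the hunk.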
@@ -117,3 +117,19 @@ func TestWrongPassword(t *testing.T) { txt := doc.Selection.Find("#" + passwordErrorId).Text() require.NotEqual(t, "", txt) } + +func TestExtractDevicePushExtraNumber(t *testing.T) { + data1, err := ioutil.ReadFile("example/challenge-extra-number.html") + require.Nil(t, err) + doc1, err := goquery.NewDocumentFromReader(bytes.NewReader(data1)) + require.Nil(t, err) + require.Equal(t, "89", extractDevicePushExtraNumber(doc1)) + + for _, filename := range []string{"example/challenge-prompt.html", "example/challenge-totp.html"} { + data2, err := ioutil.ReadFile(filename) + require.Nil(t, err) + doc2, err := goquery.NewDocumentFromReader(bytes.NewReader(data2)) + require.Nil(t, err) + require.Equal(t, "", extractDevicePushExtraNumber(doc2)) + } +} From 6c7191355aaf2fd63999318ae2a5b8d358cba4bc Mon Sep 17 00:00:00 2001 From: Jesse Kinkead Date: Mon, 5 Sep 2022 15:33:09 -0700 Subject: [PATCH 041/296] Use the same output for surveys as for logs. Add a package variable to hold the survey output writer and a setter for it. Add a helper to generate a survey option using the writer for stdout. Initialize the survey output to be the same as for the log module. --- cmd/saml2aws/main.go | 2 ++ pkg/prompter/survey.go | 27 +++++++++++++++++++++------ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go index d6ee181e3..bc15a7594 100644 --- a/cmd/saml2aws/main.go +++ b/cmd/saml2aws/main.go @@ -12,6 +12,7 @@ import ( "github.com/sirupsen/logrus" "github.com/versent/saml2aws/v2/cmd/saml2aws/commands" "github.com/versent/saml2aws/v2/pkg/flags" + "github.com/versent/saml2aws/v2/pkg/prompter" ) var ( @@ -46,6 +47,7 @@ func buildCmdList(s kingpin.Settings) (target *[]string) { func main() { log.SetOutput(os.Stderr) + prompter.SetOutputWriter(os.Stderr) log.SetFlags(0) logrus.SetOutput(os.Stderr) diff --git a/pkg/prompter/survey.go b/pkg/prompter/survey.go index 686a835fb..35485d539 100644 
--- a/pkg/prompter/survey.go +++ b/pkg/prompter/survey.go @@ -3,14 +3,29 @@ package prompter import ( "errors" "fmt" + "os" survey "github.com/AlecAivazis/survey/v2" + survey_terminal "github.com/AlecAivazis/survey/v2/terminal" ) +// outputWriter is where for all prompts will be printed. Defaults to os.Stder. +var outputWriter survey_terminal.FileWriter = os.Stderr + // CliPrompter used to prompt for cli input type CliPrompter struct { } +// SetOutputWriter sets the output writer to use for all survey operations +func SetOutputWriter(writer survey_terminal.FileWriter) { + outputWriter = writer +} + +// stdioOption returns the IO option to use for survey functions +func stdioOption() survey.AskOpt { + return survey.WithStdio(os.Stdin, outputWriter, os.Stderr) +} + // NewCli builds a new cli prompter func NewCli() *CliPrompter { return &CliPrompter{} @@ -22,7 +37,7 @@ func (cli *CliPrompter) RequestSecurityCode(pattern string) string { prompt := &survey.Input{ Message: fmt.Sprintf("Security Token [%s]", pattern), } - _ = survey.AskOne(prompt, &token, survey.WithValidator(survey.Required)) + _ = survey.AskOne(prompt, &token, survey.WithValidator(survey.Required), stdioOption()) return token } @@ -34,7 +49,7 @@ func (cli *CliPrompter) ChooseWithDefault(pr string, defaultValue string, option Options: options, Default: defaultValue, } - _ = survey.AskOne(prompt, &selected, survey.WithValidator(survey.Required)) + _ = survey.AskOne(prompt, &selected, survey.WithValidator(survey.Required), stdioOption()) // return the selected element index for i, option := range options { @@ -52,7 +67,7 @@ func (cli *CliPrompter) Choose(pr string, options []string) int { Message: pr, Options: options, } - _ = survey.AskOne(prompt, &selected, survey.WithValidator(survey.Required)) + _ = survey.AskOne(prompt, &selected, survey.WithValidator(survey.Required), stdioOption()) // return the selected element index for i, option := range options { 
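Review bot: The doc comment on `outputWriter` in the first hunk has two typos ("where for all prompts will be printed", "os.Stder"); it should read `// outputWriter is where all prompts are printed. Defaults to os.Stderr.`. `SetOutputWriter` replaces package-level state with no synchronization, which is fine for a CLI that sets it once at startup, but the comment should state that expectation: `// SetOutputWriter sets the writer used by all prompts; call it once, before any prompt is issued.`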
@@ -70,7 +85,7 @@ func (cli *CliPrompter) String(pr string, defaultValue string) string { Message: pr, Default: defaultValue, } - _ = survey.AskOne(prompt, &val) + _ = survey.AskOne(prompt, &val, stdioOption()) return val } @@ -80,7 +95,7 @@ func (cli *CliPrompter) StringRequired(pr string) string { prompt := &survey.Input{ Message: pr, } - _ = survey.AskOne(prompt, &val, survey.WithValidator(survey.Required)) + _ = survey.AskOne(prompt, &val, survey.WithValidator(survey.Required), stdioOption()) return val } @@ -90,6 +105,6 @@ func (cli *CliPrompter) Password(pr string) string { prompt := &survey.Password{ Message: pr, } - _ = survey.AskOne(prompt, &val) + _ = survey.AskOne(prompt, &val, stdioOption()) return val } From 36a432663ecacd653a77c5a3122cc72d13e9e3e7 Mon Sep 17 00:00:00 2001 From: myunggijung Date: Thu, 8 Sep 2022 10:14:08 +0900 Subject: [PATCH 042/296] fix infinite loop for keycloak --- pkg/provider/keycloak/keycloak.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/pkg/provider/keycloak/keycloak.go b/pkg/provider/keycloak/keycloak.go index eb8c47c90..faebc79fe 100644 --- a/pkg/provider/keycloak/keycloak.go +++ b/pkg/provider/keycloak/keycloak.go @@ -101,7 +101,7 @@ func (kc *Client) doAuthenticate(authCtx *authContext, loginDetails *creds.Login } samlResponse, err := extractSamlResponse(doc) - if err != nil && authCtx.authenticatorIndexValid { + if err != nil && authCtx.authenticatorIndexValid && passwordValid(doc) { return kc.doAuthenticate(authCtx, loginDetails) } return samlResponse, err 
@@ -352,6 +352,18 @@ func extractSamlResponse(doc *goquery.Document) (string, error) { return samlAssertion, err } +func passwordValid(doc *goquery.Document) bool { + var valid = true + doc.Find("span#input-error").Each(func(i int, s *goquery.Selection) { + text := s.Text() + if strings.Contains(text, "Invalid username or password.") { + valid = false + return + } + }) + return valid +} + func containsTotpForm(doc *goquery.Document) bool { // search totp field at Keycloak < 8.0.1 totpIndex := doc.Find("input#totp").Index() From 146fea1b38985237403540631fbc5a5bec2787a5 Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 16:40:17 -0500 Subject: [PATCH 043/296] add support for building Windows MSI --- .github/win-msi/out/.gitignore | 2 ++ .github/win-msi/src/saml2aws.wxs | 28 ++++++++++++++++++ .github/win-msi/wix.sh | 3 ++ .github/workflows/release.yml | 50 +++++++++++++++++++++++++++++++- 4 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 .github/win-msi/out/.gitignore create mode 100644 .github/win-msi/src/saml2aws.wxs create mode 100644 .github/win-msi/wix.sh diff --git a/.github/win-msi/out/.gitignore b/.github/win-msi/out/.gitignore new file mode 100644 index 000000000..1287e9bd7 --- /dev/null +++ b/.github/win-msi/out/.gitignore @@ -0,0 +1,2 @@ +** +!.gitignore diff --git a/.github/win-msi/src/saml2aws.wxs b/.github/win-msi/src/saml2aws.wxs new file mode 100644 index 000000000..f1b2c8571 --- /dev/null +++ b/.github/win-msi/src/saml2aws.wxs @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/.github/win-msi/wix.sh b/.github/win-msi/wix.sh new file mode 100644 index 000000000..cbf8dc092 --- /dev/null +++ b/.github/win-msi/wix.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +candle src/saml2aws.wxs -dSaml2AwsVer=${VERSION} -o "out/" +light -sval "out/saml2aws.wixobj" -o "out/saml2aws_${VERSION}_windows_amd64.msi" 
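Review bot: `passwordValid` detects a failed login only by the English string "Invalid username or password.", so a realm with another locale or a customised theme still reports the password as valid and the recursion in `doAuthenticate` (the hunk at the end of the previous line) can loop again; consider treating any non-empty `span#input-error` as a failed login, or at least document the dependency with `// Keycloak renders login errors in span#input-error; the message text is locale-dependent.`. The `return` inside the `Each` callback only leaves the closure, not the iteration, which is harmless but misleading; the whole function body can be `return !strings.Contains(doc.Find("span#input-error").Text(), "Invalid username or password.")`. The function also lacks a doc comment.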
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be7f776f2..eadd358e1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ on: jobs: release: name: release - runs-on: macOS-latest + runs-on: macos-latest steps: - name: Set up Go 1.x @@ -26,3 +26,51 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + windows-msi: + name: Build Windows MSI and upload to release + runs-on: ubuntu-latest + needs: [release] + env: + INSTALLER: win-msi + BIN: win-msi/src/bin + WIXIMG: dactiv/wix@sha256:17d232708589641f5632f9a1ff9463ad087b192cea7b8e6012d2b47ec6af5f6c + steps: + - name: Strip v from version tag + run: | + VER=${{ github.ref }} + VERSION=${VER//v} + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_EVENT + + - name: Set up Go 1.x + uses: actions/setup-go@v2 + with: + go-version: 1.17.x + + - name: Check out code + uses: actions/checkout@v2 + + - name: Retrieve the release asset + id: asset + uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 + with: + tag: ${{ github.ref }} + file: ${{ env.ASSET }} + out-file-path: ${{ env.BIN }} + + - name: Unzip asset + working-directory: ${{ env.BIN }} + run: unzip "${ASSET}" + + - name: Build MSI + run: | + # container does not run as root + chmod -R o+rw "${INSTALLER}" + + cat "${INSTALLER}/wix.sh" | docker run --rm -i -e VERSION -v "${INSTALLER}:/wix" ${WIXIMG} /bin/sh + + - name: Upload the asset to the release + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14 / v1 + with: + files: ${{ env.INSTALLER }}/out/*.msi From 7cfcc685915d9009564ab0c02ddafd991efae2eb Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 16:41:39 -0500 Subject: [PATCH 044/296] fix paths --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
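Review bot: The new `windows-msi` job declares no `permissions:`, so it runs with the repository's default GITHUB_TOKEN scope although the only write it needs is the release upload in its last step; add `permissions:` with `contents: write` at the job level so the token the job (and the pinned container it runs) can reach is limited to that. The actions and the wix image are pinned by commit and digest, which is good; a comment on `WIXIMG` naming the image version the digest corresponds to would make future bumps reviewable.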
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eadd358e1..68a479d6a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,8 +32,8 @@ jobs: runs-on: ubuntu-latest needs: [release] env: - INSTALLER: win-msi - BIN: win-msi/src/bin + INSTALLER: .github/win-msi + BIN: .github/win-msi/src/bin WIXIMG: dactiv/wix@sha256:17d232708589641f5632f9a1ff9463ad087b192cea7b8e6012d2b47ec6af5f6c steps: - name: Strip v from version tag From 37981185738fc69125777631f58d5840b1ae86fc Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 16:49:14 -0500 Subject: [PATCH 045/296] fix env file --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68a479d6a..6a2706af2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,7 @@ jobs: VER=${{ github.ref }} VERSION=${VER//v} echo "VERSION=$VERSION" >> $GITHUB_ENV - echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_EVENT + echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV - name: Set up Go 1.x uses: actions/setup-go@v2 From 4a4bdadfeb457f79c18fdd6223b4e34e5f57a57a Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 16:58:39 -0500 Subject: [PATCH 046/296] fix download action parameter --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a2706af2..beb3bf6b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,7 +56,7 @@ jobs: uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 with: tag: ${{ github.ref }} - file: ${{ env.ASSET }} + fileName: ${{ env.ASSET }} out-file-path: ${{ env.BIN }} - name: Unzip asset 
From 3c44353c4b14b8b8e4fdf126d360c6d022e0b36c Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 17:12:54 -0500 Subject: [PATCH 047/296] fix repository parameter --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index beb3bf6b9..40873d116 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -55,6 +55,7 @@ jobs: id: asset uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 with: + repository: ${{ github.repository }} tag: ${{ github.ref }} fileName: ${{ env.ASSET }} out-file-path: ${{ env.BIN }} From 01c61f6809f5cd6036bbb2a2cc77e42a596d9767 Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 17:39:37 -0500 Subject: [PATCH 048/296] fix tag references --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 40873d116..d3ccfc3f6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Strip v from version tag run: | - VER=${{ github.ref }} + VER=${GITHUB_REF/refs\/tags\//} VERSION=${VER//v} echo "VERSION=$VERSION" >> $GITHUB_ENV echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV @@ -56,7 +56,7 @@ jobs: uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 with: repository: ${{ github.repository }} - tag: ${{ github.ref }} + tag: ${{ env:VER }} fileName: ${{ env.ASSET }} out-file-path: ${{ env.BIN }} From ee6f185aa3766fe35e428541b1045e5d5a2fd095 Mon Sep 17 00:00:00 2001 
From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 17:40:22 -0500 Subject: [PATCH 049/296] typo --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d3ccfc3f6..bfb42ee1b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,7 +56,7 @@ jobs: uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 with: repository: ${{ github.repository }} - tag: ${{ env:VER }} + tag: ${{ env.VER }} fileName: ${{ env.ASSET }} out-file-path: ${{ env.BIN }} From 45be97bd0fe4cdf554601baada8ec9d46f058b2a Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 17:49:29 -0500 Subject: [PATCH 050/296] fix tag again --- .github/workflows/release.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfb42ee1b..540601871 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ on: jobs: release: + if: 'false' # testing name: release runs-on: macos-latest steps: @@ -30,7 +31,7 @@ jobs: windows-msi: name: Build Windows MSI and upload to release runs-on: ubuntu-latest - needs: [release] + # needs: [release] env: INSTALLER: .github/win-msi BIN: .github/win-msi/src/bin @@ -40,6 +41,7 @@ jobs: run: | VER=${GITHUB_REF/refs\/tags\//} VERSION=${VER//v} + echo "VER_TAG=$VER" >> $GITHUB_ENV echo "VERSION=$VERSION" >> $GITHUB_ENV echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV @@ -56,7 +58,7 @@ jobs: uses: robinraju/release-downloader@4bdb8ee081c9ee08a35320794dd461312ac9e4ad # v1.3 with: repository: ${{ github.repository }} - tag: ${{ env.VER }} + tag: ${{ env.VER_TAG }} fileName: ${{ env.ASSET }} out-file-path: ${{ env.BIN }} From d616ccf89d512f005de721a11e0a0e657e0b3c87 Mon Sep 17 00:00:00 2001 
From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 17:54:15 -0500 Subject: [PATCH 051/296] use full paths --- .github/workflows/release.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 540601871..b33487ee8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,8 +33,8 @@ jobs: runs-on: ubuntu-latest # needs: [release] env: - INSTALLER: .github/win-msi - BIN: .github/win-msi/src/bin + INSTALLER: ${{ github.workspace }}/.github/win-msi + BIN: ${{ github.workspace }}/.github/win-msi/src/bin WIXIMG: dactiv/wix@sha256:17d232708589641f5632f9a1ff9463ad087b192cea7b8e6012d2b47ec6af5f6c steps: - name: Strip v from version tag @@ -45,11 +45,6 @@ jobs: echo "VERSION=$VERSION" >> $GITHUB_ENV echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV - - name: Set up Go 1.x - uses: actions/setup-go@v2 - with: - go-version: 1.17.x - - name: Check out code uses: actions/checkout@v2 From e9c36410d91aca79bbe7f839cb4a6694be93634c Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 18:14:07 -0500 Subject: [PATCH 052/296] workflow dispatch --- .github/workflows/release.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b33487ee8..8cbe77178 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,12 +4,17 @@ on: push: tags: - '*' + workflow_dispatch: + inputs: + tag: + description: The tag to run against. If release exists, only the MSI builder runs. + required: true jobs: release: - if: 'false' # testing name: release runs-on: macos-latest + if: github.event_name != 'workflow_dispatch' steps: - name: Set up Go 1.x 
@@ -31,7 +36,8 @@ jobs: windows-msi: name: Build Windows MSI and upload to release runs-on: ubuntu-latest - # needs: [release] + needs: [release] + if: needs.release.result == 'success' || needs.release.result == 'skipped' env: INSTALLER: ${{ github.workspace }}/.github/win-msi BIN: ${{ github.workspace }}/.github/win-msi/src/bin From 9bf90ceffa719479cfd94dc2a568a1103868e78b Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 18:15:12 -0500 Subject: [PATCH 053/296] better description --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8cbe77178..4684a3b9e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: inputs: tag: - description: The tag to run against. If release exists, only the MSI builder runs. + description: The tag to run against. This trigger only runs the MSI builder. required: true jobs: From ad42b302a5e3d5db99f66489741109c637b67b98 Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 18:18:46 -0500 Subject: [PATCH 054/296] needs conditional --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4684a3b9e..cd0a95b97 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,7 +37,9 @@ jobs: name: Build Windows MSI and upload to release runs-on: ubuntu-latest needs: [release] - if: needs.release.result == 'success' || needs.release.result == 'skipped' + if: >- # https://github.com/actions/runner/issues/491 + always() && + (needs.release.result == 'success' || needs.release.result == 'skipped') env: INSTALLER: ${{ github.workspace }}/.github/win-msi BIN: ${{ github.workspace }}/.github/win-msi/src/bin 
From 106519e861974fcb38dda728e92e898df7d04426 Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 18:23:22 -0500 Subject: [PATCH 055/296] tag fixups --- .github/workflows/release.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cd0a95b97..1d115182d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,10 +45,16 @@ jobs: BIN: ${{ github.workspace }}/.github/win-msi/src/bin WIXIMG: dactiv/wix@sha256:17d232708589641f5632f9a1ff9463ad087b192cea7b8e6012d2b47ec6af5f6c steps: - - name: Strip v from version tag + - name: Normalize tag values run: | - VER=${GITHUB_REF/refs\/tags\//} + if [[ "${{ github.event_name }}" == "workflow_dispatch "]] ; then + VER=${{ github.event.inputs.tag }} + else + VER=${GITHUB_REF/refs\/tags\//} + fi + VERSION=${VER//v} + echo "VER_TAG=$VER" >> $GITHUB_ENV echo "VERSION=$VERSION" >> $GITHUB_ENV echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV @@ -79,4 +85,5 @@ jobs: - name: Upload the asset to the release uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14 / v1 with: + tag_name: ${{ env.VER_TAG }} files: ${{ env.INSTALLER }}/out/*.msi From 430d80fc7346f28bbe1cd2ef5b11edf1b1dddec5 Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Thu, 3 Feb 2022 18:25:12 -0500 Subject: [PATCH 056/296] bash me --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1d115182d..d1ddec7b3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
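Review bot: The new `VER=${{ github.event.inputs.tag }}` line in the "Normalize tag values" step expands a workflow_dispatch input straight into the shell script, so the script text itself depends on what the caller typed; the usual guard is to pass it through the environment and quote it — add `env:` / `INPUT_TAG: ${{ github.event.inputs.tag }}` to the step and write `VER="$INPUT_TAG"`. The context line `VERSION=${VER//v}` strips every `v` in the tag rather than only the leading one, so a constructed tag like `v2.36.0-dev` becomes `2.36.0-de` and the asset name built on the next line no longer matches; `VERSION=${VER#v}` removes just the prefix. Manual dispatch requires write access, so the first point is hygiene rather than an open hole, but the second is a real mismatch for any tag containing a `v` after the prefix.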
@@ -47,7 +47,7 @@ jobs: steps: - name: Normalize tag values run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch "]] ; then + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] ; then VER=${{ github.event.inputs.tag }} else VER=${GITHUB_REF/refs\/tags\//} From 2ce9149a092b48b4e4a83be55695484d37b2e68b Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Tue, 3 May 2022 17:44:53 -0400 Subject: [PATCH 057/296] Update .github/workflows/release.yml --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d1ddec7b3..dbaee85e6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,7 +60,7 @@ jobs: echo "ASSET=saml2aws_${VERSION}_windows_amd64.zip" >> $GITHUB_ENV - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Retrieve the release asset id: asset From 61764498af90fd58b4813f47bd077b7172cd0b3b Mon Sep 17 00:00:00 2001 From: John Paton Date: Mon, 26 Sep 2022 16:43:43 +0200 Subject: [PATCH 058/296] Allow double quotes around stateToken Solves Versent/saml2aws#864 --- pkg/provider/okta/okta.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index d3a119e27..7d8771782 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go @@ -592,7 +592,7 @@ func (oc *Client) follow(ctx context.Context, req *http.Request, loginDetails *c } func getStateTokenFromOktaPageBody(responseBody string) (string, error) { - re := regexp.MustCompile("var stateToken = '(.*)';") + re := regexp.MustCompile("var stateToken = [\"|'](.*)[\"|'];") match := re.FindStringSubmatch(responseBody) if len(match) < 2 { return "", errors.New("cannot find state token") From 4fe3b147f8f70830831a22fab79a00452ae0f9e6 Mon Sep 17 00:00:00 2001 
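Review bot: Inside a character class `|` is a literal, so the new pattern `[\"|'](.*)[\"|']` also accepts a pipe as the quote and, because `(.*)` is greedy, captures up to the last quote-semicolon on the line rather than the closing quote of the token; `regexp.MustCompile("var stateToken = [\"']([^\"']*)[\"'];")` matches either quote style and stops at the first closing quote. Compiling the pattern once at package scope (`var stateTokenRe = regexp.MustCompile(...)`) would also avoid recompiling on every call, though that predates this change. getStateTokenFromOktaPageBody continues outside the hunk.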
From: Tim Underwood Date: Wed, 16 Nov 2022 13:24:29 -0800 Subject: [PATCH 059/296] README.md - Added note about SigV4A support --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 672b3750b..db2717cb6 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ Aside from Okta, most of the providers in this project are using screen scraping 1. AWS defaults to session tokens being issued with a duration of up to 3600 seconds (1 hour), this can now be configured as per [Enable Federated API Access to your AWS Resources for up to 12 hours Using IAM Roles](https://aws.amazon.com/blogs/security/enable-federated-api-access-to-your-aws-resources-for-up-to-12-hours-using-iam-roles/) and `--session-duration` flag. 2. Every SAML provider is different, the login process, MFA support is pluggable and therefore some work may be needed to integrate with your identity server +3. By default, the temporary security credentials returned **do not support SigV4A**. If you need SigV4A support then you must set the `AWS_STS_REGIONAL_ENDPOINTS` enviornment variable to `regional` when calling `saml2aws` so that [aws-sdk-go](https://github.com/aws/aws-sdk-go) uses a regional STS endpoint instead of the global one. See the note at the bottom of [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html#signature-versions) and [AWS STS Regionalized endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html). ## Install From 065d87a625391c37a12c7956a44bdcb850dc16cc Mon Sep 17 00:00:00 2001 From: Marcus Crane Date: Mon, 21 Nov 2022 14:22:05 +1300 Subject: [PATCH 060/296] Always use OneLogin host instead of trusting callback URL --- pkg/provider/onelogin/onelogin.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/provider/onelogin/onelogin.go b/pkg/provider/onelogin/onelogin.go index 9a2ece804..6914054b1 100644 --- a/pkg/provider/onelogin/onelogin.go 
+++ b/pkg/provider/onelogin/onelogin.go @@ -157,7 +157,7 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) samlAssertion = authData.String() case MessageMFARequired: logger.Debug("Verifying MFA") - samlAssertion, err = verifyMFA(c, oauthToken, c.AppID, resp) + samlAssertion, err = verifyMFA(c, oauthToken, c.AppID, host, resp) if err != nil { return "", errors.Wrap(err, "error verifying MFA") } @@ -204,7 +204,7 @@ func addContentHeaders(r *http.Request) { // verifyMFA is used to either prompt to user for one time password or request approval using push notification. // For more details check https://developers.onelogin.com/api-docs/2/saml-assertions/verify-factor -func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { +func verifyMFA(oc *Client, oauthToken, appID, host, resp string) (string, error) { stateToken := gjson.Get(resp, "state_token").String() // choose an mfa option if there are multiple enabled var option int @@ -235,7 +235,7 @@ func verifyMFA(oc *Client, oauthToken, appID, resp string) (string, error) { } factorID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() - callbackURL := gjson.Get(resp, "callback_url").String() + callbackURL := fmt.Sprintf("https://%s/api/2/saml_assertion/verify_factor", host) mfaIdentifer := gjson.Get(resp, fmt.Sprintf("devices.%d.device_type", option)).String() mfaDeviceID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() From c2502af872ec954a1028fbdc6df03972f79c641a Mon Sep 17 00:00:00 2001 From: Marcus Crane Date: Mon, 21 Nov 2022 14:25:22 +1300 Subject: [PATCH 061/296] Add a comment about callback URL --- pkg/provider/onelogin/onelogin.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/provider/onelogin/onelogin.go b/pkg/provider/onelogin/onelogin.go index 6914054b1..c4b87b28e 100644 --- a/pkg/provider/onelogin/onelogin.go +++ b/pkg/provider/onelogin/onelogin.go 
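Review bot: The doc comment on verifyMFA (the context line above the changed signature) still describes only the OTP/push prompting and says nothing about the new `host` parameter, so a reader has to go to the call site in Authenticate to learn what it is for. Suggest extending it with `// host is the OneLogin API host the verify_factor request is sent to; it comes from the client configuration rather than the callback_url in the response, so the factor is only ever submitted to the configured tenant.` The origin of `host` is outside this hunk, so confirm it is derived from the configured subdomain/URL and not from response data before stating that. verifyMFA continues outside the hunk.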
@@ -235,6 +235,9 @@ func verifyMFA(oc *Client, oauthToken, appID, host, resp string) (string, error) } factorID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() + // We always use the host here instead of the value of the callback_url field as + // some tenants may be erroneously routed to different regions causing a + // 400 Bad Request to appear whereas the host URL always resolves to the nearest region. callbackURL := fmt.Sprintf("https://%s/api/2/saml_assertion/verify_factor", host) mfaIdentifer := gjson.Get(resp, fmt.Sprintf("devices.%d.device_type", option)).String() mfaDeviceID := gjson.Get(resp, fmt.Sprintf("devices.%d.device_id", option)).String() From b9d7709eebbac52096f58a96ca38fb3058aaf1b9 Mon Sep 17 00:00:00 2001 From: Takuma Hashimoto Date: Tue, 29 Nov 2022 00:52:48 +0900 Subject: [PATCH 062/296] Support OneLogin v2 saml-assertion ip_address https://developers.onelogin.com/api-docs/2/saml-assertions/generate-saml-assertion --- cmd/saml2aws/commands/login.go | 7 +++++++ cmd/saml2aws/commands/login_test.go | 4 ++-- cmd/saml2aws/main.go | 2 ++ pkg/cfg/cfg.go | 1 + pkg/creds/creds.go | 1 + pkg/flags/flags.go | 5 +++++ pkg/provider/onelogin/onelogin.go | 2 +- 7 files changed, 19 insertions(+), 3 deletions(-) diff --git a/cmd/saml2aws/commands/login.go b/cmd/saml2aws/commands/login.go index 86fe3ffd0..97bbb7bd9 100644 --- a/cmd/saml2aws/commands/login.go +++ b/cmd/saml2aws/commands/login.go 
@@ -217,6 +217,13 @@ func resolveLoginDetails(account *cfg.IDPAccount, loginFlags *flags.LoginExecFla loginDetails.ClientSecret = loginFlags.CommonFlags.ClientSecret } + // if you supply an mfa_ip_address in a flag or an IDP account it takes precedence + if account.MFAIPAddress != "" { + loginDetails.MFAIPAddress = account.MFAIPAddress + } else if loginFlags.CommonFlags.MFAIPAddress != "" { + loginDetails.MFAIPAddress = loginFlags.CommonFlags.MFAIPAddress + } + // log.Printf("loginDetails %+v", loginDetails) // if skip prompt was passed just pass back the flag values diff --git a/cmd/saml2aws/commands/login_test.go b/cmd/saml2aws/commands/login_test.go index 0e29f3640..bca0442cf 100644 --- a/cmd/saml2aws/commands/login_test.go +++ b/cmd/saml2aws/commands/login_test.go @@ -15,7 +15,7 @@ import ( func TestResolveLoginDetailsWithFlags(t *testing.T) { - commonFlags := &flags.CommonFlags{URL: "https://id.example.com", Username: "wolfeidau", Password: "testtestlol", MFAToken: "123456", SkipPrompt: true} + commonFlags := &flags.CommonFlags{URL: "https://id.example.com", Username: "wolfeidau", Password: "testtestlol", MFAIPAddress: "127.0.0.1", MFAToken: "123456", SkipPrompt: true} loginFlags := &flags.LoginExecFlags{CommonFlags: commonFlags} idpa := &cfg.IDPAccount{ @@ -27,7 +27,7 @@ func TestResolveLoginDetailsWithFlags(t *testing.T) { loginDetails, err := resolveLoginDetails(idpa, loginFlags) assert.Empty(t, err) - assert.Equal(t, &creds.LoginDetails{Username: "wolfeidau", Password: "testtestlol", URL: "https://id.example.com", MFAToken: "123456"}, loginDetails) + assert.Equal(t, &creds.LoginDetails{Username: "wolfeidau", Password: "testtestlol", URL: "https://id.example.com", MFAToken: "123456", MFAIPAddress: "127.0.0.1"}, loginDetails) } func TestOktaResolveLoginDetailsWithFlags(t *testing.T) { diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go index d6ee181e3..8bb042448 100644 --- a/cmd/saml2aws/main.go +++ b/cmd/saml2aws/main.go 
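Review bot: The comment at the top of the new block says an mfa_ip_address from a flag or an account "takes precedence", but the code prefers `account.MFAIPAddress` and only falls back to the flag when the account has none, the opposite of what a reader expects from a CLI flag; either swap the two branches or reword the comment to `// the account's mfa_ip_address wins; --mfa-ip-address is only used when the account has none` (if ApplyFlagOverrides runs first, the flag value is already in the account and the order is moot — worth saying so). The value is also forwarded to OneLogin without any check; a `net.ParseIP(...) == nil` guard here or in ApplyFlagOverrides would reject typos before they reach the MFA policy evaluation. resolveLoginDetails starts and ends outside this hunk.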
@@ -90,6 +90,7 @@ func main() { cmdConfigure.Flag("client-id", "OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)").Envar("ONELOGIN_CLIENT_ID").StringVar(&commonFlags.ClientID) cmdConfigure.Flag("client-secret", "OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)").Envar("ONELOGIN_CLIENT_SECRET").StringVar(&commonFlags.ClientSecret) cmdConfigure.Flag("subdomain", "OneLogin subdomain of your company account. (env: ONELOGIN_SUBDOMAIN)").Envar("ONELOGIN_SUBDOMAIN").StringVar(&commonFlags.Subdomain) + cmdConfigure.Flag("mfa-ip-address", "IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)").Envar("ONELOGIN_MFA_IP_ADDRESS").StringVar(&commonFlags.MFAIPAddress) cmdConfigure.Flag("profile", "The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE)").Envar("SAML2AWS_PROFILE").Short('p').StringVar(&commonFlags.Profile) cmdConfigure.Flag("resource-id", "F5APM SAML resource ID of your company account. (env: SAML2AWS_F5APM_RESOURCE_ID)").Envar("SAML2AWS_F5APM_RESOURCE_ID").StringVar(&commonFlags.ResourceID) cmdConfigure.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) 
@@ -107,6 +108,7 @@ func main() { cmdLogin.Flag("duo-mfa-option", "The MFA option you want to use to authenticate with").Envar("SAML2AWS_DUO_MFA_OPTION").EnumVar(&loginFlags.DuoMFAOption, "Passcode", "Phone Call", "Duo Push") cmdLogin.Flag("client-id", "OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID)").Envar("ONELOGIN_CLIENT_ID").StringVar(&commonFlags.ClientID) cmdLogin.Flag("client-secret", "OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET)").Envar("ONELOGIN_CLIENT_SECRET").StringVar(&commonFlags.ClientSecret) + cmdLogin.Flag("mfa-ip-address", "IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS)").Envar("ONELOGIN_MFA_IP_ADDRESS").StringVar(&commonFlags.MFAIPAddress) cmdLogin.Flag("force", "Refresh credentials even if not expired.").BoolVar(&loginFlags.Force) cmdLogin.Flag("credential-process", "Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message.").BoolVar(&loginFlags.CredentialProcess) cmdLogin.Flag("credentials-file", "The file that will cache the credentials retrieved from AWS. When not specified, will use the default AWS credentials file location. (env: SAML2AWS_CREDENTIALS_FILE)").Envar("SAML2AWS_CREDENTIALS_FILE").StringVar(&commonFlags.CredentialsFile) diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index ccfb19cc4..8ab18fd75 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -40,6 +40,7 @@ type IDPAccount struct { Username string `ini:"username"` Provider string `ini:"provider"` MFA string `ini:"mfa"` + MFAIPAddress string `ini:"mfa_ip_address"` // used by OneLogin SkipVerify bool `ini:"skip_verify"` Timeout int `ini:"timeout"` AmazonWebservicesURN string `ini:"aws_urn"` diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go index e006216ba..0f846ff02 100644 --- a/pkg/creds/creds.go +++ b/pkg/creds/creds.go 
@@ -4,6 +4,7 @@ package creds type LoginDetails struct { ClientID string // used by OneLogin ClientSecret string // used by OneLogin + MFAIPAddress string // used by OneLogin Username string Password string MFAToken string diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 7a3beb6fa..9c741cb94 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -13,6 +13,7 @@ type CommonFlags struct { IdpAccount string IdpProvider string MFA string + MFAIPAddress string MFAToken string URL string Username string @@ -75,6 +76,10 @@ func ApplyFlagOverrides(commonFlags *CommonFlags, account *cfg.IDPAccount) { account.MFA = commonFlags.MFA } + if commonFlags.MFAIPAddress != "" { + account.MFAIPAddress = commonFlags.MFAIPAddress + } + if commonFlags.AmazonWebservicesURN != "" { account.AmazonWebservicesURN = commonFlags.AmazonWebservicesURN } diff --git a/pkg/provider/onelogin/onelogin.go b/pkg/provider/onelogin/onelogin.go index c4b87b28e..9c37f112e 100644 --- a/pkg/provider/onelogin/onelogin.go +++ b/pkg/provider/onelogin/onelogin.go @@ -105,7 +105,7 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) logger.Debug("Retrieved OneLogin OAuth token:", oauthToken) - authReq := AuthRequest{Username: loginDetails.Username, Password: loginDetails.Password, AppID: c.AppID, Subdomain: c.Subdomain} + authReq := AuthRequest{Username: loginDetails.Username, Password: loginDetails.Password, AppID: c.AppID, Subdomain: c.Subdomain, IPAddress: loginDetails.MFAIPAddress} var authBody bytes.Buffer err = json.NewEncoder(&authBody).Encode(authReq) if err != nil { From 911662c9deba99a3861cbf41b0cc4fdb1c21d12d Mon Sep 17 00:00:00 2001 From: Takuma Hashimoto Date: Thu, 1 Dec 2022 18:33:42 +0900 Subject: [PATCH 063/296] add usage for mfa-ip-address --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index db2717cb6..2a7de25f5 100644 --- a/README.md +++ b/README.md 
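Review bot: The context line two above the changed `authReq` literal, `logger.Debug("Retrieved OneLogin OAuth token:", oauthToken)`, writes the bearer token used for every subsequent API call into the debug log, so anyone who turns on verbose output to troubleshoot the new `IPAddress` field ends up with a live credential in their terminal or in a pasted bug report. Logging only that a token was obtained, `logger.Debug("Retrieved OneLogin OAuth token")`, keeps the diagnostic value. This line predates the commit, but it sits directly in the path this change invites users to debug. Authenticate continues outside the hunk.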
@@ -179,6 +179,8 @@ Commands: --client-secret=CLIENT-SECRET OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET) --subdomain=SUBDOMAIN OneLogin subdomain of your company account. (env: ONELOGIN_SUBDOMAIN) + --mfa-ip-address=MFA-IP-ADDRESS + IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS) -p, --profile=PROFILE The AWS profile to save the temporary credentials. (env: SAML2AWS_PROFILE) --resource-id=RESOURCE-ID F5APM SAML resource ID of your company account. (env: SAML2AWS_F5APM_RESOURCE_ID) --config=CONFIG Path/filename of saml2aws config file (env: SAML2AWS_CONFIGFILE) @@ -196,6 +198,8 @@ Commands: --client-id=CLIENT-ID OneLogin client id, used to generate API access token. (env: ONELOGIN_CLIENT_ID) --client-secret=CLIENT-SECRET OneLogin client secret, used to generate API access token. (env: ONELOGIN_CLIENT_SECRET) + --mfa-ip-address=MFA-IP-ADDRESS + IP address whitelisting defined in OneLogin MFA policies. (env: ONELOGIN_MFA_IP_ADDRESS) --force Refresh credentials even if not expired. --credential-process Enables AWS Credential Process support by outputting credentials to STDOUT in a JSON message. --credentials-file=CREDENTIALS-FILE From 6620c45a099e753e44a350c1f11a17768cf6234f Mon Sep 17 00:00:00 2001 From: Eli Atzaba Date: Tue, 10 Jan 2023 13:31:07 -0800 Subject: [PATCH 064/296] added support for Firefox and Webkit --- cmd/saml2aws/main.go | 2 +- pkg/provider/browser/browser.go | 19 ++++++++++++++----- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go index 7edffd576..95bd2f651 100644 --- a/cmd/saml2aws/main.go +++ b/cmd/saml2aws/main.go 
@@ -70,7 +70,7 @@ func main() { app.Flag("config", "Path/filename of saml2aws config file (env: SAML2AWS_CONFIGFILE)").Envar("SAML2AWS_CONFIGFILE").StringVar(&commonFlags.ConfigFile) app.Flag("idp-account", "The name of the configured IDP account. (env: SAML2AWS_IDP_ACCOUNT)").Envar("SAML2AWS_IDP_ACCOUNT").Short('a').Default("default").StringVar(&commonFlags.IdpAccount) app.Flag("idp-provider", "The configured IDP provider. (env: SAML2AWS_IDP_PROVIDER)").Envar("SAML2AWS_IDP_PROVIDER").EnumVar(&commonFlags.IdpProvider, "Akamai", "AzureAD", "ADFS", "ADFS2", "Browser", "GoogleApps", "Ping", "JumpCloud", "Okta", "OneLogin", "PSU", "KeyCloak", "F5APM", "Shibboleth", "ShibbolethECP", "NetIQ", "Auth0") - app.Flag("browser-type", "The configured browser type when the IDP provider is set to Browser. (env: SAML2AWS_BROWSER_TYPE)").Envar("SAML2AWS_BROWSER_TYPE").EnumVar(&commonFlags.BrowserType, "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary") + app.Flag("browser-type", "The configured browser type when the IDP provider is set to Browser. (env: SAML2AWS_BROWSER_TYPE)").Envar("SAML2AWS_BROWSER_TYPE").EnumVar(&commonFlags.BrowserType, "firefox", "webkit", "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary") app.Flag("mfa", "The name of the mfa. (env: SAML2AWS_MFA)").Envar("SAML2AWS_MFA").StringVar(&commonFlags.MFA) app.Flag("skip-verify", "Skip verification of server certificate. (env: SAML2AWS_SKIP_VERIFY)").Envar("SAML2AWS_SKIP_VERIFY").Short('s').BoolVar(&commonFlags.SkipVerify) app.Flag("url", "The URL of the SAML IDP server used to login. (env: SAML2AWS_URL)").Envar("SAML2AWS_URL").StringVar(&commonFlags.URL) diff --git a/pkg/provider/browser/browser.go b/pkg/provider/browser/browser.go index 1df8bc760..bee22288e 100644 --- a/pkg/provider/browser/browser.go +++ b/pkg/provider/browser/browser.go 
@@ -35,15 +35,24 @@ func (cl *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) Headless: playwright.Bool(false), } - if cl.idpAccount.BrowserType != "" { - logger.Info(fmt.Sprintf("Setting browser type: %s", cl.idpAccount.BrowserType)) - launchOptions.Channel = playwright.String(cl.idpAccount.BrowserType) + browserTypeName := cl.idpAccount.BrowserType + if browserTypeName != "" { + logger.Info(fmt.Sprintf("Setting browser type: %s", browserTypeName)) + launchOptions.Channel = playwright.String(browserTypeName) } - // currently using Chromium as it is widely supported for Identity providers + // default browser is Chromium as it is widely supported for Identity providers, it can also be set to the other playwright browsers: Firefox and WebKit + browserType := pw.Chromium + if browserTypeName == "firefox" { + browserType = pw.Firefox + } else if browserTypeName == "webkit" { + browserType = pw.WebKit + } + + // currently using the main browsers supported by Playwright: Chromium, Firefox or Webkit // // this is a sandboxed browser window so password managers and addons are separate - browser, err := pw.Chromium.Launch(launchOptions) + browser, err := browserType.Launch(launchOptions) if err != nil { return "", err } From 62fabce354b1bf07a20170521fd22e712075ad58 Mon Sep 17 00:00:00 2001 From: Eli Atzaba Date: Wed, 11 Jan 2023 12:12:39 -0800 Subject: [PATCH 065/296] Set BrowserType without Idp-provider restriction --- pkg/flags/flags.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 2a32714e1..d25aadcbd 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -72,7 +72,7 @@ func ApplyFlagOverrides(commonFlags *CommonFlags, account *cfg.IDPAccount) { account.Provider = commonFlags.IdpProvider } - if commonFlags.IdpProvider == "Browser" && commonFlags.BrowserType != "" { + if commonFlags.BrowserType != "" { account.BrowserType = commonFlags.BrowserType } 
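Review bot: When browserTypeName is `firefox` or `webkit` the new code still enters the `if browserTypeName != ""` branch and sets `launchOptions.Channel` to that name, although Channel selects a Chromium distribution (the chrome/msedge values in the flag enum); whether Firefox.Launch or WebKit.Launch rejects or ignores an unknown channel is not visible here, so the safer shape is to set Channel only for the Chromium case. A single switch also replaces the if/else-if chain and the two overlapping comments. Authenticate continues outside the hunk.
```go
browserTypeName := cl.idpAccount.BrowserType

// Firefox and WebKit are separate Playwright browsers; any other non-empty
// value is treated as a Chromium distribution channel (chrome, msedge, ...).
browserType := pw.Chromium
switch browserTypeName {
case "":
	// keep the Chromium default
case "firefox":
	browserType = pw.Firefox
case "webkit":
	browserType = pw.WebKit
default:
	logger.Info(fmt.Sprintf("Setting browser type: %s", browserTypeName))
	launchOptions.Channel = playwright.String(browserTypeName)
}
// … unchanged: browserType.Launch(launchOptions) and error handling …
```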
From c21240b2cf0ec93d7f0bfd1646d796df8299edb8 Mon Sep 17 00:00:00 2001 From: charltona <2724511+charltona@users.noreply.github.com> Date: Wed, 18 Jan 2023 09:46:01 +1000 Subject: [PATCH 066/296] Allow Symantec VIP to be passed as param for OTP method for okta signin --- saml2aws.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/saml2aws.go b/saml2aws.go index 010c42aca..678085380 100644 --- a/saml2aws.go +++ b/saml2aws.go @@ -37,10 +37,10 @@ var MFAsByProvider = ProviderList{ "Ping": []string{"Auto"}, // automatically detects PingID "PingOne": []string{"Auto"}, // automatically detects PingID "JumpCloud": []string{"Auto", "TOTP", "WEBAUTHN", "DUO", "PUSH"}, - "Okta": []string{"Auto", "PUSH", "DUO", "SMS", "TOTP", "OKTA", "FIDO", "YUBICO TOKEN:HARDWARE"}, // automatically detects DUO, SMS, ToTP, and FIDO - "OneLogin": []string{"Auto", "OLP", "SMS", "TOTP", "YUBIKEY"}, // automatically detects OneLogin Protect, SMS and ToTP - "KeyCloak": []string{"Auto"}, // automatically detects ToTP - "GoogleApps": []string{"Auto"}, // automatically detects ToTP + "Okta": []string{"Auto", "PUSH", "DUO", "SMS", "TOTP", "OKTA", "FIDO", "YUBICO TOKEN:HARDWARE", "SYMANTEC"}, // automatically detects DUO, SMS, ToTP, and FIDO + "OneLogin": []string{"Auto", "OLP", "SMS", "TOTP", "YUBIKEY"}, // automatically detects OneLogin Protect, SMS and ToTP + "KeyCloak": []string{"Auto"}, // automatically detects ToTP + "GoogleApps": []string{"Auto"}, // automatically detects ToTP "Shibboleth": []string{"Auto", "None"}, "F5APM": []string{"Auto"}, "Akamai": []string{"Auto", "DUO", "SMS", "EMAIL", "TOTP"}, From cc5d3f9380ad5b9f9843926fd4df62d816969230 Mon Sep 17 00:00:00 2001 From: falms Date: Tue, 14 Feb 2023 21:56:33 +0900 Subject: [PATCH 067/296] fix googleapps login use form data returned by server instead of hard-coded values --- pkg/provider/googleapps/googleapps.go | 78 +++------------------------ 1 file changed, 8 insertions(+), 70 deletions(-) 
diff --git a/pkg/provider/googleapps/googleapps.go b/pkg/provider/googleapps/googleapps.go index 7e8e6ad1f..3f99f089c 100644 --- a/pkg/provider/googleapps/googleapps.go +++ b/pkg/provider/googleapps/googleapps.go @@ -55,8 +55,12 @@ func (kc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) return "", errors.Wrap(err, "error loading first page") } + // Google supports only JavaScript-enabled clients + authForm.Set("bgresponse", "js_enabled") + authForm.Set("Email", loginDetails.Username) + // Post email address w/o password, then Get the password-input page passwordURL, passwordForm, err := kc.loadLoginPage(authURL+"?hl=en&loc=US", loginDetails.URL+"&hl=en&loc=US", authForm) if err != nil { return "", errors.Wrap(err, "error loading login page") @@ -64,23 +68,12 @@ func (kc *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) logger.Debugf("loginURL: %s", passwordURL) - authForm.Set("Passwd", loginDetails.Password) + passwordForm.Set("Passwd", loginDetails.Password) + passwordForm.Set("TrustDevice", "on") referingURL := passwordURL - if _, rawIdPresent := passwordForm["rawidentifier"]; rawIdPresent { - authForm.Set("rawidentifier", loginDetails.Username) - referingURL = authURL - } - - if v, tlPresent := passwordForm["TL"]; tlPresent { - authForm.Set("TL", v[0]) - } - if v, gxfPresent := passwordForm["gxf"]; gxfPresent { - authForm.Set("gxf", v[0]) - } - - responseDoc, err := kc.loadChallengePage(passwordURL+"?hl=en&loc=US", referingURL, authForm, loginDetails) + responseDoc, err := kc.loadChallengePage(passwordURL+"?hl=en&loc=US", referingURL, passwordForm, loginDetails) if err != nil { return "", errors.Wrap(err, "error loading challenge page") } 
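Review bot: `passwordForm.Set("TrustDevice", "on")` in the second hunk silently asks Google to remember this client as a trusted device, which changes how later 2-step verification prompts behave for the account, and nothing near the line says that this is intended. A short comment such as `// TrustDevice=on asks Google to treat this client as a trusted device for later 2-step prompts; intentional — confirm it is still required by the current flow` would make the trade-off visible to whoever next touches the login sequence. Authenticate starts and ends outside both hunks.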
@@ -231,62 +224,7 @@ func (kc *Client) loadFirstPage(loginDetails *creds.LoginDetails) (string, url.V return "", nil, errors.Wrap(err, "failed to build login form data") } - _, loginPageV1 := authForm["GALX"] - - var postForm url.Values - // using a field which is known to be in the original login page - if loginPageV1 { - // Login page v1 - postForm = url.Values{ - "bgresponse": []string{"js_enabled"}, - "checkConnection": []string{""}, - "checkedDomains": []string{"youtube"}, - "continue": []string{authForm.Get("continue")}, - "gxf": []string{authForm.Get("gxf")}, - "identifier-captcha-input": []string{""}, - "identifiertoken": []string{""}, - "identifiertoken_audio": []string{""}, - "ltmpl": []string{"popup"}, - "oauth": []string{"1"}, - "Page": []string{authForm.Get("Page")}, - "Passwd": []string{""}, - "PersistentCookie": []string{"yes"}, - "ProfileInformation": []string{""}, - "pstMsg": []string{"0"}, - "sarp": []string{"1"}, - "scc": []string{"1"}, - "SessionState": []string{authForm.Get("SessionState")}, - "signIn": []string{authForm.Get("signIn")}, - "_utf8": []string{authForm.Get("_utf8")}, - "GALX": []string{authForm.Get("GALX")}, - } - } else { - // Login page v2 - postForm = url.Values{ - "challengeId": []string{"1"}, - "challengeType": []string{"1"}, - "continue": []string{authForm.Get("continue")}, - "scc": []string{"1"}, - "sarp": []string{"1"}, - "checkeddomains": []string{"youtube"}, - "checkConnection": []string{"youtube:930:1"}, - "pstMessage": []string{"1"}, - "oauth": []string{authForm.Get("oauth")}, - "flowName": []string{authForm.Get("flowName")}, - "faa": []string{"1"}, - "Email": []string{""}, - "Passwd": []string{""}, - "TrustDevice": []string{"on"}, - "bgresponse": []string{"js_enabled"}, - } - for _, k := range []string{"TL", "gxf"} { - if v, ok := authForm[k]; ok { - postForm.Set(k, v[0]) - } - } - } - - return submitURL, postForm, err + return submitURL, authForm, err } func (kc *Client) loadLoginPage(submitURL string, referer string, 
authForm url.Values) (string, url.Values, error) { From b89d840f8c22746db4a463f6301e026542e23d22 Mon Sep 17 00:00:00 2001 From: Mark Wolfe Date: Fri, 17 Feb 2023 08:25:14 +1100 Subject: [PATCH 068/296] sorted out go mod changes from upstream --- go.mod | 2 +- go.sum | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index b0c0d53db..503b80325 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.9.0 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 - github.com/stretchr/testify v1.7.0 + github.com/stretchr/testify v1.7.1 github.com/tidwall/gjson v1.13.0 github.com/versent/saml2aws/v2 v2.35.0 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd diff --git a/go.sum b/go.sum index 2713211cc..ff83ac0c0 100644 --- a/go.sum +++ b/go.sum 
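Review bot: `return submitURL, authForm, err` at the end of the rewritten loadFirstPage returns an `err` that the guard two lines above has already shown to be nil, so `return submitURL, authForm, nil` states the intent and spares a reader wondering whether an error can come back alongside a populated form. With the hand-built field lists gone, every field scraped from the login page is now posted back verbatim; a one-line comment above the return, e.g. `// the scraped form is returned as-is: the server-provided hidden fields are what the next step expects`, would record why the previous allow-list was dropped. loadFirstPage starts outside this hunk.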
@@ -162,14 +162,12 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/tidwall/gjson v1.14.1 h1:iymTbGkQBhveq21bEvAQ81I0LEBork8BFe1CUZXdyuo= -github.com/tidwall/gjson v1.14.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.13.0 h1:3TFY9yxOQShrvmjdM76K+jc66zJeT6D3/VFFYCGQf7M= +github.com/tidwall/gjson v1.13.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= 
@@ -213,6 +211,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From a2d27433fd81b94c800a10ec934b1bfefbc80345 Mon Sep 17 00:00:00 2001 From: Mark Wolfe Date: Fri, 17 Feb 2023 08:59:27 +1100 Subject: [PATCH 069/296] fixes for merge of gomod changes and some formating updates --- cmd/saml2aws/commands/login_darwin.go | 1 + go.mod | 3 +-- go.sum | 2 -- helper/osxkeychain/keychain.go | 1 + helper/osxkeychain/osxkeychain.go | 1 + helper/osxkeychain/osxkeychain_test.go | 1 + pkg/cookiejar/jar.go | 6 +++--- pkg/cookiejar/jar_test.go | 19 ++++++++++--------- pkg/provider/auth0/auth0.go | 2 +- pkg/provider/f5apm/f5apm.go | 2 +- saml.go | 10 +++++----- 11 files changed, 25 insertions(+), 23 deletions(-) diff --git a/cmd/saml2aws/commands/login_darwin.go b/cmd/saml2aws/commands/login_darwin.go index 14b4d9bbe..c2d036354 100644 --- a/cmd/saml2aws/commands/login_darwin.go +++ b/cmd/saml2aws/commands/login_darwin.go @@ -1,3 +1,4 @@ +//go:build darwin && cgo // +build darwin,cgo package commands diff --git a/go.mod b/go.mod index 503b80325..12b788a3d 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/marcottedan/saml2aws/v2 +module github.com/versent/saml2aws/v2 go 1.18 
@@ -22,7 +22,6 @@ require ( github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/stretchr/testify v1.7.1 github.com/tidwall/gjson v1.13.0 - github.com/versent/saml2aws/v2 v2.35.0 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd gopkg.in/ini.v1 v1.66.6 ) diff --git a/go.sum b/go.sum index ff83ac0c0..7470f8040 100644 --- a/go.sum +++ b/go.sum @@ -174,8 +174,6 @@ github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/versent/saml2aws/v2 v2.35.0 h1:3IMuRWxrtb8id0Rz3TcdH8tx5XYFzIj0TXBjxS0qM/w= -github.com/versent/saml2aws/v2 v2.35.0/go.mod h1:ZGX2eg23eINLc7VBkqdDbRs6oqVLwbPW9kTJwM1Jjko= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= diff --git a/helper/osxkeychain/keychain.go b/helper/osxkeychain/keychain.go index 3a9ec5ba7..555655f02 100644 --- a/helper/osxkeychain/keychain.go +++ b/helper/osxkeychain/keychain.go @@ -1,3 +1,4 @@ +//go:build darwin && cgo // +build darwin,cgo package osxkeychain diff --git a/helper/osxkeychain/osxkeychain.go b/helper/osxkeychain/osxkeychain.go index cc0f951b0..93e2bcdf3 100644 --- a/helper/osxkeychain/osxkeychain.go +++ b/helper/osxkeychain/osxkeychain.go @@ -1,3 +1,4 @@ +//go:build darwin && cgo // +build darwin,cgo package osxkeychain diff --git a/helper/osxkeychain/osxkeychain_test.go b/helper/osxkeychain/osxkeychain_test.go index de9cda899..78b85337c 100644 --- a/helper/osxkeychain/osxkeychain_test.go 
+++ b/helper/osxkeychain/osxkeychain_test.go
@@ -1,3 +1,4 @@
+//go:build darwin && cgo
 // +build darwin,cgo
 // Copyright (c) 2016 David Calavera
diff --git a/pkg/cookiejar/jar.go b/pkg/cookiejar/jar.go
index 62e5b26ec..2c3b569f8 100644
--- a/pkg/cookiejar/jar.go
+++ b/pkg/cookiejar/jar.go
@@ -18,9 +18,9 @@ import (
 )
 // PublicSuffixList provides the public suffix of a domain. For example:
-// - the public suffix of "example.com" is "com",
-// - the public suffix of "foo1.foo2.foo3.co.uk" is "co.uk", and
-// - the public suffix of "bar.pvt.k12.ma.us" is "pvt.k12.ma.us".
+// - the public suffix of "example.com" is "com",
+// - the public suffix of "foo1.foo2.foo3.co.uk" is "co.uk", and
+// - the public suffix of "bar.pvt.k12.ma.us" is "pvt.k12.ma.us".
 //
 // Implementations of PublicSuffixList must be safe for concurrent use by
 // multiple goroutines.
diff --git a/pkg/cookiejar/jar_test.go b/pkg/cookiejar/jar_test.go
index fc1462d0d..5262d2154 100644
--- a/pkg/cookiejar/jar_test.go
+++ b/pkg/cookiejar/jar_test.go
@@ -20,8 +20,9 @@ var tNow = time.Date(2013, 1, 1, 12, 0, 0, 0, time.UTC)
 // testPSL implements PublicSuffixList with just two rules: "co.uk"
 // and the default rule "*".
 // The implementation has two intentional bugs:
-// PublicSuffix("www.buggy.psl") == "xy"
-// PublicSuffix("www2.buggy.psl") == "com"
+//
+// PublicSuffix("www.buggy.psl") == "xy"
+// PublicSuffix("www2.buggy.psl") == "com"
 type testPSL struct{}
 func (testPSL) String() string {
@@ -358,13 +359,13 @@ func mustParseURL(s string) *url.URL {
 }
 // jarTest encapsulates the following actions on a jar:
-// 1. Perform SetCookies with fromURL and the cookies from setCookies.
-// (Done at time tNow + 0 ms.)
-// 2. Check that the entries in the jar matches content.
-// (Done at time tNow + 1001 ms.)
-// 3. For each query in tests: Check that Cookies with toURL yields the
-// cookies in want.
-// (Query n done at tNow + (n+2)*1001 ms.)
+// 1. Perform SetCookies with fromURL and the cookies from setCookies.
+// (Done at time tNow + 0 ms.)
+// 2. Check that the entries in the jar matches content.
+// (Done at time tNow + 1001 ms.)
+// 3. For each query in tests: Check that Cookies with toURL yields the
+// cookies in want.
+// (Query n done at tNow + (n+2)*1001 ms.)
 type jarTest struct {
 description string // The description of what this test is supposed to test
 fromURL string // The full URL of the request from which Set-Cookie headers where received
diff --git a/pkg/provider/auth0/auth0.go b/pkg/provider/auth0/auth0.go
index d67266c7e..385a5476d 100644
--- a/pkg/provider/auth0/auth0.go
+++ b/pkg/provider/auth0/auth0.go
@@ -86,7 +86,7 @@ type sessionInfo struct {
 csrf string
 }
-//authCallbackRequest represents Auth0 authentication callback request
+// authCallbackRequest represents Auth0 authentication callback request
 type authCallbackRequest struct {
 method string
 url string
diff --git a/pkg/provider/f5apm/f5apm.go b/pkg/provider/f5apm/f5apm.go
index a57a69555..cb03c5034 100644
--- a/pkg/provider/f5apm/f5apm.go
+++ b/pkg/provider/f5apm/f5apm.go
@@ -24,7 +24,7 @@ import (
 var logger = logrus.WithField("provider", "f5apm")
-//Client client for F5 APM
+// Client client for F5 APM
 type Client struct {
 provider.ValidateBase
diff --git a/saml.go b/saml.go
index 001e01c9a..282aedd86 100644
--- a/saml.go
+++ b/saml.go
@@ -16,15 +16,15 @@ const (
 responseTag = "Response"
 )
-//ErrMissingElement is the error type that indicates an element and/or attribute is
-//missing. It provides a structured error that can be more appropriately acted
-//upon.
+// ErrMissingElement is the error type that indicates an element and/or attribute is
+// missing. It provides a structured error that can be more appropriately acted
+// upon.
 type ErrMissingElement struct {
 Tag, Attribute string
 }
-//ErrMissingAssertion indicates that an appropriate assertion element could not
-//be found in the SAML Response
+// ErrMissingAssertion indicates that an appropriate assertion element could not
+// be found in the SAML Response
 var (
 ErrMissingAssertion = ErrMissingElement{Tag: assertionTag}
 )
From 03bc092bc12e8b52b5a165372b6a09faaeb20715 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Feb 2023 22:40:51 +0000
Subject: [PATCH 070/296] Bump github.com/tidwall/gjson from 1.14.1 to 1.14.4
Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.14.1 to 1.14.4.
- [Release notes](https://github.com/tidwall/gjson/releases)
- [Commits](https://github.com/tidwall/gjson/compare/v1.14.1...v1.14.4)
---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 12b788a3d..ee719f705 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/sirupsen/logrus v1.9.0
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 github.com/stretchr/testify v1.7.1
- github.com/tidwall/gjson v1.13.0
+ github.com/tidwall/gjson v1.14.4
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 gopkg.in/ini.v1 v1.66.6
 )
diff --git a/go.sum b/go.sum
index 7470f8040..89673f6a4 100644
--- a/go.sum
+++ b/go.sum
@@ -166,8 +166,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/tidwall/gjson v1.13.0 h1:3TFY9yxOQShrvmjdM76K+jc66zJeT6D3/VFFYCGQf7M= -github.com/tidwall/gjson v1.13.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= +github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= From 3adcd871f4e54e9608c499aebd5175fc11432f94 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Feb 2023 20:58:19 +0000 Subject: [PATCH 071/296] Bump github.com/aws/aws-sdk-go from 1.44.59 to 1.44.205 Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.59 to 1.44.205. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.59...v1.44.205) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 12 ++++++------ go.sum | 36 ++++++++++++++++++++++++------------ 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index 12b788a3d..fae625fc9 100644 --- a/go.mod +++ b/go.mod 
@@ -9,7 +9,7 @@ require (
 github.com/PuerkitoBio/goquery v1.8.0
 github.com/alecthomas/kingpin v2.2.6+incompatible
 github.com/avast/retry-go v3.0.0+incompatible
- github.com/aws/aws-sdk-go v1.44.59
+ github.com/aws/aws-sdk-go v1.44.205
 github.com/beevik/etree v1.1.0
 github.com/danieljoos/wincred v1.1.2
 github.com/google/uuid v1.3.0
@@ -22,7 +22,7 @@ require (
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 github.com/stretchr/testify v1.7.1
 github.com/tidwall/gjson v1.13.0
- golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
+ golang.org/x/net v0.1.0
 gopkg.in/ini.v1 v1.66.6
 )
@@ -48,10 +48,10 @@ require (
 github.com/stretchr/objx v0.4.0 // indirect
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.0 // indirect
- golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect
- golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.7 // indirect
+ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+ golang.org/x/sys v0.1.0 // indirect
+ golang.org/x/term v0.1.0 // indirect
+ golang.org/x/text v0.4.0 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 7470f8040..06bfd058d 100644
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEq github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0= github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY= -github.com/aws/aws-sdk-go v1.44.59 h1:bkdnNsMvMhFmNLqKDAJ6rKR+S0hjOt/3AIJp2mxOK9o= -github.com/aws/aws-sdk-go v1.44.59/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.44.205 h1:q23NJXgLPIuBMn4zaluWWz57HPP5z7Ut8ZtK1D3N9bs= +github.com/aws/aws-sdk-go v1.44.205/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/bearsh/hid v1.3.0 h1:GLNa8hvEzJxzQEEpheDUr2SivvH7iwTrJrDhFKutfX8= github.com/bearsh/hid v1.3.0/go.mod h1:KbQByg8WfPr92v7aaKAHTtZUEVG7e2XRpcF8+TopQv8= github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs= 
@@ -176,59 +176,71 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+vQXfpEPiMdCaZgmGVxjNHM= -golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= From fb6836febb9794e7d328e9df99d945ec7dc83f65 Mon Sep 17 00:00:00 2001 From: Jared Szechy Date: Tue, 21 Feb 2023 09:16:33 -0500 Subject: [PATCH 072/296] linting --- pkg/provider/okta/okta.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go index dd6f28eae..d472ce42e 100644 --- a/pkg/provider/okta/okta.go +++ b/pkg/provider/okta/okta.go @@ -598,13 +598,13 @@ func getStateTokenFromOktaPageBody(responseBody string) (string, error) { return strings.Replace(match[1], `\x2D`, "-", -1), nil } -func parseMfaIdentifer(json string, arrayPosition int) (string, string){ +func parseMfaIdentifer(json string, arrayPosition int) (string, string) { mfaProvider := gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.provider", arrayPosition)).String() factorType := strings.ToUpper(gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.factorType", arrayPosition)).String()) // Okta gives names to some authentication methods // displaying this name is useful when there's multiple auths of the same type. e.g. multiple FIDO options authName := gjson.Get(json, fmt.Sprintf("_embedded.factors.%d.profile.authenticatorName", arrayPosition)).String() - return fmt.Sprintf("%s %s", mfaProvider, factorType), fmt.Sprintf("%s", authName) + return fmt.Sprintf("%s %s", mfaProvider, factorType), authName } func (oc *Client) handleFormRedirect(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) { 
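Review bot: `parseMfaIdentifer` is touched by this lint pass but keeps its misspelled name (`Identifer`), a parameter named `json` that shadows the `encoding/json` package identifier if okta.go imports it (the import block is not in this hunk), and no doc comment. I would rename the parameter to `body` and document the function as `// parseMfaIdentifier returns "<provider> <FACTORTYPE>" for the factor at arrayPosition in the Okta response's _embedded.factors array, plus that factor's profile.authenticatorName (empty when absent).`; renaming the function itself means touching its callers outside this hunk. For consistency with the linter's own `authName` change, `fmt.Sprintf("%s %s", mfaProvider, factorType)` can become `mfaProvider + " " + factorType`. All three values are read straight from the IdP's JSON and, per the `verifyMfa` hunk later in this commit, are concatenated into the option list presented to the user, so they are displayed verbatim — presumably acceptable for a trusted Okta tenant, but worth stating in the comment. `handleFormRedirect` starts on the hunk's last line and continues outside it.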
@@ -733,7 +733,7 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails,
 // If the authentication method as a name, we add it to the MFA option.
 // This makes it possible to identify which method to choose
 if len(authName) > 0 {
- mfaOptions = append(mfaOptions, val + " - " + authName)
+ mfaOptions = append(mfaOptions, val+" - "+authName)
 } else {
 mfaOptions = append(mfaOptions, val)
 }
From d347d029c10b1d7764e40077e09d49cb25cb77f7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 23 Feb 2023 08:39:50 +0000
Subject: [PATCH 073/296] Bump golang.org/x/text from 0.3.7 to 0.3.8
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.3.7...v0.3.8)
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 go.mod | 4 ++--
 go.sum | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 12b788a3d..068d61a44 100644
--- a/go.mod
+++ b/go.mod
@@ -49,9 +49,9 @@ require (
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.0 // indirect
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect
- golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.7 // indirect
+ golang.org/x/text v0.3.8 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 7470f8040..259efdcd9 100644
--- a/go.sum
+++ b/go.sum
@@ -213,8 +213,9 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= 
@@ -222,8 +223,9 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 0ee4082a1bdabeb8505b858a9f05599212326c32 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 25 Feb 2023 01:58:13 +0000 Subject: [PATCH 074/296] Bump golang.org/x/crypto from 0.0.0-20200323165209-0ec3e9974c59 to 0.1.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20200323165209-0ec3e9974c59 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go.mod | 10 +++++----- go.sum | 18 ++++++++++-------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index 12b788a3d..0147cb1ed 100644 --- a/go.mod +++ b/go.mod 
@@ -22,7 +22,7 @@ require (
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 github.com/stretchr/testify v1.7.1
 github.com/tidwall/gjson v1.13.0
- golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
+ golang.org/x/net v0.1.0
 gopkg.in/ini.v1 v1.66.6
 )
@@ -48,10 +48,10 @@ require (
 github.com/stretchr/objx v0.4.0 // indirect
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.0 // indirect
- golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 // indirect
- golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
- golang.org/x/text v0.3.7 // indirect
+ golang.org/x/crypto v0.1.0 // indirect
+ golang.org/x/sys v0.1.0 // indirect
+ golang.org/x/term v0.1.0 // indirect
+ golang.org/x/text v0.4.0 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 7470f8040..bc605aaa4 100644
--- a/go.sum
+++ b/go.sum
@@ -182,19 +182,19 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+vQXfpEPiMdCaZgmGVxjNHM= -golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.1.0 
h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -205,7 +205,6 @@ golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -213,17 +212,20 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 08a0a70fb1afc96211317560245c783fbe7d24aa Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 9 Feb 2023 08:59:01 +0800 Subject: [PATCH 075/296] feat: update goreleaser config for linux builds to support U2F We need the hidraw tag and to enable CGO for linux builds. This is a requirement of the go-u2fhost dependency. See https://github.com/marshallbrekka/go-u2fhost#linux for details. Building with hidraw support also requires libudev headers. i.e. sudo apt install libudev-dev This change also updates the github workflows to build on ubuntu-latest for CGO support on Linux. --- .github/workflows/go.yml | 3 +++ .github/workflows/release.yml | 7 +++++-- .goreleaser.yml | 8 ++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 024ac5ec9..5a106d66e 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -61,6 +61,9 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@v2 + - name: Install dependency required for linux builds + run: sudo apt-get update && sudo apt-get install -y libudev-dev + - name: GoReleaser uses: goreleaser/goreleaser-action@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be7f776f2..a114c8f71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,12 +3,12 @@ name: release on: push: tags: - - '*' + - '*' jobs: release: name: release - runs-on: macOS-latest + runs-on: ubuntu-latest steps: - name: Set up Go 1.x 
@@ -19,6 +19,9 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@v2 + - name: Install dependency required for linux builds + run: sudo apt-get update && sudo apt-get install -y libudev-dev + - name: GoReleaser uses: goreleaser/goreleaser-action@v2 with: diff --git a/.goreleaser.yml b/.goreleaser.yml index 393f7c395..488869598 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -17,6 +17,14 @@ builds: - amd64 - arm64 - arm + overrides: + - goos: linux + goarch: amd64 + goamd64: v1 + tags: + - hidraw + env: + - CGO_ENABLED=1 archives: - format: tar.gz wrap_in_directory: false From 05476c11a4c3de7bde029b10ad7c279a0b68de29 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 9 Feb 2023 09:57:24 +0800 Subject: [PATCH 076/296] chore: update build documentation --- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/README.md b/README.md index 2a7de25f5..b5d47ca2a 100644 --- a/README.md +++ b/README.md @@ -633,6 +633,8 @@ region = us-east-1 ``` ## Building +### macOS + To build this software on osx clone to the repo to `$GOPATH/src/github.com/versent/saml2aws` and ensure you have `$GOPATH/bin` in your `$PATH`. ``` @@ -657,6 +659,26 @@ Before raising a PR please run the linter. make lint-fix ``` +### Linux + +To build this software on Debian/Ubuntu, you need to install a build dependency: + +``` +sudo apt install libudev-dev +``` + +You also need [GoReleaser](https://github.com/goreleaser/goreleaser) installed, and the binary (or a symlink) in `bin/goreleaser`. + +``` +ln -s $(command -v goreleaser) bin/goreleaser +``` + +Then you can build: + +``` +make build +``` + ## Environment vars The exec sub command will export the following environment variables. From ca58526c71fab2f735581762c59e75f869d6ad66 Mon Sep 17 00:00:00 2001 
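Review bot: The `overrides:` entry added under `builds:` matches only `goos: linux` with `goarch: amd64`, while the build's `goarch` list in the same hunk also contains `arm64` and `arm`; those Linux artifacts are still compiled with CGO disabled and without the `hidraw` tag, so the U2F support this commit is enabling will be silently absent from them. If that is not intended, add parallel override entries for `goarch: arm64` and `goarch: arm` (cross-compiling them with CGO needs a matching cross toolchain and libudev headers, so they may need their own build job), or state in the config that U2F is amd64-only on Linux. A comment next to `CGO_ENABLED=1` would also spare the next maintainer a surprise, e.g. `# hidraw + CGO pull in libudev; the linux/amd64 binary is presumably no longer static and needs libudev at runtime`.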
From: Mark Gerard Date: Wed, 1 Mar 2023 08:57:49 +1000 Subject: [PATCH 077/296] Revert the release build to use macos-latest - This functionality was broken in #951 - Since we are using OSX toolchain, we need macos-X to build Co-authored-by: Mark Wolfe --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a114c8f71..56c60fb99 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ on: jobs: release: name: release - runs-on: ubuntu-latest + runs-on: macos-latest steps: - name: Set up Go 1.x From 196f8be04d2a61d2a67ba8fdb9a3147feab4eb9b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Mar 2023 01:38:11 +0000 Subject: [PATCH 078/296] Bump golang.org/x/net from 0.0.0-20220127200216-cd36cc0744dd to 0.7.0 Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220127200216-cd36cc0744dd to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 7130fa5bf..606e57665 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/stretchr/testify v1.7.1 github.com/tidwall/gjson v1.14.4 - golang.org/x/net v0.1.0 + golang.org/x/net v0.7.0 gopkg.in/ini.v1 v1.66.6 ) 
@@ -49,9 +49,9 @@ require ( github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.0 // indirect golang.org/x/crypto v0.1.0 // indirect - golang.org/x/sys v0.1.0 // indirect - golang.org/x/term v0.1.0 // indirect - golang.org/x/text v0.4.0 // indirect + golang.org/x/sys v0.5.0 // indirect + golang.org/x/term v0.5.0 // indirect + golang.org/x/text v0.7.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index ea637df26..7d432b40c 100644 --- a/go.sum +++ b/go.sum @@ -193,8 +193,8 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -213,19 +213,19 @@ golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From 84a56e0f481116123fa6fb88f406993f4d75a3e9 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 9 Feb 2023 08:59:01 +0800 Subject: [PATCH 079/296] feat: split goreleaser config for macOS and linux builds This split is required because the hidraw tag and CGO is required for linux builds. This is a requirement of the go-u2fhost dependency. See https://github.com/marshallbrekka/go-u2fhost#linux for details. Similarly, macOS binaries must be built on macOS. This change also updates the github workflows to support the new split goreleaser config. --- .github/workflows/go.yml | 10 ++++-- .github/workflows/release.yml | 13 ++++++-- .goreleaser.macos-latest.yml | 32 +++++++++++++++++++ ...easer.yml => .goreleaser.ubuntu-latest.yml | 1 - 4 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 .goreleaser.macos-latest.yml rename .goreleaser.yml => .goreleaser.ubuntu-latest.yml (97%) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 5a106d66e..38aad7c90 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -50,7 +50,12 @@ jobs: release-build: name: release-build - runs-on: ubuntu-latest + strategy: + matrix: + os: + - ubuntu-latest + - macos-latest + runs-on: ${{ matrix.os }} steps: - name: Set up Go 1.x @@ -62,10 +67,11 @@ jobs: uses: actions/checkout@v2 - name: Install dependency required for linux builds + if: matrix.os == 'ubuntu-latest' run: sudo apt-get update && sudo apt-get install -y libudev-dev - name: GoReleaser uses: goreleaser/goreleaser-action@v2 with: version: latest - args: build --snapshot --rm-dist + args: build --snapshot --rm-dist --config .goreleaser.${{ matrix.os }}.yml 
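Review bot: The new `args: build --snapshot --rm-dist --config .goreleaser.${{ matrix.os }}.yml` couples the goreleaser config file names to GitHub runner labels, so bumping `runs-on` to a pinned image such as `ubuntu-22.04` or `macos-13` would silently point at a config that does not exist. An explicit matrix key keeps them independent, e.g. `include: [{os: ubuntu-latest, config: .goreleaser.ubuntu-latest.yml}, {os: macos-latest, config: .goreleaser.macos-latest.yml}]` with `--config ${{ matrix.config }}`; the `if: matrix.os == 'ubuntu-latest'` on the apt step has the same coupling and could key off a matrix flag instead. Since this job now builds the release-candidate binaries on two runners, the `version: latest` on goreleaser-action (a context line here) is also worth pinning to a fixed release so both legs use the same goreleaser.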
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56c60fb99..976d489d9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,15 @@ on: jobs: release: name: release - runs-on: macos-latest + strategy: + # the goreleaser and the Github release API doesn't handle concurrent + # access well, so run goreleaser serially + max-parallel: 1 + matrix: + os: + - ubuntu-latest + - macos-latest + runs-on: ${{ matrix.os }} steps: - name: Set up Go 1.x @@ -20,12 +28,13 @@ jobs: uses: actions/checkout@v2 - name: Install dependency required for linux builds + if: matrix.os == 'ubuntu-latest' run: sudo apt-get update && sudo apt-get install -y libudev-dev - name: GoReleaser uses: goreleaser/goreleaser-action@v2 with: version: latest - args: release --rm-dist + args: release --rm-dist --config .goreleaser.${{ matrix.os }}.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.goreleaser.macos-latest.yml b/.goreleaser.macos-latest.yml new file mode 100644 index 000000000..874b3cca4 --- /dev/null +++ b/.goreleaser.macos-latest.yml @@ -0,0 +1,32 @@ +--- +project_name: saml2aws + +builds: +- main: ./cmd/saml2aws/main.go + binary: saml2aws + flags: + - -trimpath + - -v + ldflags: + - -s -w -X main.Version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} + goos: + - darwin + goarch: + - amd64 + - arm64 + - arm + overrides: + - goos: linux + goarch: amd64 + goamd64: v1 + tags: + - hidraw + env: + - CGO_ENABLED=1 +archives: + - format: tar.gz + wrap_in_directory: false + # remove README and LICENSE + files: + - LICENSE.md + - README.md diff --git a/.goreleaser.yml b/.goreleaser.ubuntu-latest.yml similarity index 97% rename from .goreleaser.yml rename to .goreleaser.ubuntu-latest.yml index 488869598..1caecf6ac 100644 --- a/.goreleaser.yml +++ b/.goreleaser.ubuntu-latest.yml 
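Review bot: With `goreleaser release` now running twice for the same tag (once per matrix leg, serialized by `max-parallel: 1`), the second leg must attach its archives to a release the first leg already created; whether that works depends on goreleaser's `release.mode` (I believe the default `keep-existing` uploads into the existing release, while `replace` would discard the first leg's assets and notes — verify against the goreleaser version actually used), so pin the intended behaviour in both configs with `release:` / `  mode: keep-existing`. The job also still runs with the repository-default `GITHUB_TOKEN` scope; it only needs to create a release and upload assets, so a job-level `permissions:` / `  contents: write` (and `permissions: {}` at the workflow top) limits what a compromised build step could do with the token. The `GITHUB_TOKEN` env line itself is context from the previous version, not new code.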
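Review bot: The new `.goreleaser.macos-latest.yml` carries an `overrides:` block for `goos: linux` / `goarch: amd64` although its `goos` list contains only `darwin`, so the block can never match and only invites confusion about whether macOS builds use CGO; drop it, or replace it with `# no overrides: darwin builds use the default toolchain`. In the same file the comment `# remove README and LICENSE` sits above a `files:` list that explicitly includes `LICENSE.md` and `README.md`, i.e. it says the opposite of what the config does — it was copied from the Linux file and should read `# ship LICENSE and README alongside the binary` or be deleted. `goarch: arm` under `goos: darwin` is also not a valid target on any modern toolchain (darwin/arm, 32-bit iOS, was removed in Go 1.15); goreleaser will presumably warn and skip it, but removing it keeps the target list honest.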
@@ -11,7 +11,6 @@ builds: - -s -w -X main.Version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} goos: - windows - - darwin - linux goarch: - amd64 From f5a1c4bbed5a5b3f62d561b57babf0e66674f968 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 1 Mar 2023 09:48:37 +0800 Subject: [PATCH 080/296] fix: update Makefile for new goreleaser config files --- Makefile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3dac85ed8..5bcf4a70b 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,6 @@ NAME=saml2aws ARCH=$(shell uname -m) +OS=$(shell uname) VERSION=2.28.0 ITERATION := 1 @@ -36,7 +37,13 @@ install: .PHONY: mod build: $(BIN_DIR)/goreleaser - $(BIN_DIR)/goreleaser build --snapshot --rm-dist +ifeq ($(OS),Darwin) + $(BIN_DIR)/goreleaser build --snapshot --rm-dist --config $(CURDIR)/.goreleaser.macos-latest.yml +else ifeq ($(OS),Linux) + $(BIN_DIR)/goreleaser build --snapshot --rm-dist --config $(CURDIR)/.goreleaser.ubuntu-latest.yml +else + $(error Unsupported build OS: $(OS)) +endif .PHONY: build clean: From bbe8a018bc0aa1af50bd794505848b19c48ae384 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Mar 2023 03:55:46 +0000 Subject: [PATCH 081/296] Bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 Bumps [gopkg.in/ini.v1](https://github.com/go-ini/ini) from 1.66.6 to 1.67.0. - [Release notes](https://github.com/go-ini/ini/releases) - [Commits](https://github.com/go-ini/ini/compare/v1.66.6...v1.67.0) --- updated-dependencies: - dependency-name: gopkg.in/ini.v1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index bee99e15d..2e0c4a95e 100644 --- a/go.mod +++ b/go.mod 
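Review bot: The two `ifeq` branches in the `build` recipe duplicate the entire goreleaser command line and differ only in the config path, so every future flag change (newer goreleaser releases already deprecate `--rm-dist` in favour of `--clean`) has to be made twice. Assign `GORELEASER_CONFIG := .goreleaser.macos-latest.yml` / `.goreleaser.ubuntu-latest.yml` inside the existing `ifeq ($(OS),Darwin)` / `else ifeq ($(OS),Linux)` branches, keep `$(error Unsupported build OS: $(OS))` in the fallthrough, and leave a single recipe line `$(BIN_DIR)/goreleaser build --snapshot --rm-dist --config $(CURDIR)/$(GORELEASER_CONFIG)`. A one-line comment above the conditional, `# config is selected per host OS: per the preceding revert, darwin binaries must be built on macOS`, would record why the split exists at all.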
@@ -23,7 +23,7 @@ require ( github.com/stretchr/testify v1.7.1 github.com/tidwall/gjson v1.14.4 golang.org/x/net v0.7.0 - gopkg.in/ini.v1 v1.66.6 + gopkg.in/ini.v1 v1.67.0 ) require ( diff --git a/go.sum b/go.sum index f84cbd748..6906893a4 100644 --- a/go.sum +++ b/go.sum @@ -183,6 +183,7 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -196,7 +197,8 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -217,18 +219,23 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0 
h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -248,8 +255,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI= -gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= From 86b22ab45f33dd4316bb2456bd73dbe4545f3176 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 3 Mar 2023 12:19:38 +0800 Subject: [PATCH 082/296] fix: use OS-specific checksum files --- .goreleaser.macos-latest.yml | 2 ++ .goreleaser.ubuntu-latest.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.goreleaser.macos-latest.yml b/.goreleaser.macos-latest.yml index 874b3cca4..cbbb1d0fc 100644 --- a/.goreleaser.macos-latest.yml +++ b/.goreleaser.macos-latest.yml @@ -30,3 +30,5 @@ archives: files: - LICENSE.md - README.md +checksum: + name_template: "{{ .ProjectName }}_{{ .Version }}_darwin_checksums.txt" diff --git a/.goreleaser.ubuntu-latest.yml b/.goreleaser.ubuntu-latest.yml index 1caecf6ac..cd396e081 100644 --- a/.goreleaser.ubuntu-latest.yml 
+++ b/.goreleaser.ubuntu-latest.yml @@ -34,3 +34,5 @@ archives: files: - LICENSE.md - README.md +checksum: + name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt" From 7b7088b971677ae768468ab08195f4b9f48ca0e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Fri, 3 Mar 2023 20:31:47 -0500 Subject: [PATCH 083/296] Bump golangci-lint to v1.51.2 --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 38aad7c90..6ca9a053b 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -46,7 +46,7 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@v2 with: - version: v1.45.2 + version: v1.51.2 release-build: name: release-build From 7caed04504ff2940591b74690879a75b29254e5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Fri, 3 Mar 2023 20:42:57 -0500 Subject: [PATCH 084/296] Add GHA to dependabot config --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1bb13ea22..1e0337155 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,9 @@ updates: interval: "weekly" labels: - "type: dependencies" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + labels: + - "type: dependencies" From c0ae40a7beb0e3d1139d5ef2c2baf4a6e530f0c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?= Date: Fri, 3 Mar 2023 21:39:20 -0500 Subject: [PATCH 085/296] Replace deprecated ioutil MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
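Review bot: The `checksum:` stanza gives the Linux/Windows leg the un-suffixed `{{ .ProjectName }}_{{ .Version }}_checksums.txt` while the darwin leg (previous hunk) gets `_darwin_checksums.txt`; that stops the two legs overwriting each other's file, but leaves an asymmetric naming scheme and no single manifest, so either name this one `_linux_windows_checksums.txt` or add a comment that the plain name is kept for compatibility with existing download scripts. More importantly, a checksum file uploaded by the same job that uploads the binaries only detects corruption, not substitution: anyone who can run this workflow or edit the release can regenerate both. A `signs:` stanza (cosign keyless, or a GPG key held in a repository secret) would give users a signature on the checksum files that can be verified independently of the GitHub release page.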
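Review bot: The new `github-actions` ecosystem entry only yields meaningful updates if the workflows reference actions by something dependabot can advance; the workflows touched earlier in this series use floating major tags (`actions/checkout@v2`, `goreleaser/goreleaser-action@v2`), which the tag owner can move at any time, so the bumps here will be coarse and the supply-chain exposure stays. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v3.3.0`; dependabot's github-actions updater understands that form and keeps both the SHA and the comment current. This is a caveat on how much the new entry buys, not a problem with the entry itself.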
Signed-off-by: Gábor Lipták --- aws_account.go | 4 +-- aws_account_test.go | 4 +-- cmd/saml2aws/commands/console.go | 4 +-- cmd/saml2aws/main.go | 6 ++--- pkg/awsconfig/awsconfig.go | 3 +-- pkg/page/form_test.go | 4 +-- pkg/provider/aad/aad.go | 9 +++---- pkg/provider/adfs2/ntlm.go | 4 +-- pkg/provider/adfs2/rsa.go | 4 +-- pkg/provider/adfs2/rsa_test.go | 5 ++-- pkg/provider/akamai/akamai.go | 26 +++++++++--------- pkg/provider/auth0/auth0.go | 10 +++---- pkg/provider/f5apm/f5apm.go | 6 ++--- pkg/provider/f5apm/f5apm_test.go | 10 +++---- pkg/provider/googleapps/googleapps_test.go | 6 ++--- pkg/provider/jumpcloud/jumpcloud.go | 20 +++++++------- pkg/provider/jumpcloud/jumpcloud_protect.go | 3 +-- pkg/provider/keycloak/keycloak.go | 4 +-- pkg/provider/keycloak/keycloak_test.go | 28 +++++++++---------- pkg/provider/netiq/netiq_test.go | 30 ++++++++++----------- pkg/provider/okta/okta.go | 28 +++++++++---------- pkg/provider/onelogin/onelogin.go | 12 ++++----- pkg/provider/pingfed/pingfed.go | 4 +-- pkg/provider/pingfed/pingfed_test.go | 21 ++++++++------- pkg/provider/pingone/pingone.go | 4 +-- pkg/provider/pingone/pingone_test.go | 4 +-- pkg/provider/shibboleth/shibboleth.go | 14 +++++----- pkg/provider/shibbolethecp/shibbolethecp.go | 5 ++-- pkg/samlcache/samlcache.go | 7 +++-- pkg/samlcache/samlcache_test.go | 5 ++-- saml_test.go | 14 +++++----- 31 files changed, 151 insertions(+), 157 deletions(-) diff --git a/aws_account.go b/aws_account.go index bdf7e83d6..ff28c3abf 100644 --- a/aws_account.go +++ b/aws_account.go @@ -3,7 +3,7 @@ package saml2aws import ( "bytes" "fmt" - "io/ioutil" + "io" "net/http" "net/url" @@ -24,7 +24,7 @@ func ParseAWSAccounts(audience string, samlAssertion string) ([]*AWSAccount, err return nil, errors.Wrap(err, "error retrieving AWS login form") } - data, err := ioutil.ReadAll(res.Body) + data, err := io.ReadAll(res.Body) if err != nil { return nil, errors.Wrap(err, "error retrieving AWS login body") } 
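Review bot: `data, err := io.ReadAll(res.Body)` in ParseAWSAccounts still reads the entire AWS sign-in response into memory with no upper bound, and the mechanical `ioutil`→`io` swap is a cheap moment to cap it, e.g. `data, err := io.ReadAll(io.LimitReader(res.Body, 10<<20))` with a limit comfortably above the size of the login form (presumably well under a megabyte; confirm against a real response). The body comes from the AWS endpoint the tool just posted the assertion to, so the realistic failure is a misbehaving proxy or captive portal rather than a hostile server, but an unbounded read is still the wrong default in a credential tool. The rest of ParseAWSAccounts, including where `res` is obtained, lies outside this hunk.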
diff --git a/aws_account_test.go b/aws_account_test.go index 9ea4ec11c..b5c86c43b 100644 --- a/aws_account_test.go +++ b/aws_account_test.go @@ -1,14 +1,14 @@ package saml2aws import ( - "io/ioutil" + "os" "testing" "github.com/stretchr/testify/assert" ) func TestExtractAWSAccounts(t *testing.T) { - data, err := ioutil.ReadFile("testdata/saml.html") + data, err := os.ReadFile("testdata/saml.html") assert.Nil(t, err) accounts, err := ExtractAWSAccounts(data) diff --git a/cmd/saml2aws/commands/console.go b/cmd/saml2aws/commands/console.go index cf11bf0d3..70e1f20d6 100644 --- a/cmd/saml2aws/commands/console.go +++ b/cmd/saml2aws/commands/console.go @@ -3,7 +3,7 @@ package commands import ( "encoding/json" "fmt" - "io/ioutil" + "io" "log" "net/http" "net/url" @@ -136,7 +136,7 @@ func federatedLogin(creds *awsconfig.AWSCredentials, consoleFlags *flags.Console } defer resp.Body.Close() - body, err := ioutil.ReadAll(resp.Body) + body, err := io.ReadAll(resp.Body) if err != nil { return err } diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go index 8bb042448..ccb3f4d3f 100644 --- a/cmd/saml2aws/main.go +++ b/cmd/saml2aws/main.go @@ -2,7 +2,7 @@ package main import ( "crypto/tls" - "io/ioutil" + "io" "log" "net/http" "os" @@ -172,8 +172,8 @@ func main() { } if *quiet { - log.SetOutput(ioutil.Discard) - logrus.SetOutput(ioutil.Discard) + log.SetOutput(io.Discard) + logrus.SetOutput(io.Discard) } // Set the default transport settings so all http clients will pick them up. diff --git a/pkg/awsconfig/awsconfig.go b/pkg/awsconfig/awsconfig.go index 4d7317b19..b1bfef9dc 100644 --- a/pkg/awsconfig/awsconfig.go +++ b/pkg/awsconfig/awsconfig.go @@ -1,7 +1,6 @@ package awsconfig import ( - "io/ioutil" "os" "path" "path/filepath" 
@@ -143,7 +142,7 @@ func (p *CredentialsProvider) ensureConfigExists() error { logger.WithField("dir", dir).Debug("Dir created") // create an base config file - err = ioutil.WriteFile(filename, []byte("["+p.Profile+"]"), 0600) + err = os.WriteFile(filename, []byte("["+p.Profile+"]"), 0600) if err != nil { return err } diff --git a/pkg/page/form_test.go b/pkg/page/form_test.go index 8b0656edc..00bfcdf3a 100644 --- a/pkg/page/form_test.go +++ b/pkg/page/form_test.go @@ -2,8 +2,8 @@ package page import ( "bytes" - "io/ioutil" "net/url" + "os" "testing" "github.com/PuerkitoBio/goquery" @@ -11,7 +11,7 @@ import ( ) func TestNewFormFromDocument(t *testing.T) { - data, err := ioutil.ReadFile("example/multi-form.html") + data, err := os.ReadFile("example/multi-form.html") require.Nil(t, err) doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data)) diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go index 6fdaa652d..84ea17a9a 100644 --- a/pkg/provider/aad/aad.go +++ b/pkg/provider/aad/aad.go @@ -6,7 +6,6 @@ import ( "encoding/json" "fmt" "io" - "io/ioutil" "log" "net/http" "net/url" @@ -764,7 +763,7 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) } // get saml assertion - oidcResponse, err := ioutil.ReadAll(res.Body) + oidcResponse, err := io.ReadAll(res.Body) if err != nil { return samlAssertion, errors.Wrap(err, "oidc login response error") } @@ -1122,10 +1121,10 @@ func (ac *Client) processMfaAuth(mfaResp mfaResponse, loginPasswordResp password } // data is embeded javascript object // + + + + diff --git a/pkg/provider/aad/testdata/LoginEmbeddedJsonNoLineBreak.html b/pkg/provider/aad/testdata/LoginEmbeddedJsonNoLineBreak.html new file mode 100644 index 000000000..6b6795d05 --- /dev/null +++ b/pkg/provider/aad/testdata/LoginEmbeddedJsonNoLineBreak.html @@ -0,0 +1,12 @@ + + + + + + + From 49cc43f7f00d95a7df2df18e3cc9702ce6375c9a Mon Sep 17 00:00:00 2001 
From: Sergei Kasatkin <490653+kstkn@users.noreply.github.com> Date: Thu, 23 Mar 2023 10:44:28 +0100 Subject: [PATCH 123/296] Fix the fixture file names --- pkg/provider/aad/testdata/LoginEmbeddedJsonLineBreak.html | 3 ++- pkg/provider/aad/testdata/LoginEmbeddedJsonNoLineBreak.html | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/provider/aad/testdata/LoginEmbeddedJsonLineBreak.html b/pkg/provider/aad/testdata/LoginEmbeddedJsonLineBreak.html index b617f1f6e..6b6795d05 100644 --- a/pkg/provider/aad/testdata/LoginEmbeddedJsonLineBreak.html +++ b/pkg/provider/aad/testdata/LoginEmbeddedJsonLineBreak.html @@ -1,7 +1,8 @@ + $Config={"name": "value&with ampersand"}; + //]]> + $Config={"name": "value&with ampersand"};//]]> + + + + From 92c3a10d738fb86bc024b5d1cdbb6696d0d00095 Mon Sep 17 00:00:00 2001 From: Sergei Kasatkin <490653+kstkn@users.noreply.github.com> Date: Thu, 23 Mar 2023 11:20:38 +0100 Subject: [PATCH 127/296] Fix the test fixture to be actually useful --- pkg/provider/aad/testdata/LoginEmbeddedJsonExtraJavascript.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/provider/aad/testdata/LoginEmbeddedJsonExtraJavascript.html b/pkg/provider/aad/testdata/LoginEmbeddedJsonExtraJavascript.html index 2ab2ead62..c3c6f5775 100644 --- a/pkg/provider/aad/testdata/LoginEmbeddedJsonExtraJavascript.html +++ b/pkg/provider/aad/testdata/LoginEmbeddedJsonExtraJavascript.html @@ -1,7 +1,7 @@ + + + + +