UI and testing enhancements.

.github/workflows/build_nix.yml

@@ -7,6 +7,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Install git
+        run: sudo apt-get -y install git
       - uses: actions/checkout@v3
       - uses: cachix/install-nix-action@v17
         with:

.github/workflows/cicd.yml

@@ -14,14 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.6, 3.7, 3.8, 3.9 ]
+        python-version: [ 3.7, 3.8, 3.9, 3.x ]
 
     steps:
       - uses: actions/checkout@v2
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Install git
+        run: sudo apt-get -y install git
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip

Dockerfile

@@ -1,16 +1,18 @@
-FROM python:3.8-alpine
+FROM python:3.10-alpine
 
 WORKDIR /opt/gimme-aws-creds
 
 COPY . .
 
 RUN apk --update add libgcc
 
-ENV PACKAGES="gcc musl-dev python3-dev libffi-dev openssl-dev cargo"
+ENV PACKAGES="gcc musl-dev python3-dev libffi-dev openssl-dev cargo git"
 
-RUN apk --update add $PACKAGES \
-    && pip install --upgrade pip setuptools-rust \
-    && python setup.py install \
-    && apk del --purge $PACKAGES
+RUN apk --update add $PACKAGES
+RUN pip install --upgrade pip setuptools-rust
+RUN pip install .
+RUN pip install -r requirements_dev.txt
+RUN pytest tests
+RUN apk del --purge $PACKAGES
 
 ENTRYPOINT ["/usr/local/bin/gimme-aws-creds"]

Makefile

@@ -5,4 +5,6 @@ docker-build:
 	docker build -t gimme-aws-creds .
 
 test: docker-build
-	nosetests -vv tests
+
+local_test:
+	pytest -v tests

README.md

@@ -169,7 +169,7 @@ A configuration wizard will prompt you to enter the necessary configuration para
 - aws_default_duration = This is optional. Lifetime for temporary credentials, in seconds. Defaults to 1 hour (3600)
 - app_url - If using 'appurl' setting for gimme_creds_server, this sets the url to the aws application configured in Okta. It is typically something like <https://something.okta[preview].com/home/amazon_aws/app_instance_id/something>
 - okta_username - use this username to authenticate
-- preferred_mfa_type - automatically select a particular  device when prompted for MFA:
+- preferred_mfa_type - automatically select a particular device when prompted for MFA:
   - push - Okta Verify App push or DUO push (depends on okta supplied provider type)
   - token:software:totp - OTP using the Okta Verify App
   - token:hardware - OTP using hardware like Yubikey
@@ -182,6 +182,8 @@ A configuration wizard will prompt you to enter the necessary configuration para
 - include_path - (optional) Includes full role path to the role name in AWS credential profile name. (default: n).  If `y`: `<acct>-/some/path/administrator`. If `n`: `<acct>-administrator`
 - remember_device - y or n. If yes, the MFA device will be remembered by Okta service for a limited time. This option can also be set interactively in the command line using `-m` or `--remember-device`
 - output_format - `json` , `export` or `windows`, determines default credential output format, can be also specified by `--output-format FORMAT` and `-o FORMAT`.
+- use_keyring - y or n.  Defaults to y.  If n, use of the system keyring for password storage is disabled.
+- disable_session - y or n.  Defaults to n.  If y, disables using the session token between gimmie-aws-creds invocations.
 
 ## Configuration File
 

gimme_aws_creds/aws.py

@@ -10,7 +10,7 @@
 See the License for the specific language governing permissions and* limitations under the License.*
 """
 import base64
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 
 import requests
 from bs4 import BeautifulSoup
@@ -39,7 +39,7 @@ def __init__(self, verify_ssl_certs=True):
         # Allow up to 5 retries on requests to AWS in case we have network issues
         self._http_client = requests.Session()
         retries = Retry(total=5, backoff_factor=1,
-                        method_whitelist=['POST'])
+                        allowed_methods=['POST'])
         self._http_client.mount('https://', HTTPAdapter(max_retries=retries))
 
     def get_signinpage(self, saml_token, saml_target_url):
@@ -48,7 +48,7 @@ def get_signinpage(self, saml_token, saml_target_url):
             'SAMLResponse': saml_token,
             'RelayState': ''
         }
-        
+
         response = self._http_client.post(
             saml_target_url,
             data=payload,
@@ -58,7 +58,7 @@ def get_signinpage(self, saml_token, saml_target_url):
 
     def _enumerate_saml_roles(self, assertion, saml_target_url):
         signin_page = self.get_signinpage(assertion, saml_target_url)
-        
+
         """ using the assertion to fetch aws sign-in page, parse it and return aws sts creds """
         role_pairs = []
         root = ET.fromstring(base64.b64decode(assertion))
@@ -80,10 +80,10 @@ def _enumerate_saml_roles(self, assertion, saml_target_url):
                 raise errors.GimmeAWSCredsError('Parsing error on {}'.format(role_pair))
             else:
                 table[role] = idp
-        
+
         # init parser
         soup = BeautifulSoup(signin_page, 'html.parser')
-        
+
         # find all roles
         roles = soup.find_all("div", attrs={"class": "saml-role"})
         # Normalize pieces of string;
@@ -120,7 +120,7 @@ def _display_role(roles):
             if not current_account == last_account:
                 role_strs.append(current_account)
                 last_account = current_account
-                
+
             role_strs.append('      [ {} ]: {}'.format(i, role.friendly_role_name))
 
         return role_strs

gimme_aws_creds/config.py

@@ -175,7 +175,7 @@ def get_args(self):
             self.roles = [role.strip() for role in args.roles.split(',') if role.strip()]
         self.conf_profile = args.profile or 'DEFAULT'
 
-    def _handle_config(self, config, profile_config, include_inherits = True):
+    def _handle_config(self, config, profile_config, include_inherits=True):
         if "inherits" in profile_config.keys() and include_inherits:
             self.ui.message("Using inherited config: " + profile_config["inherits"])
             if profile_config["inherits"] not in config:
@@ -189,7 +189,7 @@ def _handle_config(self, config, profile_config, include_inherits = True):
         else:
             return profile_config
 
-    def get_config_dict(self, include_inherits = True):
+    def get_config_dict(self, include_inherits=True):
         """returns the conf dict from the okta config file"""
         # Check to see if config file exists, if not complain and exit
         # If config file does exist return config dict from file
@@ -225,6 +225,8 @@ def update_config_file(self):
                 aws_default_duration = Default AWS session duration (3600)
                 preferred_mfa_type = Select this MFA device type automatically
                 include_path - (optional) includes that full role path to the role name for profile
+                use_keyring - Enables or disables use of the system keyring
+                disable_session - Disables persistent sessions.
 
         """
         config = configparser.ConfigParser()
@@ -249,6 +251,8 @@ def update_config_file(self):
             'aws_default_duration': '3600',
             'device_token': '',
             'output_format': 'export',
+            'use_keyring': 'y',
+            'disable_session': 'n',
         }
 
         # See if a config file already exists.
@@ -293,6 +297,9 @@ def update_config_file(self):
         else:
             config_dict['cred_profile'] = defaults['cred_profile']
 
+        config_dict['use_keyring'] = self.get_use_keyring(defaults['use_keyring'])
+        config_dict['disable_session'] = self.get_disable_session(defaults['disable_session'])
+
         self.write_config_file(config_dict)
 
     def write_config_file(self, config_dict):
@@ -538,6 +545,30 @@ def _get_remember_device(self, default_entry):
             except ValueError:
                 ui.default.warning("Remember the MFA device must be either y or n.")
 
+    def _get_use_keyring(self, default_entry):
+        """Option to use the system keyring"""
+        ui.default.message(
+            "Do you want to use the system keyring?\n"
+            "Please answer y or n.")
+        while True:
+            try:
+                return self._get_user_input_yes_no(
+                    "Use system keyring", default_entry)
+            except ValueError:
+                ui.default.warning("Remember the value must be either y or n.")
+
+    def _get_disable_session(self, default_entry):
+        """Option to disable storing and using the session token between invocations."""
+        ui.default.message(
+            "Do you want to disable storing and using the session token between invocations?\n"
+            "Please answer y or n.")
+        while True:
+            try:
+                return self._get_user_input_yes_no(
+                    "Disable session token storage", default_entry)
+            except ValueError:
+                ui.default.warning("Remember the value must be either y or n.")
+
     def _get_user_input(self, message, default=None):
         """formats message to include default and then prompts user for input
         via keyboard with message. Returns user's input or if user doesn't

gimme_aws_creds/errors.py

@@ -70,6 +70,10 @@ class NoFIDODeviceFoundError(Exception):
     pass
 
 
+class NoEligibleFIDODeviceFoundError(Exception):
+    pass
+
+
 class FIDODeviceTimeoutError(Exception):
     pass
 

gimme_aws_creds/main.py

@@ -21,8 +21,8 @@
 # extras
 import boto3
 from botocore.exceptions import ClientError
-from okta.framework.ApiClient import ApiClient
-from okta.framework.OktaError import OktaError
+from okta.api_client import APIClient
+from okta.errors.error import Error as OktaError
 
 # local imports
 from . import errors, ui
@@ -239,8 +239,8 @@ def _get_aws_account_info(okta_org_url, okta_api_key, username):
         """ Call the Okta User API and process the results to return
         just the information we need for gimme_aws_creds"""
         # We need access to the entire JSON response from the Okta APIs, so we need to
-        # use the low-level ApiClient instead of UsersClient and AppInstanceClient
-        users_client = ApiClient(okta_org_url, okta_api_key, pathname='/api/v1/users')
+        # use the low-level APIClient instead of UsersClient and AppInstanceClient
+        users_client = APIClient(okta_org_url, okta_api_key, pathname='/api/v1/users')
 
         # Get User information
         try:
@@ -505,7 +505,7 @@ def conf_dict(self):
         :rtype: dict
         """
         # noinspection PyUnusedLocal
-        config = self.config
+        config = self.config # noqa
         return self._cache['conf_dict']
 
     @property
@@ -556,6 +556,16 @@ def okta(self):
 
         okta.set_remember_device(self.config.remember_device
                                  or self.conf_dict.get('remember_device', False))
+
+        if self.conf_dict.get('use_keyring') in ('n', 'false', 'False'):
+            okta.set_use_keyring(False)
+        else:
+            okta.set_use_keyring(True)
+
+        if self.conf_dict.get('disable_session', 'False') not in ('y', 'true', 'True'):
+            if self.conf_dict.get('session_token') is not None and self.conf_dict.get('session_username') is not None:
+                okta.set_session_token(self.conf_dict.get('session_username'), self.conf_dict.get('session_token'))
+
         return okta
 
     def get_resolver(self):
@@ -575,6 +585,13 @@ def device_token(self):
     def set_auth_session(self, auth_session):
         self._cache['auth_session'] = auth_session
 
+        okta = self._cache['okta']
+        base_config = self.config.get_config_dict(include_inherits=False)
+        base_config['session_username'] = auth_session['username']
+        base_config['session_token'] = auth_session['session']
+        self.config.write_config_file(base_config)
+        okta.set_session_token(base_config.get('session_username'), base_config.get('session_token'))
+
     @property
     def auth_session(self):
         if 'auth_session' in self._cache:
@@ -794,7 +811,7 @@ def _run(self):
         self.handle_action_store_json_creds()
         self.handle_action_list_roles()
         self.handle_setup_fido_authenticator()
-  
+
         # for each data item, if we have an override on output, prioritize that
         # if we do not, prioritize writing credentials to file if that is in our
         # configuration. If we are not writing to a credentials file, use whatever
@@ -841,7 +858,6 @@ def write_result_action(self, action, data):
             self.ui.result("export AWS_SECURITY_TOKEN=" +
                            data['credentials']['aws_security_token'])
 
-
     def handle_action_configure(self):
         # Create/Update config when configure arg set
         if not self.config.action_configure:
@@ -879,7 +895,7 @@ def handle_action_register_device(self):
                 self.ui.notify('*** You may be prompted for MFA more than once for this run.\n')
 
             auth_result = self.auth_session
-            base_config = self.config.get_config_dict(include_inherits = False)
+            base_config = self.config.get_config_dict(include_inherits=False)
             base_config['device_token'] = auth_result['device_token']
             self.config.write_config_file(base_config)
             self.okta.device_token = base_config['device_token']
@@ -905,7 +921,10 @@ def handle_setup_fido_authenticator(self):
 
             self.okta.set_preferred_mfa_type(None)
             credential_id, user = self.okta.setup_fido_authenticator()
+            alias = self.ui.input('Alias for webauthn token: ')
+            if alias == "":
+                alias = None
 
             registered_authenticators = RegisteredAuthenticators(self.ui)
-            registered_authenticators.add_authenticator(credential_id, user)
+            registered_authenticators.add_authenticator(credential_id, user, alias)
             raise errors.GimmeAWSCredsExitSuccess()