Merge branch 'upstream' into master

fiveai · Oct 21, 2020 · fcba67b · fcba67b
2 parents 389ef18 + b957542
commit fcba67b
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 4 deletions.
diff --git a/.github/ISSUE_TEMPLATE/critical-bug-report.md b/.github/ISSUE_TEMPLATE/critical-bug-report.md
@@ -0,0 +1,39 @@
+---
+name: Critical Bug report
+about: A problem the severely affects existing functionality or security
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Note: [aws-okta is on indefinite hiatus](https://github.com/segmentio/aws-okta/issues/278); only critical bugs will be addressed.** (Delete this header upon submission.)
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. MacOS 14.11]
+ - Version [e.g. 1.0.1]. `aws-okta version` will tell you this.
+ - Installation method [e.g. homebrew, RPM/DEB from our PackageCloud, download from Github Release]
+
+**Reproducibility**
+- Can you reliably reproduce this issue or is it intermittent?
+- Can others in your Okta org reproduce it?
+- Can others outside your Okta org reproduce it?
+
+**Additional context**
+- When did it start happening?
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,10 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: 'close me: feature requests not accepted'
+labels: ''
+assignees: ''
+
+---
+
+**[aws-okta is on indefinite hiatus](https://github.com/segmentio/aws-okta/issues/278) and is not accepting feature requests or PRs.**
diff --git a/cmd/write-to-credentials.go b/cmd/write-to-credentials.go
@@ -112,7 +112,7 @@ func writeToCredentialsRun(cmd *cobra.Command, args []string) error {
 	section.Key("aws_session_token").SetValue(creds.SessionToken)
 	section.Key("aws_security_token").SetValue(creds.SessionToken)
 
-	credFile, err := os.OpenFile(credFilePath, os.O_WRONLY, 0600)
+	credFile, err := os.OpenFile(credFilePath, os.O_WRONLY|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}

diff --git a/lib/duo.go b/lib/duo.go
@@ -28,10 +28,12 @@ type DuoClient struct {
 	Callback   string
 	Device     string
 	StateToken string
+	FactorID   string
 }
 
 type StatusResp struct {
 	Response struct {
+		SessionID      string `json:"sid"`
 		U2FSignRequest []struct {
 			Version   string `json:"version"`
 			Challenge string `json:"challenge"`
@@ -57,12 +59,13 @@ type PromptResp struct {
 	Stat string `json:"stat"`
 }
 
-func NewDuoClient(host, signature, callback string) *DuoClient {
+func NewDuoClient(host, signature, callback, factorID string) *DuoClient {
 	return &DuoClient{
 		Host:      host,
 		Signature: signature,
 		Device:    "phone1",
 		Callback:  callback,
+		FactorID:  factorID,
 	}
 }
 
@@ -460,6 +463,13 @@ func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp,
 
 	if status.Response.Result == "SUCCESS" {
 		if status.Response.ResultURL != "" {
+			// DUO appears to waver on whether a session ID should come back
+			// in the response here, if it does, it should be used in the redirect
+			// before calling the Okta callback.
+			if status.Response.SessionID != "" {
+				sid = status.Response.SessionID
+			}
+			log.Debugf("Redirecting: %s; sid: %s", status.Response.ResultURL, sid)
 			auth, err = d.DoRedirect(status.Response.ResultURL, sid)
 		} else {
 			auth = status.Response.Cookie
@@ -514,7 +524,7 @@ func (d *DuoClient) DoCallback(auth string) (err error) {
 
 	client := &http.Client{}
 
-	callbackData := "stateToken=" + d.StateToken + "&sig_response=" + sigResp
+	callbackData := "id=" + d.FactorID + "&stateToken=" + d.StateToken + "&sig_response=" + sigResp
 	req, err = http.NewRequest("POST", d.Callback, bytes.NewReader([]byte(callbackData)))
 	if err != nil {
 		return

diff --git a/lib/okta.go b/lib/okta.go
@@ -232,7 +232,7 @@ func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Durat
 		// Clear DT cookie before starting AuthN flow again. Bug #279.
 		o.CookieJar.SetCookies(o.BaseURL, []*http.Cookie{
 			{
-				Name:  "DT",
+				Name:   "DT",
 				MaxAge: -1,
 			},
 		})
@@ -412,6 +412,7 @@ func (o *OktaClient) postChallenge(payload []byte, oktaFactorProvider string, ok
 					Callback:   f.Embedded.Verification.Links.Complete.Href,
 					Device:     o.MFAConfig.DuoDevice,
 					StateToken: o.UserAuth.StateToken,
+					FactorID:   f.Id,
 				}
 
 				log.Debugf("Host:%s\nSignature:%s\nStateToken:%s\n",