From 3ab9dff62ed0164287aaeaa3cb27ad0b15ce27c4 Mon Sep 17 00:00:00 2001
From: Andrew Shannon Brown
Date: Tue, 7 Jul 2020 16:19:56 -0700
Subject: [PATCH 1/5] Set O_TRUNC when re-writing credentials file (#292)
This should keep old crud from being included at the end of the file if it shrinks.
---
 cmd/write-to-credentials.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/write-to-credentials.go b/cmd/write-to-credentials.go
index 893ce46..b5a8c6b 100644
--- a/cmd/write-to-credentials.go
+++ b/cmd/write-to-credentials.go
@@ -125,7 +125,7 @@ func writeToCredentialsRun(cmd *cobra.Command, args []string) error {
 section.Key("aws_session_token").SetValue(creds.SessionToken)
 section.Key("aws_security_token").SetValue(creds.SessionToken)
- credFile, err := os.OpenFile(credFilePath, os.O_WRONLY, 0600)
+ credFile, err := os.OpenFile(credFilePath, os.O_WRONLY|os.O_TRUNC, 0600)
 if err != nil {
 return err
 }
From 05089ad645c12f452baec9fb17f6321a081f2f9a Mon Sep 17 00:00:00 2001
From: Evan Culver
Date: Wed, 22 Jul 2020 02:31:58 -0700
Subject: [PATCH 2/5] Fix session ID handling
---
 lib/duo.go | 9 ++++++---
 lib/okta.go | 3 ++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/duo.go b/lib/duo.go
index 5daaa23..9b18d20 100644
--- a/lib/duo.go
+++ b/lib/duo.go
@@ -28,10 +28,12 @@ type DuoClient struct {
 Callback string
 Device string
 StateToken string
+ FactorID string
 }
 type StatusResp struct {
 Response struct {
+ SessionID string `json:"sid"`
 U2FSignRequest []struct {
 Version string `json:"version"`
 Challenge string `json:"challenge"`
@@ -57,12 +59,13 @@ type PromptResp struct {
 Stat string `json:"stat"`
 }
-func NewDuoClient(host, signature, callback string) *DuoClient {
+func NewDuoClient(host, signature, callback, factorID string) *DuoClient {
 return &DuoClient{
 Host: host,
 Signature: signature,
 Device: "phone1",
 Callback: callback,
+ FactorID: factorID,
 }
 }
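Review bot: Truncating the credentials file in place with O_TRUNC opens a window in which the file is empty or half-written, so a crash, or another `aws-okta` process reading the file at that moment, can lose every profile's credentials rather than just stale trailing bytes; and since O_CREATE is not set, the 0600 in this `os.OpenFile` call is never applied, so whatever mode the existing file already has (possibly wider than 0600) is kept. Write the new contents to a temporary file in the same directory (`ioutil.TempFile` creates it 0600) and `os.Rename` it over `credFilePath` once the write has succeeded, which is atomic on POSIX and leaves the old file intact on failure. Keeping the variable name `credFile` lets the rest of the function, which begins and ends outside this hunk and is not visible here, write to it unchanged; `path/filepath` and `io/ioutil` would need to be imported if they are not already.
```go
	// Write to a same-directory temp file (created 0600) and rename it over
	// credFilePath, so readers never observe a truncated or half-written file.
	credFile, err := ioutil.TempFile(filepath.Dir(credFilePath), ".credentials-*")
	if err != nil {
		return err
	}
	defer os.Remove(credFile.Name()) // no-op once the rename below succeeds
	// … unchanged: write the ini sections into credFile …
	if err := credFile.Close(); err != nil {
		return err
	}
	return os.Rename(credFile.Name(), credFilePath)
```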
@@ -460,7 +463,7 @@ func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp,
 if status.Response.Result == "SUCCESS" {
 if status.Response.ResultURL != "" {
- auth, err = d.DoRedirect(status.Response.ResultURL, sid)
+ auth, err = d.DoRedirect(status.Response.ResultURL, status.Response.SessionID)
 } else {
 auth = status.Response.Cookie
 }
@@ -514,7 +517,7 @@ func (d *DuoClient) DoCallback(auth string) (err error) {
 client := &http.Client{}
- callbackData := "stateToken=" + d.StateToken + "&sig_response=" + sigResp
+ callbackData := "id=" + d.FactorID + "&stateToken=" + d.StateToken + "&sig_response=" + sigResp
 req, err = http.NewRequest("POST", d.Callback, bytes.NewReader([]byte(callbackData)))
 if err != nil {
 return
diff --git a/lib/okta.go b/lib/okta.go
index 98b531a..f17cf86 100644
--- a/lib/okta.go
+++ b/lib/okta.go
@@ -232,7 +232,7 @@ func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Durat
 // Clear DT cookie before starting AuthN flow again. Bug #279.
 o.CookieJar.SetCookies(o.BaseURL, []*http.Cookie{
 {
- Name: "DT",
+ Name: "DT",
 MaxAge: -1,
 },
 })
@@ -412,6 +412,7 @@ func (o *OktaClient) postChallenge(payload []byte, oktaFactorProvider string, ok
 Callback: f.Embedded.Verification.Links.Complete.Href,
 Device: o.MFAConfig.DuoDevice,
 StateToken: o.UserAuth.StateToken,
+ FactorID: f.Id,
 }
 log.Debugf("Host:%s\nSignature:%s\nStateToken:%s\n",
From 98c40a4dfeee54596aa5f5130364f88b8ebdeb90 Mon Sep 17 00:00:00 2001
From: Nick Irvine
Date: Wed, 22 Jul 2020 17:09:28 -0700
Subject: [PATCH 3/5] fix: add dual duo sid API support (#294)
---
 lib/duo.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/duo.go b/lib/duo.go
index 9b18d20..a6760a2 100644
--- a/lib/duo.go
+++ b/lib/duo.go
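Review bot: The new `callbackData` line still builds the POST body by plain string concatenation, so none of `d.FactorID`, `d.StateToken` or `sigResp` is form-encoded; any `&`, `=`, `%` or `+` inside a value is reinterpreted by the receiver, and under application/x-www-form-urlencoded a `+` decodes as a space, which matters if `sigResp` carries base64-style material (Duo's signed-response format appears to, though how `sigResp` is derived from `auth` is outside the hunk). Replace the concatenation with `callbackData := url.Values{"id": {d.FactorID}, "stateToken": {d.StateToken}, "sig_response": {sigResp}}.Encode()`, which escapes every value (net/url would need importing if it is not already). Whether the request sets a Content-Type header is also outside the hunk; DoCallback begins and ends outside it.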
@@ -463,7 +463,14 @@ func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp,
 if status.Response.Result == "SUCCESS" {
 if status.Response.ResultURL != "" {
- auth, err = d.DoRedirect(status.Response.ResultURL, status.Response.SessionID)
+ // DUO appears to waver on whether a session ID should come back
+ // in the response here, if it does, it should be used in the redirect
+ // before calling the Okta callback.
+ if status.Response.SessionID != "" {
+ sid = status.Response.SessionID
+ }
+ log.Debugf("Redirecting: %s; sid: %s", status.Response.ResultURL, sid)
+ auth, err = d.DoRedirect(status.Response.ResultURL, sid)
 } else {
 auth = status.Response.Cookie
 }
From dbe349306f34dcadafb843615ebf3d52e58027b7 Mon Sep 17 00:00:00 2001
From: Will Gardner
Date: Wed, 30 Sep 2020 19:10:39 +0100
Subject: [PATCH 4/5] Calculate OktaClient Content-Length correctly (#300)
Fixes: #298
---
 lib/okta.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/okta.go b/lib/okta.go
index f17cf86..e08af12 100644
--- a/lib/okta.go
+++ b/lib/okta.go
@@ -553,7 +553,6 @@ func GetFactorId(f *OktaUserAuthnFactor) (id string, err error) {
 func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error) {
 var res *http.Response
- var body []byte
 var header http.Header
 var client http.Client
@@ -596,7 +595,7 @@ func (o *OktaClient) Get(method string, path string, data []byte, recv interface
 ProtoMinor: 1,
 Header: header,
 Body: ioutil.NopCloser(bytes.NewReader(data)),
- ContentLength: int64(len(body)),
+ ContentLength: int64(len(data)),
 }
 if res, err = client.Do(req); err != nil {
From b95754212a09a0fbd75cf5a650f4a5feb20fbae4 Mon Sep 17 00:00:00 2001
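Review bot: The added `log.Debugf("Redirecting: %s; sid: %s", status.Response.ResultURL, sid)` writes the Duo session ID to the debug log; that value is presumably sufficient to continue the in-flight MFA transaction, and debug output is exactly what users paste into bug reports, so it should not carry the secret itself. Log only whether a sid came back and which one is being used, e.g. `log.Debugf("Redirecting: %s; sid from status response: %t", status.Response.ResultURL, status.Response.SessionID != "")`. The earlier `log.Debugf("Host:%s\nSignature:%s\nStateToken:%s\n", ...)` in okta.go, visible on this page, has the same problem and would deserve the same redaction. DoStatus begins and ends outside the hunk.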
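Review bot: `ContentLength: int64(len(data))` is correct for non-empty bodies, but when `data` is empty the request literal still pairs ContentLength 0 with a non-nil `Body`, which net/http treats as an unknown length: for GET/HEAD it probes the body to discover it is empty, while for POST/PUT it sends `Transfer-Encoding: chunked` with an empty body, and a hand-built `http.Request` also leaves `GetBody` nil so a redirect cannot replay the body. Either set `Body: http.NoBody` when `len(data) == 0`, or build the request with `http.NewRequest(method, u, bytes.NewReader(data))`, which fills ContentLength and GetBody for a `*bytes.Reader` automatically. The rest of `Get` (URL construction, header setup, the other literal fields) lies outside the hunk, so whether anything there would be lost by switching to `http.NewRequest` is not visible here.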
From: Nick Irvine
Date: Thu, 8 Oct 2020 10:49:02 -0700
Subject: [PATCH 5/5] Update issue templates
---
 .github/ISSUE_TEMPLATE/critical-bug-report.md | 39 +++++++++++++++++++
 .github/ISSUE_TEMPLATE/feature_request.md | 10 +++++
 2 files changed, 49 insertions(+)
 create mode 100644 .github/ISSUE_TEMPLATE/critical-bug-report.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
diff --git a/.github/ISSUE_TEMPLATE/critical-bug-report.md b/.github/ISSUE_TEMPLATE/critical-bug-report.md
new file mode 100644
index 0000000..a07a43f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/critical-bug-report.md
@@ -0,0 +1,39 @@
+---
+name: Critical Bug report
+about: A problem the severely affects existing functionality or security
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Note: [aws-okta is on indefinite hiatus](https://github.com/segmentio/aws-okta/issues/278); only critical bugs will be addressed.** (Delete this header upon submission.)
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. MacOS 14.11]
+ - Version [e.g. 1.0.1]. `aws-okta version` will tell you this.
+ - Installation method [e.g. homebrew, RPM/DEB from our PackageCloud, download from Github Release]
+
+**Reproducibility**
+- Can you reliably reproduce this issue or is it intermittent?
+- Can others in your Okta org reproduce it?
+- Can others outside your Okta org reproduce it?
+
+**Additional context**
+- When did it start happening?
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..1166050
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,10 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: 'close me: feature requests not accepted'
+labels: ''
+assignees: ''
+
+---
+
+**[aws-okta is on indefinite hiatus](https://github.com/segmentio/aws-okta/issues/278) and is not accepting feature requests or PRs.**