Skip to content

Commit

Permalink
Merge pull request #364 from DavidTanner/updateAwsSdk
Browse files Browse the repository at this point in the history
Updating to use the AWS 2.0 SDK
  • Loading branch information
bdemers authored Jul 29, 2021
2 parents ca70e8a + 715eb49 commit 2f3a60a
Show file tree
Hide file tree
Showing 22 changed files with 213 additions and 158 deletions.
18 changes: 18 additions & 0 deletions .github/workflows/pull_request.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
name: PR Build and Test

on:
pull_request

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 14
uses: actions/setup-java@v1
with:
java-version: 14
java-package: jdk+fx
architecture: x64
- name: Run package
run: mvn --batch-mode --update-snapshots verify
1 change: 0 additions & 1 deletion .idea/.name

This file was deleted.

1 change: 1 addition & 0 deletions .idea/encodings.xml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

30 changes: 30 additions & 0 deletions .idea/jarRepositories.xml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .idea/misc.xml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions .idea/modules.xml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Readme.MD
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ Here is the list of parameters that can be environment variables or settings in
- ```OKTA_ENV_MODE``` set to **true** to run sub-command with **AWS_ACCESS_KEY_ID**, **AWS_SECRET_ACCESS_KEY**, and **AWS_SESSION_TOKEN** env vars set. Temporary credentials are shared in memory and kept off disk in this mode. (default: **false**)
- ```OKTA_BROWSER_AUTH``` set to **true** to use integrated web browser for authentication (default: **false**)
- ```OKTA_COOKIES_PATH``` is directory path to store cookies.properties for Okta. This is particularly useful when running this tool in many concurrent processes like you might with **OKTA_ENV_MODE** (default: ~/.okta)
- ```OKTA_PROFILE``` is the name of the AWS profile to create/reuse. May also be specified on the commandline by ```--profile```. (default: get AWS profile name based on per-session STS user name)
- ```OKTA_PROFILE``` is the name of the AWS profile to create/reuse. (default: get AWS profile name based on per-session STS user name)
- ```OKTA_AWS_REGION``` is the default AWS region to store with the created profile.
- ```OKTA_AWS_ROLE_TO_ASSUME``` is the IAM Role ARN to use. If present will try to match okta account's retrieved role list and use it. Will still prompt if no match found. (ex: **arn:aws:iam::123456789012:role/EC2-Admins**)
- ```OKTA_STS_DURATION``` is the duration the role will be assumed, in seconds. The maximum session duration allowed by AWS is 12 hours and this needs to be set on the role as well. Defaults to 1hr.
Expand Down
16 changes: 6 additions & 10 deletions THIRD_PARTY_NOTICES
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
This document contains third party open source licenses and notices for the Okta AWS CLI Assume Role Tool product. Certain licenses and notices may appear in other parts of the product in accordance with the applicable license requirements.

The Okta product that this document references does not necessarily use all the open source software packages referred to below and may also only use portions of a given package.
The Okta product that this document references does not necessarily use all the open source software packages referred to below and may also only use portions of a given package.

Third Party Notices
-------------------
Expand Down Expand Up @@ -39,19 +39,15 @@ See Open Source Licenses below for complete copy of the Apache 2.0 license

AWS Java SDK
Version (if any):
1.11.515
2.15.69 https://github.com/aws/aws-sdk-java-v2/tree/2.15.69
Brief Description:
The AWS SDK for Java enables Java developers to easily work with Amazon
Web Services and build scalable solutions with Amazon S3, Amazon
DynamoDB, Amazon Glacier, and more.

AWS SDK for Java

Copyright 2010-2014 Amazon.com, Inc. or its affiliates. All Rights Reserved.

This product includes software developed by Amazon Technologies, Inc (http://www.amazon.com/).

See Open Source Licenses below for complete copy of the Apache 2.0 license
https://github.com/aws/aws-sdk-java-v2/blob/2.15.69/LICENSE.txt

-------------------

Expand Down Expand Up @@ -562,10 +558,10 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI

Disclaimer and Limitation of Liability

Disclaimer. OKTA AND ITS SUPPLIERS HEREBY DISCLAIM ALL (AND HAVE NOT AUTHORIZED ANYONE TO MAKE ANY) WARRANTIES EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO OPEN SOURCE SOFTWARE, TITLE, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE PARTIES ARE NOT RELYING AND HAVE NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING OKTA AND OKTA MAKES NO WARRANTY REGARDING ANY THIRD PARTY SOFTWARE.
Disclaimer. OKTA AND ITS SUPPLIERS HEREBY DISCLAIM ALL (AND HAVE NOT AUTHORIZED ANYONE TO MAKE ANY) WARRANTIES EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO OPEN SOURCE SOFTWARE, TITLE, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE PARTIES ARE NOT RELYING AND HAVE NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING OKTA AND OKTA MAKES NO WARRANTY REGARDING ANY THIRD PARTY SOFTWARE.

Limitation of Liability. OKTA AND ITS SUPPLIERS, SHALL NOT BE RESPONSIBLE OR LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY ARISING OUT OF OR RELATED TO OPEN SOURCE SOFWARE (A) FOR ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A OKTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
IN NO EVENT WILL OKTA NOR ITS SUPPLIER’S AGGREGATE AND CUMULATIVE LIABILITY FOR ANY CLAIMS ARISING OUT OF OR RELATED TO OPEN SOURCE SOFTWARE EXCEED ONE HUNDRED DOLLARS ($100).
Limitation of Liability. OKTA AND ITS SUPPLIERS, SHALL NOT BE RESPONSIBLE OR LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY ARISING OUT OF OR RELATED TO OPEN SOURCE SOFWARE (A) FOR ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A OKTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
IN NO EVENT WILL OKTA NOR ITS SUPPLIER’S AGGREGATE AND CUMULATIVE LIABILITY FOR ANY CLAIMS ARISING OUT OF OR RELATED TO OPEN SOURCE SOFTWARE EXCEED ONE HUNDRED DOLLARS ($100).

Any provisions provided by Okta which differ from those in any third party license are provided by Okta alone.

Expand Down
12 changes: 2 additions & 10 deletions bin/install.sh
Original file line number Diff line number Diff line change
Expand Up @@ -132,22 +132,14 @@ mkdir -p "${PREFIX}/bin"
# Create withokta command
cat <<EOF >"${PREFIX}/bin/withokta"
#!/bin/bash
command="\$1"
profile=\$2
shift;
shift;
if [ "$1" == "logout" ]
then
command="logout"
fi
if [ -n "\$https_proxy" ]; then
readonly URI_REGEX='^(([^:/?#]+):)?(//((([^:/?#]+)@)?([^:/?#]+)(:([0-9]+))?))?(/([^?#]*))(\?([^#]*))?(#(.*))?'
[[ \$https_proxy =~ \${URI_REGEX} ]] && PROXY_CONFIG="-Dhttps.proxyHost=\${BASH_REMATCH[7]} -Dhttps.proxyPort=\${BASH_REMATCH[9]}"
fi
env OKTA_PROFILE=\$profile java \${PROXY_CONFIG} \\
java \${PROXY_CONFIG} \\
-Djava.util.logging.config.file=${PREFIX}/logging.properties \\
-classpath ${PREFIX}/okta-aws-cli.jar \\
com.okta.tools.WithOkta \$command "\$@"
com.okta.tools.WithOkta \$@
EOF
chmod +x "${PREFIX}/bin/withokta"

Expand Down
29 changes: 19 additions & 10 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@

<groupId>com.okta.developer</groupId>
<artifactId>okta-aws-cli</artifactId>
<version>2.0.5</version>
<version>3.0.0-SNAPSHOT</version>
<packaging>jar</packaging>

<repositories>
Expand All @@ -33,28 +33,37 @@

<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<aws-java-sdk.version>1.11.515</aws-java-sdk.version>
<okta.version>1.2.0</okta.version>
<json.version>20180813</json.version>
<aws-java-sdk.version>2.15.69</aws-java-sdk.version>
<json.version>20200518</json.version>
<commons-configuration2.version>2.7</commons-configuration2.version>
<httpcomponents-httpclient.version>4.5.13</httpcomponents-httpclient.version>
<junit.jupiter.version>5.4.0</junit.jupiter.version>
<ini4j.version>0.5.4</ini4j.version>
<jsoup.version>1.11.3</jsoup.version>
<opensaml.version>3.4.2</opensaml.version>
<opensaml.version>3.4.5</opensaml.version>
<slf4j.version>1.7.26</slf4j.version>
<openjfx.version>12.0.1</openjfx.version>
</properties>

<dependencies>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-core</artifactId>
<groupId>software.amazon.awssdk</groupId>
<artifactId>protocol-core</artifactId>
<version>${aws-java-sdk.version}</version>
</dependency>
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sts</artifactId>
<groupId>software.amazon.awssdk</groupId>
<artifactId>aws-json-protocol</artifactId>
<version>${aws-java-sdk.version}</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>iam</artifactId>
<version>${aws-java-sdk.version}</version>
</dependency>
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>sts</artifactId>
<version>${aws-java-sdk.version}</version>
</dependency>
<dependency>
Expand Down Expand Up @@ -188,7 +197,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.0</version>
<version>3.2.4</version>
<executions>
<execution>
<phase>package</phase>
Expand Down
30 changes: 14 additions & 16 deletions src/main/java/com/okta/tools/AWSCredentialsUtil.java
Original file line number Diff line number Diff line change
Expand Up @@ -18,28 +18,26 @@
import java.io.IOException;
import java.time.Instant;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlResponse;
import software.amazon.awssdk.services.sts.model.Credentials;

public interface AWSCredentialsUtil {

static AWSCredentials getAWSCredential() throws IOException, InterruptedException {
AssumeRoleWithSAMLResult samlResult = OktaAwsCliAssumeRole.withEnvironment(OktaAwsConfig.loadEnvironment()).getAssumeRoleWithSAMLResult(Instant.now());
static AwsSessionCredentials getAWSCredential() throws IOException, InterruptedException {
AssumeRoleWithSamlResponse samlResult = OktaAwsCliAssumeRole.withEnvironment(OktaAwsConfig.loadEnvironment()).getAssumeRoleWithSAMLResult(Instant.now());

Credentials credentials = samlResult.getCredentials();
Credentials credentials = samlResult.credentials();

return new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
return AwsSessionCredentials.create(credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken());
}
static AWSSessionCredentials getAWSCredential (OktaAwsCliEnvironment environment) throws IOException, InterruptedException {
AssumeRoleWithSAMLResult samlResult = OktaAwsCliAssumeRole.withEnvironment(environment).getAssumeRoleWithSAMLResult(Instant.now());
Credentials credentials = samlResult.getCredentials();
return new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());

static AwsSessionCredentials getAWSCredential (OktaAwsCliEnvironment environment) throws IOException, InterruptedException {
AssumeRoleWithSamlResponse samlResult = OktaAwsCliAssumeRole.withEnvironment(environment).getAssumeRoleWithSAMLResult(Instant.now());

Credentials credentials = samlResult.credentials();

return AwsSessionCredentials.create(credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken());
}

}
34 changes: 17 additions & 17 deletions src/main/java/com/okta/tools/OktaAwsCliAssumeRole.java
Original file line number Diff line number Diff line change
Expand Up @@ -20,21 +20,21 @@
import java.time.temporal.ChronoUnit;
import java.util.Optional;

import com.amazonaws.services.securitytoken.model.Credentials;
import com.okta.tools.authentication.*;
import com.okta.tools.helpers.*;
import com.okta.tools.saml.OktaAppClient;
import com.okta.tools.saml.OktaAppClientImpl;
import org.apache.commons.lang.StringUtils;

import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLResult;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlResponse;
import com.okta.tools.models.Profile;
import com.okta.tools.models.Session;
import com.okta.tools.saml.OktaSaml;
import software.amazon.awssdk.services.sts.model.Credentials;

final class OktaAwsCliAssumeRole {
private OktaAwsCliEnvironment environment;
final private OktaAwsCliEnvironment environment;

private SessionHelper sessionHelper;
private RoleHelper roleHelper;
Expand Down Expand Up @@ -103,10 +103,10 @@ RunResult run(Instant startInstant) throws IOException, InterruptedException {

RunResult runResult = new RunResult();
runResult.profileName = profileSAMLResult.profileName;
Credentials credentials = profileSAMLResult.assumeRoleWithSAMLResult.getCredentials();
runResult.accessKeyId = credentials.getAccessKeyId();
runResult.secretAccessKey = credentials.getSecretAccessKey();
runResult.sessionToken = credentials.getSessionToken();
Credentials credentials = profileSAMLResult.assumeRoleWithSAMLResult.credentials();
runResult.accessKeyId = credentials.accessKeyId();
runResult.secretAccessKey = credentials.secretAccessKey();
runResult.sessionToken = credentials.sessionToken();

return runResult;
}
Expand All @@ -118,7 +118,7 @@ class RunResult {
String sessionToken;
}

AssumeRoleWithSAMLResult getAssumeRoleWithSAMLResult(Instant startInstant) throws IOException, InterruptedException {
AssumeRoleWithSamlResponse getAssumeRoleWithSAMLResult(Instant startInstant) throws IOException, InterruptedException {
init();

environment.awsRoleToAssume = currentProfile.map(profile1 -> profile1.roleArn).orElse(environment.awsRoleToAssume);
Expand All @@ -130,9 +130,9 @@ AssumeRoleWithSAMLResult getAssumeRoleWithSAMLResult(Instant startInstant) throw

private ProfileSAMLResult doRequest(Instant startInstant) throws IOException, InterruptedException {
String samlResponse = oktaSaml.getSamlResponse();
AssumeRoleWithSAMLRequest assumeRequest = roleHelper.chooseAwsRoleToAssume(samlResponse);
Instant sessionExpiry = startInstant.plus((long) assumeRequest.getDurationSeconds() - (long) 30, ChronoUnit.SECONDS);
AssumeRoleWithSAMLResult assumeResult = roleHelper.assumeChosenAwsRole(assumeRequest);
AssumeRoleWithSamlRequest assumeRequest = roleHelper.chooseAwsRoleToAssume(samlResponse);
Instant sessionExpiry = startInstant.plus((long) assumeRequest.durationSeconds() - (long) 30, ChronoUnit.SECONDS);
AssumeRoleWithSamlResponse assumeResult = roleHelper.assumeChosenAwsRole(assumeRequest);

String profileName = profileHelper.getProfileName(assumeResult);
if (!environment.oktaEnvMode) {
Expand All @@ -143,19 +143,19 @@ private ProfileSAMLResult doRequest(Instant startInstant) throws IOException, In
return new ProfileSAMLResult(assumeResult, profileName);
}

private void updateConfig(AssumeRoleWithSAMLRequest assumeRequest, Instant sessionExpiry, String profileName) throws IOException {
private void updateConfig(AssumeRoleWithSamlRequest assumeRequest, Instant sessionExpiry, String profileName) throws IOException {
environment.oktaProfile = profileName;
environment.awsRoleToAssume = assumeRequest.getRoleArn();
environment.awsRoleToAssume = assumeRequest.roleArn();
sessionHelper.addOrUpdateProfile(sessionExpiry);
sessionHelper.updateCurrentSession(sessionExpiry, profileName);
}

// Holds the values for the profile name and SAML result shared by CLI and SDK implementations
private class ProfileSAMLResult {
static private class ProfileSAMLResult {
String profileName;
AssumeRoleWithSAMLResult assumeRoleWithSAMLResult;
AssumeRoleWithSamlResponse assumeRoleWithSAMLResult;

ProfileSAMLResult(AssumeRoleWithSAMLResult pAssumeRoleWithSAMLResult, String pProfileName) {
ProfileSAMLResult(AssumeRoleWithSamlResponse pAssumeRoleWithSAMLResult, String pProfileName) {
assumeRoleWithSAMLResult = pAssumeRoleWithSAMLResult;
profileName = pProfileName;
}
Expand Down
6 changes: 4 additions & 2 deletions src/main/java/com/okta/tools/OktaAwsCliEnvironment.java
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
*/
package com.okta.tools;

import software.amazon.awssdk.regions.Region;

public class OktaAwsCliEnvironment {
public final boolean browserAuth;
public final String oktaOrg;
Expand All @@ -28,7 +30,7 @@ public class OktaAwsCliEnvironment {
public String awsRoleToAssume;

public int stsDuration;
public final String awsRegion;
public final Region awsRegion;
public final String oktaMfaChoice;
public boolean oktaEnvMode;

Expand All @@ -42,7 +44,7 @@ public OktaAwsCliEnvironment()
public OktaAwsCliEnvironment(boolean browserAuth, String oktaOrg,
String oktaUsername, InterruptibleSupplier<String> oktaPassword, String oktaCookiesPath,
String oktaProfile, String oktaAwsAppUrl, String awsRoleToAssume,
int stsDuration, String awsRegion,
int stsDuration, Region awsRegion,
String oktaMfaChoice, boolean oktaEnvMode, String oktaIgnoreSaml) {
this.browserAuth = browserAuth;
this.oktaOrg = oktaOrg;
Expand Down
Loading

0 comments on commit 2f3a60a

Please sign in to comment.