Updating to use the AWS 2.0 SDK

.github/workflows/pull_request.yaml

@@ -0,0 +1,18 @@
+name: PR Build and Test
+
+on:
+  pull_request
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 14
+        uses: actions/setup-java@v1
+        with:
+          java-version: 14
+          java-package: jdk+fx
+          architecture: x64
+      - name: Run package
+        run: mvn --batch-mode --update-snapshots verify

Readme.MD

@@ -153,7 +153,7 @@ Here is the list of parameters that can be environment variables or settings in
   - ```OKTA_ENV_MODE``` set to **true** to run sub-command with **AWS_ACCESS_KEY_ID**, **AWS_SECRET_ACCESS_KEY**, and **AWS_SESSION_TOKEN** env vars set. Temporary credentials are shared in memory and kept off disk in this mode. (default: **false**)
   - ```OKTA_BROWSER_AUTH``` set to **true** to use integrated web browser for authentication (default: **false**)
   - ```OKTA_COOKIES_PATH``` is directory path to store cookies.properties for Okta. This is particularly useful when running this tool in many concurrent processes like you might with **OKTA_ENV_MODE** (default: ~/.okta)
-  - ```OKTA_PROFILE``` is the name of the AWS profile to create/reuse.  May also be specified on the commandline by ```--profile```. (default: get AWS profile name based on per-session STS user name)  
+  - ```OKTA_PROFILE``` is the name of the AWS profile to create/reuse. (default: get AWS profile name based on per-session STS user name)  
   - ```OKTA_AWS_REGION``` is the default AWS region to store with the created profile.
   - ```OKTA_AWS_ROLE_TO_ASSUME``` is the IAM Role ARN to use. If present will try to match okta account's retrieved role list and use it. Will still prompt if no match found. (ex: **arn:aws:iam::123456789012:role/EC2-Admins**)
   - ```OKTA_STS_DURATION``` is the duration the role will be assumed, in seconds. The maximum session duration allowed by AWS is 12 hours and this needs to be set on the role as well.  Defaults to 1hr.

THIRD_PARTY_NOTICES

@@ -1,6 +1,6 @@
 This document contains third party open source licenses and notices for the Okta AWS CLI Assume Role Tool product. Certain licenses and notices may appear in other parts of the product in accordance with the applicable license requirements.
 
-The Okta product that this document references does not necessarily use all the open source software packages referred to below and may also only use portions of a given package. 
+The Okta product that this document references does not necessarily use all the open source software packages referred to below and may also only use portions of a given package.
 
 Third Party Notices
 -------------------
@@ -39,19 +39,15 @@ See Open Source Licenses below for complete copy of the Apache 2.0 license
 
 AWS Java SDK
 Version (if any):
-1.11.515
+2.15.69 https://github.com/aws/aws-sdk-java-v2/tree/2.15.69
 Brief Description:
 The AWS SDK for Java enables Java developers to easily work with Amazon
 Web Services and build scalable solutions with Amazon S3, Amazon
 DynamoDB, Amazon Glacier, and more.
 
 AWS SDK for Java
 
-Copyright 2010-2014 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-This product includes software developed by Amazon Technologies, Inc (http://www.amazon.com/).
-
-See Open Source Licenses below for complete copy of the Apache 2.0 license
+https://github.com/aws/aws-sdk-java-v2/blob/2.15.69/LICENSE.txt
 
 -------------------
 
@@ -562,10 +558,10 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 Disclaimer and Limitation of Liability
 
-Disclaimer. OKTA AND ITS SUPPLIERS HEREBY DISCLAIM ALL (AND HAVE NOT AUTHORIZED ANYONE TO MAKE ANY) WARRANTIES EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO OPEN SOURCE SOFTWARE, TITLE, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE PARTIES ARE NOT RELYING AND HAVE NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING OKTA AND OKTA MAKES NO WARRANTY REGARDING ANY THIRD PARTY SOFTWARE.   
+Disclaimer. OKTA AND ITS SUPPLIERS HEREBY DISCLAIM ALL (AND HAVE NOT AUTHORIZED ANYONE TO MAKE ANY) WARRANTIES EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO OPEN SOURCE SOFTWARE, TITLE, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE PARTIES ARE NOT RELYING AND HAVE NOT RELIED ON ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER REGARDING OKTA AND OKTA MAKES NO WARRANTY REGARDING ANY THIRD PARTY SOFTWARE.
 
-Limitation of Liability. OKTA AND ITS SUPPLIERS, SHALL NOT BE RESPONSIBLE OR LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY ARISING OUT OF OR RELATED TO OPEN SOURCE SOFWARE (A) FOR ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A OKTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
-IN NO EVENT WILL OKTA NOR ITS SUPPLIER’S AGGREGATE AND CUMULATIVE LIABILITY FOR ANY CLAIMS ARISING OUT OF OR RELATED TO OPEN SOURCE SOFTWARE EXCEED ONE HUNDRED DOLLARS ($100). 
+Limitation of Liability. OKTA AND ITS SUPPLIERS, SHALL NOT BE RESPONSIBLE OR LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY ARISING OUT OF OR RELATED TO OPEN SOURCE SOFWARE (A) FOR ERROR OR INTERRUPTION OF USE, LOSS OR INACCURACY OR CORRUPTION OF DATA, (B) FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, RIGHTS, OR TECHNOLOGY, (C) FOR ANY LOST PROFITS OR REVENUES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, WHETHER OR NOT A OKTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+IN NO EVENT WILL OKTA NOR ITS SUPPLIER’S AGGREGATE AND CUMULATIVE LIABILITY FOR ANY CLAIMS ARISING OUT OF OR RELATED TO OPEN SOURCE SOFTWARE EXCEED ONE HUNDRED DOLLARS ($100).
 
 Any provisions provided by Okta which differ from those in any third party license are provided by Okta alone.
 

bin/install.sh

@@ -132,22 +132,14 @@ mkdir -p "${PREFIX}/bin"
 # Create withokta command
 cat <<EOF >"${PREFIX}/bin/withokta"
 #!/bin/bash
-command="\$1"
-profile=\$2
-shift;
-shift;
-if [ "$1" == "logout" ]
-then
-    command="logout"
-fi
 if [ -n "\$https_proxy" ]; then
     readonly URI_REGEX='^(([^:/?#]+):)?(//((([^:/?#]+)@)?([^:/?#]+)(:([0-9]+))?))?(/([^?#]*))(\?([^#]*))?(#(.*))?'
     [[ \$https_proxy =~ \${URI_REGEX} ]] && PROXY_CONFIG="-Dhttps.proxyHost=\${BASH_REMATCH[7]} -Dhttps.proxyPort=\${BASH_REMATCH[9]}"
 fi
-env OKTA_PROFILE=\$profile java \${PROXY_CONFIG} \\
+java \${PROXY_CONFIG} \\
     -Djava.util.logging.config.file=${PREFIX}/logging.properties \\
     -classpath ${PREFIX}/okta-aws-cli.jar \\
-    com.okta.tools.WithOkta \$command "\$@"
+    com.okta.tools.WithOkta \$@
 EOF
 chmod +x "${PREFIX}/bin/withokta"
 

pom.xml

@@ -20,7 +20,7 @@
 
     <groupId>com.okta.developer</groupId>
     <artifactId>okta-aws-cli</artifactId>
-    <version>2.0.5</version>
+    <version>3.0.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <repositories>
@@ -33,28 +33,37 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <aws-java-sdk.version>1.11.515</aws-java-sdk.version>
-        <okta.version>1.2.0</okta.version>
-        <json.version>20180813</json.version>
+        <aws-java-sdk.version>2.15.69</aws-java-sdk.version>
+        <json.version>20200518</json.version>
         <commons-configuration2.version>2.7</commons-configuration2.version>
         <httpcomponents-httpclient.version>4.5.13</httpcomponents-httpclient.version>
         <junit.jupiter.version>5.4.0</junit.jupiter.version>
         <ini4j.version>0.5.4</ini4j.version>
         <jsoup.version>1.11.3</jsoup.version>
-        <opensaml.version>3.4.2</opensaml.version>
+        <opensaml.version>3.4.5</opensaml.version>
         <slf4j.version>1.7.26</slf4j.version>
         <openjfx.version>12.0.1</openjfx.version>
     </properties>
 
     <dependencies>
         <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-core</artifactId>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>protocol-core</artifactId>
             <version>${aws-java-sdk.version}</version>
         </dependency>
         <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-sts</artifactId>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>aws-json-protocol</artifactId>
+            <version>${aws-java-sdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>iam</artifactId>
+            <version>${aws-java-sdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
             <version>${aws-java-sdk.version}</version>
         </dependency>
         <dependency>
@@ -188,7 +197,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-shade-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.2.4</version>
                 <executions>
                     <execution>
                         <phase>package</phase>

src/main/java/com/okta/tools/AWSCredentialsUtil.java

@@ -18,28 +18,26 @@
 import java.io.IOException;
 import java.time.Instant;
 
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.auth.AWSSessionCredentials;
-import com.amazonaws.auth.BasicSessionCredentials;
-import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLResult;
-import com.amazonaws.services.securitytoken.model.Credentials;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlResponse;
+import software.amazon.awssdk.services.sts.model.Credentials;
 
 public interface AWSCredentialsUtil {
 
-    static AWSCredentials getAWSCredential() throws IOException, InterruptedException {
-        AssumeRoleWithSAMLResult samlResult = OktaAwsCliAssumeRole.withEnvironment(OktaAwsConfig.loadEnvironment()).getAssumeRoleWithSAMLResult(Instant.now());
+    static AwsSessionCredentials getAWSCredential() throws IOException, InterruptedException {
+        AssumeRoleWithSamlResponse samlResult = OktaAwsCliAssumeRole.withEnvironment(OktaAwsConfig.loadEnvironment()).getAssumeRoleWithSAMLResult(Instant.now());
 
-        Credentials credentials = samlResult.getCredentials();
+        Credentials credentials = samlResult.credentials();
 
-        return new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
+        return AwsSessionCredentials.create(credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken());
     }
-    
-    static AWSSessionCredentials getAWSCredential (OktaAwsCliEnvironment environment) throws IOException, InterruptedException {
-        AssumeRoleWithSAMLResult samlResult = OktaAwsCliAssumeRole.withEnvironment(environment).getAssumeRoleWithSAMLResult(Instant.now());
-        
-        Credentials credentials = samlResult.getCredentials();
-        
-        return new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
+
+    static AwsSessionCredentials getAWSCredential (OktaAwsCliEnvironment environment) throws IOException, InterruptedException {
+        AssumeRoleWithSamlResponse samlResult = OktaAwsCliAssumeRole.withEnvironment(environment).getAssumeRoleWithSAMLResult(Instant.now());
+
+        Credentials credentials = samlResult.credentials();
+
+        return AwsSessionCredentials.create(credentials.accessKeyId(), credentials.secretAccessKey(), credentials.sessionToken());
     }
 
 }

src/main/java/com/okta/tools/OktaAwsCliAssumeRole.java

@@ -20,21 +20,21 @@
 import java.time.temporal.ChronoUnit;
 import java.util.Optional;
 
-import com.amazonaws.services.securitytoken.model.Credentials;
 import com.okta.tools.authentication.*;
 import com.okta.tools.helpers.*;
 import com.okta.tools.saml.OktaAppClient;
 import com.okta.tools.saml.OktaAppClientImpl;
 import org.apache.commons.lang.StringUtils;
 
-import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLRequest;
-import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLResult;
+import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlRequest;
+import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlResponse;
 import com.okta.tools.models.Profile;
 import com.okta.tools.models.Session;
 import com.okta.tools.saml.OktaSaml;
+import software.amazon.awssdk.services.sts.model.Credentials;
 
 final class OktaAwsCliAssumeRole {
-    private OktaAwsCliEnvironment environment;
+    final private OktaAwsCliEnvironment environment;
 
     private SessionHelper sessionHelper;
     private RoleHelper roleHelper;
@@ -103,10 +103,10 @@ RunResult run(Instant startInstant) throws IOException, InterruptedException {
 
         RunResult runResult = new RunResult();
         runResult.profileName = profileSAMLResult.profileName;
-        Credentials credentials = profileSAMLResult.assumeRoleWithSAMLResult.getCredentials();
-        runResult.accessKeyId = credentials.getAccessKeyId();
-        runResult.secretAccessKey = credentials.getSecretAccessKey();
-        runResult.sessionToken = credentials.getSessionToken();
+        Credentials credentials = profileSAMLResult.assumeRoleWithSAMLResult.credentials();
+        runResult.accessKeyId = credentials.accessKeyId();
+        runResult.secretAccessKey = credentials.secretAccessKey();
+        runResult.sessionToken = credentials.sessionToken();
 
         return runResult;
     }
@@ -118,7 +118,7 @@ class RunResult {
         String sessionToken;
     }
 
-    AssumeRoleWithSAMLResult getAssumeRoleWithSAMLResult(Instant startInstant) throws IOException, InterruptedException {
+    AssumeRoleWithSamlResponse getAssumeRoleWithSAMLResult(Instant startInstant) throws IOException, InterruptedException {
         init();
 
         environment.awsRoleToAssume = currentProfile.map(profile1 -> profile1.roleArn).orElse(environment.awsRoleToAssume);
@@ -130,9 +130,9 @@ AssumeRoleWithSAMLResult getAssumeRoleWithSAMLResult(Instant startInstant) throw
 
     private ProfileSAMLResult doRequest(Instant startInstant) throws IOException, InterruptedException {
         String samlResponse = oktaSaml.getSamlResponse();
-        AssumeRoleWithSAMLRequest assumeRequest = roleHelper.chooseAwsRoleToAssume(samlResponse);
-        Instant sessionExpiry = startInstant.plus((long) assumeRequest.getDurationSeconds() - (long) 30, ChronoUnit.SECONDS);
-        AssumeRoleWithSAMLResult assumeResult = roleHelper.assumeChosenAwsRole(assumeRequest);
+        AssumeRoleWithSamlRequest assumeRequest = roleHelper.chooseAwsRoleToAssume(samlResponse);
+        Instant sessionExpiry = startInstant.plus((long) assumeRequest.durationSeconds() - (long) 30, ChronoUnit.SECONDS);
+        AssumeRoleWithSamlResponse assumeResult = roleHelper.assumeChosenAwsRole(assumeRequest);
 
         String profileName = profileHelper.getProfileName(assumeResult);
         if (!environment.oktaEnvMode) {
@@ -143,19 +143,19 @@ private ProfileSAMLResult doRequest(Instant startInstant) throws IOException, In
         return new ProfileSAMLResult(assumeResult, profileName);
     }
 
-    private void updateConfig(AssumeRoleWithSAMLRequest assumeRequest, Instant sessionExpiry, String profileName) throws IOException {
+    private void updateConfig(AssumeRoleWithSamlRequest assumeRequest, Instant sessionExpiry, String profileName) throws IOException {
         environment.oktaProfile = profileName;
-        environment.awsRoleToAssume = assumeRequest.getRoleArn();
+        environment.awsRoleToAssume = assumeRequest.roleArn();
         sessionHelper.addOrUpdateProfile(sessionExpiry);
         sessionHelper.updateCurrentSession(sessionExpiry, profileName);
     }
 
     // Holds the values for the profile name and SAML result shared by CLI and SDK implementations
-    private class ProfileSAMLResult {
+    static private class ProfileSAMLResult {
         String profileName;
-        AssumeRoleWithSAMLResult assumeRoleWithSAMLResult;
+        AssumeRoleWithSamlResponse assumeRoleWithSAMLResult;
 
-        ProfileSAMLResult(AssumeRoleWithSAMLResult pAssumeRoleWithSAMLResult, String pProfileName) {
+        ProfileSAMLResult(AssumeRoleWithSamlResponse pAssumeRoleWithSAMLResult, String pProfileName) {
             assumeRoleWithSAMLResult = pAssumeRoleWithSAMLResult;
             profileName = pProfileName;
         }

src/main/java/com/okta/tools/OktaAwsCliEnvironment.java

@@ -15,6 +15,8 @@
  */
 package com.okta.tools;
 
+import software.amazon.awssdk.regions.Region;
+
 public class OktaAwsCliEnvironment {
     public final boolean browserAuth;
     public final String oktaOrg;
@@ -28,7 +30,7 @@ public class OktaAwsCliEnvironment {
     public String awsRoleToAssume;
 
     public int stsDuration;
-    public final String awsRegion;
+    public final Region awsRegion;
     public final String oktaMfaChoice;
     public boolean oktaEnvMode;
 
@@ -42,7 +44,7 @@ public OktaAwsCliEnvironment()
     public OktaAwsCliEnvironment(boolean browserAuth, String oktaOrg,
                                  String oktaUsername, InterruptibleSupplier<String> oktaPassword, String oktaCookiesPath,
                                  String oktaProfile, String oktaAwsAppUrl, String awsRoleToAssume,
-                                 int stsDuration, String awsRegion,
+                                 int stsDuration, Region awsRegion,
                                  String oktaMfaChoice, boolean oktaEnvMode, String oktaIgnoreSaml) {
         this.browserAuth = browserAuth;
         this.oktaOrg = oktaOrg;