v1.1.6 Latest Latest

This package is not in the latest version of its module.

Published: Jul 13, 2022 License: MIT Imports: 36 Imported by: 0




// Okta server constants and the shared Timeout value. Judging by the names
// and by GetOktaDomain(region), the server constants are presumably the
// per-region Okta domains; confirm against the callers.
// NOTE(review): the three server constants render as empty strings on this
// page; check the module source for the real values before relying on them.
const (
	OktaServerUs      = ""
	OktaServerEmea    = ""
	OktaServerPreview = ""
	OktaServerDefault = OktaServerUs

	// Deprecated: use OktaServerUs.
	OktaServer = OktaServerUs

	// Timeout is 60 seconds. Presumably the HTTP timeout for Okta and Duo
	// requests; confirm against the callers. The time.Duration conversion is
	// redundant because 60 * time.Second is already a time.Duration.
	Timeout = time.Duration(60 * time.Second)
// Bounds and defaults for the two lifetimes named here: the session duration
// (15 minutes to 90 days, default 4 hours) and the assume-role duration
// (15 minutes to 12 hours, default 15 minutes).
//
// These values cap how long a cached session or an issued credential stays
// usable, so a shorter value narrows the window in which a leaked one can be
// replayed. Presumably ProviderOptions.Validate and ApplyDefaults enforce
// them; confirm against those methods.
const (
	MaxSessionDuration    = time.Hour * 24 * 90
	MinSessionDuration    = time.Minute * 15
	MinAssumeRoleDuration = time.Minute * 15
	MaxAssumeRoleDuration = time.Hour * 12

	DefaultSessionDuration    = time.Hour * 4
	DefaultAssumeRoleDuration = time.Minute * 15




func GetAssumableRolesFromSAML added in v1.0.0

func GetAssumableRolesFromSAML(resp *saml.Response) (saml.AssumableRoles, error)

func GetFactorId

func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)

func GetNode

func GetNode(n *html.Node, name string) (val string, node *html.Node)

func GetOktaDomain added in v1.0.0

func GetOktaDomain(region string) (string, error)

func GetRole added in v1.0.0

func GetRole(roleList saml.AssumableRoles, profileARN string) (saml.AssumableRole, error)

func GetRoleFromSAML

func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)

func NewConfigFromEnv

func NewConfigFromEnv() (config, error)

func OpenKeyring

func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)

func ParseSAML

func ParseSAML(body []byte, resp *SAMLAssertion) (err error)

func Prompt

func Prompt(prompt string, sensitive bool) (string, error)

func PromptWithOutput added in v1.0.0

func PromptWithOutput(prompt string, sensitive bool, output *os.File) (string, error)

func SourceProfile added in v1.0.0

func SourceProfile(p string, from Profiles) string


type DuoClient

// DuoClient carries the state for one Duo verification driven from the CLI.
//
// Host, Signature and Callback have the same names as the parameters of
// NewDuoClient. Callback is the Okta callback URL that DoCallback posts to,
// and StateToken is the Okta state token that the callback request requires.
// Device presumably selects the Duo device (compare MFAConfig.DuoDevice);
// confirm against the callers.
//
// NOTE(review): Host and Callback decide where authentication material is
// sent. They appear to be taken from the Okta authentication response
// (OktaUserAuthnFactorEmbeddedVerification has matching Host, Signature and
// completion-link fields); confirm they are only ever set from a response
// received over a verified TLS connection to the expected Okta domain.
type DuoClient struct {
	Host       string
	Signature  string
	Callback   string
	Device     string
	StateToken string

func NewDuoClient

func NewDuoClient(host, signature, callback string) *DuoClient

func (*DuoClient) ChallengeU2f

func (d *DuoClient) ChallengeU2f(verificationHost string) (err error)

ChallengeU2f performs multiple calls against an obscure Duo API.

Normally you use an iframe to perform those calls, but here the main idea is to stand in for the Duo iframe in order to use the CLI without any browser.

The function performs three successive calls to retrieve the challenge data, waits for the user to perform the verification (Duo Push or YubiKey), and then calls the callback URL.

TODO: Use a Context to gracefully shutdown the thing and have a nice timeout

func (*DuoClient) DoAuth

func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)

DoAuth sends a POST request to the Duo /frame/web/v1/auth endpoint. The request does not follow the redirect; instead, the redirect target is read from the Location HTTP header. From the Location we get the Duo Session ID (sid) required for the rest of the communication. In some integrations of Duo, an empty POST to the Duo /frame/web/v1/auth endpoint will return StatusOK with a form of hidden inputs. In that case, we redo the POST with data from the hidden inputs, which triggers the usual redirect/location flow and allows for a successful authentication.

The function will return the sid

func (*DuoClient) DoCallback

func (d *DuoClient) DoCallback(auth string) (err error)

DoCallback sends a POST request to the Okta callback URL defined in the DuoClient.

The callback request requires the stateToken from Okta and a sig_response built from the preceding requests.

func (*DuoClient) DoPrompt

func (d *DuoClient) DoPrompt(sid string) (txid string, err error)

DoPrompt sends a POST request to the Duo /frame/prompt endpoint.

The function returns the Duo transaction ID, which is different from the Okta transaction ID.

func (*DuoClient) DoRedirect

func (d *DuoClient) DoRedirect(url string, sid string) (string, error)

func (*DuoClient) DoStatus

func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp, err error)

DoStatus sends a POST request against the Duo /frame/status endpoint

The function returns the auth string required for the Okta Callback if the request succeeded.

func (*DuoClient) DoU2FPromptFinish added in v1.0.0

func (d *DuoClient) DoU2FPromptFinish(sid string, sessionID string, resp *u2fhost.AuthenticateResponse) (txid string, err error)

DoU2FPromptFinish sends a POST request to the Duo /frame/prompt endpoint.

The function returns the Duo transaction ID, which is different from the Okta transaction ID.

type FacetResponse added in v1.0.0

// FacetResponse mirrors a JSON document with a "trustedFacets" array, where
// each entry holds a list of "ids" and a "version" object with "major" and
// "minor" numbers.
// NOTE(review): the name and shape match a U2F trusted-facet list; which
// endpoint returns it is not visible here — confirm against the caller.
type FacetResponse struct {
	TrustedFacets []struct {
		Ids     []string `json:"ids"`
		Version struct {
			Major int `json:"major"`
			Minor int `json:"minor"`
		} `json:"version"`
	} `json:"trustedFacets"`

type MFAConfig added in v1.0.0

// MFAConfig selects how an MFA challenge is answered: the provider, the
// factor type within that provider, and the Duo device when Duo is used.
// All three are plain strings; which values are accepted is not visible here.
type MFAConfig struct {
	Provider   string // Which MFA provider to use when presented with an MFA challenge
	FactorType string // Which of the factor types of the MFA provider to use
	DuoDevice  string // Which DUO device to use for DUO MFA

type OktaClient

// OktaClient holds the state of one Okta login: the user's identity fields,
// the in-progress authentication response (UserAuth), an optional Duo client,
// the cookie jar and base URL used for requests, and, going by their names,
// the AWS credential values obtained at the end (AccessKeyId,
// SecretAccessKey, SessionToken, Expiration).
//
// Password, SecretAccessKey and SessionToken are exported plain strings, and
// CookieJar may hold a live session cookie. Formatting an OktaClient with %v
// or %+v prints those field values, so keep values of this type out of logs,
// error messages and crash reports.
type OktaClient struct {
	// Organization will be deprecated in the future
	Organization    string
	Username        string
	Password        string
	UserAuth        *OktaUserAuthn
	DuoClient       *DuoClient
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
	OktaAwsSAMLUrl  string
	CookieJar       http.CookieJar
	BaseURL         *url.URL
	Domain          string
	MFAConfig       MFAConfig

func NewOktaClient

func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string, mfaConfig MFAConfig) (*OktaClient, error)

func (*OktaClient) AuthenticateProfile

func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)

func (*OktaClient) AuthenticateProfileWithRegion added in v1.0.0

func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error)

func (*OktaClient) AuthenticateUser

func (o *OktaClient) AuthenticateUser() error

func (*OktaClient) Get

func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error)

type OktaCreds

// OktaCreds is the credential set passed to NewOktaClient and checked by
// Validate.
//
// Password is an exported plain string: formatting an OktaCreds with %v or
// %+v, or encoding it with encoding/json, writes the password out. Keep
// values of this type out of logs and error messages.
type OktaCreds struct {
	// Organization will be deprecated in the future
	Organization string
	Username     string
	Password     string
	Domain       string

func (*OktaCreds) Validate

func (c *OktaCreds) Validate(mfaConfig MFAConfig) error

type OktaProvider

// OktaProvider bundles the inputs for obtaining credentials for one profile
// through Okta; its Retrieve method returns sts.Credentials.
//
// The Okta session cookie is stored in Keyring under OktaSessionCookieKey, so
// whoever can read that keyring entry can reuse the session until it expires.
// NOTE(review): OpenKeyring accepts a list of allowed backends; confirm that
// deployments restrict it to backends that protect entries at rest.
type OktaProvider struct {
	Keyring         keyring.Keyring
	ProfileARN      string
	SessionDuration time.Duration
	OktaAwsSAMLUrl  string
	// OktaSessionCookieKey represents the name of the session cookie
	// to be stored in the keyring.
	OktaSessionCookieKey string
	OktaAccountName      string
	MFAConfig            MFAConfig
	AwsRegion            string

func (*OktaProvider) GetSAMLLoginURL added in v1.0.0

func (p *OktaProvider) GetSAMLLoginURL() (*url.URL, error)

func (*OktaProvider) Retrieve

func (p *OktaProvider) Retrieve() (sts.Credentials, string, error)

type OktaStateToken

// OktaStateToken encodes to a JSON object with the keys "stateToken" and
// "passCode".
// NOTE(review): PassCode presumably carries the user's one-time MFA code and
// StateToken identifies the pending login; treat the encoded payload as
// sensitive and keep it out of debug logs — confirm against the caller.
type OktaStateToken struct {
	StateToken string `json:"stateToken"`
	PassCode   string `json:"passCode"`

type OktaUser

// OktaUser encodes to a JSON object with the keys "username" and "password".
// encoding/json writes Password in clear text under "password", so the
// encoded payload must never be logged or included in error messages.
type OktaUser struct {
	Username string `json:"username"`
	Password string `json:"password"`

type OktaUserAuthn

// OktaUserAuthn mirrors a JSON authentication response with the keys
// "stateToken", "sessionToken", "expiresAt", "status", "_embedded" and
// "factorResult". ExpiresAt is kept as the raw string rather than parsed
// into a time.Time.
// NOTE(review): StateToken and SessionToken look like bearer values for the
// login in progress; avoid printing this struct with %v or %+v — confirm how
// callers log it.
type OktaUserAuthn struct {
	StateToken   string                `json:"stateToken"`
	SessionToken string                `json:"sessionToken"`
	ExpiresAt    string                `json:"expiresAt"`
	Status       string                `json:"status"`
	Embedded     OktaUserAuthnEmbedded `json:"_embedded"`
	FactorResult string                `json:"factorResult"`

type OktaUserAuthnEmbedded

// OktaUserAuthnEmbedded mirrors the "_embedded" object of OktaUserAuthn: a
// "factors" array and a single "factor" object, both of OktaUserAuthnFactor.
type OktaUserAuthnEmbedded struct {
	Factors []OktaUserAuthnFactor `json:"factors"`
	Factor  OktaUserAuthnFactor   `json:"factor"`

type OktaUserAuthnFactor

// OktaUserAuthnFactor mirrors one MFA factor entry with the JSON keys "id",
// "factorType", "provider", "_embedded" and "profile". GetFactorId takes a
// pointer to this type.
type OktaUserAuthnFactor struct {
	Id         string                      `json:"id"`
	FactorType string                      `json:"factorType"`
	Provider   string                      `json:"provider"`
	Embedded   OktaUserAuthnFactorEmbedded `json:"_embedded"`
	Profile    OktaUserAuthnFactorProfile  `json:"profile"`

type OktaUserAuthnFactorEmbedded

// OktaUserAuthnFactorEmbedded mirrors the "_embedded" object of a factor,
// holding a "verification" object and a "challenge" object.
type OktaUserAuthnFactorEmbedded struct {
	Verification OktaUserAuthnFactorEmbeddedVerification `json:"verification"`
	Challenge    OktaUserAuthnFactorEmbeddedChallenge    `json:"challenge"`

type OktaUserAuthnFactorEmbeddedChallenge added in v1.0.0

// OktaUserAuthnFactorEmbeddedChallenge mirrors the "challenge" object with
// the JSON keys "nonce", "timeoutSeconds" and "challenge".
//
// The Go field name TimeoutSeconnds is misspelled, but it is exported and so
// part of the package API; the JSON tag "timeoutSeconds" is spelled correctly,
// so decoding is unaffected.
type OktaUserAuthnFactorEmbeddedChallenge struct {
	Nonce           string `json:"nonce"`
	TimeoutSeconnds int    `json:"timeoutSeconds"`
	Challenge       string `json:"challenge"`

type OktaUserAuthnFactorEmbeddedVerification

// OktaUserAuthnFactorEmbeddedVerification mirrors the "verification" object
// with the JSON keys "host", "signature", "factorResult" and "_links".
// NOTE(review): Host, Signature and the completion link have the same roles
// as the host, signature and callback parameters of NewDuoClient, so these
// server-supplied values presumably decide which hosts the client talks to
// next; confirm they are validated before use.
type OktaUserAuthnFactorEmbeddedVerification struct {
	Host         string                                       `json:"host"`
	Signature    string                                       `json:"signature"`
	FactorResult string                                       `json:"factorResult"`
	Links        OktaUserAuthnFactorEmbeddedVerificationLinks `json:"_links"`
// OktaUserAuthnFactorEmbeddedVerificationLinks mirrors the "_links" object of
// a verification; only its "complete" entry is decoded.
type OktaUserAuthnFactorEmbeddedVerificationLinks struct {
	Complete OktaUserAuthnFactorEmbeddedVerificationLinksComplete `json:"complete"`

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete

// OktaUserAuthnFactorEmbeddedVerificationLinksComplete mirrors the "complete"
// link object; Href is decoded from its "href" key as a plain string and is
// not parsed or validated by this type.
type OktaUserAuthnFactorEmbeddedVerificationLinksComplete struct {
	Href string `json:"href"`

type OktaUserAuthnFactorProfile added in v1.0.0

// OktaUserAuthnFactorProfile mirrors the "profile" object of a factor with
// the JSON keys "credentialId", "appId" and "version".
type OktaUserAuthnFactorProfile struct {
	CredentialId string `json:"credentialId"`
	AppId        string `json:"appId"`
	Version      string `json:"version"`

type Profiles added in v1.0.0

// Profiles is a two-level string map. Judging by GetValue(profile,
// config_key), the outer key is presumably a profile name and the inner map
// holds that profile's configuration keys and values.
type Profiles map[string]map[string]string

func (Profiles) GetValue added in v1.0.0

func (p Profiles) GetValue(profile string, config_key string) (string, string, error)

type PromptResp

// PromptResp mirrors a JSON reply with a "response" object containing "txid"
// and a top-level "stat" string.
// NOTE(review): presumably the reply to DoPrompt, whose result is the Duo
// transaction ID — confirm against the caller.
type PromptResp struct {
	Response struct {
		Txid string `json:"txid"`
	} `json:"response"`
	Stat string `json:"stat"`

type Provider

type Provider struct {
	// contains filtered or unexported fields

func NewProvider

func NewProvider(k keyring.Keyring, profile string, opts ProviderOptions) (*Provider, error)

func (*Provider) GetExpiration added in v1.0.0

func (p *Provider) GetExpiration() time.Time

func (*Provider) GetRoleARN added in v1.0.0

func (p *Provider) GetRoleARN() (string, error)

GetRoleARN uses p to establish temporary credentials, then calls lib.GetRoleARN with them to get the role's ARN. It is unused internally and is kept for backwards compatibility.

func (*Provider) GetRoleARNWithRegion added in v1.0.0

func (p *Provider) GetRoleARNWithRegion(creds credentials.Value) (string, error)

GetRoleARNWithRegion uses temporary credentials to call AWS's get-caller-identity and returns the assumed role's ARN.

func (*Provider) GetSAMLLoginURL added in v1.0.0

func (p *Provider) GetSAMLLoginURL() (*url.URL, error)

func (*Provider) Retrieve

func (p *Provider) Retrieve() (credentials.Value, error)

type ProviderOptions

// ProviderOptions configures NewProvider. ApplyDefaults and Validate operate
// on a copy (value receivers), so ApplyDefaults returns the adjusted options
// instead of modifying the receiver.
//
// SessionDuration and AssumeRoleDuration set how long the resulting session
// and credentials are requested for; presumably Validate checks them against
// the package's Min/Max duration constants — confirm against that method.
// ExpiryWindow is a time.Duration whose use is not visible here.
type ProviderOptions struct {
	SessionDuration    time.Duration
	AssumeRoleDuration time.Duration
	ExpiryWindow       time.Duration
	Profiles           Profiles
	MFAConfig          MFAConfig
	AssumeRoleArn      string
	// if true, use store_singlekritem SessionCache (new)
	// if false, use store_kritempersession SessionCache (old)
	SessionCacheSingleItem bool

func (ProviderOptions) ApplyDefaults

func (o ProviderOptions) ApplyDefaults() ProviderOptions

func (ProviderOptions) Validate

func (o ProviderOptions) Validate() error

type ResponseData added in v1.0.0

type ResponseData struct {
	ClientData    string `json:"clientData"`
	KeyHandle     string `json:"keyHandle"`
	SessionID     string `json:"sessionId"`
	SignatureData string `json:"signatureData"`

ResponseData is the same as u2fhost.AuthenticateResponse, but adds the SessionID needed for Duo/Okta.

type SAMLAssertion

// SAMLAssertion pairs a parsed SAML response (Resp) with a byte slice
// (RawData). ParseSAML takes a pointer to this type as its output parameter.
// NOTE(review): RawData presumably holds the assertion as received; an
// unexpired assertion can be exchanged for AWS credentials, so treat it as a
// secret and do not write it to logs — confirm what ParseSAML stores here.
type SAMLAssertion struct {
	Resp    *saml.Response
	RawData []byte

type SessionCacheInterface added in v1.0.0

// SessionCacheInterface is the storage contract for cached sessions: Get
// looks a session up by key and Put stores one under a key.
// NOTE(review): the package listing on this page describes sessioncache as
// caching sessions (sts.Credentials), so an implementation holds usable AWS
// credentials; confirm every implementation keeps them in protected storage.
type SessionCacheInterface interface {
	Get(sessioncache.Key) (*sessioncache.Session, error)
	Put(sessioncache.Key, *sessioncache.Session) error

type StatusResp

// StatusResp mirrors a JSON reply with a "response" object and a top-level
// "stat" string. The response object carries an optional "u2f_sign_request"
// array plus the string fields "status", "status_code", "reason", "parent",
// "cookie", "result" and "result_url". DoStatus returns a value of this type.
// NOTE(review): Cookie presumably carries the auth value that DoStatus hands
// back for the Okta callback, and ResultURL is a server-supplied location;
// confirm how callers use both before logging or following them.
type StatusResp struct {
	Response struct {
		U2FSignRequest []struct {
			Version   string `json:"version"`
			Challenge string `json:"challenge"`
			AppID     string `json:"appId"`
			KeyHandle string `json:"keyHandle"`
			SessionID string `json:"sessionId"`
		} `json:"u2f_sign_request"`
		Status     string `json:"status"`
		StatusCode string `json:"status_code"`
		Reason     string `json:"reason"`
		Parent     string `json:"parent"`
		Cookie     string `json:"cookie"`
		Result     string `json:"result"`
		ResultURL  string `json:"result_url"`
	} `json:"response"`
	Stat string `json:"stat"`


Path Synopsis
Client for making requests to Okta APIs
Client for making requests to Okta APIs
manages auth sessions for Okta applications
manages auth sessions for Okta applications
sessioncache caches sessions (sts.Credentials)
sessioncache caches sessions (sts.Credentials)
