lib

package
v0.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 30, 2018 License: MIT Imports: 30 Imported by: 0

Documentation

Index

Constants

View Source
const (
	MaxSessionDuration    = time.Hour * 36
	MinSessionDuration    = time.Minute * 15
	MinAssumeRoleDuration = time.Minute * 15
	MaxAssumeRoleDuration = time.Hour * 12

	DefaultSessionDuration    = time.Hour * 4
	DefaultAssumeRoleDuration = time.Minute * 15
)
View Source
const (
	OktaServer = "okta.com"
)

Variables

This section is empty.

Functions

func GetFactorId

func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)

func GetNode

func GetNode(n *html.Node, name string) (val string, node *html.Node)

func GetRoleFromSAML

func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)

func NewConfigFromEnv

func NewConfigFromEnv() (config, error)

func OpenKeyring

func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)

func ParseSAML

func ParseSAML(body []byte, resp *SAMLAssertion) (err error)

func Prompt

func Prompt(prompt string, sensitive bool) (string, error)

Types

type DuoClient

type DuoClient struct {
	Host       string
	Signature  string
	Callback   string
	StateToken string
}

func NewDuoClient

func NewDuoClient(host, signature, callback string) *DuoClient

func (*DuoClient) ChallengeU2f

func (d *DuoClient) ChallengeU2f() (err error)

ChallengeU2F performs multiple call against an obscure Duo API.

Normally you use an iframe to perform those calls but here the main idea is to fake Duo is order to use the CLI without any browser.

The function perform three successive calls to retry the challenge data. Wait for the user to perform the verification (Duo Push or Yubikey). And then call the callback url.

TODO: Use a Context to gracefully shutdown the thing and have a nice timeout

func (*DuoClient) DoAuth

func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)

DoAuth sends a POST request to the Duo /frame/web/v1/auth endpoint. The request will not follow the redirect and retrieve the location from the HTTP header. From the Location we get the Duo Session ID (sid) required for the rest of the communication. In some integrations of Duo, an empty POST to the Duo /frame/web/v1/auth endpoint will return StatusOK with a form of hidden inputs. In that case, we redo the POST with data from the hidden inputs, which triggers the usual redirect/location flow and allows for a successful authentication.

The function will return the sid

func (*DuoClient) DoCallback

func (d *DuoClient) DoCallback(auth string) (err error)

DoCallback send a POST request to the Okta callback url defined in the DuoClient

The callback request requires the stateToken from Okta and a sig_response built from the precedent requests.

func (*DuoClient) DoPrompt

func (d *DuoClient) DoPrompt(sid string) (txid string, err error)

DoPrompt sends a POST request to the Duo /frame/promt endpoint

The functions returns the Duo transaction ID which is different from the Okta transaction ID

func (*DuoClient) DoStatus

func (d *DuoClient) DoStatus(txid, sid string) (auth string, err error)

DoStatus sends a POST request against the Duo /frame/status endpoint

The function returns the auth string required for the Okta Callback if the request succeeded.

type KeyringSessions

type KeyringSessions struct {
	Keyring  keyring.Keyring
	Profiles profiles
}

func NewKeyringSessions

func NewKeyringSessions(k keyring.Keyring, p profiles) (*KeyringSessions, error)

func (*KeyringSessions) Delete

func (s *KeyringSessions) Delete(profile string) (n int, err error)

func (*KeyringSessions) Retrieve

func (s *KeyringSessions) Retrieve(profile string, duration time.Duration) (sts.Credentials, string, error)

func (*KeyringSessions) Store

func (s *KeyringSessions) Store(profile string, sessionName string, creds sts.Credentials, duration time.Duration) error

type OktaClient

type OktaClient struct {
	Organization    string
	Username        string
	Password        string
	UserAuth        *OktaUserAuthn
	DuoClient       *DuoClient
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
	OktaAwsSAMLUrl  string
	CookieJar       http.CookieJar
	BaseURL         *url.URL
}

func NewOktaClient

func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string) (*OktaClient, error)

func (*OktaClient) AuthenticateProfile

func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)

func (*OktaClient) Get

func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error)

type OktaCreds

type OktaCreds struct {
	Organization string
	Username     string
	Password     string
}

type OktaProvider

type OktaProvider struct {
	Keyring         keyring.Keyring
	ProfileARN      string
	SessionDuration time.Duration
	OktaAwsSAMLUrl  string
}

func (*OktaProvider) Retrieve

func (p *OktaProvider) Retrieve() (sts.Credentials, string, error)

type OktaStateToken

type OktaStateToken struct {
	StateToken string `json:"stateToken"`
	PassCode   string `json:"passCode"`
}

type OktaUser

type OktaUser struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

http://developer.okta.com/docs/api/resources/authn.html

type OktaUserAuthn

type OktaUserAuthn struct {
	StateToken   string                `json:"stateToken"`
	SessionToken string                `json:"sessionToken"`
	ExpiresAt    string                `json:"expiresAt"`
	Status       string                `json:"status"`
	Embedded     OktaUserAuthnEmbedded `json:"_embedded"`
	FactorResult string                `json:"factorResult"`
}

type OktaUserAuthnEmbedded

type OktaUserAuthnEmbedded struct {
	Factors []OktaUserAuthnFactor `json:"factors"`
	Factor  OktaUserAuthnFactor   `json:"factor"`
}

type OktaUserAuthnFactor

type OktaUserAuthnFactor struct {
	Id         string                      `json:"id"`
	FactorType string                      `json:"factorType"`
	Provider   string                      `json:"provider"`
	Embedded   OktaUserAuthnFactorEmbedded `json:"_embedded"`
}

type OktaUserAuthnFactorEmbedded

type OktaUserAuthnFactorEmbedded struct {
	Verification OktaUserAuthnFactorEmbeddedVerification `json:"verification"`
}

type OktaUserAuthnFactorEmbeddedVerification

type OktaUserAuthnFactorEmbeddedVerification struct {
	Host         string                                       `json:"host"`
	Signature    string                                       `json:"signature"`
	FactorResult string                                       `json:"factorResult"`
	Links        OktaUserAuthnFactorEmbeddedVerificationLinks `json:"_links"`
}
type OktaUserAuthnFactorEmbeddedVerificationLinks struct {
	Complete OktaUserAuthnFactorEmbeddedVerificationLinksComplete `json:"complete"`
}

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete struct {
	Href string `json:"href"`
}

type PromptResp

type PromptResp struct {
	Response struct {
		Txid string `json:"txid"`
	} `json:"response"`
	Stat string `json:"stat"`
}

type Provider

type Provider struct {
	credentials.Expiry
	ProviderOptions
	// contains filtered or unexported fields
}

func NewProvider

func NewProvider(k keyring.Keyring, profile string, opts ProviderOptions) (*Provider, error)

func (*Provider) Retrieve

func (p *Provider) Retrieve() (credentials.Value, error)

type ProviderOptions

type ProviderOptions struct {
	SessionDuration    time.Duration
	AssumeRoleDuration time.Duration
	ExpiryWindow       time.Duration
	Profiles           profiles
}

func (ProviderOptions) ApplyDefaults

func (o ProviderOptions) ApplyDefaults() ProviderOptions

func (ProviderOptions) Validate

func (o ProviderOptions) Validate() error

type SAMLAssertion

type SAMLAssertion struct {
	Resp    *saml.Response
	RawData []byte
}

type StatusResp

type StatusResp struct {
	Response struct {
		U2FSignRequest []struct {
			Version   string `json:"version"`
			Challenge string `json:"challenge"`
			AppID     string `json:"appId"`
			KeyHandle string `json:"keyHandle"`
			SessionID string `json:"sessionId"`
		} `json:"u2f_sign_request"`
		Status     string `json:"status"`
		StatusCode string `json:"status_code"`
		Reason     string `json:"reason"`
		Parent     string `json:"parent"`
		Cookie     string `json:"cookie"`
		Result     string `json:"result"`
	} `json:"response"`
	Stat string `json:"stat"`
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL