v0.19.4 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Sep 11, 2018 License: MIT Imports: 31 Imported by: 0




View Source
const (
	MaxSessionDuration    = time.Hour * 36
	MinSessionDuration    = time.Minute * 15
	MinAssumeRoleDuration = time.Minute * 15
	MaxAssumeRoleDuration = time.Hour * 12

	DefaultSessionDuration    = time.Hour * 4
	DefaultAssumeRoleDuration = time.Minute * 15
View Source
const (
	OktaServer = ""


This section is empty.


func GetFactorId

func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)

func GetNode

func GetNode(n *html.Node, name string) (val string, node *html.Node)

func GetRoleFromSAML

func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)

func NewConfigFromEnv

func NewConfigFromEnv() (config, error)

func OpenKeyring added in v0.15.0

func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)

func ParseSAML

func ParseSAML(body []byte, resp *SAMLAssertion) (err error)

func Prompt

func Prompt(prompt string, sensitive bool) (string, error)


type DuoClient

type DuoClient struct {
	Host       string
	Signature  string
	Callback   string
	StateToken string

func NewDuoClient

func NewDuoClient(host, signature, callback string) *DuoClient

func (*DuoClient) ChallengeU2f

func (d *DuoClient) ChallengeU2f() (err error)

ChallengeU2F performs multiple call against an obscure Duo API.

Normally you use an iframe to perform those calls but here the main idea is to fake Duo is order to use the CLI without any browser.

The function perform three successive calls to retry the challenge data. Wait for the user to perform the verification (Duo Push or Yubikey). And then call the callback url.

TODO: Use a Context to gracefully shutdown the thing and have a nice timeout

func (*DuoClient) DoAuth

func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)

DoAuth sends a POST request to the Duo /frame/web/v1/auth endpoint. The request will not follow the redirect and retrieve the location from the HTTP header. From the Location we get the Duo Session ID (sid) required for the rest of the communication. In some integrations of Duo, an empty POST to the Duo /frame/web/v1/auth endpoint will return StatusOK with a form of hidden inputs. In that case, we redo the POST with data from the hidden inputs, which triggers the usual redirect/location flow and allows for a successful authentication.

The function will return the sid

func (*DuoClient) DoCallback

func (d *DuoClient) DoCallback(auth string) (err error)

DoCallback send a POST request to the Okta callback url defined in the DuoClient

The callback request requires the stateToken from Okta and a sig_response built from the precedent requests.

func (*DuoClient) DoPrompt

func (d *DuoClient) DoPrompt(sid string) (txid string, err error)

DoPrompt sends a POST request to the Duo /frame/promt endpoint

The functions returns the Duo transaction ID which is different from the Okta transaction ID

func (*DuoClient) DoRedirect added in v0.19.1

func (d *DuoClient) DoRedirect(url string, sid string) (string, error)

func (*DuoClient) DoStatus

func (d *DuoClient) DoStatus(txid, sid string) (auth string, err error)

DoStatus sends a POST request against the Duo /frame/status endpoint

The function returns the auth string required for the Okta Callback if the request succeeded.

type KeyringSessions

type KeyringSessions struct {
	Keyring  keyring.Keyring
	Profiles profiles

func NewKeyringSessions

func NewKeyringSessions(k keyring.Keyring, p profiles) (*KeyringSessions, error)

func (*KeyringSessions) Delete

func (s *KeyringSessions) Delete(profile string) (n int, err error)

func (*KeyringSessions) Retrieve

func (s *KeyringSessions) Retrieve(profile string, duration time.Duration) (sts.Credentials, string, error)

func (*KeyringSessions) Store

func (s *KeyringSessions) Store(profile string, sessionName string, creds sts.Credentials, duration time.Duration) error

type OktaClient

type OktaClient struct {
	Organization    string
	Username        string
	Password        string
	UserAuth        *OktaUserAuthn
	DuoClient       *DuoClient
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
	OktaAwsSAMLUrl  string
	CookieJar       http.CookieJar
	BaseURL         *url.URL

func NewOktaClient

func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string) (*OktaClient, error)

func (*OktaClient) AuthenticateProfile

func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)

func (*OktaClient) AuthenticateUser added in v0.19.1

func (o *OktaClient) AuthenticateUser() error

func (*OktaClient) Get

func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error)

type OktaCreds

type OktaCreds struct {
	Organization string
	Username     string
	Password     string

func (*OktaCreds) Validate added in v0.19.1

func (c *OktaCreds) Validate() error

type OktaProvider

type OktaProvider struct {
	Keyring         keyring.Keyring
	ProfileARN      string
	SessionDuration time.Duration
	OktaAwsSAMLUrl  string

func (*OktaProvider) Retrieve

func (p *OktaProvider) Retrieve() (sts.Credentials, string, error)

type OktaStateToken

type OktaStateToken struct {
	StateToken string `json:"stateToken"`
	PassCode   string `json:"passCode"`

type OktaUser

type OktaUser struct {
	Username string `json:"username"`
	Password string `json:"password"`

type OktaUserAuthn

type OktaUserAuthn struct {
	StateToken   string                `json:"stateToken"`
	SessionToken string                `json:"sessionToken"`
	ExpiresAt    string                `json:"expiresAt"`
	Status       string                `json:"status"`
	Embedded     OktaUserAuthnEmbedded `json:"_embedded"`
	FactorResult string                `json:"factorResult"`

type OktaUserAuthnEmbedded

type OktaUserAuthnEmbedded struct {
	Factors []OktaUserAuthnFactor `json:"factors"`
	Factor  OktaUserAuthnFactor   `json:"factor"`

type OktaUserAuthnFactor

type OktaUserAuthnFactor struct {
	Id         string                      `json:"id"`
	FactorType string                      `json:"factorType"`
	Provider   string                      `json:"provider"`
	Embedded   OktaUserAuthnFactorEmbedded `json:"_embedded"`

type OktaUserAuthnFactorEmbedded

type OktaUserAuthnFactorEmbedded struct {
	Verification OktaUserAuthnFactorEmbeddedVerification `json:"verification"`

type OktaUserAuthnFactorEmbeddedVerification

type OktaUserAuthnFactorEmbeddedVerification struct {
	Host         string                                       `json:"host"`
	Signature    string                                       `json:"signature"`
	FactorResult string                                       `json:"factorResult"`
	Links        OktaUserAuthnFactorEmbeddedVerificationLinks `json:"_links"`
type OktaUserAuthnFactorEmbeddedVerificationLinks struct {
	Complete OktaUserAuthnFactorEmbeddedVerificationLinksComplete `json:"complete"`

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete struct {
	Href string `json:"href"`

type PromptResp

type PromptResp struct {
	Response struct {
		Txid string `json:"txid"`
	} `json:"response"`
	Stat string `json:"stat"`

type Provider

type Provider struct {
	// contains filtered or unexported fields

func NewProvider

func NewProvider(k keyring.Keyring, profile string, opts ProviderOptions) (*Provider, error)

func (*Provider) Retrieve

func (p *Provider) Retrieve() (credentials.Value, error)

type ProviderOptions

type ProviderOptions struct {
	SessionDuration    time.Duration
	AssumeRoleDuration time.Duration
	ExpiryWindow       time.Duration
	Profiles           profiles

func (ProviderOptions) ApplyDefaults

func (o ProviderOptions) ApplyDefaults() ProviderOptions

func (ProviderOptions) Validate

func (o ProviderOptions) Validate() error

type SAMLAssertion

type SAMLAssertion struct {
	Resp    *saml.Response
	RawData []byte

type StatusResp

type StatusResp struct {
	Response struct {
		U2FSignRequest []struct {
			Version   string `json:"version"`
			Challenge string `json:"challenge"`
			AppID     string `json:"appId"`
			KeyHandle string `json:"keyHandle"`
			SessionID string `json:"sessionId"`
		} `json:"u2f_sign_request"`
		Status     string `json:"status"`
		StatusCode string `json:"status_code"`
		Reason     string `json:"reason"`
		Parent     string `json:"parent"`
		Cookie     string `json:"cookie"`
		Result     string `json:"result"`
		ResultURL  string `json:"result_url"`
	} `json:"response"`
	Stat string `json:"stat"`


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL