v1.0.3 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Sep 7, 2023 License: Apache-2.0 Imports: 29 Imported by: 0



Package client implements obtaining AWS STS Tokens by authenticating to ADFS (e.g. Azure AD) and passing the received SAML Claims to AWS.



View Source
const (
	AwsRoleSessionNameAttribute = ""
	AwsRoleAttribute            = ""
	AwsSessionDurationAttribute = ""


This section is empty.


func ExpandFilePath

func ExpandFilePath(s string) string


type AdfsAuthForm

type AdfsAuthForm struct {
	URL    string
	Host   string
	Port   string
	Fields map[string]string

AdfsAuthForm contains successful AWS STS service response.

func NewAdfsAuthFormFromBytes

func NewAdfsAuthFormFromBytes(s []byte) (*AdfsAuthForm, error)

NewAdfsAuthFormFromBytes returns AdfsAuthForm instance from an input byte array.

func NewAdfsAuthFormFromString

func NewAdfsAuthFormFromString(s string) (*AdfsAuthForm, error)

NewAdfsAuthFormFromString returns AdfsAuthForm instance from an input string.

type AdfsAuthResponseForm

type AdfsAuthResponseForm struct {
	URL    string
	Host   string
	Port   string
	Fields map[string]string

AdfsAuthResponseForm contains successful AWS STS service response.

func NewAdfsAuthResponseFormFromBytes

func NewAdfsAuthResponseFormFromBytes(s []byte) (*AdfsAuthResponseForm, error)

NewAdfsAuthResponseFormFromBytes returns AdfsAuthResponseForm instance from an input byte array.

func NewAdfsAuthResponseFormFromString

func NewAdfsAuthResponseFormFromString(s string) (*AdfsAuthResponseForm, error)

NewAdfsAuthResponseFormFromString returns AdfsAuthResponseForm instance from an input string.

type AdfsConfiguration

type AdfsConfiguration struct {
	Hostname string `xml:"hostname,attr" json:"hostname" yaml:"hostname"`

type AssumedRoleUser

type AssumedRoleUser struct {
	AssumedRoleId string
	Arn           string

AwsStsResponseAssumedRoleUser contains the AssumedRoleUser part of AwsStsResponse.

type Aws

type Aws struct {
	Credentials []*AwsCredentials

type AwsConfiguration

type AwsConfiguration struct {
	Roles             []*AwsConfigurationRole `xml:"roles,attr" json:"roles" yaml:"roles"`
	AuthenticationURL string                  `xml:"url,attr" json:"url" yaml:"url"`

type AwsConfigurationRole

type AwsConfigurationRole struct {
	AccountID     string `xml:"account_id,attr" json:"account_id" yaml:"account_id"`
	Name          string `xml:"role,attr" json:"role" yaml:"role"`
	ProfileName   string `xml:"profile_name,attr" json:"profile_name" yaml:"profile_name"`
	DefaultRegion string `xml:"region,attr" json:"region" yaml:"region"`

type AwsCredentials

type AwsCredentials struct {
	Raw             *AwsStsResponse
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	ProfileName     string
	DefaultRegion   string

AwsCredentials holds raw AWS STS response.

func NewAwsCredentialsFromStsResponse

func NewAwsCredentialsFromStsResponse(resp *AwsStsResponse) (*AwsCredentials, error)

NewAwsCredentialsFromStsResponse return AwsCredentials from AwsStsResponse.

func (*AwsCredentials) IsValid

func (c *AwsCredentials) IsValid() error

IsValid check whether the credentials contain mandatory keys.

func (*AwsCredentials) WriteCredentialsFile

func (c *AwsCredentials) WriteCredentialsFile(fp string) error

WriteCredentialsFile writes the credentials to a file i.e. `.aws/credentials`. The function takes in a file path and a profile name. It creates a profile definition with the supplied namd and adds `aws_access_key_id`, `aws_secret_access_key`, and `aws_session_token` to the profile. If the profile exists, it overwrites.

func (*AwsCredentials) WriteEnvVarsFile

func (c *AwsCredentials) WriteEnvVarsFile(fp string) error

WriteEnvVarsFile writes an environment variables file which exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables.

type AwsRole

type AwsRole struct {
	Raw                 string
	AccountID           string
	Name                string
	RoleARN             string
	IdentityProviderARN string
	ProfileName         string
	DefaultRegion       string

AwsRole is TBD.

func ParseAwsRole

func ParseAwsRole(s string) (*AwsRole, error)

type AwsStsAssumeRoleWithSAMLResponse

type AwsStsAssumeRoleWithSAMLResponse struct {
	AssumeRoleWithSAMLResult *AwsStsResponse
	ResponseMetadata         AwsStsResponseMetadata

AwsStsAssumeRoleWithSAMLResponse is the response to HTTP POST to AWS STS APIendpoint.

type AwsStsAssumeRoleWithSAMLResult

type AwsStsAssumeRoleWithSAMLResult struct {
	AssumeRoleWithSAMLResult *AwsStsResponse

AwsStsAssumeRoleWithSAMLResult is the result of the HTTP POST to AWS STS API endpoint.

type AwsStsErrorResponseBody

type AwsStsErrorResponseBody struct {
	Error AwsStsResponseError

type AwsStsResponse

type AwsStsResponse struct {
	SubjectType     string
	AssumedRoleUser *AssumedRoleUser
	Audience        string
	NameQualifier   string
	Credentials     *AwsStsResponseCredentials
	Subject         string
	Issuer          string

AwsStsResponse contains successful AWS STS service response.

func NewAwsStsResponseFromBytes

func NewAwsStsResponseFromBytes(s []byte) (*AwsStsResponse, error)

NewAwsStsResponseFromBytes returns AwsStsResponse instance from an input byte array.

func NewAwsStsResponseFromString

func NewAwsStsResponseFromString(s string) (*AwsStsResponse, error)

NewAwsStsResponseFromString returns AwsStsResponse instance from an input string.

type AwsStsResponseBody

type AwsStsResponseBody struct {
	AssumeRoleWithSAMLResponse AwsStsAssumeRoleWithSAMLResponse

type AwsStsResponseCredentials

type AwsStsResponseCredentials struct {
	SecretAccessKey string
	SessionToken    string
	//Expiration      string
	//Expiration  time.Time
	AccessKeyId string

AwsStsResponseCredentials contains the Credentials part of AwsStsResponse.

type AwsStsResponseError

type AwsStsResponseError struct {
	Code    string
	Message string
	Type    string

type AwsStsResponseMetadata

type AwsStsResponseMetadata struct {
	RequestId string

AwsStsResponseMetadata is the metadata associated with HTTP POST to AWS STS API endpoint.

type AzureAuthResponseForm

type AzureAuthResponseForm struct {
	URL    string
	Host   string
	Port   string
	Fields map[string]string

AzureAuthResponseForm contains successful AWS STS service response.

func NewAzureAuthResponseFormFromBytes

func NewAzureAuthResponseFormFromBytes(s []byte) (*AzureAuthResponseForm, error)

NewAzureAuthResponseFormFromBytes returns AzureAuthResponseForm instance from an input byte array.

func NewAzureAuthResponseFormFromString

func NewAzureAuthResponseFormFromString(s string) (*AzureAuthResponseForm, error)

NewAzureAuthResponseFormFromString returns AzureAuthResponseForm instance from an input string.

type AzureAuthnRequest

type AzureAuthnRequest struct {
	URL           string
	ID            string
	TenantID      string
	ApplicationID string
	ConsumerURL   string

AzureAuthnRequest is SAML AuthnRequest components.

type AzureConfiguration

type AzureConfiguration struct {
	TenantID      string `xml:"tenant_id,attr" json:"tenant_id" yaml:"tenant_id"`
	ApplicationID string `xml:"application_id,attr" json:"application_id" yaml:"application_id"`

type BuildInfo

type BuildInfo struct {
	OperatingSystem string
	Architecture    string
	User            string
	Date            string

BuildInfo holds information build-related information.

type Client

type Client struct {

	Name    string
	Config  Configuration
	Runtime StateMachine
	Info    Info
	Aws     Aws
	// contains filtered or unexported fields

Client is an instance of the compliance auditing utility for AWS.

func New

func New() *Client

New returns an instance of Client.

func (*Client) AssumeRoleWithSaml

func (c *Client) AssumeRoleWithSaml() error

AssumeRoleWithSaml makes AWS API call to STS service and asks for temporary credentials.

func (*Client) AuthenticateWithAdfs

func (c *Client) AuthenticateWithAdfs() error

AuthenticateWithAdfs authenticates to ADFS and receives SAML assertions back.

func (*Client) AuthenticateWithAzure

func (c *Client) AuthenticateWithAzure() error

AuthenticateWithAzure authenticates to Azure AD and receives SAML assertions back.

func (*Client) DoAzureAuthnRequestWithAdfs

func (c *Client) DoAzureAuthnRequestWithAdfs(r *AzureAuthnRequest) error

DoAzureAuthnRequestWithAdfs uses auto-accelleration feature to authenticate to IDP.

func (*Client) GetAdfsAuthenticationRequestBody

func (c *Client) GetAdfsAuthenticationRequestBody() (url.Values, error)

GetAdfsAuthenticationRequestBody build ADFS authentication request body.

func (*Client) GetAdfsMetadata

func (c *Client) GetAdfsMetadata() error

GetAdfsMetadata fetches the matadata about an inssuer.

func (*Client) GetAuthenticationURL

func (c *Client) GetAuthenticationURL() error

GetAuthenticationURL build ADFS Authentication URL.

func (*Client) GetAwsCredentials

func (c *Client) GetAwsCredentials() ([]*AwsCredentials, error)

GetAwsCredentials makes SAML request, authenticates to SAML IdP endpoint and receives SAML assertions back. Then, it sends the assertions to AWS STS service. The service responds with temporary credentials.

func (*Client) GetAzureAuthnRequest

func (c *Client) GetAzureAuthnRequest() (*AzureAuthnRequest, error)

GetAzureAuthnRequest returns Azure SAML Authen Request.

func (*Client) GetRequestedAwsRoles

func (c *Client) GetRequestedAwsRoles() []*AwsRole

func (*Client) GetSamlAssertions

func (c *Client) GetSamlAssertions() error

GetSamlAssertions requests SAML assertions either from ADFS instance, Azure AD, or local file.

func (*Client) GetVersionInfo

func (c *Client) GetVersionInfo() string

GetVersionInfo returns version information

func (*Client) InteractiveConfig

func (c *Client) InteractiveConfig(s string) error

InteractiveConfig propmts users for configuration data interactively.

func (*Client) IsAwsRoleAvailable

func (c *Client) IsAwsRoleAvailable() error

func (*Client) IsMetadataExists

func (c *Client) IsMetadataExists() bool

IsMetadataExists checks whether metadata file exists

func (*Client) IsMetadataNeeded

func (c *Client) IsMetadataNeeded() bool

IsMetadataNeeded returns true when metadata is not necessary, e.g. when SAML Response is available.

func (*Client) IsSamlAssertionValid

func (c *Client) IsSamlAssertionValid() error

func (*Client) OutputCurrentState

func (c *Client) OutputCurrentState() error

func (*Client) ReadMetadataFromFile

func (c *Client) ReadMetadataFromFile() error

ReadMetadataFromFile reads ADFS metadata from a file.

func (*Client) ReadStaticSamlResponseFile

func (c *Client) ReadStaticSamlResponseFile() error

ReadStaticSamlResponseFile reads SAML Response from a file.

func (*Client) RequestAwsRole

func (c *Client) RequestAwsRole(reqRole map[string]string) error

RequestAwsRole sets the desired IAM role name on AWS account to assume, together with a default region and profile name in AWS credentials file.

func (*Client) SetAdfsHostname

func (c *Client) SetAdfsHostname(s string) error

SetAdfsHostname sets the hostname for enterprise ADFS instance.

func (*Client) SetAzureApplicationID

func (c *Client) SetAzureApplicationID(s string) error

SetAzureApplicationID sets the AWS Application ID for Azure ADFS integration.

func (*Client) SetAzureTenantID

func (c *Client) SetAzureTenantID(s string) error

SetAzureTenantID sets the tenant ID for Azure ADFS integration.

func (*Client) SetConfigFile

func (c *Client) SetConfigFile(s string) error

SetConfigFile sets the name and directory of the configuration file.

func (*Client) SetLogLevel

func (c *Client) SetLogLevel(level log.Level)

func (*Client) SetPassword

func (c *Client) SetPassword(s string) error

SetPassword sets password for ADFS requests.

func (*Client) SetStaticSamlResponseFile

func (c *Client) SetStaticSamlResponseFile(s string) error

SetStaticSamlResponseFile sets the path to the file with ADFS SAML Response.

func (*Client) SetUsername

func (c *Client) SetUsername(s string) error

SetUsername sets username for ADFS requests.

func (*Client) UpdateAwsRoles

func (c *Client) UpdateAwsRoles() error

UpdateAwsRoles iterates over the existing roles and throws an error when the role map is non-compliant.

func (*Client) WriteMetadataToFile

func (c *Client) WriteMetadataToFile() error

WriteMetadataFile writes a metadata file to the directory of the configuration file

type Configuration

type Configuration struct {
	Static   StaticConfiguration `xml:"static,attr" json:"static" yaml:"static"`
	Adfs     AdfsConfiguration   `xml:"adfs,attr" json:"adfs" yaml:"adfs"`
	Azure    AzureConfiguration  `xml:"azure,attr" json:"azure" yaml:"azure"`
	Aws      AwsConfiguration    `xml:"aws,attr" json:"aws" yaml:"aws"`
	Username string              `xml:"email,attr" json:"email" yaml:"email"`
	Password string              `xml:"password,attr" json:"password" yaml:"password"`
	Domain   string              `xml:"domain,attr" json:"domain" yaml:"domain"`
	File     File

type File

type File struct {
	Dir  string
	Name string
	Path string

type GitInfo

type GitInfo struct {
	Branch string
	Commit string

GitInfo holds information Git-related information.

type Info

type Info struct {
	Name          string
	Version       string
	Description   string
	Documentation string
	Git           GitInfo
	Build         BuildInfo

Info holds information about the package

type SamlAssertion

type SamlAssertion struct {
	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string    `xml:"ID,attr"`
	Version      string    `xml:"Version,attr"`
	IssueInstant time.Time `xml:"IssueInstant,attr"`

	Issuer             string                           `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Subject            SamlAssertionSubject             `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	Conditions         SamlAssertionConditions          `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	AuthnStatement     SamlAssertionAuthnStatement      `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnStatement"`
	AttributeStatement *SamlAssertionAttributeStatement `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeStatement,omitempty"`

SamlAssertion is a structure holding SAMLv2 response assertion.

type SamlAssertionAttribute

type SamlAssertionAttribute struct {
	XMLName    xml.Name                      `xml:"urn:oasis:names:tc:SAML:2.0:assertion Attribute"`
	Name       string                        `xml:"Name,attr"`
	NameFormat string                        `xml:"NameFormat,attr"`
	Values     []SamlAssertionAttributeValue `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeValue"`

SamlAssertionAttribute is TBD.

type SamlAssertionAttributeStatement

type SamlAssertionAttributeStatement struct {
	XMLName    xml.Name                 `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeStatement"`
	Attributes []SamlAssertionAttribute `xml:"urn:oasis:names:tc:SAML:2.0:assertion Attribute"`

SamlAssertionAttributeStatement is TBD.

type SamlAssertionAttributeValue

type SamlAssertionAttributeValue struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AttributeValue"`
	XMLNS   string   `xml:"xmlns:xs,attr"`
	Type    string   `xml:" type,attr"`
	Value   string   `xml:",chardata"`

SamlAssertionAttributeValue is TBD.

type SamlAssertionAudienceRestriction

type SamlAssertionAudienceRestriction struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`
	Audience string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`

SamlAssertionAudienceRestriction is TBD.

type SamlAssertionAuthnContext

type SamlAssertionAuthnContext struct {
	XMLName              xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContext"`
	AuthnContextClassRef string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`

SamlAssertionAuthnContext is TBD.

type SamlAssertionAuthnStatement

type SamlAssertionAuthnStatement struct {
	XMLName             xml.Name                  `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnStatement"`
	AuthnInstant        time.Time                 `xml:"AuthnInstant,attr"`
	SessionNotOnOrAfter time.Time                 `xml:"SessionNotOnOrAfter,attr"`
	SessionIndex        string                    `xml:"SessionIndex,attr"`
	AuthnContext        SamlAssertionAuthnContext `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContext"`

SamlAssertionAuthnStatement is TBD.

type SamlAssertionConditions

type SamlAssertionConditions struct {
	XMLName             xml.Name                         `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	NotBefore           time.Time                        `xml:"NotBefore,attr"`
	NotOnOrAfter        time.Time                        `xml:"NotOnOrAfter,attr"`
	AudienceRestriction SamlAssertionAudienceRestriction `xml:"urn:oasis:names:tc:SAML:2.0:assertion AudienceRestriction"`

SamlAssertionConditions is TBD.

type SamlAssertionNameID

type SamlAssertionNameID struct {
	XMLName         xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	SPNameQualifier string   `xml:"SPNameQualifier,attr,omitempty"`
	Format          string   `xml:"Format,attr"`
	ID              string   `xml:",chardata"`

SamlAssertionNameID is TBD.

type SamlAssertionSubject

type SamlAssertionSubject struct {
	XMLName      xml.Name                         `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	NameID       SamlAssertionNameID              `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	Confirmation SamlAssertionSubjectConfirmation `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmation"`

SamlAssertionSubject is TBD.

type SamlAssertionSubjectConfirmation

type SamlAssertionSubjectConfirmation struct {
	XMLName xml.Name                             `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmation"`
	Method  string                               `xml:"Method,attr"`
	Data    SamlAssertionSubjectConfirmationData `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmationData"`

SamlAssertionSubjectConfirmation is TBD.

type SamlAssertionSubjectConfirmationData

type SamlAssertionSubjectConfirmationData struct {
	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmationData"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Recipient    string    `xml:"Recipient,attr"`
	InResponseTo string    `xml:"InResponseTo,attr,omitempty"`

SamlAssertionSubjectConfirmationData is TBD.

type SamlAuthRequestParams

type SamlAuthRequestParams struct {
	ID        string
	Issuer    string
	Timestamp string

type SamlClaim

type SamlClaim struct {
	Type  string
	Value string

SamlClaim is TBD.

func ParseSamlResponseClaim

func ParseSamlResponseClaim(t, s string) *SamlClaim

type SamlProtocolIssuer

type SamlProtocolIssuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Format  string   `xml:"Format,attr"`
	Issuer  string   `xml:",chardata"`

SamlProtocolIssuer is a structure holding the Issuer of SAMLv2 response.

type SamlProtocolStatus

type SamlProtocolStatus struct {
	XMLName    xml.Name               `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	StatusCode SamlProtocolStatusCode `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`

SamlProtocolStatus is a structure holding the Status SAMLv2 response.

type SamlProtocolStatusCode

type SamlProtocolStatusCode struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
	Value   string   `xml:"Value,attr"`

SamlProtocolStatusCode is a structure holding the StatusCode of SAMLv2 response.

type SamlResponse

type SamlResponse struct {
	XMLName      xml.Name           `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID           string             `xml:"ID,attr"`
	Version      string             `xml:"Version,attr"`
	IssueInstant time.Time          `xml:"IssueInstant,attr"`
	Destination  string             `xml:"Destination,attr,omitempty"`
	Issuer       SamlProtocolIssuer `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status       SamlProtocolStatus `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	Assertion    SamlAssertion      `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`

SamlResponse is the structure holding SAMLv2 response.

func (*SamlResponse) GetAttributes

func (r *SamlResponse) GetAttributes() (*SamlResponseData, error)

type SamlResponseAssertions

type SamlResponseAssertions struct {
	Raw   []byte
	Plain string
	File  File

func (*SamlResponseAssertions) GetEncoded

func (a *SamlResponseAssertions) GetEncoded() string

func (*SamlResponseAssertions) GetPath

func (a *SamlResponseAssertions) GetPath() string

type SamlResponseData

type SamlResponseData struct {
	Aws struct {
		Roles                   []*AwsRole
		SessionName             string
		SessionDuration         int
		SessionEndTimestamp     time.Time
		SessionStartTimestamp   time.Time
		AuthenticateByTimestamp time.Time
	Issuer  string
	Success bool
	Claims  []*SamlClaim

SamlResponseData is TBD

type SamlServiceMetadata

type SamlServiceMetadata struct {
	Raw   []byte
	Plain string
	File  File
	URL   string

type SamlStateMachine

type SamlStateMachine struct {
	Response   SamlResponse
	Attributes *SamlResponseData
	Assertions *SamlResponseAssertions

type StateMachine

type StateMachine struct {
	Metadata          SamlServiceMetadata
	AuthenticationURL string `xml:"auth_url,attr" json:"auth_url" yaml:"auth_url"`
	Saml              SamlStateMachine

type StaticConfiguration

type StaticConfiguration struct {
	SamlResponseFile string `xml:"saml_response_file,attr" json:"saml_response_file" yaml:"saml_response_file"`

type WebResponse

type WebResponse struct {
	Success     bool
	Redirect    bool
	RedirectURL string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL