Merge pull request #457 from Nike-Inc/dev

Merge Changes from Dev into Master

gimme_aws_creds/config.py

@@ -201,6 +201,10 @@ def _handle_config(self, config, profile_config, include_inherits = True):
                 profile_config[key] = True
             elif profile_config[key] == 'False':
                 profile_config[key] = False
+
+        # Empty string in force_classic should be handled as True - this makes sure that migrating from Classic to OIE is seamless
+        if profile_config.get('force_classic') == '' or profile_config.get('force_classic') is None:
+            profile_config['force_classic'] = True
 
         if "inherits" in profile_config.keys() and include_inherits:
             self.ui.message("Using inherited config: " + profile_config["inherits"])

gimme_aws_creds/main.py

@@ -505,12 +505,6 @@ def okta_platform(self):
         if 'okta_platform' in self._cache:
             return self._cache['okta_platform']
 
-        # Treat this domain as classic, even if it's OIE
-        if self.config.force_classic == True or self.conf_dict.get('force_classic') == "True":
-            self.ui.message('Okta Classic login flow enabled')
-            self.set_okta_platform('classic')
-            return 'classic'
-
         response = requests.get(
             self.okta_org_url + '/.well-known/okta-organization',
             headers={
@@ -527,8 +521,13 @@ def okta_platform(self):
                 ret = 'classic'
             elif response_data['pipeline'] == 'idx':
                 ret = 'identity_engine'
-                if not self.conf_dict.get('client_id'):
-                    raise errors.GimmeAWSCredsError('OAuth Client ID is required for Okta Identity Engine domains.  Try running --config again.')
+                # Force_Classic is set - treat this domain as classic
+                if self.config.force_classic is True or self.conf_dict.get('force_classic') is True:
+                    self.ui.message('Okta Classic login flow enabled')
+                    ret = 'classic'
+                else:
+                    if not self.conf_dict.get('client_id'):
+                        raise errors.GimmeAWSCredsError('OAuth Client ID is required for Okta Identity Engine domains.  Try running --config again.')
             else:
                 raise RuntimeError('Unknown Okta platform type: {}'.format(response_data['pipeline']))
         else:
@@ -607,7 +606,7 @@ def get_resolver(self):
 
     @property
     def device_token(self):
-        if self.config.action_register_device is True:
+        if self.config.action_register_device is True or self.conf_dict.get('force_classic') is True:
             self.conf_dict['device_token'] = None
 
         return self.conf_dict.get('device_token')
@@ -944,7 +943,7 @@ def handle_action_store_json_creds(self, stream=None):
 
     def handle_action_register_device(self):
         # Capture the Device Token and write it to the config file
-        if self.okta_platform == "classic" and ( not self.device_token or self.config.action_register_device is True ):
+        if self.okta_platform == "classic" and (self.conf_dict.get('force_classic') is not True) and ( not self.device_token or self.config.action_register_device is True ):
             if not self.config.action_register_device:
                 self.ui.notify('\n*** No device token found in configuration file, it will be created.')
                 self.ui.notify('*** You may be prompted for MFA more than once for this run.\n')

gimme_aws_creds/okta_classic.py

@@ -261,6 +261,11 @@ def auth_oauth(self, client_id, **kwargs):
         )
         response.raise_for_status()
 
+        # If we didn't get a 302 redirect, the MFA factor didn't meet the requirement for the app
+        if 'Location' not in response.headers:
+            raise errors.GimmeAWSCredsError(
+                "LOGIN ERROR: Provided MFA factor does not meet the authentication policies for this application", 2
+            )
         url_parse_results = urlparse(response.headers['Location'])
 
         query_result = parse_qs(url_parse_results.fragment)

setup.py

@@ -4,7 +4,7 @@
     requirements = f.read().splitlines()
 
 setup(
-    name='gimme-aws-creds',
+    name='gimme_aws_creds',
     version='2.8.0',
     install_requires=requirements,
     author='Eric Pierce',

tests/test_config.py

@@ -61,7 +61,7 @@ def test_read_config(self):
         config = Config(gac_ui=test_ui, create_config=False)
         config.conf_profile = "myprofile"
         profile_config = config.get_config_dict()
-        self.assertEqual(profile_config, {"client_id": "foo"})
+        self.assertEqual(profile_config, {"client_id": "foo", 'force_classic': True})
 
     def test_read_config_inherited(self):
         """Test to make sure getting config works when inherited"""
@@ -75,6 +75,7 @@ def test_read_config_inherited(self):
                 [mybase]
                 client_id = bar
                 aws_appname = baz
+                force_classic = True
                 [myprofile]
                 inherits = mybase
                 client_id = foo
@@ -89,6 +90,7 @@ def test_read_config_inherited(self):
             "client_id": "foo",
             "aws_appname": "baz",
             "aws_rolename": "myrole",
+            'force_classic': True,
         })
 
     def test_read_nested_config_inherited(self):
@@ -104,6 +106,7 @@ def test_read_nested_config_inherited(self):
 [mybase-level2]
 inherits = mybase-level1
 aws_appname = baz
+force_classic = 
 [myprofile]
 inherits = mybase-level2
 client_id = foo
@@ -116,6 +119,7 @@ def test_read_nested_config_inherited(self):
             "client_id": "foo",
             "aws_appname": "baz",
             "aws_rolename": "myrole",
+            "force_classic": True
         })
 
     def test_fail_if_profile_not_found(self):