diff --git a/gimme_aws_creds/config.py b/gimme_aws_creds/config.py index 01dc6ea..fe541d3 100644 --- a/gimme_aws_creds/config.py +++ b/gimme_aws_creds/config.py @@ -201,6 +201,10 @@ def _handle_config(self, config, profile_config, include_inherits = True): profile_config[key] = True elif profile_config[key] == 'False': profile_config[key] = False + + # Empty string in force_classic should be handled as True - this makes sure that migrating from Classic to OIE is seamless + if profile_config.get('force_classic') == '' or profile_config.get('force_classic') is None: + profile_config['force_classic'] = True if "inherits" in profile_config.keys() and include_inherits: self.ui.message("Using inherited config: " + profile_config["inherits"]) diff --git a/gimme_aws_creds/main.py b/gimme_aws_creds/main.py index 238d44c..44349ae 100644 --- a/gimme_aws_creds/main.py +++ b/gimme_aws_creds/main.py @@ -505,12 +505,6 @@ def okta_platform(self): if 'okta_platform' in self._cache: return self._cache['okta_platform'] - # Treat this domain as classic, even if it's OIE - if self.config.force_classic == True or self.conf_dict.get('force_classic') == "True": - self.ui.message('Okta Classic login flow enabled') - self.set_okta_platform('classic') - return 'classic' - response = requests.get( self.okta_org_url + '/.well-known/okta-organization', headers={ @@ -527,8 +521,13 @@ def okta_platform(self): ret = 'classic' elif response_data['pipeline'] == 'idx': ret = 'identity_engine' - if not self.conf_dict.get('client_id'): - raise errors.GimmeAWSCredsError('OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.') + # Force_Classic is set - treat this domain as classic + if self.config.force_classic is True or self.conf_dict.get('force_classic') is True: + self.ui.message('Okta Classic login flow enabled') + ret = 'classic' + else: + if not self.conf_dict.get('client_id'): + raise errors.GimmeAWSCredsError('OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.') else: raise RuntimeError('Unknown Okta platform type: {}'.format(response_data['pipeline'])) else: @@ -607,7 +606,7 @@ def get_resolver(self): @property def device_token(self): - if self.config.action_register_device is True: + if self.config.action_register_device is True or self.conf_dict.get('force_classic') is True: self.conf_dict['device_token'] = None return self.conf_dict.get('device_token') @@ -944,7 +943,7 @@ def handle_action_store_json_creds(self, stream=None): def handle_action_register_device(self): # Capture the Device Token and write it to the config file - if self.okta_platform == "classic" and ( not self.device_token or self.config.action_register_device is True ): + if self.okta_platform == "classic" and (self.conf_dict.get('force_classic') is not True) and ( not self.device_token or self.config.action_register_device is True ): if not self.config.action_register_device: self.ui.notify('\n*** No device token found in configuration file, it will be created.') self.ui.notify('*** You may be prompted for MFA more than once for this run.\n') diff --git a/gimme_aws_creds/okta_classic.py b/gimme_aws_creds/okta_classic.py index af308be..c17aa49 100644 --- a/gimme_aws_creds/okta_classic.py +++ b/gimme_aws_creds/okta_classic.py @@ -261,6 +261,11 @@ def auth_oauth(self, client_id, **kwargs): ) response.raise_for_status() + # If we didn't get a 302 redirect, the MFA factor didn't meet the requirement for the app + if 'Location' not in response.headers: + raise errors.GimmeAWSCredsError( + "LOGIN ERROR: Provided MFA factor does not meet the authentication policies for this application", 2 + ) url_parse_results = urlparse(response.headers['Location']) query_result = parse_qs(url_parse_results.fragment) diff --git a/setup.py b/setup.py index 10961e7..a7b6f98 100644 --- a/setup.py +++ b/setup.py @@ -4,7 +4,7 @@ requirements = f.read().splitlines() setup( - name='gimme-aws-creds', + name='gimme_aws_creds', version='2.8.0', install_requires=requirements, author='Eric Pierce', diff --git a/tests/test_config.py b/tests/test_config.py index a100201..fc1390f 100644 --- a/tests/test_config.py +++ b/tests/test_config.py @@ -61,7 +61,7 @@ def test_read_config(self): config = Config(gac_ui=test_ui, create_config=False) config.conf_profile = "myprofile" profile_config = config.get_config_dict() - self.assertEqual(profile_config, {"client_id": "foo"}) + self.assertEqual(profile_config, {"client_id": "foo", 'force_classic': True}) def test_read_config_inherited(self): """Test to make sure getting config works when inherited""" @@ -75,6 +75,7 @@ def test_read_config_inherited(self): [mybase] client_id = bar aws_appname = baz + force_classic = True [myprofile] inherits = mybase client_id = foo @@ -89,6 +90,7 @@ def test_read_config_inherited(self): "client_id": "foo", "aws_appname": "baz", "aws_rolename": "myrole", + 'force_classic': True, }) def test_read_nested_config_inherited(self): @@ -104,6 +106,7 @@ def test_read_nested_config_inherited(self): [mybase-level2] inherits = mybase-level1 aws_appname = baz +force_classic = [myprofile] inherits = mybase-level2 client_id = foo @@ -116,6 +119,7 @@ def test_read_nested_config_inherited(self): "client_id": "foo", "aws_appname": "baz", "aws_rolename": "myrole", + "force_classic": True }) def test_fail_if_profile_not_found(self):