lib

package
Published: Jan 4, 2021 License: MIT Imports: 36 Imported by: 13

Documentation


Constants

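const (
	// Okta organization domains by region. OktaServerDefault is the one
	// used when no region-specific domain is selected (see GetOktaDomain).
	OktaServerUs      = "okta.com"
	OktaServerEmea    = "okta-emea.com"
	OktaServerPreview = "oktapreview.com"
	OktaServerDefault = OktaServerUs

	// OktaServer is the legacy name of the US domain constant.
	//
	// Deprecated: use OktaServerUs.
	OktaServer = OktaServerUs

	// Timeout is the package's 60-second timeout constant. What it bounds
	// is not visible here — presumably the HTTP client used for Okta/Duo
	// requests; confirm against callers. 60 * time.Second is already a
	// time.Duration, so no explicit conversion is needed.
	Timeout = 60 * time.Second
)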
const (
	// Okta session duration bounds and default. The range is presumably
	// enforced by ProviderOptions.Validate / ApplyDefaults — confirm.
	MinSessionDuration     = 15 * time.Minute
	MaxSessionDuration     = 90 * 24 * time.Hour
	DefaultSessionDuration = 4 * time.Hour

	// AssumeRole duration bounds and default. Note the default equals the
	// minimum, i.e. the shortest-lived AWS credentials are issued unless a
	// caller asks for more.
	MinAssumeRoleDuration     = 15 * time.Minute
	MaxAssumeRoleDuration     = 12 * time.Hour
	DefaultAssumeRoleDuration = 15 * time.Minute
)

Variables

This section is empty.

Functions

func GetAssumableRolesFromSAML added in v0.24.0

func GetAssumableRolesFromSAML(resp *saml.Response) (saml.AssumableRoles, error)

func GetFactorId

func GetFactorId(f *OktaUserAuthnFactor) (id string, err error)

func GetNode

func GetNode(n *html.Node, name string) (val string, node *html.Node)

func GetOktaDomain added in v0.20.0

func GetOktaDomain(region string) (string, error)

func GetRole added in v0.24.0

func GetRole(roleList saml.AssumableRoles, profileARN string) (saml.AssumableRole, error)

func GetRoleFromSAML

func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, error)

func NewConfigFromEnv

func NewConfigFromEnv() (config, error)

func OpenKeyring

func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error)

func ParseSAML

func ParseSAML(body []byte, resp *SAMLAssertion) (err error)

func Prompt

func Prompt(prompt string, sensitive bool) (string, error)

func PromptWithOutput added in v0.19.5

func PromptWithOutput(prompt string, sensitive bool, output *os.File) (string, error)

Types

type DuoClient

// DuoClient drives the browser-less Duo MFA flow on behalf of an Okta
// authentication (see ChallengeU2f and the Do* methods). Host, Signature,
// Callback and FactorID are supplied to NewDuoClient; Device and StateToken
// are not, so they are presumably set by the caller afterwards — confirm.
type DuoClient struct {
	Host       string // Duo host that the /frame/... requests are sent to
	Signature  string // Duo signature handed to NewDuoClient; the sig_response for the callback is derived from it
	Callback   string // Okta callback URL that DoCallback posts the result to
	Device     string // Duo device to use; presumably taken from MFAConfig.DuoDevice — confirm
	StateToken string // Okta stateToken, required by DoCallback
	FactorID   string // Okta factor id of the Duo factor being verified
}

func NewDuoClient

func NewDuoClient(host, signature, callback, factorID string) *DuoClient

func (*DuoClient) ChallengeU2f

func (d *DuoClient) ChallengeU2f(verificationHost string) (err error)

ChallengeU2f performs multiple calls against an obscure Duo API.

Normally you would use an iframe to perform those calls, but here the idea is to mimic that flow against Duo in order to use the CLI without any browser.

The function performs three successive calls to retrieve the challenge data, waits for the user to perform the verification (Duo Push or Yubikey), and then calls the callback URL.

TODO: Use a Context to gracefully shutdown the thing and have a nice timeout

func (*DuoClient) DoAuth

func (d *DuoClient) DoAuth(tx string, inputSid string, inputCertsURL string) (sid string, err error)

DoAuth sends a POST request to the Duo /frame/web/v1/auth endpoint. The request does not follow the redirect; instead the Location is read from the HTTP header. From the Location we get the Duo Session ID (sid) required for the rest of the communication. In some integrations of Duo, an empty POST to the Duo /frame/web/v1/auth endpoint returns StatusOK with a form of hidden inputs. In that case, we redo the POST with data from the hidden inputs, which triggers the usual redirect/Location flow and allows for a successful authentication.

The function will return the sid

func (*DuoClient) DoCallback

func (d *DuoClient) DoCallback(auth string) (err error)

DoCallback sends a POST request to the Okta callback URL defined in the DuoClient.

The callback request requires the stateToken from Okta and a sig_response built from the preceding requests.

func (*DuoClient) DoPrompt

func (d *DuoClient) DoPrompt(sid string) (txid string, err error)

DoPrompt sends a POST request to the Duo /frame/prompt endpoint.

The function returns the Duo transaction ID, which is different from the Okta transaction ID.

func (*DuoClient) DoRedirect

func (d *DuoClient) DoRedirect(url string, sid string) (string, error)

func (*DuoClient) DoStatus

func (d *DuoClient) DoStatus(txid, sid string) (auth string, status StatusResp, err error)

DoStatus sends a POST request against the Duo /frame/status endpoint

The function returns the auth string required for the Okta Callback if the request succeeded.

func (*DuoClient) DoU2FPromptFinish added in v0.19.5

func (d *DuoClient) DoU2FPromptFinish(sid string, sessionID string, resp *u2fhost.AuthenticateResponse) (txid string, err error)

DoU2FPromptFinish sends a POST request to the Duo /frame/prompt endpoint.

The function returns the Duo transaction ID, which is different from the Okta transaction ID.

type FacetResponse added in v0.19.5

// FacetResponse is the decoding target for a JSON trusted-facets document
// ({"trustedFacets": [{"ids": [...], "version": {"major", "minor"}}]}).
// It appeared together with the U2F support (v0.19.5), so it presumably
// describes the facets a U2F app id resolves to — confirm against callers.
type FacetResponse struct {
	TrustedFacets []struct {
		Ids     []string `json:"ids"` // facet identifiers listed for this version
		Version struct {
			Major int `json:"major"`
			Minor int `json:"minor"`
		} `json:"version"`
	} `json:"trustedFacets"`
}

type MFAConfig added in v0.20.0

// MFAConfig selects which factor is used to satisfy an Okta MFA challenge.
// It is passed to NewOktaClient, OktaCreds.Validate and carried in
// ProviderOptions and OktaProvider.
type MFAConfig struct {
	Provider   string // Which MFA provider to use when presented with an MFA challenge
	FactorType string // Which of the factor types of the MFA provider to use
	DuoDevice  string // Which DUO device to use for DUO MFA
}

type OktaClient

// OktaClient authenticates a user against Okta (AuthenticateUser) and
// exchanges the resulting SAML assertion for AWS STS credentials
// (AuthenticateProfile*). Build it with NewOktaClient / NewOktaClient2.
//
// Password, SecretAccessKey and SessionToken are secrets: do not log an
// OktaClient value or format it with %+v / %#v.
type OktaClient struct {
	// Organization will be deprecated in the future
	Organization    string
	Username        string // Okta login name (from OktaCreds)
	Password        string // Okta password (from OktaCreds); secret
	UserAuth        *OktaUserAuthn // last Okta authn response; nil until authentication runs — presumably, confirm
	DuoClient       *DuoClient     // Duo flow helper, used when the selected factor is Duo — presumably, confirm
	AccessKeyId     string         // AWS temporary credential, presumably filled by AuthenticateProfile* — confirm
	SecretAccessKey string         // AWS temporary credential; secret
	SessionToken    string         // AWS temporary credential; secret
	Expiration      time.Time      // expiry of the AWS temporary credentials above
	OktaAwsSAMLUrl  string         // path of the Okta AWS SAML application (see NewOktaClient)
	CookieJar       http.CookieJar // cookie store for Okta requests; holds the session cookie
	BaseURL         *url.URL       // Okta base URL, presumably built from Domain — confirm
	Domain          string         // Okta domain (from OktaCreds.Domain)
	MFAConfig       MFAConfig      // factor selection for MFA challenges
}

func NewOktaClient

func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string, mfaConfig MFAConfig) (*OktaClient, error)

func NewOktaClient2 added in v1.0.0

func NewOktaClient2(creds OktaCreds, oktaAwsSAMLUrl string, cookies OktaCookies, mfaConfig MFAConfig) (*OktaClient, error)

func (*OktaClient) AuthenticateProfile

func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error)

func (*OktaClient) AuthenticateProfile3 added in v1.0.0

func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Duration, region string) (sts.Credentials, OktaCookies, error)

func (*OktaClient) AuthenticateProfileWithRegion added in v0.23.0

func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error)

func (*OktaClient) AuthenticateUser

func (o *OktaClient) AuthenticateUser() error

func (*OktaClient) Get

func (o *OktaClient) Get(method string, path string, data []byte, recv interface{}, format string) (err error)

type OktaCookies added in v1.0.0

// OktaCookies carries the Okta cookie values that NewOktaClient2 accepts and
// AuthenticateProfile3 returns so that a session can be resumed without a
// fresh login. Both values are bearer secrets and belong in the keyring
// (see OktaProvider.OktaSessionCookieKey), not in logs or plain files.
type OktaCookies struct {
	Session     string // Okta session cookie value
	DeviceToken string // Okta device-token cookie value
}

type OktaCreds

// OktaCreds holds the Okta login credentials given to NewOktaClient and
// NewOktaClient2; Validate checks them together with an MFAConfig.
// Password is a secret: keep OktaCreds values out of logs and %+v output.
type OktaCreds struct {
	// Organization will be deprecated in the future
	Organization string
	Username     string // Okta login name
	Password     string // Okta password; secret
	Domain       string // Okta domain to authenticate against (see GetOktaDomain)
}

func (*OktaCreds) Validate

func (c *OktaCreds) Validate(mfaConfig MFAConfig) error

type OktaProvider

// OktaProvider obtains AWS STS credentials for ProfileARN by logging in to
// Okta (Retrieve); GetSAMLLoginURL exposes the Okta SAML login URL it uses.
type OktaProvider struct {
	Keyring         keyring.Keyring // keyring in which the Okta session cookie is stored
	ProfileARN      string          // AWS role ARN to assume via the SAML assertion
	SessionDuration time.Duration   // requested credential lifetime; see Min/MaxSessionDuration
	OktaAwsSAMLUrl  string          // path of the Okta AWS SAML application
	// OktaSessionCookieKey represents the name of the session cookie
	// to be stored in the keyring.
	OktaSessionCookieKey string
	OktaAccountName      string // account label, presumably used to namespace keyring entries — confirm
	MFAConfig            MFAConfig
	AwsRegion            string // region passed through to the STS call — presumably, confirm
}

func (*OktaProvider) GetSAMLLoginURL added in v0.19.5

func (p *OktaProvider) GetSAMLLoginURL() (*url.URL, error)

func (*OktaProvider) Retrieve

func (p *OktaProvider) Retrieve() (sts.Credentials, string, error)

type OktaStateToken

// OktaStateToken is a JSON request body carrying an Okta stateToken and an
// MFA passCode; presumably the body of a factor-verify call — confirm.
// PassCode is a one-time secret and must not be logged.
type OktaStateToken struct {
	StateToken string `json:"stateToken"`
	PassCode   string `json:"passCode"`
}

type OktaUser

// OktaUser is the JSON body of an Okta primary-authentication request
// (username/password). It contains the clear-text password and must only
// be sent over TLS and never logged.
type OktaUser struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

http://developer.okta.com/docs/api/resources/authn.html

type OktaUserAuthn

// OktaUserAuthn is the decoding target for an Okta authn API response
// (stored in OktaClient.UserAuth). SessionToken is a bearer secret.
type OktaUserAuthn struct {
	StateToken   string                `json:"stateToken"`   // transaction state, carried into MFA calls
	SessionToken string                `json:"sessionToken"` // present once authentication succeeds; secret
	ExpiresAt    string                `json:"expiresAt"`    // kept as the raw string Okta returns, not parsed here
	Status       string                `json:"status"`       // transaction status (e.g. the MFA_REQUIRED family) — values not defined in this file
	Embedded     OktaUserAuthnEmbedded `json:"_embedded"`    // enrolled/selected MFA factors
	FactorResult string                `json:"factorResult"`
}

type OktaUserAuthnEmbedded

// OktaUserAuthnEmbedded is the "_embedded" object of an authn response:
// Factors lists the enrolled factors (MFA_REQUIRED-style responses) and
// Factor is the single factor of a challenge response.
type OktaUserAuthnEmbedded struct {
	Factors []OktaUserAuthnFactor `json:"factors"`
	Factor  OktaUserAuthnFactor   `json:"factor"`
}

type OktaUserAuthnFactor

// OktaUserAuthnFactor describes one MFA factor in an authn response.
// GetFactorId extracts its id; FactorType and Provider are presumably what
// MFAConfig.FactorType / MFAConfig.Provider are matched against — confirm.
type OktaUserAuthnFactor struct {
	Id         string                      `json:"id"`
	FactorType string                      `json:"factorType"`
	Provider   string                      `json:"provider"`
	Embedded   OktaUserAuthnFactorEmbedded `json:"_embedded"` // verification/challenge payloads for this factor
	Profile    OktaUserAuthnFactorProfile  `json:"profile"`   // credential details (U2F key handle, app id)
}

type OktaUserAuthnFactorEmbedded

// OktaUserAuthnFactorEmbedded is the "_embedded" object of a factor:
// Verification carries provider (e.g. Duo) hand-off data, Challenge the
// U2F nonce/challenge.
type OktaUserAuthnFactorEmbedded struct {
	Verification OktaUserAuthnFactorEmbeddedVerification `json:"verification"`
	Challenge    OktaUserAuthnFactorEmbeddedChallenge    `json:"challenge"`
}

type OktaUserAuthnFactorEmbeddedChallenge added in v0.23.0

// OktaUserAuthnFactorEmbeddedChallenge is the U2F challenge Okta embeds in
// a factor (added in v0.23.0).
type OktaUserAuthnFactorEmbeddedChallenge struct {
	Nonce           string `json:"nonce"`
	Challenge       string `json:"challenge"`
	// The Go field name is misspelled but exported, so it is kept for API
	// compatibility; the JSON tag is the correct "timeoutSeconds".
	TimeoutSeconnds int    `json:"timeoutSeconds"`
}

type OktaUserAuthnFactorEmbeddedVerification

// OktaUserAuthnFactorEmbeddedVerification is the "verification" object of a
// factor. Host and Signature are presumably the values handed to
// NewDuoClient for a Duo factor — confirm.
type OktaUserAuthnFactorEmbeddedVerification struct {
	Host         string                                       `json:"host"`
	Signature    string                                       `json:"signature"`
	FactorResult string                                       `json:"factorResult"`
	Links        OktaUserAuthnFactorEmbeddedVerificationLinks `json:"_links"` // follow-up URLs, e.g. the "complete" link
}
// OktaUserAuthnFactorEmbeddedVerificationLinks is the "_links" object of a
// verification; Complete holds the URL to finish the verification.
type OktaUserAuthnFactorEmbeddedVerificationLinks struct {
	Complete OktaUserAuthnFactorEmbeddedVerificationLinksComplete `json:"complete"`
}

type OktaUserAuthnFactorEmbeddedVerificationLinksComplete

// OktaUserAuthnFactorEmbeddedVerificationLinksComplete is a single link
// object; Href is the target URL.
type OktaUserAuthnFactorEmbeddedVerificationLinksComplete struct {
	Href string `json:"href"`
}

type OktaUserAuthnFactorProfile added in v0.23.0

// OktaUserAuthnFactorProfile is the "profile" object of a factor (added in
// v0.23.0 with U2F support): the registered credential id, app id and
// version — presumably the U2F key handle, application id and protocol
// version, confirm.
type OktaUserAuthnFactorProfile struct {
	CredentialId string `json:"credentialId"`
	AppId        string `json:"appId"`
	Version      string `json:"version"`
}

type Profiles added in v0.19.5

// Profiles maps a profile name to its configuration keys and values
// (profile -> key -> value); GetValue performs the two-level lookup.
type Profiles map[string]map[string]string

func (Profiles) GetValue added in v0.19.5

func (p Profiles) GetValue(profile string, config_key string) (string, string, error)

type PromptResp

// PromptResp is the decoding target for the Duo /frame/prompt response;
// Response.Txid is the Duo transaction id that DoPrompt returns.
type PromptResp struct {
	Response struct {
		Txid string `json:"txid"`
	} `json:"response"`
	Stat string `json:"stat"` // Duo status word for the call
}

type Provider

// Provider is the AWS credentials provider built by NewProvider. It embeds
// credentials.Expiry for the expiry bookkeeping and ProviderOptions for its
// configuration; Retrieve returns credentials.Value.
type Provider struct {
	credentials.Expiry
	ProviderOptions
	// contains filtered or unexported fields
}

func NewProvider

func NewProvider(k keyring.Keyring, profile string, opts ProviderOptions) (*Provider, error)

func (*Provider) GetExpiration added in v0.26.0

func (p *Provider) GetExpiration() time.Time

func (*Provider) GetRoleARN added in v0.23.0

func (p *Provider) GetRoleARN() (string, error)

GetRoleARN uses p to establish temporary credentials, then calls lib.GetRoleARN with them to get the role's ARN. It is unused internally and is kept for backwards compatibility.

func (*Provider) GetRoleARNWithRegion added in v0.25.0

func (p *Provider) GetRoleARNWithRegion(creds credentials.Value) (string, error)

GetRoleARNWithRegion uses temporary credentials to call AWS's get-caller-identity and returns the assumed role's ARN.

func (*Provider) GetSAMLLoginURL added in v0.19.5

func (p *Provider) GetSAMLLoginURL() (*url.URL, error)

func (*Provider) Retrieve

func (p *Provider) Retrieve() (credentials.Value, error)

type ProviderOptions

// ProviderOptions configures a Provider. ApplyDefaults fills unset
// durations and Validate checks them; the Min/Max/Default*Duration
// constants are presumably the bounds applied — confirm.
type ProviderOptions struct {
	SessionDuration    time.Duration // Okta session lifetime
	AssumeRoleDuration time.Duration // lifetime of the assumed-role credentials
	ExpiryWindow       time.Duration // how long before expiry credentials are treated as expired
	Profiles           Profiles      // profile configuration used to resolve settings
	MFAConfig          MFAConfig     // factor selection for MFA challenges
	AssumeRoleArn      string        // role to assume; empty presumably means none — confirm
	// if true, use store_singlekritem SessionCache (new)
	// if false, use store_kritempersession SessionCache (old)
	SessionCacheSingleItem bool
}

func (ProviderOptions) ApplyDefaults

func (o ProviderOptions) ApplyDefaults() ProviderOptions

func (ProviderOptions) Validate

func (o ProviderOptions) Validate() error

type ResponseData added in v0.19.5

// ResponseData is the JSON form of a U2F authentication response as
// Duo/Okta expect it: the u2fhost.AuthenticateResponse fields plus the
// SessionID they require.
type ResponseData struct {
	ClientData    string `json:"clientData"`
	KeyHandle     string `json:"keyHandle"`
	SessionID     string `json:"sessionId"`
	SignatureData string `json:"signatureData"`
}

It is the same as u2fhost.AuthenticateResponse but additionally needs SessionID for Duo/Okta.

type SAMLAssertion

// SAMLAssertion is filled by ParseSAML: Resp is the parsed SAML response
// and RawData the assertion bytes it was parsed from. RawData is what is
// presented to AWS to assume a role, so treat it as a credential.
type SAMLAssertion struct {
	Resp    *saml.Response
	RawData []byte
}

type SessionCacheInterface added in v0.22.0

// SessionCacheInterface is the cache of cached credential sessions keyed by
// sessioncache.Key; ProviderOptions.SessionCacheSingleItem selects which
// implementation is used.
type SessionCacheInterface interface {
	Get(sessioncache.Key) (*sessioncache.Session, error)
	Put(sessioncache.Key, *sessioncache.Session) error
}

type StatusResp

// StatusResp is the decoding target for the Duo /frame/status response
// (see DoStatus). U2FSignRequest carries the U2F sign requests for a
// security-key prompt; Cookie and Result feed the auth string handed
// back to Okta.
type StatusResp struct {
	Response struct {
		SessionID      string `json:"sid"`
		U2FSignRequest []struct {
			Version   string `json:"version"`
			Challenge string `json:"challenge"`
			AppID     string `json:"appId"`
			KeyHandle string `json:"keyHandle"`
			SessionID string `json:"sessionId"`
		} `json:"u2f_sign_request"`
		Status     string `json:"status"`
		StatusCode string `json:"status_code"`
		Reason     string `json:"reason"`
		Parent     string `json:"parent"`
		Cookie     string `json:"cookie"`     // Duo auth cookie; treat as a secret
		Result     string `json:"result"`
		ResultURL  string `json:"result_url"` // URL polled/followed for the final result — presumably, confirm
	} `json:"response"`
	Stat string `json:"stat"` // Duo status word for the call
}
