From 64989a8ed399d10acb7c5c43d87bbd3fb12cf0e8 Mon Sep 17 00:00:00 2001
From: Tomasz Wojtun
Date: Sat, 23 Oct 2021 23:06:35 +0200
Subject: [PATCH 1/2] split Okta url to url and appId to support using same session cross idp
---
 pkg/provider/okta/okta.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go
index 042f029c6..29a6bfd23 100644
--- a/pkg/provider/okta/okta.go
+++ b/pkg/provider/okta/okta.go
@@ -66,6 +66,7 @@ type Client struct {
 targetURL string
 disableSessions bool
 rememberDevice bool
+ appID string
 }
 // AuthRequest represents an mfa okta request
@@ -122,6 +123,7 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) {
 disableSessions := idpAccount.DisableSessions
 rememberDevice := !idpAccount.DisableRememberDevice
+ appID := idpAccount.AppID
 if idpAccount.DisableSessions { // if user disabled sessions, also dont remember device
 rememberDevice = false
@@ -130,6 +132,7 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) {
 // Debug the disableSessions and rememberDevice values
 logger.Debugf("okta | disableSessions: %v", disableSessions)
 logger.Debugf("okta | rememberDevice: %v", rememberDevice)
+ logger.Debugf("okta | AppID: %v", appID)
 return &Client{
 client: client,
@@ -137,6 +140,7 @@ func New(idpAccount *cfg.IDPAccount) (*Client, error) {
 targetURL: idpAccount.TargetURL,
 disableSessions: disableSessions,
 rememberDevice: rememberDevice,
+ appID: appID,
 }, nil
 }
@@ -298,7 +302,7 @@ func (oc *Client) authWithSession(loginDetails *creds.LoginDetails) (string, err
 return oc.Authenticate(modifiedLoginDetails)
 }
- req, err := http.NewRequest("GET", loginDetails.URL, nil)
+ req, err := http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 if err != nil {
 return "", errors.Wrap(err, "error building authWithSession request")
 }
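Review bot: `loginDetails.URL + oc.appID` in the NewRequest call of authWithSession joins the two strings with no separator handling, so the request target depends on whether the configured URL ends in "/" and whether the app ID starts with one; the same expression is repeated in getDeviceTokenFromOkta (@@ -338) and follow (@@ -555). Building the target once in a small helper that parses the base URL and joins the path keeps the three call sites consistent and also matches what gofmt would print for this argument (`loginDetails.URL+oc.appID`). The `appID := idpAccount.AppID` line in New presumably relies on an AppID field on cfg.IDPAccount that this series does not add; worth confirming it exists. The helper below needs `net/url` and `path` imported; in follow the call site assigns with `=` rather than `:=`. The bodies of authWithSession and follow continue outside the hunk.
```go
// appURL resolves the per-app target from the shared IdP base URL so that
// string concatenation never decides where the "/" goes; an empty appID
// keeps the pre-change behaviour of requesting the base URL itself.
func (oc *Client) appURL(base string) (string, error) {
	if oc.appID == "" {
		return base, nil
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", errors.Wrap(err, "error parsing idp url")
	}
	u.Path = path.Join(u.Path, oc.appID)
	return u.String(), nil
}

// … in authWithSession (and likewise getDeviceTokenFromOkta, follow):
target, err := oc.appURL(loginDetails.URL)
if err != nil {
	return "", err
}
req, err := http.NewRequest("GET", target, nil)
```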
@@ -338,7 +342,7 @@ func (oc *Client) authWithSession(loginDetails *creds.LoginDetails) (string, err
 // This function is not currently used and but can be used in the future
 func (oc *Client) getDeviceTokenFromOkta(loginDetails *creds.LoginDetails) (string, error) {
 //dummy request to set device token cookie ("dt")
- req, err := http.NewRequest("GET", loginDetails.URL, nil)
+ req, err := http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 if err != nil {
 return "", errors.Wrap(err, "error building device token request")
 }
@@ -555,7 +559,7 @@ func (oc *Client) follow(ctx context.Context, req *http.Request, loginDetails *c
 logger.WithField("type", "saml-response").Debug("doc detect")
 handler = oc.handleFormRedirect
 } else {
- req, err = http.NewRequest("GET", loginDetails.URL, nil)
+ req, err = http.NewRequest("GET", loginDetails.URL + oc.appID, nil)
 if err != nil {
 return "", errors.Wrap(err, "error building app request")
 }
From e215ccd092f5acf79f3a41a9b44101933f75f8fc Mon Sep 17 00:00:00 2001
From: Tomasz Wojtun
Date: Sat, 23 Oct 2021 22:35:07 +0200
Subject: [PATCH 2/2] use SecClassGenericPassword instead of SecClassInternetPassword
---
 helper/osxkeychain/keychain.go | 84 --------------------------
 helper/osxkeychain/osxkeychain.go | 49 +++------------
 helper/osxkeychain/osxkeychain_test.go | 2 +-
 3 files changed, 9 insertions(+), 126 deletions(-)
 delete mode 100644 helper/osxkeychain/keychain.go
diff --git a/helper/osxkeychain/keychain.go b/helper/osxkeychain/keychain.go
deleted file mode 100644
index 3a9ec5ba7..000000000
--- a/helper/osxkeychain/keychain.go
+++ /dev/null
@@ -1,84 +0,0 @@
-// +build darwin,cgo
-
-package osxkeychain
-
-/*
-#cgo LDFLAGS: -framework CoreFoundation -framework Security
-
-#include
-#include
-*/
-import "C"
-import "github.com/keybase/go-keychain"
-
-// Protocols used to covert protocol to kSecAttrProtocol
-var Protocols = map[string]string{
- "https": CFStringToString(C.CFStringRef(C.kSecAttrProtocolHTTPS)),
- "http": CFStringToString(C.CFStringRef(C.kSecAttrProtocolHTTP)),
- "smtp": CFStringToString(C.CFStringRef(C.kSecAttrProtocolSMTP)),
- "pop3": CFStringToString(C.CFStringRef(C.kSecAttrProtocolPOP3)),
- "pop3s": CFStringToString(C.CFStringRef(C.kSecAttrProtocolPOP3S)),
- "socks": CFStringToString(C.CFStringRef(C.kSecAttrProtocolSOCKS)),
- "imap": CFStringToString(C.CFStringRef(C.kSecAttrProtocolIMAP)),
- "imaps": CFStringToString(C.CFStringRef(C.kSecAttrProtocolIMAPS)),
- "ldap": CFStringToString(C.CFStringRef(C.kSecAttrProtocolLDAP)),
- "ldaps": CFStringToString(C.CFStringRef(C.kSecAttrProtocolLDAPS)),
- "ssh": CFStringToString(C.CFStringRef(C.kSecAttrProtocolSSH)),
- "ftp": CFStringToString(C.CFStringRef(C.kSecAttrProtocolFTP)),
- "ftps": CFStringToString(C.CFStringRef(C.kSecAttrProtocolFTPS)),
-}
-
-var (
- // ServerKey is for kSecAttrServer
- ServerKey = attrKey(C.CFTypeRef(C.kSecAttrServer))
- // ProtocolKey is for kSecAttrProtocol
- ProtocolKey = attrKey(C.CFTypeRef(C.kSecAttrProtocol))
- // PortKey is for kSecAttrPort
- PortKey = attrKey(C.CFTypeRef(C.kSecAttrPort))
- // PathKey is for kSecAttrPath
- PathKey = attrKey(C.CFTypeRef(C.kSecAttrPath))
-)
-
-// SetPath sets the Path attribute
-func SetPath(k keychain.Item, s string) {
- k.SetString(PathKey, s)
-}
-
-// SetPort sets the Port attribute
-func SetPort(k keychain.Item, s string) {
- k.SetString(PortKey, s)
-}
-
-// SetProtocol sets the Protocol attribute
-func SetProtocol(k keychain.Item, s string) {
- k.SetString(ProtocolKey, Protocols[s])
-}
-
-// SetServer sets the server attribute
-func SetServer(k keychain.Item, s string) {
-
k.SetString(ServerKey, s)
-}
-
-func attrKey(ref C.CFTypeRef) string {
- return CFStringToString(C.CFStringRef(ref))
-}
-
-// CFStringToString converts a CFStringRef to a string.
-func CFStringToString(s C.CFStringRef) string {
- p := C.CFStringGetCStringPtr(s, C.kCFStringEncodingUTF8)
- if p != nil {
- return C.GoString(p)
- }
- length := C.CFStringGetLength(s)
- if length == 0 {
- return ""
- }
- maxBufLen := C.CFStringGetMaximumSizeForEncoding(length, C.kCFStringEncodingUTF8)
- if maxBufLen == 0 {
- return ""
- }
- buf := make([]byte, maxBufLen)
- var usedBufLen C.CFIndex
- _ = C.CFStringGetBytes(s, C.CFRange{0, length}, C.kCFStringEncodingUTF8, C.UInt8(0), C.false, (*C.UInt8)(&buf[0]), maxBufLen, &usedBufLen)
- return string(buf[:usedBufLen])
-}
diff --git a/helper/osxkeychain/osxkeychain.go b/helper/osxkeychain/osxkeychain.go
index cc0f951b0..0b5abb2a7 100644
--- a/helper/osxkeychain/osxkeychain.go
+++ b/helper/osxkeychain/osxkeychain.go
@@ -1,11 +1,8 @@
-// +build darwin,cgo
+// +build darwin
 package osxkeychain
 import (
- "net/url"
- "strings"
-
 "github.com/keybase/go-keychain"
 "github.com/sirupsen/logrus"
 "github.com/versent/saml2aws/v2/helper/credentials"
@@ -24,14 +21,11 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 }
 item := keychain.NewItem()
- item.SetSecClass(keychain.SecClassInternetPassword)
+ item.SetSecClass(keychain.SecClassGenericPassword)
 item.SetLabel(credentials.CredsLabel)
 item.SetAccount(creds.Username)
 item.SetData([]byte(creds.Secret))
- err = splitServer3(creds.ServerURL, item)
- if err != nil {
- return err
- }
+ item.SetService(creds.ServerURL)
 err = keychain.AddItem(item)
 if err != nil {
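Review bot: The build constraint in the first hunk of osxkeychain.go drops `cgo`, yet as far as I can tell go-keychain's Security-framework binding is itself cgo-based, so a darwin build with CGO_ENABLED=0 would now compile this file and fail on the keychain calls instead of excluding it as before. Deleting keychain.go removed the package's own cgo use, not the transitive one, so unless the library has gained a pure-Go path the constraint should stay `// +build darwin,cgo` here and in osxkeychain_test.go (changed the same way in this patch's last hunk). If the project already builds with Go 1.17 or later, gofmt will also want a `//go:build darwin,cgo` line above it.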
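Review bot: Switching Add to `keychain.SecClassGenericPassword` keyed by `item.SetService(creds.ServerURL)` changes both the item class and the lookup key, but nothing migrates or removes entries that earlier versions stored as internet-password items; Get (@@ -66) will no longer find them, so existing users are re-prompted, and the old secret stays in the keychain where Delete (@@ -46) can no longer reach it. At minimum this should be called out as a breaking change for existing installs, and a one-time fallback query under the old class in Get, re-saving under the new one, would avoid the silent re-prompt. The raw URL is now the key, so `https://host/` and `https://host` become two separate entries where the old host/port/path split treated them alike; normalising before storing, e.g. `item.SetService(strings.TrimSuffix(creds.ServerURL, "/"))` at every SetService call (which means keeping the `strings` import this patch removes), would keep lookups stable. The body of Add continues outside the hunk.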
@@ -46,13 +40,9 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 func (h Osxkeychain) Delete(serverURL string) error {
 item := keychain.NewItem()
- item.SetSecClass(keychain.SecClassInternetPassword)
- err := splitServer3(serverURL, item)
- if err != nil {
- return err
- }
-
- err = keychain.DeleteItem(item)
+ item.SetSecClass(keychain.SecClassGenericPassword)
+ item.SetService(serverURL)
+ err := keychain.DeleteItem(item)
 if err != nil {
 return err
 }
@@ -66,13 +56,8 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 logger.WithField("serverURL", serverURL).Debug("Get credentials")
 query := keychain.NewItem()
- query.SetSecClass(keychain.SecClassInternetPassword)
-
- err := splitServer3(serverURL, query)
- if err != nil {
- return "", "", err
- }
-
+ query.SetSecClass(keychain.SecClassGenericPassword)
+ query.SetService(serverURL)
 query.SetMatchLimit(keychain.MatchLimitOne)
 query.SetReturnAttributes(true)
 query.SetReturnData(true)
@@ -95,21 +80,3 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 func (Osxkeychain) SupportsCredentialStorage() bool {
 return true
 }
-
-func splitServer3(serverURL string, item keychain.Item) (err error) {
- u, err := url.Parse(serverURL)
- if err != nil {
- return
- }
-
- hostAndPort := strings.Split(u.Host, ":")
- SetServer(item, hostAndPort[0])
- if len(hostAndPort) == 2 {
- SetPort(item, hostAndPort[1])
- }
-
- SetProtocol(item, u.Scheme)
- SetPath(item, u.Path)
-
- return
-}
diff --git a/helper/osxkeychain/osxkeychain_test.go b/helper/osxkeychain/osxkeychain_test.go
index de9cda899..008015ba9 100644
--- a/helper/osxkeychain/osxkeychain_test.go
+++ b/helper/osxkeychain/osxkeychain_test.go
@@ -1,4 +1,4 @@
-// +build darwin,cgo
+// +build darwin
 // Copyright (c) 2016 David Calavera