Revert "feat: Persist device token cookie in keystore to prevent repe…

…ated MFA prompt (segmentio#259)" This reverts commit 18e92f7.
dkujawski · Jan 31, 2020 · 62dc76b · 62dc76b
1 parent bf3f799
commit 62dc76b
Showing 1 changed file with 34 additions and 44 deletions.
diff --git a/lib/okta.go b/lib/okta.go
@@ -84,18 +84,19 @@ type OktaCreds struct {
 	Domain       string
 }
 
+<<<<<<< HEAD
 // OktaCookies maps the session with the device token
 type OktaCookies struct {
 	Session     string
 	DeviceToken string
 }
 
 // Validate create an Okta client and authenticate the user
+=======
+>>>>>>> parent of 18e92f7... feat: Persist device token cookie in keystore to prevent repeated MFA prompt (#259)
 func (c *OktaCreds) Validate(mfaConfig MFAConfig) error {
 	// OktaClient assumes we're doing some AWS SAML calls, but Validate doesn't
-	var cookies OktaCookies
-
-	o, err := NewOktaClient2(*c, "", cookies, mfaConfig)
+	o, err := NewOktaClient(*c, "", "", mfaConfig)
 	if err != nil {
 		return err
 	}
@@ -122,6 +123,7 @@ func GetOktaDomain(region string) (string, error) {
 
 // NewOktaClient will convert the sessionCookie string into a OktaCookies struct and pass the rest over to NewOktaClient2
 func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string, mfaConfig MFAConfig) (*OktaClient, error) {
+<<<<<<< HEAD
 	var cookies OktaCookies
 	cookies.Session = sessionCookie
 
@@ -130,6 +132,8 @@ func NewOktaClient(creds OktaCreds, oktaAwsSAMLUrl string, sessionCookie string,
 
 // NewOktaClient2 assemble credentials, urls, cookies, and MFA information into single structure
 func NewOktaClient2(creds OktaCreds, oktaAwsSAMLUrl string, cookies OktaCookies, mfaConfig MFAConfig) (*OktaClient, error) {
+=======
+>>>>>>> parent of 18e92f7... feat: Persist device token cookie in keystore to prevent repeated MFA prompt (#259)
 	var domain string
 
 	// maintain compatibility for deprecated creds.Organization
@@ -152,19 +156,11 @@ func NewOktaClient2(creds OktaCreds, oktaAwsSAMLUrl string, cookies OktaCookies,
 		return nil, err
 	}
 
-	if cookies.Session != "" {
+	if sessionCookie != "" {
 		jar.SetCookies(base, []*http.Cookie{
 			{
 				Name:  "sid",
-				Value: cookies.Session,
-			},
-		})
-	}
-	if cookies.DeviceToken != "" {
-		jar.SetCookies(base, []*http.Cookie{
-			{
-				Name:  "DT",
-				Value: cookies.DeviceToken,
+				Value: sessionCookie,
 			},
 		})
 	}
@@ -223,6 +219,7 @@ func (o *OktaClient) AuthenticateUser() error {
 	return nil
 }
 
+<<<<<<< HEAD
 // AuthenticateProfile pass off data to AuthenticateProfileWithRegion using an empty string for region
 func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error) {
 	return o.AuthenticateProfileWithRegion(profileARN, duration, "")
@@ -238,9 +235,11 @@ func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration t
 
 // AuthenticateProfile3 authenticate via SAML and assume IAM roles
 func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Duration, region string) (sts.Credentials, OktaCookies, error) {
+=======
+func (o *OktaClient) AuthenticateProfileWithRegion(profileARN string, duration time.Duration, region string) (sts.Credentials, string, error) {
+>>>>>>> parent of 18e92f7... feat: Persist device token cookie in keystore to prevent repeated MFA prompt (#259)
 
 	var assertion SAMLAssertion
-	var oc OktaCookies
 
 	// Attempt to reuse session cookie
 	err := o.Get("GET", o.OktaAwsSAMLUrl, nil, &assertion, "saml")
@@ -249,22 +248,22 @@ func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Durat
 
 		// Step 1 & Step 2
 		if err := o.AuthenticateUser(); err != nil {
-			return sts.Credentials{}, oc, err
+			return sts.Credentials{}, "", err
 		}
 
 		// Step 3 : Get SAML Assertion
 		log.Debug("Step: 3")
 		if err = o.Get("GET", o.OktaAwsSAMLUrl+"?onetimetoken="+o.UserAuth.SessionToken,
 			nil, &assertion, "saml"); err != nil {
-			return sts.Credentials{}, oc, err
+			return sts.Credentials{}, "", err
 		}
 	}
 
 	// retrieve IAM Roles
 	log.Debug("Step: 3.1")
 	principal, role, err := GetRoleFromSAML(assertion.Resp, profileARN)
 	if err != nil {
-		return sts.Credentials{}, oc, err
+		return sts.Credentials{}, "", err
 	}
 
 	// Step 4 : Assume Role with SAML
@@ -293,20 +292,22 @@ func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Durat
 	if err != nil {
 		log.WithField("role", role).Errorf(
 			"error assuming role with SAML: %s", err.Error())
-		return sts.Credentials{}, oc, err
+		return sts.Credentials{}, "", err
 	}
 
+	var sessionCookie string
 	cookies := o.CookieJar.Cookies(o.BaseURL)
 	for _, cookie := range cookies {
 		if cookie.Name == "sid" {
-			oc.Session = cookie.Value
-		}
-		if cookie.Name == "DT" {
-			oc.DeviceToken = cookie.Value
+			sessionCookie = cookie.Value
 		}
 	}
 
-	return *samlResp.Credentials, oc, nil
+	return *samlResp.Credentials, sessionCookie, nil
+}
+
+func (o *OktaClient) AuthenticateProfile(profileARN string, duration time.Duration) (sts.Credentials, string, error) {
+	return o.AuthenticateProfileWithRegion(profileARN, duration, "")
 }
 
 func selectMFADeviceFromConfig(o *OktaClient) (*OktaUserAuthnFactor, error) {
@@ -515,7 +516,11 @@ func (o *OktaClient) challengeMFA() (err error) {
 
 	payload, err = o.preChallenge(oktaFactorID, oktaFactorType)
 
+<<<<<<< HEAD
 	err = o.Get("POST", "api/v1/authn/factors/"+oktaFactorID+"/verify?rememberDevice=true",
+=======
+	err = o.Get("POST", "api/v1/authn/factors/"+oktaFactorId+"/verify",
+>>>>>>> parent of 18e92f7... feat: Persist device token cookie in keystore to prevent repeated MFA prompt (#259)
 		payload, &o.UserAuth, "json",
 	)
 	if err != nil {
@@ -665,47 +670,32 @@ func (p *OktaProvider) Retrieve() (sts.Credentials, string, error) {
 		return sts.Credentials{}, "", errors.New("Failed to get okta credentials from your keyring.  Please make sure you have added okta credentials with `aws-okta add`")
 	}
 
-	// Check for stored session and device token cookies
-	var cookies OktaCookies
+	// Check for stored session cookie
+	var sessionCookie string
 	cookieItem, err := p.Keyring.Get(p.OktaSessionCookieKey)
 	if err == nil {
-		cookies.Session = string(cookieItem.Data)
-	}
-	cookieItem2, err := p.Keyring.Get("okta-device-token-cookie")
-	if err == nil {
-		cookies.DeviceToken = string(cookieItem2.Data)
+		sessionCookie = string(cookieItem.Data)
 	}
 
-	oktaClient, err := NewOktaClient2(oktaCreds, p.OktaAwsSAMLUrl, cookies, p.MFAConfig)
+	oktaClient, err := NewOktaClient(oktaCreds, p.OktaAwsSAMLUrl, sessionCookie, p.MFAConfig)
 	if err != nil {
 		return sts.Credentials{}, "", err
 	}
 
-	creds, newCookies, err := oktaClient.AuthenticateProfile3(p.ProfileARN, p.SessionDuration, p.AwsRegion)
+	creds, newSessionCookie, err := oktaClient.AuthenticateProfileWithRegion(p.ProfileARN, p.SessionDuration, p.AwsRegion)
 	if err != nil {
 		return sts.Credentials{}, "", err
 	}
 
-	log.Debug("pOktaSessionCookieKey: ", p.OktaSessionCookieKey)
-
 	newCookieItem := keyring.Item{
 		Key:                         p.OktaSessionCookieKey,
-		Data:                        []byte(newCookies.Session),
+		Data:                        []byte(newSessionCookie),
 		Label:                       "okta session cookie",
 		KeychainNotTrustApplication: false,
 	}
 
 	p.Keyring.Set(newCookieItem)
 
-	newCookieItem2 := keyring.Item{
-		Key:                         "okta-device-token-cookie",
-		Data:                        []byte(newCookies.DeviceToken),
-		Label:                       "okta device token",
-		KeychainNotTrustApplication: false,
-	}
-
-	p.Keyring.Set(newCookieItem2)
-
 	return creds, oktaCreds.Username, err
 }