Merge pull request #9 from WarnerMedia/merge-upstream-2.4.1

Merge upstream 2.4.1
WarnerMedia · Apr 26, 2021 · 8942960 · 8942960
2 parents c935101 + 955c2bd
commit 8942960
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 16 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ ENV PACKAGES="gcc musl-dev python3-dev libffi-dev openssl-dev cargo"
 
 RUN apk --update add $PACKAGES \
     && pip install --upgrade pip setuptools-rust \
+    && pip install futures \
     && python setup.py install \
     && apk del --purge $PACKAGES
 

diff --git a/gimme_aws_creds/__init__.py b/gimme_aws_creds/__init__.py
@@ -1,2 +1,2 @@
 __all__ = ['config', 'okta', 'main', 'ui']
-version = '2.4.0.3'
+version = '2.4.1.2'
diff --git a/gimme_aws_creds/errors.py b/gimme_aws_creds/errors.py
@@ -61,6 +61,11 @@ class GimmeAWSCredsError(GimmeAWSCredsExceptionBase, GimmeAWSCredsExitError):
     pass
 
 
+class GimmeAWSCredsMFAEnrollStatus(GimmeAWSCredsError):
+    def __init__(self):
+        super().__init__("You must enroll in MFA before using this tool.", 2)
+
+
 class NoFIDODeviceFoundError(Exception):
     pass
 
@@ -71,4 +76,3 @@ class FIDODeviceTimeoutError(Exception):
 
 class FIDODeviceError(Exception):
     pass
-
diff --git a/gimme_aws_creds/main.py b/gimme_aws_creds/main.py
@@ -909,6 +909,7 @@ def handle_setup_fido_authenticator(self):
             # noinspection PyStatementEffect
             self.auth_session
 
+            self.okta.set_preferred_mfa_type(None)
             credential_id, user = self.okta.setup_fido_authenticator()
 
             registered_authenticators = RegisteredAuthenticators(self.ui)

diff --git a/gimme_aws_creds/okta.py b/gimme_aws_creds/okta.py
@@ -33,6 +33,7 @@
 from gimme_aws_creds.u2f import FactorU2F
 from gimme_aws_creds.webauthn import WebAuthnClient, FakeAssertion
 from . import errors, ui, version, duo
+from .errors import GimmeAWSCredsMFAEnrollStatus
 from .registered_authenticators import RegisteredAuthenticators
 
 
@@ -302,7 +303,7 @@ def _next_login_step(self, state_token, login_data):
         elif status == 'LOCKED_OUT':
             raise errors.GimmeAWSCredsError("Your Okta access has been locked out due to failed login attempts.", 2)
         elif status == 'MFA_ENROLL':
-            raise errors.GimmeAWSCredsError("You must enroll in MFA before using this tool.", 2)
+            raise GimmeAWSCredsMFAEnrollStatus()
         elif status == 'MFA_REQUIRED':
             return self._login_multi_factor(state_token, login_data)
         elif status == 'MFA_CHALLENGE':
@@ -910,7 +911,12 @@ def setup_fido_authenticator(self):
         if not state_token:
             raise RuntimeError('Could not extract state token from http response')
 
-        self.stepup_auth(setup_fido_authenticator_url, state_token)
+        try:
+            self.stepup_auth(setup_fido_authenticator_url, state_token)
+        except errors.GimmeAWSCredsMFAEnrollStatus:
+            # Expected while adding a new fido authenticator
+            pass
+
         response = self._http_client.get(setup_fido_authenticator_url, json={'stateToken': state_token},
                                          headers=self._get_headers(), verify=self._verify_ssl_certs)
         response.raise_for_status()

diff --git a/gimme_aws_creds/u2f.py b/gimme_aws_creds/u2f.py
@@ -18,7 +18,7 @@
 
 from fido2.ctap1 import APDU
 from fido2.ctap1 import ApduError
-from fido2.ctap1 import CTAP1
+from fido2.ctap1 import Ctap1
 from fido2.hid import CtapHidDevice
 from fido2.utils import sha256, websafe_decode
 
@@ -55,7 +55,7 @@ def locate_device(self):
             self.ui.info("No FIDO device found")
             raise NoFIDODeviceFoundError
 
-        self._clients = [CTAP1(d) for d in devs]
+        self._clients = [Ctap1(d) for d in devs]
 
     def work(self, client):
         for _ in range(30):

diff --git a/gimme_aws_creds/webauthn.py b/gimme_aws_creds/webauthn.py
@@ -22,7 +22,8 @@
 from fido2.hid import CtapHidDevice, STATUS
 from fido2.utils import websafe_decode
 from fido2.webauthn import PublicKeyCredentialCreationOptions, \
-    PublicKeyCredentialType, PublicKeyCredentialParameters, PublicKeyCredentialDescriptor, UserVerificationRequirement
+    PublicKeyCredentialType, PublicKeyCredentialParameters, PublicKeyCredentialDescriptor, UserVerificationRequirement, \
+    PublicKeyCredentialRequestOptions
 
 from gimme_aws_creds.errors import NoFIDODeviceFoundError, FIDODeviceTimeoutError
 
@@ -75,14 +76,20 @@ def verify(self):
 
     def _verify(self, client):
         try:
+            user_verification = self._get_user_verification_requirement_from_client(client)
             options = PublicKeyCredentialRequestOptions(challenge=self._challenge, rp_id=self._rp['id'],
                                                         allow_credentials=self._allow_list, timeout=self._timeout_ms,
-                                                        user_verification=UserVerificationRequirement.PREFERRED)
+                                                        user_verification=user_verification)
 
             pin = self._get_pin_from_client(client)
-            self._assertions, self._client_data = client.get_assertion(options, event=self._event,
-                                                                       on_keepalive=self.on_keepalive,
-                                                                       pin=pin)
+            assertion_selection = client.get_assertion(options, event=self._event,
+                                                       on_keepalive=self.on_keepalive,
+                                                       pin=pin)
+            self._assertions = assertion_selection.get_assertions()
+            assert len(self._assertions) >= 0
+
+            assertion_res = assertion_selection.get_response(0)
+            self._client_data = assertion_res.client_data
             self._event.set()
         except ClientError as e:
             if e.code == ClientError.ERR.DEVICE_INELIGIBLE:
@@ -105,9 +112,11 @@ def _make_credential(self, client, user):
                                                      timeout=self._timeout_ms)
 
         pin = self._get_pin_from_client(client)
-        self._attestation, self._client_data = client.make_credential(options, event=self._event,
-                                                                      on_keepalive=self.on_keepalive,
-                                                                      pin=pin)
+        attestation_res = client.make_credential(options, event=self._event,
+                                                 on_keepalive=self.on_keepalive,
+                                                 pin=pin)
+
+        self._attestation, self._client_data = attestation_res.attestation_object, attestation_res.client_data
         self._event.set()
 
     def _run_in_thread(self, method, *args, **kwargs):
@@ -139,3 +148,10 @@ def _get_pin_from_client(client):
         # Prompt for PIN if needed
         pin = getpass("Please enter PIN: ")
         return pin
+
+    @staticmethod
+    def _get_user_verification_requirement_from_client(client):
+        if not client.info.options.get(CtapOptions.USER_VERIFICATION):
+            return None
+
+        return UserVerificationRequirement.PREFERRED
diff --git a/requirements.txt b/requirements.txt
@@ -4,6 +4,6 @@ beautifulsoup4>=4.6.0,<5.0.0
 configparser>=3.5.0,<4.0.0
 keyring>=21.4.0
 requests>=2.13.0,<3.0.0
-fido2>=0.9.1
+fido2>=0.9.1,<0.10.0
 okta>=0.0.4,<1.0.0
-ctap-keyring-device>=1.0.4
+ctap-keyring-device>=1.0.6