Class: AWSUDO::IdentityProvider

Inherits:

Object

• Object
• AWSUDO::IdentityProvider

Defined in:

lib/awsudo/identity_provider.rb

Direct Known Subclasses

AWSUDO::IdentityProviders::Adfs, AWSUDO::IdentityProviders::Okta

Instance Attribute Summary

• #idp_login_url ⇒ Object

  Returns the value of attribute idp_login_url.

• #logger ⇒ Object

  Returns the value of attribute logger.

• #password ⇒ Object

  Returns the value of attribute password.

• #saml_provider_name ⇒ Object

  Returns the value of attribute saml_provider_name.

• #username ⇒ Object

  Returns the value of attribute username.

Class Method Summary

• .new_from_config(config, username, password) ⇒ Object
• .sts ⇒ Object

Instance Method Summary

• #assume_role(role_arn) ⇒ Object
• #get_saml_response ⇒ Object
• #initialize(url, name, username, password) ⇒ IdentityProvider constructor

  A new instance of IdentityProvider.

• #saml_request ⇒ Object

Constructor Details

#initialize(url, name, username, password) ⇒ IdentityProvider

Returns a new instance of IdentityProvider.

# File 'lib/awsudo/identity_provider.rb', line 29

def initialize(url, name, username, password)
  @idp_login_url = url
  @saml_provider_name = name
  @username = username
  @password = password
  @logger   = AWSUDO.logger
  begin
    URI.parse @idp_login_url
  rescue
    raise "`#{@idp_login_url.inspect}' is not a valid IDP login URL"
  end
  if @saml_provider_name.nil? || @saml_provider_name.strip.empty?
    raise "`#{@saml_provider_name.inspect}' is not a valid SAML provider name"
  end
end

Instance Attribute Details

#idp_login_url ⇒ Object

Returns the value of attribute idp_login_url.

# File 'lib/awsudo/identity_provider.rb', line 14

def idp_login_url
  @idp_login_url
end

#logger ⇒ Object

Returns the value of attribute logger.

# File 'lib/awsudo/identity_provider.rb', line 15

def logger
  @logger
end

#password ⇒ Object

Returns the value of attribute password.

# File 'lib/awsudo/identity_provider.rb', line 15

def password
  @password
end

#saml_provider_name ⇒ Object

Returns the value of attribute saml_provider_name.

# File 'lib/awsudo/identity_provider.rb', line 14

def saml_provider_name
  @saml_provider_name
end

#username ⇒ Object

Returns the value of attribute username.

# File 'lib/awsudo/identity_provider.rb', line 15

def username
  @username
end

Class Method Details

.new_from_config(config, username, password) ⇒ Object

# File 'lib/awsudo/identity_provider.rb', line 24

def self.new_from_config(config, username, password)
  new(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'],
           username, password)
end

.sts ⇒ Object

# File 'lib/awsudo/identity_provider.rb', line 17

def self.sts
  return @sts unless @sts.nil?
  @sts = Aws::STS::Client.new(
    credentials: Aws::Credentials.new('a', 'b', 'c'),
    region:      'us-east-1')
end

Instance Method Details

#assume_role(role_arn) ⇒ Object

# File 'lib/awsudo/identity_provider.rb', line 75

def assume_role(role_arn)
  logger.debug {"role_arn: <#{role_arn}>"}
  base_arn = role_arn[/^arn:aws:iam::\d+:/]
  principal_arn = "#{base_arn}saml-provider/#{saml_provider_name}"
  logger.debug {"principal_arn: <#{principal_arn}>"}
  saml_assertion = get_saml_response
  logger.debug {"saml_assertion: <#{Base64.decode64 saml_assertion}>"}
  if saml_assertion.empty?
    raise 'Unable to get SAML assertion (failed authentication?)'
  end
  self.class.sts.assume_role_with_saml(
    role_arn: role_arn,
    principal_arn: principal_arn,
    saml_assertion: saml_assertion).credentials.to_h
end

#get_saml_response ⇒ Object

# File 'lib/awsudo/identity_provider.rb', line 49

def get_saml_response
  req = saml_request
  res = nil
  uri = URI.parse(idp_login_url)

  loop do
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER

    res = http.request(req)
    logger.debug {"Location: <#{res['Location']}>"}
    logger.debug {"Headers: <#{res.to_hash.inspect}>"}
    logger.debug {"Body: <#{res.body.inspect}>"}

    break if res['Location'].nil?

    uri = URI.parse(res['Location'])
    req = Net::HTTP::Get.new(uri.request_uri)
    req['Cookie'] = res['Set-Cookie']
  end

  doc = Nokogiri::HTML(res.body)
  doc.xpath('/html/body//form/input[@name = "SAMLResponse"]/@value').to_s
end

#saml_request ⇒ Object

# File 'lib/awsudo/identity_provider.rb', line 45

def saml_request
  raise "should be implemented by subclass"
end