Merge pull request #70 from onelogin/fix_cris

Fix a number of issues
onelogin · Jun 6, 2022 · 6087324 · 6087324
2 parents a09aa38 + 9cbd82e
commit 6087324
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,5 @@
 ####### requirements.txt #######
 boto3
-onelogin
+onelogin>=2.0
 pyyaml
 lxml
diff --git a/setup.py b/setup.py
@@ -37,7 +37,7 @@
     package_data={'': ['accounts.yaml','onelogin.sdk.json']},
     install_requires=[
         'boto3>=1.7.84',
-        'onelogin>=1.9.0',
+        'onelogin>=2.0.3',
         'pyyaml>=5.1.2',
         'lxml'
     ],

diff --git a/src/aws_assume_role/aws_assume_role.py b/src/aws_assume_role/aws_assume_role.py
@@ -106,6 +106,14 @@ def get_options():
                         default=False,
                         help="By default in order to select Account/Role, the list will be ordered by account ids. Enable this to list by role name instead.",
                         action="store_true")
+    parser.add_argument("--ip",
+                        dest="ip",
+                        help="The IP address to use for the SAML assertion")
+    parser.add_argument("--saml-api-version",
+                        dest="saml_api_version",
+                        type=int,
+                        default=1,
+                        help="The version of the OneLogin SAML APIs to use")
 
     options = parser.parse_args()
 
@@ -153,6 +161,13 @@ def get_options():
     elif options.duration > 43200:
         options.duration = 43200
 
+    if not options.saml_api_version:
+        options.saml_api_version = 1
+    elif options.saml_api_version < 1:
+        options.saml_api_version = 1
+    elif options.saml_api_version > 2:
+        options.saml_api_version = 2
+
     return options
 
 
@@ -179,6 +194,7 @@ def get_client(options):
         client_id = options.client_id
         client_secret = options.client_secret
         region = options.region
+        ip = options.ip
     else:
         if options.config_file_path is not None and os.path.isfile(os.path.join(options.config_file_path, client_file_name)):
             json_data = open(os.path.join(options.config_file_path, client_file_name)).read()
@@ -199,6 +215,7 @@ def get_client(options):
     if not client_id or not client_secret:
         raise Exception("OneLogin Client ID and Secret are required")
     client = OneLoginClient(client_id, client_secret, region)
+    client.api_configuration["assertion"] = options.saml_api_version
     if ip:
         client.ip = ip
     client.prepare_token()
@@ -237,6 +254,8 @@ def get_saml_response(client, username_or_email, password, app_id, onelogin_subd
                     username_or_email = sys.stdin.readline().strip()
                 else:
                     raise Exception(error_msg)
+            elif client.error is not None:
+                print("Error %s. %s" % (client.error, client.error_description))
 
         if saml_endpoint_response and saml_endpoint_response.type == "pending":
             time.sleep(TIME_SLEEP_ON_RESPONSE_PENDING)
@@ -246,6 +265,10 @@ def get_saml_response(client, username_or_email, password, app_id, onelogin_subd
             print("Not able to get a SAMLResponse with success status after %s iteration(s)." % MAX_ITER_GET_SAML_RESPONSE)
             sys.exit()
 
+    if saml_endpoint_response and saml_endpoint_response.type == None:
+        print("SAML assertion failed with message: ", saml_endpoint_response.message)
+        sys.exit()
+
     if saml_endpoint_response and saml_endpoint_response.type == "success":
         if saml_endpoint_response.mfa is not None:
             device_type = None

diff --git a/src/aws_assume_role/version.py b/src/aws_assume_role/version.py
@@ -1,3 +1,3 @@
 #! /usr/bin/env python
 
-__version__ = '1.9.0'
+__version__ = '1.10.0'