From c156244a69457c7466af17e87eddee7825ac2b01 Mon Sep 17 00:00:00 2001
From: Jose Rojas
Date: Fri, 23 Mar 2018 09:41:11 -0700
Subject: [PATCH 1/2] Add missing SECRET_HASH key when responding to the NEW_PASSWORD_REQUIRED_CHALLENGE
---
 warrant/aws_srp.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/warrant/aws_srp.py b/warrant/aws_srp.py
index 3b53f34e..6878c9d0 100644
--- a/warrant/aws_srp.py
+++ b/warrant/aws_srp.py
@@ -239,6 +239,10 @@ def set_new_password_challenge(self, new_password, client=None):
 'USERNAME': auth_params['USERNAME'],
 'NEW_PASSWORD': new_password
 }
+
+ if self.client_secret is not None:
+ challenge_response['SECRET_HASH'] = self.get_secret_hash(self.username, self.client_id, self.client_secret)
+
 new_password_response = boto_client.respond_to_auth_challenge(
 ClientId=self.client_id,
 ChallengeName=self.NEW_PASSWORD_REQUIRED_CHALLENGE,
From 3dee8aa58cffee6f5b554df76767edd83152d959 Mon Sep 17 00:00:00 2001
From: Jose Rojas
Date: Mon, 26 Mar 2018 20:38:43 -0700
Subject: [PATCH 2/2] For challenge responses to username alias, use the USER_ID_FOR_SRP attribute as a challenge response paramter and to calculate the SECRET_HASH.
---
 warrant/__init__.py | 6 ++++++
 warrant/aws_srp.py | 12 +++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/warrant/__init__.py b/warrant/__init__.py
index 2a0c2313..e785b25d 100644
--- a/warrant/__init__.py
+++ b/warrant/__init__.py
@@ -365,6 +365,12 @@ def admin_authenticate(self, password):
 AuthParameters=auth_params,
 )
+ if tokens.get('ChallengeName') is not None:
+ if tokens.get('ChallengeName') == aws_srp.AWSSRP.NEW_PASSWORD_REQUIRED_CHALLENGE:
+ raise aws_srp.ForceChangePasswordException('Change password before authenticating')
+ else:
+ raise NotImplementedError('The %s challenge is not supported' % tokens.get('ChallengeName'))
+
 self.verify_token(tokens['AuthenticationResult']['IdToken'], 'id_token','id')
 self.refresh_token = tokens['AuthenticationResult']['RefreshToken']
 self.verify_token(tokens['AuthenticationResult']['AccessToken'], 'access_token','access')
diff --git a/warrant/aws_srp.py b/warrant/aws_srp.py
index 6878c9d0..686092f2 100644
--- a/warrant/aws_srp.py
+++ b/warrant/aws_srp.py
@@ -194,7 +194,7 @@ def process_challenge(self, challenge_parameters):
 if self.client_secret is not None:
 response.update({
 "SECRET_HASH":
- self.get_secret_hash(self.username, self.client_id, self.client_secret)})
+ self.get_secret_hash(user_id_for_srp, self.client_id, self.client_secret)})
 return response
 def authenticate_user(self, client=None):
@@ -235,13 +235,19 @@ def set_new_password_challenge(self, new_password, client=None):
 ChallengeResponses=challenge_response)
 if tokens['ChallengeName'] == self.NEW_PASSWORD_REQUIRED_CHALLENGE:
+ challenge_parameters = response['ChallengeParameters']
+ user_id_for_srp = challenge_parameters.get('USER_ID_FOR_SRP')
+
+ if user_id_for_srp is None:
+ user_id_for_srp = self.username
+
 challenge_response = {
- 'USERNAME': auth_params['USERNAME'],
+ 'USERNAME': user_id_for_srp,
 'NEW_PASSWORD': new_password
 }
 if self.client_secret is not None:
- challenge_response['SECRET_HASH'] = self.get_secret_hash(self.username, self.client_id, self.client_secret)
+ challenge_response['SECRET_HASH'] = self.get_secret_hash(user_id_for_srp, self.client_id, self.client_secret)
 new_password_response = boto_client.respond_to_auth_challenge(
 ClientId=self.client_id,
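Review bot: The new guard in admin_authenticate reads the challenge name three separate times via `tokens.get('ChallengeName')`, so the comparison and the text of the NotImplementedError can drift apart; bind it once, `challenge_name = tokens.get('ChallengeName')`, and use that local in the `is not None` test, the equality test and the message. Failing closed on any unrecognised challenge before `tokens['AuthenticationResult']` is touched is the right order, but both raises discard the rest of the response, so a caller cannot resume the challenge (e.g. an MFA step) even if the response carries the data needed to do so — whether it does is not visible in this hunk. A one-line comment above the guard saying that a ChallengeName means no tokens were issued and the caller must satisfy the challenge first would make the intent clear. admin_authenticate begins and ends outside this hunk.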
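Review bot: The SECRET_HASH in process_challenge is now computed over `user_id_for_srp`, a name that is bound above this hunk, so it is not visible here whether it has the same "absent USER_ID_FOR_SRP falls back to self.username" handling that the other hunk of this commit adds to set_new_password_challenge; if it does not, a missing parameter would put None into the HMAC input instead of the configured username. The value hashed here must be exactly the value sent as USERNAME in the same response dict (which is the point of this commit), and that coupling deserves a comment on the hash line: `# SECRET_HASH must be computed over the same USERNAME sent in this response`. process_challenge begins outside this hunk.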
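Review bot: The USER_ID_FOR_SRP lookup with its `self.username` fallback is written inline in set_new_password_challenge, while process_challenge (earlier hunk) relies on a `user_id_for_srp` resolved elsewhere; resolving it in one place so USERNAME and SECRET_HASH can never disagree between the two call sites would be safer, e.g. a small helper `def _user_id_for_srp(self, challenge_parameters):` whose body is `uid = challenge_parameters.get('USER_ID_FOR_SRP')` and `return self.username if uid is None else uid`. Note also that the parameters are taken from `response` (bound above the hunk, apparently an earlier call's result) rather than from `tokens`, the response whose ChallengeName is checked on the preceding line; a comment stating which response the parameters come from and why would prevent a future reader from "fixing" it. `response['ChallengeParameters']` raises KeyError when the parameters are absent while the key lookup uses `.get`, so the two failure modes are inconsistent — a `.get('ChallengeParameters', {})` would make the fallback uniform if that is the intent. set_new_password_challenge begins and ends outside this hunk.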