From b8654aa6f9f49bd388987c8ce48e1bd58a44a023 Mon Sep 17 00:00:00 2001
From: pcmxgti <16561338+pcmxgti@users.noreply.github.com>
Date: Thu, 7 Dec 2023 11:01:39 -0500
Subject: [PATCH] Fix: Step-up checks too narrow

---
 tokendito/__init__.py | 2 +-
 tokendito/aws.py | 2 +-
 tokendito/okta.py | 18 ++++++++++++------
 tokendito/user.py | 7 +------
 4 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/tokendito/__init__.py b/tokendito/__init__.py
index d8c54ddf..16f12b07 100644
--- a/tokendito/__init__.py
+++ b/tokendito/__init__.py
@@ -1,7 +1,7 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.3.3"
+__version__ = "2.3.4"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"
diff --git a/tokendito/aws.py b/tokendito/aws.py
index d7ada323..3f2fc833 100644
--- a/tokendito/aws.py
+++ b/tokendito/aws.py
@@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
 saml_xml = okta.extract_saml_response(saml_response_string)
 if not saml_xml:
 state_token = okta.extract_state_token(saml_response_string)
- if "Extra Verification" in saml_response_string and state_token:
+ if state_token:
 logger.info(f"Step-Up authentication required for {url}.")
 if okta.step_up_authenticate(config, state_token):
 return authenticate_to_roles(config, urls)
diff --git a/tokendito/okta.py b/tokendito/okta.py
index fd18f2c3..ead588f5 100644
--- a/tokendito/okta.py
+++ b/tokendito/okta.py
@@ -250,7 +250,6 @@ def send_saml_response(config, saml_response):
 # Get the 'sid' value from the reponse cookies.
 sid = response.cookies.get("sid", None)
- logger.debug(f"New sid is {sid}")
 # If 'sid' is present, mask its value for logging purposes.
 if sid:
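Review bot: Dropping the `"Extra Verification"` substring check leaves the recursion on the following lines unbounded: `authenticate_to_roles` now calls itself whenever a state token is present and `step_up_authenticate` reports success, so a response that keeps returning a state token without ever yielding SAML (an expired session or a non-MFA Okta interstitial, for example) would loop until RecursionError instead of failing cleanly. A small bound keeps the widened trigger safe, e.g. `def authenticate_to_roles(config, urls, *, _step_up_attempts=0):` with the guard `if state_token and _step_up_attempts < MAX_STEP_UP_ATTEMPTS:` and the recursive call passing `_step_up_attempts=_step_up_attempts + 1`, logging an error once the limit is hit. The function body begins and ends outside this hunk, so whether the no-step-up path already terminates is not visible here.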
@@ -555,6 +554,12 @@ def authorize_request(oauth2_config, oauth2_session_data):
 params=payload,
 )
+ idx = HTTP_client.session.cookies.get("idx", None)
+ if idx:
+ user.add_sensitive_value_to_be_masked(idx)
+ else:
+ logger.debug("We did not find an 'idx' entry in the cookies.")
+
 authorize_code = get_authorize_code(response, session_token)
 return authorize_code
@@ -676,15 +681,16 @@ def idp_authenticate(config):
 logger.error("Okta auth failed: unknown type.")
 sys.exit(1)
- if is_saml2_authentication(auth_properties):
- # We may loop thru the saml2 servers until
- # we find the authentication server.
- saml2_authenticate(config, auth_properties)
- elif local_authentication_enabled(auth_properties):
+ # Possible recursion ahead. The exit condition should be the first if statement.
+ if local_authentication_enabled(auth_properties):
 session_token = local_authenticate(config)
 # authentication sends us a token
 # which we then put in our session cookies
 create_authn_cookies(config.okta["org"], session_token)
+ elif is_saml2_authentication(auth_properties):
+ # We may loop thru the saml2 servers until
+ # we find the authentication server.
+ saml2_authenticate(config, auth_properties)
 else:
 logger.error(
 f"{auth_properties['type']} login via IdP Discovery is not currently supported"
diff --git a/tokendito/user.py b/tokendito/user.py
index 8172c381..40457d24 100644
--- a/tokendito/user.py
+++ b/tokendito/user.py
@@ -76,12 +76,7 @@ def cmd_interface(args):
 # get authentication and authorization cookies from okta
 okta.access_control(config)
- logger.debug(
- f"""
- about to call discover_tile
- we have client cookies: {HTTP_client.session.cookies}
- """
- )
+
 if config.okta["tile"]:
 tile_label = ""
 config.okta["tile"] = (config.okta["tile"], tile_label)
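Review bot: `HTTP_client.session.cookies.get("idx", None)` looks the whole session jar up by name only; if `HTTP_client.session` is a `requests.Session`, `RequestsCookieJar.get` raises `CookieConflictError` (not `KeyError`) when an `idx` cookie exists for more than one domain or path, so the new masking step would abort the authorization rather than skip it. The `sid` handling in `send_saml_response` reads from `response.cookies`, the object that actually set the cookie; the same shape here, `idx = response.cookies.get("idx", None)`, or passing `domain=` to the jar lookup, keeps the lookup unambiguous — assuming the `idx` cookie arrives on this response, which the hunk does not show. `authorize_request` begins outside this hunk, so where `response` is obtained is not visible here.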
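Review bot: The added comment `# Possible recursion ahead. The exit condition should be the first if statement.` does not say where the recursion comes from or why the branch order changed, which is the substance of this hunk: local authentication now wins when `auth_properties` satisfies both `local_authentication_enabled` and `is_saml2_authentication`, and only that branch stops the loop. Something like `# saml2_authenticate() may re-enter idp_authenticate() for the next IdP; local authentication is tested first because it is the only branch that does not recurse.` records both facts for the next reader — the re-entry itself happens inside `saml2_authenticate`, outside this hunk, so confirm that is the path meant. Nothing in the hunk bounds the number of re-entries; if a misconfigured IdP chain can point back at the same org, a depth counter on `idp_authenticate` would turn a RecursionError into a clear error.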