
Version 0.3.4 returns no roles. #44

Closed
eikenb opened this issue Jun 21, 2017 · 10 comments

@eikenb

eikenb commented Jun 21, 2017

I have an existing 0.3.3 setup with python2.7 that works, logging me in with the appropriate role. After I upgrade to 0.3.4 it gives me "This account does not have access to any roles". I ran "pip install -I aws-adfs==0.3.3" to downgrade back to 0.3.3 and it works again.

Is there some configuration setting that I might have changed? I tried moving my .aws folder out of the way and starting from scratch, but that didn't help. When I do that though, I get this error before it prompts me for a username. Not sure if it is related or not.

2017-06-20 21:13:16,637 [authenticator authenticator.py:authenticate] [10592-MainProcess] [140651283568384-MainThread] - ERROR: Cannot extract saml assertion. Second factor authentication failed?

Thanks.

@venth
Owner

venth commented Jun 21, 2017

I think that the issue can be related to the changes introduced yesterday. Does your adfs server have duo second factor authentication enabled? Would you like to use --verbose and paste the log?

@venth venth added the bug label Jun 21, 2017
@eikenb
Author

eikenb commented Jun 21, 2017

We are not using duo second factor auth at present. I've pasted the log below. I elided the long session/token strings and anonymized the output.

2017-06-21 11:13:42,718 [connectionpool connectionpool.py:_new_conn] [5816-MainProcess] [140336628340480-MainThread] - DEBUG: Starting new HTTPS connection (1): adfs.foobar.com
2017-06-21 11:13:43,668 [connectionpool connectionpool.py:_make_request] [5816-MainProcess] [140336628340480-MainThread] - DEBUG: https://adfs.foobar.com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 200 6014
2017-06-21 11:13:43,670 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [5816-MainProcess] [140336628340480-MainThread] - DEBUG: Request:
* url: https://adfs.foobar.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
* headers: {'Content-Length': '37', 'Accept-Language': 'en', 'Accept-Encoding': 'gzip, deflate', 'Accept': '/', 'User-Agent': 'python-requests/2.18.1', 'Connection': 'keep-alive', 'Cookie': 'MSISLoopDetectionCookie=MxNy...pcMQ==; MSISAuthenticated=Ni8y...gUE0=; SamlSession=tc0O...tu44', 'Content-Type': 'application/x-www-form-urlencoded'}
Response:
* status: 200
* headers: {'Content-Length': '6014', 'Set-Cookie': 'SamlSession=dXJu...0TU3; path=/adfs; HttpOnly; Secure, MSISAuthenticated=Ni8y...gUE0=; path=/adfs; HttpOnly; Secure, MSISLoopDetectionCookie=MjAx...FpcMQ==; path=/adfs; HttpOnly; Secure', 'Expires': '-1', 'Server': 'Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0', 'Pragma': 'no-cache', 'Cache-Control': 'no-cache,no-store', 'Date': 'Wed, 21 Jun 2017 18:13:46 GMT', 'P3P': "ADFS doesn't have P3P policy, please contact your site's admin for more details", 'Content-Type': 'text/html; charset=utf-8'}
* body: <title>Working...</title>

Script is disabled. Click Submit to continue.

<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>

2017-06-21 11:13:43,672 [connectionpool connectionpool.py:_new_conn] [5816-MainProcess] [140336628340480-MainThread] - DEBUG: Starting new HTTPS connection (1): signin.aws.amazon.com
2017-06-21 11:13:44,153 [connectionpool connectionpool.py:_make_request] [5816-MainProcess] [140336628340480-MainThread] - DEBUG: https://signin.aws.amazon.com:443 "POST /saml HTTP/1.1" 200 None

@eikenb
Author

eikenb commented Jun 21, 2017

I cloned the repo to look at the differences between the versions and noticed a difference in what is tagged in the repo as 0.3.4 and what I got from pip install/pypi. Moreover if I moved the pip installed one out of the way and sym-linked the cloned directory to the venv's site-packages/aws_adfs directory... it works.

The files that are different in the cloned version vs the pypi version are: html_roles_fetcher.py and authenticator.py.
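The comparison described in this comment (pip-installed copy vs. git checkout, ignoring *.pyc) turned into a repeatable check. This is an added example, not code from aws-adfs, eikenb or venth; the directory layout and the sample file contents created in demo() are constructed assumptions, and the hypothetical command-line usage is `python verify_install.py <installed-dir> <checkout-dir>`.

```python
"""Check that an installed copy of a package matches a source checkout.

Added example (not aws-adfs code): automates the manual check
    diff -x '*.pyc' -ur <installed> <checkout>
so a release pulled from PyPI can be compared with the tagged source
before it is trusted with credentials. Paths and sample files are assumed.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

SOURCE_SUFFIXES = (".py",)           # only source files are compared
SKIP_DIRS = {"__pycache__", ".git"}  # bytecode and VCS metadata differ locally


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def source_digests(root: str) -> Dict[str, str]:
    """Map each source file under root (relative, '/'-separated) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune generated directories in place so os.walk does not descend
        dirnames[:] = [d for d in dirnames
                       if d not in SKIP_DIRS and not d.endswith(".egg-info")]
        for name in filenames:
            if name.endswith(SOURCE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = _sha256(full)
    return digests


def compare_trees(installed: str, checkout: str) -> Dict[str, List[str]]:
    """Return files that differ, exist only in the install, or only in the checkout."""
    a = source_digests(installed)
    b = source_digests(checkout)
    shared = a.keys() & b.keys()
    return {
        "modified": sorted(p for p in shared if a[p] != b[p]),
        "only_installed": sorted(a.keys() - b.keys()),
        "only_checkout": sorted(b.keys() - a.keys()),
    }


def trees_match(installed: str, checkout: str) -> bool:
    """True when the two trees contain identical source files."""
    return not any(compare_trees(installed, checkout).values())


def _write_tree(root: str, files: Dict[str, str]) -> None:
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Build two constructed sample trees (not real aws-adfs files) and compare them."""
    base = tempfile.mkdtemp(prefix="pkg_verify_")
    try:
        installed = os.path.join(base, "site-packages", "aws_adfs")
        checkout = os.path.join(base, "aws-adfs", "aws_adfs")
        common = {"__init__.py": "", "html_roles_fetcher.py": "def fetch(): pass\n"}
        _write_tree(installed, {**common,
            "authenticator.py": "def authenticate():\n    return {}\n",
            "__pycache__/authenticator.cpython-36.pyc": "bytecode",  # must be ignored
        })
        _write_tree(checkout, {**common,
            "authenticator.py": "def authenticate():\n    return extract_strategy()\n",
            "extra_module.py": "",  # present in the checkout only
        })
        return compare_trees(installed, checkout)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    result = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in result.items():
        print(kind, paths)
    sys.exit(0 if not any(result.values()) else 1)
```

Run it against the venv's site-packages/aws_adfs and the aws_adfs directory of a checkout of the release tag; a non-empty "modified" or "only_installed" list means the wheel or egg on PyPI was not built from the tagged tree, which is exactly the mismatch found in this thread.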

@venth
Owner

venth commented Jun 21, 2017

Please paste the patch, so I can identify the origin of these changes. I suspect that I wrongly packed the egg and uploaded it to pypi.

@eikenb
Author

eikenb commented Jun 21, 2017

diff -x '*.pyc' -ur aws_adfs-do-not-use/authenticator.py ../../../../aws-adfs/aws_adfs/authenticator.py
--- aws_adfs-do-not-use/authenticator.py	2017-06-20 21:09:13.000000000 -0700
+++ ../../../../aws-adfs/aws_adfs/authenticator.py	2017-06-21 11:43:05.067813987 -0700
@@ -1,4 +1,3 @@
-import logging
 import lxml.etree as ET
 
 from . import _duo_authenticator as duo_auth
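Review bot: dropping `import logging` on the `+` side is only correct if no `logging.*` call survives anywhere in authenticator.py; this hunk shows only the first four lines, and the next hunk stops at the `def _strategy(response, config, session):` header, so the body of `_strategy` and anything after it is unseen here. Grep the `+` side file for `logging.` before relying on the cleaned-up version.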
@@ -17,55 +16,9 @@
         password=password,
     )
 
-    assertion = None
-    aws_session_duration = None
+    extract_strategy = _strategy(response, config, session)
 
-    aggregated_principal_roles = None
-    if response.status_code == 200:
-        extract_strategy = _strategy(response, config, session)
-
-        principal_roles, assertion, aws_session_duration = extract_strategy()
-
-        if assertion is None:
-            logging.error(u'Cannot extract saml assertion. Second factor authentication failed?')
-        else:
-            aggregated_principal_roles = _aggregate_roles_by_account_alias(session,
-                                                                           config,
-                                                                           username,
-                                                                           password,
-                                                                           assertion,
-                                                                           principal_roles)
-
-    else:
-        logging.error(u'Cannot extract roles from response')
-
-    return aggregated_principal_roles, assertion, aws_session_duration
-
-
-def _aggregate_roles_by_account_alias(session,
-                                      config,
-                                      username,
-                                      password,
-                                      assertion,
-                                      principal_roles):
-    alias_response = session.post(
-        'https://signin.aws.amazon.com/saml',
-        verify=config.ssl_verification,
-        headers={
-            'Accept-Language': 'en',
-            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
-            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
-            'Accept': 'text/plain, */*; q=0.01',
-        },
-        auth=None,
-        data={
-            'UserName': username,
-            'Password': password,
-            'AuthMethod': config.provider_id,
-            'SAMLResponse': assertion,
-        }
-    )
-    return {}
+    return extract_strategy()
 
 
 def _strategy(response, config, session):
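Review bot: the `-` side of this hunk (the copy that shipped to PyPI as 0.3.4) is the defect behind the report: `_aggregate_roles_by_account_alias` POSTs `UserName` and `Password` together with the `SAMLResponse` to `https://signin.aws.amazon.com/saml`, never reads `alias_response`, and unconditionally returns `{}`, so every login ends with an empty role map, which is exactly "This account does not have access to any roles" and the extra `POST /saml` line in the verbose log above. Sending the ADFS password to the AWS sign-in endpoint is also unnecessary; that endpoint only needs the assertion. Two points on the `+` side deserve a second look: the `response.status_code == 200` guard is gone, so a non-200 response now flows into `_strategy(response, config, session)` instead of producing `Cannot extract roles from response`, and the `assertion is None` check that produced the `Cannot extract saml assertion. Second factor authentication failed?` error is gone too, so the caller of `authenticate` must handle a `None` assertion itself.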
diff -x '*.pyc' -ur aws_adfs-do-not-use/html_roles_fetcher.py ../../../../aws-adfs/aws_adfs/html_roles_fetcher.py
--- aws_adfs-do-not-use/html_roles_fetcher.py	2017-06-20 21:09:13.000000000 -0700
+++ ../../../../aws-adfs/aws_adfs/html_roles_fetcher.py	2017-06-21 11:43:05.067813987 -0700
@@ -69,13 +69,7 @@
         * status: {}
         * headers: {}
         * body: {}
-    '''.format(
-            authentication_url,
-            response.request.headers,
-            response.status_code,
-            response.headers,
-            response.text
-       ))
+    '''.format(authentication_url, response.request.headers, response.status_code, response.headers, response.text))
 
     if response.status_code >= 400:
         session.cookies.clear()
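Review bot: this hunk is a whitespace-only reflow of the `.format(...)` call and changes no behaviour, but note what the call logs at DEBUG: `response.request.headers` includes the `Cookie` header and `response.headers` includes `Set-Cookie`, so `--verbose` output carries the `SamlSession`, `MSISAuthenticated` and `MSISLoopDetectionCookie` values (visible, truncated, in the log pasted earlier in this thread). Consider redacting `Cookie` and `Set-Cookie` before formatting the message, and tell users to strip them before sharing logs in an issue.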

@eikenb
Author

eikenb commented Jun 21, 2017

The aws_adfs-do-not-use/authenticator.py one is from pypi, the ../../../../ one is from the git repo.

@venth
Owner

venth commented Jun 21, 2017

OK. I know what has happened. I've created the egg from an incomplete feature branch: https://github.com/venth/aws-adfs/tree/feature/35_ADFS_with_DUO_list_account_alias_instead_of_account_IDs

I need to think about automation of the release process.

@venth
Owner

venth commented Jun 21, 2017

I uploaded a new version, 0.3.5, with one commit (version increase and praise for you for your vigilance). Thank you.

@eikenb
Author

eikenb commented Jun 21, 2017

Great. I'll test 0.3.5 with python2.7 and python3.4 and let you know.

@eikenb
Author

eikenb commented Jun 21, 2017

I was able to refresh my current session without problem using both python 2.7 and 3.4. So I think you got it. Thanks!

@eikenb eikenb closed this as completed Jun 21, 2017
@venth venth modified the milestone: 0.3.5 Jun 22, 2017