Add sts_endpoint_url option

techservicesillinois · Mar 13, 2023 · 46ab987 · 46ab987
1 parent 819c4d2
commit 46ab987
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 10 deletions.
diff --git a/docs/readme.rst b/docs/readme.rst
@@ -332,6 +332,13 @@ http_header_passcode
 
         http_header_passcode = X-Shibboleth-Duo-Passcode
 
+sts_endpoint_url
+    The endpoint URL to use to communicate with the AWS Security
+    Token Service (STS). Generally, only needed for testing and
+    debugging::
+
+        sts_endpoint_url = http://localhost:5000
+
 verify_ssl_certificate
     Whether to verify the SSL certificate from the IdP. Defaults to true.
 

diff --git a/src/awscli_login/config.py b/src/awscli_login/config.py
@@ -64,6 +64,7 @@ class Profile:
     http_header_factor: str
     http_header_passcode: str
     verify_ssl_certificate: bool = True
+    sts_endpoint_url: Optional[str]
 
     # path to profile configuration file
     config_file: str
@@ -84,6 +85,7 @@ class Profile:
             'http_header_factor': None,
             'http_header_passcode': None,
             'verify_ssl_certificate': True,
+            'sts_endpoint_url': None,
     }
 
     _cli_only: Dict[str, Any] = {

diff --git a/src/awscli_login/plugin/__init__.py b/src/awscli_login/plugin/__init__.py
@@ -106,6 +106,12 @@ class Login(BasicCommand):
             'default': None,
             'help_text': 'HTTP Header to store the user\'s Duo passcode'
         },
+        {
+            'name': 'sts-endpoint-url',
+            'no_paramfile': True,
+            'default': None,
+            'help_text': 'AWS STS endpoint URL to retrieve credentials from'
+        },
         {
             'name': 'verify-ssl-certificate',
             'default': None,
@@ -204,6 +210,7 @@ class Configure(BasicCommand):
 * **duration** - Time in seconds credentials are valid
 * **http_header_factor** - HTTP Header to store Duo factor
 * **http_header_passcode** - HTTP Header to store passcode
+* **sts_endpoint_url** - Set to override default AWS STS endpoint
 * **verify_ssl_certificate** - Set to False to skip check of IdP SSL cert
 ''')
     SYNOPSIS = ('aws login configure')

diff --git a/src/awscli_login/plugin/__main__.py b/src/awscli_login/plugin/__main__.py
@@ -107,7 +107,10 @@ def main(profile: Profile, session: Session):
         logger.warning("Logged out: ignoring --force-refresh.")
 
     try:
-        client = session.create_client('sts')
+        client = session.create_client(
+            'sts',
+            endpoint_url=profile.sts_endpoint_url
+        )
 
         # Exit if already logged in
         profile.raise_if_logged_in()

diff --git a/src/integration_tests/tests/common-docker-idp.bash b/src/integration_tests/tests/common-docker-idp.bash
@@ -4,14 +4,16 @@
 load 'base'
 eval "_base_$(declare -f setup)"  # Rename setup to _base_setup
 
+export LOGIN="login --sts-endpoint-url=http://127.0.0.1:5000 --verify-ssl-certificate=false --password password"
+
 setup() {
     _base_setup
 
     # We cannot run integration tests dependent on Linux docker
     # containers on Windows runners because GitHub Actions does not
     # support Linux containers on Windows (See actions/runner-images#1143,
     # actions/runner#904, and actions/runner-images#5760).
-    if [ $RUNNER_OS == "Windows" ]; then
+    if [ "$RUNNER_OS" == "Windows" ]; then
         skip "Windows runners do not support Docker IdP integration tests."
     fi
 

diff --git a/src/integration_tests/tests/docker-idp-login.bats b/src/integration_tests/tests/docker-idp-login.bats
@@ -11,17 +11,16 @@ load 'common-docker-idp'
 		
 	EOF
 
-    run aws login --verify-ssl-certificate=false --password password
+    run aws $LOGIN
     assert_failure
     assert_output "404 Client Error:  for url: https://localhost:8443/bad/endpoint"
-    run aws login --verify-ssl-certificate=false --password password \
-        --ecp-endpoint-url 'https://localhost:8443/idp/profile/SAML2/SOAP/ECP'
-    assert_failure
-    assert_output -e "An error occurred \(InvalidIdentityToken\) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist \(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: [0-9a-f-]+; Proxy: null\)"
+    run aws $LOGIN --ecp-endpoint-url 'https://localhost:8443/idp/profile/SAML2/SOAP/ECP'
+    assert_success
+    assert_output ""
 }
 
 @test "Login with Docker IdP" {
-    run aws login --verify-ssl-certificate=false --password password
-    assert_failure
-    assert_output -e "An error occurred \(InvalidIdentityToken\) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist \(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: [0-9a-f-]+; Proxy: null\)"
+    run aws $LOGIN
+    assert_success
+    assert_output ""
 }
diff --git a/src/tests/util.py b/src/tests/util.py
@@ -115,6 +115,7 @@ def login_cli_args(
     duration=None,
     http_header_factor=None,
     http_header_passcode=None,
+    sts_endpoint_url=None,
     verify_ssl_certificate=True,
     # CLI only
     ask_password=False,