
Merge pull request #256 from gene1wood/variable_claim_name_for_id_tok…
…en_for_roles

Remove hard coding of "amr" as OIDC claim name in idtoken_for_roles
floatingatoll authored Jul 25, 2023
2 parents 61c720d + 29510eb commit b1594c3
Showing 3 changed files with 13 additions and 18 deletions.
8 changes: 1 addition & 7 deletions .github/workflows/test.yml
Expand Up @@ -9,20 +9,14 @@ jobs:
strategy:
matrix:
platform: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["2.7", "3.6", "3.7", "3.8", "3.9", "3.10"]
python-version: ["3.7", "3.8", "3.9", "3.10"]
exclude:
- platform: macos-latest
python-version: "3.6"
- platform: macos-latest
python-version: "3.7"
- platform: macos-latest
python-version: "3.9"
- platform: macos-latest
python-version: "3.10"
- platform: windows-latest
python-version: "2.7"
- platform: windows-latest
python-version: "3.6"
- platform: windows-latest
python-version: "3.7"
- platform: windows-latest
19 changes: 11 additions & 8 deletions cloudformation/idtoken_for_roles/functions/idtoken_for_roles.py
Expand Up @@ -23,6 +23,8 @@
'ALLOWED_MAP_BUILDER_SUB_PREFIX', False)
GROUP_ROLE_MAP_BUILDER_FUNCTION_NAME = os.getenv(
'GROUP_ROLE_MAP_BUILDER_FUNCTION_NAME')
CLAIM_NAME = os.getenv(
'CLAIM_NAME', 'id')

METHOD_NOT_ALLOWED = {
'headers': {'Content-Type': 'text/html'},
Expand Down Expand Up @@ -78,9 +80,9 @@ def validate_token(token, key):
except exceptions.JWTError as e:
logger.error('Invalid JWT signature : {}'.format(e))
raise TokenValidationError('Invalid JWT signature')
if 'amr' not in id_token:
logger.error('amr claim missing from ID Token : {}'.format(id_token))
raise TokenValidationError('amr claim missing from ID Token')
if CLAIM_NAME not in id_token:
logger.error('{} claim missing from ID Token : {}'.format(CLAIM_NAME, id_token))
raise TokenValidationError('{} claim missing from ID Token'.format(CLAIM_NAME))
return id_token


Expand Down Expand Up @@ -129,17 +131,18 @@ def get_roles_and_aliases(token, key, cache):
roles = set()
aliases = {}
for group, mapped_roles in group_role_map.items():
if group in id_token['amr']:
if group in id_token[CLAIM_NAME]:
for role in mapped_roles:
aws_account_id = role.split(':')[4]
if (aws_account_id in account_alias_map
and len(account_alias_map[aws_account_id]) > 0):
if aws_account_id not in aliases:
logger.debug(
'Group {} found in AMR {} adding AWS Account '
'Group {} found in {} {} adding AWS Account '
'alias {} for account {}'.format(
group,
id_token['amr'],
CLAIM_NAME,
id_token[CLAIM_NAME],
account_alias_map[aws_account_id],
aws_account_id))
aliases[aws_account_id] = (
Expand All @@ -148,8 +151,8 @@ def get_roles_and_aliases(token, key, cache):
aliases[aws_account_id] = [aws_account_id]
roles.update(mapped_roles)
else:
logger.debug('Group {} not in amr {}'.format(
group, id_token['amr']))
logger.debug('Group {} not in {} {}'.format(
group, CLAIM_NAME, id_token[CLAIM_NAME]))
return {'roles': list(roles), 'aliases': aliases}


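Review bot: `if group in id_token[CLAIM_NAME]:` in get_roles_and_aliases still assumes the claim value is a JSON array, but once the claim name is operator-configurable nothing verifies its type; if the configured claim carries a string, Python's `in` becomes a substring test and a group named `admin` would match a value such as `notadmin`, mapping roles that were never granted (a dict value would match on keys). validate_token only checks presence, so I would tighten that check to `if not isinstance(id_token.get(CLAIM_NAME), list):` and raise `TokenValidationError('{} claim missing or not a list in ID Token'.format(CLAIM_NAME))`, keeping the existing logger.error line between them. The new default `'id'` also silently replaces the previous hard-coded `'amr'`, so a deployment that does not set CLAIM_NAME would start rejecting every token with "id claim missing"; presumably the CloudFormation template sets the variable, but either keep `'amr'` as the default or add a comment explaining why `'id'` was chosen. get_roles_and_aliases begins before this hunk and validate_token ends after it, so the type check belongs near the presence check shown in the `@@ -78,9 +80,9 @@` hunk.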
4 changes: 1 addition & 3 deletions tox.ini
@@ -1,10 +1,8 @@
[tox]
envlist = py{27,36,37,38,39,310}-{linux,macos,windows}, flake8
envlist = py{37,38,39,310}-{linux,macos,windows}, flake8

[gh-actions]
python =
2.7: py27
3.6: py36
3.7: py37
3.8: py38
3.9: py39
