diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2f2862e..626e72f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,20 +9,14 @@ jobs:
 strategy:
 matrix:
 platform: [ubuntu-latest, macos-latest, windows-latest]
- python-version: ["2.7", "3.6", "3.7", "3.8", "3.9", "3.10"]
+ python-version: ["3.7", "3.8", "3.9", "3.10"]
 exclude:
- - platform: macos-latest
- python-version: "3.6"
 - platform: macos-latest
 python-version: "3.7"
 - platform: macos-latest
 python-version: "3.9"
 - platform: macos-latest
 python-version: "3.10"
- - platform: windows-latest
- python-version: "2.7"
- - platform: windows-latest
- python-version: "3.6"
 - platform: windows-latest
 python-version: "3.7"
 - platform: windows-latest
diff --git a/cloudformation/idtoken_for_roles/functions/idtoken_for_roles.py b/cloudformation/idtoken_for_roles/functions/idtoken_for_roles.py
index 5c210e8..98cb9b9 100644
--- a/cloudformation/idtoken_for_roles/functions/idtoken_for_roles.py
+++ b/cloudformation/idtoken_for_roles/functions/idtoken_for_roles.py
@@ -23,6 +23,8 @@
 'ALLOWED_MAP_BUILDER_SUB_PREFIX', False)
 GROUP_ROLE_MAP_BUILDER_FUNCTION_NAME = os.getenv(
 'GROUP_ROLE_MAP_BUILDER_FUNCTION_NAME')
+CLAIM_NAME = os.getenv(
+ 'CLAIM_NAME', 'id')

 METHOD_NOT_ALLOWED = {
 'headers': {'Content-Type': 'text/html'},
@@ -78,9 +80,9 @@ def validate_token(token, key):
 except exceptions.JWTError as e:
 logger.error('Invalid JWT signature : {}'.format(e))
 raise TokenValidationError('Invalid JWT signature')
- if 'amr' not in id_token:
- logger.error('amr claim missing from ID Token : {}'.format(id_token))
- raise TokenValidationError('amr claim missing from ID Token')
+ if CLAIM_NAME not in id_token:
+ logger.error('{} claim missing from ID Token : {}'.format(CLAIM_NAME, id_token))
+ raise TokenValidationError('{} claim missing from ID Token'.format(CLAIM_NAME))
 return id_token
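Review bot: The new default `'id'` for CLAIM_NAME is a behaviour change for every existing deployment that does not set the variable: validate_token now rejects any ID token lacking an `id` claim, where before it required `amr`, so unless the deployed IdP actually emits an `id` claim those deployments start failing with "id claim missing from ID Token". If the intent is a drop-in rename, keep the previous hard-coded claim as the default, `CLAIM_NAME = os.getenv('CLAIM_NAME', 'amr')`, or make the variable mandatory and fail at import when it is unset. A comment next to the constant should also state the contract the rest of the module relies on, e.g. `# Name of the ID token claim that holds the user's list of group names`, since get_roles_and_aliases does a membership test against its value.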
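Review bot: The new check only confirms that the claim named by CLAIM_NAME is present, not that it has the expected type, and now that the claim is operator-configurable a string-valued claim would turn the later `group in id_token[CLAIM_NAME]` into a Python substring test (pointing CLAIM_NAME at an e-mail claim, for instance, would let a group named `admin` match any address containing `admin`). Since this is the trust boundary, reject non-list values here: `if not isinstance(id_token.get(CLAIM_NAME), list):` followed by `raise TokenValidationError('{} claim missing or not a list'.format(CLAIM_NAME))`. Separately, the error path logs the entire decoded ID token at ERROR level, which puts every claim (subject, e-mail, names) into CloudWatch; logging only the claim names present, `sorted(id_token)`, is enough to diagnose a misconfigured CLAIM_NAME. validate_token's body starts outside the hunk.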
@@ -129,17 +131,18 @@ def get_roles_and_aliases(token, key, cache):
 roles = set()
 aliases = {}
 for group, mapped_roles in group_role_map.items():
- if group in id_token['amr']:
+ if group in id_token[CLAIM_NAME]:
 for role in mapped_roles:
 aws_account_id = role.split(':')[4]
 if (aws_account_id in account_alias_map
 and len(account_alias_map[aws_account_id]) > 0):
 if aws_account_id not in aliases:
 logger.debug(
- 'Group {} found in AMR {} adding AWS Account '
+ 'Group {} found in {} {} adding AWS Account '
 'alias {} for account {}'.format(
 group,
- id_token['amr'],
+ CLAIM_NAME,
+ id_token[CLAIM_NAME],
 account_alias_map[aws_account_id],
 aws_account_id))
 aliases[aws_account_id] = (
@@ -148,8 +151,8 @@ def get_roles_and_aliases(token, key, cache):
 aliases[aws_account_id] = [aws_account_id]
 roles.update(mapped_roles)
 else:
- logger.debug('Group {} not in amr {}'.format(
- group, id_token['amr']))
+ logger.debug('Group {} not in {} {}'.format(
+ group, CLAIM_NAME, id_token[CLAIM_NAME]))
 return {'roles': list(roles), 'aliases': aliases}
diff --git a/tox.ini b/tox.ini
index d856413..2c57655 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,10 +1,8 @@
 [tox]
-envlist = py{27,36,37,38,39,310}-{linux,macos,windows}, flake8
+envlist = py{37,38,39,310}-{linux,macos,windows}, flake8

 [gh-actions]
 python =
- 2.7: py27
- 3.6: py36
 3.7: py37
 3.8: py38
 3.9: py39
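Review bot: The membership test `if group in id_token[CLAIM_NAME]:` is re-evaluated for every entry of group_role_map and the same claim is looked up again inside both debug messages; bind it once before the loop, `user_groups = set(id_token[CLAIM_NAME])`, then use `if group in user_groups:` and pass `user_groups` to the log calls, which also makes each lookup O(1) rather than a list scan. That `set()` conversion presumes the claim holds a list of group-name strings — if an operator points CLAIM_NAME at a string-valued claim, the present `in` silently degrades to a substring match, so the type should be enforced where the token is validated rather than here. The debug lines also print the full claim value for every group in the map, which on a large map is a lot of per-request log volume. get_roles_and_aliases starts before this hunk and continues past it.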