From 440505e8cb159c80af39720ade740da7c18b6665 Mon Sep 17 00:00:00 2001
From: odg0318
Date: Fri, 27 Dec 2024 15:39:36 +0900
Subject: [PATCH] feat(tls): Adding option to skip TLS verification

---
 aws_okta_processor/commands/authenticate.py | 3 +++
 aws_okta_processor/core/fetcher.py | 5 +++++
 aws_okta_processor/core/saml.py | 14 ++++++++++----
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/aws_okta_processor/commands/authenticate.py b/aws_okta_processor/commands/authenticate.py
index bc39eff..8f16fe4 100644
--- a/aws_okta_processor/commands/authenticate.py
+++ b/aws_okta_processor/commands/authenticate.py
@@ -13,6 +13,7 @@
 --version Show version.
 --no-okta-cache Do not read Okta cache.
 --no-aws-cache Do not read AWS cache.
+ --no-tls-verify Do not verify TLS.
 -e --environment Dump auth into ENV variables.
 -u , --user= Okta user name.
 -p , --pass= Okta user password.
@@ -85,6 +86,7 @@
 "--silent": "AWS_OKTA_SILENT",
 "--no-okta-cache": "AWS_OKTA_NO_OKTA_CACHE",
 "--no-aws-cache": "AWS_OKTA_NO_AWS_CACHE",
+ "--no-tls-verify": "AWS_OKTA_NO_TLS_VERIFY",
 "--account-alias": "AWS_OKTA_ACCOUNT_ALIAS",
 "--target-shell": "AWS_OKTA_TARGET_SHELL",
 }
@@ -106,6 +108,7 @@
 "AWS_OKTA_SILENT": "silent",
 "AWS_OKTA_NO_OKTA_CACHE": "no-okta-cache",
 "AWS_OKTA_NO_AWS_CACHE": "no-aws-cache",
+ "AWS_OKTA_NO_TLS_VERIFY": "no-tls-verify",
 "AWS_OKTA_ACCOUNT_ALIAS": "account-alias",
 "AWS_OKTA_TARGET_SHELL": "target-shell",
 }
diff --git a/aws_okta_processor/core/fetcher.py b/aws_okta_processor/core/fetcher.py
index f3245e8..867840c 100644
--- a/aws_okta_processor/core/fetcher.py
+++ b/aws_okta_processor/core/fetcher.py
@@ -139,6 +139,7 @@ def _get_app_roles(self):
 saml_assertion=saml_assertion,
 accounts_filter=self._configuration.get("AWS_OKTA_ACCOUNT_ALIAS", None),
 sign_in_url=self._configuration.get("AWS_OKTA_SIGN_IN_URL", None),
+ no_tls_verify=self._configuration.get("AWS_OKTA_NO_TLS_VERIFY", None),
 )
 return (
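Review bot: The help line `--no-tls-verify Do not verify TLS.` understates what the option does: in this patch it turns off certificate verification for the AWS sign-in POST in saml.py and for both STS clients in fetcher.py, so the usage text should make clear that it is an insecure setting meant only for environments with a trusted intercepting proxy. Suggested wording: `--no-tls-verify Disable TLS certificate verification (insecure).`. If the project makes other HTTP calls outside these three files (for example to Okta), they are presumably unaffected by this patch, and the help text should not imply otherwise. The usage string and the two option maps continue outside their hunks.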
@@ -173,6 +174,8 @@ def _get_credentials(self):
 Returns:
 A dictionary containing AWS credentials and expiration time.
 """
+ tls_verify = (self._configuration["AWS_OKTA_NO_TLS_VERIFY"] == None)
+
 # Do NOT load credentials from ENV or ~/.aws/credentials
 client = boto3.client(
 "sts",
@@ -180,6 +183,7 @@ def _get_credentials(self):
 aws_secret_access_key="",
 aws_session_token="",
 region_name=self._configuration["AWS_OKTA_REGION"],
+ verify=tls_verify,
 )
 
 # Get available AWS roles and SAML assertion
@@ -217,6 +221,7 @@ def _get_credentials(self):
 aws_secret_access_key=credentials["SecretAccessKey"],
 aws_session_token=credentials["SessionToken"],
 region_name=self._configuration["AWS_OKTA_REGION"],
+ verify=tls_verify,
 )
 response = client.assume_role(
 RoleArn=secondary_role_arn,
diff --git a/aws_okta_processor/core/saml.py b/aws_okta_processor/core/saml.py
index 7d6d8be..dc21209 100644
--- a/aws_okta_processor/core/saml.py
+++ b/aws_okta_processor/core/saml.py
@@ -12,6 +12,7 @@
 from bs4 import BeautifulSoup # type: ignore[import-untyped]
 import requests # type: ignore[import-untyped]
 import six # type: ignore[import-untyped]
+import urllib3 # type: ignore[import-untyped]
 
 from aws_okta_processor.core.tty import print_tty
 
@@ -61,7 +62,7 @@ def get_saml_assertion(saml_response=None):
 
 
 def get_aws_roles( # pylint: disable=R0914
- saml_assertion=None, accounts_filter=None, sign_in_url=None
+ saml_assertion=None, accounts_filter=None, sign_in_url=None, no_tls_verify=None,
 ):
 """
 Parses the SAML assertion and extracts AWS roles.
@@ -99,7 +100,7 @@ def get_aws_roles( # pylint: disable=R0914
 if len(role_principals) > 1:
 # Retrieve account roles from AWS sign-in page
 account_roles = get_account_roles(
- saml_assertion=saml_assertion, sign_in_url=sign_in_url
+ saml_assertion=saml_assertion, sign_in_url=sign_in_url, no_tls_verify=no_tls_verify,
 )
 
 for account_role in account_roles:
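Review bot: `tls_verify = (self._configuration["AWS_OKTA_NO_TLS_VERIFY"] == None)` indexes the key directly while the `_get_app_roles` hunk above reads the same key with `.get(..., None)`, so a configuration dict that lacks the key raises KeyError here but not there; it also makes any non-None value mean "disable", so a value such as an empty string or `false` would switch verification off unless the configuration loader normalises flags beforehand (not visible in the hunk). Comparison with None should use `is` (ruff/pylint E711). Suggested: `tls_verify = self._configuration.get("AWS_OKTA_NO_TLS_VERIFY") is None`. The same `tls_verify` feeds `verify=` in the two `boto3.client` calls in the following two hunks; a short comment at the first use, `# verify=False disables certificate validation for STS; intended only for trusted-proxy setups`, would tell the next reader why an STS client would ever skip it. `_get_credentials` continues outside the hunk.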
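Review bot: The new `no_tls_verify=None` parameter of `get_aws_roles` is not described in the docstring that begins directly below it (`Parses the SAML assertion and extracts AWS roles.`); the same applies to `get_account_roles` in the `@@ -129,7 +130,7 @@` hunk. If these docstrings carry an Args section further down (outside the hunks), add an entry such as `no_tls_verify: when not None, disables TLS certificate verification for the AWS sign-in request (insecure; trusted-proxy environments only).`. Both function bodies continue outside their hunks.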
@@ -129,7 +130,7 @@ def get_aws_roles( # pylint: disable=R0914
 return aws_roles
 
 
-def get_account_roles(saml_assertion=None, sign_in_url=None):
+def get_account_roles(saml_assertion=None, sign_in_url=None, no_tls_verify=None):
 """
 Retrieves AWS account roles from the AWS SAML sign-in page.
 
@@ -144,8 +145,13 @@ def get_account_roles(saml_assertion=None, sign_in_url=None):
 
 data = {"SAMLResponse": saml_assertion, "RelayState": ""}
 
+ # Configure TLS verification
+ tls_verify = (no_tls_verify == None)
+ if not tls_verify:
+ urllib3.disalbe_warnings()
+
 # Post the SAML assertion to AWS sign-in URL
- response = requests.post(sign_in_url or AWS_SIGN_IN_URL, data=data, timeout=60)
+ response = requests.post(sign_in_url or AWS_SIGN_IN_URL, data=data, timeout=60, verify=tls_verify)
 soup = BeautifulSoup(response.text, "html.parser")
 accounts = soup.find("fieldset").find_all(
 "div", attrs={"class": "saml-account"}, recursive=False
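Review bot: `urllib3.disalbe_warnings()` is a typo for `urllib3.disable_warnings()`, so the first run with the option enabled raises AttributeError before the sign-in request is made — the only code path the option introduces in this function is broken. `tls_verify = (no_tls_verify == None)` should be `tls_verify = no_tls_verify is None` (E711), and it carries the same presence-equals-disable semantics as the fetcher.py hunk. Rather than silencing InsecureRequestWarning process-wide, which also hides it for every other urllib3 user in the same interpreter, consider leaving the warning in place or pairing the suppression with a one-line `print_tty` notice that certificate validation is off, so the degraded state stays visible in the terminal. The `import urllib3` hunk earlier also makes urllib3 a direct import; if it is not declared in the project's requirements it is only available transitively through requests. `get_account_roles` continues outside the hunk.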