Initial commit

.circleci/config.yml

@@ -0,0 +1,69 @@
+version: 2
+
+tox_shared_config: &tox_shared_config
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "requirements-dev.txt" }}
+          - v1-dependencies-
+      - run:
+          name: install dependencies
+          command: |
+            virtualenv venv
+            . venv/bin/activate
+            pip install -r requirements-dev.txt
+      - save_cache:
+          paths:
+            - ./venv
+          key: v1-dependencies-{{ checksum "requirements-dev.txt" }}
+      - run:
+          name: run tests
+          command: |
+            . venv/bin/activate
+            tox -e "${CIRCLE_JOB}"
+
+jobs:
+  lint:
+    <<: *tox_shared_config
+    docker:
+      - image: circleci/python:3.7
+
+  py27:
+    <<: *tox_shared_config
+    docker:
+      - image: circleci/python:2.7
+
+  py36:
+    <<: *tox_shared_config
+    docker:
+      - image: circleci/python:3.6
+
+  py37:
+    <<: *tox_shared_config
+    docker:
+      - image: circleci/python:3.7
+  functional:
+    <<: *tox_shared_config
+    docker:
+      - image: circleci/python:3.7
+
+workflows:
+  version: 2
+  hygiene_and_tests:
+    jobs:
+      - lint
+      - py27:
+          requires:
+            - lint
+      - py36:
+          requires:
+            - lint
+      - py37:
+          requires:
+            - lint
+      - functional:
+          requires:
+            - py27
+            - py36
+            - py37

.gitignore

@@ -0,0 +1,106 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+.DS_Store

AUTHORS.rst

@@ -0,0 +1,17 @@
+Tokendito is written and maintained by Cloud Security and Engineering at Dow Jones, and
+various contributors:
+
+Dow Jones Cloud Security and Engineering
+```````````````````````
+
+- Sydney Sweeney
+- Nico Halpern
+- Lars Joergensen
+
+Patches and more
+```````````````````````
+- Kuber Kaul
+- Steve Stevenson
+- Roman Sluzhynskyy
+- Scott Rahner
+- Basant Singh

LICENSE.txt

@@ -0,0 +1,10 @@
+Copyright 2019 Dow Jones & Co.
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
+file except in compliance with the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF A
+NY KIND, either express or implied. See the License for the specific language governi
+ng permissions and limitations under the License.

MANIFEST.in

@@ -0,0 +1 @@
+include MANIFEST.in README.rst requirements.txt requirements-dev.txt

README.rst

@@ -0,0 +1,41 @@
+.. image:: https://raw.githubusercontent.com/dowjones/tokendito/master/docs/tokendito.png
+   :align: center
+
+Generate temporary AWS credentials via Okta. 
+
+.. image:: https://circleci.com/gh/dowjones/tokendito/tree/master.svg?style=svg
+    :target: https://circleci.com/gh/dowjones/tokendito/tree/master
+
+|
+|
+
+.. image:: https://raw.githubusercontent.com/dowjones/tokendito/master/docs/tokendito-scaled.gif
+
+NOTE: Advanced users may shorten the tokendito interaction to a single command.
+
+.. _STS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
+
+Use tokendito to generate temporary AWS credentials via Okta for programmatic authentication to AWS. Tokendito signs you in to Okta and uses your existing AWS integration to broker your SAML assertion into your AWS accounts, returning STS_ tokens into your local ``~/.aws/credentials`` file. 
+
+Requirements
+------------
+
+* Python 2.7.10+
+* Your AWS account is federated in Okta
+
+tokendito is compatible with both python 2 and 3, and can be installed with either pip or pip3.
+
+Getting started
+---------------
+
+#. Install (via PyPi): ``pip install tokendito``
+
+#. Run ``tokendito --configure``.
+
+#. Run ``tokendito``.
+
+Have multiple Okta tiles to switch between? View our `multi-tile guide <https://github.com/dowjones/tokendito/tree/master/docs#multi-tile-guide>`_.
+
+=====================================================================================================================================================================================================================================================
+Tips, tricks, troubleshooting, examples, and more docs are `here <https://github.com/dowjones/tokendito/blob/master/docs/README.rst>`_! Also, `contributions are welcome <https://github.com/dowjones/tokendito/blob/master/docs/CONTRIBUTING.rst>`_!
+=====================================================================================================================================================================================================================================================

docs/CODEOWNERS

@@ -0,0 +1,3 @@
+# Global Owners
+
+@dowjones/tokendito-owners

docs/CONTRIBUTING.rst

@@ -0,0 +1,29 @@
+============
+Contributing
+============
+
+Ideally create a topic branch for every separate change you make. Each logical change should be its own separate pull request. For example:
+
+
+#. Fork the repository.
+#. Create a  branch (\ ``git checkout -b feature/my-new-feature``\ , ``git checkout -b fix/my-fix``\ )
+#. Add and commit your changes to your fork (\ ``git commit -m 'Added some feature'``\ )
+#. Push to your fork (\ ``git push origin feature/my-new-feature``\ )
+#. Create new Pull Request from your fork onto the tokendito repo
+#. Assign the PR to a team member.
+
+See `GitHub Flow <https://guides.github.com/introduction/flow/>`_
+
+Git commit messages
+^^^^^^^^^^^^^^^^^^^
+
+
+* Separate subject from body with a blank line
+* Limit the subject line to 50 characters
+* Capitalize the subject line
+* Do not end the subject line with a period
+* Use the imperative mood in the subject line
+* Wrap the body at 72 characters
+* Use the body to explain what and why vs. how
+
+See best practices on `commit messages <https://chris.beams.io/posts/git-commit/>`_

docs/README.rst

@@ -0,0 +1,98 @@
+==========
+More Docs!
+==========
+
+.. contents:: Table of contents
+.. section-numbering::
+
+Additional Usage Reference
+--------------------------
+
+.. code-block:: sh
+
+    usage: tokendito  [-h] [--version] [--configure] [--username USERNAME]
+                      [--password PASSWORD] [--config-file CONFIG_FILE]
+                      [--okta-aws-app-url OKTA_AWS_APP_URL]
+                      [--okta-profile OKTA_PROFILE] [--aws-region AWS_REGION]
+                      [--aws-output AWS_OUTPUT] [--aws-profile AWS_PROFILE]
+                      [--mfa-method MFA_METHOD] [--mfa-response MFA_RESPONSE]
+                      [--role-arn ROLE_ARN] [--output-file OUTPUT_FILE]
+                      [--loglevel {DEBUG,INFO,WARN,ERROR}]
+
+    Gets a STS token to use with the AWS CLI
+
+    optional arguments:
+      -h, --help            show this help message and exit
+      --version, -v         Displays version and exit
+      --configure, -c       Prompt user for configuration parameters
+      --username USERNAME, -u USERNAME
+                            username to login to Okta. You can also use the
+                            OKTA_USERNAME environment variable.
+      --password PASSWORD, -p PASSWORD
+                            password to login to Okta. You can also user the
+                            OKTA_PASSWORD environment variable.
+      --config-file CONFIG_FILE, -C CONFIG_FILE
+                            Use an alternative configuration file
+      --okta-aws-app-url OKTA_AWS_APP_URL, -ou OKTA_AWS_APP_URL
+                            Okta App URL to use.
+      --okta-profile OKTA_PROFILE, -op OKTA_PROFILE
+                            Okta configuration profile to use.
+      --aws-region AWS_REGION, -r AWS_REGION
+                            Sets the AWS region for the profile
+      --aws-output AWS_OUTPUT, -ao AWS_OUTPUT
+                            Sets the AWS output type for the profile
+      --aws-profile AWS_PROFILE, -ap AWS_PROFILE
+                            Override AWS profile to save as in the credentials
+                            file.
+      --mfa-method MFA_METHOD, -mm MFA_METHOD
+                            Sets the MFA method
+      --mfa-response MFA_RESPONSE, -mr MFA_RESPONSE
+                            Sets the MFA response to a challenge
+      --role-arn ROLE_ARN, -R ROLE_ARN
+                            Sets the IAM role
+      --output-file OUTPUT_FILE, -o OUTPUT_FILE
+                            Log output to filename
+      --loglevel {DEBUG,INFO,WARN,ERROR}, -l {DEBUG,INFO,WARN,ERROR}
+                            [DEBUG|INFO|WARN|ERROR], default loglevel is ERROR.
+                            Note: DEBUG level may display credentials
+
+To upgrade:
+"""""""""""
+``pip install tokendito --upgrade``
+
+
+Installing from github:
+"""""""""""""""""""""""
+
+``pip install git+ssh://[email protected]/dowjones/tokendito.git@<version>``
+
+For instance, ``pip install git+ssh://[email protected]/dowjones/[email protected]``
+
+Troubleshooting:
+""""""""""""""""
+Validate your environment's AWS configuration profile(s) located at:
+
+``$HOME/.aws/config``
+
+``$HOME/.aws/credentials``
+
+``$HOME/.aws/okta_auth``
+
+
+Multi-tile Guide!
+-----------------
+If you have multiple AWS-type Okta tiles assigned to you, please update your local `$HOME/.aws/okta_auth <okta_auth.example>`_ with the links to your AWS tiles in Okta. You can get the link to your tile by right clicking on the tile in Okta and selecting "Copy Link URL." 
+This file supports multiple profiles, in case there is a need to connect with different Okta Orgs and tiles. tokendito can access the profiles by name, by passing in the ``--okta-profile`` parameter.
+
+ex:
+``tokendito --okta-profile my_prod_okta_tile``
+
+Without specifying a specific profile, tokendito will look for a default profile within that file.
+
+
+Design & Limitations
+--------------------
+
+* This tool does not cache and reuse Okta session IDs
+
+`Pull requests welcome <CONTRIBUTING.rst>`_!