Merge branch 'master' of github.com:Prounckk/samltoawsstskeys into Prounckk-master

Author: prolane

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 2023-mar-20 (v3.3)
+* Option to set custom Session Duration
+
 ## 2022-dec-19 (v3.2)
 * Fix [#61](https://github.com/prolane/samltoawsstskeys/issues/61). Instead of using the aws http api directly for AssumeRoleWithSAML, this version switches to using the aws sdk. This is to fix processing large SAML Assertions.
 * Fix [#62](https://github.com/prolane/samltoawsstskeys/issues/62). When the IDP does not add a Session Duration as SAML Assertion Attribute, ignore and continue.

README.md

@@ -1,5 +1,5 @@
 # SAML to AWS STS Keys Conversion
-Google Chrome Extension which converts a SAML 2.0 assertion to AWS STS Keys (temporary credentials). Just log in to the AWS Web Management Console using your SAML IDP and the Chrome Extension will fetch the SAML Assertion from the HTTP request. The SAML Assertion is then used to call the assumeRoleWithSAML API to create the temporary credentials. (AccessKeyId, SecretAccessKey and SessionToken).
+Google Chrome Extension, which converts a SAML 2.0 assertion to AWS STS Keys (temporary credentials). Just log in to the AWS Web Management Console using your SAML IDP, and the Chrome Extension will fetch the SAML Assertion from the HTTP request. The SAML Assertion is then used to call the assumeRoleWithSAML API to create the temporary credentials. (AccessKeyId, SecretAccessKey and SessionToken).
 
 The Chrome Extension can be downloaded here:
 [Google Chrome Web Store](https://chrome.google.com/webstore/detail/ekniobabpcnfjgfbphhcolcinmnbehde/)
@@ -8,23 +8,25 @@ The Chrome Extension can be downloaded here:
 
 # Table of Contents
 * [Why this Chrome Extension?](#why)
-* [Getting Started](#gettingstarted)
-* [Create a symlink to your .aws directory (for Windows users)](#symlink)
+* [Getting Started from source](#gettingstarted)
 * [Plugin Development Notes](#development)
 * [Frequently Asked Question](#faq)
 
 ## <a name="why"></a>Why this Chrome Extension?
-If you don't have any user administration setup within AWS Identity & Access Management (IAM) but instead rely on your corporate user directory, i.e. Microsoft Active Directory. Your company uses a SAML 2.0 Identity Provider (IDP) to log in to the AWS Web Management Console (Single Sign On). Then this Chrome Estension if for you!
+If you don't have any user administration setup within AWS Identity & Access Management (IAM) but instead rely on your corporate user directory, i.e. Microsoft Active Directory. Your company uses a SAML 2.0 Identity Provider (IDP) to log in to the AWS Web Management Console (Single Sign On).
+Then this Chrome Extension is for you!
 
-You run into trouble as soon as you would like to execute some fancy scripts from your computer which calls the AWS API's. When sending a request to the AWS API's you need credentials, meaning an AccessKey and SecretKey. You can easily generate these keys for each user in AWS IAM. However, since you don't have any users in AWS IAM and don't want to create users just for the sake of having an AccessKey and SecretKey you are screwed. But there is a way to get temporary credentials specifically for your corporate identity.
+You run into trouble as soon as you want to execute some fancy scripts from your computer, which call the AWS API. When sending a request to the AWS API, you need credentials, meaning AccessKey and SecretKey. You can quickly generate these keys for each user in AWS IAM. However, since you don't have any users in AWS IAM and don't want to create users just for the sake of having an AccessKey and SecretKey, you are screwed. But there is a way to get temporary credentials specifically for your corporate identity.
 
-The Security Token Service (STS) from AWS provides an API action assumeRoleWithSAML. Using the SAML Assertion given by your IDP the Chrome Extension will call this API action to fetch temporary credentials. (AccessKeyId, SecretAccessKey and SessionToken). This way there is no need to create some sort of anonymous user in AWS IAM used for executing scripts. This would be a real security nightmare, since it won't be possible to audit who did what. This Chrome Extension however will make it super easy for you to just use your corporate identity for executing scripts calling AWS API's.
+The Security Token Service (STS) from AWS provides an API action assumeRoleWithSAML. Using the SAML Assertion given by your IDP, the Chrome Extension will call this API action to fetch temporary credentials. (AccessKeyId, SecretAccessKey and SessionToken). This way, there is no need to create some anonymous user in AWS IAM used for executing scripts. This would be an absolute security nightmare since it is impossible to audit who did what. This Chrome Extension, however, will make it super easy for you to use your corporate identity for executing scripts calling AWS API.
 
-## <a name="gettingstarted"></a>Getting Started
-TODO
-
-## <a name="symlink"></a>Create a symlink to your .aws directory (for Windows users)
-TODO
+## <a name="gettingstarted"></a>Getting Started from source
+1. Clone this repository
+2. Open Chrome and go to `chrome://extensions/`
+3. Enable Developer Mode
+4. Click on "Load unpacked extension..."
+5. Select the folder where you cloned this repository
+6. Enjoy!
 
 ## <a name="development"></a>Plugin Development Notes
 Here are some important notes for development of this plugin.
@@ -57,3 +59,6 @@ With security in mind Google has limited the Chrome browser to only read and wri
 
 3. How long are the credentials valid?
 AWS calls this 'session duration'. The default session duration is 1 hour. The maximum session duration is configured in AWS IAM as an attribute of the IAM Role. Your IDP might be configured to pass along an additional SAML claim which requests to apply a custom session duration. This value can be configured to be higher than the default of 1 hour. However, this can never be higher than the configured maximum session duration on the IAM Role as this will result in an error.
+
+4. Create a symlink to your .aws directory
+TODO

background/script.js

@@ -6,6 +6,7 @@ importScripts(
 // Global variables
 let FileName = 'credentials';
 let ApplySessionDuration = true;
+let CustomSessionDuration = 3600;
 let DebugLogs = false;
 let RoleArns = {};
 let LF = '\n';
@@ -15,19 +16,19 @@ let LF = '\n';
 loadItemsFromStorage();
 // Additionaly on start of the background process it is checked if this extension can be activated
 chrome.storage.sync.get({
-    // The default is activated
-    Activated: true
-  }, function(item) {
-    if (item.Activated) addOnBeforeRequestEventListener();
+  // The default is activated
+  Activated: true
+}, function(item) {
+  if (item.Activated) addOnBeforeRequestEventListener();
 });
 // Additionally on start of the background process it is checked if a new version of the plugin is installed.
 // If so, show the user the changelog
 // var thisVersion = chrome.runtime.getManifest().version;
-chrome.runtime.onInstalled.addListener(function(details){
-  if(details.reason == "install" || details.reason == "update"){
+chrome.runtime.onInstalled.addListener(function(details) {
+  if (details.reason == "install" || details.reason == "update") {
     // Open a new tab to show changelog html page
-    chrome.tabs.create({url: "../options/changelog.html"});
-    }
+    chrome.tabs.create({ url: "../options/changelog.html" });
+  }
 });
 
 
@@ -41,7 +42,7 @@ function addOnBeforeRequestEventListener() {
   } else {
     chrome.webRequest.onBeforeRequest.addListener(
       onBeforeRequestEvent,
-      {urls: ["https://signin.aws.amazon.com/saml"]},
+      { urls: ["https://signin.aws.amazon.com/saml"] },
       ["requestBody"]
     );
     if (DebugLogs) console.log('DEBUG: onBeforeRequest Listener added');
@@ -73,10 +74,10 @@ async function onBeforeRequestEvent(details) {
     samlXmlDoc = decodeURIComponent(unescape(atob(details.requestBody.formData.SAMLResponse[0])));
   } else if (details.requestBody.raw) {
     let combined = new ArrayBuffer(0);
-    details.requestBody.raw.forEach(function(element) { 
-      let tmp = new Uint8Array(combined.byteLength + element.bytes.byteLength); 
-      tmp.set( new Uint8Array(combined), 0 ); 
-      tmp.set( new Uint8Array(element.bytes),combined.byteLength ); 
+    details.requestBody.raw.forEach(function(element) {
+      let tmp = new Uint8Array(combined.byteLength + element.bytes.byteLength);
+      tmp.set(new Uint8Array(combined), 0);
+      tmp.set(new Uint8Array(element.bytes), combined.byteLength);
       combined = tmp.buffer;
     });
     let combinedView = new DataView(combined);
@@ -138,14 +139,15 @@ async function onBeforeRequestEvent(details) {
     hasRoleIndex = roleIndex != undefined;
   }
 
-  // Only set the SessionDuration if it was supplied by the SAML provider and 
-  // when the user has configured to use this feature.
+  // Set the session duration to the value of CustomSessionDuration if:
+  // * session duration was not supplied in the SAML assertion
+  // * user configured to NOT use the session duration supplied in the SAML assertion
   if (typeof sessionduration === 'undefined' || !ApplySessionDuration) {
-    sessionduration = null
+    sessionduration = CustomSessionDuration
   }
 
   // Change newline sequence when client is on Windows
-  if (navigator.userAgent.indexOf('Windows')  !== -1) {
+  if (navigator.userAgent.indexOf('Windows') !== -1) {
     LF = '\r\n'
   }
 
@@ -376,37 +378,40 @@ function outputDocAsDownload(docContent) {
 // This Listener receives messages from options.js and popup.js
 // Received messages are meant to affect the background process.
 chrome.runtime.onMessage.addListener(
-  function(request, sender, sendResponse) {
+  function (request, sender, sendResponse) {
     // When the options are changed in the Options panel
     // these items need to be reloaded in this background process.
     if (request.action == "reloadStorageItems") {
       loadItemsFromStorage();
-      sendResponse({message: "Storage items reloaded in background process."});
+      sendResponse({ message: "Storage items reloaded in background process." });
     }
     // When the activation checkbox on the popup screen is checked/unchecked
     // the webRequest event listener needs to be added or removed.
     if (request.action == "addWebRequestEventListener") {
       if (DebugLogs) console.log('DEBUG: Extension enabled from popup');
       addOnBeforeRequestEventListener();
-      sendResponse({message: "webRequest EventListener added in background process."});
+      sendResponse({ message: "webRequest EventListener added in background process." });
     }
     if (request.action == "removeWebRequestEventListener") {
       if (DebugLogs) console.log('DEBUG: Extension disabled from popup');
       removeOnBeforeRequestEventListener();
-      sendResponse({message: "webRequest EventListener removed in background process."});
+      sendResponse({ message: "webRequest EventListener removed in background process." });
     }
   });
 
 
 
 function loadItemsFromStorage() {
+  //default values for the options
   chrome.storage.sync.get({
     FileName: 'credentials',
     ApplySessionDuration: 'yes',
+    CustomSessionDuration: '3600',
     DebugLogs: 'no',
     RoleArns: {}
-  }, function(items) {
+  }, function (items) {
     FileName = items.FileName;
+    CustomSessionDuration = items.CustomSessionDuration;
     if (items.ApplySessionDuration == "no") {
       ApplySessionDuration = false;
     } else {

manifest.json

@@ -4,7 +4,7 @@
   "homepage_url": "https://github.com/prolane/samltoawsstskeys",
   "name": "SAML to AWS STS Keys Conversion",
   "description": "Generates file with AWS STS Keys after logging in to AWS webconsole using SSO (SAML 2.0). It leverages 'assumeRoleWithSAML' API.",
-  "version": "3.2",
+  "version": "3.3",
   "icons": {  "16": "icons/icon_16.png",
               "32": "icons/icon_32.png",
               "48": "icons/icon_48.png",

options/changelog.html

@@ -20,6 +20,13 @@
   <hr>
 
   <div id="divChangelog">
+    <h3>2023-mar-20<br>v3.3</h3>
+    <ul>
+      <li>Option to set custom Session Duration.</li>
+    </ul>
+    <br />
+    <br />
+
     <h3>2022-dec-19<br>v3.2</h3>
     <ul>
       <li>Fix <a href="https://github.com/prolane/samltoawsstskeys/issues/61" target="_blank">#61</a>. Instead of using the aws http api directly for AssumeRoleWithSAML, this version switches to using the aws sdk. This is to fix processing large SAML Assertions.</li>

options/options.css

@@ -21,6 +21,21 @@ div {
   background-color: #fef6e0;
 }
 
+#divCustomSessionDuration {
+  padding-left: 0px;
+  padding-top: 0px;
+  padding-bottom: 0px;
+  padding-right: 0px;
+}
+
+.element-visible {
+  display: block;
+}
+
+.element-hide {
+  display: none;
+}
+
 .setting-part {
   width: 876px;
   border-radius: 10px;

options/options.html

@@ -25,14 +25,20 @@
     </div>
 
     <div id="divSessionDuration" class="setting-part">
-      <label>[OPTIONAL]</label><br>
-      <label>Apply the SessionDuration requested by the SAML provider</label>
+      <label>Apply the session duration requested by the SAML provider</label>
       <br />
       <select name="SessionDuration" id="SessionDuration">
         <option value="yes">yes</option>
         <option value="no">no</option>
       </select>
       <br><br>
+      <div id="divCustomSessionDuration">
+        <label>Set custom session duration in seconds. Example: 14400 is 4 hours
+        <br>Note: the requested session duration can NOT be more than MaxSessionDuration set for this role.</label>
+        <br />
+        <input type="text" name="CustomSessionDuration" id="CustomSessionDuration" size="40">
+        <br><br>
+      </div>
       <label>Enable DEBUG logs</label>
       <br />
       <select name="DebugLogs" id="DebugLogs">