okta-aws-cli icon indicating copy to clipboard operation
okta-aws-cli copied to clipboard
verified publisher icon okta

role arn matching in okta.yaml creates ambiguity

Open eric51893 opened this issue 1 year ago • 1 comments

roles in okta.yaml act as if they use "string contains" matching or maybe an implied wildcard.

Example from okta.yaml roles: "arn:aws:iam::.*:role/bu-readonly": "bu-readonly-okta-production"

The above matches multiple roles in the account that start with arn:aws:iam::.:role/bu-readonly and thus creates a confusing list of selectable options.

This can be avoided if we use a $ terminator like "arn:aws:iam::.*:role/bu-readonly$" to ensure it only matches at most once.

We would prefer that a wildcard (*) is required if you want to match multiple roles and not using a * should match only one arn.

eric51893 avatar Aug 13 '24 20:08 eric51893

I'll take a look at this ...

monde avatar Aug 28 '24 00:08 monde

@eric51893 regexp chars like $ are valid for the idp string e.g. arn:aws:iam::.*:role/bu-readonly$. This is the bit of code that does so: https://github.com/okta/okta-aws-cli/blob/master/internal/webssoauth/webssoauth.go#L230-L235

I'll update the test https://github.com/okta/okta-aws-cli/blob/master/internal/webssoauth/webssoauth_test.go#L189-L199 to show this

		{
			name: "regexp friendly label",
			alt:  "alternate",
			arn:  "arn:aws:iam::789:saml-provider/aidp",
			idps: map[string]string{
				"arn:aws:iam::123:saml-provider/youridp":  "YourIdP",
				"arn:aws:iam::123:saml-provider/myidp":    "My IdP",
				"arn:aws:iam::.*:saml-provider/aidp$":     "A IdP",
				"arn:aws:iam::.*:saml-provider/aidp-more": "A IdP more",
			},
			expected: "A IdP",
		},

monde avatar Jan 07 '25 19:01 monde

actually, I'm taking a second look at this.

monde avatar Jan 07 '25 19:01 monde

The implementation of the friendly label (regex patterns for ARNs) is using the MatchString function from golang regexp:

MatchString reports whether the string s contains any match of the regular expression pattern. More complicated queries need to use Compile and the full Regexp interface.

For IdPs: https://github.com/okta/okta-aws-cli/blob/master/internal/webssoauth/webssoauth.go#L232

For Roles: https://github.com/okta/okta-aws-cli/blob/master/internal/webssoauth/webssoauth.go#L444

Given an ARN, a look up the first label that matches that ARN is made given the pattern that matches it. If the regexps are too greedy then they'll need to be adjusted.

This is a convenience feature, I'll help anyone that can submit a PR to adjust the behavior but I'm unable to allocate more time to this.

monde avatar Jan 08 '25 00:01 monde

@monde thank you for the details on how this works. We will adopt use of the $ to terminate our role arns to avoid the greedy(string contains) type of behavior of the MatchString function.

eric51893 avatar Jan 13 '25 16:01 eric51893