cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
538 stars 180 forks

Crashing on missing <input> value #214

Open sethp-verica opened 3 years ago

sethp-verica commented 3 years ago

I saw this while trying to auth today:

ERROR:root:'NoneType' object has no attribute 'get'
Traceback (most recent call last):
  File "/build/aws_google_auth/__init__.py", line 79, in cli
    process_auth(args, config)
  File "/build/aws_google_auth/__init__.py", line 243, in process_auth
    google_client.do_login()
  File "/build/aws_google_auth/google.py", line 325, in do_login
    sess = self.handle_prompt(sess)
  File "/build/aws_google_auth/google.py", line 621, in handle_prompt
    response_page.find('input', {
AttributeError: 'NoneType' object has no attribute 'get'

The code in question:

https://github.com/cevoaustralia/aws-google-auth/blob/3f3b73bea5b3c0a8161942b2ffc8423dbda93a4a/aws_google_auth/google.py#L619-L628

Running with --save-flow, I looked in aws-google-auth-2021-01-29T001110/ac.go.com~o~saml2~initsso_2.html and found that I was missing an <input> for checkedDomains and pstMsg:

  <input type="hidden" name="" value="">
  <input type="hidden" name="gxf" value="...">
  <input type="hidden" name="continue" value="...">
  <input type="hidden" name="followup" value="...">
  <input type="hidden" name="ltmpl" value="popup">
  <input type="hidden" name="scc" value="1">
  <input type="hidden" name="sarp" value="1">
  <input type="hidden" name="oauth" value="1">
  <input type="hidden" name="faa" value="1">
  <input id="profile-information" name="ProfileInformation" type="hidden" value="">
  <input id="session-state" name="SessionState" type="hidden" value="...">
  <input name="flowName" type="hidden" value="...">
  <input type="hidden" id="_utf8" name="_utf8" value="&#9731;"/>
  <input type="hidden" name="bgresponse" id="bgresponse" value="js_disabled">

I got past this locally by skipping over those fields:

diff --git a/aws_google_auth/google.py b/aws_google_auth/google.py
index 398eff5..6b35966 100644
--- a/aws_google_auth/google.py
+++ b/aws_google_auth/google.py
@@ -561,6 +561,7 @@ class Google:
         return self.post(challenge_url, data=payload)

     def handle_prompt(self, sess):
         response_page = BeautifulSoup(sess.text, 'html.parser')
         challenge_url = sess.url.split("?")[0]

@@ -616,16 +617,8 @@ class Google:
             response_page.find('input', {
                 'name': 'sarp'
             }).get('value'),
-            'checkedDomains':
-            response_page.find('input', {
-                'name': 'checkedDomains'
-            }).get('value'),
             'checkConnection':
             'youtube:1295:1',
-            'pstMsg':
-            response_page.find('input', {
-                'name': 'pstMsg'
-            }).get('value'),
             'TL':
             response_page.find('input', {
                 'name': 'TL'
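
Review bot: deleting the 'checkedDomains' and 'pstMsg' entries outright means they are never sent, even on prompt pages that do carry those inputs. Consider keeping them conditional: look each input up once and add the key to payload only when response_page.find(...) returns an element. The same unguarded .find(...).get('value') chain remains for 'sarp' and 'TL' in the context lines here, so a page missing either of those would raise the same AttributeError.
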
@@ -642,6 +635,14 @@ class Google:
             }).get('value'),
             'TrustDevice':
             'on',
         }

         return self.post(challenge_url, data=payload)
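
Review bot: the header "@@ -642,6 +635,14 @@" declares eight added lines, but this hunk shows only context lines and no "+" lines, so the patch as posted is incomplete and will not apply as-is; the first hunk ("-561,6 +561,7") has the same gap. Please repost with the added lines included, or drop these two hunks if the additions are not part of the fix, so that only the 'checkedDomains' and 'pstMsg' change remains.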

Which got me credentials, and they work, but I don't know what I'm doing when I skip adding those fields to the request, nor can I speak to why they're not in the payload Google handed back to me today.
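
An added example, not code from aws-google-auth or from this thread: one way to avoid the 'NoneType' object has no attribute 'get' crash is to collect the page's inputs once and handle absent fields explicitly. It uses the standard-library html.parser rather than BeautifulSoup so it runs without dependencies; InputCollector, build_payload, the sample page and the required/optional split are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the saved page quoted above: it has no
# checkedDomains or pstMsg input. All values are placeholders.
SAMPLE_PAGE = """
<form>
  <input type="hidden" name="" value="">
  <input type="hidden" name="continue" value="https://example.invalid/continue">
  <input type="hidden" name="sarp" value="1">
  <input type="hidden" name="TL" value="TL-PLACEHOLDER">
</form>
"""

# Assumption for illustration: which fields are required and which optional.
REQUIRED = ("continue", "sarp", "TL")
OPTIONAL = ("checkedDomains", "pstMsg")


class InputCollector(HTMLParser):
    """Collect name -> value for every named <input> element."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("name"):  # skip unnamed inputs
            self.fields.setdefault(attr["name"], attr.get("value") or "")


def build_payload(html, required=REQUIRED, optional=OPTIONAL):
    """Return the form fields to post back; raise if a required one is absent."""
    collector = InputCollector()
    collector.feed(html)
    collector.close()
    found = collector.fields
    missing = [name for name in required if name not in found]
    if missing:
        # Name the absent inputs instead of surfacing an AttributeError.
        raise ValueError("missing required input(s): " + ", ".join(missing))
    payload = {name: found[name] for name in required}
    # Optional inputs are sent only when the page actually carries them.
    payload.update({n: found[n] for n in optional if n in found})
    return payload


if __name__ == "__main__":
    print(build_payload(SAMPLE_PAGE))
```
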

stevemac007 commented 3 years ago

Which build are you using?

sethp-verica commented 3 years ago

I tried with 0.3.7 and the tip of the main branch, and both had the same issue. It looks like both are looking for those same fields unconditionally, so it makes sense that my "interstitial" (2fa waiting room? device prompt?) page that lacked either checkedDomains or pstMsg would fail in the same way.

I also tried with earlier versions, but then I ran into the issues I believe c22f5afeaddf5ea addressed.

ricoli commented 3 years ago

I'm seeing the same thing here

vkatsikaros commented 3 years ago

I have also run into the same problem with the most recent 0.0.37 version.

$ aws-google-auth --version
aws-google-auth 0.0.37

$ aws-google-auth   -p google   -u user@example.com   -I IIIIIIIIIIIIIIIIII   -S SSSSSSSSSS   -R eu-west-1   -d 36000   --save-failure-html -l debug
INFO:root:aws_google_auth: SAML cache not found
Google Password: 
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /o/saml2/initsso?idpid=IIIIIIIIIIIIIIIIII&spid=SSSSSSSSSS&forceauthn=false HTTP/1.1" 302 0
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/saml2/initsso?idpid%3DIIIIIIIIIIIIIIIIII%26spid%3DSSSSSSSSSS%26forceauthn%3Dfalse%26from_login%3D1%26as%3DAAAAAAAAAAAAAAAAAAAA&followup=https://accounts.google.com/o/saml2/initsso?idpid%3DIIIIIIIIIIIIIIIIII%26spid%3DSSSSSSSSSS%26forceauthn%3Dfalse%26from_login%3D1%26as%3DAAAAAAAAAAAAAAAAAAAA&ltmpl=popup&oauth=1&faa=1&sarp=1&scc=1 HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 302 565
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/pwd/1?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Finitsso%3Fidpid%3DIIIIIIIIIIIIIIIIII%26spid%3DSSSSSSSSSS%26forceauthn%3Dfalse%26from_login%3D1%26as%3DAAAAAAAAAAAAAAAAAAAA&sarp=1&scc=1&flowName=GlifWebSignIn&faa=1&oauth=1&ltmpl=popup&TL=TTTTTTTTTTTTTTTTTTTTTTTTTTTT HTTP/1.1" 200 None
INFO:root:Handling new-style login page
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/challenge/pwd/1 HTTP/1.1" 302 564
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/az/2?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Finitsso%3Fidpid%3DIIIIIIIIIIIIIIIIII%26spid%3DSSSSSSSSSS%26forceauthn%3Dfalse%26from_login%3D1%26as%3DAAAAAAAAAAAAAAAAAAAA&sarp=1&scc=1&flowName=GlifWebSignIn&faa=1&oauth=1&ltmpl=popup&TL=TTTTTTTTTTTTTTTTTTTTTTTTTTTT HTTP/1.1" 200 None
numerical code for prompt: 28
Open the Google App, and tap 'Yes' on the prompt to sign in ...
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): content.googleapis.com:443
DEBUG:urllib3.connectionpool:https://content.googleapis.com:443 "POST /cryptauth/v1/authzen/awaittx?alt=json&key=kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk HTTP/1.1" 200 None
ERROR:root:'NoneType' object has no attribute 'get'
Traceback (most recent call last):
  File "/home/ubuntu/.venv/aws-google-auth/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 79, in cli
    process_auth(args, config)
  File "/home/ubuntu/.venv/aws-google-auth/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 243, in process_auth
    google_client.do_login()
  File "/home/ubuntu/.venv/aws-google-auth/lib/python3.8/site-packages/aws_google_auth/google.py", line 325, in do_login
    sess = self.handle_prompt(sess)
  File "/home/ubuntu/.venv/aws-google-auth/lib/python3.8/site-packages/aws_google_auth/google.py", line 620, in handle_prompt
    response_page.find('input', {
AttributeError: 'NoneType' object has no attribute 'get'

LucasSymons commented 3 years ago

I was having this issue with 0.0.37 installed via Homebrew. Because Homebrew sucks at downgrading, I uninstalled it and installed 0.0.36 via pip directly: sudo pip install aws-google-auth==0.0.36

That worked for me. 3 consecutive logins without issue.

fernandolsantos commented 3 years ago

Confirming @LucasSymons's post, I was having the same problem. Downgraded to version 0.0.36 and it worked.