feat: add support for aws azuread federation (#165)

* feat: add support for aws azuread federation This adds support for using AzureAD to Federate into AWS. Fixes #160. * fix: added /oauth2/authorize presence check in AWS IAM Role Federated login window * fix: sanitized untrusted URLs Co-authored-by: Eric Villa <[email protected]>
Noovolari · Sep 8, 2021 · bc7f694 · bc7f694
1 parent 9b8f5c9
commit bc7f694
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/docs/use-cases/aws_iam_role.md b/docs/use-cases/aws_iam_role.md
@@ -1,7 +1,7 @@
 # AWS IAM Roles
 
 ## AWS IAM Federated Role
-Federation is established between **G Suite**, **Okta**, **OneLogin** and **AWS**. No more AWS credentials
+Federation is established between **G Suite**, **Okta**, **OneLogin**, **AzureAD**, and **AWS**. No more AWS credentials
 management is needed.
 
 Leapp allows you to get to cloud resources with company email and password.

diff --git a/docs/use-cases/intro.md b/docs/use-cases/intro.md
@@ -21,5 +21,5 @@ The use cases covered by Leapp are the following:
 - **OneLogin to AWS** - :white_check_mark:
 - **G Suite to Azure** - :white_check_mark:
 - **AZURE AD to Azure** - :white_check_mark:
-- **AZURE AD to AWS** - :soon:
+- **AZURE AD to AWS** - :white_check_mark:
 - **AWS Single Sign-On** - :white_check_mark:
diff --git a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
@@ -164,6 +164,7 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
           'https://*.onelogin.com/*',
           'https://*.okta.com/*',
           'https://accounts.google.com/ServiceLogin*',
+          'https://login.microsoftonline.com/*',
           'https://signin.aws.amazon.com/saml'
         ]
       };
@@ -172,7 +173,7 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
       // to construct the ideal method to deal with the construction of the response
       idpWindow.webContents.session.webRequest.onBeforeRequest(filter, (details, callback) => {
         // G Suite
-        if (details.url.indexOf('accounts.google.com/ServiceLogin') !== -1) {
+        if (details.url.indexOf('https://accounts.google.com/ServiceLogin') !== -1) {
           idpWindow = null;
           resolve(true);
         }
@@ -186,8 +187,13 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
           idpWindow = null;
           resolve(true);
         }
+        // AzureAD
+        if (details.url.indexOf('https://login.microsoftonline.com') !== -1 && details.url.indexOf('/oauth2/authorize') !== -1) {
+          idpWindow = null;
+          resolve(true);
+        }
         // Do not show window: already logged by means of session cookies
-        if (details.url.indexOf('signin.aws.amazon.com/saml') !== -1) {
+        if (details.url.indexOf('https://signin.aws.amazon.com/saml') !== -1) {
           idpWindow = null;
           resolve(false);
         }