From 0a7ca2ac6b279a71c12145195a38168f92c06c89 Mon Sep 17 00:00:00 2001
From: Michael Holt
Date: Mon, 30 Aug 2021 14:08:23 -0700
Subject: [PATCH 1/3] feat: add support for aws azuread federation

This adds support for using AzureAD to Federate into AWS.

Fixes #160.
---
 docs/use-cases/aws_iam_role.md | 2 +-
 docs/use-cases/intro.md | 2 +-
 .../session/aws/methods/aws-iam-role-federated.service.ts | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/use-cases/aws_iam_role.md b/docs/use-cases/aws_iam_role.md
index 3a937bcaf..8e718e920 100644
--- a/docs/use-cases/aws_iam_role.md
+++ b/docs/use-cases/aws_iam_role.md
@@ -1,7 +1,7 @@
 # AWS IAM Roles
 ## AWS IAM Federated Role
-Federation is established between **G Suite**, **Okta**, **OneLogin** and **AWS**. No more AWS credentials
+Federation is established between **G Suite**, **Okta**, **OneLogin**, **AzureAD**, and **AWS**. No more AWS credentials
 management is needed. Leapp allows you to get to cloud resources with company email and password.
diff --git a/docs/use-cases/intro.md b/docs/use-cases/intro.md
index b2ca06fdb..cc8edf113 100644
--- a/docs/use-cases/intro.md
+++ b/docs/use-cases/intro.md
@@ -21,5 +21,5 @@ The use cases covered by Leapp are the following:
 - **OneLogin to AWS** - :white_check_mark:
 - **G Suite to Azure** - :white_check_mark:
 - **AZURE AD to Azure** - :white_check_mark:
-- **AZURE AD to AWS** - :soon:
+- **AZURE AD to AWS** - :white_check_mark:
 - **AWS Single Sign-On** - :white_check_mark:
diff --git a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
index 7c2b6dca6..964b6ddc6 100644
--- a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
+++ b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
@@ -164,6 +164,7 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
         'https://*.onelogin.com/*',
         'https://*.okta.com/*',
         'https://accounts.google.com/ServiceLogin*',
+        'https://login.microsoftonline.com/*',
         'https://signin.aws.amazon.com/saml'
       ]
     };
@@ -186,6 +187,11 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
         idpWindow = null;
         resolve(true);
       }
+      // AzureAD
+      if (details.url.indexOf('login.microsoftonline.com') !== -1) {
+        idpWindow = null;
+        resolve(true);
+      }
       // Do not show window: already logged by means of session cookies
       if (details.url.indexOf('signin.aws.amazon.com/saml') !== -1) {
         idpWindow = null;

From b8e24412b942a7baa512c0b399270d56d7f5999a Mon Sep 17 00:00:00 2001
From: Eric Villa
Date: Tue, 7 Sep 2021 18:46:43 +0200
Subject: [PATCH 2/3] fix: added /oauth2/authorize presence check in AWS IAM Role Federated login window

---
 .../session/aws/methods/aws-iam-role-federated.service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
index 964b6ddc6..d66030657 100644
--- a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
+++ b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
@@ -188,7 +188,7 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
         resolve(true);
       }
       // AzureAD
-      if (details.url.indexOf('login.microsoftonline.com') !== -1) {
+      if (details.url.indexOf('login.microsoftonline.com') !== -1 && details.url.indexOf('/oauth2/authorize') !== -1) {
         idpWindow = null;
         resolve(true);
       }

From 47d04011de98fef6ed55dae69ab1cbd4878abe71 Mon Sep 17 00:00:00 2001
From: Eric Villa
Date: Wed, 8 Sep 2021 12:53:40 +0200
Subject: [PATCH 3/3] fix: sanitized untrusted URLs

---
 .../session/aws/methods/aws-iam-role-federated.service.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

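Review bot: The added AzureAD branch, like the ones above it, neither `return`s nor is `else`-chained, so a request whose URL satisfies more than one `indexOf` test runs several branches and calls `resolve` more than once; that is harmless only because a settled promise ignores later calls, and a `return;` after `resolve(true);` would make the first-match intent explicit. Nothing in the hunk invokes `callback`, and `onBeforeRequest` holds the request until the listener calls it, so the tail of the listener (outside this hunk) has to reach `callback({ cancel: false })` on every path — I cannot confirm that from here. `idpWindow = null;` also drops the window reference without closing it, a pattern inherited from the branches above; whether the window is destroyed elsewhere is not visible in the hunk. The enclosing `onBeforeRequest` listener starts before and ends after this hunk.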
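Review bot: `details.url.indexOf('/oauth2/authorize') !== -1` searches the whole URL, so it also fires when that fragment appears inside a query parameter, and it never fires for the v2.0 endpoint, whose path `/oauth2/v2.0/authorize` does not contain the substring — if a tenant's AWS enterprise app signs in through that endpoint (not visible here), the branch is skipped and the login window is never shown. Parsing the URL once makes both cases explicit: `const { hostname, pathname } = new URL(details.url);` followed by `if (hostname === 'login.microsoftonline.com' && /\/oauth2\/(v2\.0\/)?authorize$/.test(pathname)) {`. The enclosing listener starts before and ends after this hunk.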
diff --git a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
index d66030657..2a8996db3 100644
--- a/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
+++ b/src/app/services/session/aws/methods/aws-iam-role-federated.service.ts
@@ -173,7 +173,7 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
     // to construct the ideal method to deal with the construction of the response
     idpWindow.webContents.session.webRequest.onBeforeRequest(filter, (details, callback) => {
       // G Suite
-      if (details.url.indexOf('accounts.google.com/ServiceLogin') !== -1) {
+      if (details.url.indexOf('https://accounts.google.com/ServiceLogin') !== -1) {
         idpWindow = null;
         resolve(true);
       }
@@ -188,12 +188,12 @@ export class AwsIamRoleFederatedService extends AwsSessionService {
         resolve(true);
       }
       // AzureAD
-      if (details.url.indexOf('login.microsoftonline.com') !== -1 && details.url.indexOf('/oauth2/authorize') !== -1) {
+      if (details.url.indexOf('https://login.microsoftonline.com') !== -1 && details.url.indexOf('/oauth2/authorize') !== -1) {
         idpWindow = null;
         resolve(true);
       }
       // Do not show window: already logged by means of session cookies
-      if (details.url.indexOf('signin.aws.amazon.com/saml') !== -1) {
+      if (details.url.indexOf('https://signin.aws.amazon.com/saml') !== -1) {
         idpWindow = null;
         resolve(false);
       }
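Review bot: Prepending the scheme to the needle does not anchor the match — `indexOf('https://accounts.google.com/ServiceLogin') !== -1` still succeeds when that string sits in the query of a request to any other origin admitted by the `urls` filter, so the commit title "sanitized untrusted URLs" overstates what this line achieves. Requests reaching this listener have already passed the filter's host-anchored match patterns, which confines the exposure to the listed IdP and AWS hosts, but the branch should still compare parsed components rather than a substring: `const u = new URL(details.url);` then `if (u.hostname === 'accounts.google.com' && u.pathname.startsWith('/ServiceLogin')) {`. The listener's body continues past the end of this hunk.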
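Review bot: The two changed conditions still run `indexOf` over the whole URL, so `'https://login.microsoftonline.com'` and `'https://signin.aws.amazon.com/saml'` also match inside the query string of a request to another allowed origin; for the second one that means `resolve(false)` and a hidden window while the user still has to authenticate at the IdP, should an IdP redirect ever carry the AWS SAML endpoint as a parameter. Because the listener only sees URLs admitted by the host-anchored match patterns in `filter`, the residual risk is confined to those hosts, but comparing `hostname` and `pathname` from `new URL(details.url)` removes the ambiguity at no cost — `details.url` should always be an absolute URL here, so the constructor is not expected to throw. The rewrite below replaces only the AzureAD and SAML checks; the branches before them (outside this hunk) would take the same shape.
```typescript
      const { hostname, pathname } = new URL(details.url);
      // … unchanged: G Suite, OneLogin and Okta branches …
      // AzureAD
      if (hostname === 'login.microsoftonline.com' && /\/oauth2\/(v2\.0\/)?authorize$/.test(pathname)) {
        idpWindow = null;
        resolve(true);
      }
      // Do not show window: already logged by means of session cookies
      if (hostname === 'signin.aws.amazon.com' && pathname === '/saml') {
        idpWindow = null;
        resolve(false);
      }
```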