Validate SAML parameters before doing AssumeRoleWithSAML

Mike Morris · Mike Morris · commit c8add300cbf7 · 2020-09-04T10:58:25.000-05:00
Check that we have something resembling a value in the SAMLAssertion
and PrincipalARN before making the AssumeRole call.  We'll leave the
data validation to AWS, but make sure we provide a more helpful error
message in case these values aren't set.
diff --git a/lib/credentials/saml_role_credentials.go b/lib/credentials/saml_role_credentials.go
@@ -3,6 +3,7 @@ package credentials
 import (
 	"aws-runas/lib/cache"
 	"encoding/base64"
+	"fmt"
 	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -84,6 +85,14 @@ func (p *SamlRoleProvider) retrieve() (*cache.CacheableCredentials, error) {
 		p.Duration = AssumeRoleDefaultDuration
 	}
 
+	if len(p.SAMLAssertion) < 20 {
+		return nil, fmt.Errorf("invalid SAML Assertion detected, check your local SAML and identity provider configuration")
+	}
+
+	if len(p.principalArn) < 20 {
+		return nil, fmt.Errorf("invalid Principal ARN, check that your configured role ARN matches the identity provider configuration")
+	}
+
 	i := new(sts.AssumeRoleWithSAMLInput).SetDurationSeconds(p.validateDuration(p.Duration)).SetRoleArn(p.RoleARN).
 		SetPrincipalArn(p.principalArn).SetSAMLAssertion(p.SAMLAssertion)
 
