From b7f4ae21d17cc16580295bb5d6741bffb243e6ed Mon Sep 17 00:00:00 2001
From: Erik Hovland <erik@hovland.org>
Date: Wed, 15 Apr 2020 20:08:44 -0700
Subject: [PATCH 1/5] Add assume_role_with_saml to STSBackend.

Add the assume_role_with_saml method to the STSBackend class.
---
 moto/sts/models.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/moto/sts/models.py b/moto/sts/models.py
index 12824b2ed..b274b1acd 100644
--- a/moto/sts/models.py
+++ b/moto/sts/models.py
@@ -1,5 +1,7 @@
 from __future__ import unicode_literals
+from base64 import b64decode
 import datetime
+import xmltodict
 from moto.core import BaseBackend, BaseModel
 from moto.core.utils import iso_8601_datetime_with_milliseconds
 from moto.core import ACCOUNT_ID
@@ -79,5 +81,24 @@ class STSBackend(BaseBackend):
     def assume_role_with_web_identity(self, **kwargs):
         return self.assume_role(**kwargs)
 
+    def assume_role_with_saml(self, **kwargs):
+        del kwargs["principal_arn"]
+        saml_assertion_encoded = kwargs.pop("saml_assertion")
+        saml_assertion_decoded = b64decode(saml_assertion_encoded)
+        saml_assertion = xmltodict.parse(saml_assertion_decoded.decode("utf-8"))
+        kwargs["duration"] = int(
+            saml_assertion["samlp:Response"]["Assertion"]["AttributeStatement"][
+                "Attribute"
+            ][2]["AttributeValue"]
+        )
+        kwargs["role_session_name"] = saml_assertion["samlp:Response"]["Assertion"][
+            "AttributeStatement"
+        ]["Attribute"][0]["AttributeValue"]
+        kwargs["external_id"] = None
+        kwargs["policy"] = None
+        role = AssumedRole(**kwargs)
+        self.assumed_roles.append(role)
+        return role
+
 
 sts_backend = STSBackend()

From b10718eea7fde315003c2e8ee83bd92a2a5d03fe Mon Sep 17 00:00:00 2001
From: Erik Hovland <erik@hovland.org>
Date: Wed, 15 Apr 2020 20:10:22 -0700
Subject: [PATCH 2/5] Add AssumeRoleWithSAML response to responses.py.

Add the AssumeRoleWithSAML response to the available STS responses.
---
 moto/sts/responses.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/moto/sts/responses.py b/moto/sts/responses.py
index f36799b03..9af2c3e12 100644
--- a/moto/sts/responses.py
+++ b/moto/sts/responses.py
@@ -71,6 +71,19 @@ class TokenResponse(BaseResponse):
         template = self.response_template(ASSUME_ROLE_WITH_WEB_IDENTITY_RESPONSE)
         return template.render(role=role)
 
+    def assume_role_with_saml(self):
+        role_arn = self.querystring.get("RoleArn")[0]
+        principal_arn = self.querystring.get("PrincipalArn")[0]
+        saml_assertion = self.querystring.get("SAMLAssertion")[0]
+
+        role = sts_backend.assume_role_with_saml(
+            role_arn=role_arn,
+            principal_arn=principal_arn,
+            saml_assertion=saml_assertion,
+        )
+        template = self.response_template(ASSUME_ROLE_WITH_SAML_RESPONSE)
+        return template.render(role=role)
+
     def get_caller_identity(self):
         template = self.response_template(GET_CALLER_IDENTITY_RESPONSE)
 
@@ -168,6 +181,30 @@ ASSUME_ROLE_WITH_WEB_IDENTITY_RESPONSE = """<AssumeRoleWithWebIdentityResponse x
 </AssumeRoleWithWebIdentityResponse>"""
 
 
+ASSUME_ROLE_WITH_SAML_RESPONSE = """<AssumeRoleWithSAMLResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+  <AssumeRoleWithSAMLResult>
+    <Audience>https://signin.aws.amazon.com/saml</Audience>
+    <AssumedRoleUser>
+      <AssumedRoleId>{{ role.user_id }}</AssumedRoleId>
+      <Arn>{{ role.arn }}</Arn>
+    </AssumedRoleUser>
+    <Credentials>
+      <AccessKeyId>{{ role.access_key_id }}</AccessKeyId>
+      <SecretAccessKey>{{ role.secret_access_key }}</SecretAccessKey>
+      <SessionToken>{{ role.session_token }}</SessionToken>
+      <Expiration>{{ role.expiration_ISO8601 }}</Expiration>
+    </Credentials>
+    <Subject>{{ role.user_id }}</Subject>
+    <NameQualifier>B64EncodedStringOfHashOfIssuerAccountIdAndUserId=</NameQualifier>
+    <SubjectType>persistent</SubjectType>
+    <Issuer>http://localhost:3000/</Issuer>
+  </AssumeRoleWithSAMLResult>
+  <ResponseMetadata>
+    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
+  </ResponseMetadata>
+</AssumeRoleWithSAMLResponse>"""
+
+
 GET_CALLER_IDENTITY_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
   <GetCallerIdentityResult>
     <Arn>{{ arn }}</Arn>

From 88494c58f9a45a3d100837d74ad9b4bbc9e9d24e Mon Sep 17 00:00:00 2001
From: Erik Hovland <erik@hovland.org>
Date: Wed, 15 Apr 2020 20:11:33 -0700
Subject: [PATCH 3/5] Add a test for assume_role_with_saml.

Add a test with SAML assertion to test the assume_role_with_saml method
in the STSBackend.
---
 tests/test_sts/test_sts.py | 123 +++++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)

diff --git a/tests/test_sts/test_sts.py b/tests/test_sts/test_sts.py
index 4dee9184f..efc04beb4 100644
--- a/tests/test_sts/test_sts.py
+++ b/tests/test_sts/test_sts.py
@@ -1,4 +1,5 @@
 from __future__ import unicode_literals
+from base64 import b64encode
 import json
 
 import boto
@@ -103,6 +104,128 @@ def test_assume_role():
     )
 
 
+@freeze_time("2012-01-01 12:00:00")
+@mock_sts
+def test_assume_role_with_saml():
+    client = boto3.client("sts", region_name="us-east-1")
+
+    session_name = "session-name"
+    policy = json.dumps(
+        {
+            "Statement": [
+                {
+                    "Sid": "Stmt13690092345534",
+                    "Action": ["S3:ListBucket"],
+                    "Effect": "Allow",
+                    "Resource": ["arn:aws:s3:::foobar-tester"],
+                }
+            ]
+        }
+    )
+    role_name = "test-role"
+    provider_name = "TestProvFed"
+    user_name = "testuser"
+    role_input = "arn:aws:iam::{account_id}:role/{role_name}".format(
+        account_id=ACCOUNT_ID, role_name=role_name
+    )
+    principal_role = "arn:aws:iam:{account_id}:saml-provider/{provider_name}".format(
+        account_id=ACCOUNT_ID, provider_name=provider_name
+    )
+    saml_assertion = """
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_00000000-0000-0000-0000-000000000000" Version="2.0" IssueInstant="2012-01-01T12:00:00.000Z" Destination="https://signin.aws.amazon.com/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
+  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/</Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_00000000-0000-0000-0000-000000000000" IssueInstant="2012-12-01T12:00:00.000Z" Version="2.0">
+    <Issuer>http://localhost:3000/</Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#_00000000-0000-0000-0000-000000000000">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue>NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo=</ds:SignatureValue>
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>NTIyMzk0ZGI4MjI0ZjI5ZGNhYjkyOGQyZGQ1NTZjODViZjk5YTY4ODFjOWRjNjkyYzZmODY2ZDQ4NjlkZjY3YSAgLQo=</ds:X509Certificate>
+        </ds:X509Data>
+      </KeyInfo>
+    </ds:Signature>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{username}</NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <SubjectConfirmationData NotOnOrAfter="2012-01-01T13:00:00.000Z" Recipient="https://signin.aws.amazon.com/saml"/>
+      </SubjectConfirmation>
+    </Subject>
+    <Conditions NotBefore="2012-01-01T12:00:00.000Z" NotOnOrAfter="2012-01-01T13:00:00.000Z">
+      <AudienceRestriction>
+        <Audience>urn:amazon:webservices</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AttributeStatement>
+      <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
+        <AttributeValue>{username}@localhost</AttributeValue>
+      </Attribute>
+      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
+        <AttributeValue>arn:aws:iam::{account_id}:saml-provider/{provider_name},arn:aws:iam::{account_id}:role/{role_name}</AttributeValue>
+      </Attribute>
+      <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
+        <AttributeValue>900</AttributeValue>
+      </Attribute>
+    </AttributeStatement>
+    <AuthnStatement AuthnInstant="2012-01-01T12:00:00.000Z" SessionIndex="_00000000-0000-0000-0000-000000000000">
+      <AuthnContext>
+        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</samlp:Response>""".format(
+        account_id=ACCOUNT_ID,
+        role_name=role_name,
+        provider_name=provider_name,
+        username=user_name,
+    ).replace(
+        "\n", ""
+    )
+
+    assume_role_response = client.assume_role_with_saml(
+        RoleArn=role_input,
+        PrincipalArn=principal_role,
+        SAMLAssertion=b64encode(saml_assertion.encode("utf-8")).decode("utf-8"),
+    )
+
+    credentials = assume_role_response["Credentials"]
+    if not settings.TEST_SERVER_MODE:
+        credentials["Expiration"].isoformat().should.equal("2012-01-01T12:15:00+00:00")
+    credentials["SessionToken"].should.have.length_of(356)
+    assert credentials["SessionToken"].startswith("FQoGZXIvYXdzE")
+    credentials["AccessKeyId"].should.have.length_of(20)
+    assert credentials["AccessKeyId"].startswith("ASIA")
+    credentials["SecretAccessKey"].should.have.length_of(40)
+
+    assume_role_response["AssumedRoleUser"]["Arn"].should.equal(
+        "arn:aws:sts::{account_id}:assumed-role/{role_name}/{fed_name}@localhost".format(
+            account_id=ACCOUNT_ID, role_name=role_name, fed_name=user_name
+        )
+    )
+    assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].startswith("AROA")
+    assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].endswith(
+        ":{fed_name}@localhost".format(fed_name=user_name)
+    )
+    assume_role_response["AssumedRoleUser"]["AssumedRoleId"].should.have.length_of(
+        21 + 1 + len("{fed_name}@localhost".format(fed_name=user_name))
+    )
+
+
 @freeze_time("2012-01-01 12:00:00")
 @mock_sts_deprecated
 def test_assume_role_with_web_identity():

From 50111929cc16ea270b6c7d266c934777c15c9ad5 Mon Sep 17 00:00:00 2001
From: Bert Blommers <info@bertblommers.nl>
Date: Wed, 22 Apr 2020 12:18:27 +0100
Subject: [PATCH 4/5] STS - Handle AssumeRoleWithSAML as an unsigned request

---
 moto/server.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/moto/server.py b/moto/server.py
index 92fe6f229..7987a629d 100644
--- a/moto/server.py
+++ b/moto/server.py
@@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 
 import argparse
+import io
 import json
 import re
 import sys
@@ -29,6 +30,7 @@ UNSIGNED_REQUESTS = {
     "AWSCognitoIdentityService": ("cognito-identity", "us-east-1"),
     "AWSCognitoIdentityProviderService": ("cognito-idp", "us-east-1"),
 }
+UNSIGNED_ACTIONS = {"AssumeRoleWithSAML": ("sts", "us-east-1")}
 
 
 class DomainDispatcherApplication(object):
@@ -77,9 +79,13 @@ class DomainDispatcherApplication(object):
         else:
             # Unsigned request
             target = environ.get("HTTP_X_AMZ_TARGET")
+            action = self.get_action_from_body(environ)
             if target:
                 service, _ = target.split(".", 1)
                 service, region = UNSIGNED_REQUESTS.get(service, DEFAULT_SERVICE_REGION)
+            elif action and action in UNSIGNED_ACTIONS:
+                # See if we can match the Action to a known service
+                service, region = UNSIGNED_ACTIONS.get(action)
             else:
                 # S3 is the last resort when the target is also unknown
                 service, region = DEFAULT_SERVICE_REGION
@@ -130,6 +136,22 @@ class DomainDispatcherApplication(object):
                 self.app_instances[backend] = app
             return app
 
+    def get_action_from_body(self, environ):
+        body = None
+        try:
+            request_body_size = int(environ.get("CONTENT_LENGTH", 0))
+            if "wsgi.input" in environ:
+                body = environ["wsgi.input"].read(request_body_size).decode("utf-8")
+                body_dict = dict(x.split("=") for x in str(body).split("&"))
+                return body_dict["Action"]
+        except ValueError:
+            pass
+        finally:
+            if body:
+                # We've consumed the body = need to reset it
+                environ["wsgi.input"] = io.StringIO(body)
+        return None
+
     def __call__(self, environ, start_response):
         backend_app = self.get_application(environ)
         return backend_app(environ, start_response)

From 25d1e1059e6ad28050147dc2257e6a12846396a9 Mon Sep 17 00:00:00 2001
From: Bert Blommers <info@bertblommers.nl>
Date: Wed, 22 Apr 2020 14:07:19 +0100
Subject: [PATCH 5/5] STS - Only check request-body of eligible requests for
 Actions

---
 moto/server.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/moto/server.py b/moto/server.py
index 7987a629d..498f6c504 100644
--- a/moto/server.py
+++ b/moto/server.py
@@ -139,12 +139,16 @@ class DomainDispatcherApplication(object):
     def get_action_from_body(self, environ):
         body = None
         try:
-            request_body_size = int(environ.get("CONTENT_LENGTH", 0))
-            if "wsgi.input" in environ:
+            # AWS requests use querystrings as the body (Action=x&Data=y&...)
+            simple_form = environ["CONTENT_TYPE"].startswith(
+                "application/x-www-form-urlencoded"
+            )
+            request_body_size = int(environ["CONTENT_LENGTH"])
+            if simple_form and request_body_size:
                 body = environ["wsgi.input"].read(request_body_size).decode("utf-8")
-                body_dict = dict(x.split("=") for x in str(body).split("&"))
+                body_dict = dict(x.split("=") for x in body.split("&"))
                 return body_dict["Action"]
-        except ValueError:
+        except (KeyError, ValueError):
             pass
         finally:
             if body: