#!/usr/bin/env python
import base64
import binascii
import datetime as dt
import getpass
import hashlib
import hmac
import os

import boto3
# http://pythonhosted.org/srp/
# https://github.com/cocagne/pysrp
import srp
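def bytes_to_hex(data):
    """Return the lowercase hex encoding of a byte string as text."""
    # hexlify works on Python 2 str and Python 3 bytes alike; the original
    # ord()-per-character loop only worked on Python 2.
    return binascii.hexlify(data).decode('ascii')


cognito = boto3.client('cognito-idp', region_name="us-east-1")

# The password is taken from the environment or an interactive prompt, so no
# real credential is stored in this file or its history. The variable names
# COGNITO_USERNAME / COGNITO_PASSWORD are this script's own convention.
username = os.environ.get("COGNITO_USERNAME", "foobar@foobar.com")
password = (os.environ.get("COGNITO_PASSWORD")
            or getpass.getpass("Cognito password: "))
user_pool_id = u"us-east-1_XXXXXXXXX"
client_id = u"XXXXXXXXXXXXXXXXXXXXXXXXXX"

# Step 1:
# Use SRP lib to construct a SRP_A value.
srp_user = srp.User(username, password)
_, srp_a_bytes = srp_user.start_authentication()
srp_a_hex = bytes_to_hex(srp_a_bytes)

# Step 2:
# Submit USERNAME & SRP_A to Cognito, get challenge.
response = cognito.initiate_auth(
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={'USERNAME': username, 'SRP_A': srp_a_hex},
    ClientId=client_id,
    ClientMetadata={'UserPoolId': user_pool_id})

# Step 3:
# Use challenge parameters from Cognito to construct
# challenge response.
# Only continue on the challenge this script knows how to answer; any other
# challenge would carry different parameters.
if response.get('ChallengeName') != 'PASSWORD_VERIFIER':
    raise RuntimeError(
        "unexpected Cognito challenge: %r" % response.get('ChallengeName'))

challenge = response['ChallengeParameters']
salt_hex = challenge['SALT']
srp_b_hex = challenge['SRP_B']
secret_block_b64 = challenge['SECRET_BLOCK']
secret_block_bytes = base64.standard_b64decode(secret_block_b64)
secret_block_hex = bytes_to_hex(secret_block_bytes)
salt_bytes = binascii.unhexlify(salt_hex)
srp_b_bytes = binascii.unhexlify(srp_b_hex)

process_challenge_bytes = srp_user.process_challenge(salt_bytes,
                                                     srp_b_bytes)
# NOTE(review): pysrp is understood to return None when its SRP-6a safety
# check rejects the server value; fail here instead of inside hmac.new().
if process_challenge_bytes is None:
    raise RuntimeError("SRP challenge from server was rejected")

# %M is minutes; the original used %m (month) in the minutes position, which
# produced a timestamp that was wrong for most of every hour.
# NOTE(review): Cognito-aware clients send the day of month without zero
# padding and the zone as "UTC" -- confirm this format is accepted.
timestamp = dt.datetime.utcnow().strftime("%a %b %d %H:%M:%S +0000 %Y")

# NOTE(review): the HMAC key here is the value returned by the stock SRP
# library. Cognito-aware clients derive the key differently (pool-name
# prefixed identity plus an HKDF step) -- confirm before relying on this.
hmac_obj = hmac.new(process_challenge_bytes, digestmod=hashlib.sha256)
hmac_obj.update(user_pool_id.split('_')[1].encode('utf-8'))
hmac_obj.update(username.encode('utf-8'))
hmac_obj.update(secret_block_bytes)
hmac_obj.update(timestamp.encode('utf-8'))

# Values are passed as native strings so the request validates on both
# Python 2 and Python 3.
# NOTE(review): Cognito-aware clients send the secret block as the base64
# text received and the signature base64-encoded, not hex -- confirm.
challenge_responses = {
    "TIMESTAMP": timestamp,
    "USERNAME": username,
    "PASSWORD_CLAIM_SECRET_BLOCK": secret_block_hex,
    "PASSWORD_CLAIM_SIGNATURE": hmac_obj.hexdigest()
}

# Step 4:
# Submit challenge response to Cognito.
# A successful response carries bearer tokens: do not print or log it.
response = cognito.respond_to_auth_challenge(
    ClientId=client_id,
    ChallengeName='PASSWORD_VERIFIER',
    ChallengeResponses=challenge_responses)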
# The same Cognito SRP sign-in, delegated to warrant's AWSSRP helper instead
# of assembling the challenge response by hand.
from warrant.aws_srp import AWSSRP

# Placeholder values only. Supply real ones at run time (environment, prompt
# or a secrets manager) rather than writing them into source.
USERNAME = 'xxx'
PASSWORD = 'yyy'
POOL_ID = 'us-east-1_zzzzz'
CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx'

aws = AWSSRP(
    username=USERNAME,
    password=PASSWORD,
    pool_id=POOL_ID,
    client_id=CLIENT_ID,
)
tokens = aws.authenticate_user()

# Each value below is a bearer credential for the signed-in user: keep them
# out of logs, tracebacks and shared storage.
auth_result = tokens['AuthenticationResult']
id_token = auth_result['IdToken']
refresh_token = auth_result['RefreshToken']
access_token = auth_result['AccessToken']
token_type = auth_result['TokenType']