Debug issue from gh440

aws_adfs/_duo_authenticator.py

@@ -241,16 +241,16 @@ def _load_duo_result_url(
 
     if response.status_code != 200:
         raise click.ClickException(
-            u'Issues when following the Duo result URL after '
+            u'Status code not 200 when following the Duo result URL after '
             u'authentication. The error response {}'.format(
                 response
             )
         )
     json_response = response.json()
     if json_response['stat'] != 'OK':
         raise click.ClickException(
-            u'There was an issue when following the Duo result URL after authentication.'
-            u' The error response: {}'.format(
+            u'Stat not OK when following the Duo result URL after authentication.'
+            u' The error response text: {}'.format(
                 response.text
             )
         )

aws_adfs/_duo_universal_prompt_authenticator.py

@@ -223,19 +223,20 @@ def _authentication_result(duo_host, sid, txid, factor, xsrf, session, ssl_verif
 
     if response.status_code != 200:
         raise click.ClickException(
-            "Issues during retrieval of a code entered into the device. The error response {}".format(response)
+            "HTTP status code not 200 during UP retrieval of a code entered into the device."
+            "The error response: {}".format(response)
         )
 
     json_response = response.json()
     if json_response["stat"] != "OK":
         raise click.ClickException(
-            "There was an issue during retrieval of a code entered into the device."
+            "'stat' not ok during UP retrieval of a code entered into the device."
             " The error response: {}".format(response.text)
         )
 
     if json_response["response"]["status_code"] != "allow":
         raise click.ClickException(
-            "There was an issue during retrieval of a code entered into the device."
+            "Response 'status_code' not 'allow' during UP retrieval of a code entered into the device."
             " The error response: {}".format(response.text)
         )
 
@@ -257,7 +258,7 @@ def _load_duo_result_url(duo_host, sid, txid, factor, xsrf, session, ssl_verific
 
     if response.status_code != 200:
         raise click.ClickException(
-            "Issues when following the Duo result URL after authentication. The error response {}".format(response)
+            f"Status code not 200 when following the Duo result URL after authentication. The error response {response} - {response.url} - {response.text}"
         )
 
     return response
@@ -278,7 +279,7 @@ def _verify_authentication_status(duo_host, sid, txid, session, ssl_verification
         json_response = response.json()
         if json_response["stat"] != "OK":
             raise click.ClickException(
-                "There was an issue during second factor verification. The error response: {}".format(response.text)
+                "'stat' not OK during UP second factor verification. The error response: {}".format(response.text)
             )
 
         if json_response["response"]["status_code"] not in [
@@ -289,7 +290,7 @@ def _verify_authentication_status(duo_host, sid, txid, session, ssl_verification
             "allow"
         ]:
             raise click.ClickException(
-                "There was an issue during second factor verification. The error response: {}".format(response.text)
+                "Bad 'status_code' during UP second factor verification. The error response: {}".format(response.text)
             )
 
         if json_response["response"]["status_code"] == "pushed":
@@ -351,7 +352,7 @@ def _verify_authentication_status(duo_host, sid, txid, session, ssl_verification
 
         responses.append(response.text)
 
-    raise click.ClickException("There was an issue during second factor verification. The responses: {}".format(responses))
+    raise click.ClickException("Number of responses exceeded during UP second factor verification. The responses: {}".format(responses))
 
 
 def _webauthn_get_assertion(
@@ -452,7 +453,8 @@ def _initiate_authentication(
 
     sid = query.get("sid")
     if sid is None:
-        # No need for second factor authentification, Duo directly returned the authentication cookie
+        logging.info("No need for second factor authentification, "
+                     "Duo directly returned the authentication cookie")
         return (None, None, None, None, None, _js_cookie(html_response), duo_url), True
 
     tx = html_response.find('.//input[@name="tx"]').get("value")
@@ -486,17 +488,34 @@ def _initiate_authentication(
         data=data,
     )
     trace_http_request(response)
-
+    for res in response.history:
+        logging.info(f"history: {res} - {res.url}")
     # API BREAKING CHANGE. There's now a callback that has to happen here
-    response = session.post(
-        response.url,
-        verify=ssl_verification_enabled,
-        headers=_headers,
-        allow_redirects=True,
-        params={"sid": sid, "tx": tx},
-        data=data,
-    )
+    logging.info(f"duo_url: {duo_url}")
+    logging.info(f"response.url: {response.url}")
+    try:
+        callback_response = session.post(
+            response.url,
+            verify=ssl_verification_enabled,
+            headers=_headers,
+            allow_redirects=True,
+            params={"sid": sid, "tx": tx},
+            data=data,
+        )
+        trace_http_request(callback_response)
+        # Do not overwrite the response unconditionally. If this breaks for some users, we'll need to find out how the response
+        # differs and how to use that for a decision what to do.
+        # In the case where it's not needed, "stat": "FAIL" can be seen in the response.
+        callback_json = callback_response.json()
+        if callback_json["stat"] == "OK":
+            logging.info("Callback stat OK, using response.")
+            response = callback_response
+    except Exception as e:
+        logging.error("Error doing callback", exc_info=e)
+        logging.error(f"ignoring: {e}")
+
 
+    logging.info("after callback")
     html_response = ET.fromstring(response.text, ET.HTMLParser())
     preferred_factor = _preferred_factor(html_response)
     preferred_device = _preferred_device(html_response)

aws_adfs/account_aliases_fetcher.py

@@ -6,8 +6,8 @@
 from .helpers import trace_http_request
 
 
-_account_alias_pattern = re.compile("Account: *([^(]+) *\(([0-9]+)\)")
-_account_without_alias_pattern = re.compile("Account: *\(?([0-9]+)\)?")
+_account_alias_pattern = re.compile("Account: *([^(]+) *\\(([0-9]+)\\)")
+_account_without_alias_pattern = re.compile(r"Account: *\(?([0-9]+)\)?")
 
 
 def account_aliases(session, username, password, auth_method, saml_response, config):

aws_adfs/commands.py

@@ -40,7 +40,7 @@ def cli(verbose):
     logging.basicConfig(
         format=log_format,
         stream=sys.stderr,
-        level=logging.DEBUG if verbose else logging.ERROR,
+        level=logging.DEBUG if verbose else logging.INFO,
     )
     if verbose:
         try: