2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2017-01-27 00:08:52 +00:00
|
|
|
package okta
|
|
|
|
|
|
|
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2017-01-27 00:08:52 +00:00
|
|
|
"fmt"
|
2021-09-03 20:09:11 +00:00
|
|
|
"net/textproto"
|
2018-02-15 01:28:19 +00:00
|
|
|
"time"
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2022-04-14 12:37:04 +00:00
|
|
|
"github.com/hashicorp/go-secure-stdlib/strutil"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
2019-07-02 21:44:38 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2020-07-24 13:05:08 +00:00
|
|
|
"github.com/okta/okta-sdk-golang/v2/okta"
|
2022-05-12 00:09:29 +00:00
|
|
|
"github.com/patrickmn/go-cache"
|
2017-01-27 00:08:52 +00:00
|
|
|
)
|
|
|
|
|
|
2021-02-22 05:18:17 +00:00
|
|
|
const (
|
2023-04-13 15:29:59 +00:00
|
|
|
operationPrefixOkta = "okta"
|
|
|
|
|
mfaPushMethod = "push"
|
|
|
|
|
mfaTOTPMethod = "token:software:totp"
|
2021-02-22 05:18:17 +00:00
|
|
|
)
|
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
b := Backend()
|
2018-01-19 06:44:44 +00:00
|
|
|
if err := b.Setup(ctx, conf); err != nil {
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return b, nil
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Backend() *backend {
|
|
|
|
|
var b backend
|
|
|
|
|
b.Backend = &framework.Backend{
|
|
|
|
|
Help: backendHelp,
|
|
|
|
|
|
|
|
|
|
PathsSpecial: &logical.Paths{
|
|
|
|
|
Unauthenticated: []string{
|
|
|
|
|
"login/*",
|
2022-05-12 00:09:29 +00:00
|
|
|
"verify/*",
|
2017-01-27 00:08:52 +00:00
|
|
|
},
|
2017-11-03 15:43:31 +00:00
|
|
|
SealWrapStorage: []string{
|
|
|
|
|
"config",
|
|
|
|
|
},
|
2017-01-27 00:08:52 +00:00
|
|
|
},
|
|
|
|
|
|
2022-04-20 01:19:34 +00:00
|
|
|
Paths: []*framework.Path{
|
2017-01-27 00:08:52 +00:00
|
|
|
pathConfig(&b),
|
|
|
|
|
pathUsers(&b),
|
|
|
|
|
pathGroups(&b),
|
|
|
|
|
pathUsersList(&b),
|
|
|
|
|
pathGroupsList(&b),
|
2022-04-20 01:19:34 +00:00
|
|
|
pathLogin(&b),
|
2022-05-12 00:09:29 +00:00
|
|
|
pathVerify(&b),
|
2017-12-07 19:17:42 +00:00
|
|
|
},
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-07-28 18:04:46 +00:00
|
|
|
AuthRenew: b.pathLoginRenew,
|
|
|
|
|
BackendType: logical.TypeCredential,
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
2022-05-12 00:09:29 +00:00
|
|
|
b.verifyCache = cache.New(5*time.Minute, time.Minute)
|
2017-01-27 00:08:52 +00:00
|
|
|
|
|
|
|
|
return &b
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type backend struct {
|
|
|
|
|
*framework.Backend
|
2022-05-12 00:09:29 +00:00
|
|
|
verifyCache *cache.Cache
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-12 00:09:29 +00:00
|
|
|
func (b *backend) Login(ctx context.Context, req *logical.Request, username, password, totp, nonce, preferredProvider string) ([]string, *logical.Response, []string, error) {
|
2018-01-19 06:44:44 +00:00
|
|
|
cfg, err := b.Config(ctx, req.Storage)
|
2017-01-27 00:08:52 +00:00
|
|
|
if err != nil {
|
2017-11-02 20:05:48 +00:00
|
|
|
return nil, nil, nil, err
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
if cfg == nil {
|
2018-01-03 19:02:31 +00:00
|
|
|
return nil, logical.ErrorResponse("Okta auth method not configured"), nil, nil
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
|
2019-07-02 21:44:38 +00:00
|
|
|
// Check for a CIDR match.
|
2019-07-22 16:44:34 +00:00
|
|
|
if len(cfg.TokenBoundCIDRs) > 0 {
|
|
|
|
|
if req.Connection == nil {
|
|
|
|
|
b.Logger().Warn("token bound CIDRs found but no connection information available for validation")
|
|
|
|
|
return nil, nil, nil, logical.ErrPermissionDenied
|
|
|
|
|
}
|
|
|
|
|
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
|
|
|
|
|
return nil, nil, nil, logical.ErrPermissionDenied
|
|
|
|
|
}
|
2019-07-02 21:44:38 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-24 13:05:08 +00:00
|
|
|
shim, err := cfg.OktaClient(ctx)
|
2020-02-03 17:51:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, nil, err
|
|
|
|
|
}
|
2017-08-31 02:37:21 +00:00
|
|
|
|
2018-02-15 01:28:19 +00:00
|
|
|
type mfaFactor struct {
|
|
|
|
|
Id string `json:"id"`
|
|
|
|
|
Type string `json:"factorType"`
|
|
|
|
|
Provider string `json:"provider"`
|
2022-05-12 00:09:29 +00:00
|
|
|
Embedded struct {
|
|
|
|
|
Challenge struct {
|
|
|
|
|
CorrectAnswer *int `json:"correctAnswer"`
|
|
|
|
|
} `json:"challenge"`
|
|
|
|
|
} `json:"_embedded"`
|
2018-02-15 01:28:19 +00:00
|
|
|
}
|
|
|
|
|
|
2017-08-31 02:37:21 +00:00
|
|
|
type embeddedResult struct {
|
2018-02-15 01:28:19 +00:00
|
|
|
User okta.User `json:"user"`
|
|
|
|
|
Factors []mfaFactor `json:"factors"`
|
2022-05-12 00:09:29 +00:00
|
|
|
Factor *mfaFactor `json:"factor"`
|
2017-08-31 02:37:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type authResult struct {
|
2018-02-15 01:28:19 +00:00
|
|
|
Embedded embeddedResult `json:"_embedded"`
|
|
|
|
|
Status string `json:"status"`
|
|
|
|
|
FactorResult string `json:"factorResult"`
|
|
|
|
|
StateToken string `json:"stateToken"`
|
2017-08-31 02:37:21 +00:00
|
|
|
}
|
|
|
|
|
|
2020-04-23 18:35:26 +00:00
|
|
|
authReq, err := shim.NewRequest("POST", "authn", map[string]interface{}{
|
2017-08-31 02:37:21 +00:00
|
|
|
"username": username,
|
|
|
|
|
"password": password,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
2017-11-02 20:05:48 +00:00
|
|
|
return nil, nil, nil, err
|
2017-08-31 02:37:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var result authResult
|
2020-02-03 17:51:10 +00:00
|
|
|
rsp, err := shim.Do(authReq, &result)
|
2017-01-27 00:08:52 +00:00
|
|
|
if err != nil {
|
2020-02-03 17:51:10 +00:00
|
|
|
if oe, ok := err.(*okta.Error); ok {
|
|
|
|
|
return nil, logical.ErrorResponse("Okta auth failed: %v (code=%v)", err, oe.ErrorCode), nil, nil
|
|
|
|
|
}
|
2017-11-02 20:05:48 +00:00
|
|
|
return nil, logical.ErrorResponse(fmt.Sprintf("Okta auth failed: %v", err)), nil, nil
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
2017-08-31 02:37:21 +00:00
|
|
|
if rsp == nil {
|
2018-01-03 19:02:31 +00:00
|
|
|
return nil, logical.ErrorResponse("okta auth method unexpected failure"), nil, nil
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
oktaResponse := &logical.Response{
|
|
|
|
|
Data: map[string]interface{}{},
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-20 18:54:10 +00:00
|
|
|
// More about Okta's Auth transaction state here:
|
2018-02-15 01:28:19 +00:00
|
|
|
// https://developer.okta.com/docs/api/resources/authn#transaction-state
|
|
|
|
|
|
2018-01-26 18:46:11 +00:00
|
|
|
// If lockout failures are not configured to be hidden, the status needs to
|
|
|
|
|
// be inspected for LOCKED_OUT status. Otherwise, it is handled above by an
|
|
|
|
|
// error returned during the authentication request.
|
|
|
|
|
switch result.Status {
|
|
|
|
|
case "LOCKED_OUT":
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("user is locked out", "user", username)
|
2018-01-26 18:46:11 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
|
|
|
|
|
|
|
|
|
|
case "PASSWORD_EXPIRED":
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("password is expired", "user", username)
|
2018-01-26 18:46:11 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
|
|
|
|
|
|
|
|
|
|
case "PASSWORD_WARN":
|
|
|
|
|
oktaResponse.AddWarning("Your Okta password is in warning state and needs to be changed soon.")
|
|
|
|
|
|
2018-02-15 01:28:19 +00:00
|
|
|
case "MFA_ENROLL", "MFA_ENROLL_ACTIVATE":
|
2018-02-09 22:03:49 +00:00
|
|
|
if !cfg.BypassOktaMFA {
|
2018-02-15 01:28:19 +00:00
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("user must enroll or complete mfa enrollment", "user", username)
|
2018-02-15 01:28:19 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed: you must complete MFA enrollment to continue"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case "MFA_REQUIRED":
|
|
|
|
|
// Per Okta documentation: Users are challenged for MFA (MFA_REQUIRED)
|
|
|
|
|
// before the Status of PASSWORD_EXPIRED is exposed (if they have an
|
|
|
|
|
// active factor enrollment). This bypass removes visibility
|
|
|
|
|
// into the authenticating user's password expiry, but still ensures the
|
|
|
|
|
// credentials are valid and the user is not locked out.
|
2021-02-22 05:18:17 +00:00
|
|
|
//
|
|
|
|
|
// API reference: https://developer.okta.com/docs/reference/api/authn/#verify-factor
|
2018-02-15 01:28:19 +00:00
|
|
|
if cfg.BypassOktaMFA {
|
|
|
|
|
result.Status = "SUCCESS"
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-22 05:18:17 +00:00
|
|
|
var selectedFactor, totpFactor, pushFactor *mfaFactor
|
2018-02-15 01:28:19 +00:00
|
|
|
|
2021-02-22 05:18:17 +00:00
|
|
|
// Scan for available factors
|
2018-02-15 01:28:19 +00:00
|
|
|
for _, v := range result.Embedded.Factors {
|
2021-02-22 05:18:17 +00:00
|
|
|
v := v // create a new copy since we'll be taking the address later
|
|
|
|
|
|
2022-04-14 12:37:04 +00:00
|
|
|
if preferredProvider != "" && preferredProvider != v.Provider {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !strutil.StrListContains(b.getSupportedProviders(), v.Provider) {
|
2021-02-22 05:18:17 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch v.Type {
|
|
|
|
|
case mfaTOTPMethod:
|
|
|
|
|
totpFactor = &v
|
|
|
|
|
case mfaPushMethod:
|
|
|
|
|
pushFactor = &v
|
2018-02-15 01:28:19 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-14 12:37:04 +00:00
|
|
|
// Okta push and totp, and Google totp are currently supported.
|
|
|
|
|
// If a totp passcode is provided during login and is supported,
|
|
|
|
|
// that will be the preferred method.
|
2021-02-22 05:18:17 +00:00
|
|
|
switch {
|
|
|
|
|
case totpFactor != nil && totp != "":
|
|
|
|
|
selectedFactor = totpFactor
|
2022-04-14 12:37:04 +00:00
|
|
|
case pushFactor != nil && pushFactor.Provider == oktaProvider:
|
2021-02-22 05:18:17 +00:00
|
|
|
selectedFactor = pushFactor
|
|
|
|
|
case totpFactor != nil && totp == "":
|
|
|
|
|
return nil, logical.ErrorResponse("'totp' passcode parameter is required to perform MFA"), nil, nil
|
|
|
|
|
default:
|
2022-04-14 12:37:04 +00:00
|
|
|
return nil, logical.ErrorResponse("Okta Verify Push or TOTP or Google TOTP factor is required in order to perform MFA"), nil, nil
|
2018-02-15 01:28:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requestPath := fmt.Sprintf("authn/factors/%s/verify", selectedFactor.Id)
|
2021-02-22 05:18:17 +00:00
|
|
|
|
2018-02-15 01:28:19 +00:00
|
|
|
payload := map[string]interface{}{
|
|
|
|
|
"stateToken": result.StateToken,
|
|
|
|
|
}
|
2021-02-22 05:18:17 +00:00
|
|
|
if selectedFactor.Type == mfaTOTPMethod {
|
|
|
|
|
payload["passCode"] = totp
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 17:51:10 +00:00
|
|
|
verifyReq, err := shim.NewRequest("POST", requestPath, payload)
|
2018-02-15 01:28:19 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, nil, err
|
|
|
|
|
}
|
2021-09-03 20:09:11 +00:00
|
|
|
if len(req.Headers["X-Forwarded-For"]) > 0 {
|
|
|
|
|
verifyReq.Header.Set("X-Forwarded-For", req.Headers[textproto.CanonicalMIMEHeaderKey("X-Forwarded-For")][0])
|
|
|
|
|
}
|
2018-02-15 01:28:19 +00:00
|
|
|
|
2020-02-03 17:51:10 +00:00
|
|
|
rsp, err := shim.Do(verifyReq, &result)
|
2018-02-15 01:28:19 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, logical.ErrorResponse(fmt.Sprintf("Okta auth failed: %v", err)), nil, nil
|
|
|
|
|
}
|
|
|
|
|
if rsp == nil {
|
|
|
|
|
return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
for result.Status == "MFA_CHALLENGE" {
|
|
|
|
|
switch result.FactorResult {
|
|
|
|
|
case "WAITING":
|
2020-02-03 17:51:10 +00:00
|
|
|
verifyReq, err := shim.NewRequest("POST", requestPath, payload)
|
2019-04-16 17:05:50 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, logical.ErrorResponse(fmt.Sprintf("okta auth failed creating verify request: %v", err)), nil, nil
|
|
|
|
|
}
|
2020-02-03 17:51:10 +00:00
|
|
|
rsp, err := shim.Do(verifyReq, &result)
|
2022-05-12 00:09:29 +00:00
|
|
|
|
|
|
|
|
// Store number challenge if found
|
|
|
|
|
numberChallenge := result.Embedded.Factor.Embedded.Challenge.CorrectAnswer
|
|
|
|
|
if numberChallenge != nil {
|
|
|
|
|
if nonce == "" {
|
|
|
|
|
return nil, logical.ErrorResponse("nonce must be provided during login request when presented with number challenge"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.verifyCache.SetDefault(nonce, *numberChallenge)
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-15 01:28:19 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, logical.ErrorResponse(fmt.Sprintf("Okta auth failed checking loop: %v", err)), nil, nil
|
|
|
|
|
}
|
|
|
|
|
if rsp == nil {
|
|
|
|
|
return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-06 16:49:01 +00:00
|
|
|
timer := time.NewTimer(1 * time.Second)
|
2018-02-15 01:28:19 +00:00
|
|
|
select {
|
2023-02-06 16:49:01 +00:00
|
|
|
case <-timer.C:
|
2018-02-15 01:28:19 +00:00
|
|
|
// Continue
|
|
|
|
|
case <-ctx.Done():
|
2023-02-06 16:49:01 +00:00
|
|
|
timer.Stop()
|
2018-02-15 01:28:19 +00:00
|
|
|
return nil, logical.ErrorResponse("exiting pending mfa challenge"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
case "REJECTED":
|
|
|
|
|
return nil, logical.ErrorResponse("multi-factor authentication denied"), nil, nil
|
|
|
|
|
case "TIMEOUT":
|
|
|
|
|
return nil, logical.ErrorResponse("failed to complete multi-factor authentication"), nil, nil
|
|
|
|
|
case "SUCCESS":
|
|
|
|
|
// Allowed
|
|
|
|
|
default:
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("unhandled result status", "status", result.Status, "factorstatus", result.FactorResult)
|
2018-02-15 01:28:19 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
|
|
|
|
|
}
|
2018-02-09 22:03:49 +00:00
|
|
|
}
|
|
|
|
|
|
2018-01-26 18:46:11 +00:00
|
|
|
case "SUCCESS":
|
|
|
|
|
// Do nothing here
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("unhandled result status", "status", result.Status)
|
2018-01-26 18:46:11 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify result status again in case a switch case above modifies result
|
2018-02-09 22:03:49 +00:00
|
|
|
switch {
|
|
|
|
|
case result.Status == "SUCCESS",
|
|
|
|
|
result.Status == "PASSWORD_WARN",
|
|
|
|
|
result.Status == "MFA_REQUIRED" && cfg.BypassOktaMFA,
|
2018-02-15 01:28:19 +00:00
|
|
|
result.Status == "MFA_ENROLL" && cfg.BypassOktaMFA,
|
|
|
|
|
result.Status == "MFA_ENROLL_ACTIVATE" && cfg.BypassOktaMFA:
|
2018-02-09 22:03:49 +00:00
|
|
|
// Allowed
|
|
|
|
|
default:
|
2018-01-26 18:46:11 +00:00
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("authentication returned a non-success status", "status", result.Status)
|
2018-01-26 18:46:11 +00:00
|
|
|
}
|
|
|
|
|
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-27 00:08:52 +00:00
|
|
|
var allGroups []string
|
2017-09-15 04:27:45 +00:00
|
|
|
// Only query the Okta API for group membership if we have a token
|
2020-07-24 13:05:08 +00:00
|
|
|
client, oktactx := shim.Client()
|
2020-02-03 17:51:10 +00:00
|
|
|
if client != nil {
|
2020-07-24 13:05:08 +00:00
|
|
|
oktaGroups, err := b.getOktaGroups(oktactx, client, &result.Embedded.User)
|
2017-09-15 04:27:45 +00:00
|
|
|
if err != nil {
|
2017-11-02 20:05:48 +00:00
|
|
|
return nil, logical.ErrorResponse(fmt.Sprintf("okta failure retrieving groups: %v", err)), nil, nil
|
2017-09-15 04:27:45 +00:00
|
|
|
}
|
|
|
|
|
if len(oktaGroups) == 0 {
|
|
|
|
|
errString := fmt.Sprintf(
|
|
|
|
|
"no Okta groups found; only policies from locally-defined groups available")
|
|
|
|
|
oktaResponse.AddWarning(errString)
|
|
|
|
|
}
|
|
|
|
|
allGroups = append(allGroups, oktaGroups...)
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-27 00:08:52 +00:00
|
|
|
// Import the custom added groups from okta backend
|
2018-01-19 06:44:44 +00:00
|
|
|
user, err := b.User(ctx, req.Storage, username)
|
2017-08-25 18:48:37 +00:00
|
|
|
if err != nil {
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("error looking up user", "error", err)
|
2017-08-25 18:48:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
2017-01-27 00:08:52 +00:00
|
|
|
if err == nil && user != nil && user.Groups != nil {
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("adding local groups", "num_local_groups", len(user.Groups), "local_groups", user.Groups)
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
allGroups = append(allGroups, user.Groups...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve policies
|
|
|
|
|
var policies []string
|
|
|
|
|
for _, groupName := range allGroups {
|
2018-01-19 06:44:44 +00:00
|
|
|
entry, _, err := b.Group(ctx, req.Storage, groupName)
|
2017-08-25 18:48:37 +00:00
|
|
|
if err != nil {
|
|
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("error looking up group policies", "error", err)
|
2017-08-25 18:48:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if err == nil && entry != nil && entry.Policies != nil {
|
|
|
|
|
policies = append(policies, entry.Policies...)
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Merge local Policies into Okta Policies
|
2017-02-14 21:28:16 +00:00
|
|
|
if user != nil && user.Policies != nil {
|
|
|
|
|
policies = append(policies, user.Policies...)
|
|
|
|
|
}
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-11-02 20:05:48 +00:00
|
|
|
return policies, oktaResponse, allGroups, nil
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-24 13:05:08 +00:00
|
|
|
func (b *backend) getOktaGroups(ctx context.Context, client *okta.Client, user *okta.User) ([]string, error) {
|
|
|
|
|
groups, resp, err := client.User.ListUserGroups(ctx, user.Id)
|
2017-09-15 04:27:45 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-02-03 17:51:10 +00:00
|
|
|
oktaGroups := make([]string, 0, len(groups))
|
|
|
|
|
for _, group := range groups {
|
2017-09-15 04:27:45 +00:00
|
|
|
oktaGroups = append(oktaGroups, group.Profile.Name)
|
|
|
|
|
}
|
2020-07-24 13:05:08 +00:00
|
|
|
for resp.HasNextPage() {
|
|
|
|
|
var nextGroups []*okta.Group
|
|
|
|
|
resp, err = resp.Next(ctx, &nextGroups)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
for _, group := range nextGroups {
|
|
|
|
|
oktaGroups = append(oktaGroups, group.Profile.Name)
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-09-15 04:27:45 +00:00
|
|
|
if b.Logger().IsDebug() {
|
2018-04-03 00:46:59 +00:00
|
|
|
b.Logger().Debug("Groups fetched from Okta", "num_groups", len(oktaGroups), "groups", fmt.Sprintf("%#v", oktaGroups))
|
2017-09-15 04:27:45 +00:00
|
|
|
}
|
|
|
|
|
return oktaGroups, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-27 00:08:52 +00:00
|
|
|
const backendHelp = `
|
|
|
|
|
The Okta credential provider allows authentication querying,
|
2018-04-02 20:51:26 +00:00
|
|
|
checking username and password, and associating policies. If an api token is
|
|
|
|
|
configured groups are pulled down from Okta.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
|
|
|
|
Configuration of the connection is done through the "config" and "policies"
|
|
|
|
|
endpoints by a user with root access. Authentication is then done
|
2018-03-20 18:54:10 +00:00
|
|
|
by supplying the two fields for "login".
|
2017-01-27 00:08:52 +00:00
|
|
|
`
|