luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/builtin/credential/okta/backend_test.go

212 lines
6.7 KiB
Go
Raw Normal View History

Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
package okta
import (
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
"context"
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
"fmt"
"os"
"strings"
"testing"
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
"time"
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
log "github.com/hashicorp/go-hclog"
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/logging"
Move policyutil to sdk
2019-04-12 22:08:46 +00:00
"github.com/hashicorp/vault/sdk/helper/policyutil"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/logical"
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
)
func TestBackend_Config(t *testing.T) {
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
defaultLeaseTTLVal := time.Hour * 12
maxLeaseTTLVal := time.Hour * 24
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
b, err := Factory(context.Background(), &logical.BackendConfig{
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
Logger: logging.NewVaultLogger(log.Trace),
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
System: &logical.StaticSystemView{
DefaultLeaseTTLVal: defaultLeaseTTLVal,
MaxLeaseTTLVal: maxLeaseTTLVal,
},
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
})
if err != nil {
t.Fatalf("Unable to create backend: %s", err)
}
username := os.Getenv("OKTA_USERNAME")
password := os.Getenv("OKTA_PASSWORD")
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
token := os.Getenv("OKTA_API_TOKEN")
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
configData := map[string]interface{}{
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
"org_name": os.Getenv("OKTA_ORG"),
"base_url": "oktapreview.com",
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
updatedDuration := time.Hour * 1
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
configDataToken := map[string]interface{}{
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
"api_token": token,
"token_ttl": "1h",
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
logicaltest.Test(t, logicaltest.TestCase{
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
AcceptanceTest: true,
PreCheck: func() { testAccPreCheck(t) },
CredentialBackend: b,
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
Steps: []logicaltest.TestStep{
testConfigCreate(t, configData),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 2. Login with bad password, expect failure (E0000004=okta auth failure).
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
testLoginWrite(t, username, "wrong", "E0000004", 0, nil),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 3. Make our user belong to two groups and have one user-specific policy.
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
testAccUserGroups(t, username, "local_grouP,lOcal_group2", []string{"user_policy"}),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 4. Create the group local_group, assign it a single policy.
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase.
2017-08-25 18:48:37 +00:00
testAccGroups(t, "local_groUp", "loCal_group_policy"),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 5. Login with good password, expect user to have their user-specific
// policy and the policy of the one valid group they belong to.
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 6. Create the group everyone, assign it two policies. This is a
// magic group name in okta that always exists and which every
// user automatically belongs to.
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase.
2017-08-25 18:48:37 +00:00
testAccGroups(t, "everyoNe", "everyone_grouP_policy,eveRy_group_policy2"),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 7. Login as before, expect same result
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 8. Add API token so we can lookup groups
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
testConfigUpdate(t, configDataToken),
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
testConfigRead(t, token, configData),
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
// 10. Login should now lookup okta groups; since all okta users are
// in the "everyone" group, that should be returned; since we
// defined policies attached to the everyone group, we should now
// see those policies attached to returned vault token.
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "user_policy"}),
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase.
2017-08-25 18:48:37 +00:00
testAccGroups(t, "locAl_group2", "testgroup_group_policy"),
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy", "user_policy"}),
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
},
})
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
func testLoginWrite(t *testing.T, username, password, reason string, expectedTTL time.Duration, policies []string) logicaltest.TestStep {
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + username,
ErrorOk: true,
Data: map[string]interface{}{
"password": password,
},
Check: func(resp *logical.Response) error {
if resp.IsError() {
if reason == "" || !strings.Contains(resp.Error().Error(), reason) {
return resp.Error()
}
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
} else if reason != "" {
return fmt.Errorf("expected error containing %q, got no error", reason)
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
if resp.Auth != nil {
Fix Okta auth issue when a user has no policies and/or groups set. (#2371) Fixes #2367
2017-02-14 21:28:16 +00:00
if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
actualTTL := resp.Auth.LeaseOptions.TTL
if actualTTL != expectedTTL {
return fmt.Errorf("TTL mismatch expected %v but got %v", expectedTTL, actualTTL)
}
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
return nil
},
}
}
func testConfigCreate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.CreateOperation,
Path: "config",
Data: d,
}
}
func testConfigUpdate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: d,
}
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
func testConfigRead(t *testing.T, token string, d map[string]interface{}) logicaltest.TestStep {
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "config",
Check: func(resp *logical.Response) error {
if resp.IsError() {
return resp.Error()
}
Upgrade okta sdk lib (#8143) Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
2020-02-03 17:51:10 +00:00
if resp.Data["org_name"] != d["org_name"] {
Clean up error string formatting (#4304)
2018-04-09 18:35:21 +00:00
return fmt.Errorf("org mismatch expected %s but got %s", d["organization"], resp.Data["Org"])
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
if resp.Data["base_url"] != d["base_url"] {
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
return fmt.Errorf("BaseURL mismatch expected %s but got %s", d["base_url"], resp.Data["BaseURL"])
}
Allow Okta auth backend to specify TTL and max TTL values (#2915)
2017-07-05 13:42:37 +00:00
for _, value := range resp.Data {
if value == token {
return fmt.Errorf("token should not be returned on a read request")
}
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
return nil
},
}
}
func testAccPreCheck(t *testing.T) {
if v := os.Getenv("OKTA_USERNAME"); v == "" {
t.Fatal("OKTA_USERNAME must be set for acceptance tests")
}
if v := os.Getenv("OKTA_PASSWORD"); v == "" {
t.Fatal("OKTA_PASSWORD must be set for acceptance tests")
}
if v := os.Getenv("OKTA_ORG"); v == "" {
t.Fatal("OKTA_ORG must be set for acceptance tests")
}
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
if v := os.Getenv("OKTA_API_TOKEN"); v == "" {
t.Fatal("OKTA_API_TOKEN must be set for acceptance tests")
}
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
}
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
func testAccUserGroups(t *testing.T, user string, groups interface{}, policies interface{}) logicaltest.TestStep {
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "users/" + user,
Data: map[string]interface{}{
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
"groups": groups,
"policies": policies,
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
},
}
}
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs.
2018-01-16 23:20:19 +00:00
func testAccGroups(t *testing.T, group string, policies interface{}) logicaltest.TestStep {
Okta implementation (#1966)
2017-01-27 00:08:52 +00:00
t.Logf("[testAccGroups] - Registering group %s, policy %s", group, policies)
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "groups/" + group,
Data: map[string]interface{}{
"policies": policies,
},
}
}
func testAccLogin(t *testing.T, user, password string, keys []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": password,
},
Unauthenticated: true,
Check: logicaltest.TestCheckAuth(keys),
}
}
Reference in a new issue Copy permalink