open-vault/builtin/credential/okta/backend_test.go

package okta

import (
	"fmt"
	"os"
	"strings"
	"testing"

	"github.com/hashicorp/vault/helper/logformat"
	"github.com/hashicorp/vault/helper/policyutil"
	log "github.com/mgutz/logxi/v1"

	"time"

	"github.com/hashicorp/vault/logical"
	logicaltest "github.com/hashicorp/vault/logical/testing"
)

func TestBackend_Config(t *testing.T) {
	defaultLeaseTTLVal := time.Hour * 12
	maxLeaseTTLVal := time.Hour * 24
	b, err := Factory(&logical.BackendConfig{
		Logger: logformat.NewVaultLogger(log.LevelTrace),
		System: &logical.StaticSystemView{
			DefaultLeaseTTLVal: defaultLeaseTTLVal,
			MaxLeaseTTLVal:     maxLeaseTTLVal,
		},
	})
	if err != nil {
		t.Fatalf("Unable to create backend: %s", err)
	}

	username := os.Getenv("OKTA_USERNAME")
	password := os.Getenv("OKTA_PASSWORD")
	token := os.Getenv("OKTA_API_TOKEN")

	configData := map[string]interface{}{
		"organization": os.Getenv("OKTA_ORG"),
		"base_url":     "oktapreview.com",
	}

	updatedDuration := time.Hour * 1
	configDataToken := map[string]interface{}{
		"token": token,
		"ttl":   "1h",
	}

	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		PreCheck:       func() { testAccPreCheck(t) },
		Backend:        b,
		Steps: []logicaltest.TestStep{
			testConfigCreate(t, configData),
			testLoginWrite(t, username, "wrong", "E0000004", 0, nil),
			testLoginWrite(t, username, password, "user is not a member of any authorized policy", 0, nil),
			testAccUserGroups(t, username, "local_grouP,lOcal_group2", []string{"user_policy"}),
			testAccGroups(t, "local_groUp", "loCal_group_policy"),
			testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),
			testAccGroups(t, "everyoNe", "everyone_grouP_policy,eveRy_group_policy2"),
			testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),
			testConfigUpdate(t, configDataToken),
			testConfigRead(t, token, configData),
			testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "user_policy"}),
			testAccGroups(t, "locAl_group2", "testgroup_group_policy"),
			testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy", "user_policy"}),
		},
	})
}

func testLoginWrite(t *testing.T, username, password, reason string, expectedTTL time.Duration, policies []string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login/" + username,
		ErrorOk:   true,
		Data: map[string]interface{}{
			"password": password,
		},
		Check: func(resp *logical.Response) error {
			if resp.IsError() {
				if reason == "" || !strings.Contains(resp.Error().Error(), reason) {
					return resp.Error()
				}
			}

			if resp.Auth != nil {
				if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
					return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)
				}

				actualTTL := resp.Auth.LeaseOptions.TTL
				if actualTTL != expectedTTL {
					return fmt.Errorf("TTL mismatch expected %v but got %v", expectedTTL, actualTTL)
				}
			}

			return nil
		},
	}
}

func testConfigCreate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.CreateOperation,
		Path:      "config",
		Data:      d,
	}
}

func testConfigUpdate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "config",
		Data:      d,
	}
}

func testConfigRead(t *testing.T, token string, d map[string]interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.ReadOperation,
		Path:      "config",
		Check: func(resp *logical.Response) error {
			if resp.IsError() {
				return resp.Error()
			}

			if resp.Data["organization"] != d["organization"] {
				return fmt.Errorf("Org mismatch expected %s but got %s", d["organization"], resp.Data["Org"])
			}

			if resp.Data["base_url"] != d["base_url"] {
				return fmt.Errorf("BaseURL mismatch expected %s but got %s", d["base_url"], resp.Data["BaseURL"])
			}

			for _, value := range resp.Data {
				if value == token {
					return fmt.Errorf("token should not be returned on a read request")
				}
			}

			return nil
		},
	}
}

func testAccPreCheck(t *testing.T) {
	if v := os.Getenv("OKTA_USERNAME"); v == "" {
		t.Fatal("OKTA_USERNAME must be set for acceptance tests")
	}

	if v := os.Getenv("OKTA_PASSWORD"); v == "" {
		t.Fatal("OKTA_PASSWORD must be set for acceptance tests")
	}

	if v := os.Getenv("OKTA_ORG"); v == "" {
		t.Fatal("OKTA_ORG must be set for acceptance tests")
	}

	if v := os.Getenv("OKTA_API_TOKEN"); v == "" {
		t.Fatal("OKTA_API_TOKEN must be set for acceptance tests")
	}
}

func testAccUserGroups(t *testing.T, user string, groups interface{}, policies interface{}) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "users/" + user,
		Data: map[string]interface{}{
			"groups":   groups,
			"policies": policies,
		},
	}
}

func testAccGroups(t *testing.T, group string, policies interface{}) logicaltest.TestStep {
	t.Logf("[testAccGroups] - Registering group %s, policy %s", group, policies)
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "groups/" + group,
		Data: map[string]interface{}{
			"policies": policies,
		},
	}
}

func testAccLogin(t *testing.T, user, password string, keys []string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login/" + user,
		Data: map[string]interface{}{
			"password": password,
		},
		Unauthenticated: true,

		Check: logicaltest.TestCheckAuth(keys),
	}
}
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`package okta`

			`import (`
			`"fmt"`
			`"os"`
			`"strings"`
			`"testing"`

			`"github.com/hashicorp/vault/helper/logformat"`
Fix Okta auth issue when a user has no policies and/or groups set. (#2371) Fixes #2367 2017-02-14 21:28:16 +00:00			`"github.com/hashicorp/vault/helper/policyutil"`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`log "github.com/mgutz/logxi/v1"`

Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase. 2017-08-25 18:48:37 +00:00			`"time"`

Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`"github.com/hashicorp/vault/logical"`
			`logicaltest "github.com/hashicorp/vault/logical/testing"`
			`)`

			`func TestBackend_Config(t *testing.T) {`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`defaultLeaseTTLVal := time.Hour * 12`
			`maxLeaseTTLVal := time.Hour * 24`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`b, err := Factory(&logical.BackendConfig{`
			`Logger: logformat.NewVaultLogger(log.LevelTrace),`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`System: &logical.StaticSystemView{`
			`DefaultLeaseTTLVal: defaultLeaseTTLVal,`
			`MaxLeaseTTLVal: maxLeaseTTLVal,`
			`},`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`})`
			`if err != nil {`
			`t.Fatalf("Unable to create backend: %s", err)`
			`}`

			`username := os.Getenv("OKTA_USERNAME")`
			`password := os.Getenv("OKTA_PASSWORD")`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`token := os.Getenv("OKTA_API_TOKEN")`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
			`configData := map[string]interface{}{`
			`"organization": os.Getenv("OKTA_ORG"),`
			`"base_url": "oktapreview.com",`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`updatedDuration := time.Hour * 1`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`configDataToken := map[string]interface{}{`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`"token": token,`
			`"ttl": "1h",`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

			`logicaltest.Test(t, logicaltest.TestCase{`
			`AcceptanceTest: true,`
			`PreCheck: func() { testAccPreCheck(t) },`
			`Backend: b,`
			`Steps: []logicaltest.TestStep{`
			`testConfigCreate(t, configData),`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`testLoginWrite(t, username, "wrong", "E0000004", 0, nil),`
			`testLoginWrite(t, username, password, "user is not a member of any authorized policy", 0, nil),`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`testAccUserGroups(t, username, "local_grouP,lOcal_group2", []string{"user_policy"}),`
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase. 2017-08-25 18:48:37 +00:00			`testAccGroups(t, "local_groUp", "loCal_group_policy"),`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),`
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase. 2017-08-25 18:48:37 +00:00			`testAccGroups(t, "everyoNe", "everyone_grouP_policy,eveRy_group_policy2"),`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`testLoginWrite(t, username, password, "", defaultLeaseTTLVal, []string{"local_group_policy", "user_policy"}),`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`testConfigUpdate(t, configDataToken),`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`testConfigRead(t, token, configData),`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "user_policy"}),`
Compare groups case-insensitively at login time (#3240) * Compare groups case-insensitively at login time, since Okta groups are case-insensitive but preserving. * Make other group operations case-preserving but otherwise case-insensitive. New groups will be written in lowercase. 2017-08-25 18:48:37 +00:00			`testAccGroups(t, "locAl_group2", "testgroup_group_policy"),`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`testLoginWrite(t, username, password, "", updatedDuration, []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy", "user_policy"}),`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`},`
			`})`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`func testLoginWrite(t *testing.T, username, password, reason string, expectedTTL time.Duration, policies []string) logicaltest.TestStep {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`return logicaltest.TestStep{`
			`Operation: logical.UpdateOperation,`
			`Path: "login/" + username,`
			`ErrorOk: true,`
			`Data: map[string]interface{}{`
			`"password": password,`
			`},`
			`Check: func(resp *logical.Response) error {`
			`if resp.IsError() {`
			`if reason == "" \|\| !strings.Contains(resp.Error().Error(), reason) {`
			`return resp.Error()`
			`}`
			`}`

			`if resp.Auth != nil {`
Fix Okta auth issue when a user has no policies and/or groups set. (#2371) Fixes #2367 2017-02-14 21:28:16 +00:00			`if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {`
			`return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`
Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00
			`actualTTL := resp.Auth.LeaseOptions.TTL`
			`if actualTTL != expectedTTL {`
			`return fmt.Errorf("TTL mismatch expected %v but got %v", expectedTTL, actualTTL)`
			`}`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

			`return nil`
			`},`
			`}`
			`}`

			`func testConfigCreate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
			`Operation: logical.CreateOperation,`
			`Path: "config",`
			`Data: d,`
			`}`
			`}`

			`func testConfigUpdate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
			`Operation: logical.UpdateOperation,`
			`Path: "config",`
			`Data: d,`
			`}`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`func testConfigRead(t *testing.T, token string, d map[string]interface{}) logicaltest.TestStep {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`return logicaltest.TestStep{`
			`Operation: logical.ReadOperation,`
			`Path: "config",`
			`Check: func(resp *logical.Response) error {`
			`if resp.IsError() {`
			`return resp.Error()`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`if resp.Data["organization"] != d["organization"] {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`return fmt.Errorf("Org mismatch expected %s but got %s", d["organization"], resp.Data["Org"])`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`if resp.Data["base_url"] != d["base_url"] {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`return fmt.Errorf("BaseURL mismatch expected %s but got %s", d["base_url"], resp.Data["BaseURL"])`
			`}`

Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 13:42:37 +00:00			`for _, value := range resp.Data {`
			`if value == token {`
			`return fmt.Errorf("token should not be returned on a read request")`
			`}`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

			`return nil`
			`},`
			`}`
			`}`

			`func testAccPreCheck(t *testing.T) {`
			`if v := os.Getenv("OKTA_USERNAME"); v == "" {`
			`t.Fatal("OKTA_USERNAME must be set for acceptance tests")`
			`}`

			`if v := os.Getenv("OKTA_PASSWORD"); v == "" {`
			`t.Fatal("OKTA_PASSWORD must be set for acceptance tests")`
			`}`

			`if v := os.Getenv("OKTA_ORG"); v == "" {`
			`t.Fatal("OKTA_ORG must be set for acceptance tests")`
			`}`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00
			`if v := os.Getenv("OKTA_API_TOKEN"); v == "" {`
			`t.Fatal("OKTA_API_TOKEN must be set for acceptance tests")`
			`}`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`func testAccUserGroups(t *testing.T, user string, groups interface{}, policies interface{}) logicaltest.TestStep {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`return logicaltest.TestStep{`
			`Operation: logical.UpdateOperation,`
			`Path: "users/" + user,`
			`Data: map[string]interface{}{`
Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`"groups": groups,`
			`"policies": policies,`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`},`
			`}`
			`}`

Support JSON lists for Okta user groups+policies. (#3801) * Support JSON lists for Okta user groups+policies. Migrate the manually-parsed comma-separated string field types for user groups and user policies to TypeCommaStringSlice. This means user endpoints now accept proper lists as input for these fields in addition to comma-separated string values. The value for reads remains a list. Update the Okta API documentation for users and groups to reflect that both user group and user/group policy fields are list-valued. Update the Okta acceptance tests to cover passing a list value for the user policy field, and require the OKTA_API_TOKEN env var to be set (required for the "everyone" policy tests to pass). * Fix typo, add comma-separated docs. 2018-01-16 23:20:19 +00:00			`func testAccGroups(t *testing.T, group string, policies interface{}) logicaltest.TestStep {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`t.Logf("[testAccGroups] - Registering group %s, policy %s", group, policies)`
			`return logicaltest.TestStep{`
			`Operation: logical.UpdateOperation,`
			`Path: "groups/" + group,`
			`Data: map[string]interface{}{`
			`"policies": policies,`
			`},`
			`}`
			`}`

			`func testAccLogin(t *testing.T, user, password string, keys []string) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
			`Operation: logical.UpdateOperation,`
			`Path: "login/" + user,`
			`Data: map[string]interface{}{`
			`"password": password,`
			`},`
			`Unauthenticated: true,`

			`Check: logicaltest.TestCheckAuth(keys),`
			`}`
			`}`