open-vault/builtin/credential/okta/cli.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package okta

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"

	"github.com/hashicorp/go-secure-stdlib/base62"
	pwd "github.com/hashicorp/go-secure-stdlib/password"
	"github.com/hashicorp/vault/api"
)

// CLIHandler struct
type CLIHandler struct{}

// Auth cli method
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
	mount, ok := m["mount"]
	if !ok {
		mount = "okta"
	}

	username, ok := m["username"]
	if !ok {
		return nil, fmt.Errorf("'username' var must be set")
	}
	password, ok := m["password"]
	if !ok {
		fmt.Fprintf(os.Stderr, "Password (will be hidden): ")
		var err error
		password, err = pwd.Read(os.Stdin)
		fmt.Fprintf(os.Stderr, "\n")
		if err != nil {
			return nil, err
		}
	}

	data := map[string]interface{}{
		"password": password,
	}

	// Okta or Google totp code
	if totp, ok := m["totp"]; ok {
		data["totp"] = totp
	}

	// provider is an optional parameter
	if provider, ok := m["provider"]; ok {
		data["provider"] = provider
	}

	nonce := base62.MustRandom(20)
	data["nonce"] = nonce

	// Create a done channel to signal termination of the login so that we can
	// clean up the goroutine
	doneCh := make(chan struct{})
	defer close(doneCh)

	go func() {
		for {
			timer := time.NewTimer(time.Second)
			select {
			case <-doneCh:
				timer.Stop()
				return
			case <-timer.C:
			}

			resp, _ := c.Logical().Read(fmt.Sprintf("auth/%s/verify/%s", mount, nonce))
			if resp != nil {
				fmt.Fprintf(os.Stderr, "In Okta Verify, tap the number %q\n", resp.Data["correct_answer"].(json.Number))
				return
			}
		}
	}()

	path := fmt.Sprintf("auth/%s/login/%s", mount, username)
	secret, err := c.Logical().Write(path, data)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, fmt.Errorf("empty response from credential provider")
	}

	return secret, nil
}

// Help method for okta cli
func (h *CLIHandler) Help() string {
	help := `
Usage: vault login -method=okta [CONFIG K=V...]

  The Okta auth method allows users to authenticate using Okta.

  Authenticate as "sally":

      $ vault login -method=okta username=sally
      Password (will be hidden):

  Authenticate as "bob":

      $ vault login -method=okta username=bob password=password

Configuration:

  password=<string>
      Okta password to use for authentication. If not provided, the CLI will
      prompt for this on stdin.

  username=<string>
      Okta username to use for authentication.
`

	return strings.TrimSpace(help)
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`package okta`

			`import (`
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`"encoding/json"`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`"fmt"`
			`"os"`
			`"strings"`
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`"time"`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`"github.com/hashicorp/go-secure-stdlib/base62"`
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 00:17:31 +00:00			`pwd "github.com/hashicorp/go-secure-stdlib/password"`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`"github.com/hashicorp/vault/api"`
			`)`

			`// CLIHandler struct`
			`type CLIHandler struct{}`

			`// Auth cli method`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`func (h CLIHandler) Auth(c api.Client, m map[string]string) (*api.Secret, error) {`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`mount, ok := m["mount"]`
			`if !ok {`
			`mount = "okta"`
			`}`

			`username, ok := m["username"]`
			`if !ok {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, fmt.Errorf("'username' var must be set")`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`
			`password, ok := m["password"]`
			`if !ok {`
Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 17:14:19 +00:00			`fmt.Fprintf(os.Stderr, "Password (will be hidden): ")`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`var err error`
			`password, err = pwd.Read(os.Stdin)`
Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 17:14:19 +00:00			`fmt.Fprintf(os.Stderr, "\n")`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`if err != nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, err`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`
			`}`

			`data := map[string]interface{}{`
			`"password": password,`
			`}`

supporting google authenticator with Okta auth (#14985) * supporting google authenticator with Okta auth * minor fix * CL * feedback * Update changelog/14985.txt Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * updating docs Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> 2022-04-14 12:37:04 +00:00			`// Okta or Google totp code`
Add TOTP support to Okta Auth (#10942) 2021-02-22 05:18:17 +00:00			`if totp, ok := m["totp"]; ok {`
			`data["totp"] = totp`
			`}`

supporting google authenticator with Okta auth (#14985) * supporting google authenticator with Okta auth * minor fix * CL * feedback * Update changelog/14985.txt Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * updating docs Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> 2022-04-14 12:37:04 +00:00			`// provider is an optional parameter`
			`if provider, ok := m["provider"]; ok {`
			`data["provider"] = provider`
			`}`

auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`nonce := base62.MustRandom(20)`
			`data["nonce"] = nonce`

			`// Create a done channel to signal termination of the login so that we can`
			`// clean up the goroutine`
			`doneCh := make(chan struct{})`
			`defer close(doneCh)`

			`go func() {`
			`for {`
VAULT-8436 remove <-time.After statements in for loops (#18818) * replace time.After with ticker in loops * add semgrep rule * update to use timers * remove stop 2023-02-06 16:49:01 +00:00			`timer := time.NewTimer(time.Second)`
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`select {`
			`case <-doneCh:`
VAULT-8436 remove <-time.After statements in for loops (#18818) * replace time.After with ticker in loops * add semgrep rule * update to use timers * remove stop 2023-02-06 16:49:01 +00:00			`timer.Stop()`
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`return`
VAULT-8436 remove <-time.After statements in for loops (#18818) * replace time.After with ticker in loops * add semgrep rule * update to use timers * remove stop 2023-02-06 16:49:01 +00:00			`case <-timer.C:`
auth/okta: Add support for Okta number challenge (#15361) * POC of Okta Auth Number Challenge verification * switch from callbacks to operations, forward validate to primary * cleanup and nonce description update * add changelog * error on empty nonce, no forwarding, return correct_answer instead * properly clean up verify goroutine * add docs on new endpoint and parameters * change polling frequency when WAITING to 1s Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2022-05-12 00:09:29 +00:00			`}`

			`resp, _ := c.Logical().Read(fmt.Sprintf("auth/%s/verify/%s", mount, nonce))`
			`if resp != nil {`
			`fmt.Fprintf(os.Stderr, "In Okta Verify, tap the number %q\n", resp.Data["correct_answer"].(json.Number))`
			`return`
			`}`
			`}`
			`}()`

Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`path := fmt.Sprintf("auth/%s/login/%s", mount, username)`
			`secret, err := c.Logical().Write(path, data)`
			`if err != nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, err`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`
			`if secret == nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, fmt.Errorf("empty response from credential provider")`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return secret, nil`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`

			`// Help method for okta cli`
			`func (h *CLIHandler) Help() string {`
			help := `
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`Usage: vault login -method=okta [CONFIG K=V...]`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Spell Okta correctly 2017-10-04 21:16:39 +00:00			`The Okta auth method allows users to authenticate using Okta.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Update help output for okta auth 2017-09-02 22:50:21 +00:00			`Authenticate as "sally":`

Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`$ vault login -method=okta username=sally`
Update help output for okta auth 2017-09-02 22:50:21 +00:00			`Password (will be hidden):`

			`Authenticate as "bob":`

Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`$ vault login -method=okta username=bob password=password`
Update help output for okta auth 2017-09-02 22:50:21 +00:00
			`Configuration:`

			`password=<string>`
Spell Okta correctly 2017-10-04 21:16:39 +00:00			`Okta password to use for authentication. If not provided, the CLI will`
Update help output for okta auth 2017-09-02 22:50:21 +00:00			`prompt for this on stdin.`

			`username=<string>`
Spell Okta correctly 2017-10-04 21:16:39 +00:00			`Okta username to use for authentication.`
Update credential help Use "vault login" instead of "vault auth" and use "method" consistently over provider. 2017-09-06 14:02:15 +00:00			`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
			`return strings.TrimSpace(help)`
			`}`