03b14d8a64
Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case. Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
356 lines
9.4 KiB
Go
356 lines
9.4 KiB
Go
package okta
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"github.com/hashicorp/go-cleanhttp"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
oktaold "github.com/chrismalek/oktasdk-go/okta"
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/tokenutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
oktanew "github.com/okta/okta-sdk-golang/okta"
|
|
)
|
|
|
|
const (
|
|
defaultBaseURL = "okta.com"
|
|
previewBaseURL = "oktapreview.com"
|
|
)
|
|
|
|
func pathConfig(b *backend) *framework.Path {
|
|
p := &framework.Path{
|
|
Pattern: `config`,
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"organization": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Use org_name instead.",
|
|
Deprecated: true,
|
|
},
|
|
"org_name": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Name of the organization to be used in the Okta API.",
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Name: "Organization Name",
|
|
},
|
|
},
|
|
"token": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Use api_token instead.",
|
|
Deprecated: true,
|
|
},
|
|
"api_token": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Okta API key.",
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Name: "API Token",
|
|
},
|
|
},
|
|
"base_url": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Name: "Base URL",
|
|
},
|
|
},
|
|
"production": &framework.FieldSchema{
|
|
Type: framework.TypeBool,
|
|
Description: `Use base_url instead.`,
|
|
Deprecated: true,
|
|
},
|
|
"ttl": &framework.FieldSchema{
|
|
Type: framework.TypeDurationSecond,
|
|
Description: tokenutil.DeprecationText("token_ttl"),
|
|
Deprecated: true,
|
|
},
|
|
"max_ttl": &framework.FieldSchema{
|
|
Type: framework.TypeDurationSecond,
|
|
Description: tokenutil.DeprecationText("token_max_ttl"),
|
|
Deprecated: true,
|
|
},
|
|
"bypass_okta_mfa": &framework.FieldSchema{
|
|
Type: framework.TypeBool,
|
|
Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Name: "Bypass Okta MFA",
|
|
},
|
|
},
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.ReadOperation: b.pathConfigRead,
|
|
logical.CreateOperation: b.pathConfigWrite,
|
|
logical.UpdateOperation: b.pathConfigWrite,
|
|
},
|
|
|
|
ExistenceCheck: b.pathConfigExistenceCheck,
|
|
|
|
HelpSynopsis: pathConfigHelp,
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Action: "Configure",
|
|
},
|
|
}
|
|
|
|
tokenutil.AddTokenFields(p.Fields)
|
|
p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups."
|
|
return p
|
|
}
|
|
|
|
// Config returns the configuration for this backend.
|
|
func (b *backend) Config(ctx context.Context, s logical.Storage) (*ConfigEntry, error) {
|
|
entry, err := s.Get(ctx, "config")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if entry == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
var result ConfigEntry
|
|
if entry != nil {
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if result.TokenTTL == 0 && result.TTL > 0 {
|
|
result.TokenTTL = result.TTL
|
|
}
|
|
if result.TokenMaxTTL == 0 && result.MaxTTL > 0 {
|
|
result.TokenMaxTTL = result.MaxTTL
|
|
}
|
|
|
|
return &result, nil
|
|
}
|
|
|
|
func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
cfg, err := b.Config(ctx, req.Storage)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if cfg == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
data := map[string]interface{}{
|
|
"organization": cfg.Org,
|
|
"org_name": cfg.Org,
|
|
"bypass_okta_mfa": cfg.BypassOktaMFA,
|
|
}
|
|
cfg.PopulateTokenData(data)
|
|
|
|
if cfg.BaseURL != "" {
|
|
data["base_url"] = cfg.BaseURL
|
|
}
|
|
if cfg.Production != nil {
|
|
data["production"] = *cfg.Production
|
|
}
|
|
if cfg.TTL > 0 {
|
|
data["ttl"] = int64(cfg.TTL.Seconds())
|
|
}
|
|
if cfg.MaxTTL > 0 {
|
|
data["max_ttl"] = int64(cfg.MaxTTL.Seconds())
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
Data: data,
|
|
}
|
|
|
|
if cfg.BypassOktaMFA {
|
|
resp.AddWarning("Okta MFA bypass is configured. In addition to ignoring Okta MFA requests, certain other account statuses will not be seen, such as PASSWORD_EXPIRED. Authentication will succeed in these cases.")
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
cfg, err := b.Config(ctx, req.Storage)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Due to the existence check, entry will only be nil if it's a create
|
|
// operation, so just create a new one
|
|
if cfg == nil {
|
|
cfg = &ConfigEntry{}
|
|
}
|
|
|
|
org, ok := d.GetOk("org_name")
|
|
if ok {
|
|
cfg.Org = org.(string)
|
|
}
|
|
if cfg.Org == "" {
|
|
org, ok = d.GetOk("organization")
|
|
if ok {
|
|
cfg.Org = org.(string)
|
|
}
|
|
}
|
|
if cfg.Org == "" && req.Operation == logical.CreateOperation {
|
|
return logical.ErrorResponse("org_name is missing"), nil
|
|
}
|
|
|
|
token, ok := d.GetOk("api_token")
|
|
if ok {
|
|
cfg.Token = token.(string)
|
|
} else if token, ok = d.GetOk("token"); ok {
|
|
cfg.Token = token.(string)
|
|
}
|
|
|
|
baseURLRaw, ok := d.GetOk("base_url")
|
|
if ok {
|
|
baseURL := baseURLRaw.(string)
|
|
_, err = url.Parse(fmt.Sprintf("https://%s,%s", cfg.Org, baseURL))
|
|
if err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("Error parsing given base_url: %s", err)), nil
|
|
}
|
|
cfg.BaseURL = baseURL
|
|
}
|
|
|
|
// We only care about the production flag when base_url is not set. It is
|
|
// for compatibility reasons.
|
|
if cfg.BaseURL == "" {
|
|
productionRaw, ok := d.GetOk("production")
|
|
if ok {
|
|
production := productionRaw.(bool)
|
|
cfg.Production = &production
|
|
}
|
|
} else {
|
|
// clear out old production flag if base_url is set
|
|
cfg.Production = nil
|
|
}
|
|
|
|
bypass, ok := d.GetOk("bypass_okta_mfa")
|
|
if ok {
|
|
cfg.BypassOktaMFA = bypass.(bool)
|
|
}
|
|
|
|
if err := cfg.ParseTokenFields(req, d); err != nil {
|
|
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
|
|
}
|
|
|
|
// Handle upgrade cases
|
|
{
|
|
if err := tokenutil.UpgradeValue(d, "ttl", "token_ttl", &cfg.TTL, &cfg.TokenTTL); err != nil {
|
|
return logical.ErrorResponse(err.Error()), nil
|
|
}
|
|
|
|
if err := tokenutil.UpgradeValue(d, "max_ttl", "token_max_ttl", &cfg.MaxTTL, &cfg.TokenMaxTTL); err != nil {
|
|
return logical.ErrorResponse(err.Error()), nil
|
|
}
|
|
}
|
|
|
|
jsonCfg, err := logical.StorageEntryJSON("config", cfg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := req.Storage.Put(ctx, jsonCfg); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var resp *logical.Response
|
|
if cfg.BypassOktaMFA {
|
|
resp = new(logical.Response)
|
|
resp.AddWarning("Okta MFA bypass is configured. In addition to ignoring Okta MFA requests, certain other account statuses will not be seen, such as PASSWORD_EXPIRED. Authentication will succeed in these cases.")
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (b *backend) pathConfigExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
|
|
cfg, err := b.Config(ctx, req.Storage)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return cfg != nil, nil
|
|
}
|
|
|
|
type oktaShim interface {
|
|
Client() *oktanew.Client
|
|
NewRequest(method string, url string, body interface{}) (*http.Request, error)
|
|
Do(req *http.Request, v interface{}) (interface{}, error)
|
|
}
|
|
|
|
type oktaShimNew struct {
|
|
client *oktanew.Client
|
|
}
|
|
|
|
func (new *oktaShimNew) Client() *oktanew.Client {
|
|
return new.client
|
|
}
|
|
|
|
func (new *oktaShimNew) NewRequest(method string, url string, body interface{}) (*http.Request, error) {
|
|
return new.client.GetRequestExecutor().NewRequest(method, url, body)
|
|
}
|
|
|
|
func (new *oktaShimNew) Do(req *http.Request, v interface{}) (interface{}, error) {
|
|
return new.client.GetRequestExecutor().Do(req, v)
|
|
}
|
|
|
|
type oktaShimOld struct {
|
|
client *oktaold.Client
|
|
}
|
|
|
|
func (new *oktaShimOld) Client() *oktanew.Client {
|
|
return nil
|
|
}
|
|
|
|
func (new *oktaShimOld) NewRequest(method string, url string, body interface{}) (*http.Request, error) {
|
|
return new.client.NewRequest(method, url, body)
|
|
}
|
|
|
|
func (new *oktaShimOld) Do(req *http.Request, v interface{}) (interface{}, error) {
|
|
return new.client.Do(req, v)
|
|
}
|
|
|
|
// OktaClient creates a basic okta client connection
|
|
func (c *ConfigEntry) OktaClient() (oktaShim, error) {
|
|
baseURL := defaultBaseURL
|
|
if c.Production != nil {
|
|
if !*c.Production {
|
|
baseURL = previewBaseURL
|
|
}
|
|
}
|
|
if c.BaseURL != "" {
|
|
baseURL = c.BaseURL
|
|
}
|
|
|
|
if c.Token != "" {
|
|
client, err := oktanew.NewClient(context.Background(),
|
|
oktanew.WithOrgUrl("https://"+c.Org+"."+baseURL),
|
|
oktanew.WithToken(c.Token))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oktaShimNew{client}, nil
|
|
}
|
|
client, err := oktaold.NewClientWithDomain(cleanhttp.DefaultClient(), c.Org, baseURL, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oktaShimOld{client}, nil
|
|
}
|
|
|
|
// ConfigEntry for Okta
|
|
type ConfigEntry struct {
|
|
tokenutil.TokenParams
|
|
|
|
Org string `json:"organization"`
|
|
Token string `json:"token"`
|
|
BaseURL string `json:"base_url"`
|
|
Production *bool `json:"is_production,omitempty"`
|
|
TTL time.Duration `json:"ttl"`
|
|
MaxTTL time.Duration `json:"max_ttl"`
|
|
BypassOktaMFA bool `json:"bypass_okta_mfa"`
|
|
}
|
|
|
|
const pathConfigHelp = `
|
|
This endpoint allows you to configure the Okta and its
|
|
configuration options.
|
|
|
|
The Okta organization are the characters at the front of the URL for Okta.
|
|
Example https://ORG.okta.com
|
|
`
|