def test_okta_mfa_verify_value_error(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """Login exits when the MFA verify endpoint answers 500 with a non-JSON body.

    The authn endpoint is stubbed with the AUTH_MFA_RESPONSE fixture and the
    factor verify endpoint with an unparsable 500 response. Constructing Okta
    must raise SystemExit and report the status code followed by the JSON
    parse failure through print_tty.
    """
    authn_url = 'https://organization.okta.com/api/v1/authn'
    verify_url = 'https://organization.okta.com/api/v1/authn/factors/id/verify'
    responses.add(responses.POST, authn_url, json=json.loads(AUTH_MFA_RESPONSE))
    responses.add(responses.POST, verify_url, body="NOT JSON", status=500)

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    expected_output = [
        call("Error: Status Code: 500"),
        call("Error: Invalid JSON"),
    ]
    mock_print_tty.assert_has_calls(expected_output)
def test_okta(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """Successful login exposes the single-use token, organization and session id.

    Both the authn and sessions endpoints are stubbed with their success
    fixtures; the constructed Okta object must carry the values taken from
    them.
    """
    stubs = (
        ('https://organization.okta.com/api/v1/authn', AUTH_TOKEN_RESPONSE),
        ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
    )
    for url, fixture in stubs:
        responses.add(responses.POST, url, json=json.loads(fixture))

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    self.assertEqual(okta.okta_single_use_token, "single_use_token")
    self.assertEqual(okta.organization, "organization.okta.com")
    self.assertEqual(okta.okta_session_id, "session_token")
def test_okta_auth_send_error(
    self, mock_print_tty, mock_makedirs
):
    """Login exits when the authn endpoint returns a 500 with an error payload.

    The stubbed response carries "status" and "errorSummary" fields; the
    constructor must raise SystemExit and print the status code, the status
    and the summary, in that order.
    """
    error_payload = {"status": "foo", "errorSummary": "bar"}
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/authn',
        json=error_payload,
        status=500,
    )

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    mock_print_tty.assert_has_calls([
        call("Error: Status Code: 500"),
        call("Error: Status: foo"),
        call("Error: Summary: bar"),
    ])
def test_okta_auth_value_error(
    self, mock_print_tty, mock_makedirs
):
    """Login exits when the authn endpoint returns a 500 with a non-JSON body.

    Constructing Okta must raise SystemExit and print the status code followed
    by the JSON parse failure.
    """
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/authn',
        body="NOT JSON",
        status=500,
    )

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    mock_print_tty.assert_has_calls([
        call("Error: Status Code: 500"),
        call("Error: Invalid JSON"),
    ])
def test_okta_cached_session(
    self, mock_print_tty, mock_makedirs, mock_isfile, mock_open, mock_chmod
):
    """A cached session file is refreshed instead of performing a fresh login.

    isfile is patched to report the cache as present, the patched open() yields
    SESSION_RESPONSE, and StubDate.now is frozen so the cached expiry is
    evaluated against a fixed clock. Only the session refresh endpoint is
    stubbed; the resulting Okta object must expose the refreshed session id.
    """
    def frozen_now(cls, tz):
        return datetime(1, 1, 1, 0, 0, tzinfo=tz)

    StubDate.now = classmethod(frozen_now)
    mock_isfile.return_value = True

    cache_file = MagicMock(**{'read.return_value': SESSION_RESPONSE})
    mock_open().__enter__.return_value = cache_file

    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
        json=json.loads(SESSION_RESPONSE),
    )

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    self.assertEqual(okta.okta_session_id, "session_token")
    self.assertEqual(okta.organization, "organization.okta.com")
def test_okta_connection_error(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """Login exits with a connection error message when the authn request fails.

    The authn stub raises ConnectionError instead of answering; construction
    must raise SystemExit and report "Error: Connection Error" via print_tty.
    """
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/authn',
        body=ConnectionError(),
    )

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    mock_print_tty.assert_has_calls([call("Error: Connection Error")])
def test_okta_refresh_value_error(
    self, mock_print_tty, mock_makedirs, mock_isfile, mock_open, mock_chmod
):
    """Refreshing a cached session exits when the refresh reply is non-JSON.

    The cache is simulated as in test_okta_cached_session (isfile True, open()
    yielding SESSION_RESPONSE, frozen StubDate.now); the refresh endpoint then
    returns a 500 with an unparsable body. Construction must raise SystemExit
    and print the status code and the JSON parse failure.
    """
    def frozen_now(cls, tz):
        return datetime(1, 1, 1, 0, 0, tzinfo=tz)

    StubDate.now = classmethod(frozen_now)
    mock_isfile.return_value = True

    cache_file = MagicMock(**{'read.return_value': SESSION_RESPONSE})
    mock_open().__enter__.return_value = cache_file

    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
        body="bob",
        status=500,
    )

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    mock_print_tty.assert_has_calls([
        call("Error: Status Code: 500"),
        call("Error: Invalid JSON"),
    ])
def test_okta_get_applications(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """get_applications maps application labels to their Okta app-link URLs.

    After a stubbed login, the appLinks endpoint is stubbed with
    APPLICATIONS_RESPONSE; the returned OrderedDict must contain the two AWS
    entries in the fixture's order.
    """
    login_stubs = (
        ('https://organization.okta.com/api/v1/authn', AUTH_TOKEN_RESPONSE),
        ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
    )
    for url, fixture in login_stubs:
        responses.add(responses.POST, url, json=json.loads(fixture))
    responses.add(
        responses.GET,
        'https://organization.okta.com/api/v1/users/me/appLinks',
        json=json.loads(APPLICATIONS_RESPONSE),
    )

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )
    applications = okta.get_applications()

    expected_applications = OrderedDict()
    expected_applications['AWS'] = (
        'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270'
    )
    expected_applications['AWS GOV'] = (
        'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/272'
    )
    self.assertEqual(applications, expected_applications)
def test_okta_get_saml_response(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """get_saml_response returns the body served at the application URL.

    After a stubbed login, a GET on the AWS app-link URL is stubbed with the
    SAML_RESPONSE fixture, which the method must return unchanged.
    """
    application_url = (
        'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270'
    )
    login_stubs = (
        ('https://organization.okta.com/api/v1/authn', AUTH_TOKEN_RESPONSE),
        ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
    )
    for url, fixture in login_stubs:
        responses.add(responses.POST, url, json=json.loads(fixture))
    responses.add(responses.GET, application_url, body=SAML_RESPONSE)

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )
    saml_response = okta.get_saml_response(application_url=application_url)

    self.assertEqual(saml_response, SAML_RESPONSE)
def test_okta_mfa_push_multiple_factor_challenge(
    self, mock_makedirs, mock_open, mock_chmod, mock_input
):
    """Push MFA with several enrolled factors completes after the user picks one.

    input() is patched to answer "2". The authn endpoint returns
    AUTH_MFA_MULTIPLE_RESPONSE, the verify endpoint returns
    MFA_WAITING_RESPONSE, the poll endpoint returns AUTH_TOKEN_RESPONSE and the
    sessions endpoint returns SESSION_RESPONSE. The constructed Okta object
    must expose the token, organization and session id.
    """
    mock_input.return_value = "2"

    stubs = (
        (
            'https://organization.okta.com/api/v1/authn',
            AUTH_MFA_MULTIPLE_RESPONSE,
        ),
        (
            'https://organization.okta.com/api/v1/authn/factors/id/verify',
            MFA_WAITING_RESPONSE,
        ),
        (
            'https://organization.okta.com/api/v1/authn/factors/id/lifecycle/activate/poll',
            AUTH_TOKEN_RESPONSE,
        ),
        (
            'https://organization.okta.com/api/v1/sessions',
            SESSION_RESPONSE,
        ),
    )
    for url, fixture in stubs:
        responses.add(responses.POST, url, json=json.loads(fixture))

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    self.assertEqual(okta.okta_single_use_token, "single_use_token")
    self.assertEqual(okta.organization, "organization.okta.com")
    self.assertEqual(okta.okta_session_id, "session_token")
def test_okta(self, mock_requests, mock_get_session_token, mock_get_session, mock_set_session, mock_print_tty):
    """Constructor wires up a requests.Session and stores the patched token/session.

    requests.Session is patched to return a MagicMock, and the session-token
    and session lookups are patched with fixed values. The Okta instance must
    keep that session object, the single-use token, the organization and the
    factor, and must request the token exactly once with the given user name
    and password.
    """
    fake_session = MagicMock()
    mock_requests.Session.return_value = fake_session
    mock_get_session_token.return_value = "single_use_token"
    mock_get_session.return_value = {
        'id': 'session_id',
        'expiresAt': '2019-01-22T19:24:24Z',
    }

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization_domain",
        factor="factor_type",
    )

    self.assertIs(okta.session, fake_session)
    self.assertEqual(okta.okta_single_use_token, "single_use_token")
    self.assertEqual(okta.organization, "organization_domain")
    self.assertEqual(okta.factor, "factor_type")
    mock_get_session_token.assert_called_once_with(
        user_name="user_name",
        user_pass="******",
    )
def test_okta_refresh_key_error(
    self, mock_print_tty, mock_makedirs, mock_isfile, mock_open, mock_chmod
):
    """Refreshing a cached session reports a 500 error payload via print_tty.

    The cache is simulated as in test_okta_cached_session (isfile True, open()
    yielding SESSION_RESPONSE, frozen StubDate.now); the refresh endpoint then
    returns a 500 with "status" and "errorSummary" fields. The status code,
    status and summary must be printed. Unlike test_okta_refresh_value_error,
    this test does not assert that construction raises SystemExit.
    """
    def frozen_now(cls, tz):
        return datetime(1, 1, 1, 0, 0, tzinfo=tz)

    StubDate.now = classmethod(frozen_now)
    mock_isfile.return_value = True

    cache_file = MagicMock(**{'read.return_value': SESSION_RESPONSE})
    mock_open().__enter__.return_value = cache_file

    error_payload = {"status": "foo", "errorSummary": "bar"}
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
        json=error_payload,
        status=500,
    )

    Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    mock_print_tty.assert_has_calls([
        call("Error: Status Code: 500"),
        call("Error: Status: foo"),
        call("Error: Summary: bar"),
    ])
def test_okta_session_id_key_error(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod
):
    """Login exits when the sessions endpoint answers 500 with an error payload.

    Primary auth succeeds with AUTH_TOKEN_RESPONSE, but the sessions call
    returns "status"/"errorSummary" fields with a 500. Construction must raise
    SystemExit and print the status code, status and summary.
    """
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/authn',
        json=json.loads(AUTH_TOKEN_RESPONSE),
    )
    error_payload = {"status": "foo", "errorSummary": "bar"}
    responses.add(
        responses.POST,
        'https://organization.okta.com/api/v1/sessions',
        json=error_payload,
        status=500,
    )

    with self.assertRaises(SystemExit):
        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com",
        )

    mock_print_tty.assert_has_calls([
        call("Error: Status Code: 500"),
        call("Error: Status: foo"),
        call("Error: Summary: bar"),
    ])
def test_okta_mfa_totp_challenge(
    self, mock_print_tty, mock_makedirs, mock_open, mock_chmod, mock_input
):
    """TOTP MFA completes once the user-entered code verifies.

    input() is patched to answer "123456". The authn endpoint returns
    AUTH_MFA_TOTP_RESPONSE, the verify endpoint returns AUTH_TOKEN_RESPONSE and
    the sessions endpoint returns SESSION_RESPONSE. The constructed Okta object
    must expose the token, organization and session id.
    """
    mock_input.return_value = "123456"

    stubs = (
        ('https://organization.okta.com/api/v1/authn', AUTH_MFA_TOTP_RESPONSE),
        (
            'https://organization.okta.com/api/v1/authn/factors/id/verify',
            AUTH_TOKEN_RESPONSE,
        ),
        ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
    )
    for url, fixture in stubs:
        responses.add(responses.POST, url, json=json.loads(fixture))

    okta = Okta(
        user_name="user_name",
        user_pass="******",
        organization="organization.okta.com",
    )

    self.assertEqual(okta.okta_single_use_token, "single_use_token")
    self.assertEqual(okta.organization, "organization.okta.com")
    self.assertEqual(okta.okta_session_id, "session_token")
def _get_credentials(self):
    """Log in to Okta, pick an AWS application and role, and assume it via STS.

    Returns the raw AssumeRoleWithSAML response dict, with
    ``response['Credentials']['Expiration']`` rewritten from a datetime to an
    ISO-8601 string using a ``Z`` suffix instead of ``+00:00``.

    The STS client is created with explicit empty credentials so boto3 does
    not pick anything up from the environment or ~/.aws/credentials. The Okta
    password comes from the authenticator, and the AWS_OKTA_USER / AWS_OKTA_PASS
    configuration entries are blanked as soon as the Okta client has been
    constructed. When AWS_OKTA_APPLICATION is unset the user is prompted with
    the application list fetched from Okta; the role is always chosen through
    prompt.get_item, keyed by AWS_OKTA_ROLE.
    """
    cfg = self._configuration
    silent = cfg["AWS_OKTA_SILENT"]

    # Do NOT load credentials from ENV or ~/.aws/credentials
    sts = boto3.client(
        'sts',
        aws_access_key_id='',
        aws_secret_access_key='',
        aws_session_token='',
    )

    okta = Okta(
        user_name=cfg["AWS_OKTA_USER"],
        user_pass=self._authenticate.get_pass(),
        organization=cfg["AWS_OKTA_ORGANIZATION"],
        factor=cfg["AWS_OKTA_FACTOR"],
        silent=silent,
    )
    # Scrub the login identity from the configuration once Okta has it.
    cfg["AWS_OKTA_USER"] = ''
    cfg["AWS_OKTA_PASS"] = ''

    application_url = cfg["AWS_OKTA_APPLICATION"]
    if not application_url:
        application_url = prompt.get_item(
            items=okta.get_applications(),
            label="AWS application",
            key=cfg["AWS_OKTA_APPLICATION"],
        )

    saml_response = okta.get_saml_response(application_url=application_url)
    saml_assertion = saml.get_saml_assertion(saml_response=saml_response)
    aws_role = prompt.get_item(
        items=saml.get_aws_roles(saml_assertion=saml_assertion),
        label="AWS Role",
        key=cfg["AWS_OKTA_ROLE"],
    )
    print_tty("Role: {}".format(aws_role.role_arn), silent=silent)

    response = sts.assume_role_with_saml(
        RoleArn=aws_role.role_arn,
        PrincipalArn=aws_role.principal_arn,
        SAMLAssertion=saml_assertion,
        DurationSeconds=int(cfg["AWS_OKTA_DURATION"]),
    )

    # Normalise the expiry to the "Z"-suffixed form expected downstream.
    credentials = response['Credentials']
    credentials['Expiration'] = (
        credentials['Expiration'].isoformat().replace("+00:00", "Z")
    )
    return response