def test_okta_verify_push_int(self, patched_time_sleep):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': int(20),
'mfa_push_delay_secs': int(11),
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
validator.authenticate()
for call in patched_time_sleep.call_args_list:
args, kwargs = call
for arg in args:
import pprint
pprint.pprint(arg)
msg = "time.sleep() must be called with a float not %s"
assert isinstance(arg, float), msg % type(arg)
patched_time_sleep.assert_called_with(11)
def test_with_valid_config_file_with_untrusted_user_disabled(self):
for val in ['yes', '1', 'true', 'ok', 'False', '0']:
config_format = (
"[OktaAPI]\n"
"Url: {}\n"
"Token: {}\n"
"AllowUntrustedUsers: {}")
cfg = tempfile.NamedTemporaryFile()
cfg.file.write(config_format.format(
self.okta_url,
self.okta_token,
val))
cfg.file.seek(0)
env = MockEnviron({
'username': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.config_file = cfg.name
validator.env = env
validator.read_configuration_file()
validator.load_environment_variables()
# Disable Public Key Pinning
validator.okta_config['assert_pinset'] = [
self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, False)
def test_suffix_with_valid_config_file(self):
config_format = (
"[OktaAPI]\n"
"Url: {}\n"
"Token: {}\n"
"UsernameSuffix: {}\n")
cfg = tempfile.NamedTemporaryFile()
cfg.file.write(config_format.format(
self.okta_url,
self.okta_token,
self.username_suffix))
cfg.file.seek(0)
env = MockEnviron({
'common_name': self.username_prefix,
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.config_file = cfg.name
validator.env = env
validator.read_configuration_file()
validator.load_environment_variables()
# Disable Public Key Pinning
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_with_valid_config_file(self):
config_format = (
"[OktaAPI]\n"
"Url: {}\n"
"Token: {}\n")
cfg = tempfile.NamedTemporaryFile()
cfg.file.write(config_format.format(
self.okta_url,
self.okta_token))
cfg.file.seek(0)
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.config_file = cfg.name
validator.env = env
validator.read_configuration_file()
validator.load_environment_variables()
# Disable Public Key Pinning
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_authenticate_handles_exceptions(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["error"][-1:][0]
self.assertIn("authentication failed, because", last_error)
def test_with_username_and_password(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages["info"][-1:][0]
self.assertIn("is now authenticated with MFA via Okta API", last_error)
def test_with_valid_config_file_with_untrusted_user_disabled(self):
for val in ["yes", "1", "true", "ok", "False", "0"]:
config_format = "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "AllowUntrustedUsers: {}"
cfg = tempfile.NamedTemporaryFile()
cfg.file.write(config_format.format(self.okta_url, self.okta_token, val))
cfg.file.seek(0)
env = MockEnviron({"username": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.config_file = cfg.name
validator.env = env
validator.read_configuration_file()
validator.load_environment_variables()
# Disable Public Key Pinning
validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, False)
def test_no_okta_url(self):
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['critical'][-1:][0]
self.assertIn('OKTA_URL not defined', last_error)
def test_no_okta_url(self):
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['critical'][-1:][0]
self.assertIn('OKTA_URL not defined', last_error)
def test_with_valid_config_file_with_untrusted_user_enabled(self):
config_format = "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "AllowUntrustedUsers: True"
cfg = tempfile.NamedTemporaryFile()
cfg.file.write(config_format.format(self.okta_url, self.okta_token))
cfg.file.seek(0)
env = MockEnviron({"username": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.config_file = cfg.name
validator.env = env
validator.read_configuration_file()
validator.load_environment_variables()
# Disable Public Key Pinning
validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages["info"][-1:][0]
self.assertIn("is now authenticated with MFA via Okta API", last_error)
def test_authenticate_handles_exceptions(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['error'][-1:][0]
self.assertIn('authentication failed, because', last_error)
def test_authenticate_handles_exceptions(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['error'][-1:][0]
self.assertIn('authentication failed, because', last_error)
def test_with_username_and_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_okta_verify_push_fails(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': 20,
'mfa_push_delay_secs': self.mfa_push_delay_secs,
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, False)
def test_okta_url_no_token(self):
cfg = {"okta_url": self.okta_url}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["critical"][-1:][0]
self.assertIn("OKTA_TOKEN not defined", last_error)
def test_with_username_and_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_no_username_or_password(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["warning"][-1:][0]
self.assertIn("is not trusted - failing", last_error)
def test_okta_url_no_token(self):
cfg = {
'okta_url': self.okta_url
}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['critical'][-1:][0]
self.assertIn('OKTA_TOKEN not defined', last_error)
def test_okta_verify_push(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': 20,
'mfa_push_delay_secs': self.mfa_push_delay_secs,
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_no_username_or_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['warning'][-1:][0]
self.assertIn('is not trusted - failing', last_error)
