    def test_okta_mfa_verify_value_error(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """MFA verify endpoint returns HTTP 500 with a body that is not JSON.

        Primary authentication is stubbed to demand an MFA factor; the factor
        verification call then fails. ``Okta()`` must terminate with
        ``SystemExit`` and report the status code followed by an
        "Invalid JSON" message through ``print_tty``.
        """
        # Step 1: password auth succeeds but asks for a factor.
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            json=json.loads(AUTH_MFA_RESPONSE)
        )
        # Step 2: the verify call answers with an unparseable 500.
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn/factors/id/verify',
            body="NOT JSON",
            status=500
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Invalid JSON"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """Happy path: primary auth yields a token, then a session is created.

        Both POST endpoints are stubbed with the canned module-level
        responses; the test asserts the three attributes ``Okta.__init__``
        derives from them.
        """
        stubbed_endpoints = (
            ('https://organization.okta.com/api/v1/authn', AUTH_TOKEN_RESPONSE),
            ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
        )
        for url, canned_body in stubbed_endpoints:
            responses.add(responses.POST, url, json=json.loads(canned_body))

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_attributes = (
            ("okta_single_use_token", "single_use_token"),
            ("organization", "organization.okta.com"),
            ("okta_session_id", "session_token"),
        )
        for attribute, expected in expected_attributes:
            self.assertEqual(getattr(okta, attribute), expected)
    def test_okta_auth_send_error(
            self,
            mock_print_tty,
            mock_makedirs
    ):
        """Primary auth returns a JSON error document with HTTP 500.

        ``Okta()`` must exit and echo the status code, the ``status`` field
        and the ``errorSummary`` field via ``print_tty``, in that order.
        """
        error_document = {
            "status": "foo",
            "errorSummary": "bar",
        }
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            json=error_document,
            status=500
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Status: foo"),
            call("Error: Summary: bar"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta_auth_value_error(
            self,
            mock_print_tty,
            mock_makedirs
    ):
        """Primary auth returns HTTP 500 with a body that is not JSON.

        ``Okta()`` must exit; ``print_tty`` receives the status code and an
        "Invalid JSON" message.
        """
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            body="NOT JSON",
            status=500
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Invalid JSON"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta_cached_session(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_isfile,
            mock_open,
            mock_chmod
    ):
        """A cached session file is reused instead of performing a login.

        ``StubDate.now`` is pinned to year 1 (presumably so the cached
        ``expiresAt`` is still considered valid), the session file is
        reported present and its contents are ``SESSION_RESPONSE``. Only the
        refresh endpoint is stubbed; no ``/authn`` response is registered,
        so a fresh password login would not be served.
        """
        def frozen_now(cls, tz):
            return datetime(1, 1, 1, 0, 0, tzinfo=tz)

        StubDate.now = classmethod(frozen_now)

        # Cached session file exists and yields the canned session document.
        mock_isfile.return_value = True
        file_handle = MagicMock()
        file_handle.read.return_value = SESSION_RESPONSE
        mock_open().__enter__.return_value = file_handle

        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
            json=json.loads(SESSION_RESPONSE)
        )

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        self.assertEqual(
            (okta.okta_session_id, okta.organization),
            ("session_token", "organization.okta.com")
        )
    def test_okta_connection_error(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """The primary auth request fails at the transport level.

        ``responses`` is told to raise ``ConnectionError`` for ``/authn``;
        ``Okta()`` must exit and report "Connection Error" via ``print_tty``.
        """
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            body=ConnectionError()
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        mock_print_tty.assert_has_calls([call("Error: Connection Error")])
    def test_okta_refresh_value_error(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_isfile,
            mock_open,
            mock_chmod
    ):
        """Session refresh returns HTTP 500 with a body that is not JSON.

        Same cached-session setup as ``test_okta_cached_session`` (pinned
        clock, session file present with ``SESSION_RESPONSE``), but the
        refresh endpoint answers ``"bob"`` with status 500. ``Okta()`` must
        exit and print the status code and an "Invalid JSON" message.
        """
        def frozen_now(cls, tz):
            return datetime(1, 1, 1, 0, 0, tzinfo=tz)

        StubDate.now = classmethod(frozen_now)

        mock_isfile.return_value = True
        file_handle = MagicMock()
        file_handle.read.return_value = SESSION_RESPONSE
        mock_open().__enter__.return_value = file_handle

        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
            body="bob",
            status=500
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Invalid JSON"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta_get_applications(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """``get_applications`` maps app labels to their link URLs, in order.

        Login and session creation are stubbed as in the happy path; the
        ``appLinks`` GET returns ``APPLICATIONS_RESPONSE``. The result must be
        an ``OrderedDict`` with the two AWS entries in response order.
        """
        # Login flow.
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            json=json.loads(AUTH_TOKEN_RESPONSE)
        )
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions',
            json=json.loads(SESSION_RESPONSE)
        )
        # Application listing.
        responses.add(
            responses.GET,
            'https://organization.okta.com/api/v1/users/me/appLinks',
            json=json.loads(APPLICATIONS_RESPONSE)
        )

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_links = [
            ('AWS', 'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270'),
            ('AWS GOV', 'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/272'),
        ]
        self.assertEqual(okta.get_applications(), OrderedDict(expected_links))
    def test_okta_get_saml_response(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """``get_saml_response`` returns the application page body verbatim.

        Login and session creation are stubbed; the application URL GET is
        served with ``SAML_RESPONSE`` and the method must hand it back
        unchanged.
        """
        application_url = 'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270'

        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            json=json.loads(AUTH_TOKEN_RESPONSE)
        )
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions',
            json=json.loads(SESSION_RESPONSE)
        )
        responses.add(responses.GET, application_url, body=SAML_RESPONSE)

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        self.assertEqual(
            okta.get_saml_response(application_url=application_url),
            SAML_RESPONSE
        )
    def test_okta_mfa_push_multiple_factor_challenge(
            self,
            mock_makedirs,
            mock_open,
            mock_chmod,
            mock_input
    ):
        """Push MFA with several enrolled factors, selected interactively.

        ``input()`` is stubbed to answer ``"2"`` (presumably the factor
        index). The verify call reports the push as waiting, the poll call
        then returns a session token, and a session is created. Asserts the
        token, organization and session id stored on the instance.
        """
        mock_input.return_value = "2"

        stubbed_endpoints = (
            ('https://organization.okta.com/api/v1/authn', AUTH_MFA_MULTIPLE_RESPONSE),
            ('https://organization.okta.com/api/v1/authn/factors/id/verify', MFA_WAITING_RESPONSE),
            ('https://organization.okta.com/api/v1/authn/factors/id/lifecycle/activate/poll', AUTH_TOKEN_RESPONSE),
            ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
        )
        for url, canned_body in stubbed_endpoints:
            responses.add(responses.POST, url, json=json.loads(canned_body))

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        self.assertEqual(
            (okta.okta_single_use_token, okta.organization, okta.okta_session_id),
            ("single_use_token", "organization.okta.com", "session_token")
        )
    def test_okta(self, mock_requests, mock_get_session_token,
                  mock_get_session, mock_set_session, mock_print_tty):
        """Constructor wires up a requests session and stores token/session.

        With ``requests.Session``, ``get_session_token`` and ``get_session``
        patched, asserts the attributes ``__init__`` sets and that the
        credentials reach ``get_session_token`` exactly once.
        """
        fake_session = MagicMock()
        mock_requests.Session.return_value = fake_session
        mock_get_session_token.return_value = "single_use_token"
        mock_get_session.return_value = {
            'id': 'session_id',
            'expiresAt': '2019-01-22T19:24:24Z',
        }

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization_domain",
            factor="factor_type"
        )

        self.assertIs(okta.session, fake_session)
        expected_attributes = (
            ("okta_single_use_token", "single_use_token"),
            ("organization", "organization_domain"),
            ("factor", "factor_type"),
        )
        for attribute, expected in expected_attributes:
            self.assertEqual(getattr(okta, attribute), expected)

        mock_get_session_token.assert_called_once_with(
            user_name="user_name",
            user_pass="******"
        )
    def test_okta_refresh_key_error(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_isfile,
            mock_open,
            mock_chmod
    ):
        """Session refresh returns a JSON error document with HTTP 500.

        Cached-session setup as in ``test_okta_cached_session``; the refresh
        endpoint answers a ``status``/``errorSummary`` document. Unlike the
        sibling error tests this one does not assert ``SystemExit`` -- it
        only checks that the three error lines reach ``print_tty``.
        """
        def frozen_now(cls, tz):
            return datetime(1, 1, 1, 0, 0, tzinfo=tz)

        StubDate.now = classmethod(frozen_now)

        mock_isfile.return_value = True
        file_handle = MagicMock()
        file_handle.read.return_value = SESSION_RESPONSE
        mock_open().__enter__.return_value = file_handle

        error_document = {
            "status": "foo",
            "errorSummary": "bar",
        }
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions/me/lifecycle/refresh',
            json=error_document,
            status=500
        )

        Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Status: foo"),
            call("Error: Summary: bar"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta_session_id_key_error(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod
    ):
        """Session creation fails with a JSON error document and HTTP 500.

        Primary auth succeeds, but ``/sessions`` returns ``status`` and
        ``errorSummary`` fields with status 500. ``Okta()`` must exit and
        print the status code, status and summary lines.
        """
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/authn',
            json=json.loads(AUTH_TOKEN_RESPONSE)
        )
        error_document = {
            "status": "foo",
            "errorSummary": "bar",
        }
        responses.add(
            responses.POST,
            'https://organization.okta.com/api/v1/sessions',
            json=error_document,
            status=500
        )

        self.assertRaises(
            SystemExit,
            Okta,
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        expected_tty_output = [
            call("Error: Status Code: 500"),
            call("Error: Status: foo"),
            call("Error: Summary: bar"),
        ]
        mock_print_tty.assert_has_calls(expected_tty_output)
    def test_okta_mfa_totp_challenge(
            self,
            mock_print_tty,
            mock_makedirs,
            mock_open,
            mock_chmod,
            mock_input
    ):
        """TOTP MFA: the code typed at the prompt completes authentication.

        ``input()`` is stubbed to return ``"123456"``; the verify call then
        yields a session token and a session is created. Asserts the token,
        organization and session id stored on the instance.
        """
        mock_input.return_value = "123456"

        stubbed_endpoints = (
            ('https://organization.okta.com/api/v1/authn', AUTH_MFA_TOTP_RESPONSE),
            ('https://organization.okta.com/api/v1/authn/factors/id/verify', AUTH_TOKEN_RESPONSE),
            ('https://organization.okta.com/api/v1/sessions', SESSION_RESPONSE),
        )
        for url, canned_body in stubbed_endpoints:
            responses.add(responses.POST, url, json=json.loads(canned_body))

        okta = Okta(
            user_name="user_name",
            user_pass="******",
            organization="organization.okta.com"
        )

        self.assertEqual(
            (okta.okta_single_use_token, okta.organization, okta.okta_session_id),
            ("single_use_token", "organization.okta.com", "session_token")
        )
    def _get_credentials(self):
        """Authenticate to Okta, choose an AWS role from the SAML assertion
        and assume it via STS.

        Returns the raw ``assume_role_with_saml`` response, with
        ``Credentials.Expiration`` rewritten as an ISO-8601 string whose
        UTC offset is expressed as ``Z``.

        Side effects: prompts the user (via ``prompt.get_item`` and
        ``print_tty``) unless the corresponding configuration keys are set,
        and blanks ``AWS_OKTA_USER`` / ``AWS_OKTA_PASS`` in
        ``self._configuration`` once Okta has been handed the credentials.
        """
        # Do NOT load credentials from ENV or ~/.aws/credentials
        # NOTE(review): AssumeRoleWithSAML is an unsigned STS operation, so the
        # empty key material here is expected to be sufficient -- confirm
        # against the botocore version in use.
        client = boto3.client(
            'sts',
            aws_access_key_id='',
            aws_secret_access_key='',
            aws_session_token=''
        )

        okta = Okta(
            user_name=self._configuration["AWS_OKTA_USER"],
            # Password is obtained on demand, not read from the config dict.
            user_pass=self._authenticate.get_pass(),
            organization=self._configuration["AWS_OKTA_ORGANIZATION"],
            factor=self._configuration["AWS_OKTA_FACTOR"],
            silent=self._configuration["AWS_OKTA_SILENT"]
        )

        # Scrub identity secrets from the in-memory configuration as soon as
        # Okta has them, so they are not kept around for the rest of the run.
        self._configuration["AWS_OKTA_USER"] = ''
        self._configuration["AWS_OKTA_PASS"] = ''

        if self._configuration["AWS_OKTA_APPLICATION"]:
            application_url = self._configuration["AWS_OKTA_APPLICATION"]
        else:
            applications = okta.get_applications()

            # ``key`` is necessarily falsy in this branch (the condition above
            # failed); presumably get_item then falls back to prompting.
            application_url = prompt.get_item(
                items=applications,
                label="AWS application",
                key=self._configuration["AWS_OKTA_APPLICATION"]
            )

        saml_response = okta.get_saml_response(
            application_url=application_url
        )

        saml_assertion = saml.get_saml_assertion(
            saml_response=saml_response
        )

        aws_roles = saml.get_aws_roles(
            saml_assertion=saml_assertion
        )

        # AWS_OKTA_ROLE may pre-select a role; otherwise the user is prompted.
        aws_role = prompt.get_item(
            items=aws_roles,
            label="AWS Role",
            key=self._configuration["AWS_OKTA_ROLE"]
        )

        print_tty(
            "Role: {}".format(aws_role.role_arn),
            silent=self._configuration["AWS_OKTA_SILENT"]
        )

        # AWS_OKTA_DURATION is taken straight from configuration; a
        # non-integer value raises ValueError here rather than being reported
        # through print_tty.
        response = client.assume_role_with_saml(
            RoleArn=aws_role.role_arn,
            PrincipalArn=aws_role.principal_arn,
            SAMLAssertion=saml_assertion,
            DurationSeconds=int(self._configuration["AWS_OKTA_DURATION"])
        )

        # Expiration is expected to be a timezone-aware datetime; normalise
        # the "+00:00" offset to the "Z" form before handing it back.
        expiration = (response['Credentials']['Expiration']
                      .isoformat().replace("+00:00", "Z"))

        response['Credentials']['Expiration'] = expiration

        return response