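def test_valid_token(self):
    """Check that the unmodified fixture config authenticates with MFA.

    auth() must return True and the newest info-level log entry must
    carry the MFA success message.
    """
    okta = OktaAPIAuth(**self.config)
    # assertEqual replaces the deprecated assertEquals alias, which newer
    # unittest releases no longer provide.
    self.assertEqual(okta.auth(), True)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('now authenticated with MFA via Okta API', last_info)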
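def test_connect_to_example_with_good_pin(self):
    """Check that preauth() completes when the pinset holds the fixture pin.

    The pinset is narrowed to the single herokuapp.com pin kept on the
    test case. The response must contain a 'status' of 'MFA_REQUIRED'.
    """
    # NOTE(review): config aliases self.config, so the assignment below
    # edits the fixture in place. Assumes it is rebuilt per test; confirm.
    config = self.config
    config['assert_pinset'] = [self.herokuapp_dot_com_pin]
    okta = OktaAPIAuth(**config)
    result = okta.preauth()
    self.assertIn('status', result)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(result['status'], 'MFA_REQUIRED')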
def test_user_agent_set(self):
    """Check that preauth() sends a descriptive User-Agent header.

    The connection pool is replaced with a MagicMock so no request leaves
    the process. The headers of the first urlopen call must contain a
    'user-agent' entry naming the product, the OS and the Python runtime.
    """
    import platform

    client = OktaAPIAuth(**self.config)
    client.pool = MagicMock()

    class _StubResponse:
        # Empty JSON object: the minimal body preauth() is handed back.
        data = '{}'

    client.pool.urlopen.return_value = _StubResponse()
    header_name = 'user-agent'
    # Header format reference: http://www.ietf.org/rfc/rfc2616.txt
    # Example value: OktaOpenVPN/1.0.0 (Darwin 13.4.0) CPython/2.7.1
    client.preauth()

    recorded_calls = client.pool.urlopen.call_args_list
    # Index 1 of a recorded call is its keyword-argument dict.
    sent_headers = recorded_calls[0][1]['headers']
    self.assertIn(header_name, sent_headers)
    sent_value = sent_headers[header_name]

    uname = platform.uname()
    runtime = "{}/{}".format(
        platform.python_implementation(),
        platform.python_version(),
    )
    for fragment in ('OktaOpenVPN/', uname[0], uname[2], runtime):
        self.assertIn(fragment, sent_value)
def test_user_agent_set(self):
    """Verify the User-Agent header that preauth() hands to the pool.

    urlopen is mocked, so the test inspects the recorded call rather than
    a real request. The header must mention 'OktaOpenVPN/', the OS name
    and release, and the Python implementation and version.
    """
    # NOTE(review): if the enclosing class already defines a method with
    # this name, the later definition replaces the earlier one and only
    # one of them runs.
    import platform

    okta = OktaAPIAuth(**self.config)
    pool = MagicMock()
    okta.pool = pool

    class FakeUrlopenResult:
        data = '{}'

    pool.urlopen.return_value = FakeUrlopenResult()
    key = 'user-agent'
    # http://www.ietf.org/rfc/rfc2616.txt
    # OktaOpenVPN/1.0.0 (Darwin 13.4.0) CPython/2.7.1
    okta.preauth()

    first_call = okta.pool.urlopen.call_args_list[0]
    call_kwargs = first_call[1]
    headers = call_kwargs['headers']
    self.assertIn(key, headers)
    actual = headers[key]

    os_name = platform.uname()[0]
    os_release = platform.uname()[2]
    python_tag = "{}/{}".format(
        platform.python_implementation(),
        platform.python_version(),
    )
    required = ['OktaOpenVPN/', os_name, os_release, python_tag]
    for piece in required:
        self.assertIn(piece, actual)
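def test_connect_to_okta_with_good_pins(self):
    """Check that preauth() gets an API-level answer from an okta.com host.

    The URL is pointed at https://example.okta.com and the pinset is left
    as the fixture provides it. The expected result is the API's
    'Invalid token provided' error.
    """
    # NOTE(review): this presumably needs outbound network access to the
    # host below, and its pinset must still match; confirm before relying
    # on it in an isolated CI environment.
    config = self.config
    config['okta_url'] = 'https://example.okta.com'
    okta = OktaAPIAuth(**config)
    result = okta.preauth()
    # This is what we'll get since we're sending an invalid token:
    self.assertIn('errorSummary', result)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(result['errorSummary'], 'Invalid token provided')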
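def test_invalid_url(self):
    """Check that auth() fails closed when the Okta URL cannot be reached.

    auth() must return False and the newest error-level log entry must
    report a connection failure.
    """
    config = self.config
    # Port 86753 is above the 65535 maximum, so this URL can never name a
    # reachable endpoint.
    config['okta_url'] = 'http://127.0.0.1:86753'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_error = self.okta_log_messages['error'][-1]
    self.assertIn('Error connecting to the Okta API', last_error)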
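def test_invalid_no_token(self):
    """Check that a password with no second factor is refused.

    auth() must return False and the newest info-level log entry must say
    that no second factor was found for the user.
    """
    config = self.config
    # The literal is masked in this listing. Presumably it was a password
    # with no token appended; restore it from the project source.
    config['password'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('No second factor found for username', last_info)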
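def test_password_None(self):
    """Check that a missing password is refused without authenticating.

    With password set to None, auth() must return False and the newest
    info-level log entry must report the missing credential.
    """
    config = self.config
    config['password'] = None
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('Missing username or password', last_info)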
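def test_password_expired(self):
    """Check that the account selected here is not allowed to log in.

    auth() must return False and the newest info-level log entry must say
    that the user is not allowed to authenticate.
    """
    config = self.config
    # The username is masked in this listing. Going by the test name, it
    # presumably selected an expired-password account.
    config['username'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('is not allowed to authenticate', last_info)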
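def test_invalid_token(self):
    """Check that a wrong MFA token is refused.

    auth() must return False. The failure is looked up in the debug-level
    log rather than info or error.
    """
    config = self.config
    # The literal is masked in this listing. Presumably it was a valid
    # password followed by an incorrect token.
    config['password'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_debug = self.okta_log_messages['debug'][-1]
    self.assertIn('MFA token authentication failed', last_debug)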
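def test_valid_user_must_enroll_mfa(self):
    """Check that a user who has not enrolled in MFA is refused.

    auth() must return False and the newest info-level log entry must
    tell the user to enroll first.
    """
    config = self.config
    # The username is masked in this listing. Restore it from the project
    # source before running.
    config['username'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('needs to enroll first', last_info)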
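def test_valid_user_no_mfa(self):
    """Check that the account selected here is admitted without MFA.

    auth() must return True and the newest info-level log entry must
    record that authentication happened without MFA.
    """
    # NOTE(review): this pins single-factor admission as accepted
    # behaviour. Confirm that is the intended policy for the deployment.
    config = self.config
    # Both literals are masked in this listing.
    config['username'] = '******'
    config['password'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), True)
    last_info = self.okta_log_messages['info'][-1]
    self.assertIn('authenticated without MFA', last_info)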
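def test_invalid_password(self):
    """Check that a wrong password is refused at the pre-authentication step.

    auth() must return False and the newest info-level log entry must
    contain the pre-authentication failure message.
    """
    config = self.config
    # Both literals are masked in this listing.
    config['username'] = '******'
    config['password'] = '******'
    okta = OktaAPIAuth(**config)
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_info = self.okta_log_messages['info'][-1]
    expected = 'pre-authentication failed: Authentication failed'
    self.assertIn(expected, last_info)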
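def test_unexpected_error(self):
    """Check that auth() fails closed on an unexpected exception.

    doauth is replaced with a function that always raises. auth() must
    return False instead of propagating the exception, and the newest
    error-level log entry must report the unexpected failure.
    """
    okta = OktaAPIAuth(**self.config)

    def doauth_fail(a, b):
        raise Exception('Mocked exception')

    # Assigned on the instance, so it is called as a plain function with
    # no bound self.
    okta.doauth = doauth_fail
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(okta.auth(), False)
    last_error = self.okta_log_messages['error'][-1]
    self.assertIn('Unexpected error with the Okta API', last_error)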
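def test_okta_url_cleaned(self):
    """Check that auth() still succeeds when okta_url has a suffix.

    Two variants of the fixture URL are tried in turn: one with a
    trailing slash and one with an '/api/v1' path. Each is given to a
    fresh OktaAPIAuth, and auth() must return True for both.
    """
    config = self.config
    for template in ("{}/", "{}/api/v1"):
        config['okta_url'] = template.format(self.okta_url)
        okta = OktaAPIAuth(**config)
        # assertEqual replaces the deprecated assertEquals alias. The
        # template is passed as the message so a failure names the variant.
        self.assertEqual(okta.auth(), True, template)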
def test_bad_pin_log_message(self):
    """Check the critical log entry written when the pin check fails.

    With a pinset that cannot match, preauth() must raise PinError. The
    newest critical-level log entry must then contain each expected
    fragment.
    """
    settings = self.config
    settings['assert_pinset'] = ['not-a-sha256']
    client = OktaAPIAuth(**settings)
    with self.assertRaises(PinError):
        client.preauth()

    newest_critical = self.okta_log_messages['critical'][-1]
    # Two fragments omit their first letter, presumably so the match does
    # not depend on its capitalisation.
    # NOTE(review): the address in the last fragment appears masked by the
    # page this listing came from. Restore the literal from the project
    # source before running.
    fragments = (
        'efusing to authenticate',
        'mocked-okta-api.herokuapp.com',
        'TLS public key pinning check',
        'lease contact [email protected]',
    )
    for fragment in fragments:
        self.assertIn(fragment, newest_critical)
def test_connect_to_example_with_bad_pin(self):
    """Check that preauth() raises PinError when no pin can match.

    The pinset is replaced with one placeholder string that is not a
    SHA-256 value.
    """
    settings = self.config
    settings['assert_pinset'] = ['not-a-sha256']
    client = OktaAPIAuth(**settings)
    # The pin failure must surface as an exception, not as a return value
    # a caller could ignore.
    with self.assertRaises(PinError):
        client.preauth()
def test_connect_to_unencrypted_server(self):
    """Check that preauth() raises PoolError for a plain-http Okta URL.

    The assertion shows only that an http:// URL makes preauth() raise
    urllib3.exceptions.PoolError.
    """
    # NOTE(review): presumably the client refuses non-TLS endpoints so
    # credentials never travel in cleartext. Confirm against the client
    # code.
    settings = self.config
    settings['okta_url'] = 'http://example.com'
    client = OktaAPIAuth(**settings)
    with self.assertRaises(urllib3.exceptions.PoolError):
        client.preauth()
def test_connect_to_encrypted_but_unintended_server(self):
    """Check that preauth() raises PinError for an HTTPS host that is not Okta.

    The URL is pointed at https://example.com and the pinset is left as
    the fixture provides it.
    """
    # NOTE(review): presumably the host presents a key outside the
    # fixture pinset, and reaching it needs outbound network access.
    # Confirm before running in an isolated environment.
    settings = self.config
    settings['okta_url'] = 'https://example.com'
    client = OktaAPIAuth(**settings)
    with self.assertRaises(PinError):
        client.preauth()