def test_OktaOpenVPNValidator_run(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, } tmp = tempfile.NamedTemporaryFile() env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'], 'auth_control_file': tmp.name, 'assert_pin': self.herokuapp_dot_com_pin, }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.run() self.assertTrue(validator.user_valid) tmp.file.seek(0) rv = tmp.file.read() self.assertEquals(rv, '1') last_error = self.okta_log_messages['info'][-1:][0] self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_suffix_with_valid_config_file(self): config_format = ( "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "UsernameSuffix: {}\n") cfg = tempfile.NamedTemporaryFile() cfg.file.write(config_format.format( self.okta_url, self.okta_token, self.username_suffix)) cfg.file.seek(0) env = MockEnviron({ 'common_name': self.username_prefix, 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env validator.read_configuration_file() validator.load_environment_variables() # Disable Public Key Pinning validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages['info'][-1:][0] self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_with_valid_config_file_with_untrusted_user_disabled(self): for val in ['yes', '1', 'true', 'ok', 'False', '0']: config_format = ( "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "AllowUntrustedUsers: {}") cfg = tempfile.NamedTemporaryFile() cfg.file.write(config_format.format( self.okta_url, self.okta_token, val)) cfg.file.seek(0) env = MockEnviron({ 'username': self.config['username'], 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env validator.read_configuration_file() validator.load_environment_variables() # Disable Public Key Pinning validator.okta_config['assert_pinset'] = [ self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, False)
def test_control_file_directory_has_bad_permissions(self): cfg = self.config tmp_dir = tempfile.mkdtemp() tmp = tempfile.NamedTemporaryFile(dir=tmp_dir) os.chmod(tmp_dir, 0777) env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'], 'auth_control_file': tmp.name, 'assert_pin': self.herokuapp_dot_com_pin, }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env msgs = self.expected_messages msgs.append('directory containing') self.assertRaises(ControlFilePermissionsError, validator.run) last_error = self.okta_log_messages['critical'][-1:][0] for msg in msgs: self.assertIn(msg, last_error) tmp.close() os.rmdir(tmp_dir)
def test_okta_verify_push_int(self, patched_time_sleep): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, 'mfa_push_max_retries': int(20), 'mfa_push_delay_secs': int(11), } env = MockEnviron({ 'common_name': '*****@*****.**', 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.load_environment_variables() validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] validator.authenticate() for call in patched_time_sleep.call_args_list: args, kwargs = call for arg in args: import pprint pprint.pprint(arg) msg = "time.sleep() must be called with a float not %s" assert isinstance(arg, float), msg % type(arg) patched_time_sleep.assert_called_with(11)
def test_with_valid_config_file(self): config_format = ( "[OktaAPI]\n" "Url: {}\n" "Token: {}\n") cfg = tempfile.NamedTemporaryFile() cfg.file.write(config_format.format( self.okta_url, self.okta_token)) cfg.file.seek(0) env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env validator.read_configuration_file() validator.load_environment_variables() # Disable Public Key Pinning validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages['info'][-1:][0] self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_no_okta_url(self): env = MockEnviron({}) validator = OktaOpenVPNValidator() validator.env = env rv = validator.load_environment_variables() self.assertEquals(rv, False) last_error = self.okta_log_messages['critical'][-1:][0] self.assertIn('OKTA_URL not defined', last_error)
def test_okta_url_no_token(self): cfg = {"okta_url": self.okta_url} env = MockEnviron({}) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env rv = validator.load_environment_variables() self.assertEquals(rv, False) last_error = self.okta_log_messages["critical"][-1:][0] self.assertIn("OKTA_TOKEN not defined", last_error)
def test_with_invalid_config_file(self): cfg = tempfile.NamedTemporaryFile() cfg.file.write("invalidconfig") cfg.file.seek(0) env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]}) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env rv = validator.read_configuration_file() self.assertEquals(rv, False)
def test_no_username_or_password(self): cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token} env = MockEnviron({}) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env rv = validator.load_environment_variables() rv = validator.authenticate() self.assertEquals(rv, False) last_error = self.okta_log_messages["warning"][-1:][0] self.assertIn("is not trusted - failing", last_error)
def test_okta_url_no_token(self): cfg = { 'okta_url': self.okta_url } env = MockEnviron({}) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env rv = validator.load_environment_variables() self.assertEquals(rv, False) last_error = self.okta_log_messages['critical'][-1:][0] self.assertIn('OKTA_TOKEN not defined', last_error)
def test_authenticate_handles_exceptions(self): cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token} env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]}) validator = OktaOpenVPNValidator() validator.cls = ThrowsErrorOktaAPI validator.site_config = cfg validator.env = env validator.load_environment_variables() rv = validator.authenticate() self.assertEquals(rv, False) last_error = self.okta_log_messages["error"][-1:][0] self.assertIn("authentication failed, because", last_error)
def test_with_invalid_config_file(self): cfg = tempfile.NamedTemporaryFile() cfg.file.write('invalidconfig') cfg.file.seek(0) env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env rv = validator.read_configuration_file() self.assertEquals(rv, False)
def test_with_username_and_password(self): cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token} env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]}) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.load_environment_variables() validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages["info"][-1:][0] self.assertIn("is now authenticated with MFA via Okta API", last_error)
def test_no_username_or_password(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, } env = MockEnviron({}) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env rv = validator.load_environment_variables() rv = validator.authenticate() self.assertEquals(rv, False) last_error = self.okta_log_messages['warning'][-1:][0] self.assertIn('is not trusted - failing', last_error)
def test_with_valid_config_file_with_untrusted_user_disabled(self): for val in ["yes", "1", "true", "ok", "False", "0"]: config_format = "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "AllowUntrustedUsers: {}" cfg = tempfile.NamedTemporaryFile() cfg.file.write(config_format.format(self.okta_url, self.okta_token, val)) cfg.file.seek(0) env = MockEnviron({"username": self.config["username"], "password": self.config["password"]}) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env validator.read_configuration_file() validator.load_environment_variables() # Disable Public Key Pinning validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, False)
def test_with_valid_config_file_with_untrusted_user_enabled(self): config_format = "[OktaAPI]\n" "Url: {}\n" "Token: {}\n" "AllowUntrustedUsers: True" cfg = tempfile.NamedTemporaryFile() cfg.file.write(config_format.format(self.okta_url, self.okta_token)) cfg.file.seek(0) env = MockEnviron({"username": self.config["username"], "password": self.config["password"]}) validator = OktaOpenVPNValidator() validator.config_file = cfg.name validator.env = env validator.read_configuration_file() validator.load_environment_variables() # Disable Public Key Pinning validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages["info"][-1:][0] self.assertIn("is now authenticated with MFA via Okta API", last_error)
def test_authenticate_handles_exceptions(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, } env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.cls = ThrowsErrorOktaAPI validator.site_config = cfg validator.env = env validator.load_environment_variables() rv = validator.authenticate() self.assertEquals(rv, False) last_error = self.okta_log_messages['error'][-1:][0] self.assertIn('authentication failed, because', last_error)
def test_okta_verify_push_fails(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, 'mfa_push_max_retries': 20, 'mfa_push_delay_secs': self.mfa_push_delay_secs, } env = MockEnviron({ 'common_name': '*****@*****.**', 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.load_environment_variables() validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, False)
def test_with_username_and_password(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, } env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.load_environment_variables() validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages['info'][-1:][0] self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_okta_verify_push(self): cfg = { 'okta_url': self.okta_url, 'okta_token': self.okta_token, 'mfa_push_max_retries': 20, 'mfa_push_delay_secs': self.mfa_push_delay_secs, } env = MockEnviron({ 'common_name': '*****@*****.**', 'password': self.config['password'] }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.load_environment_variables() validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin] rv = validator.authenticate() self.assertEquals(rv, True) last_error = self.okta_log_messages['info'][-1] self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_connect_to_unintended_server_writes_0_to_control_file(self): cfg = self.config cfg['okta_url'] = 'https://example.com' tmp = tempfile.NamedTemporaryFile() env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'], 'auth_control_file': tmp.name, }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.run() self.assertFalse(validator.user_valid) tmp.file.seek(0) rv = tmp.file.read() self.assertEquals(rv, '0')
def test_control_file_bad_permissions_permutations(self): cfg = self.config modes = [ 0606, 0660, 0622, ] for mode in modes: tmp = tempfile.NamedTemporaryFile() os.chmod(tmp.name, mode) env = MockEnviron({ 'common_name': self.config['username'], 'password': self.config['password'], 'auth_control_file': tmp.name, 'assert_pin': self.herokuapp_dot_com_pin, }) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env self.assertRaises(ControlFilePermissionsError, validator.run) tmp.close()
def test_OktaOpenVPNValidator_run(self): cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token} tmp = tempfile.NamedTemporaryFile() env = MockEnviron( { "common_name": self.config["username"], "password": self.config["password"], "auth_control_file": tmp.name, "assert_pin": self.herokuapp_dot_com_pin, } ) validator = OktaOpenVPNValidator() validator.site_config = cfg validator.env = env validator.run() self.assertTrue(validator.user_valid) tmp.file.seek(0) rv = tmp.file.read() self.assertEquals(rv, "1") last_error = self.okta_log_messages["info"][-1:][0] self.assertIn("is now authenticated with MFA via Okta API", last_error)