Merge branch 'master-oss' into cli-enhancements

CHANGELOG.md

@@ -5,6 +5,9 @@ IMPROVEMENTS:
  * auth/centrify: Add CLI helper
  * audit: Always log failure metrics, even if zero, to ensure the values appear
    on dashboards [GH-3937]
+ * secret/pki: Add a flag to make the common name optional on certs [GH-3940]
+ * secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
+   properly handle IDNA transformations for these DNS names [GH-3953]
 
 BUG FIXES:
 
@@ -19,12 +22,18 @@ BUG FIXES:
    creation. Passing an explicit zero value for the period no longer create
    periodic tokens. [GH-3880]
  * command/ssh: Create and reuse the api client [GH-3909]
+ * identity: Fix race when creating entities [GH-3932]
+ * plugin/gRPC: Fixed an issue with list requests and raw responses coming from 
+   plugins using gRPC transport [GH-3881]
+ * plugin/gRPC: Fix panic when special paths are not set [GH-3946]
+ * secret/pki: Verify a name is a valid hostname before adding to DNS SANs
+   [GH-3918]
+ * secret/transit: Fix auditing when reading a key after it has been backed up
+   or restored [GH-3919]
  * storage/etcd3: Fix memory ballooning with standby instances [GH-3798]
  * storage/etcd3: Fix large lists (like token loading at startup) not being
    handled [GH-3772]
  * storage/zookeeper: Update vendoring to fix freezing issues [GH-3896]
- * plugin/gRPC: Fixed an issue with list requests and raw responses coming from 
-   plugins using gRPC transport [GH-3881]
 
 ## 0.9.3 (January 28th, 2018)
 

builtin/credential/okta/backend.go

@@ -115,6 +115,11 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 	case "PASSWORD_WARN":
 		oktaResponse.AddWarning("Your Okta password is in warning state and needs to be changed soon.")
 
+	case "MFA_REQUIRED", "MFA_ENROLL":
+		if !cfg.BypassOktaMFA {
+			return nil, logical.ErrorResponse("okta mfa required for this account but mfa bypass not set in config"), nil, nil
+		}
+
 	case "SUCCESS":
 		// Do nothing here
 
@@ -126,7 +131,13 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 	}
 
 	// Verify result status again in case a switch case above modifies result
-	if result.Status != "SUCCESS" && result.Status != "PASSWORD_WARN" {
+	switch {
+	case result.Status == "SUCCESS",
+		result.Status == "PASSWORD_WARN",
+		result.Status == "MFA_REQUIRED" && cfg.BypassOktaMFA,
+		result.Status == "MFA_ENROLL" && cfg.BypassOktaMFA:
+		// Allowed
+	default:
 		if b.Logger().IsDebug() {
 			b.Logger().Debug("auth/okta: authentication returned a non-success status", "status", result.Status)
 		}

builtin/credential/okta/path_config.go

@@ -54,6 +54,10 @@ func pathConfig(b *backend) *framework.Path {
 				Type:        framework.TypeDurationSecond,
 				Description: `Maximum duration after which authentication will be expired`,
 			},
+			"bypass_okta_mfa": &framework.FieldSchema{
+				Type:        framework.TypeBool,
+				Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -99,10 +103,11 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 
 	resp := &logical.Response{
 		Data: map[string]interface{}{
-			"organization": cfg.Org,
-			"org_name":     cfg.Org,
-			"ttl":          cfg.TTL.Seconds(),
-			"max_ttl":      cfg.MaxTTL.Seconds(),
+			"organization":    cfg.Org,
+			"org_name":        cfg.Org,
+			"ttl":             cfg.TTL.Seconds(),
+			"max_ttl":         cfg.MaxTTL.Seconds(),
+			"bypass_okta_mfa": cfg.BypassOktaMFA,
 		},
 	}
 	if cfg.BaseURL != "" {
@@ -112,6 +117,10 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		resp.Data["production"] = *cfg.Production
 	}
 
+	if cfg.BypassOktaMFA {
+		resp.AddWarning("Okta MFA bypass is configured. In addition to ignoring Okta MFA requests, certain other account statuses will not be seen, such as PASSWORD_EXPIRED. Authentication will succeed in these cases.")
+	}
+
 	return resp, nil
 }
 
@@ -175,6 +184,11 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		cfg.Production = nil
 	}
 
+	bypass, ok := d.GetOk("bypass_okta_mfa")
+	if ok {
+		cfg.BypassOktaMFA = bypass.(bool)
+	}
+
 	ttl, ok := d.GetOk("ttl")
 	if ok {
 		cfg.TTL = time.Duration(ttl.(int)) * time.Second
@@ -197,7 +211,13 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		return nil, err
 	}
 
-	return nil, nil
+	var resp *logical.Response
+	if cfg.BypassOktaMFA {
+		resp = new(logical.Response)
+		resp.AddWarning("Okta MFA bypass is configured. In addition to ignoring Okta MFA requests, certain other account statuses will not be seen, such as PASSWORD_EXPIRED. Authentication will succeed in these cases.")
+	}
+
+	return resp, nil
 }
 
 func (b *backend) pathConfigExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
@@ -228,12 +248,13 @@ func (c *ConfigEntry) OktaClient() *okta.Client {
 
 // ConfigEntry for Okta
 type ConfigEntry struct {
-	Org        string        `json:"organization"`
-	Token      string        `json:"token"`
-	BaseURL    string        `json:"base_url"`
-	Production *bool         `json:"is_production,omitempty"`
-	TTL        time.Duration `json:"ttl"`
-	MaxTTL     time.Duration `json:"max_ttl"`
+	Org           string        `json:"organization"`
+	Token         string        `json:"token"`
+	BaseURL       string        `json:"base_url"`
+	Production    *bool         `json:"is_production,omitempty"`
+	TTL           time.Duration `json:"ttl"`
+	MaxTTL        time.Duration `json:"max_ttl"`
+	BypassOktaMFA bool          `json:"bypass_okta_mfa"`
 }
 
 const pathConfigHelp = `