Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding support for base_url for Okta api #3316

Merged
merged 9 commits into from
Sep 15, 2017
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 33 additions & 30 deletions builtin/credential/okta/path_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package okta
import (
"fmt"
"net/url"
"strings"

"time"

Expand All @@ -13,35 +12,39 @@ import (
"github.com/hashicorp/vault/logical/framework"
)

const (
defaultBaseURL = "okta.com"
previewBaseURL = "oktapreview.com"
)

func pathConfig(b *backend) *framework.Path {
return &framework.Path{
Pattern: `config`,
Fields: map[string]*framework.FieldSchema{
"organization": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Okta organization to authenticate against (DEPRECATED)",
Description: "(DEPRECATED) Okta organization to authenticate against",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe update this to say "Use org_name instead."

},
"org_name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the organization to be used in the Okta API.",
},
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Okta admin API token (DEPRECATED)",
Description: "(DEPRECATED) Okta admin API token",
},
"api_token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Okta API key.",
},
"base_url": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The API endpoint to use. Useful if you
are using Okta development accounts. (DEPRECATED)`,
Type: framework.TypeString,
Default: defaultBaseURL,
Description: `The base domain to use for the Okta API. Default is "okta.com".`,
},
"production": &framework.FieldSchema{
Type: framework.TypeBool,
Default: true,
Description: `If set, production API URL prefix will be used to communicate with Okta and if not set, a preview production API URL prefix will be used. Defaults to true.`,
Description: `(DEPRECATED) Use base_url.`,
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Expand Down Expand Up @@ -100,14 +103,16 @@ func (b *backend) pathConfigRead(
Data: map[string]interface{}{
"organization": cfg.Org,
"org_name": cfg.Org,
"production": *cfg.Production,
"ttl": cfg.TTL,
"max_ttl": cfg.MaxTTL,
},
}
if cfg.BaseURL != "" {
resp.Data["base_url"] = cfg.BaseURL
}
if cfg.Production != nil {
resp.Data["production"] = *cfg.Production
}

return resp, nil
}
Expand Down Expand Up @@ -153,22 +158,18 @@ func (b *backend) pathConfigWrite(
return logical.ErrorResponse("api_token is missing"), nil
}

baseURL, ok := d.GetOk("base_url")
if ok {
baseURLString := baseURL.(string)
if len(baseURLString) != 0 {
_, err = url.Parse(baseURLString)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Error parsing given base_url: %s", err)), nil
}
cfg.BaseURL = baseURLString
}
} else if req.Operation == logical.CreateOperation {
cfg.BaseURL = d.Get("base_url").(string)
baseURL := d.Get("base_url").(string)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code now requires base_url set at all times instead of honoring create/update. Not necessarily a problem, but a change in behavior. Also, the documentation lists it as optional.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is the problem with providing a default value in the fields. I'll remove the default and only populate it when it is specified.

_, err = url.Parse(fmt.Sprintf("https://%s,%s", cfg.Org, baseURL))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Error parsing given base_url: %s", err)), nil
}
cfg.BaseURL = baseURL

productionRaw := d.Get("production").(bool)
cfg.Production = &productionRaw
productionRaw, ok := d.GetOk("production")
if ok {
production := productionRaw.(bool)
cfg.Production = &production
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this loads cfg first if it's there, if they have production in the past, but now leave that value out and switch to a custom base url, there's a possibility of their base url being overwritten by the production value later on. I think if a base_url is provided we should nil out production.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. I played around with this dance a bit and ended up hear. I like your suggestion better.

}

ttl, ok := d.GetOk("ttl")
if ok {
Expand Down Expand Up @@ -207,16 +208,18 @@ func (b *backend) pathConfigExistenceCheck(

// OktaClient creates a basic okta client connection
func (c *ConfigEntry) OktaClient() *okta.Client {
production := true
if c.Production != nil {
production = *c.Production
}
baseURL := defaultBaseURL
if c.BaseURL != "" {
if strings.Contains(c.BaseURL, "oktapreview.com") {
production = false
baseURL = c.BaseURL
}
if c.Production != nil {
if !*c.Production {
baseURL = previewBaseURL
}
}
return okta.NewClient(cleanhttp.DefaultClient(), c.Org, c.Token, production)
// We validate config on input and errors are only returned when parsing URLs
client, _ := okta.NewClientWithDomain(cleanhttp.DefaultClient(), c.Org, baseURL, c.Token)
return client
}

// ConfigEntry for Okta
Expand Down
60 changes: 40 additions & 20 deletions vendor/github.com/chrismalek/oktasdk-go/okta/sdk.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions vendor/vendor.json
Original file line number Diff line number Diff line change
Expand Up @@ -439,10 +439,10 @@
"revisionTime": "2017-07-11T19:02:43Z"
},
{
"checksumSHA1": "QZtBo/fc3zeQFxPFgPVMyDiw70M=",
"checksumSHA1": "sFjc2R+KS9AeXIPMV4KCw+GwX5I=",
"path": "github.com/chrismalek/oktasdk-go/okta",
"revision": "7d4ce0a254ec5f9eda3397523f6cf183e1d46c5e",
"revisionTime": "2017-02-07T05:01:14Z"
"revision": "ae553c909ca06a4c34eb41ee435e83871a7c2496",
"revisionTime": "2017-09-11T15:31:29Z"
},
{
"checksumSHA1": "WsB6y1Yd+kDbHGz1Rm7xZ44hyAE=",
Expand Down
7 changes: 3 additions & 4 deletions website/source/api/auth/okta/index.html.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,8 @@ distinction between the `create` and `update` capabilities inside ACL policies.
- `org_name` `(string: <required>)` - Name of the organization to be used in the
Okta API.
- `api_token` `(string: <required>)` - Okta API key.
- `production` `(bool: true)` - If set, production API URL prefix will be used
to communicate with Okta and if not set, a preview production API URL prefix
will be used. Defaults to true.
- `base_url` `(string: "okta.com")` - If set, will be used as the base domain
for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com.
- `ttl` `(string: "")` - Duration after which authentication will be expired.
- `max_ttl` `(string: "")` - Maximum duration after which authentication will
be expired.
Expand Down Expand Up @@ -83,7 +82,7 @@ $ curl \
"data": {
"org_name": "example",
"api_token": "abc123",
"production": true,
"base_url": "okta.com",
"ttl": "",
"max_ttl": ""
},
Expand Down
10 changes: 5 additions & 5 deletions website/source/docs/auth/okta.html.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,8 @@ Configuration is written to `auth/okta/config`.

### Connection parameters

* `organization` (string, required) - The Okta organization. This will be the first part of the url `https://XXX.okta.com` url.
* `token` (string, optional) - The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. This can be generated from http://developer.okta.com/docs/api/getting_started/getting_a_token.html
* `org_name` (string, required) - The Okta organization. This will be the first part of the url `https://XXX.okta.com` url.
* `api_token` (string, optional) - The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. This can be generated from http://developer.okta.com/docs/api/getting_started/getting_a_token.html
* `base_url` (string, optional) - The Okta url. Examples: `oktapreview.com`, The default is `okta.com`
* `max_ttl` (string, optional) - Maximum duration after which authentication will be expired.
Either number of seconds or in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)
Expand All @@ -106,7 +106,7 @@ Use `vault path-help` for more details.

```
$ vault write auth/okta/config \
organization="XXXTest"
org_name="XXXTest"
...
```

Expand All @@ -118,8 +118,8 @@ $ vault write auth/okta/config \

```
$ vault write auth/okta/config base_url="oktapreview.com" \
organization="dev-123456" \
token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
org_name="dev-123456" \
api_token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
...
```

Expand Down