Allow Okta auth backend to specify TTL and max TTL values

hashicorp · Jul 2, 2017 · f8812c1 · f8812c1
1 parent a00c9e5
commit f8812c1
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 12 deletions.
diff --git a/builtin/credential/okta/backend_test.go b/builtin/credential/okta/backend_test.go
@@ -12,12 +12,18 @@ import (
 
 	"github.com/hashicorp/vault/logical"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
+	"time"
 )
 
 func TestBackend_Config(t *testing.T) {
+	defaultLeaseTTLVal := time.Hour * 12
+	maxLeaseTTLVal := time.Hour * 24
 	b, err := Factory(&logical.BackendConfig{
 		Logger: logformat.NewVaultLogger(log.LevelTrace),
-		System: &logical.StaticSystemView{},
+		System: &logical.StaticSystemView{
+			DefaultLeaseTTLVal: defaultLeaseTTLVal,
+			MaxLeaseTTLVal:     maxLeaseTTLVal,
+		},
 	})
 	if err != nil {
 		t.Fatalf("Unable to create backend: %s", err)
@@ -31,8 +37,10 @@ func TestBackend_Config(t *testing.T) {
 		"base_url":     "oktapreview.com",
 	}
 
+	updatedDuration := time.Hour * 1
 	configDataToken := map[string]interface{}{
 		"token": os.Getenv("OKTA_API_TOKEN"),
+		"ttl":   "1h",
 	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -41,23 +49,23 @@ func TestBackend_Config(t *testing.T) {
 		Backend:        b,
 		Steps: []logicaltest.TestStep{
 			testConfigCreate(t, configData),
-			testLoginWrite(t, username, "wrong", "E0000004", nil),
-			testLoginWrite(t, username, password, "user is not a member of any authorized policy", nil),
+			testLoginWrite(t, username, "wrong", "E0000004", 0, nil),
+			testLoginWrite(t, username, password, "user is not a member of any authorized policy", 0, nil),
 			testAccUserGroups(t, username, "local_group,local_group2"),
 			testAccGroups(t, "local_group", "local_group_policy"),
-			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
+			testLoginWrite(t, username, password, "", defaultLeaseTTLVal.Nanoseconds(), []string{"local_group_policy"}),
 			testAccGroups(t, "Everyone", "everyone_group_policy,every_group_policy2"),
-			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
+			testLoginWrite(t, username, password, "", defaultLeaseTTLVal.Nanoseconds(), []string{"local_group_policy"}),
 			testConfigUpdate(t, configDataToken),
 			testConfigRead(t, configData),
-			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy"}),
+			testLoginWrite(t, username, password, "", updatedDuration.Nanoseconds(), []string{"everyone_group_policy", "every_group_policy2", "local_group_policy"}),
 			testAccGroups(t, "local_group2", "testgroup_group_policy"),
-			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy"}),
+			testLoginWrite(t, username, password, "", updatedDuration.Nanoseconds(), []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy"}),
 		},
 	})
 }
 
-func testLoginWrite(t *testing.T, username, password, reason string, policies []string) logicaltest.TestStep {
+func testLoginWrite(t *testing.T, username, password, reason string, expectedTTL int64, policies []string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "login/" + username,
@@ -76,6 +84,11 @@ func testLoginWrite(t *testing.T, username, password, reason string, policies []
 				if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
 					return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)
 				}
+
+				actualTTL := resp.Auth.LeaseOptions.TTL.Nanoseconds()
+				if actualTTL != expectedTTL {
+					return fmt.Errorf("TTL mismatch expected %v but got %v", expectedTTL, actualTTL)
+				}
 			}
 
 			return nil

diff --git a/builtin/credential/okta/path_config.go b/builtin/credential/okta/path_config.go
@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"github.com/sstarcher/go-okta"
+	"time"
 )
 
 func pathConfig(b *backend) *framework.Path {
@@ -26,6 +27,14 @@ func pathConfig(b *backend) *framework.Path {
 				Description: `The API endpoint to use. Useful if you
 are using Okta development accounts.`,
 			},
+			"ttl": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Duration after which authentication will be expired`,
+			},
+			"max_ttl": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: `Maximum duration after which authentication will be expired`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -75,6 +84,8 @@ func (b *backend) pathConfigRead(
 		Data: map[string]interface{}{
 			"Org":     cfg.Org,
 			"BaseURL": cfg.BaseURL,
+			"TTL":     cfg.TTL,
+			"MaxTTL":  cfg.MaxTTL,
 		},
 	}
 
@@ -118,6 +129,31 @@ func (b *backend) pathConfigWrite(
 		cfg.BaseURL = d.Get("base_url").(string)
 	}
 
+	var ttl time.Duration
+	ttlRaw, ok := d.GetOk("ttl")
+	if !ok || len(ttlRaw.(string)) == 0 {
+		ttl = 0
+	} else {
+		ttl, err = time.ParseDuration(ttlRaw.(string))
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("Invalid 'ttl':%s", err)), nil
+		}
+	}
+
+	var maxTTL time.Duration
+	maxTTLRaw, ok := d.GetOk("max_ttl")
+	if !ok || len(maxTTLRaw.(string)) == 0 {
+		maxTTL = 0
+	} else {
+		maxTTL, err = time.ParseDuration(maxTTLRaw.(string))
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("Invalid 'max_ttl':%s", err)), nil
+		}
+	}
+
+	cfg.TTL = ttl
+	cfg.MaxTTL = maxTTL
+
 	jsonCfg, err := logical.StorageEntryJSON("config", cfg)
 	if err != nil {
 		return nil, err
@@ -155,9 +191,11 @@ func (c *ConfigEntry) OktaClient() *okta.Client {
 
 // ConfigEntry for Okta
 type ConfigEntry struct {
-	Org     string `json:"organization"`
-	Token   string `json:"token"`
-	BaseURL string `json:"base_url"`
+	Org     string        `json:"organization"`
+	Token   string        `json:"token"`
+	BaseURL string        `json:"base_url"`
+	TTL     time.Duration `json:"ttl"`
+	MaxTTL  time.Duration `json:"max_ttl"`
 }
 
 const pathConfigHelp = `

diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
@@ -5,9 +5,11 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/go-errors/errors"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
+	"time"
 )
 
 func pathLogin(b *backend) *framework.Path {
@@ -55,6 +57,11 @@ func (b *backend) pathLogin(
 
 	sort.Strings(policies)
 
+	ttl, _, err := b.getTTLs(req)
+	if err != nil {
+		return nil, err
+	}
+
 	resp.Auth = &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{
@@ -66,6 +73,7 @@ func (b *backend) pathLogin(
 		},
 		DisplayName: username,
 		LeaseOptions: logical.LeaseOptions{
+			TTL:       ttl,
 			Renewable: true,
 		},
 	}
@@ -87,7 +95,27 @@ func (b *backend) pathLoginRenew(
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
 
-	return framework.LeaseExtend(0, 0, b.System())(req, d)
+	ttl, maxTTL, err := b.getTTLs(req)
+	if err != nil {
+		return nil, err
+	}
+
+	return framework.LeaseExtend(ttl, maxTTL, b.System())(req, d)
+}
+
+func (b *backend) getTTLs(req *logical.Request) (ttl, maxTTL time.Duration, err error) {
+
+	cfg, err := b.Config(req.Storage)
+	if err != nil {
+		return 0, 0, err
+	}
+	if cfg == nil {
+		return 0, 0, errors.New("Okta backend not configured")
+	}
+
+	ttl, maxTTL, err = b.SanitizeTTLStr(cfg.TTL.String(), cfg.MaxTTL.String())
+
+	return ttl, maxTTL, err
 }
 
 const pathLoginSyn = `

diff --git a/website/source/docs/auth/okta.html.md b/website/source/docs/auth/okta.html.md
@@ -90,6 +90,10 @@ Configuration is written to `auth/okta/config`.
 * `organization` (string, required) - The Okta organization.  This will be the first part of the url `https://XXX.okta.com` url.
 * `token` (string, optional) - The Okta API token.  This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. This can be generated from http://developer.okta.com/docs/api/getting_started/getting_a_token.html
 * `base_url` (string, optional) - The Okta url. Examples: `oktapreview.com`, The default is `okta.com`
+* `max_ttl` (string, optional) - Maximum duration after which authentication will be expired.
+ This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)
+* `ttl` (string, optional) - Duration after which authentication will be expired.
+ This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)
 
 Use `vault path-help` for more details.