Feat/fido workaround (#1065)

* Updated okta libraries, ignore fido

The auth library doesn't know about FIDO, so it fails to deal with it.
We'll skip that until we can use the different library.

* Fixed tests

* Added tests for factor skipping methods

* Fix check order for shouldSkip

* Reverted node changes

Co-authored-by: Shawn Sherwood <[email protected]>

cerberus-auth-connector-okta/src/main/java/com/nike/cerberus/auth/connector/okta/statehandlers/AbstractOktaStateHandler.java

@@ -135,6 +135,16 @@ public boolean isTriggerRequired(Factor factor) {
     return false;
   }
 
+  /**
+   * Determines whether the factor is a FIDO type, which the okta.auth.sdk cannot handle
+   *
+   * @param factor Okta MFA factor
+   * @return boolean trigger required
+   */
+  public boolean isFido(Factor factor) {
+    return factor.getVendorName().equals("FIDO");
+  }
+
   /**
    * Determines whether a trigger is required for a provided MFA factor
    *
@@ -149,6 +159,16 @@ public boolean isPush(Factor factor) {
     return (provider.equals(FactorProvider.OKTA) && type == FactorType.PUSH);
   }
 
+  /**
+   * Determines whether a trigger is required for a provided MFA factor
+   *
+   * @param factor Okta MFA factor
+   * @return boolean trigger required
+   */
+  public boolean shouldSkip(Factor factor) {
+    return isFido(factor) || isPush(factor);
+  }
+
   /**
    * Ensure the user has at least one active MFA device set up
    *

cerberus-auth-connector-okta/src/main/java/com/nike/cerberus/auth/connector/okta/statehandlers/InitialLoginStateHandler.java

@@ -72,7 +72,7 @@ private void handleMfaResponse(AuthenticationResponse mfaResponse) {
 
     final List<Factor> factors = new ArrayList<>(mfaResponse.getFactors());
 
-    factors.removeIf(this::isPush);
+    factors.removeIf(this::shouldSkip);
 
     validateUserFactors(factors);
 

cerberus-auth-connector-okta/src/test/java/com/nike/cerberus/auth/connector/okta/AbstractOktaStateHandlerTest.java

@@ -18,6 +18,8 @@
 
 import static groovy.test.GroovyTestCase.assertEquals;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
 
@@ -241,4 +243,59 @@ public void handleUnknownPasswordExpired() {
 
     abstractOktaStateHandler.handleUnknown(unknownResponse);
   }
+
+  @Test
+  public void testIsFido() {
+    DefaultFactor nonFidoFactor = mock(DefaultFactor.class);
+    when(nonFidoFactor.getVendorName()).thenReturn("Okta");
+    Assert.assertFalse(abstractOktaStateHandler.isFido(nonFidoFactor));
+
+    DefaultFactor fidoFactor = mock(DefaultFactor.class);
+    when(fidoFactor.getVendorName()).thenReturn("FIDO");
+    Assert.assertTrue(abstractOktaStateHandler.isFido(fidoFactor));
+  }
+
+  @Test
+  public void testIsPush() {
+    DefaultFactor nonPushFactor = mock(DefaultFactor.class);
+    when(nonPushFactor.getVendorName()).thenReturn("Okta");
+    when(nonPushFactor.getProvider()).thenReturn(FactorProvider.OKTA);
+    when(nonPushFactor.getType()).thenReturn(FactorType.TOKEN_SOFTWARE_TOTP);
+
+    Assert.assertFalse(abstractOktaStateHandler.isPush(nonPushFactor));
+
+    DefaultFactor pushFactor = mock(DefaultFactor.class);
+    when(pushFactor.getVendorName()).thenReturn("Okta");
+    when(pushFactor.getProvider()).thenReturn(FactorProvider.OKTA);
+    when(pushFactor.getType()).thenReturn(FactorType.PUSH);
+
+    Assert.assertTrue(abstractOktaStateHandler.isPush(pushFactor));
+  }
+
+  @Test
+  public void testShouldSkip() {
+    DefaultFactor nonSkipFactor = mock(DefaultFactor.class);
+    when(nonSkipFactor.getVendorName()).thenReturn("Okta");
+    when(nonSkipFactor.getProvider()).thenReturn(FactorProvider.OKTA);
+    when(nonSkipFactor.getType()).thenReturn(FactorType.TOKEN_SOFTWARE_TOTP);
+
+    Assert.assertFalse(abstractOktaStateHandler.shouldSkip(nonSkipFactor));
+
+    DefaultFactor pushFactor = mock(DefaultFactor.class);
+    when(pushFactor.getVendorName()).thenReturn("Okta");
+    when(pushFactor.getProvider()).thenReturn(FactorProvider.OKTA);
+    when(pushFactor.getType()).thenReturn(FactorType.PUSH);
+
+    Assert.assertTrue(abstractOktaStateHandler.isPush(pushFactor));
+    Assert.assertTrue(abstractOktaStateHandler.shouldSkip(pushFactor));
+
+    DefaultFactor fidoFactor = mock(DefaultFactor.class);
+    when(fidoFactor.getVendorName()).thenReturn("FIDO");
+    when(fidoFactor.getProvider()).thenReturn(FactorProvider.OKTA);
+    when(fidoFactor.getType()).thenReturn(FactorType.TOKEN_SOFTWARE_TOTP);
+
+    Assert.assertTrue(abstractOktaStateHandler.isFido(fidoFactor));
+    Assert.assertTrue(abstractOktaStateHandler.shouldSkip(fidoFactor));
+    verify(fidoFactor, times(0)).getProvider();
+  }
 }

cerberus-auth-connector-okta/src/test/java/com/nike/cerberus/auth/connector/okta/InitialLoginStateHandlerTest.java

@@ -87,6 +87,7 @@ public void handleMfaRequired() throws Exception {
     when(factor.getProvider()).thenReturn(provider);
     when(factor.getStatus()).thenReturn(status);
     when(factor.getId()).thenReturn(deviceId);
+    when(factor.getVendorName()).thenReturn("OKTA");
     when(expectedResponse.getFactors()).thenReturn(Lists.newArrayList(factor));
 
     // do the call
@@ -125,6 +126,7 @@ public void handleMfaEnroll() throws Exception {
     when(factor.getProvider()).thenReturn(provider);
     when(factor.getStatus()).thenReturn(status);
     when(factor.getId()).thenReturn(deviceId);
+    when(factor.getVendorName()).thenReturn("OKTA");
     when(expectedResponse.getFactors()).thenReturn(Lists.newArrayList(factor));
 
     // do the call