Add Okta directory sync (firezone#3614)

Why:

* To allow syncing of users/groups/memberships from an IDP to Firezone,
a custom identify provider adapter needs to be created in the portal
codebase at this time. The custom IDP adapter created in this commit is
for Okta.

* This commit also includes some additional tests for the Microsoft
Entra IDP adapter. These tests were mistakenly overlooked when finishing
the Entra adapter.

Author: bmanifold

docker-compose.yml

@@ -79,7 +79,7 @@ services:
       DATABASE_USER: postgres
       DATABASE_PASSWORD: postgres
       # Auth
-      AUTH_PROVIDER_ADAPTERS: "email,openid_connect,userpass,token,google_workspace,microsoft_entra"
+      AUTH_PROVIDER_ADAPTERS: "email,openid_connect,userpass,token,google_workspace,microsoft_entra,okta"
       # Secrets
       TOKENS_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
       TOKENS_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"

elixir/apps/domain/lib/domain/auth/adapters.ex

@@ -7,6 +7,7 @@ defmodule Domain.Auth.Adapters do
     openid_connect: Domain.Auth.Adapters.OpenIDConnect,
     google_workspace: Domain.Auth.Adapters.GoogleWorkspace,
     microsoft_entra: Domain.Auth.Adapters.MicrosoftEntra,
+    okta: Domain.Auth.Adapters.Okta,
     userpass: Domain.Auth.Adapters.UserPass
   }
 

elixir/apps/domain/lib/domain/auth/adapters/okta.ex

@@ -0,0 +1,82 @@
+defmodule Domain.Auth.Adapters.Okta do
+  use Supervisor
+  alias Domain.Actors
+  alias Domain.Auth.{Provider, Adapter}
+  alias Domain.Auth.Adapters.OpenIDConnect
+  alias Domain.Auth.Adapters.Okta
+  require Logger
+
+  @behaviour Adapter
+  @behaviour Adapter.IdP
+
+  def start_link(_init_arg) do
+    Supervisor.start_link(__MODULE__, nil, name: __MODULE__)
+  end
+
+  @impl true
+  def init(_init_arg) do
+    children = [
+      Okta.APIClient,
+      {Domain.Jobs, Okta.Jobs}
+    ]
+
+    Supervisor.init(children, strategy: :one_for_one)
+  end
+
+  @impl true
+  def capabilities do
+    [
+      provisioners: [:custom],
+      default_provisioner: :custom,
+      parent_adapter: :openid_connect
+    ]
+  end
+
+  @impl true
+  def identity_changeset(%Provider{} = _provider, %Ecto.Changeset{} = changeset) do
+    changeset
+    |> Domain.Validator.trim_change(:provider_identifier)
+    |> Domain.Validator.copy_change(:provider_virtual_state, :provider_state)
+    |> Ecto.Changeset.put_change(:provider_virtual_state, %{})
+  end
+
+  @impl true
+  def provider_changeset(%Ecto.Changeset{} = changeset) do
+    changeset
+    |> Domain.Changeset.cast_polymorphic_embed(:adapter_config,
+      required: true,
+      with: fn current_attrs, attrs ->
+        Ecto.embedded_load(Okta.Settings, current_attrs, :json)
+        |> Okta.Settings.Changeset.changeset(attrs)
+      end
+    )
+  end
+
+  @impl true
+  def ensure_provisioned(%Provider{} = provider) do
+    {:ok, provider}
+  end
+
+  @impl true
+  def ensure_deprovisioned(%Provider{} = provider) do
+    {:ok, provider}
+  end
+
+  @impl true
+  def sign_out(provider, identity, redirect_url) do
+    OpenIDConnect.sign_out(provider, identity, redirect_url)
+  end
+
+  @impl true
+  def verify_and_update_identity(%Provider{} = provider, payload) do
+    OpenIDConnect.verify_and_update_identity(provider, payload)
+  end
+
+  def verify_and_upsert_identity(%Actors.Actor{} = actor, %Provider{} = provider, payload) do
+    OpenIDConnect.verify_and_upsert_identity(actor, provider, payload)
+  end
+
+  def refresh_access_token(%Provider{} = provider) do
+    OpenIDConnect.refresh_access_token(provider)
+  end
+end

elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex

@@ -0,0 +1,149 @@
+defmodule Domain.Auth.Adapters.Okta.APIClient do
+  use Supervisor
+
+  @pool_name __MODULE__.Finch
+
+  def start_link(_init_arg) do
+    Supervisor.start_link(__MODULE__, nil, name: __MODULE__)
+  end
+
+  @impl true
+  def init(_init_arg) do
+    children = [
+      {Finch,
+       name: @pool_name,
+       pools: %{
+         default: pool_opts()
+       }}
+    ]
+
+    Supervisor.init(children, strategy: :one_for_one)
+  end
+
+  defp pool_opts do
+    transport_opts =
+      Domain.Config.fetch_env!(:domain, __MODULE__)
+      |> Keyword.fetch!(:finch_transport_opts)
+
+    [conn_opts: [transport_opts: transport_opts]]
+  end
+
+  def list_users(endpoint, api_token) do
+    uri =
+      URI.parse("#{endpoint}/api/v1/users")
+      |> URI.append_query(
+        URI.encode_query(%{
+          "limit" => 200
+        })
+      )
+
+    headers = [
+      {"Content-Type", "application/json; okta-response=omitCredentials,omitCredentialsLinks"}
+    ]
+
+    with {:ok, users} <- list_all(uri, headers, api_token) do
+      active_users =
+        Enum.filter(users, fn user ->
+          user["status"] == "ACTIVE"
+        end)
+
+      {:ok, active_users}
+    end
+  end
+
+  def list_groups(endpoint, api_token) do
+    uri =
+      URI.parse("#{endpoint}/api/v1/groups")
+      |> URI.append_query(
+        URI.encode_query(%{
+          "limit" => 200
+        })
+      )
+
+    headers = []
+
+    list_all(uri, headers, api_token)
+  end
+
+  def list_group_members(endpoint, api_token, group_id) do
+    uri =
+      URI.parse("#{endpoint}/api/v1/groups/#{group_id}/users")
+      |> URI.append_query(
+        URI.encode_query(%{
+          "limit" => 200
+        })
+      )
+
+    headers = []
+
+    with {:ok, members} <- list_all(uri, headers, api_token) do
+      enabled_members =
+        Enum.filter(members, fn member ->
+          member["status"] == "ACTIVE"
+        end)
+
+      {:ok, enabled_members}
+    end
+  end
+
+  defp list_all(uri, headers, api_token, acc \\ []) do
+    case list(uri, headers, api_token) do
+      {:ok, list, nil} ->
+        {:ok, List.flatten(Enum.reverse([list | acc]))}
+
+      {:ok, list, next_page_uri} ->
+        URI.parse(next_page_uri)
+        |> list_all(headers, api_token, [list | acc])
+
+      {:error, reason} ->
+        {:error, reason}
+    end
+  end
+
+  defp list(uri, headers, api_token) do
+    headers = headers ++ [{"Authorization", "Bearer #{api_token}"}]
+    request = Finch.build(:get, uri, headers)
+
+    with {:ok, %Finch.Response{headers: headers, body: response, status: status}}
+         when status in 200..299 <- Finch.request(request, @pool_name),
+         {:ok, list} <- Jason.decode(response) do
+      {:ok, list, fetch_next_link(headers)}
+    else
+      {:ok, %Finch.Response{status: status}} when status in 500..599 ->
+        {:error, :retry_later}
+
+      {:ok, %Finch.Response{body: response, status: status}} ->
+        case Jason.decode(response) do
+          {:ok, json_response} ->
+            {:error, {status, json_response}}
+
+          _error ->
+            {:error, {status, response}}
+        end
+
+      :error ->
+        {:ok, [], nil}
+
+      other ->
+        other
+    end
+  end
+
+  defp fetch_next_link(headers) do
+    headers
+    |> Enum.find(fn {name, value} ->
+      name == "link" && String.contains?(value, "rel=\"next\"")
+    end)
+    |> parse_link_header()
+  end
+
+  defp parse_link_header({_name, value}) do
+    [raw_url | _] = String.split(value, ";")
+
+    raw_url
+    |> String.replace_prefix("<", "")
+    |> String.replace_suffix(">", "")
+  end
+
+  defp parse_link_header(nil), do: nil
+end