Add Stored Credentials Support to Okta (#23749)

demisto · Jan 12, 2023 · 02efc27 · 02efc27
1 parent 5911475
commit 02efc27
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 100 deletions.
diff --git a/Packs/Okta/.pack-ignore b/Packs/Okta/.pack-ignore
@@ -2,10 +2,10 @@
 ignore=auto-test
 
 [file:Okta_IAM.yml]
-ignore=IN135,BA108,BA109,IN145
+ignore=IN135,BA108,BA109
 
 [file:Okta_v2.yml]
-ignore=BA108,BA109,IN145
+ignore=BA108,BA109
 
 [file:README.md]
 ignore=RM104,RM106

diff --git a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py
@@ -1,14 +1,11 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
 
-# noqa: F401
-# noqa: F401
-# noqa: F401
-# noqa: F401
+import urllib3
 
 
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 
 '''CONSTANTS'''
 
@@ -918,7 +915,11 @@ def main():
     user_profile = None
     params = demisto.params()
     base_url = urljoin(params['url'].strip('/'), '/api/v1/')
-    token = params.get('apitoken')
+    token = params.get('credentials', {}).get('password', '') or params.get('apitoken', '')
+
+    if not token:
+        raise ValueError('Missing API token.')
+
     mapper_in = params.get('mapper-in')
     mapper_out = params.get('mapper-out')
     verify_certificate = not params.get('insecure', False)

diff --git a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml
@@ -7,10 +7,14 @@ configuration:
   name: url
   required: true
   type: 0
-- display: API Token (see Detailed Instructions)
+- name: credentials
+  type: 9
+  displaypassword: API Token (see detailed instructions)
+  hiddenusername: true
+- display: API Token (See detailed instructions)
   name: apitoken
-  required: true
   type: 4
+  hidden: true
 - display: Trust any certificate (not secure)
   name: insecure
   required: false
@@ -49,52 +53,46 @@ configuration:
   name: mapper-in
   required: true
   type: 0
-- defaultvalue: User Profile - Okta (Outgoing)
+- defaultvalue: 'User Profile - Okta (Outgoing)'
   display: Outgoing Mapper
   name: mapper-out
   required: true
   type: 0
-- defaultvalue: '50'
-  display: Fetch limit (recommended value is less than 200)
+- display: Fetch limit (recommended value is less than 200)
   name: max_fetch
   required: false
   type: 0
+  defaultvalue: '50'
 - display: Fetch incidents
   name: isFetch
   required: false
   type: 8
-- defaultvalue: '1'
-  display: Incidents Fetch Interval
+- display: Incidents Fetch Interval
   name: incidentFetchInterval
   required: false
   type: 19
+  defaultvalue: '1'
 - display: Incident type
   name: incidentType
   required: false
   type: 13
-- additionalinfo: Configure an "IAM - Configuration" incident to specify the Okta
-    apps you wish to sync to XSOAR. Further information about IAM configuration is
-    detailed in the Help (the "?" icon).
-  defaultvalue: 'true'
+- additionalinfo: 'Configure an "IAM - Configuration" incident to specify the Okta apps you wish to sync to XSOAR. Further information about IAM configuration is detailed in the Help (the "?" icon).'
   display: Query only application events configured in IAM Configuration
   name: auto_generate_query_filter
   required: false
   type: 8
-- additionalinfo: 'Use a query filter expression in SCIM format. Note: make sure the
-    "Query only application events configured in IAM Configuration" is unchecked to
-    use this parameter. See the Help (the "?" icon) to learn more about the filter
-    parameter.'
-  display: Fetch Query Filter (Okta system log events)
+  defaultvalue: 'true'
+- display: Fetch Query Filter (Okta system log events)
   name: fetch_query_filter
   required: false
   type: 0
+  additionalinfo: 'Use a query filter expression in SCIM format. Note: make sure the "Query only application events configured in IAM Configuration" is unchecked to use this parameter. See the Help (the "?" icon) to learn more about the filter parameter.'
 - defaultvalue: 0 minutes
   display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
   name: first_fetch
   required: false
   type: 0
-description: Integrate with Okta's Identity Access Management service to execute CRUD
-  operations to employee lifecycle processes.
+description: Integrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes.
 display: Okta IAM
 name: Okta IAM
 script:
@@ -109,8 +107,7 @@ script:
     - auto: PREDEFINED
       default: false
       defaultValue: 'true'
-      description: When set to true, after the command execution the status of the
-        user in the 3rd-party integration will be active.
+      description: When set to true, after the command execution the status of the user in the 3rd-party integration will be active.
       isArray: false
       name: allow-enable
       predefined:
@@ -124,8 +121,7 @@ script:
     name: iam-create-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -164,8 +160,7 @@ script:
     - auto: PREDEFINED
       default: false
       defaultValue: 'true'
-      description: When set to true, after the command execution the status of the
-        user in the 3rd-party integration will be active.
+      description: When set to true, after the command execution the status of the user in the 3rd-party integration will be active.
       isArray: false
       name: allow-enable
       predefined:
@@ -174,14 +169,12 @@ script:
       required: false
       secret: false
     deprecated: false
-    description: Updates an existing user with the data passed in the user-profile
-      argument.
+    description: Updates an existing user with the data passed in the user-profile argument.
     execution: true
     name: iam-update-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -223,8 +216,7 @@ script:
     name: iam-get-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -266,8 +258,7 @@ script:
     name: iam-disable-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -297,8 +288,7 @@ script:
       description: The employee's username in the app.
       type: String
   - deprecated: false
-    description: Retrieves a User Profile schema which holds all of the user fields
-      within the application. Used for outgoing-mapping through the Get Schema option.
+    description: Retrieves a User Profile schema which holds all of the user fields within the application. Used for outgoing-mapping through the Get Schema option.
     execution: false
     name: get-mapping-fields
   - arguments:
@@ -470,35 +460,27 @@ script:
       type: String
   - arguments:
     - default: false
-      description: 'Useful for performing structured queries where constraints on
-        LogEvent attribute values can be explicitly targeted.  The following expressions
-        are supported for events with the filter query parameter: eventType eq " :eventType"
-        -Events that have a specific action; eventType target.id eq ":id" - Events
-        published with a specific target id; actor.id eq ":id"- Events published with
-        a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering'
+      description: 'Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted.  The following expressions are supported for events with the filter query parameter: eventType eq " :eventType" -Events that have a specific action; eventType target.id eq ":id" - Events published with a specific target id; actor.id eq ":id"- Events published with a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering'
       isArray: false
       name: filter
       required: false
       secret: false
     - default: false
-      description: 'Filters the lower time bound of the log events in the Internet
-        Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
+      description: 'Filters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
       isArray: false
       name: since
       required: false
       secret: false
     - default: false
-      description: 'Filters the upper time bound of the log events in the Internet
-        Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
+      description: 'Filters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
       isArray: false
       name: until
       required: false
       secret: false
     - auto: PREDEFINED
       default: false
       defaultValue: ASCENDING
-      description: The order of the returned events. Can be "ASCENDING" or "DESCENDING".
-        The default is "ASCENDING".
+      description: The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING".
       isArray: false
       name: sortOrder
       predefined:
@@ -521,13 +503,10 @@ script:
       description: ID of the actor.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.rawUserAgent
-      description: A raw string representation of user agent, formatted according
-        to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the
-        OS fields can be derived from this field.
+      description: A raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.os
-      description: The operating system on which the client runs. For example, Microsoft
-        Windows 10.
+      description: The operating system on which the client runs. For example, Microsoft Windows 10.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.browser
       description: Identifies the type of web browser, if relevant. For example, Chrome.
@@ -536,23 +515,19 @@ script:
       description: Type of device from which the client operated. For example, Computer.
       type: String
     - contextPath: Okta.Logs.Events.client.id
-      description: For OAuth requests, the ID of the OAuth client making the request.
-        For SSWS token requests, the ID of the agent making the request.
+      description: For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
       type: String
     - contextPath: Okta.Logs.Events.client.ipAddress
       description: IP address from which the client made its request.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.city
-      description: The city encompassing the area containing the geo-location coordinates,
-        if available. For example, Seattle, San Francisco.
+      description: The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.state
-      description: Full name of the state or province encompassing the area containing
-        the geo-location coordinates. For example, Montana, Incheon.
+      description: Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.country
-      description: Full name of the country encompassing the area containing the geo-location
-        coordinates. For example, France, Uganda.
+      description: Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
       type: String
     - contextPath: Okta.Logs.Events.displayMessage
       description: The display message for an event.
@@ -561,8 +536,7 @@ script:
       description: Type of event that was published.
       type: String
     - contextPath: Okta.Logs.Events.outcome.result
-      description: Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or
-        "UNKNOWN".
+      description: Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
       type: String
     - contextPath: Okta.Logs.Events.outcome.reason
       description: Reason for the result. For example, INVALID_CREDENTIALS.
@@ -574,12 +548,10 @@ script:
       description: The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
       type: String
     - contextPath: Okta.Logs.Events.securityContext.asNumber
-      description: Autonomous system number associated with the autonomous system
-        that the event request was sourced to.
+      description: Autonomous system number associated with the autonomous system that the event request was sourced to.
       type: Number
     - contextPath: Okta.Logs.Events.securityContext.asOrg
-      description: Organization associated with the autonomous system that the event
-        request was sourced to.
+      description: Organization associated with the autonomous system that the event request was sourced to.
       type: String
     - contextPath: Okta.Logs.Events.securityContext.isp
       description: Internet service provider used to send the event's request.
@@ -591,16 +563,13 @@ script:
       description: IP address.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.city
-      description: The city encompassing the area containing the geo-location coordinates,
-        if available. For example, Seattle, San Francisco.
+      description: The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.state
-      description: Full name of the state or province encompassing the area containing
-        the geo-location coordinates. For example, Montana, Incheon.
+      description: Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.country
-      description: Full name of the country encompassing the area containing the geo-location
-        coordinates. For example, France, Uganda.
+      description: Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.source
       description: Details regarding the source.
@@ -617,7 +586,7 @@ script:
     - contextPath: Okta.Logs.Events.target.displayName
       description: Display name of a target.
       type: String
-  dockerimage: demisto/python3:3.10.5.31928
+  dockerimage: demisto/python3:3.10.9.42476
   feed: false
   isfetch: true
   longRunning: false

diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
@@ -2,9 +2,11 @@
 from CommonServerPython import *  # noqa: F401
 from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
 
+import urllib3
+
 # IMPORTS
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 
 # CONSTANTS
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
@@ -1305,7 +1307,11 @@ def main():
     """
     # get the service API url
     base_url = urljoin(demisto.params()['url'].strip('/'), '/api/v1/')
-    apitoken = demisto.params().get('apitoken')
+    apitoken = demisto.params().get("credentials", {}).get("password", '') or demisto.params().get('apitoken', '')
+
+    if not apitoken:
+        raise ValueError('Missing API token.')
+
     verify_certificate = not demisto.params().get('insecure', False)
     proxy = demisto.params().get('proxy', False)