From 02efc278fc879e5e1dce7b58d876bb99e825e0d3 Mon Sep 17 00:00:00 2001
From: Michael Yochpaz <8832013+MichaelYochpaz@users.noreply.github.com>
Date: Thu, 12 Jan 2023 13:48:07 +0200
Subject: [PATCH] Add Stored Credentials Support to Okta (#23749)

---
 Packs/Okta/.pack-ignore                       |   4 +-
 Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py  |  13 +-
 Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml | 113 +++++++-----------
 Packs/Okta/Integrations/Okta_v2/Okta_v2.py    |  10 +-
 Packs/Okta/Integrations/Okta_v2/Okta_v2.yml   |  27 ++---
 Packs/Okta/ReleaseNotes/3_1_2.md              |   8 ++
 Packs/Okta/pack_metadata.json                 |   2 +-
 7 files changed, 77 insertions(+), 100 deletions(-)
 create mode 100644 Packs/Okta/ReleaseNotes/3_1_2.md

diff --git a/Packs/Okta/.pack-ignore b/Packs/Okta/.pack-ignore
index aa638d751b36..71b79b6d7678 100644
--- a/Packs/Okta/.pack-ignore
+++ b/Packs/Okta/.pack-ignore
@@ -2,10 +2,10 @@
 ignore=auto-test
 
 [file:Okta_IAM.yml]
-ignore=IN135,BA108,BA109,IN145
+ignore=IN135,BA108,BA109
 
 [file:Okta_v2.yml]
-ignore=BA108,BA109,IN145
+ignore=BA108,BA109
 
 [file:README.md]
 ignore=RM104,RM106
diff --git a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py
index d8e53a5b8410..dc8a52f59247 100644
--- a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py
+++ b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.py
@@ -1,14 +1,11 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
 
-# noqa: F401
-# noqa: F401
-# noqa: F401
-# noqa: F401
+import urllib3
 
 
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 
 '''CONSTANTS'''
 
@@ -918,7 +915,11 @@ def main():
     user_profile = None
     params = demisto.params()
     base_url = urljoin(params['url'].strip('/'), '/api/v1/')
-    token = params.get('apitoken')
+    token = params.get('credentials', {}).get('password', '') or params.get('apitoken', '')
+
+    if not token:
+        raise ValueError('Missing API token.')
+
     mapper_in = params.get('mapper-in')
     mapper_out = params.get('mapper-out')
     verify_certificate = not params.get('insecure', False)
diff --git a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml
index 29b5e3e32521..0144f3d65ad9 100644
--- a/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml
+++ b/Packs/Okta/Integrations/Okta_IAM/Okta_IAM.yml
@@ -7,10 +7,14 @@ configuration:
   name: url
   required: true
   type: 0
-- display: API Token (see Detailed Instructions)
+- name: credentials
+  type: 9
+  displaypassword: API Token (see detailed instructions)
+  hiddenusername: true
+- display: API Token (See detailed instructions)
   name: apitoken
-  required: true
   type: 4
+  hidden: true
 - display: Trust any certificate (not secure)
   name: insecure
   required: false
@@ -49,52 +53,46 @@ configuration:
   name: mapper-in
   required: true
   type: 0
-- defaultvalue: User Profile - Okta (Outgoing)
+- defaultvalue: 'User Profile - Okta (Outgoing)'
   display: Outgoing Mapper
   name: mapper-out
   required: true
   type: 0
-- defaultvalue: '50'
-  display: Fetch limit (recommended value is less than 200)
+- display: Fetch limit (recommended value is less than 200)
   name: max_fetch
   required: false
   type: 0
+  defaultvalue: '50'
 - display: Fetch incidents
   name: isFetch
   required: false
   type: 8
-- defaultvalue: '1'
-  display: Incidents Fetch Interval
+- display: Incidents Fetch Interval
   name: incidentFetchInterval
   required: false
   type: 19
+  defaultvalue: '1'
 - display: Incident type
   name: incidentType
   required: false
   type: 13
-- additionalinfo: Configure an "IAM - Configuration" incident to specify the Okta
-    apps you wish to sync to XSOAR. Further information about IAM configuration is
-    detailed in the Help (the "?" icon).
-  defaultvalue: 'true'
+- additionalinfo: 'Configure an "IAM - Configuration" incident to specify the Okta apps you wish to sync to XSOAR. Further information about IAM configuration is detailed in the Help (the "?" icon).'
   display: Query only application events configured in IAM Configuration
   name: auto_generate_query_filter
   required: false
   type: 8
-- additionalinfo: 'Use a query filter expression in SCIM format. Note: make sure the
-    "Query only application events configured in IAM Configuration" is unchecked to
-    use this parameter. See the Help (the "?" icon) to learn more about the filter
-    parameter.'
-  display: Fetch Query Filter (Okta system log events)
+  defaultvalue: 'true'
+- display: Fetch Query Filter (Okta system log events)
   name: fetch_query_filter
   required: false
   type: 0
+  additionalinfo: 'Use a query filter expression in SCIM format. Note: make sure the "Query only application events configured in IAM Configuration" is unchecked to use this parameter. See the Help (the "?" icon) to learn more about the filter parameter.'
 - defaultvalue: 0 minutes
   display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
   name: first_fetch
   required: false
   type: 0
-description: Integrate with Okta's Identity Access Management service to execute CRUD
-  operations to employee lifecycle processes.
+description: Integrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes.
 display: Okta IAM
 name: Okta IAM
 script:
@@ -109,8 +107,7 @@ script:
     - auto: PREDEFINED
       default: false
       defaultValue: 'true'
-      description: When set to true, after the command execution the status of the
-        user in the 3rd-party integration will be active.
+      description: When set to true, after the command execution the status of the user in the 3rd-party integration will be active.
       isArray: false
       name: allow-enable
       predefined:
@@ -124,8 +121,7 @@ script:
     name: iam-create-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -164,8 +160,7 @@ script:
     - auto: PREDEFINED
       default: false
       defaultValue: 'true'
-      description: When set to true, after the command execution the status of the
-        user in the 3rd-party integration will be active.
+      description: When set to true, after the command execution the status of the user in the 3rd-party integration will be active.
       isArray: false
       name: allow-enable
       predefined:
@@ -174,14 +169,12 @@ script:
       required: false
       secret: false
     deprecated: false
-    description: Updates an existing user with the data passed in the user-profile
-      argument.
+    description: Updates an existing user with the data passed in the user-profile argument.
     execution: true
     name: iam-update-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -223,8 +216,7 @@ script:
     name: iam-get-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -266,8 +258,7 @@ script:
     name: iam-disable-user
     outputs:
     - contextPath: IAM.Vendor.active
-      description: When true, indicates that the employee's status is active in the
-        3rd-party integration.
+      description: When true, indicates that the employee's status is active in the 3rd-party integration.
       type: Boolean
     - contextPath: IAM.Vendor.brand
       description: Name of the integration.
@@ -297,8 +288,7 @@ script:
       description: The employee's username in the app.
       type: String
   - deprecated: false
-    description: Retrieves a User Profile schema which holds all of the user fields
-      within the application. Used for outgoing-mapping through the Get Schema option.
+    description: Retrieves a User Profile schema which holds all of the user fields within the application. Used for outgoing-mapping through the Get Schema option.
     execution: false
     name: get-mapping-fields
   - arguments:
@@ -470,26 +460,19 @@ script:
       type: String
   - arguments:
     - default: false
-      description: 'Useful for performing structured queries where constraints on
-        LogEvent attribute values can be explicitly targeted.  The following expressions
-        are supported for events with the filter query parameter: eventType eq " :eventType"
-        -Events that have a specific action; eventType target.id eq ":id" - Events
-        published with a specific target id; actor.id eq ":id"- Events published with
-        a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering'
+      description: 'Useful for performing structured queries where constraints on LogEvent attribute values can be explicitly targeted.  The following expressions are supported for events with the filter query parameter: eventType eq " :eventType" -Events that have a specific action; eventType target.id eq ":id" - Events published with a specific target id; actor.id eq ":id"- Events published with a specific actor ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering'
       isArray: false
       name: filter
       required: false
       secret: false
     - default: false
-      description: 'Filters the lower time bound of the log events in the Internet
-        Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
+      description: 'Filters the lower time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
       isArray: false
       name: since
       required: false
       secret: false
     - default: false
-      description: 'Filters the upper time bound of the log events in the Internet
-        Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
+      description: 'Filters the upper time bound of the log events in the Internet Date/Time Format profile of ISO 8601. For example: 2017-05-03T16:22:18Z.'
       isArray: false
       name: until
       required: false
@@ -497,8 +480,7 @@ script:
     - auto: PREDEFINED
       default: false
       defaultValue: ASCENDING
-      description: The order of the returned events. Can be "ASCENDING" or "DESCENDING".
-        The default is "ASCENDING".
+      description: The order of the returned events. Can be "ASCENDING" or "DESCENDING". The default is "ASCENDING".
       isArray: false
       name: sortOrder
       predefined:
@@ -521,13 +503,10 @@ script:
       description: ID of the actor.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.rawUserAgent
-      description: A raw string representation of user agent, formatted according
-        to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the
-        OS fields can be derived from this field.
+      description: A raw string representation of user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.os
-      description: The operating system on which the client runs. For example, Microsoft
-        Windows 10.
+      description: The operating system on which the client runs. For example, Microsoft Windows 10.
       type: String
     - contextPath: Okta.Logs.Events.client.userAgent.browser
       description: Identifies the type of web browser, if relevant. For example, Chrome.
@@ -536,23 +515,19 @@ script:
       description: Type of device from which the client operated. For example, Computer.
       type: String
     - contextPath: Okta.Logs.Events.client.id
-      description: For OAuth requests, the ID of the OAuth client making the request.
-        For SSWS token requests, the ID of the agent making the request.
+      description: For OAuth requests, the ID of the OAuth client making the request. For SSWS token requests, the ID of the agent making the request.
       type: String
     - contextPath: Okta.Logs.Events.client.ipAddress
       description: IP address from which the client made its request.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.city
-      description: The city encompassing the area containing the geo-location coordinates,
-        if available. For example, Seattle, San Francisco.
+      description: The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.state
-      description: Full name of the state or province encompassing the area containing
-        the geo-location coordinates. For example, Montana, Incheon.
+      description: Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
       type: String
     - contextPath: Okta.Logs.Events.client.geographicalContext.country
-      description: Full name of the country encompassing the area containing the geo-location
-        coordinates. For example, France, Uganda.
+      description: Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
       type: String
     - contextPath: Okta.Logs.Events.displayMessage
       description: The display message for an event.
@@ -561,8 +536,7 @@ script:
       description: Type of event that was published.
       type: String
     - contextPath: Okta.Logs.Events.outcome.result
-      description: Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or
-        "UNKNOWN".
+      description: Result of the action. Can be "SUCCESS", "FAILURE", "SKIPPED", or "UNKNOWN".
       type: String
     - contextPath: Okta.Logs.Events.outcome.reason
       description: Reason for the result. For example, INVALID_CREDENTIALS.
@@ -574,12 +548,10 @@ script:
       description: The event severity. Can be "DEBUG", "INFO", "WARN", or "ERROR".
       type: String
     - contextPath: Okta.Logs.Events.securityContext.asNumber
-      description: Autonomous system number associated with the autonomous system
-        that the event request was sourced to.
+      description: Autonomous system number associated with the autonomous system that the event request was sourced to.
       type: Number
     - contextPath: Okta.Logs.Events.securityContext.asOrg
-      description: Organization associated with the autonomous system that the event
-        request was sourced to.
+      description: Organization associated with the autonomous system that the event request was sourced to.
       type: String
     - contextPath: Okta.Logs.Events.securityContext.isp
       description: Internet service provider used to send the event's request.
@@ -591,16 +563,13 @@ script:
       description: IP address.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.city
-      description: The city encompassing the area containing the geo-location coordinates,
-        if available. For example, Seattle, San Francisco.
+      description: The city encompassing the area containing the geo-location coordinates, if available. For example, Seattle, San Francisco.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.state
-      description: Full name of the state or province encompassing the area containing
-        the geo-location coordinates. For example, Montana, Incheon.
+      description: Full name of the state or province encompassing the area containing the geo-location coordinates. For example, Montana, Incheon.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.geographicalContext.country
-      description: Full name of the country encompassing the area containing the geo-location
-        coordinates. For example, France, Uganda.
+      description: Full name of the country encompassing the area containing the geo-location coordinates. For example, France, Uganda.
       type: String
     - contextPath: Okta.Logs.Events.request.ipChain.source
       description: Details regarding the source.
@@ -617,7 +586,7 @@ script:
     - contextPath: Okta.Logs.Events.target.displayName
       description: Display name of a target.
       type: String
-  dockerimage: demisto/python3:3.10.5.31928
+  dockerimage: demisto/python3:3.10.9.42476
   feed: false
   isfetch: true
   longRunning: false
diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
index 29ec9e6adf79..eaf141c6c182 100644
--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
+++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
@@ -2,9 +2,11 @@
 from CommonServerPython import *  # noqa: F401
 from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
 
+import urllib3
+
 # IMPORTS
 # Disable insecure warnings
-requests.packages.urllib3.disable_warnings()
+urllib3.disable_warnings()
 
 # CONSTANTS
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
@@ -1305,7 +1307,11 @@ def main():
     """
     # get the service API url
     base_url = urljoin(demisto.params()['url'].strip('/'), '/api/v1/')
-    apitoken = demisto.params().get('apitoken')
+    apitoken = demisto.params().get("credentials", {}).get("password", '') or demisto.params().get('apitoken', '')
+
+    if not apitoken:
+        raise ValueError('Missing API token.')
+
     verify_certificate = not demisto.params().get('insecure', False)
     proxy = demisto.params().get('proxy', False)
 
diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml
index ac160a57588d..bf7f3a200aab 100644
--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml
+++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml
@@ -7,10 +7,14 @@ configuration:
   name: url
   required: true
   type: 0
-- display: API Token (see Detailed Instructions)
+- name: credentials
+  type: 9
+  displaypassword: API Token (see detailed instructions)
+  hiddenusername: true
+- display: API Token (see detailed instructions)
   name: apitoken
-  required: true
   type: 4
+  hidden: true
 - display: Trust any certificate (not secure)
   name: insecure
   required: false
@@ -398,10 +402,7 @@ script:
     deprecated: false
     execution: false
   - arguments:
-    - description: "The cursor in which to retrive the results from and on.\
-        \ if the query didn't reach the end of results,\
-        \ the tag can be obtained from the bottom of the grid in the readable output,\
-        \ or in the context path Okta.User.tag."
+    - description: "The cursor in which to retrive the results from and on. if the query didn't reach the end of results, the tag can be obtained from the bottom of the grid in the readable output, or in the context path Okta.User.tag."
       name: after
     - description: The maximum number of results to return, the default is 200.
       name: limit
@@ -423,15 +424,7 @@ script:
       secret: false
     - description: Searches the name property of groups for matching values.
       name: query
-    - description: "Useful for performing structured queries where constraints on\
-        \ group attribute values can be explicitly targeted. \nThe following expressions\
-        \ are supported(among others) for groups with the filter query parameter:\
-        \ \ntype eq \"OKTA_GROUP\" - Groups that have a type of OKTA_GROUP; lastUpdated\
-        \ lt \"yyyy-MM-dd''T''HH:mm:ss.SSSZ\" - Groups with profile last updated before\
-        \ a specific timestamp; lastMembershipUpdated eq \"yyyy-MM-dd''T''HH:mm:ss.SSSZ\"\
-        \ - Groups with memberships last updated at a specific timestamp; id eq \"\
-        00g1emaKYZTWRYYRRTSK\" - Group with a specified ID. For more information about\
-        \ filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering"
+    - description: "Useful for performing structured queries where constraints on group attribute values can be explicitly targeted. \nThe following expressions are supported (among others) for groups with the filter query parameter: \ntype eq \"OKTA_GROUP\" - Groups that have a type of OKTA_GROUP; lastUpdated lt \"yyyy-MM-dd''T''HH:mm:ss.SSSZ\" - Groups with profile last updated before a specific timestamp; lastMembershipUpdated eq \"yyyy-MM-dd''T''HH:mm:ss.SSSZ\" - Groups with memberships last updated at a specific timestamp; id eq \"00g1emaKYZTWRYYRRTSK\" - Group with a specified ID. For more information about filtering, visit https://developer.okta.com/docs/api/getting_started/design_principles#filtering"
       name: filter
     description: Lists users in your organization.
     name: okta-list-users
@@ -464,7 +457,7 @@ script:
       description: Timestamp for when the user's password was last changed.
       type: Date
     - contextPath: Okta.User.tag
-      description: The location of the next item, used with after param. 
+      description: The location of the next item, used with after param.
       type: String
     deprecated: false
     execution: false
@@ -2015,7 +2008,7 @@ script:
     name: okta-assign-group-to-app
     deprecated: false
     execution: false
-  dockerimage: demisto/python3:3.10.7.33922
+  dockerimage: demisto/python3:3.10.9.42476
   runonce: false
   script: '-'
   subtype: python3
diff --git a/Packs/Okta/ReleaseNotes/3_1_2.md b/Packs/Okta/ReleaseNotes/3_1_2.md
new file mode 100644
index 000000000000..296ee22fbfcc
--- /dev/null
+++ b/Packs/Okta/ReleaseNotes/3_1_2.md
@@ -0,0 +1,8 @@
+
+#### Integrations
+##### Okta v2
+- Added support for fetching stored credentials for the *API Token* parameter.
+- Updated the Docker image to: *demisto/python3:3.10.9.42476*.
+##### Okta IAM
+- Added support for fetching stored credentials for the *API Token* parameter.
+- Updated the Docker image to: *demisto/python3:3.10.9.42476*.
diff --git a/Packs/Okta/pack_metadata.json b/Packs/Okta/pack_metadata.json
index 4040ce2ebc0c..fe6b29042de0 100644
--- a/Packs/Okta/pack_metadata.json
+++ b/Packs/Okta/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Okta",
     "description": "Integration with Okta's cloud-based identity management service.",
     "support": "xsoar",
-    "currentVersion": "3.1.1",
+    "currentVersion": "3.1.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",