Action appSignOn missing from * okta/policyRuleActions.go#PolicyRuleActions *

[mimatache]

Describe the bug?

When using the client.Policy.ListPolicyRules(ctx, "policyID") the appSignOn attribute is missing from the Go struct, even though it is present in the JSON Response.
Looking at the struct used to return the body, this attribute/tag is missing from the representation:

type PolicyRuleActions struct {
	Enroll                   *PolicyRuleActionsEnroll           `json:"enroll,omitempty"`
	Idp                      *IdpPolicyRuleAction               `json:"idp,omitempty"`
	PasswordChange           *PasswordPolicyRuleAction          `json:"passwordChange,omitempty"`
	SelfServicePasswordReset *PasswordPolicyRuleAction          `json:"selfServicePasswordReset,omitempty"`
	SelfServiceUnlock        *PasswordPolicyRuleAction          `json:"selfServiceUnlock,omitempty"`
	Signon                   *OktaSignOnPolicyRuleSignonActions `json:"signon,omitempty"`
}

What is expected to happen?

I expect the Go structs to match the JSON Response received from the server

What is the actual behavior?

Some fields that are present in the JSON are missing from the Go representation.

Reproduction Steps?

For our case, the issue is present in the Okta Admin Console policy

Additional Information?

No response

Golang Version

go version go1.18 linux/amd64

SDK Version

v2.11.1

OS version

No response

[laura-rodriguez]

Thanks for reporting this @mimatache!

Someone from our team will into it soon.

cc @monde

[monde]

@mimatache we are working on a patch update on our SDKs, I'll see if I can get this in also.

[monde]

@mimatache can you give me a sample of the JSON you are seeing and little bit more of your code? In the API spec that all of our SDKs are generated from there is a AccessPolicyRuleActions with a appSignOn property, see https://github.com/okta/okta-management-openapi-spec/blob/master/resources/spec.yaml#L11756-L11763 . AccessPolicyRuleActions is a child of PolicyRuleActions

Here are the related models that are generated in golang

• https://github.com/okta/okta-sdk-golang/blob/master/okta/policyRule.go
• https://github.com/okta/okta-sdk-golang/blob/master/okta/policyRuleActions.go
• https://github.com/okta/okta-sdk-golang/blob/master/okta/accessPolicyRuleActions.go

I'm wondering if you are missing a casting in your implementation. Something like rule.Actions.(*okta.AccessPolicyRuleActions)

[mimatache]

Hello @monde ,

Glad to see such a quick response from 👍 .

I hope this is all the information you requested

From an API call with Postman to the URI ${orgAccount}/api/v1/policies/${somePolicyID}/rules/${ruleID} I get the following response:

{
    "id": "ruleID",
    "status": "ACTIVE",
    "name": "Admin App Policy",
    "priority": 0,
    "created": "2022-03-25T09:58:52.000Z",
    "lastUpdated": "2022-03-25T09:58:52.000Z",
    "system": false,
    "conditions": {
        "people": {
            "users": {
                "exclude": []
            }
        },
        "network": {
            "connection": "ANYWHERE"
        },
        "userType": {
            "include": [],
            "exclude": []
        }
    },
    "actions": {
        "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "factorMode": "2FA",
                "type": "ASSURANCE",
                "reauthenticateIn": "PT0S",
                "constraints": [
                    {
                        "knowledge": {
                            "types": [
                                "password"
                            ],
                            "reauthenticateIn": "PT43800H"
                        }
                    }
                ]
            }
        }
    },
    "_links": {
        "self": {
            "href": "https://account.okta.com/api/v1/policies/somePolicyID/rules/ruleID",
            "hints": {
                "allow": [
                    "GET",
                    "PUT",
                    "DELETE"
                ]
            }
        },
        "deactivate": {
            "href": "https://account.okta.com/api/v1/policies/somePolicyID/rules/ruleID/lifecycle/deactivate",
            "hints": {
                "allow": [
                    "POST"
                ]
            }
        }
    },
    "type": "ACCESS_POLICY"
}

As for the code, here is a test that gives the same results as the code I am using:

package rule_test

import (
	"context"
	"encoding/json"
	"fmt"
	"testing"

	"github.com/okta/okta-sdk-golang/v2/okta"
)

func Test_GetAccessRule(t *testing.T) {
	_, client, err := okta.NewClient(
		context.TODO(),
		okta.WithOrgUrl("account.okta.com"),
		okta.WithToken("some-long-token"),
	)
	if err != nil {
		t.Fail()
	}
	rls, _, err := client.Policy.ListPolicyRules(context.TODO(), "somePolicyID")
	if err != nil {
		t.Fail()
	}
	data, err := json.MarshalIndent(rls, "", "  ")
	if err != nil {
		t.Fail()
	}
	fmt.Println(string(data))
}

As for the AccessPolicyRule (thank you for pointing it out, I missed it) which uses the correct actions I have not found any usage of it in the library, maybe I missed it, but at least nothing references it.

Let me know if you need anything else from me.

[monde]

Just posting this up for others looking for sample code ...

# see http headers
GODEBUG=http2debug=1 go run main.go
# or
go run main.go

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"

	"github.com/okta/okta-sdk-golang/v2/okta"
	"github.com/okta/okta-sdk-golang/v2/okta/query"
)

func main() {
	_, client, err := okta.NewClient(
		context.TODO(),
		// OKTA_CLIENT_TOKEN set in env
		// OKTA_CLIENT_ORGURL set in env
	)
	if err != nil {
		log.Fatalf("client: %+v\n", err)
	}
	policies, _, err := client.Policy.ListPolicies(context.TODO(), &query.Params{Type: "ACCESS_POLICY"})
	if err != nil {
		log.Fatalf("list policies: %+v\n", err)
	}

	for _, policy := range policies {
		//policy := okta.AccessPolicy(p)
		fmt.Printf("\n================= policy (%T) %s : %s ============\n\n", policy, policy.Id, policy.Name)
		rls, _, err := client.Policy.ListPolicyRules(context.TODO(), policy.Id)
		if err != nil {
			log.Fatalf("list policy rules: %+v\n", err)
		}

        for _, rule := range rls {
			//actions := rule.Actions.(*okta.AccessPolicyRuleActions)
			fmt.Printf("  ---- policy rule (%T) %s : %s : %s ----\n", rule, rule.Id, rule.Type, rule.Name)
			//data, err := json.MarshalIndent(rule.(*okta.AccessPolicyRule).Actions, "", "  ")
			data, err := json.MarshalIndent(rule.Actions, "", "  ")
			if err != nil {
				log.Fatalf("json: %+v\n", err)
			}
			fmt.Println("         action")
			fmt.Printf("         %T\n         %s\n\n", rule.Actions, string(data))
		}
	}
}

[monde]

Ok, @mimatache I had to refresh memory of the architecture of the okta-sdk-golang. Basically, it is half polymorphic (on the write), in that if you created an access policy rule like:

rule := okta.AccessPolicyRule{
    Actions: &okta.AccessPolicyRuleActions {
        AppSignOn: &okta.AccessPolicyRuleApplicationSignOn {
            Access: "some value",
        },
    },
}

you can the call update policy rule with that access policy rule, something like

_, _, err := client.Policy.UpdatePolicyRule(ctx, policyId, ruleId, rule)

It isn't polymorphic on the read, which is what I thought it would do, but can see that it doesn't.
We'd need something where we can hint at the type

rls, _, err := client.Policy.ListPolicyRulesTyped(context.TODO(), "somePolicyID", okta.AccessPolicyRule)

or define ListPolicyRules() on the AccessPolicy model, also.

We are getting ready to update the API spec (and the code generator tooling) that all of the Okta SDK languages use to generate their code. I'm not certain I'll be able to address this issue in v2.11.X of okta-sdk-golang or if it will be addressed in v3.0.0 when we change the way we generate the golang code.

[mimatache]

Thank you for the update. I can probably work around this issue at this point.
Regarding the API spec update and release of v3.0.0, is there a roadmap, or some information which would allow us to get a better understanding of the changes to some?

[monde]

v3 of the Okta API spec will be supported in golang in the next couple of months. I marked the issue with a v3 label and will keep it open to mark that we should address this then. The Okta Java SDK has a beta out now https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-9.0.0-beta so know that this is a high priority in Okta Developer Experience team. My time is getting pulled between all of our golang items, okta-sdk-golang, and the Okta Terraform provider.

[github-actions]

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

[preslavgerchev]

Hi!
I have also recently ran into the same issue with needing the AccessPolicyRule which doesn't seem possible right now via the sdk. Is there any update on when this might be available? For anyone interested, I got around this by accessing the API manually and then using the already defined structs to get the data back:

func fetchAccessPolicyRules(ctx context.Context, policyid, organization, token string) ([]okta.AccessPolicyRule, error) {
	urlPath := fmt.Sprintf("https://%s/api/v1/policies/%s/rules", organization, policyid)
	client := http.Client{}
	req, err := http.NewRequest("GET", urlPath, nil)
	if err != nil {
		return []okta.AccessPolicyRule{}, err
	}
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", fmt.Sprintf("SSWS %s", token))
	resp, err := client.Do(req)
	if err != nil {
		return []okta.AccessPolicyRule{}, err
	}
	defer resp.Body.Close()

	if resp.StatusCode != 200 {
		return []okta.AccessPolicyRule{}, errors.New("failed to fetch access policy rules from " + urlPath + ": " + resp.Status)
	}

	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return []okta.AccessPolicyRule{}, err
	}
	result := []okta.AccessPolicyRule{}
	err = json.Unmarshal(raw, &result)
	return result, err
}