Add Okta auth integration

[lukeheath]

Tasks

• [ ] Add an endpoint POST /api/_version_/fleet/mdm/apple/dep_login (@lukeheath to confirm/edit)
• [ ] The endpoint receives email and password those will likely need to be form values, depending on the approach we decide for https://github.com/fleetdm/fleet/issues/10272
• [ ] Validate the credentials provided with Okta using the Resource Owner Password flow. From the prototype:

params := url.Values{
    "username":   []string{email},
    "password":   []string{password},
    "scope":      []string{"openid"},
    "grant_type": []string{"password"},
}
req, err := http.NewRequestWithContext(
    ctx, "POST", OKTA_URL + "/oauth2/default/v1/token",
    strings.NewReader(params.Encode()),
)
if err != nil {
    return nil, err
}

client := http.Client{}
digest := base64.StdEncoding.EncodeToString(OKTA_APP_ID + ":" + OKTA_APP_SECRET)
req.Header.Add("Authorization", "Basic " + digest)
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)

• [ ] If the credentials are valid, Okta returns a 200 OK response, we don't need to store the returned token for now
• [ ] if the credentials are valid, hash and salt the password so we can create a local account in https://github.com/fleetdm/fleet/issues/10273, from the prototype and heavily based on code extracted from micromdm:

type SaltedSHA512PBKDF2Dictionary struct {
    Iterations int    `plist:"iterations"`
    Salt       []byte `plist:"salt"`
    Entropy    []byte `plist:"entropy"`
}

const macKeyLen = 128

// saltedSHA512PBKDF2 creates a SALTED-SHA512-PBKDF2 dictionary
// from a plaintext password.
func saltedSHA512PBKDF2(plaintext string) (int, []byte, []byte, error) {
    salt := make([]byte, 32)
    if _, err := rand.Read(salt); err != nil {
        return 0, nil, nil, err
    }
    iterations, err := secureRandInt(20000, 40000)
    if err != nil {
        return 0, nil, nil, err
    }
    return iterations, salt, pbkdf2.Key([]byte(plaintext), salt, iterations, macKeyLen, sha512.New), nil
}

func secureRandInt(min, max int64) (int, error) {
    var random int
    for {
        iter, err := rand.Int(rand.Reader, big.NewInt(max))
        if err != nil {
            return 0, err
        }
        if iter.Int64() >= min {
            random = int(iter.Int64())
            break
        }
    }
    return random, nil
}

• [ ] generate an uuid
• [ ] save the user, hash, salt, iteration count and uuid in the database, so we can retrieve them by uuid in https://github.com/fleetdm/fleet/issues/10273
• [ ] generate an enrollment profile, but include the uuid as a query parameter for the ServerURL key, this is so https://github.com/fleetdm/fleet/issues/10273 can match the enrollment with the user
• [ ] serve the enrollment profile with content-type: application/x-apple-aspen-config

[lukeheath]

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @roperzh

[noahtalerman]

Here's the MDM command to create Mac user account (admin privileges): https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf#accountconfiguration

[lukeheath]

@roperzh Heads up that we've been asked to defer finishing the Okta integration for now. Please go ahead and finish this issue since it's so close.

[fleet-release]

// Secure password saved // In the clouds of a glass city // Secure in Okta's arms