okta-openvpn plugin integration

[bbbyerly]

Overview

Integrating Okta MFA into the forked Openvpn docker image used for running Openvpn CE from ECS containers. Latest version of Alpine doesn't support python2 so ported to python3 and revised from https://github.com/jpf/okta-openvpn.

Related Work

• https://github.com/knockaway/knock-infra-env/pull/454 (referencing the rebuilt docker-openvpn docker image with dev instructions)
• https://github.com/knockaway/knock-infra-env/pull/462 (updated networking requirements to support Okta plugin)

Testing

• integration tests

  (venv) bdbyerly@bbyerlys-MacBook-Pro okta % bash run.sh
  pwd
  okta_openvpn-MainProcess[42442]: okta_openvpn: Authenticating username user_MFA_REQUIRED@example.com
  okta_openvpn-MainProcess[42442]: okta_openvpn: User user_MFA_REQUIRED@example.com password validates, checking second factor
  okta_openvpn-MainProcess[42442]: okta_openvpn: factor: {'factorType': 'question', '_links': {'verify': {'href': 'http://mocked-okta-api.herokuapp.com/api/v1/authn/factors/ufsm3jZGDQXPJDEIXZMP/verify', 'hints': {'allow': ['POST']}}}, 'id': 'ufsm3jZGDQXPJDEIXZMP', 'profile': {'question': 'disliked_food', 'questionText': 'What is the food you least like?'}, 'provider': 'OKTA'}
  okta_openvpn-MainProcess[42442]: okta_openvpn: factor: {'factorType': 'token', '_links': {'verify': {'href': 'http://mocked-okta-api.herokuapp.com/api/v1/authn/factors/rsalhpMQVYKHZKXZJQEW/verify', 'hints': {'allow': ['POST']}}}, 'id': 'rsalhpMQVYKHZKXZJQEW', 'profile': {'credentialId': 'isaac@example.org'}, 'provider': 'RSA'}
  okta_openvpn-MainProcess[42442]: okta_openvpn: factor: {'factorType': 'token:software:totp', '_links': {'verify': {'href': 'http://mocked-okta-api.herokuapp.com/api/v1/authn/factors/uftm3iHSGFQXHCUSDAND/verify', 'hints': {'allow': ['POST']}}}, 'id': 'uftm3iHSGFQXHCUSDAND', 'profile': {'credentialId': 'isaac@example.org'}, 'provider': 'GOOGLE'}
  okta_openvpn-MainProcess[42442]: okta_openvpn: factor: {'factorType': 'token:software:totp', '_links': {'verify': {'href': 'http://mocked-okta-api.herokuapp.com/api/v1/authn/factors/ostfm3hPNYSOIOIVTQWY/verify', 'hints': {'allow': ['POST']}}}, 'id': 'ostfm3hPNYSOIOIVTQWY', 'profile': {'credentialId': 'isaac@example.org'}, 'provider': 'OKTA'}
  okta_openvpn-MainProcess[42442]: okta_openvpn: User user_MFA_REQUIRED@example.com is now authenticated with MFA via Okta API

Additional Notes

• unit tests to be added in subsequent CR.
• removed certificate pinning (as per https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning)