From e53f8ecbec06ca9456f14c449cbd5ea7da2eda0b Mon Sep 17 00:00:00 2001
From: Dylan Azucena
Date: Thu, 15 Aug 2019 10:29:13 -0400
Subject: [PATCH] Add okta auth method and tests
---
 lib/vault/api/auth.rb | 22 ++++++++++++++++++++++
 spec/unit/auth_spec.rb | 12 +++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/lib/vault/api/auth.rb b/lib/vault/api/auth.rb
index 156c1945..462dc266 100644
--- a/lib/vault/api/auth.rb
+++ b/lib/vault/api/auth.rb
@@ -267,6 +267,28 @@ def gcp(role, jwt, path = 'gcp')
 return secret
 end
 
+ # Authenticate via the okta authentication method. If authentication
+ # is successful, the resulting token will be stored on the client and used
+ # for future requests.
+ #
+ # @example
+ # Vault.auth.okta("sethvargo", "s3kr3t") #=> #
+ #
+ # @param [String] username
+ # @param [String] password
+ # @param [Hash] options
+ # additional options to pass to the authentication call, such as a custom
+ # mount point
+ #
+ # @return [Secret]
+ def okta(username, password, options = {})
+ payload = { password: password }.merge(options)
+ json = client.post("/v1/auth/okta/login/#{encode_path(username)}", JSON.fast_generate(payload))
+ secret = Secret.decode(json)
+ client.token = secret.auth.client_token
+ return secret
+ end
+
 # Authenticate via a TLS authentication method. If authentication is
 # successful, the resulting token will be stored on the client and used
 # for future requests.
diff --git a/spec/unit/auth_spec.rb b/spec/unit/auth_spec.rb
index 74b0f63f..76bd3388 100644
--- a/spec/unit/auth_spec.rb
+++ b/spec/unit/auth_spec.rb
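Review bot: The doc comment on `okta` says `options` can carry a custom mount point, but the request path is fixed at `/v1/auth/okta/login/...`, so anything in `options` is only sent as a JSON body field and the login always goes to the default `okta` mount. Either take the mount as a parameter the way `gcp(role, jwt, path = 'gcp')` in the hunk header does, or reword the comment to `# additional fields to send in the login request body`. Separately, `{ password: password }.merge(options)` lets a `:password` key in `options` replace the positional argument; `payload = options.merge(password: password)` keeps the explicit credential authoritative.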
@@ -2,7 +2,17 @@ module Vault describe Authenticate do - let(:auth) { Authenticate.new(client: nil) } + let(:client) { double('client') } + let(:auth) { Authenticate.new(client) } + + describe '#okta' do + it 'authenticates with Okta auth method' do + allow(client).to receive(:post).with('/v1/auth/okta/login/user1', {password: 'secure'}.to_json) { {auth: {client_token: 'abcd-1234'}} } + allow(client).to receive(:token=) + expect(auth.okta('user1', 'secure').auth.client_token).to eq('abcd-1234') + end + end + describe "#region_from_sts_endpoint" do subject { auth.send(:region_from_sts_endpoint, sts_endpoint) }
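Review bot: The `#okta` example stubs the setter with `allow(client).to receive(:token=)` but never asserts on it, so the spec would still pass if `okta` stopped storing the token on the client, which is the behaviour the method's doc comment promises. After the call, add `expect(client).to have_received(:token=).with('abcd-1234')`. An example that passes `options` and one with a username that needs path encoding would cover the rest of the new method. The `describe Authenticate` block continues outside the hunk.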