WireMock

LiveOktaAuthentication is tested with WireMock. If you make changes to that file, you'll likely need to update the WireMock recordings.

Here are the steps to do so:

1. delete all the existing mappings.
2. create a new user in Okta (following the test fields, so name is TEST INTEGRATION and email is [email protected]) curl request:

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS {$actualOktaApiToken}" \
-d '{
  "profile": {
    "firstName": "TEST",
    "lastName": "INTEGRATION",
    "email": "[email protected]",
    "login": "[email protected]",
    "mobilePhone": "999-999-9999"
  }
}' "https://hhs-prime.okta.com/api/v1/users?activate=false"

This should return a user id, you'll want to keep that.

3. Next, you need to activate the user in Okta. (This returns the activation token; it's not the same as the programmatic activation we do in the test.) curl request:

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${actualOktaAiToken}" \
"https://hhs-prime.okta.com/api/v1/users/${userIdFromStep3}/lifecycle/activate?sendEmail=false"

Get the activation token out of the response.

4. Replace the userId and activationToken in LiveOktaAuthenticationTest with the new user id and activation token.

5. Add a call to Thread.sleep(45000) in the resendActivationPasscode success case test. (If there's not a 30 second pause between requests, Okta will throw an error)

6. Replace the static "passcode" in verifyActivationPasscodeSuccessful with the following code:

JSONObject embeddedJson = new JSONObject(factor.getEmbedded());
    String sharedSecret = embeddedJson.getJSONObject("activation").getString("sharedSecret");
    long timeStep = embeddedJson.getJSONObject("activation").getLong("timeStep");

    CodeGenerator codeGenerator = new DefaultCodeGenerator();
    long millisSinceEpoch = Instant.now().toEpochMilli();
    long counter = millisSinceEpoch / 1000 / timeStep;
    String passcode = codeGenerator.generate(sharedSecret, counter);

You will likely also need to add the library to build.gradle and add the imports back in. The gradle build is:

testCompile 'dev.samstevens.totp:totp:1.7.1'

The imports are:

import dev.samstevens.totp.code.CodeGenerator;
import dev.samstevens.totp.code.DefaultCodeGenerator;
import java.time.Instant;

7. Add the Wiremock recording lines back in.

@BeforeAll
   public void startMockServer() throws IOException {
     WireMock.startRecording("https://hhs-prime.okta.com");
   }

 @AfterAll
   public void stopMockServer() throws IOException {
     List<StubMapping> recordedMappings = WireMock.stopRecording().getStubMappings();
   }

The Wiremock imports are as follows:

import com.github.tomakehurst.wiremock.stubbing.StubMapping;
import com.github.tomakehurst.wiremock.client.WireMock;

8. Add the actual okta token to application-default.yaml
9. Run the test! This should pass and generate all the recordings. (There might be a failure around removing/deactivating the user in Okta, you can ignore this. It'll present as some kind of executionException, and it happens because there's no response body for the final user deletion call and WireMock doesn't know how to handle it.)
10. Search in the /mappings folder for the request/response for verifying an activation passcode. Find the success case, and copy/paste that passcode to verifyActivationPasscodeSuccessful (replacing the CodeGenerator from step 7.)
11. Remove the Wiremock recording code, remove the totp import from build.gradle, and remove the call to Thread.sleep.
12. If user deactivation/deletion did fail, delete the user. This can either be done directly in the Okta admin console, or with the following curl requests: deactivate:

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${actualOktaApiToken} \
"https://hhs-prime.okta.com/api/v1/users/${userId}/lifecycle/deactivate?sendEmail=false"

delete (you probably have to run this twice, once to soft-delete and once to hard-delete):

curl -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${actualOktaApiToken}" \
"https://hhs-prime.okta.com/api/v1/users/${userId}?sendEmail=false"

13. Re-run the test and it should pass using the recordings!
14. If you're feeling ambitious and like you have a couple hours to kill, you can categorize and rename the mappings (also possibly strip some of the unnecessary info, like headers in the response.) If you're not feeling ambitious and/or have better things to do, you can apologize to your reviewers for the massive file dump ¯_(ツ)_/¯

The reason for the nonsense with creating/activating/deleting a user on every run of the recording is that there's a test which verifies that a user's password has never been set before. If you just de-activate the user, their previous setPassword information will be kept, and the test will fail.