flypenguin / okta-cli Goto Github PK

for large fetches (eg, 1,000s of users), it fetches everyone first, then displays them (this is nice because you can format the table, and you want to figure out the column widths). it'd be nice to a) show progress, and/or b) have a flag to show immediate results (eg, per page, even if they're not formatted as nicely from page to page).

--output-fields replaces the default fields. it'd be nice to have another flag to add to the default fields.

config list doesn't show which one is the default or the current. config delete crashes when you try to delete something that's not there.

First, thank you so much for creating and maintaining this utility.

I upgraded from a working pip install of 17.3.2 to a pip install of 18.0.0 using pip install --upgrade okta-cli.

After upgrading, running okta-cli returns the following Traceback:

Traceback (most recent call last):
  File "/usr/local/bin/okta-cli", line 5, in <module>
    from oktacli import cli_main
  File "/usr/local/lib/python3.10/site-packages/oktacli/__init__.py", line 1, in <module>
    from .cli import cli_main
  File "/usr/local/lib/python3.10/site-packages/oktacli/cli.py", line 17, in <module>
    from .dotted.collection import DottedDict, DottedCollection
ModuleNotFoundError: No module named 'oktacli.dotted'

Looking at the site-package path, I saw that the dotted folder present in the repository is missing:

ls -lah /usr/local/lib/python3.10/site-packages/oktacli

-rw-r--r--    1 daniel.huckmann  admin    26B Jan 31 15:58 __init__.py
-rw-r--r--    1 daniel.huckmann  admin    70B Jan 31 15:58 __main__.py
drwxr-xr-x    9 daniel.huckmann  admin   288B Jan 31 16:08 __pycache__
-rw-r--r--    1 daniel.huckmann  admin   2.9K Jan 31 15:58 api.py
-rw-r--r--    1 daniel.huckmann  admin    65K Jan 31 16:08 cli.py
-rw-r--r--    1 daniel.huckmann  admin   129B Jan 31 15:58 exceptions.py
-rw-r--r--    1 daniel.huckmann  admin   7.5K Jan 31 15:58 okta.py
-rw-r--r--    1 daniel.huckmann  admin   610B Jan 31 15:58 pwgen.py
-rw-r--r--    1 daniel.huckmann  admin   8.2M Jan 31 15:58 wordlist.sqlite

Copying the dotted folder from the repository into /usr/local/lib/python3.10/site-packages/oktacli corrected the issue.

okta-cli raw logs returns a target which is a JSON array (ie, a Python list), but u can't address it. eg, it'd be nice to request target.0.displayName or target[0].displayName, etc, but this crashes the cli.

Was sure the best way to make a feature request here. What I really need is a ways to auth to Okta to create and admin API with a limited duration from the command line. In this case you could also then have it interact with the config from that id. Or simply print or set that short term key to an env var I could use elsewhere.

I'm trying to use okta-cli to set the value of an array-based attribute in Okta. The code currently assumes string only values for all cli arguments. However, I've been looking into how setting array based value could be implemented:

I managed to modify cli.py to somewhat detect an array if an attribute value starts/end with [ and ]. It is not pretty, but it somewhat works for what needed:

@@ -860,6 +860,9 @@ def apps_getuser(app, user, user_lookup_field, **kwargs):
 def apps_adduser(app, user, user_lookup_field, set_fields, **kwargs):
     """Add a user to an application"""
     appuser = {k: v for k, v in map(lambda x: x.split("=", 1), set_fields)}
+    for k,v in appuser.items():
+        if v.startswith("[") and v.endswith("]"):
+            appuser[k] = v.lstrip("[").rstrip("]").split(",")
     app = _okta_get("apps", app,
                     selector=_selector_field_find("label", app))
     user = _okta_get("users", user,

However, [ and ] characters need to be escaped at the shell level

% okta-cli apps adduser -a 0oado6m4123457Ao0357 -u [email protected] \
-s profile.stringAttribute="String value" \
-s profile.arrayAttribute=\["A","B"\]

However, it would prevent someone from adding an actual string value that starts with a [ into an Okta attribute.

What would be the preferred way to handle a cli parameter value that is an array?

okta-cli raw logs returns un-pretty-printed JSON by default, whereas other commands return a table by default, or the JSON is pretty-printed.

I followed your brew install and received the following error message:

`Last 15 lines from /Users/JohnDoe/Library/Logs/Homebrew/okta-cli/10.python3.10:

note: This error originates from a subprocess, and is likely not a problem with pip.
full command: /opt/homebrew/Cellar/okta-cli/18.0.4/libexec/bin/python /opt/homebrew/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py get_requires_for_build_wheel /private/tmp/tmp7muom6x9
cwd: /private/tmp/okta-cli--PyYAML-20240209-54334-9u4l7i/PyYAML-6.0
Getting requirements to build wheel: finished with status 'error'
error: subprocess-exited-with-error
`

My machine is currently running python version 3.10.13

I wanted to use the cli for bulk-updates, but this requires a csv (or some intermediary file). would something like this be recommended instead? it "works", but a) it's slow (cuz it spawns the cli many times, and it can't reuse the requests.Session(), b) is it good? i'm not much of a shell programmer. it'd be nice to have something more like what you can do in SQL:

update users 
set department = 'New IT' 
where department = 'IT';

again, example use cases would be nice -- how do you use the cli?

okta-cli users list --search 'profile.department eq "IT"' | 
while read id status rest; do 
  echo $id $status $rest
  okta-cli users update $id --set profile.department="New IT" > /dev/null
done

or

okta-cli users list --search 'profile.department eq "IT"' --output-fields id | 
while read id; do 
  okta-cli users update $id --set profile.department="New IT"
done

@flypenguin replied #15 (comment)
yes, this is slow. your idea in q8 was "the right one", unfortunately if i'm correct you hit an Okta limitation. yet okta-cli can still help you ;) . --match filters after downloading the users (i.e. not using the API), in contrast to -f, -s, and -q. so modify your first command in question q8 like this: okta-cli users list --partial --match "profile.department=^IT" (it accepts regexes and needs no quotes IIRC). that should still be much faster than your q7 approach.

--

my follow-up:

i don't understand. plus, if u have 1 million users, it doesn't make sense to fetch all of them in order to update 10 of them

see this comment. if i am correct there should not be any, so maybe it's a bug.

When running the command :

okta-cli users groups -h

The result shows: List all users in a group where it should be saying that it lists all groups belonging to that user

When I run the following:
okta-cli users add --set "[email protected]" --set "[email protected]" --set "firstName=First" --set "lastName=Last"

I get the following error:
ERROR: {"errorCode": "E0000003", "errorSummary": "The request body was not well-formed.", "errorLink": "E0000003", "errorId": "oaewUnkGrYhRWWZKWIxxxx", "errorCauses": []}

This fixes it:
in okta.py
if I add the following line: body_object = { 'profile': body_object } then add_user succeeds.

like so

    def add_user(self, query_params, body_object):
        body_object = { 'profile': body_object }
        body = json.dumps(body_object).encode("utf-8")

then I get a success from the API:

  "status": "PROVISIONED",

Would you like me to create a pull request?

Thanks for the great tool! i've been showing other Okta customers on https://macadmins.slack.com how to use it.

i know this is a lot (esp. in 1 place). hopefully that's ok.

1. okta-cli raw logs returns un-pretty-printed JSON by default, whereas other commands return a table by default, or the JSON is pretty-printed.
2. okta-cli raw logs returns a target which is a JSON array (ie, a Python list), but u can't address it. eg, it'd be nice to request target.0.displayName or target[0].displayName, etc, but this crashes the cli.
3. --output-fields replaces the default fields. it'd be nice to have another flag to add to the default fields.
4. csv crashes when there's only 1 column. i think i figured out the format, but it's not well-documented -- examples would be nice.
5. config list doesn't show which one is the default or the current. config delete crashes when you try to delete something that's not there.
6. for large fetches (eg, 1,000s of users), it fetches everyone first, then displays them (this is nice because you can format the table, and you want to figure out the column widths). it'd be nice to a) show progress, and/or b) have a flag to show immediate results (eg, per page, even if they're not formatted as nicely from page to page).
7. I wanted to use the cli for bulk-updates, but this requires a csv (or some intermediary file). would something like this be recommended instead? it "works", but a) it's slow (cuz it spawns the cli many times, and it can't reuse the requests.Session(), b) is it good? i'm not much of a shell programmer. it'd be nice to have something more like what you can do in SQL: update users set department = 'New IT' where department = 'IT'. again, example use cases would be nice -- how do you use the cli?

okta-cli users list --search 'profile.department eq "IT"' | 
while read id status rest; do 
  echo $id $status $rest
  okta-cli users update $id --set profile.department="New IT" > /dev/null
done

or

okta-cli users list --search 'profile.department eq "IT"' --output-fields id | 
while read id; do 
  okta-cli users update $id --set profile.department="New IT"
done

csv crashes when there's only 1 column. i think i figured out the format, but it's not well-documented -- examples would be nice.

I tried to upgrade my Python version to 3.10.5 and get the following error when running okta-cli list.

class DottedList(DottedCollection, collections.MutableSequence): AttributeError: module 'collections' has no attribute 'MutableSequence'

Does anyone know if Okta-cli can support Python version 3.10.x? Thanks.

The README is missing a few key pieces of information to help me to figure out how the application works. For example, the sample query 'email eq "[email protected]"' doesn't work for me, I think it should be 'profile.email eq "[email protected]"' as per the Okta docs.

I also would like to make it clearer where the config file is stored.