Okta conditional access configs (#34566)

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #34533

This is the first sub-task out of several. Changes file will be added in
a subsequent PR.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly **excluded** from GitOps

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added Okta Conditional Access support (IDP, ACS URL, audience,
certificate) and exposed conditional access in AppConfig/API
  * App activity logging for adding/removing Okta conditional access

* **Bug Fixes**
  * Fixed typo in conditional access validation messaging

* **Tests**
* Added tests for Okta Conditional Access lifecycle, license gating, and
GitOps export exclusion

* **Documentation**
  * Added audit-log entries for Okta conditional access add/delete
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: getvictor

cmd/fleetctl/fleetctl/generate_gitops_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/fleetdm/fleet/v4/server/ptr"
 	"github.com/ghodss/yaml"
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v2"
 )
@@ -758,6 +759,56 @@ func TestGeneratedOrgSettingsNoSSO(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestGeneratedOrgSettingsOktaConditionalAccessNotIncluded(t *testing.T) {
+	// Get the test app config.
+	fleetClient := &MockClient{}
+	appConfig, err := fleetClient.GetAppConfig()
+	require.NoError(t, err)
+
+	// Set Okta conditional access fields (these should NOT appear in GitOps output)
+	appConfig.ConditionalAccess = &fleet.ConditionalAccessSettings{
+		MicrosoftEntraTenantID:             "test-tenant-id",
+		MicrosoftEntraConnectionConfigured: true,
+		OktaIDPID:                          optjson.SetString("https://okta.example.com/idp"),
+		OktaAssertionConsumerServiceURL:    optjson.SetString("https://okta.example.com/acs"),
+		OktaAudienceURI:                    optjson.SetString("https://okta.example.com/audience"),
+		OktaCertificate:                    optjson.SetString("-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----"),
+	}
+
+	// Create the command.
+	cmd := &GenerateGitopsCommand{
+		Client:       fleetClient,
+		CLI:          cli.NewContext(&cli.App{}, nil, nil),
+		Messages:     Messages{},
+		FilesToWrite: make(map[string]interface{}),
+		AppConfig:    appConfig,
+	}
+
+	// Generate the org settings.
+	orgSettingsRaw, err := cmd.generateOrgSettings()
+	require.NoError(t, err)
+	require.NotNil(t, orgSettingsRaw)
+	var orgSettings map[string]any
+	b, err := yaml.Marshal(orgSettingsRaw)
+	require.NoError(t, err)
+	err = yaml.Unmarshal(b, &orgSettings)
+	require.NoError(t, err)
+
+	// Verify that conditional_access section does not exist in the output
+	// (Okta configs are not supported in GitOps)
+	_, hasConditionalAccess := orgSettings["conditional_access"]
+	assert.False(t, hasConditionalAccess, "conditional_access section should not be present in GitOps output as Okta configs are not supported")
+
+	// Also verify by checking the YAML string directly
+	yamlStr := string(b)
+	assert.NotContains(t, yamlStr, "okta_idp_id", "Okta IDP ID should not be in GitOps output")
+	assert.NotContains(t, yamlStr, "okta_assertion_consumer_service_url", "Okta ACS URL should not be in GitOps output")
+	assert.NotContains(t, yamlStr, "okta_audience_uri", "Okta Audience URI should not be in GitOps output")
+	assert.NotContains(t, yamlStr, "okta_certificate", "Okta Certificate should not be in GitOps output")
+	assert.NotContains(t, yamlStr, "microsoft_entra_tenant_id", "Microsoft Entra Tenant ID should not be in GitOps output")
+	assert.NotContains(t, yamlStr, "microsoft_entra_connection_configured", "Microsoft Entra connection status should not be in GitOps output")
+}
+
 func TestGenerateOrgSettingsInsecure(t *testing.T) {
 	// Get the test app config.
 	fleetClient := &MockClient{}

cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigJson.json

@@ -41,6 +41,14 @@
       "activity_expiry_enabled": false,
       "activity_expiry_window": 0
     },
+    "conditional_access": {
+      "microsoft_entra_tenant_id": "",
+      "microsoft_entra_connection_configured": false,
+      "okta_idp_id": null,
+      "okta_assertion_consumer_service_url": null,
+      "okta_audience_uri": null,
+      "okta_certificate": null
+    },
     "features": {
       "enable_host_users": true,
       "enable_software_inventory": false

cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerJson.json

@@ -26,6 +26,14 @@
       "activity_expiry_enabled": false,
       "activity_expiry_window": 0
     },
+    "conditional_access": {
+      "microsoft_entra_tenant_id": "",
+      "microsoft_entra_connection_configured": false,
+      "okta_idp_id": null,
+      "okta_assertion_consumer_service_url": null,
+      "okta_audience_uri": null,
+      "okta_certificate": null
+    },
     "features": {
       "enable_host_users": true,
       "enable_software_inventory": false

cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigTeamMaintainerYaml.yml

@@ -10,6 +10,13 @@ spec:
   activity_expiry_settings:
     activity_expiry_enabled: false
     activity_expiry_window: 0
+  conditional_access:
+    microsoft_entra_tenant_id: ""
+    microsoft_entra_connection_configured: false
+    okta_idp_id: null
+    okta_assertion_consumer_service_url: null
+    okta_audience_uri: null
+    okta_certificate: null
   features:
     enable_host_users: true
     enable_software_inventory: false

cmd/fleetctl/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml

@@ -10,6 +10,13 @@ spec:
   activity_expiry_settings:
     activity_expiry_enabled: false
     activity_expiry_window: 0
+  conditional_access:
+    microsoft_entra_tenant_id: ""
+    microsoft_entra_connection_configured: false
+    okta_idp_id: null
+    okta_assertion_consumer_service_url: null
+    okta_audience_uri: null
+    okta_certificate: null
   features:
     enable_host_users: true
     enable_software_inventory: false

cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json

@@ -41,6 +41,14 @@
       "activity_expiry_enabled": false,
       "activity_expiry_window": 0
     },
+    "conditional_access": {
+      "microsoft_entra_tenant_id": "",
+      "microsoft_entra_connection_configured": false,
+      "okta_idp_id": null,
+      "okta_assertion_consumer_service_url": null,
+      "okta_audience_uri": null,
+      "okta_certificate": null
+    },
     "features": {
       "enable_host_users": true,
       "enable_software_inventory": false

cmd/fleetctl/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml

@@ -10,6 +10,13 @@ spec:
   activity_expiry_settings:
     activity_expiry_enabled: false
     activity_expiry_window: 0
+  conditional_access:
+    microsoft_entra_tenant_id: ""
+    microsoft_entra_connection_configured: false
+    okta_idp_id: null
+    okta_assertion_consumer_service_url: null
+    okta_audience_uri: null
+    okta_certificate: null
   features:
     enable_host_users: true
     enable_software_inventory: false

cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml

@@ -13,6 +13,13 @@ spec:
   activity_expiry_settings:
     activity_expiry_enabled: false
     activity_expiry_window: 0
+  conditional_access:
+    microsoft_entra_tenant_id: ""
+    microsoft_entra_connection_configured: false
+    okta_idp_id: null
+    okta_assertion_consumer_service_url: null
+    okta_audience_uri: null
+    okta_certificate: null
   integrations:
     conditional_access_enabled: null
     google_calendar: null

cmd/fleetctl/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml

@@ -13,6 +13,13 @@ spec:
   activity_expiry_settings:
     activity_expiry_enabled: false
     activity_expiry_window: 0
+  conditional_access:
+    microsoft_entra_tenant_id: ""
+    microsoft_entra_connection_configured: false
+    okta_idp_id: null
+    okta_assertion_consumer_service_url: null
+    okta_audience_uri: null
+    okta_certificate: null
   integrations:
     conditional_access_enabled: null
     google_calendar: null

docs/Contributing/reference/audit-logs.md

@@ -2068,6 +2068,18 @@ Generated when Microsoft Entra is integration is disconnected.
 
 This activity does not contain any detail fields.
 
+## added_conditional_access_okta
+
+Generated when Okta is configured or edited for conditional access.
+
+This activity does not contain any detail fields.
+
+## deleted_conditional_access_okta
+
+Generated when Okta conditional access configuration is removed.
+
+This activity does not contain any detail fields.
+
 ## enabled_conditional_access_automations
 
 Generated when conditional access automations are enabled for a team.