Generate custom x509 certificate in Okta

* Requires an API token with admin access, at least for the target app

Obtain the app name & label using the app ID

curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://[okta_instance].okta.com/api/v1/apps/[app_id]"

Generate the custom certificate and capture the 'kid' value from the response

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
}' "https://[okta_instance].okta.com/api/v1/apps/[app_id]/credentials/keys/generate?validityYears=[number]"

Inject the custom certificate into the app

curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "[app_name]",
  "label": "[app_label]",
  "signOnMode": "SAML_2_0",
  "credentials": {
    "signing": {
      "kid": "[kid]"
    }
  }
}' "https://[okta_instance].okta.com/api/v1/apps/[app_id]"
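The three calls above chained into one script, as an added example that is not part of the original notes and uses only the Python standard library. The OKTA_INSTANCE, OKTA_API_TOKEN and OKTA_APP_ID environment variables, the function names and the 2-year validity in the main block are assumptions; the endpoints and payload shape are the ones from the notes.

```python
import json
import os
import urllib.request


def okta_request(base_url, token, path, method="GET", body=None):
    """Send one SSWS-authenticated JSON request to Okta and decode the reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{base_url}{path}", data=data, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"SSWS {token}")  # token read from the environment, never hard-coded
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def build_signing_payload(app, kid):
    """PUT replaces the app object, so carry over name/label/signOnMode from the
    GET response and set only credentials.signing.kid to the newly generated key."""
    return {
        "name": app["name"],
        "label": app["label"],
        "signOnMode": app["signOnMode"],
        "credentials": {"signing": {"kid": kid}},
    }


def rotate_signing_cert(base_url, token, app_id, validity_years):
    """Steps 1-3 from the notes: read the app, generate a key, update the app."""
    app = okta_request(base_url, token, f"/api/v1/apps/{app_id}")
    key = okta_request(
        base_url, token,
        f"/api/v1/apps/{app_id}/credentials/keys/generate?validityYears={validity_years}",
        method="POST", body={},
    )
    payload = build_signing_payload(app, key["kid"])
    return okta_request(base_url, token, f"/api/v1/apps/{app_id}", method="PUT", body=payload)


if __name__ == "__main__":
    # Assumed environment variables (not from the notes): OKTA_INSTANCE, OKTA_API_TOKEN, OKTA_APP_ID.
    base = f"https://{os.environ['OKTA_INSTANCE']}.okta.com"
    updated = rotate_signing_cert(base, os.environ["OKTA_API_TOKEN"], os.environ["OKTA_APP_ID"], 2)
    print("app now signs with kid:", updated["credentials"]["signing"]["kid"])
```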

Selenium test with docker-compose

For when you use Selenium standalone during tests.

docker-compose YAML

version: '3'
services:
  test:
    depends_on:
      - selenium
    environment:
      - E2ETEST_HOST=test
      - SELENIUM_PORT=4444
      - SELENIUM_HOST=selenium
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - 80
      - 443
    command: run_test.sh
  selenium:
    image: selenium/standalone-chrome
    ports:
      - 4444

nightwatch config sample

"test_settings": {
    "default": {
        "selenium_port"  : parseInt(process.env.SELENIUM_PORT) || 4444,
        "selenium_host"  : process.env.SELENIUM_HOST,
        "silent": true,
        "desiredCapabilities": {
            "browserName": "chrome",
            "javascriptEnabled": true,
            "acceptSslCerts": true,
            "chromeOptions" : {
                "args" : ["--no-sandbox"]
            }
        }
    }
}

run_test.sh

docker-compose down
docker-compose up --force-recreate --build --abort-on-container-exit --exit-code-from test test

AWS KMS – two-liners

For binary encrypted output:

aws kms encrypt --region ap-southeast-2 --key-id alias/blah --plaintext fileb://blah --output text --query CiphertextBlob | base64 --decode > blah.enc
aws kms decrypt --ciphertext-blob fileb://blah.enc --output text --query Plaintext | base64 --decode

For base64 encrypted output:

aws kms encrypt --region ap-southeast-2 --key-id alias/blah --plaintext fileb://blah --output text --query CiphertextBlob > blah.enc
aws kms decrypt --ciphertext-blob fileb://<(cat blah.enc | base64 --decode) --output text --query Plaintext | base64 --decode

or try:
https://github.com/realestate-com-au/shush

Curl net performance test

Print out the CloudFront X-Amz-Cf-Id when the response time is slower than a set threshold.

#!/bin/bash

# strip the CRLF from header lines so the header value does not carry a trailing \r
output=($(curl -I -s -w "Time: %{time_total}\n" http://cf_url.here | tr -d '\r' | grep -e X-Amz-Cf-Id -e Time | awk '{print $2}'))

id=${output[0]}
time=${output[1]}
compare=0.01

if (( $(echo "$time > $compare" | bc -l) )); then
    echo "$time - $id" >> test_results.txt
fi

Small variation (unrelated to CF)

#!/bin/bash
while :
do
output=($(curl -o /dev/null -s -w "time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_appconnect: %{time_appconnect}\ntime_pretransfer: %{time_pretransfer}\ntime_redirect: %{time_redirect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" http://services.realestate.com.au/services/listings/120542701 | grep time_ | awk '{print $2}'))

time_namelookup=${output[0]}
time_connect=${output[1]}
time_appconnect=${output[2]}
time_pretransfer=${output[3]}
time_redirect=${output[4]}
time_starttransfer=${output[5]}
time_total=${output[6]}
compare=0.1

if (( $(echo "$time_total > $compare" | bc -l) )); then
    echo "$time_namelookup,$time_connect,$time_appconnect,$time_pretransfer,$time_redirect,$time_starttransfer,$time_total" >> test_results.txt
fi
sleep 1
done