From ada03ba0a184e2dec933b9aeb7350865785be313 Mon Sep 17 00:00:00 2001 From: Brian Joerger Date: Wed, 30 Oct 2024 11:32:17 -0700 Subject: [PATCH 1/2] Replace NewCLIPromptV2. (#47927) --- lib/client/mfa.go | 2 +- lib/client/mfa/cli.go | 25 ++++++++----------------- lib/client/mfa/cli_test.go | 23 +++++++++++++++-------- lib/client/mfa_test.go | 2 +- tool/tctl/common/admin_action_test.go | 2 +- tool/tctl/common/tctl.go | 2 +- 6 files changed, 27 insertions(+), 29 deletions(-) diff --git a/lib/client/mfa.go b/lib/client/mfa.go index 9f8860db3472a..f969a411a4042 100644 --- a/lib/client/mfa.go +++ b/lib/client/mfa.go @@ -34,7 +34,7 @@ type WebauthnLoginFunc = libmfa.WebauthnLoginFunc func (tc *TeleportClient) NewMFAPrompt(opts ...mfa.PromptOpt) mfa.Prompt { cfg := tc.newPromptConfig(opts...) - var prompt mfa.Prompt = libmfa.NewCLIPromptV2(&libmfa.CLIPromptConfig{ + var prompt mfa.Prompt = libmfa.NewCLIPrompt(&libmfa.CLIPromptConfig{ PromptConfig: *cfg, Writer: tc.Stderr, PreferOTP: tc.PreferOTP, diff --git a/lib/client/mfa/cli.go b/lib/client/mfa/cli.go index a5e4cc8f26178..40127b314e06d 100644 --- a/lib/client/mfa/cli.go +++ b/lib/client/mfa/cli.go @@ -61,23 +61,8 @@ type CLIPrompt struct { cfg CLIPromptConfig } -// NewCLIPrompt returns a new CLI mfa prompt with the config and writer. -// TODO(Joerger): Delete once /e is no longer dependent on it. -func NewCLIPrompt(cfg *PromptConfig, writer io.Writer) *CLIPrompt { - // If no config is provided, use defaults (zero value). - if cfg == nil { - cfg = new(PromptConfig) - } - return NewCLIPromptV2(&CLIPromptConfig{ - PromptConfig: *cfg, - Writer: writer, - }) -} - -// NewCLIPromptV2 returns a new CLI mfa prompt with the given config. -// TODO(Joerger): this is V2 because /e depends on a different function -// signature for NewCLIPrompt, so this requires a couple follow up PRs to fix. -func NewCLIPromptV2(cfg *CLIPromptConfig) *CLIPrompt { +// NewCLIPrompt returns a new CLI mfa prompt with the given config. +func NewCLIPrompt(cfg *CLIPromptConfig) *CLIPrompt { // If no config is provided, use defaults (zero value). if cfg == nil { cfg = new(CLIPromptConfig) @@ -87,6 +72,12 @@ func NewCLIPromptV2(cfg *CLIPromptConfig) *CLIPrompt { } } +// NewCLIPromptV2 returns a new CLI mfa prompt with the given config. +// TODO(Joerger): remove once /e is no longer dependent on this. +func NewCLIPromptV2(cfg *CLIPromptConfig) *CLIPrompt { + return NewCLIPrompt(cfg) +} + func (c *CLIPrompt) stdin() prompt.StdinReader { if c.cfg.StdinFunc == nil { return prompt.Stdin() diff --git a/lib/client/mfa/cli_test.go b/lib/client/mfa/cli_test.go index 54e0fcfd92fd9..ff5419f1a87e4 100644 --- a/lib/client/mfa/cli_test.go +++ b/lib/client/mfa/cli_test.go @@ -53,7 +53,8 @@ func TestCLIPrompt(t *testing.T) { expectStdOut: "", challenge: &proto.MFAAuthenticateChallenge{}, expectResp: &proto.MFAAuthenticateResponse{}, - }, { + }, + { name: "OK webauthn", expectStdOut: "Tap any security key\n", challenge: &proto.MFAAuthenticateChallenge{ @@ -64,7 +65,8 @@ func TestCLIPrompt(t *testing.T) { Webauthn: &webauthnpb.CredentialAssertionResponse{}, }, }, - }, { + }, + { name: "OK totp", expectStdOut: "Enter an OTP code from a device:\n", stdin: "123456", @@ -78,7 +80,8 @@ func TestCLIPrompt(t *testing.T) { }, }, }, - }, { + }, + { name: "OK webauthn or totp choose webauthn", expectStdOut: "Tap any security key or enter a code from a OTP device\n", challenge: &proto.MFAAuthenticateChallenge{ @@ -90,7 +93,8 @@ func TestCLIPrompt(t *testing.T) { Webauthn: &webauthnpb.CredentialAssertionResponse{}, }, }, - }, { + }, + { name: "OK webauthn or totp choose totp", expectStdOut: "Tap any security key or enter a code from a OTP device\n", stdin: "123456", @@ -105,21 +109,24 @@ func TestCLIPrompt(t *testing.T) { }, }, }, - }, { + }, + { name: "NOK no webauthn response", expectStdOut: "Tap any security key\n", challenge: &proto.MFAAuthenticateChallenge{ WebauthnChallenge: &webauthnpb.CredentialAssertion{}, }, expectErr: context.DeadlineExceeded, - }, { + }, + { name: "NOK no totp response", expectStdOut: "Enter an OTP code from a device:\n", challenge: &proto.MFAAuthenticateChallenge{ TOTP: &proto.TOTPChallenge{}, }, expectErr: context.DeadlineExceeded, - }, { + }, + { name: "NOK no webauthn or totp response", expectStdOut: "Tap any security key or enter a code from a OTP device\n", challenge: &proto.MFAAuthenticateChallenge{ @@ -260,7 +267,7 @@ Enter your security key PIN: buffer := make([]byte, 0, 100) out := bytes.NewBuffer(buffer) - prompt := mfa.NewCLIPromptV2(&mfa.CLIPromptConfig{ + prompt := mfa.NewCLIPrompt(&mfa.CLIPromptConfig{ PromptConfig: *cfg, Writer: out, AllowStdinHijack: true, diff --git a/lib/client/mfa_test.go b/lib/client/mfa_test.go index 845e9b1f975e5..bb24f3fb14a03 100644 --- a/lib/client/mfa_test.go +++ b/lib/client/mfa_test.go @@ -116,7 +116,7 @@ func TestPromptMFAChallenge_usingNonRegisteredDevice(t *testing.T) { test.customizePrompt(cliConfig) } - _, err := mfa.NewCLIPromptV2(cliConfig).Run(ctx, test.challenge) + _, err := mfa.NewCLIPrompt(cliConfig).Run(ctx, test.challenge) if !errors.Is(err, wancli.ErrUsingNonRegisteredDevice) { t.Errorf("PromptMFAChallenge returned err=%q, want %q", err, wancli.ErrUsingNonRegisteredDevice) } diff --git a/tool/tctl/common/admin_action_test.go b/tool/tctl/common/admin_action_test.go index bf877b702d4d8..920b67cb71d4c 100644 --- a/tool/tctl/common/admin_action_test.go +++ b/tool/tctl/common/admin_action_test.go @@ -1020,7 +1020,7 @@ func newAdminActionTestSuite(t *testing.T) *adminActionTestSuite { promptCfg := libmfa.NewPromptConfig(proxyPublicAddr.String(), opts...) promptCfg.WebauthnLoginFunc = mockWebauthnLogin promptCfg.WebauthnSupported = true - return libmfa.NewCLIPromptV2(&libmfa.CLIPromptConfig{ + return libmfa.NewCLIPrompt(&libmfa.CLIPromptConfig{ PromptConfig: *promptCfg, }) } diff --git a/tool/tctl/common/tctl.go b/tool/tctl/common/tctl.go index 7d62b692a13bc..d4d31c3c09e7b 100644 --- a/tool/tctl/common/tctl.go +++ b/tool/tctl/common/tctl.go @@ -250,7 +250,7 @@ func TryRun(commands []CLICommand, args []string) error { proxyAddr := resp.ProxyPublicAddr client.SetMFAPromptConstructor(func(opts ...mfa.PromptOpt) mfa.Prompt { promptCfg := libmfa.NewPromptConfig(proxyAddr, opts...) - return libmfa.NewCLIPromptV2(&libmfa.CLIPromptConfig{ + return libmfa.NewCLIPrompt(&libmfa.CLIPromptConfig{ PromptConfig: *promptCfg, }) }) From 1c6aca5d7fcb594b6c782989bb0545448dcbb34d Mon Sep 17 00:00:00 2001 From: joerger Date: Thu, 31 Oct 2024 11:45:22 -0700 Subject: [PATCH 2/2] Update e ref to branch/v15; Add missing changes. --- e | 2 +- lib/client/weblogin.go | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/e b/e index 456398aca8de8..af339e72670c2 160000 --- a/e +++ b/e @@ -1 +1 @@ -Subproject commit 456398aca8de86fb1bd64717bb4dfb21807681fd +Subproject commit af339e72670c298ffe4162b9595f96e076c68b7f diff --git a/lib/client/weblogin.go b/lib/client/weblogin.go index ca3d60eac3442..e8bb05e256a96 100644 --- a/lib/client/weblogin.go +++ b/lib/client/weblogin.go @@ -658,7 +658,8 @@ func SSHAgentMFALogin(ctx context.Context, login SSHLoginMFA) (*authclient.SSHLo promptMFA := login.PromptMFA if promptMFA == nil { - promptMFA = libmfa.NewCLIPrompt(libmfa.NewPromptConfig(login.ProxyAddr), os.Stderr) + cfg := libmfa.NewPromptConfig(login.ProxyAddr) + promptMFA = libmfa.NewCLIPrompt(&libmfa.CLIPromptConfig{PromptConfig: *cfg}) } respPB, err := promptMFA.Run(ctx, chal) @@ -856,7 +857,8 @@ func SSHAgentMFAWebSessionLogin(ctx context.Context, login SSHLoginMFA) (*WebCli promptMFA := login.PromptMFA if promptMFA == nil { - promptMFA = libmfa.NewCLIPrompt(libmfa.NewPromptConfig(login.ProxyAddr), os.Stderr) + cfg := libmfa.NewPromptConfig(login.ProxyAddr) + promptMFA = libmfa.NewCLIPrompt(&libmfa.CLIPromptConfig{PromptConfig: *cfg}) } respPB, err := promptMFA.Run(ctx, chal)