mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-01 19:17:58 +00:00
interactive CLI for mfa login (#14131)
* Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * interactive CLI for mfa login * minor fixes * bail if no input was inserted * change label name * interactive CLI when single methodID is returned from login request * minor fix * adding changelog * addressing feedback * a user with a terminal should be able to choose between interactive and non-interactive. A user without a terminal should not be able to use the interactive mode. Co-authored-by: Josh Black <raskchanky@gmail.com>
This commit is contained in:
hghaf099
104
command/write.go
104
command/write.go
@@ -6,6 +6,8 @@ import (
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
"github.com/mattn/go-isatty"
|
||||
"github.com/mitchellh/cli"
|
||||
"github.com/posener/complete"
|
||||
)
|
||||
@@ -15,6 +17,13 @@ var (
|
||||
_ cli.CommandAutocomplete = (*WriteCommand)(nil)
|
||||
)
|
||||
|
||||
// MFAMethodInfo contains the information about an MFA method
|
||||
type MFAMethodInfo struct {
|
||||
methodID string
|
||||
methodType string
|
||||
usePasscode bool
|
||||
}
|
||||
|
||||
// WriteCommand is a Command that puts data into the Vault.
|
||||
type WriteCommand struct {
|
||||
*BaseCommand
|
||||
@@ -147,10 +156,103 @@ func (c *WriteCommand) Run(args []string) int {
|
||||
}
|
||||
|
||||
if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil {
|
||||
if c.isInteractiveEnabled(len(secret.Auth.MFARequirement.MFAConstraints)) {
|
||||
// Currently, if there is only one MFA method configured, the login
|
||||
// request is validated interactively
|
||||
methodInfo := c.getMFAMethodInfo(secret.Auth.MFARequirement.MFAConstraints)
|
||||
if methodInfo.methodID != "" {
|
||||
return c.validateMFA(secret.Auth.MFARequirement.MFARequestID, methodInfo)
|
||||
}
|
||||
}
|
||||
c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
|
||||
"MFA validation. Please make sure to validate the login by sending another "+
|
||||
"request to mfa/validate endpoint.") + "\n")
|
||||
"request to sys/mfa/validate endpoint.") + "\n")
|
||||
}
|
||||
|
||||
// Handle single field output
|
||||
if c.flagField != "" {
|
||||
return PrintRawField(c.UI, secret, c.flagField)
|
||||
}
|
||||
|
||||
return OutputSecret(c.UI, secret)
|
||||
}
|
||||
|
||||
func (c *WriteCommand) isInteractiveEnabled(mfaConstraintLen int) bool {
|
||||
if mfaConstraintLen != 1 || !isatty.IsTerminal(os.Stdin.Fd()) {
|
||||
return false
|
||||
}
|
||||
|
||||
if !c.flagNonInteractive {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// getMFAMethodInfo returns MFA method information only if one MFA method is
|
||||
// configured.
|
||||
func (c *WriteCommand) getMFAMethodInfo(mfaConstraintAny map[string]*logical.MFAConstraintAny) MFAMethodInfo {
|
||||
for _, mfaConstraint := range mfaConstraintAny {
|
||||
if len(mfaConstraint.Any) != 1 {
|
||||
return MFAMethodInfo{}
|
||||
}
|
||||
|
||||
return MFAMethodInfo{
|
||||
methodType: mfaConstraint.Any[0].Type,
|
||||
methodID: mfaConstraint.Any[0].ID,
|
||||
usePasscode: mfaConstraint.Any[0].UsesPasscode,
|
||||
}
|
||||
}
|
||||
|
||||
return MFAMethodInfo{}
|
||||
}
|
||||
|
||||
func (c *WriteCommand) validateMFA(reqID string, methodInfo MFAMethodInfo) int {
|
||||
var passcode string
|
||||
var err error
|
||||
if methodInfo.usePasscode {
|
||||
passcode, err = c.UI.AskSecret(fmt.Sprintf("Enter the passphrase for methodID %q of type %q:", methodInfo.methodID, methodInfo.methodType))
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("failed to read the passphrase with error %q. please validate the login by sending a request to sys/mfa/validate", err.Error()))
|
||||
return 2
|
||||
}
|
||||
} else {
|
||||
c.UI.Warn("Asking Vault to perform MFA validation with upstream service. " +
|
||||
"You should receive a push notification in your authenticator app shortly")
|
||||
}
|
||||
|
||||
// passcode could be an empty string
|
||||
mfaPayload := map[string][]string{
|
||||
methodInfo.methodID: {passcode},
|
||||
}
|
||||
|
||||
client, err := c.Client()
|
||||
if err != nil {
|
||||
c.UI.Error(err.Error())
|
||||
return 2
|
||||
}
|
||||
|
||||
path := "sys/mfa/validate"
|
||||
|
||||
secret, err := client.Logical().Write(path, map[string]interface{}{
|
||||
"mfa_request_id": reqID,
|
||||
"mfa_payload": mfaPayload,
|
||||
})
|
||||
if err != nil {
|
||||
c.UI.Error(err.Error())
|
||||
if secret != nil {
|
||||
OutputSecret(c.UI, secret)
|
||||
}
|
||||
return 2
|
||||
}
|
||||
if secret == nil {
|
||||
// Don't output anything unless using the "table" format
|
||||
if Format(c.UI) == "table" {
|
||||
c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
// Handle single field output
|
||||
if c.flagField != "" {
|
||||
return PrintRawField(c.UI, secret, c.flagField)
|
||||
|
||||
Reference in New Issue
Block a user