open-vault/helper/mfa/mfa.go

// Package mfa provides wrappers to add multi-factor authentication
// to any auth method.
//
// To add MFA to a backend, replace its login path with the
// paths returned by MFAPaths and add the additional root
// paths returned by MFARootPaths. The backend provides
// the username to the MFA wrapper in Auth.Metadata['username'].
//
// To add an additional MFA type, create a subpackage that
// implements [Type]Paths, [Type]RootPaths, and [Type]Handler
// functions and add them to MFAPaths, MFARootPaths, and
// handlers respectively.
package mfa

import (
	"context"

	"github.com/hashicorp/vault/helper/mfa/duo"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

// MFAPaths returns paths to wrap the original login path and configure MFA.
// When adding MFA to a backend, these paths should be included instead of
// the login path in Backend.Paths.
func MFAPaths(originalBackend *framework.Backend, loginPath *framework.Path) []*framework.Path {
	var b backend
	b.Backend = originalBackend
	return append(duo.DuoPaths(), pathMFAConfig(&b), wrapLoginPath(&b, loginPath))
}

// MFARootPaths returns path strings used to configure MFA. When adding MFA
// to a backend, these paths should be included in
// Backend.PathsSpecial.Root.
func MFARootPaths() []string {
	return append(duo.DuoRootPaths(), "mfa_config")
}

// HandlerFunc is the callback called to handle MFA for a login request.
type HandlerFunc func(context.Context, *logical.Request, *framework.FieldData, *logical.Response) (*logical.Response, error)

// handlers maps each supported MFA type to its handler.
var handlers = map[string]HandlerFunc{
	"duo": duo.DuoHandler,
}

type backend struct {
	*framework.Backend
}

func wrapLoginPath(b *backend, loginPath *framework.Path) *framework.Path {
	loginPath.Fields["passcode"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: "One time passcode (optional)",
	}
	loginPath.Fields["method"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: "Multi-factor auth method to use (optional)",
	}
	// wrap write callback to do MFA after auth
	loginHandler := loginPath.Callbacks[logical.UpdateOperation]
	loginPath.Callbacks[logical.UpdateOperation] = b.wrapLoginHandler(loginHandler)
	return loginPath
}

func (b *backend) wrapLoginHandler(loginHandler framework.OperationFunc) framework.OperationFunc {
	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
		// login with original login function first
		resp, err := loginHandler(ctx, req, d)
		if err != nil || resp.Auth == nil {
			return resp, err
		}

		// check if multi-factor enabled
		mfa_config, err := b.MFAConfig(ctx, req)
		if err != nil || mfa_config == nil {
			return resp, nil
		}

		// perform multi-factor authentication if type supported
		handler, ok := handlers[mfa_config.Type]
		if ok {
			return handler(ctx, req, d, resp)
		} else {
			return resp, err
		}
	}
}
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// Package mfa provides wrappers to add multi-factor authentication`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`// to any auth method.`
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`//`
			`// To add MFA to a backend, replace its login path with the`
			`// paths returned by MFAPaths and add the additional root`
			`// paths returned by MFARootPaths. The backend provides`
			`// the username to the MFA wrapper in Auth.Metadata['username'].`
			`//`
			`// To add an additional MFA type, create a subpackage that`
			`// implements [Type]Paths, [Type]RootPaths, and [Type]Handler`
			`// functions and add them to MFAPaths, MFARootPaths, and`
			`// handlers respectively.`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`package mfa`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`

mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`"github.com/hashicorp/vault/helper/mfa/duo"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`)`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// MFAPaths returns paths to wrap the original login path and configure MFA.`
			`// When adding MFA to a backend, these paths should be included instead of`
			`// the login path in Backend.Paths.`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`func MFAPaths(originalBackend framework.Backend, loginPath framework.Path) []*framework.Path {`
			`var b backend`
			`b.Backend = originalBackend`
			`return append(duo.DuoPaths(), pathMFAConfig(&b), wrapLoginPath(&b, loginPath))`
			`}`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// MFARootPaths returns path strings used to configure MFA. When adding MFA`
			`// to a backend, these paths should be included in`
			`// Backend.PathsSpecial.Root.`
			`func MFARootPaths() []string {`
			`return append(duo.DuoRootPaths(), "mfa_config")`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// HandlerFunc is the callback called to handle MFA for a login request.`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`type HandlerFunc func(context.Context, logical.Request, framework.FieldData, logical.Response) (logical.Response, error)`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// handlers maps each supported MFA type to its handler.`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`var handlers = map[string]HandlerFunc{`
			`"duo": duo.DuoHandler,`
			`}`

mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`type backend struct {`
			`*framework.Backend`
			`}`

			`func wrapLoginPath(b backend, loginPath framework.Path) *framework.Path {`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`loginPath.Fields["passcode"] = &framework.FieldSchema{`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`Type: framework.TypeString,`
			`Description: "One time passcode (optional)",`
			`}`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`loginPath.Fields["method"] = &framework.FieldSchema{`
gofmt 2016-08-19 20:48:32 +00:00			`Type: framework.TypeString,`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`Description: "Multi-factor auth method to use (optional)",`
			`}`
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// wrap write callback to do MFA after auth`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`loginHandler := loginPath.Callbacks[logical.UpdateOperation]`
			`loginPath.Callbacks[logical.UpdateOperation] = b.wrapLoginHandler(loginHandler)`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`return loginPath`
			`}`

			`func (b *backend) wrapLoginHandler(loginHandler framework.OperationFunc) framework.OperationFunc {`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`return func(ctx context.Context, req logical.Request, d framework.FieldData) (*logical.Response, error) {`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`// login with original login function first`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err := loginHandler(ctx, req, d)`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`if err != nil \|\| resp.Auth == nil {`
			`return resp, err`
			`}`

			`// check if multi-factor enabled`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`mfa_config, err := b.MFAConfig(ctx, req)`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`if err != nil \|\| mfa_config == nil {`
			`return resp, nil`
			`}`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// perform multi-factor authentication if type supported`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`handler, ok := handlers[mfa_config.Type]`
			`if ok {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`return handler(ctx, req, d, resp)`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`} else {`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`return resp, err`
			`}`
			`}`
			`}`