interactive CLI for mfa login (#14131)

* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* interactive CLI for mfa login

* minor fixes

* bail if no input was inserted

* change label name

* interactive CLI when single methodID is returned from login request

* minor fix

* adding changelog

* addressing feedback

* a user with a terminal should be able to choose between interactive and non-interactive.  A user without a terminal should not be able to use the interactive mode.

Co-authored-by: Josh Black <raskchanky@gmail.com>
This commit is contained in:
hghaf099 2022-02-24 15:16:15 -05:00 committed by GitHub
parent 9bb4920497
commit 671cdbcadb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 163 additions and 19 deletions

3
changelog/14131.txt Normal file
View file

@ -0,0 +1,3 @@
```release-note:improvement
cli: interactive CLI for login mfa
```

View file

@ -55,6 +55,7 @@ type BaseCommand struct {
flagFormat string flagFormat string
flagField string flagField string
flagOutputCurlString bool flagOutputCurlString bool
flagNonInteractive bool
flagMFA []string flagMFA []string
@ -393,6 +394,13 @@ func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
"This can be specified multiple times.", "This can be specified multiple times.",
}) })
f.BoolVar(&BoolVar{
Name: "non-interactive",
Target: &c.flagNonInteractive,
Default: false,
Usage: "When set true, prevents asking the user for input via the terminal.",
})
} }
if bit&(FlagSetOutputField|FlagSetOutputFormat) != 0 { if bit&(FlagSetOutputField|FlagSetOutputFormat) != 0 {

View file

@ -6,6 +6,8 @@ import (
"os" "os"
"strings" "strings"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mattn/go-isatty"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
"github.com/posener/complete" "github.com/posener/complete"
) )
@ -15,6 +17,13 @@ var (
_ cli.CommandAutocomplete = (*WriteCommand)(nil) _ cli.CommandAutocomplete = (*WriteCommand)(nil)
) )
// MFAMethodInfo contains the information about an MFA method
type MFAMethodInfo struct {
methodID string
methodType string
usePasscode bool
}
// WriteCommand is a Command that puts data into the Vault. // WriteCommand is a Command that puts data into the Vault.
type WriteCommand struct { type WriteCommand struct {
*BaseCommand *BaseCommand
@ -147,10 +156,103 @@ func (c *WriteCommand) Run(args []string) int {
} }
if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil { if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil {
if c.isInteractiveEnabled(len(secret.Auth.MFARequirement.MFAConstraints)) {
// Currently, if there is only one MFA method configured, the login
// request is validated interactively
methodInfo := c.getMFAMethodInfo(secret.Auth.MFARequirement.MFAConstraints)
if methodInfo.methodID != "" {
return c.validateMFA(secret.Auth.MFARequirement.MFARequestID, methodInfo)
}
}
c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+ c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
"MFA validation. Please make sure to validate the login by sending another "+ "MFA validation. Please make sure to validate the login by sending another "+
"request to mfa/validate endpoint.") + "\n") "request to sys/mfa/validate endpoint.") + "\n")
} }
// Handle single field output
if c.flagField != "" {
return PrintRawField(c.UI, secret, c.flagField)
}
return OutputSecret(c.UI, secret)
}
func (c *WriteCommand) isInteractiveEnabled(mfaConstraintLen int) bool {
if mfaConstraintLen != 1 || !isatty.IsTerminal(os.Stdin.Fd()) {
return false
}
if !c.flagNonInteractive {
return true
}
return false
}
// getMFAMethodInfo returns MFA method information only if one MFA method is
// configured.
func (c *WriteCommand) getMFAMethodInfo(mfaConstraintAny map[string]*logical.MFAConstraintAny) MFAMethodInfo {
for _, mfaConstraint := range mfaConstraintAny {
if len(mfaConstraint.Any) != 1 {
return MFAMethodInfo{}
}
return MFAMethodInfo{
methodType: mfaConstraint.Any[0].Type,
methodID: mfaConstraint.Any[0].ID,
usePasscode: mfaConstraint.Any[0].UsesPasscode,
}
}
return MFAMethodInfo{}
}
func (c *WriteCommand) validateMFA(reqID string, methodInfo MFAMethodInfo) int {
var passcode string
var err error
if methodInfo.usePasscode {
passcode, err = c.UI.AskSecret(fmt.Sprintf("Enter the passphrase for methodID %q of type %q:", methodInfo.methodID, methodInfo.methodType))
if err != nil {
c.UI.Error(fmt.Sprintf("failed to read the passphrase with error %q. please validate the login by sending a request to sys/mfa/validate", err.Error()))
return 2
}
} else {
c.UI.Warn("Asking Vault to perform MFA validation with upstream service. " +
"You should receive a push notification in your authenticator app shortly")
}
// passcode could be an empty string
mfaPayload := map[string][]string{
methodInfo.methodID: {passcode},
}
client, err := c.Client()
if err != nil {
c.UI.Error(err.Error())
return 2
}
path := "sys/mfa/validate"
secret, err := client.Logical().Write(path, map[string]interface{}{
"mfa_request_id": reqID,
"mfa_payload": mfaPayload,
})
if err != nil {
c.UI.Error(err.Error())
if secret != nil {
OutputSecret(c.UI, secret)
}
return 2
}
if secret == nil {
// Don't output anything unless using the "table" format
if Format(c.UI) == "table" {
c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
}
return 0
}
// Handle single field output // Handle single field output
if c.flagField != "" { if c.flagField != "" {
return PrintRawField(c.UI, secret, c.flagField) return PrintRawField(c.UI, secret, c.flagField)

View file

@ -2107,7 +2107,6 @@ func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c
if err := c.setupQuotas(ctx, false); err != nil { if err := c.setupQuotas(ctx, false); err != nil {
return err return err
} }
c.setupCachedMFAResponseAuth() c.setupCachedMFAResponseAuth()
if err := c.setupHeaderHMACKey(ctx, false); err != nil { if err := c.setupHeaderHMACKey(ctx, false); err != nil {

View file

@ -135,10 +135,6 @@ func (c *Core) collectNamespaces() []*namespace.Namespace {
} }
} }
func (c *Core) namepaceByPath(string) *namespace.Namespace {
return namespace.RootNamespace
}
func (c *Core) HasWALState(required *logical.WALState, perfStandby bool) bool { func (c *Core) HasWALState(required *logical.WALState, perfStandby bool) bool {
return true return true
} }

View file

@ -1,12 +1,14 @@
package identity package identity
import ( import (
"context"
"fmt" "fmt"
"strings" "strings"
"testing" "testing"
"time" "time"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/audit"
"github.com/hashicorp/vault/builtin/credential/userpass" "github.com/hashicorp/vault/builtin/credential/userpass"
"github.com/hashicorp/vault/builtin/logical/totp" "github.com/hashicorp/vault/builtin/logical/totp"
vaulthttp "github.com/hashicorp/vault/http" vaulthttp "github.com/hashicorp/vault/http"
@ -14,29 +16,45 @@ import (
"github.com/hashicorp/vault/vault" "github.com/hashicorp/vault/vault"
) )
var loginMFACoreConfig = &vault.CoreConfig{ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
var noop *vault.NoopAudit
cluster := vault.NewTestCluster(t, &vault.CoreConfig{
CredentialBackends: map[string]logical.Factory{ CredentialBackends: map[string]logical.Factory{
"userpass": userpass.Factory, "userpass": userpass.Factory,
}, },
LogicalBackends: map[string]logical.Factory{ LogicalBackends: map[string]logical.Factory{
"totp": totp.Factory, "totp": totp.Factory,
}, },
AuditBackends: map[string]audit.Factory{
"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
noop = &vault.NoopAudit{
Config: config,
} }
return noop, nil
func TestLoginMfaGenerateTOTPRoleTest(t *testing.T) { },
cluster := vault.NewTestCluster(t, loginMFACoreConfig, &vault.TestClusterOptions{ },
},
&vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler, HandlerFunc: vaulthttp.Handler,
}) })
cluster.Start() cluster.Start()
defer cluster.Cleanup() defer cluster.Cleanup()
client := cluster.Cores[0].Client client := cluster.Cores[0].Client
// Enable the audit backend
err := client.Sys().EnableAuditWithOptions("noop", &api.EnableAuditOptions{Type: "noop"})
if err != nil {
t.Fatal(err)
}
// Mount the TOTP backend // Mount the TOTP backend
mountInfo := &api.MountInput{ mountInfo := &api.MountInput{
Type: "totp", Type: "totp",
} }
err := client.Sys().Mount("totp", mountInfo) err = client.Sys().Mount("totp", mountInfo)
if err != nil { if err != nil {
t.Fatalf("failed to mount totp backend: %v", err) t.Fatalf("failed to mount totp backend: %v", err)
} }
@ -254,6 +272,24 @@ func TestLoginMfaGenerateTOTPRoleTest(t *testing.T) {
t.Fatalf("MFA failed: %v", err) t.Fatalf("MFA failed: %v", err)
} }
if secret.Auth == nil || secret.Auth.ClientToken == "" {
t.Fatalf("successful mfa validation did not return a client token")
}
if noop.Req == nil {
t.Fatalf("no request was logged in audit log")
}
var found bool
for _, req := range noop.Req {
if req.Path == "sys/mfa/validate" {
found = true
break
}
}
if !found {
t.Fatalf("mfa/validate was not logged in audit log")
}
// check for login request expiration // check for login request expiration
secret, err = user2Client.Logical().Write("auth/userpass/login/testuser", map[string]interface{}{ secret, err = user2Client.Logical().Write("auth/userpass/login/testuser", map[string]interface{}{
"password": "testpassword", "password": "testpassword",