From 5e54d49d9b319786e3e22f8e6c176c2216e2c172 Mon Sep 17 00:00:00 2001
From: Jordan Reimer <zofskeez@gmail.com>
Date: Fri, 18 Feb 2022 08:22:39 -0700
Subject: [PATCH] updates mfa error handling (#14147)

---
 ui/app/components/mfa-error.js                | 43 ---------------
 ui/app/components/mfa-form.js                 | 23 +++++---
 ui/app/controllers/vault/cluster/auth.js      |  4 ++
 ui/app/services/auth.js                       | 18 +-----
 ui/app/templates/components/auth-form.hbs     |  2 +-
 ui/app/templates/components/mfa-error.hbs     | 15 -----
 ui/app/templates/components/mfa-form.hbs      |  2 +-
 ui/app/templates/vault/cluster/auth.hbs       | 16 +++++-
 ui/mirage/handlers/mfa.js                     |  7 ++-
 ui/tests/acceptance/mfa-test.js               | 17 ++++++
 .../integration/components/mfa-error-test.js  | 38 -------------
 .../integration/components/mfa-form-test.js   | 55 +++++++++++++------
 12 files changed, 99 insertions(+), 141 deletions(-)
 delete mode 100644 ui/app/components/mfa-error.js
 delete mode 100644 ui/app/templates/components/mfa-error.hbs
 delete mode 100644 ui/tests/integration/components/mfa-error-test.js

diff --git a/ui/app/components/mfa-error.js b/ui/app/components/mfa-error.js
deleted file mode 100644
index ed894a051a4c..000000000000
--- a/ui/app/components/mfa-error.js
+++ /dev/null
@@ -1,43 +0,0 @@
-import Component from '@glimmer/component';
-import { inject as service } from '@ember/service';
-import { action } from '@ember/object';
-import { TOTP_NOT_CONFIGURED } from 'vault/services/auth';
-
-const TOTP_NA_MSG =
-  'Multi-factor authentication is required, but you have not set it up. In order to do so, please contact your administrator.';
-const MFA_ERROR_MSG =
-  'Multi-factor authentication is required, but failed. Go back and try again, or contact your administrator.';
-
-export { TOTP_NA_MSG, MFA_ERROR_MSG };
-
-/**
- * @module MfaError
- * MfaError components are used to display mfa errors
- *
- * @example
- * ```js
- * <MfaError />
- * ```
- */
-
-export default class MfaError extends Component {
-  @service auth;
-
-  get isTotp() {
-    return this.auth.mfaErrors.includes(TOTP_NOT_CONFIGURED);
-  }
-  get title() {
-    return this.isTotp ? 'TOTP not set up' : 'Unauthorized';
-  }
-  get description() {
-    return this.isTotp ? TOTP_NA_MSG : MFA_ERROR_MSG;
-  }
-
-  @action
-  onClose() {
-    this.auth.set('mfaErrors', null);
-    if (this.args.onClose) {
-      this.args.onClose();
-    }
-  }
-}
diff --git a/ui/app/components/mfa-form.js b/ui/app/components/mfa-form.js
index 6ba69b32035e..b88410580041 100644
--- a/ui/app/components/mfa-form.js
+++ b/ui/app/components/mfa-form.js
@@ -17,12 +17,14 @@ import { numberToWord } from 'vault/helpers/number-to-word';
  * @param {function} onSuccess - fired when passcode passes validation
  */
 
+export const VALIDATION_ERROR =
+  'The passcode failed to validate. If you entered the correct passcode, contact your administrator.';
+
 export default class MfaForm extends Component {
   @service auth;
 
-  @tracked passcode;
   @tracked countdown;
-  @tracked errors;
+  @tracked error;
 
   get constraints() {
     return this.args.authData.mfa_requirement.mfa_constraints;
@@ -57,21 +59,26 @@ export default class MfaForm extends Component {
 
   @task *validate() {
     try {
+      this.error = null;
       const response = yield this.auth.totpValidate({
         clusterId: this.args.clusterId,
         ...this.args.authData,
       });
       this.args.onSuccess(response);
     } catch (error) {
-      this.errors = error.errors;
-      // TODO: update if specific error can be parsed for incorrect passcode
-      // this.newCodeDelay.perform();
+      const codeUsed = (error.errors || []).find((e) => e.includes('code already used;'));
+      if (codeUsed) {
+        // parse validity period from error string to initialize countdown
+        const seconds = parseInt(codeUsed.split('in ')[1].split(' seconds')[0]);
+        this.newCodeDelay.perform(seconds);
+      } else {
+        this.error = VALIDATION_ERROR;
+      }
     }
   }
 
-  @task *newCodeDelay() {
-    this.passcode = null;
-    this.countdown = 30;
+  @task *newCodeDelay(timePeriod) {
+    this.countdown = timePeriod;
     while (this.countdown) {
       yield timeout(1000);
       this.countdown--;
diff --git a/ui/app/controllers/vault/cluster/auth.js b/ui/app/controllers/vault/cluster/auth.js
index 3e98db58ee73..0959cbb920ce 100644
--- a/ui/app/controllers/vault/cluster/auth.js
+++ b/ui/app/controllers/vault/cluster/auth.js
@@ -80,5 +80,9 @@ export default Controller.extend({
     onMfaSuccess(authResponse) {
       this.authSuccess(authResponse);
     },
+    onMfaErrorDismiss() {
+      this.set('mfaAuthData', null);
+      this.auth.set('mfaErrors', null);
+    },
   },
 });
diff --git a/ui/app/services/auth.js b/ui/app/services/auth.js
index b25e502828c8..ec1db73f06fd 100644
--- a/ui/app/services/auth.js
+++ b/ui/app/services/auth.js
@@ -15,10 +15,9 @@ import { task, timeout } from 'ember-concurrency';
 const TOKEN_SEPARATOR = '☃';
 const TOKEN_PREFIX = 'vault-';
 const ROOT_PREFIX = '_root_';
-const TOTP_NOT_CONFIGURED = 'TOTP mfa required but not configured';
 const BACKENDS = supportedAuthBackends();
 
-export { TOKEN_SEPARATOR, TOKEN_PREFIX, ROOT_PREFIX, TOTP_NOT_CONFIGURED };
+export { TOKEN_SEPARATOR, TOKEN_PREFIX, ROOT_PREFIX };
 
 export default Service.extend({
   permissions: service(),
@@ -362,21 +361,10 @@ export default Service.extend({
   async authenticate(/*{clusterId, backend, data}*/) {
     const [options] = arguments;
     const adapter = this.clusterAdapter();
-    let resp;
-
-    try {
-      resp = await adapter.authenticate(options);
-    } catch (e) {
-      // TODO: check for totp not configured mfa error before throwing
-      const errors = this.handleError(e);
-      // stubbing error - verify once API is finalized
-      if (errors.includes(TOTP_NOT_CONFIGURED)) {
-        this.set('mfaErrors', errors);
-      }
-      throw e;
-    }
 
+    let resp = await adapter.authenticate(options);
     const { mfa_requirement, requiresAction } = this._parseMfaResponse(resp.auth?.mfa_requirement);
+
     if (mfa_requirement) {
       if (requiresAction) {
         return { mfa_requirement };
diff --git a/ui/app/templates/components/auth-form.hbs b/ui/app/templates/components/auth-form.hbs
index 654a6b43fd1d..9bc02fa8289e 100644
--- a/ui/app/templates/components/auth-form.hbs
+++ b/ui/app/templates/components/auth-form.hbs
@@ -1,4 +1,4 @@
-<div class="auth-form">
+<div class="auth-form" data-test-auth-form>
   {{#if this.hasMethodsWithPath}}
     <nav class="tabs is-marginless">
       <ul>
diff --git a/ui/app/templates/components/mfa-error.hbs b/ui/app/templates/components/mfa-error.hbs
deleted file mode 100644
index 019c54492f03..000000000000
--- a/ui/app/templates/components/mfa-error.hbs
+++ /dev/null
@@ -1,15 +0,0 @@
-<div class="has-top-margin-xxl">
-  <EmptyState
-    @title={{this.title}}
-    @message={{this.description}}
-    @icon="alert-circle"
-    @bottomBorder={{true}}
-    @subTitle={{join ". " this.auth.mfaErrors}}
-    class="is-box-shadowless"
-  >
-    <button type="button" class="button is-ghost is-transparent" {{on "click" this.onClose}} data-test-go-back>
-      <Icon @name="chevron-left" />
-      Go back
-    </button>
-  </EmptyState>
-</div>
\ No newline at end of file
diff --git a/ui/app/templates/components/mfa-form.hbs b/ui/app/templates/components/mfa-form.hbs
index 86baf99017f5..227ddf489334 100644
--- a/ui/app/templates/components/mfa-form.hbs
+++ b/ui/app/templates/components/mfa-form.hbs
@@ -4,7 +4,7 @@
       {{this.description}}
     </p>
     <form id="auth-form" {{on "submit" this.submit}}>
-      <MessageError @errors={{this.errors}} class="has-top-margin-s" />
+      <MessageError @errorMessage={{this.error}} class="has-top-margin-s" />
       <div class="field has-top-margin-l">
         {{#each this.constraints as |constraint index|}}
           {{#if index}}
diff --git a/ui/app/templates/vault/cluster/auth.hbs b/ui/app/templates/vault/cluster/auth.hbs
index 76dd5f54873e..b8214459f34c 100644
--- a/ui/app/templates/vault/cluster/auth.hbs
+++ b/ui/app/templates/vault/cluster/auth.hbs
@@ -1,6 +1,20 @@
 <SplashPage @hasAltContent={{this.auth.mfaErrors}} as |Page|>
   <Page.altContent>
-    <MfaError @onClose={{fn (mut this.mfaAuthData) null}} />
+    <div class="has-top-margin-xxl" data-test-mfa-error>
+      <EmptyState
+        @title="Unauthorized"
+        @message="Multi-factor authentication is required, but failed. Go back and try again, or contact your administrator."
+        @icon="alert-circle"
+        @bottomBorder={{true}}
+        @subTitle={{join ". " this.auth.mfaErrors}}
+        class="is-box-shadowless"
+      >
+        <button type="button" class="button is-ghost is-transparent" {{on "click" (action "onMfaErrorDismiss")}}>
+          <Icon @name="chevron-left" />
+          Go back
+        </button>
+      </EmptyState>
+    </div>
   </Page.altContent>
   <Page.header>
     {{#if this.oidcProvider}}
diff --git a/ui/mirage/handlers/mfa.js b/ui/mirage/handlers/mfa.js
index a76ea20c6006..aa7aff7eae96 100644
--- a/ui/mirage/handlers/mfa.js
+++ b/ui/mirage/handlers/mfa.js
@@ -43,6 +43,8 @@ export default function (server) {
       [mfa_constraints, methods] = generator([m('totp')], [m('okta')]); // 2 constraints 1 passcode 1 non-passcode
     } else if (user === 'mfa-i') {
       [mfa_constraints, methods] = generator([m('okta'), m('totp')], [m('totp')]); // 2 constraints 1 passcode/1 non-passcode 1 non-passcode
+    } else if (user === 'mfa-j') {
+      [mfa_constraints, methods] = generator([m('pingid')]); // use to test push failures
     }
     const numbers = (length) =>
       Math.random()
@@ -129,7 +131,10 @@ export default function (server) {
         const passcode = mfa_payload[constraintId][0];
         if (method.uses_passcode) {
           if (passcode !== 'test') {
-            const error = !passcode ? 'TOTP passcode not provided' : 'Incorrect TOTP passcode provided';
+            const error =
+              passcode === 'used'
+                ? 'code already used; new code is available in 30 seconds'
+                : 'failed to validate';
             return new Response(403, {}, { errors: [error] });
           }
         } else if (passcode) {
diff --git a/ui/tests/acceptance/mfa-test.js b/ui/tests/acceptance/mfa-test.js
index fcf3eb9372a3..a2f24a233aae 100644
--- a/ui/tests/acceptance/mfa-test.js
+++ b/ui/tests/acceptance/mfa-test.js
@@ -132,4 +132,21 @@ module('Acceptance | mfa', function (hooks) {
     await click('[data-test-mfa-validate]');
     didLogin(assert);
   });
+
+  test('it should render unauthorized message for push failure', async function (assert) {
+    await login('mfa-j');
+    assert.dom('[data-test-auth-form]').doesNotExist('Auth form hidden when mfa fails');
+    assert.dom('[data-test-empty-state-title]').hasText('Unauthorized', 'Error title renders');
+    assert
+      .dom('[data-test-empty-state-subText]')
+      .hasText('PingId MFA validation failed', 'Error message from server renders');
+    assert
+      .dom('[data-test-empty-state-message]')
+      .hasText(
+        'Multi-factor authentication is required, but failed. Go back and try again, or contact your administrator.',
+        'Error description renders'
+      );
+    await click('[data-test-mfa-error] button');
+    assert.dom('[data-test-auth-form]').exists('Auth form renders after mfa error dismissal');
+  });
 });
diff --git a/ui/tests/integration/components/mfa-error-test.js b/ui/tests/integration/components/mfa-error-test.js
deleted file mode 100644
index 9dc4fad51f1a..000000000000
--- a/ui/tests/integration/components/mfa-error-test.js
+++ /dev/null
@@ -1,38 +0,0 @@
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { click } from '@ember/test-helpers';
-import { TOTP_NOT_CONFIGURED } from 'vault/services/auth';
-import { TOTP_NA_MSG, MFA_ERROR_MSG } from 'vault/components/mfa-error';
-const UNAUTH = 'MFA authorization failed';
-
-module('Integration | Component | mfa-error', function (hooks) {
-  setupRenderingTest(hooks);
-
-  test('it renders', async function (assert) {
-    const auth = this.owner.lookup('service:auth');
-    auth.set('mfaErrors', [TOTP_NOT_CONFIGURED]);
-
-    this.onClose = () => assert.ok(true, 'onClose event is triggered');
-
-    await render(hbs`<MfaError @onClose={{this.onClose}}/>`);
-
-    assert.dom('[data-test-empty-state-title]').hasText('TOTP not set up', 'Title renders for TOTP error');
-    assert
-      .dom('[data-test-empty-state-subText]')
-      .hasText(TOTP_NOT_CONFIGURED, 'Error message renders for TOTP error');
-    assert.dom('[data-test-empty-state-message]').hasText(TOTP_NA_MSG, 'Description renders for TOTP error');
-
-    auth.set('mfaErrors', [UNAUTH]);
-    await render(hbs`<MfaError @onClose={{this.onClose}}/>`);
-
-    assert.dom('[data-test-empty-state-title]').hasText('Unauthorized', 'Title renders for mfa error');
-    assert.dom('[data-test-empty-state-subText]').hasText(UNAUTH, 'Error message renders for mfa error');
-    assert.dom('[data-test-empty-state-message]').hasText(MFA_ERROR_MSG, 'Description renders for mfa error');
-
-    await click('[data-test-go-back]');
-
-    assert.equal(auth.mfaErrors, null, 'mfaErrors unset in auth service');
-  });
-});
diff --git a/ui/tests/integration/components/mfa-form-test.js b/ui/tests/integration/components/mfa-form-test.js
index f48c4c0f01f8..e8ce51793c61 100644
--- a/ui/tests/integration/components/mfa-form-test.js
+++ b/ui/tests/integration/components/mfa-form-test.js
@@ -1,10 +1,11 @@
-import { module, test, skip } from 'qunit';
+import { module, test } from 'qunit';
 import { setupRenderingTest } from 'ember-qunit';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { fillIn, click, waitUntil } from '@ember/test-helpers';
 import { run, later } from '@ember/runloop';
+import { VALIDATION_ERROR } from 'vault/components/mfa-form';
 
 module('Integration | Component | mfa-form', function (hooks) {
   setupRenderingTest(hooks);
@@ -17,6 +18,14 @@ module('Integration | Component | mfa-form', function (hooks) {
       data: { username: 'foo', password: 'bar' },
     };
     this.authService = this.owner.lookup('service:auth');
+    // setup basic totp mfa_requirement
+    // override in tests that require different scenarios
+    this.totpConstraint = this.server.create('mfa-method', { type: 'totp' });
+    const { mfa_requirement } = this.authService._parseMfaResponse({
+      mfa_request_id: 'test-mfa-id',
+      mfa_constraints: { test_mfa: { any: [this.totpConstraint] } },
+    });
+    this.mfaAuthData.mfa_requirement = mfa_requirement;
   });
 
   test('it should render correct descriptions', async function (assert) {
@@ -115,22 +124,11 @@ module('Integration | Component | mfa-form', function (hooks) {
   });
 
   test('it should validate mfa requirement', async function (assert) {
-    const totpConstraint = this.server.create('mfa-method', { type: 'totp' });
-    const { mfa_requirement } = this.authService._parseMfaResponse({
-      mfa_request_id: 'test-mfa-id',
-      mfa_constraints: {
-        test_mfa: {
-          any: [totpConstraint],
-        },
-      },
-    });
-    this.mfaAuthData.mfa_requirement = mfa_requirement;
-
     this.server.post('/sys/mfa/validate', (schema, req) => {
       const json = JSON.parse(req.requestBody);
       const payload = {
         mfa_request_id: 'test-mfa-id',
-        mfa_payload: { [totpConstraint.id]: ['test-code'] },
+        mfa_payload: { [this.totpConstraint.id]: ['test-code'] },
       };
       assert.deepEqual(json, payload, 'Correct mfa payload passed to validate endpoint');
       return {};
@@ -164,11 +162,10 @@ module('Integration | Component | mfa-form', function (hooks) {
     await click('[data-test-mfa-validate]');
   });
 
-  // commented out in component until specific error code can be parsed from the api response
-  skip('it should show countdown on passcode validation failure', async function (assert) {
+  test('it should show countdown on passcode already used error', async function (assert) {
     this.owner.lookup('service:auth').reopen({
       totpValidate() {
-        throw new Error('Incorrect passcode');
+        throw { errors: ['code already used; new code is available in 45 seconds'] };
       },
     });
     await render(hbs`
@@ -181,10 +178,32 @@ module('Integration | Component | mfa-form', function (hooks) {
     await fillIn('[data-test-mfa-passcode]', 'test-code');
     later(() => run.cancelTimers(), 50);
     await click('[data-test-mfa-validate]');
+    assert
+      .dom('[data-test-mfa-countdown]')
+      .hasText('45', 'countdown renders with correct initial value from error response');
     assert.dom('[data-test-mfa-validate]').isDisabled('Button is disabled during countdown');
     assert.dom('[data-test-mfa-passcode]').isDisabled('Input is disabled during countdown');
-    assert.dom('[data-test-mfa-passcode]').hasNoValue('Input value is cleared on error');
     assert.dom('[data-test-inline-error-message]').exists('Alert message renders');
-    assert.dom('[data-test-mfa-countdown]').exists('30 second countdown renders');
+  });
+
+  test('it should show error message for passcode invalid error', async function (assert) {
+    this.owner.lookup('service:auth').reopen({
+      totpValidate() {
+        throw { errors: ['failed to validate'] };
+      },
+    });
+    await render(hbs`
+      <MfaForm
+        @clusterId={{this.clusterId}}
+        @authData={{this.mfaAuthData}}
+      />
+    `);
+
+    await fillIn('[data-test-mfa-passcode]', 'test-code');
+    later(() => run.cancelTimers(), 50);
+    await click('[data-test-mfa-validate]');
+    assert
+      .dom('[data-test-error]')
+      .includesText(VALIDATION_ERROR, 'Generic error message renders for passcode validation error');
   });
 });