Delete method id if not used in an MFA enforcement config (#14063)
* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fix a bug: mfa/validate is an unauthenticated path and goes through the handleLoginRequest path
hghaf099 authored Feb 16, 2022
1 parent 66ee056 commit a0a3dc0
Showing 2 changed files with 14 additions and 2 deletions.
12 changes: 12 additions & 0 deletions vault/login_mfa.go
Expand Up @@ -2272,6 +2272,18 @@ func (b *LoginMFABackend) deleteMFAConfigByMethodID(ctx context.Context, configI
b.mfaLock.Lock()
defer b.mfaLock.Unlock()

eConfigIter, err := b.MemDBMFALoginEnforcementConfigIterator()
if err != nil {
return err
}

for eConfigRaw := eConfigIter.Next(); eConfigRaw != nil; eConfigRaw = eConfigIter.Next() {
eConfig := eConfigRaw.(*mfa.MFAEnforcementConfig)
if strutil.StrListContains(eConfig.MFAMethodIDs, configID) {
return fmt.Errorf("methodID is still used by an enforcement configuration with ID: %s", eConfig.ID)
}
}

// Delete the config from storage
entryIndex := prefix + configID
err = b.Core.systemBarrierView.Delete(ctx, entryIndex)
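Review bot: The refusal at `return fmt.Errorf("methodID is still used by an enforcement configuration with ID: %s", eConfig.ID)` is a bare error, and if the caller passes it through unchanged it will presumably reach the API client as an internal error rather than a client error, so consider returning it in a form the handler layer maps to a 400 (a logical.CodedError or a logical.ErrorResponse at the call site), since the condition is user-correctable. The new loop also deserves a why-comment, e.g. `// Refuse to delete a method that an MFA enforcement config still references; otherwise the enforcement would be left pointing at a method that no longer exists.` The parameter is named `configID` but it is matched against `eConfig.MFAMethodIDs` and the message calls it a methodID, so either the name or the message should be aligned to avoid confusing the next reader. The check and the storage delete both run under `b.mfaLock`, which only closes the window against a concurrent enforcement-config write if that writer takes the same lock — worth confirming. deleteMFAConfigByMethodID starts before and continues past the hunk.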
4 changes: 2 additions & 2 deletions vault/request_handling.go
Expand Up @@ -1075,7 +1075,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
// Only the token store is allowed to return an auth block, for any
// other request this is an internal error.
if resp != nil && resp.Auth != nil {
if !strings.HasPrefix(req.Path, "auth/token/") && req.Path != "sys/mfa/validate" {
if !strings.HasPrefix(req.Path, "auth/token/") {
c.logger.Error("unexpected Auth response for non-token backend", "request_path", req.Path)
retErr = multierror.Append(retErr, ErrInternalError)
return nil, auth, retErr
Expand Down Expand Up @@ -1303,7 +1303,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
return
}
// If the response generated an authentication, then generate the token
if resp != nil && resp.Auth != nil {
if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {
leaseGenerated := false

// by placing this after the authorization check, we don't leak
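Review bot: The exemption at `if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {` repeats as a bare string literal the same path this commit removes from handleRequest in the hunk above; hoisting it into a package-level `const mfaValidatePath = "sys/mfa/validate"` and using it at both sites would keep the special case searchable and stop the two spots from drifting again. Skipping token generation for a response that carries an Auth block is surprising on its own and needs a why-comment, e.g. `// sys/mfa/validate is unauthenticated and so reaches this login path, but no token may be minted for it here (#14063).` With the handleRequest exemption gone, an Auth-bearing sys/mfa/validate response that for any reason takes the handleRequest path would now be logged as "unexpected Auth response" and rejected with ErrInternalError, so the change presumably relies on that path always being routed as unauthenticated — a test pinning that routing would make the assumption explicit. What happens to the still non-nil `resp.Auth` once this branch is skipped lies outside the hunk, as handleLoginRequest starts before and continues past it.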
