From a0a3dc0a4edf3f89a5efa95ec24474e1ca36e686 Mon Sep 17 00:00:00 2001 From: hghaf099 <83242695+hghaf099@users.noreply.github.com> Date: Wed, 16 Feb 2022 13:38:57 -0500 Subject: [PATCH] Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path --- vault/login_mfa.go | 12 ++++++++++++ vault/request_handling.go | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/vault/login_mfa.go b/vault/login_mfa.go index 0cd513f0eb89..e8f05240ef16 100644 --- a/vault/login_mfa.go +++ b/vault/login_mfa.go @@ -2272,6 +2272,18 @@ func (b *LoginMFABackend) deleteMFAConfigByMethodID(ctx context.Context, configI b.mfaLock.Lock() defer b.mfaLock.Unlock() + eConfigIter, err := b.MemDBMFALoginEnforcementConfigIterator() + if err != nil { + return err + } + + for eConfigRaw := eConfigIter.Next(); eConfigRaw != nil; eConfigRaw = eConfigIter.Next() { + eConfig := eConfigRaw.(*mfa.MFAEnforcementConfig) + if strutil.StrListContains(eConfig.MFAMethodIDs, configID) { + return fmt.Errorf("methodID is still used by an enforcement configuration with ID: %s", eConfig.ID) + } + } + // Delete the config from storage entryIndex := prefix + configID err = b.Core.systemBarrierView.Delete(ctx, entryIndex) diff --git a/vault/request_handling.go b/vault/request_handling.go index 41c46d799e1b..f3c4c3992de5 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go 
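Review bot: The new in-use check in deleteMFAConfigByMethodID returns a bare `fmt.Errorf`, so unless the path handler that calls it maps the error, a client deleting a still-referenced method gets an internal-error (5xx) response for what is really a client-side conflict (4xx); surfacing it as a coded or user-facing error — e.g. `return logical.CodedError(http.StatusBadRequest, fmt.Sprintf("methodID is still used by an enforcement configuration with ID: %s", eConfig.ID))`, if that is what this backend's handlers use — would make the refusal explicit. The check is only race-free against a concurrent enforcement-config write if that write path also takes `b.mfaLock` before validating its method IDs and inserting into MemDB; the hunk shows the lock held here but not there, so this is worth confirming, since otherwise a deletion can slip in between and leave an enforcement config pointing at a method that no longer exists. The unchecked assertion `eConfigRaw.(*mfa.MFAEnforcementConfig)` will panic rather than fail cleanly if the iterator ever yields another type; `eConfig, ok := eConfigRaw.(*mfa.MFAEnforcementConfig)` with an `if !ok { return ... }` is cheap insurance on a path that runs under the lock. The function's signature is cut by the hunk header and its body continues past the hunk.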
@@ -1075,7 +1075,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 // Only the token store is allowed to return an auth block, for any
 // other request this is an internal error.
 if resp != nil && resp.Auth != nil {
- if !strings.HasPrefix(req.Path, "auth/token/") && req.Path != "sys/mfa/validate" {
+ if !strings.HasPrefix(req.Path, "auth/token/") {
 c.logger.Error("unexpected Auth response for non-token backend", "request_path", req.Path)
 retErr = multierror.Append(retErr, ErrInternalError)
 return nil, auth, retErr
@@ -1303,7 +1303,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 return
 }
 // If the response generated an authentication, then generate the token
- if resp != nil && resp.Auth != nil {
+ if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {
 leaseGenerated := false
 // by placing this after the authorization check, we don't leak
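Review bot: With the `sys/mfa/validate` exemption removed in handleRequest, any Auth block returned from a non-`auth/token/` path is now a hard `ErrInternalError`, which is the right fail-closed default, but the reason it is safe to drop — that `sys/mfa/validate` is an unauthenticated path dispatched through handleLoginRequest — lives only in the commit message; a comment above the `if`, such as `// sys/mfa/validate is an unauthenticated path and is handled by handleLoginRequest, so it never reaches this check`, would keep the next reader from re-adding the exemption. The same path literal is now compared in handleLoginRequest (second hunk), so a shared constant like `const mfaValidatePath = "sys/mfa/validate"` would prevent the two checks from drifting apart. handleRequest's body starts and ends outside the hunk.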