Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

named Login MFA methods #18610

Merged
merged 19 commits into from
Jan 23, 2023
Merged

named Login MFA methods #18610

merged 19 commits into from
Jan 23, 2023

Conversation

hghaf099
Copy link
Contributor

@hghaf099 hghaf099 commented Jan 5, 2023
edited
Loading

Addresses https://hashicorp.atlassian.net/browse/VAULT-12529

Here is an outline of changes:

  • A new parameter method_name is added to all supported login MFA methods.
  • Method name can contain a namespace path. There is logic to remove the namespace path from the name so as to store the name in the MFA config. Note that the namespace ID is already stored in the MFA config.
    ** In creating an MFA method, the extracted namespace path is checked against the current namespace to make sure they match. An error is returned if there is a mismatch. In addition, if a method name is specified, we look through the cached MFA methods in the same namespace to make sure there is not any MFA config with the same name. An MFA method name should be unique across a single namespace.
  • For both single phase and two phase login MFA procedures, it is allowed to use the MFA method name instead of an MFA method ID in the login/validation requests. MFA credentials are sanitized in which at least one MFA ID in the matched MFA enforcement config is replaced with its corresponding MFA method name in the MFA credentials.
  • An MFA method ID is still the only identifier to configure MFA enforcement, or read, list, update, and remove an MFA method configuration.
  • A couple of functions introduced to enable fetching an MFA config using method name and namespaceID.

hghaf099
hghaf099 commented Jan 5, 2023
View reviewed changes
sdk/framework/path.go Outdated Show resolved Hide resolved
@hghaf099 hghaf099 added this to the 1.13.0-rc1 milestone Jan 6, 2023
ccapurso
ccapurso reviewed Jan 9, 2023
View reviewed changes
vault/login_mfa.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
vault/login_mfa.go Show resolved Hide resolved
@hghaf099 hghaf099 marked this pull request as ready for review January 10, 2023 16:26
ccapurso
ccapurso reviewed Jan 11, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
@ccapurso
Copy link
Contributor

This looks good to me! I'm hesitant to approve given my lack of familiarity with our MFA implementation but I'll keep an eye out for other discussions.

hghaf099 and others added 5 commits January 12, 2023 10:03
@hghaf099
consistent use of passcode for all MFA methods (#18611)
f47111f 
* make use of passcode factor consistent for all MFA types

* improved type for MFA factors

* add method name to login CLI

* minor refactoring
@hghaf099
only accept MFA method name with its namespace path in the login requ…
b510b04 
…est MFA header
@hghaf099
fix a bug
fa3fb2d
@hghaf099
fixing an ErrorOrNil return value
5b8175b
@hghaf099
more informative error message
210d699
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
changelog/18610.txt Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 17, 2023
View reviewed changes
command/login_test.go Outdated Show resolved Hide resolved
mpalmi
mpalmi reviewed Jan 18, 2023
View reviewed changes
vault/login_mfa.go Outdated Show resolved Hide resolved
ncabatoff
ncabatoff reviewed Jan 20, 2023
View reviewed changes
vault/login_mfa.go Outdated
}
}

// don't return an error unless all entries were invalid
if mfaFactor.passcode != "" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your current approach is forgiving: so long as we can find something in creds that looks right, you'll use it. That's an acceptable approach, and maybe the right one. The downside of being less strict is that it may result in confusing user behaviour, e.g. garbage was provided and ignored in the past, now I'm putting that garbage in a different position in the creds list and it's failing.

Not asking you to change this unless you agree that a stricter approach might be better. One reason we might not want to: maybe this isn't the right place. After all, why do we even have a slice of creds here? Simply because original the creds came from a header (and still can, in single-phase), and in HTTP headers can be provided multiple times. There's no legitimate use case that I know of for having more than one creds value for a given mfa method.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think being more strict ends up with better UX, at least users are not confused about it as you described. I will return an error immediately in the second case.
About the creds though, my motivation of using the slice was that if in the future we would want to add other factors, then those would all be in the same creds slice. So, it made sense to loop through creds.
Having said the above, we could still expect to have one passcode in the creds, and we can be strict about it.

helper/testhelpers/testhelpers.go Outdated Show resolved Hide resolved
helper/testhelpers/testhelpers.go Outdated Show resolved Hide resolved
vault/external_tests/mfa/login_mfa_test.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
@hghaf099 hghaf099 requested a review from ncabatoff January 21, 2023 02:19
ncabatoff
ncabatoff approved these changes Jan 23, 2023
View reviewed changes
Copy link
Collaborator

@ncabatoff ncabatoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see the name sanitization removed from mfa method update handler, otherwise looks good!

@hghaf099 hghaf099 merged commit e18fd32 into main Jan 23, 2023
@hghaf099 hghaf099 deleted the login-mfa-named-methods branch January 23, 2023 20:51
@patcable patcable mentioned this pull request Mar 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccapurso ccapurso ccapurso left review comments

@ncabatoff ncabatoff ncabatoff approved these changes

@raskchanky raskchanky Awaiting requested review from raskchanky

@divyaac divyaac Awaiting requested review from divyaac

@zofskeez zofskeez Awaiting requested review from zofskeez

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core Awaiting requested review from hc-github-team-secure-vault-core

@mpalmi mpalmi Awaiting requested review from mpalmi

@akshya96 akshya96 Awaiting requested review from akshya96

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.13.0-rc1
Development

Successfully merging this pull request may close these issues.
5 participants
@hghaf099 @ccapurso @ncabatoff @mpalmi @akshya96