hashicorp · hghaf099 · Jan 23, 2023 · Jan 4, 2023 · Jan 5, 2023 · Jan 6, 2023
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth: named login MFA methods
+```
@@ -557,6 +557,9 @@ func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
 				for _, constraint := range constraintSet.Any {
 					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_id %s %s", k, constraint.Type, hopeDelim, constraint.ID))
 					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_uses_passcode %s %t", k, constraint.Type, hopeDelim, constraint.UsesPasscode))
+					if constraint.Name != "" {
+						out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_name %s %s", k, constraint.Type, hopeDelim, constraint.Name))
+					}
 				}
 			}
 		} else { // Token information only makes sense if no further MFA requirement (i.e. if we actually have a token)

@@ -1,8 +1,11 @@
 package command
 
 import (
+	"context"
+	"regexp"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/mitchellh/cli"
 
@@ -435,16 +438,60 @@ func TestLoginCommand_Run(t *testing.T) {
 		client, closer := testVaultServer(t)
 		defer closer()
 
+		userClient, entityID, methodID, methodName := testhelpers.SetupLoginMFATOTP(t, client)
+		enginePath := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
+
+		runCommand := func(methodIdentifier string) {
+			// the time required for the totp engine to generate a new code
+			time.Sleep(21 * time.Second)
+			totpCode := testhelpers.GetTOTPCodeFromEngine(t, client, enginePath)
+			ui, cmd := testLoginCommand(t)
+			cmd.client = userClient
+			// login command bails early for test clients, so we have to explicitly set this
+			cmd.client.SetMFACreds([]string{methodIdentifier + ":" + totpCode})
+			code := cmd.Run([]string{
+				"-method", "userpass",
+				"username=testuser1",
+				"password=testpassword",
+			})
+			if exp := 0; code != exp {
+				t.Errorf("expected %d to be %d", code, exp)
+			}
+
+			tokenHelper, err := cmd.TokenHelper()
+			if err != nil {
+				t.Fatal(err)
+			}
+			storedToken, err := tokenHelper.Get()
+			if err != nil {
+				t.Fatal(err)
+			}
+			output = ui.OutputWriter.String() + ui.ErrorWriter.String()
+			t.Logf("\n%+v", output)
+			if !strings.Contains(output, storedToken) {
+				t.Fatalf("expected stored token: %q, got: %q", storedToken, output)
+			}
+		}
+		runCommand(methodID)
+		runCommand(methodName)
+	})
+
+	t.Run("login_mfa_two_phase", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
 		ui, cmd := testLoginCommand(t)
 
-		userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client)
+		userclient, entityID, methodID, _ := testhelpers.SetupLoginMFATOTP(t, client)
 		cmd.client = userclient
 
-		enginePath := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
-		totpCode := testhelpers.GetTOTPCodeFromEngine(t, client, enginePath)
+		_ = testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
+
+		// clear the MFA creds just to be sure
+		cmd.client.SetMFACreds([]string{})
 
-		// login command bails early for test clients, so we have to explicitly set this
-		cmd.client.SetMFACreds([]string{methodID + ":" + totpCode})
 		code := cmd.Run([]string{
 			"-method", "userpass",
 			"username=testuser1",
@@ -454,64 +501,83 @@ func TestLoginCommand_Run(t *testing.T) {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
+		expected := methodID
+		output = ui.OutputWriter.String() + ui.ErrorWriter.String()
+		t.Logf("\n%+v", output)
+		if !strings.Contains(output, expected) {
+			t.Fatalf("expected stored token: %q, got: %q", expected, output)
+		}
+
 		tokenHelper, err := cmd.TokenHelper()
 		if err != nil {
 			t.Fatal(err)
 		}
 		storedToken, err := tokenHelper.Get()
+		if storedToken != "" {
+			t.Fatal("expected empty stored token")
+		}
 		if err != nil {
 			t.Fatal(err)
 		}
-		output = ui.OutputWriter.String() + ui.ErrorWriter.String()
-		t.Logf("\n%+v", output)
-		if !strings.Contains(output, storedToken) {
-			t.Fatalf("expected stored token: %q, got: %q", storedToken, output)
-		}
 	})
 
-	t.Run("login_mfa_two_phase", func(t *testing.T) {
+	t.Run("login_mfa_two_phase_non_interactive_method_name", func(t *testing.T) {
 		t.Parallel()
 
 		client, closer := testVaultServer(t)
 		defer closer()
 
 		ui, cmd := testLoginCommand(t)
 
-		userclient, entityID, methodID := testhelpers.SetupLoginMFATOTP(t, client)
+		userclient, entityID, methodID, methodName := testhelpers.SetupLoginMFATOTP(t, client)
 		cmd.client = userclient
 
-		_ = testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
+		engineName := testhelpers.RegisterEntityInTOTPEngine(t, client, entityID, methodID)
 
 		// clear the MFA creds just to be sure
 		cmd.client.SetMFACreds([]string{})
 
 		code := cmd.Run([]string{
 			"-method", "userpass",
+			"-non-interactive",
 			"username=testuser1",
 			"password=testpassword",
 		})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := methodID
 		output = ui.OutputWriter.String() + ui.ErrorWriter.String()
-		t.Logf("\n%+v", output)
-		if !strings.Contains(output, expected) {
-			t.Fatalf("expected stored token: %q, got: %q", expected, output)
-		}
 
-		tokenHelper, err := cmd.TokenHelper()
+		reqIdReg, err := regexp.Compile(`mfa_request_id\s+(?P<name>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})?\s+mfa_constraint.*`)
 		if err != nil {
-			t.Fatal(err)
-		}
-		storedToken, err := tokenHelper.Get()
-		if storedToken != "" {
-			t.Fatal("expected empty stored token")
+			t.Fatalf("failed to compile regex")
 		}
-		if err != nil {
-			t.Fatal(err)
+
+		reqIDRaw := reqIdReg.FindAllStringSubmatch(output, -1)
+		mfaReqID := reqIDRaw[0][1]
+
+		validateFunc := func(methodIdentifier string) {
+			// the time required for the totp engine to generate a new code
+			time.Sleep(22 * time.Second)
+			totpPasscode1 := "passcode=" + testhelpers.GetTOTPCodeFromEngine(t, client, engineName)
+
+			secret, err := cmd.client.Logical().WriteWithContext(context.Background(), "sys/mfa/validate", map[string]interface{}{
+				"mfa_request_id": mfaReqID,
+				"mfa_payload": map[string][]string{
+					methodIdentifier: {totpPasscode1},
+				},
+			})
+			if err != nil {
+				t.Fatalf("mfa validation failed: %v", err)
+			}
+
+			if secret.Auth == nil || secret.Auth.ClientToken == "" {
+				t.Fatalf("mfa validation did not return a client token")
+			}
 		}
+
+		validateFunc(methodName)
 	})
 
 	t.Run("communication_failure", func(t *testing.T) {

@@ -942,7 +942,7 @@ func GetTOTPCodeFromEngine(t testing.T, client *api.Client, enginePath string) s
 
 // SetupLoginMFATOTP setups up a TOTP MFA using some basic configuration and
 // returns all relevant information to the client.
-func SetupLoginMFATOTP(t testing.T, client *api.Client) (*api.Client, string, string) {
+func SetupLoginMFATOTP(t testing.T, client *api.Client) (*api.Client, string, string, string) {
 	t.Helper()
 	// Mount the totp secrets engine
 	SetupTOTPMount(t, client)
@@ -952,6 +952,7 @@ func SetupLoginMFATOTP(t testing.T, client *api.Client) (*api.Client, string, st
 
 	// Create a test entity and alias
 	entityClient, entityID, _ := CreateEntityAndAlias(t, client, mountAccessor, "entity1", "testuser1")
+	methodName := "foo"
 
 	// Configure a default TOTP method
 	totpConfig := map[string]interface{}{
@@ -963,6 +964,7 @@ func SetupLoginMFATOTP(t testing.T, client *api.Client) (*api.Client, string, st
 		"key_size":                20,
 		"qr_size":                 200,
 		"max_validation_attempts": 5,
+		"method_name":             methodName,
 	}
 	methodID := SetupTOTPMethod(t, client, totpConfig)
 
@@ -974,7 +976,7 @@ func SetupLoginMFATOTP(t testing.T, client *api.Client) (*api.Client, string, st
 	}
 
 	SetupMFALoginEnforcement(t, client, enforcementConfig)
-	return entityClient, entityID, methodID
+	return entityClient, entityID, methodID, methodName
 }
 
 func SkipUnlessEnvVarsSet(t testing.T, envVars []string) {

@@ -79,6 +79,7 @@ message MFAMethodID {
 	string type = 1;
 	string id = 2;
 	bool uses_passcode = 3;
+	string name = 4;
 }
 
 message MFAConstraintAny {