Cleanup.
Joerger committed Nov 12, 2024
1 parent 7599bef commit 0a67be8
Showing 2 changed files with 10 additions and 14 deletions.
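--- a/api/mfa/ceremony.go
+++ b/api/mfa/ceremony.go
@@ -56,13 +56,8 @@ type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.Create
 // req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in
 // the moderated session mfa ceremony which uses a custom stream rpc to create challenges.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-switch {
-case c.CreateAuthenticateChallenge == nil:
+if c.CreateAuthenticateChallenge == nil {
 return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
-case req.ChallengeExtensions == nil:
-return nil, trace.BadParameter("missing challenge extensions")
-case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
-return nil, trace.BadParameter("mfa challenge scope must be specified")
 }
 
 // If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
@@ -75,6 +70,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 } else {
 defer ssoMFACeremony.Close()
+
+// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+// its own req or uses a different e.g. login. We should still provide the sso client
+// redirect URL in case the custom CreateAuthenticateChallenge handles it.
+if req == nil {
+req = new(proto.CreateAuthenticateChallengeRequest)
+}
+
 req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
 promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 }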
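Review bot: Dropping the ChallengeExtensions and Scope checks in the first hunk moves the responsibility for a correctly scoped challenge onto every caller of Run, but the doc comment above the signature still only says that req may be nil and says nothing about the extensions. A caller that passes a non-nil request without a scope will now reach CreateAuthenticateChallenge unchecked; whether the server side rejects an unspecified scope is not visible here, so the client-side guard was the only defense shown in this file. I would extend the doc comment with `// Callers are responsible for populating req.ChallengeExtensions (including Scope) when their CreateAuthenticateChallenge uses req; Run no longer validates them.` The nil-to-empty promotion in the second hunk only happens on the SSO path, which is fine given the comment, but worth stating in the same doc comment so readers do not assume req is always non-nil after this point. Run's body continues past the end of the hunk.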
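--- a/lib/client/presence.go
+++ b/lib/client/presence.go
@@ -28,7 +28,6 @@ import (
 "github.com/jonboulle/clockwork"
 
 "github.com/gravitational/teleport/api/client/proto"
-mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 "github.com/gravitational/teleport/api/mfa"
 )
 
@@ -126,13 +125,7 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 for {
 select {
 case <-ticker.Chan():
-mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{
-// With the custom CreateAuthenticateChallenge method above, we don't actually
-// need to provide the extensions here, but the ceremony expects it.
-ChallengeExtensions: &mfav1.ChallengeExtensions{
-Scope: mfav1.ChallengeScope_CHALLENGE_SCOPE_USER_SESSION,
-},
-})
+mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{})
 if err != nil {
 return trace.Wrap(err)
 }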
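Review bot: The new call in the second hunk passes an empty CreateAuthenticateChallengeRequest with no explanation, and the removed lines took the only comment that said why the presence ceremony needs nothing in it; a reader will reasonably wonder whether the scope was forgotten. Since Run's own doc states that req may be nil when the ceremony's CreateAuthenticateChallenge sources its own request, passing `nil` would express that intent directly, or keep the empty literal and restore a one-liner above it: `// The presence ceremony's custom CreateAuthenticateChallenge builds its own request, so nothing is set here.` RunPresenceTask begins and ends outside the hunk, so I cannot confirm from this view that the custom CreateAuthenticateChallenge ignores req entirely.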
