feat: SSO MFA - Moderated Sessions (#48646)

* Add sso client redirect url to maintain session rpc. * Handle sso client redirect URL in maintain session presence RPC. * Add client implementation of SSO MFA for moderated sessions. * Cleanup.
gravitational · Nov 12, 2024 · 169128d · 169128d
1 parent 4750262
commit 169128d
Show file tree

Hide file tree

Showing 10 changed files with 1,058 additions and 1,002 deletions.
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
@@ -56,16 +56,8 @@ type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.Create
 // req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in
 // the moderated session mfa ceremony which uses a custom stream rpc to create challenges.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	switch {
-	case c.CreateAuthenticateChallenge == nil:
+	if c.CreateAuthenticateChallenge == nil {
 		return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
-	case req == nil:
-		// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
-		// its own req or uses a different rpc, e.g. moderated sessions.
-	case req.ChallengeExtensions == nil:
-		return nil, trace.BadParameter("missing challenge extensions")
-	case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
-		return nil, trace.BadParameter("mfa challenge scope must be specified")
 	}
 
 	// If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
@@ -78,6 +70,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 		} else {
 			defer ssoMFACeremony.Close()
+
+			// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+			// its own req or uses a different e.g. login. We should still provide the sso client
+			// redirect URL in case the custom CreateAuthenticateChallenge handles it.
+			if req == nil {
+				req = new(proto.CreateAuthenticateChallengeRequest)
+			}
+
 			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
 			promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 		}

diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -2169,6 +2169,9 @@ message UpdateSessionTrackerRequest {
 message PresenceMFAChallengeRequest {
   // SessionID is unique identifier of the session you want to request presence for.
   string SessionID = 1 [(gogoproto.jsontag) = "session_id,omitempty"];
+  // SSOClientRedirectURL should be supplied If the client supports SSO MFA checks.
+  // If unset, the server will only return non-SSO challenges.
+  string SSOClientRedirectURL = 2 [(gogoproto.jsontag) = "sso_client_redirect_url,omitempty"];
 }
 
 // PresenceMFAChallengeSend is a presence challenge request or response.

diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
@@ -2167,11 +2167,8 @@ func (g *GRPCServer) DeleteRole(ctx context.Context, req *authpb.DeleteRoleReque
 func doMFAPresenceChallenge(ctx context.Context, actx *grpcContext, stream authpb.AuthService_MaintainSessionPresenceServer, challengeReq *authpb.PresenceMFAChallengeRequest) error {
 	user := actx.User.GetName()
 
-	// TODO(Joerger): Extend SSO MFA support for moderated sessions.
-	var ssoClientRedirectURL string
-
 	chalExt := &mfav1pb.ChallengeExtensions{Scope: mfav1pb.ChallengeScope_CHALLENGE_SCOPE_USER_SESSION}
-	authChallenge, err := actx.authServer.mfaAuthChallenge(ctx, user, ssoClientRedirectURL, chalExt)
+	authChallenge, err := actx.authServer.mfaAuthChallenge(ctx, user, challengeReq.SSOClientRedirectURL, chalExt)
 	if err != nil {
 		return trace.Wrap(err)
 	}

diff --git a/lib/client/api.go b/lib/client/api.go
@@ -2239,7 +2239,7 @@ func (tc *TeleportClient) Join(ctx context.Context, mode types.SessionParticipan
 	if mode == types.SessionModeratorMode {
 		beforeStart = func(out io.Writer) {
 			nc.OnMFA = func() {
-				RunPresenceTask(presenceCtx, out, clt.AuthClient, session.GetSessionID(), tc.NewMFAPrompt(mfa.WithQuiet()))
+				RunPresenceTask(presenceCtx, out, clt.AuthClient, session.GetSessionID(), tc.NewMFACeremony())
 			}
 		}
 	}

diff --git a/lib/client/kubesession.go b/lib/client/kubesession.go
@@ -32,7 +32,6 @@ import (
 
 	"github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/defaults"
-	"github.com/gravitational/teleport/api/mfa"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/client/terminal"
 	"github.com/gravitational/teleport/lib/kube/proxy/streamproto"
@@ -196,7 +195,7 @@ func (s *KubeSession) handleMFA(ctx context.Context, tc *TeleportClient, mode ty
 		}
 
 		go func() {
-			RunPresenceTask(ctx, stdout, auth, s.meta.GetSessionID(), tc.NewMFAPrompt(mfa.WithQuiet()))
+			RunPresenceTask(ctx, stdout, auth, s.meta.GetSessionID(), tc.NewMFACeremony())
 			auth.Close()
 			clt.Close()
 		}()

diff --git a/lib/client/presence.go b/lib/client/presence.go
@@ -56,7 +56,7 @@ func WithPresenceClock(clock clockwork.Clock) PresenceOption {
 
 // RunPresenceTask periodically performs and MFA ceremony to detect that a user is
 // still present and attentive.
-func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMaintainer, sessionID string, mfaPrompt mfa.Prompt, opts ...PresenceOption) error {
+func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMaintainer, sessionID string, baseCeremony *mfa.Ceremony, opts ...PresenceOption) error {
 	fmt.Fprintf(term, "\r\nTeleport > MFA presence enabled\r\n")
 
 	o := &presenceOptions{
@@ -76,12 +76,16 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 		return trace.Wrap(err)
 	}
 
-	mfaCeremony := &mfa.Ceremony{
-		PromptConstructor: func(po ...mfa.PromptOpt) mfa.Prompt {
+	presenceCeremony := &mfa.Ceremony{
+		SSOMFACeremonyConstructor: baseCeremony.SSOMFACeremonyConstructor,
+		PromptConstructor: func(opts ...mfa.PromptOpt) mfa.Prompt {
 			return mfa.PromptFunc(func(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) {
+				// Replace normal output with terminal messages specific to moderated sessions.
+				opts = append(opts, mfa.WithQuiet())
+
 				fmt.Fprint(term, "\r\nTeleport > Please tap your MFA key\r\n")
 
-				mfaResp, err := mfaPrompt.Run(ctx, chal)
+				mfaResp, err := baseCeremony.PromptConstructor(opts...).Run(ctx, chal)
 				if err != nil {
 					fmt.Fprintf(term, "\r\nTeleport > Failed to confirm presence: %v\r\n", err)
 					return nil, trace.Wrap(err)
@@ -91,10 +95,13 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 				return mfaResp, nil
 			})
 		},
-		CreateAuthenticateChallenge: func(ctx context.Context, _ *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
+		CreateAuthenticateChallenge: func(ctx context.Context, chalReq *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
 			req := &proto.PresenceMFAChallengeSend{
 				Request: &proto.PresenceMFAChallengeSend_ChallengeRequest{
-					ChallengeRequest: &proto.PresenceMFAChallengeRequest{SessionID: sessionID},
+					ChallengeRequest: &proto.PresenceMFAChallengeRequest{
+						SessionID:            sessionID,
+						SSOClientRedirectURL: chalReq.SSOClientRedirectURL,
+					},
 				},
 			}
 
@@ -118,7 +125,7 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 	for {
 		select {
 		case <-ticker.Chan():
-			mfaResp, err := mfaCeremony.Run(ctx, nil /* req is not needed for MaintainSessionPresence */)
+			mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{})
 			if err != nil {
 				return trace.Wrap(err)
 			}

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -218,7 +218,7 @@ type ProxySettingsGetter interface {
 
 // PresenceChecker is a function that executes an mfa prompt to enforce
 // that a user is present.
-type PresenceChecker = func(ctx context.Context, term io.Writer, maintainer client.PresenceMaintainer, sessionID string, mfaPrompt mfa.Prompt, opts ...client.PresenceOption) error
+type PresenceChecker = func(ctx context.Context, term io.Writer, maintainer client.PresenceMaintainer, sessionID string, mfaCeremony *mfa.Ceremony, opts ...client.PresenceOption) error
 
 // Config represents web handler configuration parameters
 type Config struct {

diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
@@ -10004,8 +10004,8 @@ func TestModeratedSessionWithMFA(t *testing.T) {
 				RPID: RPID,
 			},
 		},
-		presenceChecker: func(ctx context.Context, term io.Writer, maintainer client.PresenceMaintainer, sessionID string, mfaPrompt mfa.Prompt, opts ...client.PresenceOption) error {
-			return trace.Wrap(client.RunPresenceTask(ctx, term, maintainer, sessionID, mfaPrompt, client.WithPresenceClock(presenceClock)))
+		presenceChecker: func(ctx context.Context, term io.Writer, maintainer client.PresenceMaintainer, sessionID string, mfaCeremony *mfa.Ceremony, opts ...client.PresenceOption) error {
+			return trace.Wrap(client.RunPresenceTask(ctx, term, maintainer, sessionID, mfaCeremony, client.WithPresenceClock(presenceClock)))
 		},
 	})
 

diff --git a/lib/web/terminal.go b/lib/web/terminal.go
@@ -613,12 +613,11 @@ func (t *sshBaseHandler) issueSessionMFACerts(ctx context.Context, tc *client.Te
 }
 
 func newMFACeremony(stream *terminal.WSStream, createAuthenticateChallenge mfa.CreateAuthenticateChallengeFunc) *mfa.Ceremony {
+	// channelID is used by the front end to differentiate between separate ongoing SSO challenges.
 	var channelID string
+
 	return &mfa.Ceremony{
 		CreateAuthenticateChallenge: createAuthenticateChallenge,
-		PromptConstructor: func(...mfa.PromptOpt) mfa.Prompt {
-			return newMFAPrompt(stream, channelID)
-		},
 		SSOMFACeremonyConstructor: func(ctx context.Context) (mfa.SSOMFACeremony, error) {
 			id, err := uuid.NewRandom()
 			if err != nil {
@@ -635,36 +634,33 @@ func newMFACeremony(stream *terminal.WSStream, createAuthenticateChallenge mfa.C
 				ClientCallbackURL: u.String(),
 			}, nil
 		},
-	}
-}
-
-// create a new MFA prompt. When provided, ssoChannelID is used by the front end to differentiate
-// between separate ongoing SSO challenges.
-func newMFAPrompt(stream *terminal.WSStream, ssoChannelID string) mfa.Prompt {
-	return mfa.PromptFunc(func(ctx context.Context, chal *authproto.MFAAuthenticateChallenge) (*authproto.MFAAuthenticateResponse, error) {
-		// Convert from proto to JSON types.
-		var challenge client.MFAAuthenticateChallenge
-		if chal.WebauthnChallenge != nil {
-			challenge.WebauthnChallenge = wantypes.CredentialAssertionFromProto(chal.WebauthnChallenge)
-		}
+		PromptConstructor: func(...mfa.PromptOpt) mfa.Prompt {
+			return mfa.PromptFunc(func(ctx context.Context, chal *authproto.MFAAuthenticateChallenge) (*authproto.MFAAuthenticateResponse, error) {
+				// Convert from proto to JSON types.
+				var challenge client.MFAAuthenticateChallenge
+				if chal.WebauthnChallenge != nil {
+					challenge.WebauthnChallenge = wantypes.CredentialAssertionFromProto(chal.WebauthnChallenge)
+				}
 
-		if chal.SSOChallenge != nil {
-			challenge.SSOChallenge = client.SSOChallengeFromProto(chal.SSOChallenge)
-			challenge.SSOChallenge.ChannelID = ssoChannelID
-		}
+				if chal.SSOChallenge != nil {
+					challenge.SSOChallenge = client.SSOChallengeFromProto(chal.SSOChallenge)
+					challenge.SSOChallenge.ChannelID = channelID
+				}
 
-		if chal.WebauthnChallenge == nil && chal.SSOChallenge == nil {
-			return nil, trace.AccessDenied("only WebAuthn and SSO MFA methods are supported on the web terminal, please register a supported mfa method to connect to this server")
-		}
+				if chal.WebauthnChallenge == nil && chal.SSOChallenge == nil {
+					return nil, trace.AccessDenied("only WebAuthn and SSO MFA methods are supported on the web terminal, please register a supported mfa method to connect to this server")
+				}
 
-		var codec protobufMFACodec
-		if err := stream.WriteChallenge(&challenge, codec); err != nil {
-			return nil, trace.Wrap(err)
-		}
+				var codec protobufMFACodec
+				if err := stream.WriteChallenge(&challenge, codec); err != nil {
+					return nil, trace.Wrap(err)
+				}
 
-		resp, err := stream.ReadChallengeResponse(codec)
-		return resp, trace.Wrap(err)
-	})
+				resp, err := stream.ReadChallengeResponse(codec)
+				return resp, trace.Wrap(err)
+			})
+		},
+	}
 }
 
 type connectWithMFAFn = func(ctx context.Context, ws terminal.WSConn, tc *client.TeleportClient, accessChecker services.AccessChecker, getAgent teleagent.Getter, signer agentless.SignerCreator) (*client.NodeClient, error)
@@ -822,7 +818,8 @@ func (t *TerminalHandler) streamTerminal(ctx context.Context, tc *client.Telepor
 	if t.participantMode == types.SessionModeratorMode {
 		beforeStart = func(out io.Writer) {
 			nc.OnMFA = func() {
-				if err := t.presenceChecker(ctx, out, t.userAuthClient, t.sessionData.ID.String(), newMFAPrompt(t.stream.WSStream, "" /*ssoChannelID*/)); err != nil {
+				baseCeremony := newMFACeremony(t.stream.WSStream, nil)
+				if err := t.presenceChecker(ctx, out, t.userAuthClient, t.sessionData.ID.String(), baseCeremony); err != nil {
 					t.log.WithError(err).Warn("Unable to stream terminal - failure performing presence checks")
 					return
 				}