Cleanup.

gravitational · Nov 12, 2024 · 1bc77b6 · 1bc77b6
1 parent 768d4f0
commit 1bc77b6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 14 deletions.
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
@@ -56,13 +56,8 @@ type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.Create
 // req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in
 // the moderated session mfa ceremony which uses a custom stream rpc to create challenges.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	switch {
-	case c.CreateAuthenticateChallenge == nil:
+	if c.CreateAuthenticateChallenge == nil {
 		return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
-	case req.ChallengeExtensions == nil:
-		return nil, trace.BadParameter("missing challenge extensions")
-	case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
-		return nil, trace.BadParameter("mfa challenge scope must be specified")
 	}
 
 	// If available, prepare an SSO MFA ceremony and set the client redirect URL in the challenge
@@ -75,6 +70,14 @@ func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallen
 			slog.DebugContext(ctx, "Failed to attempt SSO MFA, continuing with other MFA methods", "error", err)
 		} else {
 			defer ssoMFACeremony.Close()
+
+			// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+			// its own req or uses a different e.g. login. We should still provide the sso client
+			// redirect URL in case the custom CreateAuthenticateChallenge handles it.
+			if req == nil {
+				req = new(proto.CreateAuthenticateChallengeRequest)
+			}
+
 			req.SSOClientRedirectURL = ssoMFACeremony.GetClientCallbackURL()
 			promptOpts = append(promptOpts, withSSOMFACeremony(ssoMFACeremony))
 		}

diff --git a/lib/client/presence.go b/lib/client/presence.go
@@ -28,7 +28,6 @@ import (
 	"github.com/jonboulle/clockwork"
 
 	"github.com/gravitational/teleport/api/client/proto"
-	mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 	"github.com/gravitational/teleport/api/mfa"
 )
 
@@ -126,13 +125,7 @@ func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMai
 	for {
 		select {
 		case <-ticker.Chan():
-			mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{
-				// With the custom CreateAuthenticateChallenge method above, we don't actually
-				// need to provide the extensions here, but the ceremony expects it.
-				ChallengeExtensions: &mfav1.ChallengeExtensions{
-					Scope: mfav1.ChallengeScope_CHALLENGE_SCOPE_USER_SESSION,
-				},
-			})
+			mfaResp, err := presenceCeremony.Run(ctx, &proto.CreateAuthenticateChallengeRequest{})
 			if err != nil {
 				return trace.Wrap(err)
 			}