Simplify Hardware Key support test plan.

gravitational · Mar 5, 2024 · 56a7d77 · 56a7d77
1 parent 65b91e7
commit 56a7d77
Showing 1 changed file with 10 additions and 31 deletions.
diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md
@@ -733,38 +733,17 @@ This feature has additional build requirements, so it should be tested with a pr
 
 #### Server Access
 
-These tests should be carried out sequentially. `tsh` tests should be carried out on Linux, MacOS, and Windows.
-
-1. [ ] `tsh login` as user with [Webauthn](https://goteleport.com/docs/access-controls/guides/webauthn/) login and no hardware key requirement.
-2. [ ] Request a role with `role.role_options.require_session_mfa: hardware_key` - `tsh login --request-roles=hardware_key_required`
-  - [ ] Assuming the role should force automatic re-login with yubikey
-  - [ ] `tsh ssh`
-    - [ ] Requires yubikey to be connected for re-login
-    - [ ] Prompts for per-session MFA
-3. [ ] Request a role with `role.role_options.require_session_mfa: hardware_key_touch` - `tsh login --request-roles=hardware_key_touch_required`
-  - [ ] Assuming the role should force automatic re-login with yubikey
-    - [ ] Prompts for touch if not cached (last touch within 15 seconds)
-  - [ ] `tsh ssh`
-    - [ ] Requires yubikey to be connected for re-login
-    - [ ] Prompts for touch if not cached
-4. [ ] `tsh logout` and `tsh login` as the user with no hardware key requirement.
-5. [ ] Upgrade auth settings to `auth_service.authentication.require_session_mfa: hardware_key`
-  - [ ] Using the existing login session (`tsh ls`) should force automatic re-login with yubikey
-  - [ ] `tsh ssh`
-    - [ ] Requires yubikey to be connected for re-login
-    - [ ] Prompts for per-session MFA
-6. [ ] Upgrade auth settings to `auth_service.authentication.require_session_mfa: hardware_key_touch`
-  - [ ] Using the existing login session (`tsh ls`) should force automatic re-login with yubikey
-    - [ ] Prompts for touch if not cached
-  - [ ] `tsh ssh`
-    - [ ] Requires yubikey to be connected for re-login
-    - [ ] Prompts for touch if not cached
-
-#### Other
-
-Set `auth_service.authentication.require_session_mfa: hardware_key_touch` in your cluster auth settings.
-
+This test should be carried out on Linux, MacOS, and Windows.
+
+Set `auth_service.authentication.require_session_mfa: hardware_key_touch` in your cluster auth settings and login.
+- [ ] `tsh login`
+  - [ ] Prompts for Yubikey touch with message "Tap your YubiKey" (separate from normal MFA prompt).
+- [ ] Server Access `tsh ssh`
+  - [ ] Requires yubikey to be connected
+  - [ ] Prompts for touch (if not cached)
 - [ ] Database Access: `tsh proxy db --tunnel`
+  - [ ] Requires yubikey to be connected
+  - [ ] Prompts for touch (if not cached)
 
 ### HSM Support