Skip to content

Commit

Permalink
Remove U2F fallback support from client tools (#43133) (#43274)
Browse files Browse the repository at this point in the history
U2F support was deprecated in favor of WebAuthn many releases ago, however,
not all references were removed when working on
#10375. This eliminates
the last remaining inclusions of github.com/flynn/u2f and
github.com/flynn/hid from lib/client and drops all support of
falling back to U2F if client tools are not built with FIDO2
enabled.

In practice, this should only cause problems for people building
tsh/tctl locally without setting the correct build flags. All
release artifacts published should already be built with the
appropriate flags and not cause any issues as a result.

Updates #43112.
  • Loading branch information
rosstimothy authored Jun 24, 2024
1 parent bff7555 commit 6591ce8
Show file tree
Hide file tree
Showing 14 changed files with 10 additions and 1,534 deletions.
2 changes: 0 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,6 @@ require (
github.com/elastic/go-elasticsearch/v8 v8.11.1
github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
github.com/evanphx/json-patch v5.7.0+incompatible
github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a
github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d
github.com/fsouza/fake-gcs-server v1.47.7
github.com/fxamacker/cbor/v2 v2.5.0
github.com/ghodss/yaml v1.0.0
Expand Down
4 changes: 0 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -553,10 +553,6 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a h1:fsyWnwbywFpHJS4T55vDW+UUeWP2WomJbB45/jf4If4=
github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a/go.mod h1:Osz+xPHFsGWK9kZCEVcwXazcF/CHjscCVZosNFgwUIY=
github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d h1:2D6Rp/MRcrKnRFr7kfgBOJnJPFN0jPfc36ggct5MaK0=
github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d/go.mod h1:shcCQPgKtaJz4obqb6Si031WgtSrW+Tj+ZLq/mRNrM8=
github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8=
github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
Expand Down
48 changes: 9 additions & 39 deletions lib/auth/webauthncli/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ type LoginOpts struct {
AuthenticatorAttachment AuthenticatorAttachment
}

// Login performs client-side, U2F-compatible, Webauthn login.
// Login performs client-side, Webauthn login.
// This method blocks until either device authentication is successful or the
// context is canceled. Calling Login without a deadline or cancel condition
// may cause it to block forever.
Expand Down Expand Up @@ -180,26 +180,9 @@ func crossPlatformLogin(
ctx context.Context,
origin string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt, opts *LoginOpts,
) (*proto.MFAAuthenticateResponse, string, error) {
if isLibfido2Enabled() {
log.Debug("FIDO2: Using libfido2 for assertion")
return FIDO2Login(ctx, origin, assertion, prompt, opts)
}

ackTouch, err := prompt.PromptTouch()
if err != nil {
return nil, "", trace.Wrap(err)
}

resp, err := U2FLogin(ctx, origin, assertion)
if err != nil {
return nil, "", trace.Wrap(err)
}

if err := ackTouch(); err != nil {
return nil, "", trace.Wrap(err)
}

return resp, "" /* credentialUser */, err
log.Debug("FIDO2: Using libfido2 for assertion")
resp, user, err := FIDO2Login(ctx, origin, assertion, prompt, opts)
return resp, user, trace.Wrap(err)
}

func platformLogin(origin, user string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt) (*proto.MFAAuthenticateResponse, string, error) {
Expand Down Expand Up @@ -229,7 +212,7 @@ type RegisterPrompt interface {
PromptTouch() (TouchAcknowledger, error)
}

// Register performs client-side, U2F-compatible, Webauthn registration.
// Register performs client-side, Webauthn registration.
// This method blocks until either device authentication is successful or the
// context is canceled. Calling Register without a deadline or cancel condition
// may cause it block forever.
Expand All @@ -244,28 +227,15 @@ func Register(
return wanwin.Register(ctx, origin, cc)
}

if isLibfido2Enabled() {
log.Debug("FIDO2: Using libfido2 for credential creation")
return FIDO2Register(ctx, origin, cc, prompt)
}

ackTouch, err := prompt.PromptTouch()
if err != nil {
return nil, trace.Wrap(err)
}

resp, err := U2FRegister(ctx, origin, cc)
if err != nil {
return nil, trace.Wrap(err)
}

return resp, trace.Wrap(ackTouch())
log.Debug("FIDO2: Using libfido2 for credential creation")
resp, err := FIDO2Register(ctx, origin, cc, prompt)
return resp, trace.Wrap(err)
}

// HasPlatformSupport returns true if the platform supports client-side
// WebAuthn-compatible logins.
func HasPlatformSupport() bool {
return IsFIDO2Available() || touchid.IsAvailable() || isU2FAvailable()
return IsFIDO2Available() || touchid.IsAvailable()
}

// IsFIDO2Available returns true if FIDO2 is implemented either via native
Expand Down
23 changes: 0 additions & 23 deletions lib/auth/webauthncli/export_test.go

This file was deleted.

5 changes: 1 addition & 4 deletions lib/auth/webauthncli/fido2.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ import (
"encoding/json"
"errors"
"fmt"
"os"
"sync"
"time"

Expand Down Expand Up @@ -138,9 +137,7 @@ var (

// isLibfido2Enabled returns true if libfido2 is available in the current build.
func isLibfido2Enabled() bool {
val, ok := os.LookupEnv("TELEPORT_FIDO2")
// Default to enabled, otherwise obey the env variable.
return !ok || val == "1"
return true
}

// fido2Login implements FIDO2Login.
Expand Down
39 changes: 0 additions & 39 deletions lib/auth/webauthncli/fido2_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ import (
"crypto/rand"
"errors"
"fmt"
"os"
"sync"
"testing"
"time"
Expand Down Expand Up @@ -150,44 +149,6 @@ func (p *pinCancelPrompt) PromptTouch() (wancli.TouchAcknowledger, error) {
return func() error { return nil }, nil
}

func TestIsFIDO2Available(t *testing.T) {
const fido2Key = "TELEPORT_FIDO2"
tests := []struct {
name string
setenv func()
want bool
}{
{
name: "env var unset",
setenv: func() {
_ = os.Unsetenv(fido2Key)
},
want: true,
},
{
name: "env var set to 1",
setenv: func() {
t.Setenv(fido2Key, "1")
},
want: true,
},
{
name: "env var set to 0",
setenv: func() {
t.Setenv(fido2Key, "0")
},
want: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
test.setenv()
got := wancli.IsFIDO2Available()
require.Equal(t, test.want, got, "IsFIDO2Available")
})
}
}

func TestFIDO2Login(t *testing.T) {
resetFIDO2AfterTests(t)
wancli.FIDO2PollInterval = 1 * time.Millisecond // run fast on tests
Expand Down
66 changes: 0 additions & 66 deletions lib/auth/webauthncli/fuzz_test.go

This file was deleted.

Loading

0 comments on commit 6591ce8

Please sign in to comment.