From 6f2fdf7c238f5ddfbfcc5c1ece750a58d2fbff4c Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 18 Oct 2024 18:32:12 -0300
Subject: [PATCH] [v14] feat: Disable auto-enroll via environment variable (#47718)
* feat: Disable auto-enroll via environment variable
* Fix TestAutoEnroll_disabledByEnv flakiness (#47723)
* Fix TestAutoEnroll_disabledByEnv flakiness
* Use t.Setenv
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---
lib/devicetrust/enroll/auto_enroll.go | 14 ++++++++++++++
lib/devicetrust/enroll/auto_enroll_test.go | 7 +++++++
2 files changed, 21 insertions(+)
diff --git a/lib/devicetrust/enroll/auto_enroll.go b/lib/devicetrust/enroll/auto_enroll.go
index d6b9588198d51..75ead77630d58 100644
--- a/lib/devicetrust/enroll/auto_enroll.go
+++ b/lib/devicetrust/enroll/auto_enroll.go
@@ -16,12 +16,21 @@ package enroll
 import (
 "context"
+ "errors"
+ "os"
+ "strconv"
 "github.com/gravitational/trace"
 devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 )
+// ErrAutoEnrollDisabled signifies that auto-enroll is disabled in the current
+// device.
+// Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment disables
+// auto-enroll.
+var ErrAutoEnrollDisabled = errors.New("auto-enroll disabled")
+
 // AutoEnrollCeremony is the auto-enrollment version of [Ceremony].
 type AutoEnrollCeremony struct {
 *Ceremony
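Review bot: The doc comment on ErrAutoEnrollDisabled describes the switch as being about the "current device" and calls the setting an "environment", but the check added in Run reads a process environment variable and accepts any value strconv.ParseBool treats as true, not only "1". A reader of the sentinel's godoc should be told the real scope and the accepted values, since this is the only place the knob is documented. Suggested wording: `// ErrAutoEnrollDisabled signifies that auto-enroll is disabled in the current process environment.` followed by `// Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED environment variable to a true value (as parsed by strconv.ParseBool, e.g. "1") disables auto-enroll.` Mentioning the environment-variable name in the same sentence as the parsing rule also makes it greppable from the error users will actually see.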
@@ -45,6 +54,11 @@ func AutoEnroll(ctx context.Context, devicesClient devicepb.DeviceTrustServiceCl
 // [devicepb.DeviceTrustServiceClient.CreateDeviceEnrollToken] and enrolls the
 // device using a regular [Ceremony].
 func (c *AutoEnrollCeremony) Run(ctx context.Context, devicesClient devicepb.DeviceTrustServiceClient) (*devicepb.Device, error) {
+ const autoEnrollDisabledKey = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"
+ if disabled, _ := strconv.ParseBool(os.Getenv(autoEnrollDisabledKey)); disabled {
+ return nil, trace.Wrap(ErrAutoEnrollDisabled)
+ }
+
 // Creating the init message straight away aborts the process cleanly if the
 // device cannot create the device key (for example, if it lacks a TPM).
 // This avoids a situation where we ask for escalation, like a sudo prompt or
diff --git a/lib/devicetrust/enroll/auto_enroll_test.go b/lib/devicetrust/enroll/auto_enroll_test.go
index 71a958274bdb6..e8a788dc31da8 100644
--- a/lib/devicetrust/enroll/auto_enroll_test.go
+++ b/lib/devicetrust/enroll/auto_enroll_test.go
@@ -63,3 +63,10 @@ func TestAutoEnrollCeremony_Run(t *testing.T) {
 })
 }
 }
+
+func TestAutoEnroll_disabledByEnv(t *testing.T) {
+ t.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
+
+ _, err := enroll.AutoEnroll(context.Background(), nil /* devicesClient */)
+ assert.ErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() error mismatch")
+}
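Review bot: The new guard at the top of Run discards the strconv.ParseBool error, so a value the parser does not recognise (for example `yes`, `on`, or a typo) is silently treated as "not disabled" and enrollment proceeds — the kill switch fails open in exactly the situation where an operator believed it was on. Since an unset variable yields the empty string, the cheap fix is to only parse when the variable is non-empty and to reject anything that does not parse, which keeps the default path unchanged and turns a misconfiguration into a visible error rather than an unintended enrollment. The body of Run continues past this hunk, so only the guard is shown below; whether an invalid value should abort or merely be reported is a product call, but it should not be indistinguishable from the variable being absent.
```go
func (c *AutoEnrollCeremony) Run(ctx context.Context, devicesClient devicepb.DeviceTrustServiceClient) (*devicepb.Device, error) {
	const autoEnrollDisabledKey = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"
	// Only parse when set: an absent variable keeps the default (enabled) path,
	// while a set-but-unparseable value is a misconfiguration, not "enabled".
	if v := os.Getenv(autoEnrollDisabledKey); v != "" {
		disabled, err := strconv.ParseBool(v)
		if err != nil {
			return nil, trace.BadParameter("invalid %s value %q: %v", autoEnrollDisabledKey, v, err)
		}
		if disabled {
			return nil, trace.Wrap(ErrAutoEnrollDisabled)
		}
	}
	// … unchanged: init message creation and the rest of Run …
```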
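Review bot: TestAutoEnroll_disabledByEnv only pins the positive case (`"1"`), so an inverted or mis-parsed condition that also returned ErrAutoEnrollDisabled for `"0"`, `"false"` or an unset variable would still pass; the test relies on the env check being the very first statement in Run but does not say so. A second case that sets the variable to `"0"` and asserts `assert.NotErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() must not report disabled for a false value")` would pin the direction of the check — though with a nil devicesClient the non-disabled path presumably fails or panics further down, so it may need a minimal stub client; worth confirming against the rest of AutoEnroll, which is outside this hunk. A one-line comment on the test, such as `// Relies on the env check running before any client or device-key access in Run.`, would also make the nil client argument less surprising.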