Remove U2F fallback support from client tools (#43133) (#43273)

U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
gravitational · Jun 24, 2024 · b0f6f93 · b0f6f93
1 parent e5e08f2
commit b0f6f93
Show file tree

Hide file tree

Showing 14 changed files with 10 additions and 1,534 deletions.
diff --git a/go.mod b/go.mod
@@ -84,8 +84,6 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.13.1
 	github.com/elimity-com/scim v0.0.0-20240320110924-172bf2aee9c8
 	github.com/evanphx/json-patch v5.9.0+incompatible
-	github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a
-	github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d
 	github.com/fsouza/fake-gcs-server v1.48.0
 	github.com/fxamacker/cbor/v2 v2.6.0
 	github.com/ghodss/yaml v1.0.0

diff --git a/go.sum b/go.sum
@@ -1172,10 +1172,6 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a h1:fsyWnwbywFpHJS4T55vDW+UUeWP2WomJbB45/jf4If4=
-github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a/go.mod h1:Osz+xPHFsGWK9kZCEVcwXazcF/CHjscCVZosNFgwUIY=
-github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d h1:2D6Rp/MRcrKnRFr7kfgBOJnJPFN0jPfc36ggct5MaK0=
-github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d/go.mod h1:shcCQPgKtaJz4obqb6Si031WgtSrW+Tj+ZLq/mRNrM8=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8=

diff --git a/lib/auth/webauthncli/api.go b/lib/auth/webauthncli/api.go
@@ -110,7 +110,7 @@ type LoginOpts struct {
 	AuthenticatorAttachment AuthenticatorAttachment
 }
 
-// Login performs client-side, U2F-compatible, Webauthn login.
+// Login performs client-side, Webauthn login.
 // This method blocks until either device authentication is successful or the
 // context is canceled. Calling Login without a deadline or cancel condition
 // may cause it to block forever.
@@ -180,26 +180,9 @@ func crossPlatformLogin(
 	ctx context.Context,
 	origin string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt, opts *LoginOpts,
 ) (*proto.MFAAuthenticateResponse, string, error) {
-	if isLibfido2Enabled() {
-		log.Debug("FIDO2: Using libfido2 for assertion")
-		return FIDO2Login(ctx, origin, assertion, prompt, opts)
-	}
-
-	ackTouch, err := prompt.PromptTouch()
-	if err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	resp, err := U2FLogin(ctx, origin, assertion)
-	if err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	if err := ackTouch(); err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	return resp, "" /* credentialUser */, err
+	log.Debug("FIDO2: Using libfido2 for assertion")
+	resp, user, err := FIDO2Login(ctx, origin, assertion, prompt, opts)
+	return resp, user, trace.Wrap(err)
 }
 
 func platformLogin(origin, user string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt) (*proto.MFAAuthenticateResponse, string, error) {
@@ -229,7 +212,7 @@ type RegisterPrompt interface {
 	PromptTouch() (TouchAcknowledger, error)
 }
 
-// Register performs client-side, U2F-compatible, Webauthn registration.
+// Register performs client-side, Webauthn registration.
 // This method blocks until either device authentication is successful or the
 // context is canceled. Calling Register without a deadline or cancel condition
 // may cause it block forever.
@@ -244,28 +227,15 @@ func Register(
 		return wanwin.Register(ctx, origin, cc)
 	}
 
-	if isLibfido2Enabled() {
-		log.Debug("FIDO2: Using libfido2 for credential creation")
-		return FIDO2Register(ctx, origin, cc, prompt)
-	}
-
-	ackTouch, err := prompt.PromptTouch()
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	resp, err := U2FRegister(ctx, origin, cc)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return resp, trace.Wrap(ackTouch())
+	log.Debug("FIDO2: Using libfido2 for credential creation")
+	resp, err := FIDO2Register(ctx, origin, cc, prompt)
+	return resp, trace.Wrap(err)
 }
 
 // HasPlatformSupport returns true if the platform supports client-side
 // WebAuthn-compatible logins.
 func HasPlatformSupport() bool {
-	return IsFIDO2Available() || touchid.IsAvailable() || isU2FAvailable()
+	return IsFIDO2Available() || touchid.IsAvailable()
 }
 
 // IsFIDO2Available returns true if FIDO2 is implemented either via native

diff --git a/lib/auth/webauthncli/export_test.go b/lib/auth/webauthncli/export_test.go
diff --git a/lib/auth/webauthncli/fido2.go b/lib/auth/webauthncli/fido2.go
@@ -28,7 +28,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"sync"
 	"time"
 
@@ -138,9 +137,7 @@ var (
 
 // isLibfido2Enabled returns true if libfido2 is available in the current build.
 func isLibfido2Enabled() bool {
-	val, ok := os.LookupEnv("TELEPORT_FIDO2")
-	// Default to enabled, otherwise obey the env variable.
-	return !ok || val == "1"
+	return true
 }
 
 // fido2Login implements FIDO2Login.

diff --git a/lib/auth/webauthncli/fido2_test.go b/lib/auth/webauthncli/fido2_test.go
@@ -27,7 +27,6 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"os"
 	"sync"
 	"testing"
 	"time"
@@ -150,44 +149,6 @@ func (p *pinCancelPrompt) PromptTouch() (wancli.TouchAcknowledger, error) {
 	return func() error { return nil }, nil
 }
 
-func TestIsFIDO2Available(t *testing.T) {
-	const fido2Key = "TELEPORT_FIDO2"
-	tests := []struct {
-		name   string
-		setenv func()
-		want   bool
-	}{
-		{
-			name: "env var unset",
-			setenv: func() {
-				_ = os.Unsetenv(fido2Key)
-			},
-			want: true,
-		},
-		{
-			name: "env var set to 1",
-			setenv: func() {
-				t.Setenv(fido2Key, "1")
-			},
-			want: true,
-		},
-		{
-			name: "env var set to 0",
-			setenv: func() {
-				t.Setenv(fido2Key, "0")
-			},
-			want: false,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			test.setenv()
-			got := wancli.IsFIDO2Available()
-			require.Equal(t, test.want, got, "IsFIDO2Available")
-		})
-	}
-}
-
 func TestFIDO2Login(t *testing.T) {
 	resetFIDO2AfterTests(t)
 	wancli.FIDO2PollInterval = 1 * time.Millisecond // run fast on tests

diff --git a/lib/auth/webauthncli/fuzz_test.go b/lib/auth/webauthncli/fuzz_test.go