diff --git a/lib/auth/usertoken.go b/lib/auth/usertoken.go
index f60716d05e772..5959f223cb491 100644
--- a/lib/auth/usertoken.go
+++ b/lib/auth/usertoken.go
@@ -384,7 +384,7 @@ func (a *Server) CreatePrivilegeToken(ctx context.Context, req *proto.CreatePriv
 // For a user to add a device, second factor must be enabled.
 // A nil request will be interpreted as a user who has second factor enabled
 // but does not have any MFA registered, as can be the case with second factor optional.
- if !authPref.IsSecondFactorEnforced() {
+ if !authPref.IsSecondFactorEnabled() {
 return nil, trace.AccessDenied("second factor must be enabled")
 }
 
diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
index b9587ce5e5910..4449eeec5922b 100644
--- a/lib/web/apiserver_test.go
+++ b/lib/web/apiserver_test.go
@@ -4612,7 +4612,7 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 const MOTD = "Welcome to cluster, your activity will be recorded."
 ap, err := types.NewAuthPreference(types.AuthPreferenceSpecV2{
 Type: constants.Local,
- SecondFactor: constants.SecondFactorOptional,
+ SecondFactor: constants.SecondFactorOn,
 ConnectorName: constants.PasswordlessConnector,
 Webauthn: &types.Webauthn{
 RPID: "localhost",
@@ -4642,7 +4642,7 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 
 expectedCfg := webclient.WebConfig{
 Auth: webclient.WebConfigAuthSettings{
- SecondFactor: constants.SecondFactorOptional,
+ SecondFactor: constants.SecondFactorOn,
 Providers: []webclient.WebConfigAuthProvider{{
 Name: "test-github",
 Type: constants.Github,
diff --git a/tool/tctl/common/edit_command_test.go b/tool/tctl/common/edit_command_test.go
index bc8007cfa6ea8..70c46683433c5 100644
--- a/tool/tctl/common/edit_command_test.go
+++ b/tool/tctl/common/edit_command_test.go
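Review bot: Switching the gate in CreatePrivilegeToken from IsSecondFactorEnforced() to IsSecondFactorEnabled() widens the set of clusters that pass this check to include second-factor "optional" mode, which the comment directly above says is the intended case, yet nothing in this diff adds a test that exercises CreatePrivilegeToken under `optional` — the test edits in the same commit (lib/web/apiserver_test.go) move the other way, from SecondFactorOptional to SecondFactorOn. Since this predicate decides whether a privilege token can be minted at all, a regression test for the optional case would keep a future "tighten to Enforced" change from silently re-breaking device enrollment. A one-line comment on the `if` would also help, e.g. `// Enabled, not Enforced, on purpose: "optional" mode must still let a user with no registered device enroll one.` The comment says a nil request is treated as "no MFA registered"; the handling of users who do have a device in optional mode is outside this hunk, so that path is presumably verified further down and worth confirming. CreatePrivilegeToken begins before and continues after the hunk.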
@@ -282,10 +282,7 @@ func testEditAuthPreference(t *testing.T, clt *authclient.Client) {
 }
 
 expected.SetRevision(initial.GetRevision())
- expected.SetSecondFactors(
- types.SecondFactorType_SECOND_FACTOR_TYPE_WEBAUTHN,
- types.SecondFactorType_SECOND_FACTOR_TYPE_OTP,
- )
+ expected.SetSecondFactors(types.SecondFactorType_SECOND_FACTOR_TYPE_OTP)
 
 collection := &authPrefCollection{authPref: expected}
 return trace.NewAggregate(writeYAML(collection, f), f.Close())
diff --git a/tool/tctl/common/resource_command_test.go b/tool/tctl/common/resource_command_test.go
index 3ba77f4f92ab0..1eb4b6ee34bfd 100644
--- a/tool/tctl/common/resource_command_test.go
+++ b/tool/tctl/common/resource_command_test.go
@@ -1832,7 +1832,7 @@ func testCreateAuthPreference(t *testing.T, clt *authclient.Client) {
 metadata:
 name: cluster-auth-preference
 spec:
- second_factors: [otp]
+ second_factors: [otp, sso]
 type: local
 version: v2
 `
@@ -1849,17 +1849,18 @@ version: v2 cap = mustDecodeJSON[[]*types.AuthPreferenceV2](t, buf) require.Len(t, cap, 1) - expectSecondFactors := []types.SecondFactorType{types.SecondFactorType_SECOND_FACTOR_TYPE_OTP} + expectInitialSecondFactors := []types.SecondFactorType{types.SecondFactorType_SECOND_FACTOR_TYPE_OTP} // second factors defaults to [otp] + require.Equal(t, expectInitialSecondFactors, initial.GetSecondFactors()) - var expected types.AuthPreferenceV2 - require.NoError(t, yaml.Unmarshal([]byte(capYAML), &expected)) - require.NotEqual(t, expectSecondFactors, initial.GetSecondFactors()) - require.Equal(t, expectSecondFactors, expected.GetSecondFactors()) + var revised types.AuthPreferenceV2 + require.NoError(t, yaml.Unmarshal([]byte(capYAML), &revised)) + expectRevisedSecondFactors := []types.SecondFactorType{types.SecondFactorType_SECOND_FACTOR_TYPE_OTP, types.SecondFactorType_SECOND_FACTOR_TYPE_SSO} + require.Equal(t, expectRevisedSecondFactors, revised.GetSecondFactors()) // Explicitly change the revision and try creating the cap with and without // the force flag. - expected.SetRevision(uuid.NewString()) - raw, err := services.MarshalAuthPreference(&expected, services.PreserveRevision()) + revised.SetRevision(uuid.NewString()) + raw, err := services.MarshalAuthPreference(&revised, services.PreserveRevision()) require.NoError(t, err) require.NoError(t, os.WriteFile(capYAMLPath, raw, 0644))