Remove U2F fallback support from client tools (#43133)

U2F support was deprecated in favor of WebAuthn many releases ago, however,
not all references were removed when working on
#10375. This eliminates
the last remaining inclusions of github.com/flynn/u2f and
github.com/flynn/hid from lib/client and drops all support of
falling back to U2F if client tools are not built with FIDO2
enabled.

In practice, this should only cause problems for people building
tsh/tctl locally without setting the correct build flags. All
release artifacts published should already be built with the
appropriate flags and not cause any issues as a result.

Updates #43112.

go.mod

@@ -73,8 +73,6 @@ require (
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elastic/go-elasticsearch/v8 v8.9.0
 	github.com/evanphx/json-patch v5.6.0+incompatible
-	github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a
-	github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d
 	github.com/fsouza/fake-gcs-server v1.47.4
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/ghodss/yaml v1.0.0

go.sum

@@ -529,10 +529,6 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a h1:fsyWnwbywFpHJS4T55vDW+UUeWP2WomJbB45/jf4If4=
-github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a/go.mod h1:Osz+xPHFsGWK9kZCEVcwXazcF/CHjscCVZosNFgwUIY=
-github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d h1:2D6Rp/MRcrKnRFr7kfgBOJnJPFN0jPfc36ggct5MaK0=
-github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d/go.mod h1:shcCQPgKtaJz4obqb6Si031WgtSrW+Tj+ZLq/mRNrM8=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8=
 github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=

lib/auth/webauthncli/api.go

@@ -106,7 +106,7 @@ type LoginOpts struct {
 	AuthenticatorAttachment AuthenticatorAttachment
 }
 
-// Login performs client-side, U2F-compatible, Webauthn login.
+// Login performs client-side, Webauthn login.
 // This method blocks until either device authentication is successful or the
 // context is canceled. Calling Login without a deadline or cancel condition
 // may cause it to block forever.
@@ -176,26 +176,9 @@ func crossPlatformLogin(
 	ctx context.Context,
 	origin string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt, opts *LoginOpts,
 ) (*proto.MFAAuthenticateResponse, string, error) {
-	if isLibfido2Enabled() {
-		log.Debug("FIDO2: Using libfido2 for assertion")
-		return FIDO2Login(ctx, origin, assertion, prompt, opts)
-	}
-
-	ackTouch, err := prompt.PromptTouch()
-	if err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	resp, err := U2FLogin(ctx, origin, assertion)
-	if err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	if err := ackTouch(); err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-
-	return resp, "" /* credentialUser */, err
+	log.Debug("FIDO2: Using libfido2 for assertion")
+	resp, user, err := FIDO2Login(ctx, origin, assertion, prompt, opts)
+	return resp, user, trace.Wrap(err)
 }
 
 func platformLogin(origin, user string, assertion *wantypes.CredentialAssertion, prompt LoginPrompt) (*proto.MFAAuthenticateResponse, string, error) {
@@ -225,7 +208,7 @@ type RegisterPrompt interface {
 	PromptTouch() (TouchAcknowledger, error)
 }
 
-// Register performs client-side, U2F-compatible, Webauthn registration.
+// Register performs client-side, Webauthn registration.
 // This method blocks until either device authentication is successful or the
 // context is canceled. Calling Register without a deadline or cancel condition
 // may cause it block forever.
@@ -240,28 +223,15 @@ func Register(
 		return wanwin.Register(ctx, origin, cc)
 	}
 
-	if isLibfido2Enabled() {
-		log.Debug("FIDO2: Using libfido2 for credential creation")
-		return FIDO2Register(ctx, origin, cc, prompt)
-	}
-
-	ackTouch, err := prompt.PromptTouch()
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	resp, err := U2FRegister(ctx, origin, cc)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return resp, trace.Wrap(ackTouch())
+	log.Debug("FIDO2: Using libfido2 for credential creation")
+	resp, err := FIDO2Register(ctx, origin, cc, prompt)
+	return resp, trace.Wrap(err)
 }
 
 // HasPlatformSupport returns true if the platform supports client-side
 // WebAuthn-compatible logins.
 func HasPlatformSupport() bool {
-	return IsFIDO2Available() || touchid.IsAvailable() || isU2FAvailable()
+	return IsFIDO2Available() || touchid.IsAvailable()
 }
 
 // IsFIDO2Available returns true if FIDO2 is implemented either via native

lib/auth/webauthncli/fido2.go

@@ -24,7 +24,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"sync"
 	"time"
 
@@ -134,9 +133,7 @@ var (
 
 // isLibfido2Enabled returns true if libfido2 is available in the current build.
 func isLibfido2Enabled() bool {
-	val, ok := os.LookupEnv("TELEPORT_FIDO2")
-	// Default to enabled, otherwise obey the env variable.
-	return !ok || val == "1"
+	return true
 }
 
 // fido2Login implements FIDO2Login.

lib/auth/webauthncli/fido2_test.go

@@ -23,7 +23,6 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"os"
 	"sync"
 	"testing"
 	"time"
@@ -146,44 +145,6 @@ func (p *pinCancelPrompt) PromptTouch() (wancli.TouchAcknowledger, error) {
 	return func() error { return nil }, nil
 }
 
-func TestIsFIDO2Available(t *testing.T) {
-	const fido2Key = "TELEPORT_FIDO2"
-	tests := []struct {
-		name   string
-		setenv func()
-		want   bool
-	}{
-		{
-			name: "env var unset",
-			setenv: func() {
-				_ = os.Unsetenv(fido2Key)
-			},
-			want: true,
-		},
-		{
-			name: "env var set to 1",
-			setenv: func() {
-				t.Setenv(fido2Key, "1")
-			},
-			want: true,
-		},
-		{
-			name: "env var set to 0",
-			setenv: func() {
-				t.Setenv(fido2Key, "0")
-			},
-			want: false,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			test.setenv()
-			got := wancli.IsFIDO2Available()
-			require.Equal(t, test.want, got, "IsFIDO2Available")
-		})
-	}
-}
-
 func TestFIDO2Login(t *testing.T) {
 	resetFIDO2AfterTests(t)
 	wancli.FIDO2PollInterval = 1 * time.Millisecond // run fast on tests