From fccabf88438f23f4f434f39589c7696e6a83a876 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 17 Oct 2024 16:16:56 -0300
Subject: [PATCH 1/2] feat: Disable auto-enroll via environment variable

---
 lib/devicetrust/enroll/auto_enroll.go | 14 ++++++++++++++
 lib/devicetrust/enroll/auto_enroll_test.go | 8 ++++++++
 2 files changed, 22 insertions(+)

diff --git a/lib/devicetrust/enroll/auto_enroll.go b/lib/devicetrust/enroll/auto_enroll.go
index d6b9588198d51..75ead77630d58 100644
--- a/lib/devicetrust/enroll/auto_enroll.go
+++ b/lib/devicetrust/enroll/auto_enroll.go
@@ -16,12 +16,21 @@ package enroll
 
 import (
 	"context"
+	"errors"
+	"os"
+	"strconv"
 
 	"github.com/gravitational/trace"
 
 	devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 )
 
+// ErrAutoEnrollDisabled signifies that auto-enroll is disabled in the current
+// device.
+// Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment disables
+// auto-enroll.
+var ErrAutoEnrollDisabled = errors.New("auto-enroll disabled")
+
 // AutoEnrollCeremony is the auto-enrollment version of [Ceremony].
 type AutoEnrollCeremony struct {
 	*Ceremony
@@ -45,6 +54,11 @@ func AutoEnroll(ctx context.Context, devicesClient devicepb.DeviceTrustServiceCl
 // [devicepb.DeviceTrustServiceClient.CreateDeviceEnrollToken] and enrolls the
 // device using a regular [Ceremony].
 func (c *AutoEnrollCeremony) Run(ctx context.Context, devicesClient devicepb.DeviceTrustServiceClient) (*devicepb.Device, error) {
+	const autoEnrollDisabledKey = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"
+	if disabled, _ := strconv.ParseBool(os.Getenv(autoEnrollDisabledKey)); disabled {
+		return nil, trace.Wrap(ErrAutoEnrollDisabled)
+	}
+
 	// Creating the init message straight away aborts the process cleanly if the
 	// device cannot create the device key (for example, if it lacks a TPM).
 	// This avoids a situation where we ask for escalation, like a sudo prompt or
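Review bot: The doc comment on `ErrAutoEnrollDisabled` understates which values trigger it and drops the word "variable": `Run` parses the value with `strconv.ParseBool`, so "true", "t", "T", "TRUE", "True" and "1" all disable auto-enroll, not only `=1`. Suggested wording: `// ErrAutoEnrollDisabled signifies that auto-enroll is disabled on the current device.` followed by `// Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED environment variable to a value strconv.ParseBool accepts as true (for example "1" or "true") disables auto-enroll.` The key string is repeated as a function-local const in `Run` later in this file; a package-level `const autoEnrollDisabledEnv = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"` next to this var would keep the comment and the lookup from drifting apart.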
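Review bot: The parse error from `strconv.ParseBool` on the new `if` line in `Run` is discarded, so an unrecognised value such as "yes" or "off" silently counts as "not disabled" and auto-enroll proceeds; since this variable switches off a device-trust step, a misconfigured value should at least be visible rather than indistinguishable from the variable being unset. Either log the ignored error together with the raw value, or state the choice inline: `// ParseBool errors are deliberately ignored: any value it does not recognise leaves auto-enroll enabled.` The check runs before the init message is created or the client is used, so a disabled client simply returns ErrAutoEnrollDisabled to its caller; it presumably does not change what the server enforces for unenrolled devices, which is worth saying in the comment so readers do not read the variable as an enforcement bypass. The body of Run continues past the end of the hunk.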
diff --git a/lib/devicetrust/enroll/auto_enroll_test.go b/lib/devicetrust/enroll/auto_enroll_test.go
index 71a958274bdb6..d323fdb48a2ef 100644
--- a/lib/devicetrust/enroll/auto_enroll_test.go
+++ b/lib/devicetrust/enroll/auto_enroll_test.go
@@ -16,6 +16,7 @@ package enroll_test
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -63,3 +64,10 @@ func TestAutoEnrollCeremony_Run(t *testing.T) {
 		})
 	}
 }
+
+func TestAutoEnroll_disabledByEnv(t *testing.T) {
+	os.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
+
+	_, err := enroll.AutoEnroll(context.Background(), nil /* devicesClient */)
+	assert.ErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() error mismatch")
+}

From f6e090844f7f2b8d773765ccad8d956ba57807b0 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 18 Oct 2024 16:00:21 -0300
Subject: [PATCH 2/2] Fix TestAutoEnroll_disabledByEnv flakiness (#47723)

* Fix TestAutoEnroll_disabledByEnv flakiness
* Use t.Setenv
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---
 lib/devicetrust/enroll/auto_enroll_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/devicetrust/enroll/auto_enroll_test.go b/lib/devicetrust/enroll/auto_enroll_test.go
index d323fdb48a2ef..e8a788dc31da8 100644
--- a/lib/devicetrust/enroll/auto_enroll_test.go
+++ b/lib/devicetrust/enroll/auto_enroll_test.go
@@ -16,7 +16,6 @@ package enroll_test
 
 import (
 	"context"
-	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -66,7 +65,7 @@ func TestAutoEnrollCeremony_Run(t *testing.T) {
 }
 
 func TestAutoEnroll_disabledByEnv(t *testing.T) {
-	os.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
+	t.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
 
 	_, err := enroll.AutoEnroll(context.Background(), nil /* devicesClient */)
 	assert.ErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() error mismatch")
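Review bot: `TestAutoEnroll_disabledByEnv` passes `nil` for devicesClient, which only works because the environment check in `Run` precedes every use of the client; that ordering dependency is invisible in the test, so a comment on the call line such as `// nil client is safe here: Run returns ErrAutoEnrollDisabled before touching it.` would stop a future reordering in Run from turning this test into a nil-pointer panic. The same applies to the test as first introduced in PATCH 1/2 of this series. The test also pins only the disabled path; a sibling subtest with the variable set to "0" asserting `assert.NotErrorIs(t, err, enroll.ErrAutoEnrollDisabled)` would pin that the default stays enabled, though with a nil client that call likely fails further along, so the assertion must be on error identity only. The closing brace of the test function is outside the hunk.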