Login MFA (#14025)

* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>

api/client.go

@@ -800,6 +800,12 @@ func (c *Client) setNamespace(namespace string) {
 	c.headers.Set(consts.NamespaceHeaderName, namespace)
 }
 
+func (c *Client) ClearNamespace() {
+	c.modifyLock.Lock()
+	defer c.modifyLock.Unlock()
+	c.headers.Del(consts.NamespaceHeaderName)
+}
+
 // Token returns the access token being used by this client. It will
 // return the empty string if there is no token set.
 func (c *Client) Token() string {

api/secret.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 // Secret is the structure returned for every secret within Vault.
@@ -297,6 +298,8 @@ type SecretAuth struct {
 
 	LeaseDuration int  `json:"lease_duration"`
 	Renewable     bool `json:"renewable"`
+
+	MFARequirement *logical.MFARequirement `json:"mfa_requirement"`
 }
 
 // ParseSecret is used to parse a secret value from JSON from an io.Reader.

changelog/14025.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+auth: Add support for single and two phase MFA to login endpoints.
+```

command/write.go

@@ -146,6 +146,11 @@ func (c *WriteCommand) Run(args []string) int {
 		return 0
 	}
 
+	if secret != nil && secret.Auth != nil && secret.Auth.MFARequirement != nil {
+		c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
+			"MFA validation. Please make sure to validate the login by sending another "+
+			"request to mfa/validate endpoint.") + "\n")
+	}
 	// Handle single field output
 	if c.flagField != "" {
 		return PrintRawField(c.UI, secret, c.flagField)

go.mod

@@ -38,6 +38,7 @@ require (
 	github.com/coreos/go-semver v0.3.0
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/denisenkom/go-mssqldb v0.12.0
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74

go.sum

@@ -452,6 +452,7 @@ github.com/denverdino/aliyungo v0.0.0-20170926055100-d3308649c661/go.mod h1:dV8l
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba h1:p6poVbjHDkKa+wtC8frBMwQtT3BmqGYBjzMwJ63tuR4=
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
 github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/digitalocean/godo v1.7.5 h1:JOQbAO6QT1GGjor0doT0mXefX2FgUDPOpYh2RaXA+ko=

helper/identity/mfa/mfa.go

@@ -24,3 +24,22 @@ func (c *Config) Clone() (*Config, error) {
 
 	return &clonedConfig, nil
 }
+
+func (c *MFAEnforcementConfig) Clone() (*MFAEnforcementConfig, error) {
+	if c == nil {
+		return nil, fmt.Errorf("nil config")
+	}
+
+	marshaledConfig, err := proto.Marshal(c)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal config: %w", err)
+	}
+
+	var clonedConfig MFAEnforcementConfig
+	err = proto.Unmarshal(marshaledConfig, &clonedConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal config: %w", err)
+	}
+
+	return &clonedConfig, nil
+}

helper/identity/mfa/types.proto

@@ -26,6 +26,8 @@ message Config {
 		DuoConfig duo_config = 8;
 		PingIDConfig pingid_config = 9;
 	}
+	// @inject_tag: sentinel:"-"
+	string namespace_id = 10;
 }
 
 // TOTPConfig represents the configuration information required to generate
@@ -61,6 +63,8 @@ message DuoConfig {
 	string api_hostname = 3;
 	// @inject_tag: sentinel:"-"
 	string push_info = 4;
+	// @inject_tag: sentinel:"-"
+	bool use_passcode = 5;
 }
 
 // OktaConfig contains Okta configuration parameters required to perform Okta
@@ -129,3 +133,16 @@ message TOTPSecret {
 	// @inject_tag: sentinel:"-"
 	string key = 9;
 }
+
+// MFAEnforcementConfig is what the user provides to the
+// mfa/login_enforcement endpoint.
+message MFAEnforcementConfig {
+	string name = 1;
+	string namespace_id = 2;
+	repeated string mfa_method_ids = 3;
+	repeated string auth_method_accessors = 4;
+	repeated string auth_method_types = 5;
+	repeated string identity_group_ids = 6;
+	repeated string identity_entity_ids = 7;
+	string id = 8;
+}

helper/namespace/namespace_test.go

@@ -1,6 +1,8 @@
 package namespace
 
-import "testing"
+import (
+	"testing"
+)
 
 func TestSplitIDFromString(t *testing.T) {
 	tcases := []struct {
@@ -72,3 +74,98 @@ func TestSplitIDFromString(t *testing.T) {
 		}
 	}
 }
+
+func TestHasParent(t *testing.T) {
+	// Create ns1
+	ns1 := &Namespace{
+		ID:   "id1",
+		Path: "ns1/",
+	}
+
+	// Create ns1/ns2
+	ns2 := &Namespace{
+		ID:   "id2",
+		Path: "ns1/ns2/",
+	}
+
+	// Create ns1/ns2/ns3
+	ns3 := &Namespace{
+		ID:   "id3",
+		Path: "ns1/ns2/ns3/",
+	}
+
+	// Create ns4
+	ns4 := &Namespace{
+		ID:   "id4",
+		Path: "ns4/",
+	}
+
+	// Create ns4/ns5
+	ns5 := &Namespace{
+		ID:   "id5",
+		Path: "ns4/ns5/",
+	}
+
+	tests := []struct {
+		name     string
+		parent   *Namespace
+		ns       *Namespace
+		expected bool
+	}{
+		{
+			"is root an ancestor of ns1",
+			RootNamespace,
+			ns1,
+			true,
+		},
+		{
+			"is ns1 an ancestor of ns2",
+			ns1,
+			ns2,
+			true,
+		},
+		{
+			"is ns2 an ancestor of ns3",
+			ns2,
+			ns3,
+			true,
+		},
+		{
+			"is ns1 an ancestor of ns3",
+			ns1,
+			ns3,
+			true,
+		},
+		{
+			"is root an ancestor of ns3",
+			RootNamespace,
+			ns3,
+			true,
+		},
+		{
+			"is ns4 an ancestor of ns3",
+			ns4,
+			ns3,
+			false,
+		},
+		{
+			"is ns5 an ancestor of ns3",
+			ns5,
+			ns3,
+			false,
+		},
+		{
+			"is ns1 an ancestor of ns5",
+			ns1,
+			ns5,
+			false,
+		},
+	}
+
+	for _, test := range tests {
+		actual := test.ns.HasParent(test.parent)
+		if actual != test.expected {
+			t.Fatalf("bad ancestor calculation; name: %q, actual: %t, expected: %t", test.name, actual, test.expected)
+		}
+	}
+}

http/handler.go

@@ -1127,7 +1127,7 @@ func parseMFAHeader(req *logical.Request) error {
 
 		shardSplits := strings.SplitN(mfaHeaderValue, ":", 2)
 		if shardSplits[0] == "" {
-			return fmt.Errorf("invalid data in header %q; missing method name", MFAHeaderName)
+			return fmt.Errorf("invalid data in header %q; missing method name or ID", MFAHeaderName)
 		}
 
 		if shardSplits[1] == "" {

http/logical_test.go

@@ -219,15 +219,16 @@ func TestLogical_CreateToken(t *testing.T) {
 		"data":           nil,
 		"wrap_info":      nil,
 		"auth": map[string]interface{}{
-			"policies":       []interface{}{"root"},
-			"token_policies": []interface{}{"root"},
-			"metadata":       nil,
-			"lease_duration": json.Number("0"),
-			"renewable":      false,
-			"entity_id":      "",
-			"token_type":     "service",
-			"orphan":         false,
-			"num_uses":       json.Number("0"),
+			"policies":        []interface{}{"root"},
+			"token_policies":  []interface{}{"root"},
+			"metadata":        nil,
+			"lease_duration":  json.Number("0"),
+			"renewable":       false,
+			"entity_id":       "",
+			"token_type":      "service",
+			"orphan":          false,
+			"mfa_requirement": nil,
+			"num_uses":        json.Number("0"),
 		},
 		"warnings": nilWarnings,
 	}

sdk/logical/auth.go

@@ -100,6 +100,9 @@ type Auth struct {
 
 	// Orphan is set if the token does not have a parent
 	Orphan bool `json:"orphan"`
+
+	// MFARequirement
+	MFARequirement *MFARequirement `json:"mfa_requirement"`
 }
 
 func (a *Auth) GoString() string {