interactive CLI for mfa login

[hghaf099]

This PR is a step to improve CLI for mfa login. For a login request that is subject to MFA validation, it interactively asks user for credentials to validate the request, and return the client token.
Also, enabled audit backend in a test to make sure mfa/validate is audited.

Example of the CLI output in interactive mode:

vault write auth/userpass/login/alice -format=json @/tmp/alice_pwd.json

Enter the passphrase for methodID "3b7bac01-9792-d870-5c24-ff70af7ccb0d": 
{
  "request_id": "56ce9b00-d008-faec-4ff2-e46a4f5b8dc5",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "s.d0zwd86n4yuFxMIkr14EQJTB",
    "accessor": "DpMaT5UksUhUOuytgDSkVtrE",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "f69c3147-5994-b078-9cea-94918b7f4ccd",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}

[ncabatoff]

I would rather see the write code repeated than have this goto.

[ncabatoff]

Can you extract this into a func so we can use return instead of goto?

[ncabatoff]

Suggested change

	Usage: "It controls a command to be executed in an interactive or non-interactive fashion with a user.",
	Usage: "When set true, prevents asking the user for input via the terminal.",

[ncabatoff]

Can we also use github.com/mattn/go-isatty to override the var to true when we can't ask the user for input (because there's no tty)?

[hghaf099]

Actually, ui.AskSecret already takes care of that here:
https://github.com/mitchellh/cli/blob/5454ffe87bc5c6d8b6b21c825617755e18a07828/ui.go#L79

[ncabatoff]

I think this is less desirable, because then if the user didn't say -non-interactive, but they're running without a terminal, we'll simply block waiting for input on stdin. This will be a surprising change and it won't be obvious what the problem is.

[ncabatoff]

It would be nice if we could tell them the method type, not sure if we have that info.

[ncabatoff]

Suggested change

	c.UI.Error(fmt.Sprintf("failed to read the passphrase with error %q. please validate the login by sending a request to mfa/validate", err.Error()))
	c.UI.Error(fmt.Sprintf("failed to read the passphrase with error %q. please validate the login by sending a request to sys/mfa/validate", err.Error()))

[ncabatoff]

Shouldn't we prompt them (e.g. "hit enter") so we know when they've done it?

[hghaf099]

Well, at this point, the validate request has not issued yet. This is just a reminder for them to check their authenticator app. There is a chance that the validate request fails even before issuing the notification.

[ncabatoff]

I see. Maybe we can make the message a little more explicit then, something like "Asking Vault to perform MFA validation with upstream service. You should receive a push notification in your authenticator app shortly"? Otherwise if they go and look immediately they might not see the push yet.

[raskchanky]

Looks good to me, modulo Nick's outstanding comment(s).

[hghaf099]

I tested the following combinations:

• method using passcode in interactive mode
• method using passcode in non-interactive mode
• method not using passcode (DUO) in interactive mode
• method not using passcode (DUO) in non-interactive mode

[ncabatoff]

I'm a bit confused by these test changes - are they related to the new rest of the PR? It looks like we're just checking in the audit log to see if the explicit write we did to sys/mfa/validate resulted in an audit record.

[hghaf099]

no, I just did not want to push another PR for it. I have made a note in the PR description about it.

[ncabatoff]

Looks good!