mfa

package
v0.0.0-...-8f91da0
Published: Dec 20, 2024 License: Apache-2.0 Imports: 13 Imported by: 9

Documentation

Constants

const DeviceDescriptorRegistered = "registered"

DeviceDescriptorRegistered describes a registered device.

const ResponseMetadataKey = "mfa_challenge_response"

ResponseMetadataKey is the context metadata key for an MFA response in a gRPC request.

Variables

var (
	// ErrAdminActionMFARequired is an error indicating that an admin-level
	// API request failed due to missing MFA verification.
	ErrAdminActionMFARequired = trace.AccessDeniedError{Message: "admin-level API request requires MFA verification"}

	// ErrMFANotRequired is returned by MFA ceremonies when it is discovered or
	// inferred that an MFA ceremony is not required by the server.
	ErrMFANotRequired = trace.BadParameterError{Message: "re-authentication with MFA is not required"}

	// ErrMFANotSupported is returned by MFA ceremonies when the client does not
	// support MFA ceremonies, or the server does not support MFA ceremonies for
	// the client user.
	ErrMFANotSupported = trace.BadParameterError{Message: "re-authentication with MFA is not supported for this client"}
)

Functions

func ContextWithMFAResponse

func ContextWithMFAResponse(ctx context.Context, mfaResp *proto.MFAAuthenticateResponse) context.Context

ContextWithMFAResponse embeds the MFA response in the context.

func CredentialsFromContext

func CredentialsFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)

CredentialsFromContext can be called from a gRPC server method to return the MFA credentials added to the gRPC metadata of requests that require MFA, such as admin-level requests. If no MFA credentials are found, ErrAdminActionMFARequired is returned, aggregated with any other errors encountered.

func EncodeMFAChallengeResponseCredentials

func EncodeMFAChallengeResponseCredentials(mfaResp *proto.MFAAuthenticateResponse) (string, error)

EncodeMFAChallengeResponseCredentials encodes the given MFA challenge response into a string.

func MFAResponseFromContext

func MFAResponseFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)

MFAResponseFromContext returns the MFA response from the context.

func PerformAdminActionMFACeremony

func PerformAdminActionMFACeremony(ctx context.Context, mfaCeremony CeremonyFn, allowReuse bool) (*proto.MFAAuthenticateResponse, error)

PerformAdminActionMFACeremony retrieves an MFA challenge from the server for an admin action, prompts the user to answer the challenge, and returns the resulting MFA response.

func WithCredentials

func WithCredentials(resp *proto.MFAAuthenticateResponse) grpc.CallOption

WithCredentials can be called on a gRPC client request to attach MFA credentials to the gRPC metadata of requests that require MFA, such as admin-level requests.
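The client/server halves above (WithCredentials, EncodeMFAChallengeResponseCredentials, CredentialsFromContext) form one pattern: the client serialises the solved MFA response into a single metadata value under ResponseMetadataKey, and the admin-level RPC handler refuses to proceed unless that value is present and decodable. The following is an added, stand-alone illustration of that pattern and is not the package's own code: gRPC metadata is modelled as a plain map carried in the context, the response type and the JSON+base64 encoding are assumptions (the real package uses protobuf messages and trace errors), and DeleteUser is a constructed handler.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ResponseMetadataKey is the metadata key named in the package docs.
const ResponseMetadataKey = "mfa_challenge_response"

// ErrAdminActionMFARequired stands in for the package's trace.AccessDeniedError
// of the same name (a plain error here so the example needs no third-party code).
var ErrAdminActionMFARequired = errors.New("admin-level API request requires MFA verification")

// MFAAuthenticateResponse is a constructed stand-in for proto.MFAAuthenticateResponse;
// only the fact that it serialises to bytes matters for the transport pattern.
type MFAAuthenticateResponse struct {
	TOTPCode          string `json:"totp_code,omitempty"`
	WebauthnAssertion []byte `json:"webauthn_assertion,omitempty"`
}

// Metadata stands in for gRPC metadata.MD: lower-cased keys, repeated values.
type Metadata map[string][]string

type mdContextKey struct{}

// ContextWithMetadata models the incoming-metadata context a gRPC server
// method receives (assumption: real gRPC exposes this via metadata.FromIncomingContext).
func ContextWithMetadata(ctx context.Context, md Metadata) context.Context {
	return context.WithValue(ctx, mdContextKey{}, md)
}

// EncodeCredentials turns the response into a single metadata-safe string.
// Assumption: JSON+base64 here; the real package may encode differently.
func EncodeCredentials(resp *MFAAuthenticateResponse) (string, error) {
	if resp == nil {
		return "", errors.New("nil MFA response")
	}
	raw, err := json.Marshal(resp)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// DecodeCredentials is the inverse of EncodeCredentials.
func DecodeCredentials(s string) (*MFAAuthenticateResponse, error) {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	var resp MFAAuthenticateResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	return &resp, nil
}

// WithCredentials is the client side: attach the encoded response to a copy of
// the outgoing metadata that travels with the admin-level request.
func WithCredentials(md Metadata, resp *MFAAuthenticateResponse) (Metadata, error) {
	enc, err := EncodeCredentials(resp)
	if err != nil {
		return nil, err
	}
	out := Metadata{}
	for k, v := range md {
		out[k] = append([]string(nil), v...)
	}
	out[ResponseMetadataKey] = []string{enc}
	return out, nil
}

// CredentialsFromContext is the server side. A missing, undecodable or empty
// value all surface as ErrAdminActionMFARequired (wrapped, so errors.Is still
// matches), so a tampered header is denied rather than reported as a parse bug.
func CredentialsFromContext(ctx context.Context) (*MFAAuthenticateResponse, error) {
	md, _ := ctx.Value(mdContextKey{}).(Metadata) // nil map reads are safe in Go
	vals := md[ResponseMetadataKey]
	if len(vals) == 0 {
		return nil, ErrAdminActionMFARequired
	}
	resp, err := DecodeCredentials(vals[0])
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrAdminActionMFARequired, err)
	}
	if resp.TOTPCode == "" && len(resp.WebauthnAssertion) == 0 {
		return nil, fmt.Errorf("%w: empty MFA response", ErrAdminActionMFARequired)
	}
	return resp, nil
}

// DeleteUser is a constructed admin-level RPC handler: it refuses to act until the
// MFA response has been pulled from the request metadata. Verifying that response
// against the issued challenge is the auth server's job and is out of scope here.
func DeleteUser(ctx context.Context, name string) error {
	if _, err := CredentialsFromContext(ctx); err != nil {
		return err
	}
	return nil
}

func main() {
	ctx := context.Background()
	fmt.Println("no metadata:", DeleteUser(ctx, "alice"))
	md, _ := WithCredentials(Metadata{"authorization": {"Bearer example-token"}}, &MFAAuthenticateResponse{TOTPCode: "123456"})
	fmt.Println("with MFA:", DeleteUser(ContextWithMetadata(ctx, md), "alice"))
	fmt.Println("tampered:", DeleteUser(ContextWithMetadata(ctx, Metadata{ResponseMetadataKey: {"%%%"}}), "alice"))
}
```

The point worth copying is the failure handling in CredentialsFromContext: every way the credential can be absent or corrupt collapses to the same access-denied error, which is what the page's "aggregated with any other errors encountered" describes, and callers test it with errors.Is rather than string matching.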

Types

type Ceremony

type Ceremony struct {
	// CreateAuthenticateChallenge creates an authentication challenge.
	CreateAuthenticateChallenge CreateAuthenticateChallengeFunc
	// PromptConstructor creates a prompt to prompt the user to solve an authentication challenge.
	PromptConstructor PromptConstructor
	// SSOMFACeremonyConstructor is an optional SSO MFA ceremony constructor. If provided,
	// the MFA ceremony will also attempt to retrieve an SSO MFA challenge.
	SSOMFACeremonyConstructor SSOMFACeremonyConstructor
}

Ceremony is an MFA ceremony.

func (*Ceremony) Run

Run the MFA ceremony.

req may be nil if ceremony.CreateAuthenticateChallenge does not require it, e.g. in the moderated-session MFA ceremony, which uses a custom streaming RPC to create challenges.

type CeremonyFn

CeremonyFn is a function that will carry out an MFA ceremony.

type CreateAuthenticateChallengeFunc

type CreateAuthenticateChallengeFunc func(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)

CreateAuthenticateChallengeFunc is a function that creates an authentication challenge.

type DeviceDescriptor

type DeviceDescriptor string

DeviceDescriptor is a descriptor for a device, such as "registered".

type Prompt

type Prompt interface {
	// Run prompts the user to complete an MFA authentication challenge.
	Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
}

Prompt is an MFA prompt.

type PromptConfig

type PromptConfig struct {
	// PromptReason is an optional message to share with the user before an MFA Prompt.
	// It is intended to provide context about why the user is being prompted where it may
	// not be obvious, such as for admin actions or per-session MFA.
	PromptReason string
	// DeviceType is an optional device description to emphasize during the prompt.
	DeviceType DeviceDescriptor
	// Quiet suppresses user prompts.
	Quiet bool
	// Extensions are the challenge extensions used to create the prompt's challenge.
	// Used to enrich certain prompts.
	Extensions *mfav1.ChallengeExtensions
	// SSOMFACeremony is an SSO MFA ceremony.
	SSOMFACeremony SSOMFACeremony
}

PromptConfig contains universal MFA prompt config options.

type PromptConstructor

type PromptConstructor func(...PromptOpt) Prompt

PromptConstructor is a function that creates a new MFA prompt.

type PromptFunc

PromptFunc is a function wrapper that implements the Prompt interface.

func (PromptFunc) Run

Run prompts the user to complete an MFA authentication challenge.

type PromptOpt

type PromptOpt func(*PromptConfig)

PromptOpt applies configuration options to a prompt.

func WithPromptChallengeExtensions

func WithPromptChallengeExtensions(exts *mfav1.ChallengeExtensions) PromptOpt

WithPromptChallengeExtensions sets the challenge extensions used to create the prompt's challenge. While not mandatory, informing the prompt of the extensions used allows for better user messaging.

func WithPromptDeviceType

func WithPromptDeviceType(deviceType DeviceDescriptor) PromptOpt

WithPromptDeviceType sets the prompt's DeviceType field.

func WithPromptReason

func WithPromptReason(hint string) PromptOpt

WithPromptReason sets the prompt's PromptReason field.

func WithPromptReasonAdminAction

func WithPromptReasonAdminAction() PromptOpt

WithPromptReasonAdminAction sets the prompt's PromptReason field to a standard admin action message.

func WithPromptReasonSessionMFA

func WithPromptReasonSessionMFA(serviceType, serviceName string) PromptOpt

WithPromptReasonSessionMFA sets the prompt's PromptReason field to a standard session MFA message.

func WithQuiet

func WithQuiet() PromptOpt

WithQuiet sets the prompt's Quiet field.
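Ceremony.Run (above) and the PromptOpt functional options (WithPromptReason through WithQuiet) are two halves of one flow: the ceremony asks the server for a challenge, decides whether there is anything to solve, builds a prompt from the options and runs it. The block below is an added, self-contained sketch of that flow, not the package's code: the challenge and response types are constructed stand-ins for the protobuf messages, the errors are plain errors rather than trace errors, the admin-action reason text is assumed (the page does not show the standard message), and the "user" is scripted so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Constructed stand-ins for the protobuf challenge and response types.
type MFAAuthenticateChallenge struct {
	TOTP            bool   // the server will accept a TOTP code
	WebauthnRequest []byte // raw WebAuthn request, nil when not offered
}

type MFAAuthenticateResponse struct {
	TOTPCode          string
	WebauthnAssertion []byte
}

// Plain-error stand-ins for the package's trace errors.
var (
	ErrMFANotRequired  = errors.New("re-authentication with MFA is not required")
	ErrMFANotSupported = errors.New("re-authentication with MFA is not supported for this client")
)

// PromptConfig and PromptOpt follow the functional-options shape documented above.
type PromptConfig struct {
	PromptReason string
	Quiet        bool
}

type PromptOpt func(*PromptConfig)

func WithPromptReason(hint string) PromptOpt { return func(c *PromptConfig) { c.PromptReason = hint } }

// The reason text below is an assumption; the package's standard message is not shown on this page.
func WithPromptReasonAdminAction() PromptOpt {
	return WithPromptReason("MFA is required for admin-level API request")
}

func WithQuiet() PromptOpt { return func(c *PromptConfig) { c.Quiet = true } }

type Prompt interface {
	Run(ctx context.Context, chal *MFAAuthenticateChallenge) (*MFAAuthenticateResponse, error)
}

// PromptFunc adapts a plain function to the Prompt interface.
type PromptFunc func(ctx context.Context, chal *MFAAuthenticateChallenge) (*MFAAuthenticateResponse, error)

func (f PromptFunc) Run(ctx context.Context, chal *MFAAuthenticateChallenge) (*MFAAuthenticateResponse, error) {
	return f(ctx, chal)
}

type Ceremony struct {
	CreateAuthenticateChallenge func(ctx context.Context) (*MFAAuthenticateChallenge, error)
	PromptConstructor           func(...PromptOpt) Prompt
}

// Run creates the challenge, maps "nothing to solve" to ErrMFANotRequired so callers
// can fall back to the plain request, and only then builds a prompt and runs it.
func (c *Ceremony) Run(ctx context.Context, opts ...PromptOpt) (*MFAAuthenticateResponse, error) {
	if c.CreateAuthenticateChallenge == nil || c.PromptConstructor == nil {
		return nil, ErrMFANotSupported
	}
	chal, err := c.CreateAuthenticateChallenge(ctx)
	if err != nil {
		return nil, err
	}
	if chal == nil || (!chal.TOTP && chal.WebauthnRequest == nil) {
		return nil, ErrMFANotRequired
	}
	resp, err := c.PromptConstructor(opts...).Run(ctx, chal)
	if err != nil {
		return nil, err
	}
	if resp == nil || (resp.TOTPCode == "" && resp.WebauthnAssertion == nil) {
		return nil, errors.New("MFA prompt returned an empty response")
	}
	return resp, nil
}

// NewScriptedPromptConstructor plays the role of a terminal prompt. The user's TOTP
// code is supplied up front, and messages that would be printed go to shown instead.
func NewScriptedPromptConstructor(totpCode string, shown *[]string) func(...PromptOpt) Prompt {
	return func(opts ...PromptOpt) Prompt {
		var cfg PromptConfig
		for _, o := range opts {
			o(&cfg)
		}
		return PromptFunc(func(ctx context.Context, chal *MFAAuthenticateChallenge) (*MFAAuthenticateResponse, error) {
			if cfg.PromptReason != "" && !cfg.Quiet {
				*shown = append(*shown, cfg.PromptReason)
			}
			if !chal.TOTP {
				return nil, errors.New("scripted prompt only answers TOTP challenges")
			}
			return &MFAAuthenticateResponse{TOTPCode: totpCode}, nil
		})
	}
}

func main() {
	var shown []string
	c := &Ceremony{
		CreateAuthenticateChallenge: func(context.Context) (*MFAAuthenticateChallenge, error) {
			return &MFAAuthenticateChallenge{TOTP: true}, nil
		},
		PromptConstructor: NewScriptedPromptConstructor("123456", &shown),
	}
	resp, err := c.Run(context.Background(), WithPromptReasonAdminAction())
	fmt.Println(resp, err, shown)
}
```

Two behaviours matter for callers: an empty challenge is reported as ErrMFANotRequired instead of an empty prompt, which is how a client learns it may retry the request without MFA, and the prompt options are applied only when the prompt is constructed, so WithQuiet or a reason string never changes what the server is asked for.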

type SSOMFACeremony

type SSOMFACeremony interface {
	GetClientCallbackURL() string
	Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
	Close()
}

SSOMFACeremony is an SSO MFA ceremony.

type SSOMFACeremonyConstructor

type SSOMFACeremonyConstructor func(ctx context.Context) (SSOMFACeremony, error)

SSOMFACeremonyConstructor constructs a new SSO MFA ceremony.
