mfa

package
v0.0.0-...-ac4870c

Warning: This package is not in the latest version of its module.
Published: May 2, 2024 License: Apache-2.0 Imports: 11 Imported by: 9

Documentation

Constants

const DeviceDescriptorRegistered = "registered"

DeviceDescriptorRegistered is a registered device.

const ResponseMetadataKey = "mfa_challenge_response"

ResponseMetadataKey is the context metadata key for an MFA response in a gRPC request.

Variables

var (
	// ErrAdminActionMFARequired is an error indicating that an admin-level
	// API request failed due to missing MFA verification.
	ErrAdminActionMFARequired = trace.AccessDeniedError{Message: "admin-level API request requires MFA verification"}

	// ErrMFANotRequired is returned by MFA ceremonies when it is discovered or
	// inferred that an MFA ceremony is not required by the server.
	ErrMFANotRequired = trace.BadParameterError{Message: "re-authentication with MFA is not required"}

	// ErrMFANotSupported is returned by MFA ceremonies when the client does not
	// support MFA ceremonies, or the server does not support MFA ceremonies for
	// the client user.
	ErrMFANotSupported = trace.BadParameterError{Message: "re-authentication with MFA is not supported for this client"}
)

Functions

func ContextWithMFAResponse

func ContextWithMFAResponse(ctx context.Context, mfaResp *proto.MFAAuthenticateResponse) context.Context

ContextWithMFAResponse embeds the MFA response in the context.

func CredentialsFromContext

func CredentialsFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)

CredentialsFromContext can be called from a gRPC server method to return the MFA credentials added to the gRPC metadata for requests that require MFA, like admin-level requests. If no MFA credentials are found, ErrAdminActionMFARequired is returned, aggregated with any other errors encountered.

func EncodeMFAChallengeResponseCredentials

func EncodeMFAChallengeResponseCredentials(mfaResp *proto.MFAAuthenticateResponse) (string, error)

EncodeMFAChallengeResponseCredentials encodes the given MFA challenge response into a string.

func MFAResponseFromContext

func MFAResponseFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)

MFAResponseFromContext returns the MFA response from the context.

func PerformAdminActionMFACeremony

func PerformAdminActionMFACeremony(ctx context.Context, mfaCeremony MFACeremony, allowReuse bool) (*proto.MFAAuthenticateResponse, error)

PerformAdminActionMFACeremony retrieves an MFA challenge from the server for an admin action, prompts the user to answer the challenge, and returns the resulting MFA response.

func PerformMFACeremony

func PerformMFACeremony(ctx context.Context, clt MFACeremonyClient, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)

PerformMFACeremony retrieves an MFA challenge from the server with the given challenge extensions, prompts the user to answer the challenge with the given promptOpts, and ultimately returns an MFA challenge response for the user.

func WithCredentials

func WithCredentials(resp *proto.MFAAuthenticateResponse) grpc.CallOption

WithCredentials can be called on a gRPC client request to attach MFA credentials to the gRPC metadata for requests that require MFA, like admin-level requests.
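
The client/server hand-off described by WithCredentials and CredentialsFromContext, as an added sketch that is not code from this package: it uses only the standard library, with a plain map standing in for gRPC metadata. The mfaResponse type, the encode and extract helpers, the JSON-plus-base64 encoding and the rejection of duplicated values are assumptions of this example; only the metadata key and the error message come from the page.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Mirrors ResponseMetadataKey; errMFARequired stands in for ErrAdminActionMFARequired.
const responseMetadataKey = "mfa_challenge_response"
var errMFARequired = errors.New("admin-level API request requires MFA verification")

// mfaResponse is a hypothetical stand-in for proto.MFAAuthenticateResponse.
type mfaResponse struct{ TOTPCode string }

// encode plays the role of EncodeMFAChallengeResponseCredentials (assumed JSON+base64 format).
func encode(resp *mfaResponse) (string, error) {
	raw, err := json.Marshal(resp)
	return base64.StdEncoding.EncodeToString(raw), err
}

// extract plays the server role of CredentialsFromContext. Every failure wraps
// errMFARequired, so a missing or malformed credential never reads as success.
func extract(md map[string][]string) (*mfaResponse, error) {
	vals := md[responseMetadataKey]
	if len(vals) != 1 { // absent or duplicated: this example treats both as missing
		return nil, errMFARequired
	}
	raw, err := base64.StdEncoding.DecodeString(vals[0])
	if err != nil {
		return nil, fmt.Errorf("%w: %v", errMFARequired, err)
	}
	resp := &mfaResponse{}
	if err := json.Unmarshal(raw, resp); err != nil {
		return nil, fmt.Errorf("%w: %v", errMFARequired, err)
	}
	return resp, nil
}

func main() {
	md := map[string][]string{} // constructed stand-in for gRPC request metadata
	_, err := extract(md)
	fmt.Println("before attach:", err)
	enc, _ := encode(&mfaResponse{TOTPCode: "000000"}) // constructed sample value
	md[responseMetadataKey] = []string{enc}
	resp, err := extract(md)
	fmt.Println("after attach:", resp.TOTPCode, err)
}
```

A handler built this way can test the returned error with errors.Is and deny the admin action on any failure path.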

Types

type DeviceDescriptor

type DeviceDescriptor string

DeviceDescriptor is a descriptor for a device, such as "registered".

type MFACeremony

type MFACeremony func(ctx context.Context, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)

type MFACeremonyClient

type MFACeremonyClient interface {
	// CreateAuthenticateChallenge creates and returns MFA challenges for a user's registered MFA devices.
	CreateAuthenticateChallenge(ctx context.Context, in *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
	// PromptMFA prompts the user for MFA.
	PromptMFA(ctx context.Context, chal *proto.MFAAuthenticateChallenge, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)
}

MFACeremonyClient is a client that can perform an MFA ceremony, from retrieving the MFA challenge to prompting for an MFA response from the user.

type Prompt

type Prompt interface {
	// Run prompts the user to complete an MFA authentication challenge.
	Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
}

Prompt is an MFA prompt.

type PromptConfig

type PromptConfig struct {
	// PromptReason is an optional message to share with the user before an MFA Prompt.
	// It is intended to provide context about why the user is being prompted where it may
	// not be obvious, such as for admin actions or per-session MFA.
	PromptReason string
	// DeviceType is an optional device description to emphasize during the prompt.
	DeviceType DeviceDescriptor
	// Quiet suppresses user prompts.
	Quiet bool
}

PromptConfig contains common MFA prompt config options.

type PromptConstructor

type PromptConstructor func(...PromptOpt) Prompt

PromptConstructor is a function that creates a new MFA prompt.

type PromptFunc

PromptFunc is a function wrapper that implements the Prompt interface.

func (PromptFunc) Run

Run prompts the user to complete an MFA authentication challenge.

type PromptOpt

type PromptOpt func(*PromptConfig)

PromptOpt applies configuration options to a prompt.

func WithPromptDeviceType

func WithPromptDeviceType(deviceType DeviceDescriptor) PromptOpt

WithPromptDeviceType sets the prompt's DeviceType field.

func WithPromptReason

func WithPromptReason(hint string) PromptOpt

WithPromptReason sets the prompt's PromptReason field.

func WithPromptReasonAdminAction

func WithPromptReasonAdminAction() PromptOpt

WithPromptReasonAdminAction sets the prompt's PromptReason field to a standard admin action message.

func WithPromptReasonSessionMFA

func WithPromptReasonSessionMFA(serviceType, serviceName string) PromptOpt

WithPromptReasonSessionMFA sets the prompt's PromptReason field to a standard session MFA message.

func WithQuiet

func WithQuiet() PromptOpt

WithQuiet sets the prompt's Quiet field.
