Add support for Hardware Key PIN (#31743)

api/proto/teleport/legacy/types/types.proto

@@ -5333,9 +5333,14 @@ enum RequireMFAType {
   // and login sessions must use a private key backed by a hardware key.
   SESSION_AND_HARDWARE_KEY = 2;
   // HARDWARE_KEY_TOUCH means login sessions must use a hardware private key that
-  // requires touch to be used. This touch is required for all private key operations,
-  // so the key is always treated as MFA verified for sessions.
+  // requires touch to be used.
   HARDWARE_KEY_TOUCH = 3;
+  // HARDWARE_KEY_PIN means login sessions must use a hardware private key that
+  // requires pin to be used.
+  HARDWARE_KEY_PIN = 4;
+  // HARDWARE_KEY_TOUCH_AND_PIN means login sessions must use a hardware private key that
+  // requires touch and pin to be used.
+  HARDWARE_KEY_TOUCH_AND_PIN = 5;
 }
 
 // Plugin describes a single instance of a Teleport Plugin

api/types/authentication.go

@@ -389,6 +389,10 @@ func (c *AuthPreferenceV2) GetPrivateKeyPolicy() keys.PrivateKeyPolicy {
 		return keys.PrivateKeyPolicyHardwareKey
 	case RequireMFAType_HARDWARE_KEY_TOUCH:
 		return keys.PrivateKeyPolicyHardwareKeyTouch
+	case RequireMFAType_HARDWARE_KEY_PIN:
+		return keys.PrivateKeyPolicyHardwareKeyPIN
+	case RequireMFAType_HARDWARE_KEY_TOUCH_AND_PIN:
+		return keys.PrivateKeyPolicyHardwareKeyTouchAndPIN
 	default:
 		return keys.PrivateKeyPolicyNone
 	}
@@ -907,8 +911,14 @@ func (r *RequireMFAType) UnmarshalJSON(data []byte) error {
 }
 
 const (
-	RequireMFATypeHardwareKeyString      = "hardware_key"
+	// RequireMFATypeHardwareKeyString is the string representation of RequireMFATypeHardwareKey
+	RequireMFATypeHardwareKeyString = "hardware_key"
+	// RequireMFATypeHardwareKeyTouchString is the string representation of RequireMFATypeHardwareKeyTouch
 	RequireMFATypeHardwareKeyTouchString = "hardware_key_touch"
+	// RequireMFATypeHardwareKeyPINString is the string representation of RequireMFATypeHardwareKeyPIN
+	RequireMFATypeHardwareKeyPINString = "hardware_key_pin"
+	// RequireMFATypeHardwareKeyTouchAndPINString is the string representation of RequireMFATypeHardwareKeyTouchAndPIN
+	RequireMFATypeHardwareKeyTouchAndPINString = "hardware_key_touch_and_pin"
 )
 
 // encode RequireMFAType into a string or boolean. This is necessary for
@@ -924,6 +934,10 @@ func (r *RequireMFAType) encode() (interface{}, error) {
 		return RequireMFATypeHardwareKeyString, nil
 	case RequireMFAType_HARDWARE_KEY_TOUCH:
 		return RequireMFATypeHardwareKeyTouchString, nil
+	case RequireMFAType_HARDWARE_KEY_PIN:
+		return RequireMFATypeHardwareKeyPINString, nil
+	case RequireMFAType_HARDWARE_KEY_TOUCH_AND_PIN:
+		return RequireMFATypeHardwareKeyTouchAndPINString, nil
 	default:
 		return nil, trace.BadParameter("RequireMFAType invalid value %v", *r)
 	}
@@ -940,6 +954,10 @@ func (r *RequireMFAType) decode(val interface{}) error {
 			*r = RequireMFAType_SESSION_AND_HARDWARE_KEY
 		case RequireMFATypeHardwareKeyTouchString:
 			*r = RequireMFAType_HARDWARE_KEY_TOUCH
+		case RequireMFATypeHardwareKeyPINString:
+			*r = RequireMFAType_HARDWARE_KEY_PIN
+		case RequireMFATypeHardwareKeyTouchAndPINString:
+			*r = RequireMFAType_HARDWARE_KEY_TOUCH_AND_PIN
 		case "":
 			// default to off
 			*r = RequireMFAType_OFF

api/types/authentication_test.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestMarshalUnmarshalRequireMFAType tests encoding/decoding of the RequireMFAType.
+func TestEncodeDecodeRequireMFAType(t *testing.T) {
+	for _, tt := range []struct {
+		requireMFAType RequireMFAType
+		encoded        any
+	}{
+		{
+			requireMFAType: RequireMFAType_OFF,
+			encoded:        false,
+		}, {
+			requireMFAType: RequireMFAType_SESSION,
+			encoded:        true,
+		}, {
+			requireMFAType: RequireMFAType_SESSION_AND_HARDWARE_KEY,
+			encoded:        RequireMFATypeHardwareKeyString,
+		}, {
+			requireMFAType: RequireMFAType_HARDWARE_KEY_TOUCH,
+			encoded:        RequireMFATypeHardwareKeyTouchString,
+		}, {
+			requireMFAType: RequireMFAType_HARDWARE_KEY_PIN,
+			encoded:        RequireMFATypeHardwareKeyPINString,
+		}, {
+			requireMFAType: RequireMFAType_HARDWARE_KEY_TOUCH_AND_PIN,
+			encoded:        RequireMFATypeHardwareKeyTouchAndPINString,
+		},
+	} {
+		t.Run(tt.requireMFAType.String(), func(t *testing.T) {
+			t.Run("encode", func(t *testing.T) {
+				encoded, err := tt.requireMFAType.encode()
+				require.NoError(t, err)
+				require.Equal(t, tt.encoded, encoded)
+			})
+
+			t.Run("decode", func(t *testing.T) {
+				var decoded RequireMFAType
+				err := decoded.decode(tt.encoded)
+				require.NoError(t, err)
+				require.Equal(t, tt.requireMFAType, decoded)
+			})
+		})
+	}
+}

api/types/role.go

@@ -889,6 +889,10 @@ func (r *RoleV6) GetPrivateKeyPolicy() keys.PrivateKeyPolicy {
 		return keys.PrivateKeyPolicyHardwareKey
 	case RequireMFAType_HARDWARE_KEY_TOUCH:
 		return keys.PrivateKeyPolicyHardwareKeyTouch
+	case RequireMFAType_HARDWARE_KEY_PIN:
+		return keys.PrivateKeyPolicyHardwareKeyPIN
+	case RequireMFAType_HARDWARE_KEY_TOUCH_AND_PIN:
+		return keys.PrivateKeyPolicyHardwareKeyTouchAndPIN
 	default:
 		return keys.PrivateKeyPolicyNone
 	}