Return the correct errors to users when an mfa ceremony fails (#35581)

Errors returned from the mfa prompt are now wrapped to allow them to be differentiated and acted upon accordingly by callers. No further processing of the error is required in this change, the code that examines the errors will already do the right thing. Fixes #35580.
gravitational · Dec 14, 2023 · 3c6ed22 · 3c6ed22
1 parent 8981c02
commit 3c6ed22
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/lib/client/client.go b/lib/client/client.go
@@ -2048,6 +2048,20 @@ func (c *NodeClient) Close() error {
 	return trace.NewAggregate(errors...)
 }
 
+// ceremonyFailedErr indicates that the mfa ceremony was attempted unsuccessfully.
+type ceremonyFailedErr struct {
+	err error
+}
+
+// Error returns the error string of the wrapped error if one exists.
+func (c ceremonyFailedErr) Error() string {
+	if c.err == nil {
+		return ""
+	}
+
+	return c.err.Error()
+}
+
 func (proxy *ProxyClient) sessionSSHCertificate(ctx context.Context, nodeAddr NodeDetails, user string) ([]ssh.AuthMethod, error) {
 	if _, err := proxy.teleportClient.localAgent.GetKey(nodeAddr.Cluster); err != nil {
 		return nil, trace.Wrap(MFARequiredUnknown(err))
@@ -2070,7 +2084,7 @@ func (proxy *ProxyClient) sessionSSHCertificate(ctx context.Context, nodeAddr No
 		proxy.teleportClient.PromptMFA,
 	)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, trace.Wrap(ceremonyFailedErr{err})
 	}
 	am, err := key.AsAuthMethod()
 	if err != nil {

diff --git a/tool/tsh/tsh_test.go b/tool/tsh/tsh_test.go
@@ -21,6 +21,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -1176,6 +1177,10 @@ func TestSSHOnMultipleNodes(t *testing.T) {
 		}
 	}
 
+	abortedChallenge := func(ctx context.Context, realOrigin string, assertion *wantypes.CredentialAssertion, prompt wancli.LoginPrompt, _ *wancli.LoginOpts) (*proto.MFAAuthenticateResponse, string, error) {
+		return nil, "", errors.New("aborted challenge")
+	}
+
 	cases := []struct {
 		name            string
 		target          string
@@ -1389,6 +1394,30 @@ func TestSSHOnMultipleNodes(t *testing.T) {
 			mfaPromptCount: 1,
 			errAssertion:   require.Error,
 		},
+		{
+			name: "aborted ceremony when role requires per session mfa",
+			authPreference: &types.AuthPreferenceV2{
+				Spec: types.AuthPreferenceSpecV2{
+					Type:         constants.Local,
+					SecondFactor: constants.SecondFactorOptional,
+					Webauthn: &types.Webauthn{
+						RPID: "localhost",
+					},
+				},
+			},
+			proxyAddr:       rootProxyAddr.String(),
+			auth:            rootAuth.GetAuthServer(),
+			target:          sshHostID,
+			roles:           []string{perSessionMFARole.GetName()},
+			webauthnLogin:   abortedChallenge,
+			stdoutAssertion: require.Empty,
+			stderrAssertion: func(t require.TestingT, v any, i ...any) {
+				out, ok := v.(string)
+				require.True(t, ok, i...)
+				require.Contains(t, out, "aborted challenge", i...)
+			},
+			errAssertion: require.Error,
+		},
 		{
 			name: "mfa ceremony prevented when using headless auth",
 			authPreference: &types.AuthPreferenceV2{