Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow headless auth when local auth is disabled #41933

Merged
merged 3 commits into from
Jun 13, 2024
Merged

Allow headless auth when local auth is disabled #41933

merged 3 commits into from
Jun 13, 2024

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented May 23, 2024
edited

changelog: Fix Headless auth for sso users, including when local auth is disabled.

Note: In addition to the issue below, this fixes a regression in headless auth for sso users caused by #41196.

Closes #37063
Closes https://github.com/gravitational/customer-sensitive-requests/issues/260

@Joerger Joerger marked this pull request as draft May 23, 2024 00:37
@Joerger Joerger force-pushed the joerger/allow-headless-with-local-auth-disabled branch from 3ad0e75 to 419e6bb Compare May 23, 2024 01:25
@Joerger Joerger marked this pull request as ready for review May 23, 2024 01:27
@github-actions github-actions bot requested review from gzdunek and kimlisa May 23, 2024 01:28
@Joerger Joerger force-pushed the joerger/allow-headless-with-local-auth-disabled branch from 419e6bb to 8448fab Compare May 23, 2024 02:07
ravicious
ravicious approved these changes May 23, 2024
View reviewed changes
lib/auth/methods.go Outdated
Comment on lines 541 to 547
// Only grab user lock on successful headless auth to perform normal login
// checks, like whether the user is locked. Failed headless login attempts
// won't lock out the user.
if err := a.WithUserLock(ctx, req.Username, func() error { return nil }); err != nil {
log.Debugf("WithUserLock for user %q failed during headless authentication: %v", req.Username, err)
return nil, trace.Wrap(authenticateHeadlessError)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does it mean to "grab user lock" in this context? "grab user lock" next to "perform normal login checks, like whether the user is locked" short-circuits my brain. 😶

I think the old comment has some useful context too, like the fact that failed headless login attempts usually fail due to timed-out or canceled attempts. It took me a minute to understand what's going on and both the new comment and the old one were crucial to figuring that out. It might be a good idea to keep that part of the old comment as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It means checking the user's failed login attempts to check whether the user is locked by failed logins, and updating the user's login attempts upon auth failure.

We actually don't need this for headless auth as it's more similar to SSO login than local login - it usually fails from timeout / cancellation. Even if the user denies a headless request we don't want to lock out the user, so it can just be removed. Updated the comment as well.

@Joerger Joerger requested a review from ravicious June 10, 2024 18:39
ravicious
ravicious approved these changes Jun 11, 2024
View reviewed changes
Copy link
Member

@ravicious ravicious left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just double checked that this doesn't allow locked user to perform headless auth and it indeed doesn't.

@Joerger Joerger force-pushed the joerger/allow-headless-with-local-auth-disabled branch from 0343383 to e995b7f Compare June 11, 2024 17:28
@Joerger
Copy link
Contributor Author

Joerger commented Jun 11, 2024

@fheinecke friendly ping to review

@rosstimothy rosstimothy self-requested a review June 11, 2024 18:06
@Joerger Joerger force-pushed the joerger/allow-headless-with-local-auth-disabled branch from e995b7f to 6531ede Compare June 11, 2024 19:15
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from fheinecke June 11, 2024 19:18
@Joerger Joerger enabled auto-merge June 12, 2024 19:52
@rosstimothy
Copy link
Contributor

@Joerger make fix-license and :shipit:

@Joerger Joerger force-pushed the joerger/allow-headless-with-local-auth-disabled branch from 2dcb20f to b142d29 Compare June 12, 2024 22:29
@Joerger Joerger added this pull request to the merge queue Jun 13, 2024
Merged via the queue into master with commit 6e3c188 Jun 13, 2024
37 checks passed
@Joerger Joerger deleted the joerger/allow-headless-with-local-auth-disabled branch June 13, 2024 00:57
@public-teleport-github-review-bot
Copy link

@Joerger See the table below for backport results.

Branch Result
branch/v14 Create PR
branch/v15 Create PR
branch/v16 Create PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ravicious ravicious ravicious approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees
No one assigned
Labels
backport/branch/v14 backport/branch/v15 backport/branch/v16 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tsh --headless should work when local auth disabled
4 participants
@Joerger @rosstimothy @ravicious @zmb3