forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mfa.go
88 lines (77 loc) · 2.93 KB
/
mfa.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
// Package mfa provides wrappers to add multi-factor authentication
// to any auth method.
//
// To add MFA to a backend, replace its login path with the
// paths returned by MFAPaths and add the additional root
// paths returned by MFARootPaths. The backend provides
// the username to the MFA wrapper in Auth.Metadata['username'].
//
// To add an additional MFA type, create a subpackage that
// implements [Type]Paths, [Type]RootPaths, and [Type]Handler
// functions and add them to MFAPaths, MFARootPaths, and
// handlers respectively.
package mfa
import (
"context"
"github.com/hashicorp/vault/helper/mfa/duo"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
// MFAPaths returns paths to wrap the original login path and configure MFA.
// When adding MFA to a backend, these paths should be included instead of
// the login path in Backend.Paths.
func MFAPaths(originalBackend *framework.Backend, loginPath *framework.Path) []*framework.Path {
var b backend
b.Backend = originalBackend
return append(duo.DuoPaths(), pathMFAConfig(&b), wrapLoginPath(&b, loginPath))
}
// MFARootPaths returns path strings used to configure MFA. When adding MFA
// to a backend, these paths should be included in
// Backend.PathsSpecial.Root.
func MFARootPaths() []string {
return append(duo.DuoRootPaths(), "mfa_config")
}
// HandlerFunc is the callback called to handle MFA for a login request.
type HandlerFunc func(context.Context, *logical.Request, *framework.FieldData, *logical.Response) (*logical.Response, error)
// handlers maps each supported MFA type to its handler.
var handlers = map[string]HandlerFunc{
"duo": duo.DuoHandler,
}
type backend struct {
*framework.Backend
}
func wrapLoginPath(b *backend, loginPath *framework.Path) *framework.Path {
loginPath.Fields["passcode"] = &framework.FieldSchema{
Type: framework.TypeString,
Description: "One time passcode (optional)",
}
loginPath.Fields["method"] = &framework.FieldSchema{
Type: framework.TypeString,
Description: "Multi-factor auth method to use (optional)",
}
// wrap write callback to do MFA after auth
loginHandler := loginPath.Callbacks[logical.UpdateOperation]
loginPath.Callbacks[logical.UpdateOperation] = b.wrapLoginHandler(loginHandler)
return loginPath
}
func (b *backend) wrapLoginHandler(loginHandler framework.OperationFunc) framework.OperationFunc {
return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// login with original login function first
resp, err := loginHandler(ctx, req, d)
if err != nil || resp.Auth == nil {
return resp, err
}
// check if multi-factor enabled
mfa_config, err := b.MFAConfig(ctx, req)
if err != nil || mfa_config == nil {
return resp, nil
}
// perform multi-factor authentication if type supported
handler, ok := handlers[mfa_config.Type]
if ok {
return handler(ctx, req, d, resp)
} else {
return resp, err
}
}
}