New "weakest MFA" property breaks user comparisons

[zmb3]

I have an old Teleport local user that was likely created before we tracked whether the user has a password set and that I haven't logged in with in a long time.

I noticed that every time I log in to this old user account, I see an error in the logs which happens when we try to set the password state to "has a password".

Failed to set password state error:[
ERROR REPORT:
Original Error: *trace.CompareFailedError user zac did not match expected existing value

The compare and swap operation fails due to a mismatch in the new MfaWeakestDevice field.

  &types.UserV2{
        ... // 3 identical fields
        Metadata: {Name: "zac", Namespace: "default", ...},
        Spec:     {Roles: {"editor", "access", "auditor"}, Traits: {"aws_role_arns": nil, "db_names": nil, "db_users": nil, "kubernetes_groups": nil, ...}, CreatedBy: {Time: s"2022-05-29 17:47:02.403016 +0000 UTC", User: {Name: "b507c22c-685e-45bd-a796-7a5bcd63e3e6.zac"}}},
        Status: types.UserStatusV2{
                PasswordState:    s"PASSWORD_STATE_UNSPECIFIED",
-               MfaWeakestDevice: s"MFA_DEVICE_KIND_UNSET",
+               MfaWeakestDevice: s"MFA_DEVICE_KIND_UNSPECIFIED",
                ... // 3 ignored fields
        },
        ... // 3 ignored fields
  }

Note that the user object in backend storage has no status field at all (and therefore no MfaWeakestDevice setting):

{
  "kind": "user",
  "version": "v2",
  "metadata": {
    "name": "zac"
  },
  "spec": {
    "roles": [
      "editor",
      "access",
      "auditor"
    ],
    "traits": {
      "aws_role_arns": null,
      "db_names": null,
      "db_users": null,
      "kubernetes_groups": null,
      "kubernetes_users": null,
      "logins": null,
      "windows_logins": null
    },
    "status": {
      "is_locked": false,
      "locked_time": "0001-01-01T00:00:00Z",
      "lock_expires": "0001-01-01T00:00:00Z",
      "recovery_attempt_lock_expires": "0001-01-01T00:00:00Z"
    },
    "expires": "0001-01-01T00:00:00Z",
    "created_by": {
      "time": "2022-05-29T17:47:02.403016Z",
      "user": {
        "name": "b507c22c-685e-45bd-a796-7a5bcd63e3e6.zac"
      }
    }
  }
}

The comparison appears to fail because of new code added to GetUser that mutates the user object
instead of returning exactly what existed in storage:

teleport/lib/services/local/resource.go

Lines 343 to 346 in cb7a4d5

	if auth != nil {
	// when reading with secrets, we can populate the data automatically.
	user.SetWeakestDevice(getWeakestMFADeviceKind(auth.MFA))
	}

As a side note, SetWeakestDevice is not a great name, as not all MFA methods are devices. SetWeakestMFA would have been a better choice.

[tigrato]

@zmb3 thanks. I completely forgot we still used the compare and swap for users