Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Per-session MFA for leaf apps #51394

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Fix Per-session MFA for leaf apps #51394

wants to merge 8 commits into from
+535 −105

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Jan 23, 2025
edited
Loading

MFA for app access in the WebUI mistakenly used the user's root client to check if mfa is required when connecting to a leaf app:

	// MFA verification should run in the cluster that holds the target resource.
	// If you are issuing challenges from the root cluster, but accessing a leaf,
	// call [AuthService.IsMFARequired] in the leaf instead of setting this field.
	MFARequiredCheck *IsMFARequiredRequest `protobuf:"bytes,5,opt,name=MFARequiredCheck,proto3" json:"mfa_required_check,omitempty"`

Fixes #51350

Changelog: Fix connecting to Apps in a leaf cluster when Per-session MFA is enabled.

@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch 2 times, most recently from f4ac8f6 to fa93b48 Compare January 23, 2025 20:09
@Joerger Joerger marked this pull request as ready for review January 23, 2025 20:09
@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch from fa93b48 to add9cc9 Compare January 23, 2025 20:10
@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch 2 times, most recently from 9ca5eae to e2d0ae8 Compare January 23, 2025 22:34
flyinghermit
flyinghermit reviewed Jan 24, 2025
View reviewed changes
lib/web/mfa.go Show resolved Hide resolved
lib/web/mfa.go Outdated
Comment on lines 202 to 213
// If the MFA requirement check is being performed for a leaf host, we must check directly
// with the leaf cluster before the authentication challenge request through root.
if req.IsMFARequiredRequest.ClusterID != "" && req.IsMFARequiredRequest.ClusterID != c.cfg.RootClusterName {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add some test coverage for the fix?

@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch from 2e285ab to 5c887d6 Compare January 30, 2025 03:55
@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch from eae69cf to de47e12 Compare January 30, 2025 23:29
@Joerger Joerger force-pushed the joerger/fix-mfa-leaf-app branch from 98892fa to d18d4ff Compare January 31, 2025 00:13
flyinghermit
flyinghermit approved these changes Jan 31, 2025
View reviewed changes
Copy link
Contributor

@flyinghermit flyinghermit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for the tests.

lib/web/mfa.go
// If this is an mfa required check for a leaf host, we need to check the requirement through
// the leaf cluster, rather than through root in the authenticate challenge request below
//
// TODO(Joerger): Currently, we only leafs hosts that we check mfa requirements for directly
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this commentry reads like its missing some words

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flyinghermit flyinghermit flyinghermit approved these changes

@ravicious ravicious ravicious approved these changes

Assignees
No one assigned
Labels
backport/branch/v16 backport/branch/v17 size/sm ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

App MFA disable keeps failing MFA challenge
3 participants
@Joerger @ravicious @flyinghermit