MFA (#14049)

* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6a, reversing
changes made to 2428dd6.

* format-ttl helper fix from main

Author: zofskeez

api/client.go

@@ -51,8 +51,6 @@ const (
 	EnvRateLimit          = "VAULT_RATE_LIMIT"
 	EnvHTTPProxy          = "VAULT_HTTP_PROXY"
 	HeaderIndex           = "X-Vault-Index"
-	HeaderForward         = "X-Vault-Forward"
-	HeaderInconsistent    = "X-Vault-Inconsistent"
 )
 
 // Deprecated values
@@ -1397,7 +1395,7 @@ func ParseReplicationState(raw string, hmacKey []byte) (*logical.WALState, error
 // conjunction with RequireState.
 func ForwardInconsistent() RequestCallback {
 	return func(req *Request) {
-		req.Headers.Set(HeaderInconsistent, "forward-active-node")
+		req.Headers.Set("X-Vault-Inconsistent", "forward-active-node")
 	}
 }
 
@@ -1406,7 +1404,7 @@ func ForwardInconsistent() RequestCallback {
 // This feature must be enabled in Vault's configuration.
 func ForwardAlways() RequestCallback {
 	return func(req *Request) {
-		req.Headers.Set(HeaderForward, "active-node")
+		req.Headers.Set("X-Vault-Forward", "active-node")
 	}
 }
 

api/sys_mounts.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"time"
 
 	"github.com/mitchellh/mapstructure"
 )
@@ -66,91 +65,24 @@ func (c *Sys) Unmount(path string) error {
 	return err
 }
 
-// Remount kicks off a remount operation, polls the status endpoint using
-// the migration ID till either success or failure state is observed
 func (c *Sys) Remount(from, to string) error {
-	remountResp, err := c.StartRemount(from, to)
-	if err != nil {
-		return err
-	}
-
-	for {
-		remountStatusResp, err := c.RemountStatus(remountResp.MigrationID)
-		if err != nil {
-			return err
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == "success" {
-			return nil
-		}
-		if remountStatusResp.MigrationInfo.MigrationStatus == "failure" {
-			return fmt.Errorf("Failure! Error encountered moving mount %s to %s, with migration ID %s", from, to, remountResp.MigrationID)
-		}
-		time.Sleep(1 * time.Second)
-	}
-}
-
-// StartRemount kicks off a mount migration and returns a response with the migration ID
-func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error) {
 	body := map[string]interface{}{
 		"from": from,
 		"to":   to,
 	}
 
 	r := c.c.NewRequest("POST", "/v1/sys/remount")
 	if err := r.SetJSONBody(body); err != nil {
-		return nil, err
+		return err
 	}
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	defer cancelFunc()
 	resp, err := c.c.RawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	var result MountMigrationOutput
-	err = mapstructure.Decode(secret.Data, &result)
-	if err != nil {
-		return nil, err
-	}
-
-	return &result, err
-}
-
-// RemountStatus checks the status of a mount migration operation with the provided ID
-func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error) {
-	r := c.c.NewRequest("GET", fmt.Sprintf("/v1/sys/remount/status/%s", migrationID))
-
-	ctx, cancelFunc := context.WithCancel(context.Background())
-	defer cancelFunc()
-	resp, err := c.c.RawRequestWithContext(ctx, r)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	secret, err := ParseSecret(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if secret == nil || secret.Data == nil {
-		return nil, errors.New("data from server response is empty")
-	}
-
-	var result MountMigrationStatusOutput
-	err = mapstructure.Decode(secret.Data, &result)
-	if err != nil {
-		return nil, err
+	if err == nil {
+		defer resp.Body.Close()
 	}
-
-	return &result, err
+	return err
 }
 
 func (c *Sys) TuneMount(path string, config MountConfigInput) error {
@@ -255,18 +187,3 @@ type MountConfigOutput struct {
 	// Deprecated: This field will always be blank for newer server responses.
 	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
 }
-
-type MountMigrationOutput struct {
-	MigrationID string `mapstructure:"migration_id"`
-}
-
-type MountMigrationStatusOutput struct {
-	MigrationID   string                    `mapstructure:"migration_id"`
-	MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"`
-}
-
-type MountMigrationStatusInfo struct {
-	SourceMount     string `mapstructure:"source_mount"`
-	TargetMount     string `mapstructure:"target_mount"`
-	MigrationStatus string `mapstructure:"status"`
-}

builtin/credential/approle/path_login.go

@@ -178,14 +178,11 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 				}
 
 				belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, entry.CIDRList)
-				if err != nil {
-					return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
-				}
-
-				if !belongs {
+				if !belongs || err != nil {
 					return logical.ErrorResponse(fmt.Errorf(
-						"source address %q unauthorized through CIDR restrictions on the secret ID",
+						"source address %q unauthorized through CIDR restrictions on the secret ID: %w",
 						req.Connection.RemoteAddr,
+						err,
 					).Error()), nil
 				}
 			}

builtin/logical/ssh/path_config_ca.go

@@ -10,16 +10,13 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io"
 
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	"golang.org/x/crypto/ssh"
-
-	"github.com/mikesmitty/edkey"
 )
 
 const (
@@ -360,9 +357,9 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st
 			return "", "", err
 		}
 
-		marshalled := edkey.MarshalED25519PrivateKey(privateSeed)
-		if marshalled == nil {
-			return "", "", errors.New("unable to marshal ed25519 private key")
+		marshalled, err := x509.MarshalPKCS8PrivateKey(privateSeed)
+		if err != nil {
+			return "", "", err
 		}
 
 		privateBlock = &pem.Block{

builtin/logical/ssh/path_config_ca_test.go

@@ -191,31 +191,17 @@ func createDeleteHelper(t *testing.T, b logical.Backend, config *logical.Backend
 	}
 	resp, err := b.HandleRequest(context.Background(), caReq)
 	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("bad case %v: err: %v, resp: %v", index, err, resp)
+		t.Fatalf("bad case %v: err: %v, resp:%v", index, err, resp)
 	}
 	if !strings.Contains(resp.Data["public_key"].(string), caReq.Data["key_type"].(string)) {
 		t.Fatalf("bad case %v: expected public key of type %v but was %v", index, caReq.Data["key_type"], resp.Data["public_key"])
 	}
 
-	issueOptions := map[string]interface{}{
-		"public_key": testCAPublicKeyEd25519,
-	}
-	issueReq := &logical.Request{
-		Path:      "sign/ca-issuance",
-		Operation: logical.UpdateOperation,
-		Storage:   config.StorageView,
-		Data:      issueOptions,
-	}
-	resp, err = b.HandleRequest(context.Background(), issueReq)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("bad case %v: err: %v, resp: %v", index, err, resp)
-	}
-
 	// Delete the configured keys
 	caReq.Operation = logical.DeleteOperation
 	resp, err = b.HandleRequest(context.Background(), caReq)
 	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("bad case %v: err: %v, resp: %v", index, err, resp)
+		t.Fatalf("bad case %v: err: %v, resp:%v", index, err, resp)
 	}
 }
 
@@ -249,24 +235,6 @@ func TestSSH_ConfigCAKeyTypes(t *testing.T) {
 		{"ed25519", 0},
 	}
 
-	// Create a role for ssh signing.
-	roleOptions := map[string]interface{}{
-		"allow_user_certificates": true,
-		"allowed_users":           "*",
-		"key_type":                "ca",
-		"ttl":                     "30s",
-	}
-	roleReq := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      "roles/ca-issuance",
-		Data:      roleOptions,
-		Storage:   config.StorageView,
-	}
-	_, err = b.HandleRequest(context.Background(), roleReq)
-	if err != nil {
-		t.Fatalf("Cannot create role to issue against: %s", err)
-	}
-
 	for index, scenario := range cases {
 		createDeleteHelper(t, b, config, index, scenario.keyType, scenario.keyBits)
 	}

builtin/logical/transit/backend.go

@@ -190,7 +190,7 @@ func (b *backend) periodicFunc(ctx context.Context, req *logical.Request) error
 }
 
 // autoRotateKeys retrieves all transit keys and rotates those which have an
-// auto rotate period defined which has passed. This operation only happens
+// auto rotate interval defined which has passed. This operation only happens
 // on primary nodes and performance secondary nodes which have a local mount.
 func (b *backend) autoRotateKeys(ctx context.Context, req *logical.Request) error {
 	// Only check for autorotation once an hour to avoid unnecessarily iterating
@@ -247,15 +247,15 @@ func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, ke
 	}
 	defer p.Unlock()
 
-	// If the policy's automatic rotation period is 0, it should not
+	// If the policy's automatic rotation interval is 0, it should not
 	// automatically rotate.
-	if p.AutoRotatePeriod == 0 {
+	if p.AutoRotateInterval == 0 {
 		return nil
 	}
 
 	// Retrieve the latest version of the policy and determine if it is time to rotate.
 	latestKey := p.Keys[strconv.Itoa(p.LatestVersion)]
-	if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) {
+	if time.Now().After(latestKey.CreationTime.Add(p.AutoRotateInterval)) {
 		if b.Logger().IsDebug() {
 			b.Logger().Debug("automatically rotating key", "key", key)
 		}

builtin/logical/transit/backend_test.go

@@ -1607,7 +1607,7 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 					Operation: logical.UpdateOperation,
 					Path:      "keys/test2",
 					Data: map[string]interface{}{
-						"auto_rotate_period": 24 * time.Hour,
+						"auto_rotate_interval": 24 * time.Hour,
 					},
 				}
 				resp, err = b.HandleRequest(context.Background(), req)
@@ -1651,7 +1651,7 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 					t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 1)
 				}
 
-				// Update auto rotate period on one key to be one nanosecond
+				// Update auto rotate interval on one key to be one nanosecond
 				p, _, err := b.GetPolicy(context.Background(), keysutil.PolicyRequest{
 					Storage: storage,
 					Name:    "test2",
@@ -1662,7 +1662,7 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 				if p == nil {
 					t.Fatal("expected non-nil policy")
 				}
-				p.AutoRotatePeriod = time.Nanosecond
+				p.AutoRotateInterval = time.Nanosecond
 				err = p.Persist(context.Background(), storage)
 				if err != nil {
 					t.Fatal(err)

builtin/logical/transit/path_config.go

@@ -49,7 +49,7 @@ the latest version of the key is allowed.`,
 				Description: `Enables taking a backup of the named key in plaintext format. Once set, this cannot be disabled.`,
 			},
 
-			"auto_rotate_period": {
+			"auto_rotate_interval": {
 				Type: framework.TypeDurationSecond,
 				Description: `Amount of time the key should live before
 being automatically rotated. A value of 0
@@ -193,19 +193,19 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		}
 	}
 
-	autoRotatePeriodRaw, ok, err := d.GetOkErr("auto_rotate_period")
+	autoRotateIntervalRaw, ok, err := d.GetOkErr("auto_rotate_interval")
 	if err != nil {
 		return nil, err
 	}
 	if ok {
-		autoRotatePeriod := time.Second * time.Duration(autoRotatePeriodRaw.(int))
+		autoRotateInterval := time.Second * time.Duration(autoRotateIntervalRaw.(int))
 		// Provided value must be 0 to disable or at least an hour
-		if autoRotatePeriod != 0 && autoRotatePeriod < time.Hour {
-			return logical.ErrorResponse("auto rotate period must be 0 to disable or at least an hour"), nil
+		if autoRotateInterval != 0 && autoRotateInterval < time.Hour {
+			return logical.ErrorResponse("auto rotate interval must be 0 to disable or at least an hour"), nil
 		}
 
-		if autoRotatePeriod != p.AutoRotatePeriod {
-			p.AutoRotatePeriod = autoRotatePeriod
+		if autoRotateInterval != p.AutoRotateInterval {
+			p.AutoRotateInterval = autoRotateInterval
 			persistNeeded = true
 		}
 	}