Remove lib/devicetrust from lib/client (#43277)
The native device trust libraries included in lib/devicetrust
prevent client tools that don't use device trust from building
with cgo disabled. This moves the default device auth ceremony
and device enrollment from lib/client into a location specific
to tsh since it's the only tool that requires them.

Updates #43112.
rosstimothy authored Jun 20, 2024
1 parent 452c7c8 commit 48ae542
Showing 4 changed files with 30 additions and 18 deletions.
26 changes: 12 additions & 14 deletions lib/client/api.go
Expand Up @@ -77,8 +77,6 @@ import (
"github.com/gravitational/teleport/lib/client/terminal"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/devicetrust"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/events"
kubeutils "github.com/gravitational/teleport/lib/kube/utils"
"github.com/gravitational/teleport/lib/modules"
Expand Down Expand Up @@ -463,20 +461,20 @@ type Config struct {
// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
PROXYSigner multiplexer.PROXYHeaderSigner

// DTAuthnRunCeremony allows tests to override the default device
// authentication function.
// Defaults to "dtauthn.NewCeremony().Run()".
// DTAuthnRunCeremony is the device authentication function to execute
// during device login ceremonies. If not provided and device trust is
// required, then the device login will fail.
DTAuthnRunCeremony DTAuthnRunCeremonyFunc

// dtAttemptLoginIgnorePing and dtAutoEnrollIgnorePing allow Device Trust
// tests to ignore Ping responses.
// Useful to force flows that only typically happen on Teleport Enterprise.
dtAttemptLoginIgnorePing, dtAutoEnrollIgnorePing bool

// dtAutoEnroll allows tests to override the default device auto-enroll
// function.
// Defaults to [dtenroll.AutoEnroll].
dtAutoEnroll dtAutoEnrollFunc
// DTAutoEnroll is the device auto-enroll function to execute during
// device enrollment. If not provided and device trust auto-enrollment
// is enabled, then the enrollment process will fail.
DTAutoEnroll DTAutoEnrollFunc

// WebauthnLogin allows tests to override the Webauthn Login func.
// Defaults to [wancli.Login].
Expand Down Expand Up @@ -1069,8 +1067,8 @@ func (c *Config) ResourceFilter(kind string) *proto.ListResourcesRequest {
// DTAuthnRunCeremonyFunc matches the signature of [dtauthn.Ceremony.Run].
type DTAuthnRunCeremonyFunc func(context.Context, devicepb.DeviceTrustServiceClient, *devicepb.UserCertificates) (*devicepb.UserCertificates, error)

// dtAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
type dtAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)
// DTAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
type DTAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)

// TeleportClient is a wrapper around SSH client with teleport specific
// workflow built in.
Expand Down Expand Up @@ -3735,7 +3733,7 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
// Allow tests to override the default authn function.
runCeremony := tc.DTAuthnRunCeremony
if runCeremony == nil {
runCeremony = dtauthn.NewCeremony().Run
return nil, trace.BadParameter("device authentication not enabled")
}

// Login without a previous auto-enroll attempt.
Expand All @@ -3756,9 +3754,9 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
return nil, trace.Wrap(loginErr) // err swallowed for loginErr
}

autoEnroll := tc.dtAutoEnroll
autoEnroll := tc.DTAutoEnroll
if autoEnroll == nil {
autoEnroll = dtenroll.AutoEnroll
return nil, trace.BadParameter("device auto enrollment not enabled")
}

// Auto-enroll and Login again.
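Review bot: The doc links `[dtauthn.Ceremony.Run]` and `[dtenroll.AutoEnroll]` on the DTAuthnRunCeremonyFunc and DTAutoEnrollFunc type comments now dangle, because this commit drops the dtauthn and dtenroll imports from api.go and a Go doc link to a package that is not imported has to spell out the full import path. I'd write them as `[github.com/gravitational/teleport/lib/devicetrust/authn.Ceremony.Run]` and `[github.com/gravitational/teleport/lib/devicetrust/enroll.AutoEnroll]`, or drop the brackets. The context comment `// Allow tests to override the default authn function.` above the new nil check in DeviceLogin is also stale now that there is no in-package default and a nil function is a hard failure; `// The ceremony is injected by the calling tool; there is no default here, so a nil function fails closed.` describes the new contract. Failing closed with BadParameter is the right outcome, since a required device check must never be silently skipped when the implementation is missing. DeviceLogin starts and ends outside the hunk.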
4 changes: 2 additions & 2 deletions lib/client/export_test.go
Expand Up @@ -32,6 +32,6 @@ func (tc *TeleportClient) SetDTAuthnRunCeremony(fn DTAuthnRunCeremonyFunc) {
tc.DTAuthnRunCeremony = fn
}

func (tc *TeleportClient) SetDTAutoEnroll(fn dtAutoEnrollFunc) {
tc.dtAutoEnroll = fn
func (tc *TeleportClient) SetDTAutoEnroll(fn DTAutoEnrollFunc) {
tc.DTAutoEnroll = fn
}
4 changes: 4 additions & 0 deletions lib/teleterm/clusters/storage.go
Expand Up @@ -27,6 +27,8 @@ import (

"github.com/gravitational/teleport/api/profile"
"github.com/gravitational/teleport/lib/client"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/teleterm/api/uri"
)

Expand Down Expand Up @@ -285,6 +287,8 @@ func (s *Storage) makeDefaultClientConfig() *client.Config {
// true.
cfg.AllowStdinHijack = true

cfg.DTAuthnRunCeremony = dtauthn.NewCeremony().Run
cfg.DTAutoEnroll = dtenroll.AutoEnroll
return cfg
}

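Review bot: The two assignments added at the end of makeDefaultClientConfig carry no comment explaining why lib/teleterm wires the native device trust implementations when the commit message says tsh is the only tool that needs them; presumably Teleport Connect also runs device login, but a reader of this file cannot tell, and the cgo dependency the commit removes from lib/client is kept here without that being stated. I'd add above them `// lib/client no longer provides device trust defaults (lib/devicetrust needs cgo); wire the native ceremony and auto-enroll implementations here so device login in Connect keeps working.` so the next refactor does not drop them as unused. The import hunk and this hunk are the only changes in the file; makeDefaultClientConfig begins outside the hunk.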
14 changes: 12 additions & 2 deletions tool/tsh/common/tsh.go
Expand Up @@ -77,6 +77,8 @@ import (
dbprofile "github.com/gravitational/teleport/lib/client/db"
"github.com/gravitational/teleport/lib/client/identityfile"
"github.com/gravitational/teleport/lib/defaults"
dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
"github.com/gravitational/teleport/lib/kube/kubeconfig"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/observability/tracing"
Expand Down Expand Up @@ -522,6 +524,11 @@ type CLIConf struct {
// Defaults to [dtauthn.NewCeremony().Run].
DTAuthnRunCeremony client.DTAuthnRunCeremonyFunc

// DTAutoEnroll allows tests to override the default device
// auto-enroll function.
// Defaults to [dtenroll.AutoEnroll].
DTAutoEnroll client.DTAutoEnrollFunc

// WebauthnLogin allows tests to override the Webauthn Login func.
// Defaults to [wancli.Login].
WebauthnLogin client.WebauthnLoginFunc
Expand Down Expand Up @@ -680,8 +687,10 @@ func initLogger(cf *CLIConf) {
// DO NOT RUN TESTS that call Run() in parallel (unless you taken precautions).
func Run(ctx context.Context, args []string, opts ...CliOption) error {
cf := CLIConf{
Context: ctx,
TracingProvider: tracing.NoopProvider(),
Context: ctx,
TracingProvider: tracing.NoopProvider(),
DTAuthnRunCeremony: dtauthn.NewCeremony().Run,
DTAutoEnroll: dtenroll.AutoEnroll,
}

// run early to enable debug logging if env var is set.
Expand Down Expand Up @@ -4028,6 +4037,7 @@ func loadClientConfigFromCLIConf(cf *CLIConf, proxy string) (*client.Config, err
c.MockSSOLogin = cf.MockSSOLogin
c.MockHeadlessLogin = cf.MockHeadlessLogin
c.DTAuthnRunCeremony = cf.DTAuthnRunCeremony
c.DTAutoEnroll = cf.DTAutoEnroll
c.WebauthnLogin = cf.WebauthnLogin

// pass along MySQL/Postgres path overrides (only used in tests).
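Review bot: The defaults for DTAuthnRunCeremony and DTAutoEnroll now live only in the CLIConf literal inside Run, so a CLIConf built anywhere else (tests or another entry point, if one exists — I can't tell from these hunks) gets nil functions and device login fails with the new `device authentication not enabled` error from lib/client instead of picking up a default as before. A short comment on those two fields, e.g. `// Wire the native device trust implementations here rather than in lib/client so cgo-free client tools do not link lib/devicetrust.`, records why the defaults moved and keeps a later cleanup from removing them. The `// Defaults to [dtauthn.NewCeremony().Run].` doc on CLIConf.DTAuthnRunCeremony and the new DTAutoEnroll doc resolve again now that tsh.go imports those packages. Run and loadClientConfigFromCLIConf both continue past their hunks.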