diff --git a/lib/client/api.go b/lib/client/api.go
index 985631be8f9e9..1931d32d4c0a4 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -77,8 +77,6 @@ import (
 	"github.com/gravitational/teleport/lib/client/terminal"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/devicetrust"
-	dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
-	dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
 	"github.com/gravitational/teleport/lib/events"
 	kubeutils "github.com/gravitational/teleport/lib/kube/utils"
 	"github.com/gravitational/teleport/lib/modules"
@@ -463,9 +461,9 @@ type Config struct {
 	// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
 	PROXYSigner multiplexer.PROXYHeaderSigner
-	// DTAuthnRunCeremony allows tests to override the default device
-	// authentication function.
-	// Defaults to "dtauthn.NewCeremony().Run()".
+	// DTAuthnRunCeremony is the device authentication function to execute
+	// during device login ceremonies. If not provided and device trust is
+	// required, then the device login will fail.
 	DTAuthnRunCeremony DTAuthnRunCeremonyFunc
 	// dtAttemptLoginIgnorePing and dtAutoEnrollIgnorePing allow Device Trust
@@ -473,10 +471,10 @@ type Config struct {
 	// Useful to force flows that only typically happen on Teleport Enterprise.
 	dtAttemptLoginIgnorePing, dtAutoEnrollIgnorePing bool
-	// dtAutoEnroll allows tests to override the default device auto-enroll
-	// function.
-	// Defaults to [dtenroll.AutoEnroll].
-	dtAutoEnroll dtAutoEnrollFunc
+	// DTAutoEnroll is the device auto-enroll function to execute during
+	// device enrollment. If not provided and device trust auto-enrollment
+	// is enabled, then the enrollment process will fail.
+	DTAutoEnroll DTAutoEnrollFunc
 	// WebauthnLogin allows tests to override the Webauthn Login func.
 	// Defaults to [wancli.Login].
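Review bot: The new doc on DTAuthnRunCeremony (the `+` comment lines in the `@@ -463` hunk) says login fails only "if device trust is required", but the matching DeviceLogin change returns a BadParameter error whenever the field is nil, and nothing in lib/client installs a default any more. Library consumers that build client.Config themselves will therefore lose device login unless they wire the ceremony the way tsh and teleterm now do. I would state that in the field doc, e.g. `// DTAuthnRunCeremony runs the device authentication ceremony during device login. There is no default: callers must set it (tsh and teleterm use dtauthn.NewCeremony().Run); DeviceLogin returns a BadParameter error when it is nil.`, and mirror the wording on DTAutoEnroll. Whether a nil value is tolerated before DeviceLogin is ever reached depends on callers outside this hunk.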
@@ -1069,8 +1067,8 @@ func (c *Config) ResourceFilter(kind string) *proto.ListResourcesRequest {
 // DTAuthnRunCeremonyFunc matches the signature of [dtauthn.Ceremony.Run].
 type DTAuthnRunCeremonyFunc func(context.Context, devicepb.DeviceTrustServiceClient, *devicepb.UserCertificates) (*devicepb.UserCertificates, error)
-// dtAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
-type dtAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)
+// DTAutoEnrollFunc matches the signature of [dtenroll.AutoEnroll].
+type DTAutoEnrollFunc func(context.Context, devicepb.DeviceTrustServiceClient) (*devicepb.Device, error)
 // TeleportClient is a wrapper around SSH client with teleport specific
 // workflow built in.
@@ -3735,7 +3733,7 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
 	// Allow tests to override the default authn function.
 	runCeremony := tc.DTAuthnRunCeremony
 	if runCeremony == nil {
-		runCeremony = dtauthn.NewCeremony().Run
+		return nil, trace.BadParameter("device authentication not enabled")
 	}
 	// Login without a previous auto-enroll attempt.
@@ -3756,9 +3754,9 @@ func (tc *TeleportClient) DeviceLogin(ctx context.Context, rootAuthClient authcl
 		return nil, trace.Wrap(loginErr) // err swallowed for loginErr
 	}
-	autoEnroll := tc.dtAutoEnroll
+	autoEnroll := tc.DTAutoEnroll
 	if autoEnroll == nil {
-		autoEnroll = dtenroll.AutoEnroll
+		return nil, trace.BadParameter("device auto enrollment not enabled")
 	}
 	// Auto-enroll and Login again.
diff --git a/lib/client/export_test.go b/lib/client/export_test.go
index 6ea8a9015e1e7..cd74528139cc3 100644
--- a/lib/client/export_test.go
+++ b/lib/client/export_test.go
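Review bot: The context comment `// Allow tests to override the default authn function.` directly above the changed lines in the `@@ -3735` hunk is now stale, because the default is gone and a nil DTAuthnRunCeremony is a hard error rather than a test hook. I would replace it with `// DTAuthnRunCeremony has no default; callers such as tsh and teleterm must wire it explicitly.`. The error text "device authentication not enabled" also reads like a cluster policy decision when it is really a client misconfiguration, which will mislead operators triaging device-trust login failures; `trace.BadParameter("device authentication ceremony not configured in client")` says what actually happened. Failing closed here instead of skipping the ceremony is the right call. DeviceLogin starts and ends outside this hunk.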
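Review bot: In the `@@ -3756` hunk the new `return nil, trace.BadParameter("device auto enrollment not enabled")` discards loginErr, the device-login failure that led to the enrollment attempt, so the caller only learns that no enroll function was configured and not why the first login failed. Since loginErr is visible in scope a few lines above, I would surface both, e.g. `return nil, trace.NewAggregate(trace.BadParameter("device auto enrollment not enabled"), loginErr)`. As with the authn check, refusing to continue without an enrollment function rather than silently proceeding unenrolled is the secure default and should stay. The enclosing DeviceLogin body starts and ends outside the hunk.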
@@ -32,6 +32,6 @@ func (tc *TeleportClient) SetDTAuthnRunCeremony(fn DTAuthnRunCeremonyFunc) {
 	tc.DTAuthnRunCeremony = fn
 }
-func (tc *TeleportClient) SetDTAutoEnroll(fn dtAutoEnrollFunc) {
-	tc.dtAutoEnroll = fn
+func (tc *TeleportClient) SetDTAutoEnroll(fn DTAutoEnrollFunc) {
+	tc.DTAutoEnroll = fn
 }
diff --git a/lib/teleterm/clusters/storage.go b/lib/teleterm/clusters/storage.go
index 6de5378468ea1..8018d6017b2fd 100644
--- a/lib/teleterm/clusters/storage.go
+++ b/lib/teleterm/clusters/storage.go
@@ -27,6 +27,8 @@ import (
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/lib/client"
+	dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
+	dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
 )
@@ -285,6 +287,8 @@ func (s *Storage) makeDefaultClientConfig() *client.Config {
 	// true.
 	cfg.AllowStdinHijack = true
+	cfg.DTAuthnRunCeremony = dtauthn.NewCeremony().Run
+	cfg.DTAutoEnroll = dtenroll.AutoEnroll
 	return cfg
 }
diff --git a/tool/tsh/common/tsh.go b/tool/tsh/common/tsh.go
index 95ae46af6b7fd..faaeb2878c4ae 100644
--- a/tool/tsh/common/tsh.go
+++ b/tool/tsh/common/tsh.go
@@ -77,6 +77,8 @@ import (
 	dbprofile "github.com/gravitational/teleport/lib/client/db"
 	"github.com/gravitational/teleport/lib/client/identityfile"
 	"github.com/gravitational/teleport/lib/defaults"
+	dtauthn "github.com/gravitational/teleport/lib/devicetrust/authn"
+	dtenroll "github.com/gravitational/teleport/lib/devicetrust/enroll"
 	"github.com/gravitational/teleport/lib/kube/kubeconfig"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/observability/tracing"
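Review bot: The two new assignments at the end of makeDefaultClientConfig in the `@@ -285` hunk are load-bearing for Device Trust but carry no comment saying why teleterm, rather than lib/client, now owns them; a future cleanup could drop them without noticing that DeviceLogin returns a BadParameter error when they are nil. I would add above them `// lib/client no longer defaults the Device Trust ceremonies; without these, device login and auto-enrollment fail.`. A small test asserting that the returned config has non-nil DTAuthnRunCeremony and DTAutoEnroll would guard the same regression.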
@@ -522,6 +524,11 @@ type CLIConf struct {
 	// Defaults to [dtauthn.NewCeremony().Run].
 	DTAuthnRunCeremony client.DTAuthnRunCeremonyFunc
+	// DTAutoEnroll allows tests to override the default device
+	// auto-enroll function.
+	// Defaults to [dtenroll.AutoEnroll].
+	DTAutoEnroll client.DTAutoEnrollFunc
+
 	// WebauthnLogin allows tests to override the Webauthn Login func.
 	// Defaults to [wancli.Login].
 	WebauthnLogin client.WebauthnLoginFunc
@@ -680,8 +687,10 @@ func initLogger(cf *CLIConf) {
 // DO NOT RUN TESTS that call Run() in parallel (unless you taken precautions).
 func Run(ctx context.Context, args []string, opts ...CliOption) error {
 	cf := CLIConf{
-		Context: ctx,
-		TracingProvider: tracing.NoopProvider(),
+		Context: ctx,
+		TracingProvider: tracing.NoopProvider(),
+		DTAuthnRunCeremony: dtauthn.NewCeremony().Run,
+		DTAutoEnroll: dtenroll.AutoEnroll,
 	}
 	// run early to enable debug logging if env var is set.
@@ -4028,6 +4037,7 @@ func loadClientConfigFromCLIConf(cf *CLIConf, proxy string) (*client.Config, err
 	c.MockSSOLogin = cf.MockSSOLogin
 	c.MockHeadlessLogin = cf.MockHeadlessLogin
 	c.DTAuthnRunCeremony = cf.DTAuthnRunCeremony
+	c.DTAutoEnroll = cf.DTAutoEnroll
 	c.WebauthnLogin = cf.WebauthnLogin
 	// pass along MySQL/Postgres path overrides (only used in tests).
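Review bot: The added DTAutoEnroll doc in the `@@ -522` hunk says it "Defaults to [dtenroll.AutoEnroll]", but that default is installed only by Run in the following hunk; a CLIConf built any other way carries nil, which lib/client now rejects with a BadParameter error instead of falling back. I would make the source of the default explicit: `// DTAutoEnroll allows tests to override the device auto-enroll function.` followed by `// Run sets it to [dtenroll.AutoEnroll]; a zero CLIConf has no default.`, and apply the same wording to the DTAuthnRunCeremony comment just above it. Whether any CLIConf is constructed outside Run is not visible in this diff.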