github.com/gravitational/teleport/api@v0.0.0-20240507183017-3110591cbafc/mfa/mfa_test.go (about) 1 /* 2 Copyright 2023 Gravitational, Inc. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package mfa_test 18 19 import ( 20 "context" 21 "net" 22 "testing" 23 24 "github.com/gravitational/trace" 25 "github.com/stretchr/testify/assert" 26 "github.com/stretchr/testify/require" 27 "google.golang.org/grpc" 28 "google.golang.org/grpc/credentials" 29 30 "github.com/gravitational/teleport/api/client/proto" 31 "github.com/gravitational/teleport/api/mfa" 32 "github.com/gravitational/teleport/api/testhelpers/mtls" 33 "github.com/gravitational/teleport/api/utils/grpc/interceptors" 34 ) 35 36 const otpTestCode = "otp-test-code" 37 38 type mfaService struct { 39 proto.UnimplementedAuthServiceServer 40 } 41 42 func (s *mfaService) Ping(ctx context.Context, req *proto.PingRequest) (*proto.PingResponse, error) { 43 if err := verifyMFAFromContext(ctx); err != nil { 44 return nil, trace.Wrap(err) 45 } 46 return &proto.PingResponse{}, nil 47 } 48 49 func verifyMFAFromContext(ctx context.Context) error { 50 mfaResp, err := mfa.CredentialsFromContext(ctx) 51 if err != nil { 52 // (In production consider logging err, so we don't swallow it silently.) 53 return trace.Wrap(&mfa.ErrAdminActionMFARequired) 54 } 55 56 switch r := mfaResp.Response.(type) { 57 case *proto.MFAAuthenticateResponse_TOTP: 58 if r.TOTP.Code != otpTestCode { 59 return trace.AccessDenied("failed MFA verification") 60 } 61 default: 62 return trace.BadParameter("unexpected mfa response type %T", r) 63 } 64 65 return nil 66 } 67 68 // TestMFAPerRPCCredentials tests the MFA verification process between a client and server. 69 func TestMFAPerRPCCredentials(t *testing.T) { 70 t.Parallel() 71 72 mtlsConfig := mtls.NewConfig(t) 73 listener, err := net.Listen("tcp", "localhost:0") 74 require.NoError(t, err) 75 76 server := grpc.NewServer( 77 grpc.ChainUnaryInterceptor(interceptors.GRPCServerUnaryErrorInterceptor), 78 grpc.Creds(credentials.NewTLS(mtlsConfig.ServerTLS)), 79 ) 80 proto.RegisterAuthServiceServer(server, &mfaService{}) 81 go func() { 82 server.Serve(listener) 83 }() 84 defer server.Stop() 85 86 conn, err := grpc.Dial( 87 listener.Addr().String(), 88 grpc.WithTransportCredentials(credentials.NewTLS(mtlsConfig.ClientTLS)), 89 grpc.WithUnaryInterceptor(interceptors.GRPCClientUnaryErrorInterceptor), 90 ) 91 require.NoError(t, err) 92 defer conn.Close() 93 94 client := proto.NewAuthServiceClient(conn) 95 _, err = client.Ping(context.Background(), &proto.PingRequest{}) 96 assert.ErrorIs(t, err, &mfa.ErrAdminActionMFARequired, "Ping error mismatch") 97 98 mfaTestResp := &proto.MFAAuthenticateResponse{ 99 Response: &proto.MFAAuthenticateResponse_TOTP{ 100 TOTP: &proto.TOTPResponse{ 101 Code: otpTestCode, 102 }, 103 }, 104 } 105 106 _, err = client.Ping(context.Background(), &proto.PingRequest{}, mfa.WithCredentials(mfaTestResp)) 107 assert.NoError(t, err) 108 }