Fix Admin MFA required check (gravitational#51618)

* Fix admin mfa required check. * Fix test. * Add client fallback mechanism by removing pre-existing mfa context from admin action mfa ceremony.
carloscastrojumo · Feb 19, 2025 · d9d1951 · d9d1951
1 parent a8d8eb8
commit d9d1951
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 10 deletions.
diff --git a/api/mfa/ceremony.go b/api/mfa/ceremony.go
@@ -137,6 +137,13 @@ func PerformAdminActionMFACeremony(ctx context.Context, mfaCeremony CeremonyFn,
 		},
 	}
 
-	resp, err := mfaCeremony(ctx, challengeRequest, WithPromptReasonAdminAction())
+	// Remove MFA resp from context if set. This way, the mfa required
+	// check will return true as long as MFA for admin actions is enabled,
+	// even if the current context has a reusable MFA. v18 server will
+	// return this requirement as expected.
+	// TODO(Joerger): DELETE IN v19.0.0
+	ceremonyCtx := ContextWithMFAResponse(ctx, nil)
+
+	resp, err := mfaCeremony(ceremonyCtx, challengeRequest, WithPromptReasonAdminAction())
 	return resp, trace.Wrap(err)
 }
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -5991,15 +5991,15 @@ func (a *ServerWithRoles) IsMFARequired(ctx context.Context, req *proto.IsMFAReq
 	// Check if MFA is required for admin actions. We don't currently have
 	// a reason to check the name of the admin action in question.
 	if _, ok := req.Target.(*proto.IsMFARequiredRequest_AdminAction); ok {
-		if a.context.AdminActionAuthState == authz.AdminActionAuthUnauthorized {
+		if a.context.AdminActionAuthState == authz.AdminActionAuthNotRequired {
 			return &proto.IsMFARequiredResponse{
-				Required:    true,
-				MFARequired: proto.MFARequired_MFA_REQUIRED_YES,
+				Required:    false,
+				MFARequired: proto.MFARequired_MFA_REQUIRED_NO,
 			}, nil
 		} else {
 			return &proto.IsMFARequiredResponse{
-				Required:    false,
-				MFARequired: proto.MFARequired_MFA_REQUIRED_NO,
+				Required:    true,
+				MFARequired: proto.MFARequired_MFA_REQUIRED_YES,
 			}, nil
 		}
 	}

diff --git a/lib/auth/auth_with_roles_test.go b/lib/auth/auth_with_roles_test.go
@@ -9545,15 +9545,15 @@ func TestIsMFARequired_AdminAction(t *testing.T) {
 			name:                 "mfa verified",
 			adminActionAuthState: authz.AdminActionAuthMFAVerified,
 			expectResp: &proto.IsMFARequiredResponse{
-				Required:    false,
-				MFARequired: proto.MFARequired_MFA_REQUIRED_NO,
+				Required:    true,
+				MFARequired: proto.MFARequired_MFA_REQUIRED_YES,
 			},
 		}, {
 			name:                 "mfa verified with reuse",
 			adminActionAuthState: authz.AdminActionAuthMFAVerifiedWithReuse,
 			expectResp: &proto.IsMFARequiredResponse{
-				Required:    false,
-				MFARequired: proto.MFARequired_MFA_REQUIRED_NO,
+				Required:    true,
+				MFARequired: proto.MFARequired_MFA_REQUIRED_YES,
 			},
 		},
 	} {