MFA for admin actions: Add MFA prompt to API client (tctl and tsh)

[Joerger]

This PR updates the API client to prompt for MFA for admin actions. This can be done either by passing the call option directly, or retrying after getting the relevant access denied error.

Part of implementing RFD 131.

In follow up PRs, Admin Action API requests will be updated to

• Client side: provide MFA through the call option when we know MFA is required
• Server side: verify the MFA passed in the request context.
  • MFA will not be required until we flip the switch in Teleport 15, but Teleport 14 clients will be able to pass the requirement with the retry mechanism added in this PR.

This is used in tctl, tsh, and Teleport Connect, though Teleport Connect does not show a modal yet.

WebSessions do not use this retry mechanism. I follow up this PR with a solution for the WebUI if I find a way to do it.

Depends on #30578

[codingllama]

Reviewed commit-by-commit, so some comments may be repeated (or already addressed).

First of all thanks for the refactor, moving client-MFA to its own package is a good idea.

I think overall the PR is too big, it would be easier to review a smaller, more gradual package move, with changes separate in their own PRs. If you want to break it up, given the number of comments, it might be a good idea. (You can preemptively address the comments in future PRs.)

[codingllama]

One more reason to break the PR is so we can backport the package move, but not the admin changes. If we don't backport the move, any eventual fixes in older code will be nasty to get to old releases.

[codingllama]

This is WAY simpler to review now, I didn't even recognize it at first. Many thanks for all the refactors.

[rosstimothy]

Do we really want any and every client created to have this interceptor or just the tctl client? Should the client used by a node/app/db/kube/etc service have this interceptor included?

[codingllama]

I'd say yes, why would we not want it?

[rosstimothy]

How is the Proxy supposed to perform MFA?

[codingllama]

Oh sorry, I was thinking about the wrong PR. Ignore me.

[Joerger]

I've changed this so it is only used for tsh, tctl, and Teleport Connect.

The interceptor will always be set, but it'll essentially be a noop unless client.PromptAdminRequestMFA is set.

To be specific, it will aggregate trace.BadParameter("missing PromptAdminRequestMFA field, client cannot perform MFA ceremony") with the ErrAdminActionMFARequired passed through the interceptor.

@codingllama you mentioned before that you weren't sold on enabling/disabling the interceptor in this way, but I think it makes more sense. If the client has a method to prompt MFA, it should. If it doesn't, it shouldn't. Adding a separate flag seems redundant.

[codingllama]

How difficult would it be to create certain clients without the interceptor?

If you think it isn't worth it, or a worse solution, we can go with the nil. Thanks for calling attention to it explicitly.

[Joerger]

I think having the aggregated error is slightly better as it can help point us in the right direction with any bugs, such as if a client does not have PromptAdminRequestMFA set when we expect it to. Also adding the mfa-retry interceptor into the middle of list after the fact is a bit awkward from a code formatting perspective.