gravitational · Joerger · Jan 24, 2024 · Jan 12, 2024 · Jan 23, 2024 · Jan 23, 2024
diff --git a/web/packages/teleport/src/Account/AccountNew.tsx b/web/packages/teleport/src/Account/AccountNew.tsx
@@ -28,7 +28,7 @@ import { FeatureBox } from 'teleport/components/Layout';
 import ReAuthenticate from 'teleport/components/ReAuthenticate';
 import { RemoveDialog } from 'teleport/components/MfaDeviceList';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import { AuthDeviceList } from './ManageDevices/AuthDeviceList/AuthDeviceList';
 import useManageDevices, {
@@ -216,7 +216,7 @@ export function Account({
             onAuthenticated={setToken}
             onClose={hideReAuthenticate}
             actionText="registering a new device"
-            challengeScope={MFAChallengeScope.USER_SESSION}
+            challengeScope={MfaChallengeScope.USER_SESSION}
           />
         )}
         {isAddDeviceVisible && (

diff --git a/web/packages/teleport/src/Account/ManageDevices/ManageDevices.tsx b/web/packages/teleport/src/Account/ManageDevices/ManageDevices.tsx
@@ -30,7 +30,7 @@ import MfaDeviceList, { RemoveDialog } from 'teleport/components/MfaDeviceList';
 
 import ReAuthenticate from 'teleport/components/ReAuthenticate';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import AddDevice from './AddDevice';
 import useManageDevices, { State } from './useManageDevices';
@@ -106,7 +106,7 @@ export function ManageDevices({
           onAuthenticated={setToken}
           onClose={hideReAuthenticate}
           actionText="registering a new device"
-          challengeScope={MFAChallengeScope.USER_SESSION}
+          challengeScope={MfaChallengeScope.USER_SESSION}
         />
       )}
       {isAddDeviceVisible && (

diff --git a/web/packages/teleport/src/Console/DocumentSsh/useGetScpUrl.ts b/web/packages/teleport/src/Console/DocumentSsh/useGetScpUrl.ts
@@ -20,7 +20,7 @@ import { useCallback } from 'react';
 import useAttempt from 'shared/hooks/useAttemptNext';
 
 import cfg, { UrlScpParams } from 'teleport/config';
-import auth, { MFAChallengeScope } from 'teleport/services/auth/auth';
+import auth, { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 export default function useGetScpUrl(addMfaToScpUrls: boolean) {
   const { setAttempt, attempt, handleError } = useAttempt('');
@@ -36,7 +36,7 @@ export default function useGetScpUrl(addMfaToScpUrls: boolean) {
       }
       try {
         let webauthn = await auth.getWebauthnResponse(
-          MFAChallengeScope.USER_SESSION
+          MfaChallengeScope.USER_SESSION
         );
         setAttempt({
           status: 'success',

diff --git a/web/packages/teleport/src/Discover/ConnectMyComputer/TestConnection/TestConnection.tsx b/web/packages/teleport/src/Discover/ConnectMyComputer/TestConnection/TestConnection.tsx
@@ -47,7 +47,7 @@ import {
 import { sortNodeLogins } from 'teleport/services/nodes';
 import { ApiError } from 'teleport/services/api/parseError';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import { NodeMeta } from '../../useDiscover';
 
@@ -174,7 +174,7 @@ export function TestConnection(props: AgentStepProps) {
             })
           }
           onClose={cancelMfaDialog}
-          challengeScope={MFAChallengeScope.USER_SESSION}
+          challengeScope={MfaChallengeScope.USER_SESSION}
         />
       )}
       <Header>

diff --git a/web/packages/teleport/src/Discover/Database/TestConnection/TestConnection.tsx b/web/packages/teleport/src/Discover/Database/TestConnection/TestConnection.tsx
@@ -25,7 +25,7 @@ import TextSelectCopy from 'teleport/components/TextSelectCopy';
 import { generateTshLoginCommand } from 'teleport/lib/util';
 import ReAuthenticate from 'teleport/components/ReAuthenticate';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import {
   ActionButtons,
@@ -91,7 +91,7 @@ export function TestConnectionView({
         <ReAuthenticate
           onMfaResponse={res => testConnection(makeTestConnRequest(), res)}
           onClose={cancelMfaDialog}
-          challengeScope={MFAChallengeScope.USER_SESSION}
+          challengeScope={MfaChallengeScope.USER_SESSION}
         />
       )}
       <Header>Test Connection</Header>

diff --git a/web/packages/teleport/src/Discover/Kubernetes/TestConnection/TestConnection.tsx b/web/packages/teleport/src/Discover/Kubernetes/TestConnection/TestConnection.tsx
@@ -28,7 +28,7 @@ import TextSelectCopy from 'teleport/components/TextSelectCopy';
 import { generateTshLoginCommand } from 'teleport/lib/util';
 import ReAuthenticate from 'teleport/components/ReAuthenticate';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import {
   ActionButtons,
@@ -103,7 +103,7 @@ export function TestConnection({
             <ReAuthenticate
               onMfaResponse={res => testConnection(makeTestConnRequest(), res)}
               onClose={cancelMfaDialog}
-              challengeScope={MFAChallengeScope.USER_SESSION}
+              challengeScope={MfaChallengeScope.USER_SESSION}
             />
           )}
           <Header>Test Connection</Header>

diff --git a/web/packages/teleport/src/Discover/Server/TestConnection/TestConnection.tsx b/web/packages/teleport/src/Discover/Server/TestConnection/TestConnection.tsx
@@ -33,7 +33,7 @@ import {
 } from 'teleport/Discover/Shared';
 import { sortNodeLogins } from 'teleport/services/nodes';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import { NodeMeta } from '../../useDiscover';
 
@@ -89,7 +89,7 @@ export function TestConnection(props: AgentStepProps) {
         <ReAuthenticate
           onMfaResponse={res => testConnection(selectedOpt.value, res)}
           onClose={cancelMfaDialog}
-          challengeScope={MFAChallengeScope.USER_SESSION}
+          challengeScope={MfaChallengeScope.USER_SESSION}
         />
       )}
       <Header>Test Connection</Header>

diff --git a/web/packages/teleport/src/Users/useUsers.ts b/web/packages/teleport/src/Users/useUsers.ts
@@ -21,6 +21,7 @@ import { useAttempt } from 'shared/hooks';
 
 import { User } from 'teleport/services/user';
 import useTeleport from 'teleport/useTeleport';
+import auth from 'teleport/services/auth/auth';
 
 export default function useUsers({
   InviteCollaborators,
@@ -82,11 +83,18 @@ export default function useUsers({
     });
   }
 
-  function onCreate(u: User) {
+  async function onCreate(u: User) {
+    const webauthnResponse = await auth.getWebauthnResponseForAdminAction(true);
     return ctx.userService
-      .createUser(u)
+      .createUser(u, webauthnResponse)
       .then(result => setUsers([result, ...users]))
-      .then(() => ctx.userService.createResetPasswordToken(u.name, 'invite'));
+      .then(() =>
+        ctx.userService.createResetPasswordToken(
+          u.name,
+          'invite',
+          webauthnResponse
+        )
+      );
   }
 
   function onInviteCollaboratorsClose(newUsers?: User[]) {

diff --git a/web/packages/teleport/src/components/ReAuthenticate/ReAuthenticate.story.tsx b/web/packages/teleport/src/components/ReAuthenticate/ReAuthenticate.story.tsx
@@ -18,7 +18,7 @@
 
 import React from 'react';
 
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import { State } from './useReAuthenticate';
 import { ReAuthenticate } from './ReAuthenticate';
@@ -49,5 +49,5 @@ const props: State = {
   onClose: () => null,
   auth2faType: 'on',
   actionText: 'performing this action',
-  challengeScope: MFAChallengeScope.UNSPECIFIED,
+  challengeScope: MfaChallengeScope.UNSPECIFIED,
 };
diff --git a/web/packages/teleport/src/components/ReAuthenticate/useReAuthenticate.ts b/web/packages/teleport/src/components/ReAuthenticate/useReAuthenticate.ts
@@ -20,7 +20,7 @@ import useAttempt from 'shared/hooks/useAttemptNext';
 
 import cfg from 'teleport/config';
 import auth from 'teleport/services/auth';
-import { MFAChallengeScope } from 'teleport/services/auth/auth';
+import { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import type { MfaAuthnResponse } from 'teleport/services/mfa';
 
@@ -53,7 +53,7 @@ export default function useReAuthenticate(props: Props) {
       .catch(handleError);
   }
 
-  function submitWithWebauthn(scope: MFAChallengeScope) {
+  function submitWithWebauthn(scope: MfaChallengeScope) {
     setAttempt({ status: 'processing' });
 
     if ('onMfaResponse' in props) {
@@ -119,7 +119,7 @@ type BaseProps = {
   /**
    * The MFA challenge scope of the action to perform, as defined in webauthn.proto.
    */
-  challengeScope: MFAChallengeScope;
+  challengeScope: MfaChallengeScope;
 };
 
 // MfaResponseProps defines a function

diff --git a/web/packages/teleport/src/config.ts b/web/packages/teleport/src/config.ts
@@ -381,6 +381,10 @@ const cfg = {
     return cfg.auth.allowPasswordless;
   },
 
+  isAdminActionMfaEnforced() {
+    return cfg.auth.second_factor === 'webauthn';
+  },
+
   getPrimaryAuthType(): PrimaryAuthType {
     if (cfg.auth.localConnectorName === 'passwordless') {
       return 'passwordless';

diff --git a/web/packages/teleport/src/services/api/api.ts b/web/packages/teleport/src/services/api/api.ts
@@ -17,7 +17,7 @@
  */
 
 import 'whatwg-fetch';
-import auth, { MFAChallengeScope } from 'teleport/services/auth/auth';
+import auth, { MfaChallengeScope } from 'teleport/services/auth/auth';
 
 import { storageService } from '../storageService';
 import { WebauthnAssertionResponse } from '../auth';
@@ -31,12 +31,16 @@ const api = {
     return api.fetchJsonWithMfaAuthnRetry(url, { signal: abortSignal });
   },
 
-  post(url, data?, abortSignal?) {
-    return api.fetchJsonWithMfaAuthnRetry(url, {
-      body: JSON.stringify(data),
-      method: 'POST',
-      signal: abortSignal,
-    });
+  post(url, data?, abortSignal?, webauthnResponse?: WebauthnAssertionResponse) {
+    return api.fetchJsonWithMfaAuthnRetry(
+      url,
+      {
+        body: JSON.stringify(data),
+        method: 'POST',
+        signal: abortSignal,
+      },
+      webauthnResponse
+    );
   },
 
   postFormData(url, formData) {
@@ -58,18 +62,26 @@ const api = {
     throw new Error('data for body is not a type of FormData');
   },
 
-  delete(url, data?) {
-    return api.fetchJsonWithMfaAuthnRetry(url, {
-      body: JSON.stringify(data),
-      method: 'DELETE',
-    });
+  delete(url, data?, webauthnResponse?: WebauthnAssertionResponse) {
+    return api.fetchJsonWithMfaAuthnRetry(
+      url,
+      {
+        body: JSON.stringify(data),
+        method: 'DELETE',
+      },
+      webauthnResponse
+    );
   },
 
-  put(url, data) {
-    return api.fetchJsonWithMfaAuthnRetry(url, {
-      body: JSON.stringify(data),
-      method: 'PUT',
-    });
+  put(url, data, webauthnResponse?: WebauthnAssertionResponse) {
+    return api.fetchJsonWithMfaAuthnRetry(
+      url,
+      {
+        body: JSON.stringify(data),
+        method: 'PUT',
+      },
+      webauthnResponse
+    );
   },
 
   /**
@@ -118,7 +130,7 @@ const api = {
     let webauthnResponseForRetry;
     try {
       webauthnResponseForRetry = await auth.getWebauthnResponse(
-        MFAChallengeScope.ADMIN_ACTION
+        MfaChallengeScope.ADMIN_ACTION
       );
     } catch (err) {
       throw new Error(