Skip to content

Support hardware keys prompts in Connect #47652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gzdunek merged 11 commits into from
Oct 23, 2024
Merged

Support hardware keys prompts in Connect #47652

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
aa0b4a5
Add new protos for hardware key prompts
gzdunek Oct 16, 2024
1dbc3a8
Implement hardware key prompts on the daemon side
gzdunek Oct 16, 2024
c3ab05b
Show prompts in the UI
gzdunek Oct 16, 2024
231cdbb
`PromptHardwareKeyPINAsk` -> `PromptHardwareKeyPIN`
gzdunek Oct 22, 2024
594cdd7
Improve proto docs
gzdunek Oct 22, 2024
fae707c
`PromptHardwareKeySlotOverwrite` -> `ConfirmHardwareKeySlotOverwrite`
gzdunek Oct 22, 2024
b6eb8b2
Fix typo
gzdunek Oct 22, 2024
c68587a
Remove unnecessary `form`
gzdunek Oct 22, 2024
7223164
Pass an enum to `AskPIN` instead of the entire message
gzdunek Oct 22, 2024
181c72b
Remove an invalid restriction of PIN/PUK to numbers only
gzdunek Oct 22, 2024
f162318
Improve the copy
gzdunek Oct 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion api/utils/keys/cliprompt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,11 @@ import (

type cliPrompt struct{}

func (c *cliPrompt) AskPIN(ctx context.Context, message string) (string, error) {
func (c *cliPrompt) AskPIN(ctx context.Context, requirement PINPromptRequirement) (string, error) {
message := "Enter your YubiKey PIV PIN"
if requirement == PINOptional {
message = "Enter your YubiKey PIV PIN [blank to use default PIN]"
}
password, err := prompt.Password(ctx, os.Stderr, prompt.Stdin(), message)
return password, trace.Wrap(err)
}
Expand Down
4 changes: 2 additions & 2 deletions api/utils/keys/yubikey.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,7 @@ func (y *YubiKeyPrivateKey) sign(ctx context.Context, rand io.Reader, digest []b
defer touchPromptDelayTimer.Reset(signTouchPromptDelay)
}
}
pass, err := y.prompt.AskPIN(ctx, "Enter your YubiKey PIV PIN")
pass, err := y.prompt.AskPIN(ctx, PINRequired)
return pass, trace.Wrap(err)
}

Expand Down Expand Up @@ -666,7 +666,7 @@ func (y *YubiKey) SetPIN(oldPin, newPin string) error {
// If the user provides the default PIN, they will be prompted to set a
// non-default PIN and PUK before continuing.
func (y *YubiKey) checkOrSetPIN(ctx context.Context) error {
pin, err := y.prompt.AskPIN(ctx, "Enter your YubiKey PIV PIN [blank to use default PIN]")
pin, err := y.prompt.AskPIN(ctx, PINOptional)
if err != nil {
return trace.Wrap(err)
}
Expand Down
13 changes: 12 additions & 1 deletion api/utils/keys/yubikey_common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ import (
// HardwareKeyPrompt provides methods to interact with a YubiKey hardware key.
type HardwareKeyPrompt interface {
// AskPIN prompts the user for a PIN.
AskPIN(ctx context.Context, message string) (string, error)
// The requirement tells if the PIN is required or optional.
AskPIN(ctx context.Context, requirement PINPromptRequirement) (string, error)
// Touch prompts the user to touch the hardware key.
Touch(ctx context.Context) error
// ChangePIN asks for a new PIN.
Expand All @@ -35,6 +36,16 @@ type HardwareKeyPrompt interface {
ConfirmSlotOverwrite(ctx context.Context, message string) (bool, error)
}

// PINPromptRequirement specifies whether a PIN is required.
type PINPromptRequirement int

const (
// PINOptional allows the user to proceed without entering a PIN.
PINOptional PINPromptRequirement = iota
// PINRequired enforces that a PIN must be entered to proceed.
PINRequired
)

// PINAndPUK describes a response returned from HardwareKeyPrompt.ChangePIN.
type PINAndPUK struct {
// New PIN set by the user.
Expand Down
Loading