From e29686c39ca7f696a174f8aca2acdddf0548ee23 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 17 Oct 2024 16:16:56 -0300
Subject: [PATCH 1/2] feat: Disable auto-enroll via environment variable

---
 lib/devicetrust/enroll/auto_enroll.go | 14 ++++++++++++++
 lib/devicetrust/enroll/auto_enroll_test.go | 8 ++++++++
 2 files changed, 22 insertions(+)

diff --git a/lib/devicetrust/enroll/auto_enroll.go b/lib/devicetrust/enroll/auto_enroll.go
index 2d9db0214fa45..4ed5a94383610 100644
--- a/lib/devicetrust/enroll/auto_enroll.go
+++ b/lib/devicetrust/enroll/auto_enroll.go
@@ -20,12 +20,21 @@ package enroll
 
 import (
 	"context"
+	"errors"
+	"os"
+	"strconv"
 
 	"github.com/gravitational/trace"
 
 	devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 )
 
+// ErrAutoEnrollDisabled signifies that auto-enroll is disabled in the current
+// device.
+// Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment disables
+// auto-enroll.
+var ErrAutoEnrollDisabled = errors.New("auto-enroll disabled")
+
 // AutoEnrollCeremony is the auto-enrollment version of [Ceremony].
 type AutoEnrollCeremony struct {
 	*Ceremony
@@ -49,6 +58,11 @@ func AutoEnroll(ctx context.Context, devicesClient devicepb.DeviceTrustServiceCl
 // [devicepb.DeviceTrustServiceClient.CreateDeviceEnrollToken] and enrolls the
 // device using a regular [Ceremony].
 func (c *AutoEnrollCeremony) Run(ctx context.Context, devicesClient devicepb.DeviceTrustServiceClient) (*devicepb.Device, error) {
+	const autoEnrollDisabledKey = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"
+	if disabled, _ := strconv.ParseBool(os.Getenv(autoEnrollDisabledKey)); disabled {
+		return nil, trace.Wrap(ErrAutoEnrollDisabled)
+	}
+
 	// Creating the init message straight away aborts the process cleanly if the
 	// device cannot create the device key (for example, if it lacks a TPM).
 	// This avoids a situation where we ask for escalation, like a sudo prompt or
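Review bot: The doc comment on ErrAutoEnrollDisabled drops the word "variable" and documents a narrower trigger than the code accepts: `Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment disables` should read `Setting the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED environment variable to a value strconv.ParseBool accepts as true (e.g. "1" or "true") disables`. "In the current device" also reads oddly; "on the current device" is the usual phrasing. This comment is the only place the variable is documented for readers of the package, so it is worth keeping exact.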
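Review bot: A malformed value of TELEPORT_DEVICE_AUTO_ENROLL_DISABLED (for example `yes` or `on`) is silently treated as "not disabled" because the strconv.ParseBool error is discarded, so a user who set the variable to opt out of enrollment gets enrolled anyway, the opposite of what the variable expresses. Only a value ParseBool recognises as true reaches the early return. I would reject a non-empty unparseable value explicitly instead of falling through, and move the key to package scope next to ErrAutoEnrollDisabled so the doc comment and the code cannot drift apart. The Run doc comment in the context lines should also mention the new outcome, e.g. `// Run returns [ErrAutoEnrollDisabled] if TELEPORT_DEVICE_AUTO_ENROLL_DISABLED is set to a true value.` Run's body continues outside the hunk.
```go
// autoEnrollDisabledKey names the environment variable that disables
// auto-enroll when set to a value strconv.ParseBool accepts as true.
const autoEnrollDisabledKey = "TELEPORT_DEVICE_AUTO_ENROLL_DISABLED"

// … unchanged: AutoEnrollCeremony type and AutoEnroll …

func (c *AutoEnrollCeremony) Run(ctx context.Context, devicesClient devicepb.DeviceTrustServiceClient) (*devicepb.Device, error) {
	// Reject a value we cannot interpret rather than silently enrolling a
	// device whose user tried to opt out.
	if v := os.Getenv(autoEnrollDisabledKey); v != "" {
		disabled, err := strconv.ParseBool(v)
		if err != nil {
			return nil, trace.BadParameter("parsing %s=%q: %v", autoEnrollDisabledKey, v, err)
		}
		if disabled {
			return nil, trace.Wrap(ErrAutoEnrollDisabled)
		}
	}

	// … unchanged: init message creation and enrollment ceremony …
```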
diff --git a/lib/devicetrust/enroll/auto_enroll_test.go b/lib/devicetrust/enroll/auto_enroll_test.go
index fc1853ec895ce..d12842506dd05 100644
--- a/lib/devicetrust/enroll/auto_enroll_test.go
+++ b/lib/devicetrust/enroll/auto_enroll_test.go
@@ -20,6 +20,7 @@ package enroll_test
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -67,3 +68,10 @@ func TestAutoEnrollCeremony_Run(t *testing.T) {
 		})
 	}
 }
+
+func TestAutoEnroll_disabledByEnv(t *testing.T) {
+	os.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
+
+	_, err := enroll.AutoEnroll(context.Background(), nil /* devicesClient */)
+	assert.ErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() error mismatch")
+}

From 8e86aa2c8b3a6fa1d38d4f0ce40bf26cad89c835 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 18 Oct 2024 16:00:21 -0300
Subject: [PATCH 2/2] Fix TestAutoEnroll_disabledByEnv flakiness (#47723)

* Fix TestAutoEnroll_disabledByEnv flakiness

* Use t.Setenv

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---
 lib/devicetrust/enroll/auto_enroll_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/devicetrust/enroll/auto_enroll_test.go b/lib/devicetrust/enroll/auto_enroll_test.go
index d12842506dd05..77a6678a9949a 100644
--- a/lib/devicetrust/enroll/auto_enroll_test.go
+++ b/lib/devicetrust/enroll/auto_enroll_test.go
@@ -20,7 +20,6 @@ package enroll_test
 
 import (
 	"context"
-	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -70,7 +69,7 @@ func TestAutoEnrollCeremony_Run(t *testing.T) {
 }
 
 func TestAutoEnroll_disabledByEnv(t *testing.T) {
-	os.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
+	t.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "1")
 
 	_, err := enroll.AutoEnroll(context.Background(), nil /* devicesClient */)
 	assert.ErrorIs(t, err, enroll.ErrAutoEnrollDisabled, "AutoEnroll() error mismatch")
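Review bot: The sibling test TestAutoEnrollCeremony_Run, whose body starts outside this hunk, is still exposed to the variable from the outside: if TELEPORT_DEVICE_AUTO_ENROLL_DISABLED is set to a true value in a developer's shell or in CI, its Run calls return ErrAutoEnrollDisabled and the test fails for a reason unrelated to the code under test. The `t.Setenv` added here only scopes this test's own value and restores whatever was there before. I would add `t.Setenv("TELEPORT_DEVICE_AUTO_ENROLL_DISABLED", "")` at the top of TestAutoEnrollCeremony_Run as well, since an empty value does not parse as true and so leaves the positive path isolated.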