Skip to content
This repository was archived by the owner on Feb 8, 2024. It is now read-only.

Handle private key policy errors#1298

Merged
kimlisa merged 8 commits intomasterfrom
lisa/private-key-policy-warning
Oct 28, 2022
Merged

Handle private key policy errors#1298
kimlisa merged 8 commits intomasterfrom
lisa/private-key-policy-warning

Conversation

@kimlisa
Copy link
Copy Markdown
Contributor

@kimlisa kimlisa commented Oct 25, 2022
edited
Loading

resolves gravitational/teleport#16168

Description

There are three ways we determine if use of private key is enabled:

  1. Cluster config flag: this setting won't allow the user to login to the web, it will just direct user to login with other supported methods
  2. privateKeyPolicyEnabled flag: only returned with a 200 for resets and invites. This flag was required so that we can additionally render recovery codes if any (only for Teleport Cloud)
  3. checking if the error returned contains the backend hard coded keywords: hardware_key or hardware_key_touch, this is used for:

TODO

Test cases to add to test plan (added screenshots for UI and copy review)

Enforce use of private keys by cluster config or by role config.

# Cluster wide config
auth_service:
    require_session_mfa: hardware_key_touch  # or `hardware_key`

# Role config
kind: role
spec:
  options:
    require_session_mfa: hardware_key_touch  # or `hardware_key`

Private key policy card should render for:

  • With cluster setting on login page
  • With cluster setting on login page for Teleport Cloud (should also render option to recover authn)
  • With role setting, after successfully logging in with password only, with 2fa's, and passwordless

image

image

With a access request role that requires private key, a private key required dialogue pops up for:

  • Waiting room
  • Assuming an approved access request through the access request list
  • Assuming an approved access request through the view access request screen

(For waiting room, action button says Logout, but when logged in and you get this error from trying to assume requests, the action button says Okay)
image

Below tests, it shouldn't matter if private key enforcement is set through cluster or role setting.
Private key policy card should render for Invites and Resets:

  • After successfully registering with password only, with 2fa's, and passwordless
  • After successfully resetting with password only, with 2fa's, and passwordless)
  • After successfully registering/resetting with Teleport Cloud and successfully receiving recovery codes

image

image

@kimlisa kimlisa mentioned this pull request Oct 25, 2022
Merged
@xinding33
Copy link
Copy Markdown

xinding33 commented Oct 25, 2022

@kimlisa suggested copy:

Web UI Login Disabled - This Teleport Cluster requires that user private keys be stored on hardware authentication devices. Since these keys are not accessible by web browsers, Web UI login has been disabled. Please use Teleport Connect or tsh to log in.

@kimlisa kimlisa force-pushed the lisa/private-key-policy-warning branch from cc93fe3 to 7b5e033 Compare October 26, 2022 06:26
@kimlisa kimlisa marked this pull request as ready for review October 26, 2022 06:26
@kimlisa
Copy link
Copy Markdown
Contributor Author

kimlisa commented Oct 27, 2022

friendly ping @JanKaczmarkiewicz @ryanclark

@kimlisa kimlisa merged commit 5b3a2df into master Oct 28, 2022
@kimlisa kimlisa deleted the lisa/private-key-policy-warning branch October 28, 2022 21:38
kimlisa added a commit that referenced this pull request Oct 28, 2022
@kimlisa
Handle private key policy errors and config (#1298)
bb46210 
There are three ways we determine if use of private key is enabled:

-Cluster config: this setting won't render the login form,
it will just direct user to login with other supported methods
- 'privateKeyPolicyEnabled' flag: only returned with a 200 for resets
and invites. This flag was required so that we can additionally render
recovery codes if any (only for Teleport Cloud)
- Checking if the error returned contains the backend hard coded
keywords ('hardware_key' or 'hardware_key_touch'). Role configs
will require an attempt (either logging in or assuming an access request)
before the backend checks if this user requires use of private keys.
@kimlisa kimlisa mentioned this pull request Oct 28, 2022
Merged
2 tasks
kimlisa added a commit that referenced this pull request Nov 1, 2022
@kimlisa
[v11] Handle private key policy errors and config (#1298) (#1311)
0ebff10 
There are three ways we determine if use of private key is enabled:

-Cluster config: this setting won't render the login form,
it will just direct user to login with other supported methods
- 'privateKeyPolicyEnabled' flag: only returned with a 200 for resets
and invites. This flag was required so that we can additionally render
recovery codes if any (only for Teleport Cloud)
- Checking if the error returned contains the backend hard coded
keywords ('hardware_key' or 'hardware_key_touch'). Role configs
will require an attempt (either logging in or assuming an access request)
before the backend checks if this user requires use of private keys.

* Update e-ref
This was referenced Feb 8, 2023
Merged
Merged
@Joerger Joerger mentioned this pull request Oct 3, 2023
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@ryanclark ryanclark ryanclark approved these changes

@JanKaczmarkiewicz JanKaczmarkiewicz JanKaczmarkiewicz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Hardware key WebUI registration

4 participants

@kimlisa @xinding33 @ryanclark @JanKaczmarkiewicz