Constants ¶
const DeviceDescriptorRegistered = "registered"
DeviceDescriptorRegistered is a registered device.
const ResponseMetadataKey = "mfa_challenge_response"
ResponseMetadataKey is the context metadata key for an MFA response in a gRPC request.
Variables ¶
var (
	// ErrAdminActionMFARequired is an error indicating that an admin-level
	// API request failed due to missing MFA verification. It is the error
	// CredentialsFromContext reports when a request carries no MFA credentials.
	ErrAdminActionMFARequired = trace.AccessDeniedError{Message: "admin-level API request requires MFA verification"}

	// ErrMFANotRequired is returned by MFA ceremonies when it is discovered or
	// inferred that an MFA ceremony is not required by the server.
	ErrMFANotRequired = trace.BadParameterError{Message: "re-authentication with MFA is not required"}

	// ErrMFANotSupported is returned by MFA ceremonies when the client does not
	// support MFA ceremonies, or the server does not support MFA ceremonies for
	// the client user.
	ErrMFANotSupported = trace.BadParameterError{Message: "re-authentication with MFA is not supported for this client"}
)
Functions ¶
func ContextWithMFAResponse ¶
func ContextWithMFAResponse(ctx context.Context, mfaResp *proto.MFAAuthenticateResponse) context.Context
ContextWithMFAResponse embeds the MFA response in the context.
func CredentialsFromContext ¶
func CredentialsFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)
CredentialsFromContext can be called from a gRPC server method to return the MFA credentials added to the gRPC metadata for requests that require MFA, such as admin-level requests. If no MFA credentials are found, ErrAdminActionMFARequired is returned, aggregated with any other errors encountered.
func EncodeMFAChallengeResponseCredentials ¶
func EncodeMFAChallengeResponseCredentials(mfaResp *proto.MFAAuthenticateResponse) (string, error)
EncodeMFAChallengeResponseCredentials encodes the given MFA challenge response into a string.
func MFAResponseFromContext ¶
func MFAResponseFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse, error)
MFAResponseFromContext returns the MFA response from the context.
func PerformAdminActionMFACeremony ¶
func PerformAdminActionMFACeremony(ctx context.Context, mfaCeremony MFACeremony, allowReuse bool) (*proto.MFAAuthenticateResponse, error)
PerformAdminActionMFACeremony retrieves an MFA challenge from the server for an admin action, prompts the user to answer the challenge, and returns the resulting MFA response.
func PerformMFACeremony ¶
func PerformMFACeremony(ctx context.Context, clt MFACeremonyClient, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)
PerformMFACeremony retrieves an MFA challenge from the server with the given challenge extensions, prompts the user to answer the challenge with the given promptOpts, and ultimately returns an MFA challenge response for the user.
func WithCredentials ¶
func WithCredentials(resp *proto.MFAAuthenticateResponse) grpc.CallOption
WithCredentials can be called on a gRPC client request to attach MFA credentials to the gRPC metadata for requests that require MFA, such as admin-level requests.
Types ¶
type DeviceDescriptor ¶
type DeviceDescriptor string
DeviceDescriptor is a descriptor for a device, such as "registered".
type MFACeremony ¶
type MFACeremony func(ctx context.Context, challengeRequest *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)
type MFACeremonyClient ¶
// MFACeremonyClient is a client that can perform an MFA ceremony, from
// retrieving the MFA challenge to prompting the user for an MFA response.
type MFACeremonyClient interface {
	// CreateAuthenticateChallenge creates and returns MFA challenges for a
	// user's registered MFA devices.
	CreateAuthenticateChallenge(ctx context.Context, in *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error)
	// PromptMFA prompts the user to answer the given challenge and returns
	// the resulting MFA response.
	PromptMFA(ctx context.Context, chal *proto.MFAAuthenticateChallenge, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error)
}
MFACeremonyClient is a client that can perform an MFA ceremony, from retrieving the MFA challenge to prompting for an MFA response from the user.
type Prompt ¶
// Prompt is an MFA prompt: something that can present an MFA challenge to
// the user and collect the response.
type Prompt interface {
	// Run prompts the user to complete an MFA authentication challenge and
	// returns the resulting response, or an error if the challenge was not
	// completed.
	Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
}
Prompt is an MFA prompt.
type PromptConfig ¶
// PromptConfig contains common MFA prompt config options. Fields are set
// through PromptOpt functions such as WithPromptReason and
// WithPromptDeviceType.
type PromptConfig struct {
	// PromptReason is an optional message to share with the user before an MFA Prompt.
	// It is intended to provide context about why the user is being prompted where it may
	// not be obvious, such as for admin actions or per-session MFA.
	PromptReason string
	// DeviceType is an optional device description to emphasize during the prompt.
	DeviceType DeviceDescriptor
	// Quiet suppresses user prompts.
	Quiet bool
}
PromptConfig contains common MFA prompt config options.
type PromptConstructor ¶
PromptConstructor is a function that creates a new MFA prompt.
type PromptFunc ¶
type PromptFunc func(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
PromptFunc is a function wrapper that implements the Prompt interface.
func (PromptFunc) Run ¶
func (f PromptFunc) Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error)
Run prompts the user to complete an MFA authentication challenge.
type PromptOpt ¶
type PromptOpt func(*PromptConfig)
PromptOpt applies configuration options to a prompt.
func WithPromptDeviceType ¶
func WithPromptDeviceType(deviceType DeviceDescriptor) PromptOpt
WithPromptDeviceType sets the prompt's DeviceType field.
func WithPromptReason ¶
WithPromptReason sets the prompt's PromptReason field.
func WithPromptReasonAdminAction ¶
func WithPromptReasonAdminAction() PromptOpt
WithPromptReasonAdminAction sets the prompt's PromptReason field to a standard admin action message.
func WithPromptReasonSessionMFA ¶
WithPromptReasonSessionMFA sets the prompt's PromptReason field to a standard per-session MFA message.