Merge pull request #29 from aripalo/fix/yubikey-without-password

aripalo · web-flow · commit 7704e3c3118d · 2022-05-12T20:52:55.000+03:00
Fix: Yubikey without Password
diff --git a/internal/app/assume.go b/internal/app/assume.go
@@ -58,7 +58,7 @@ func (a *App) Assume(flags AssumeFlags) error {
 	// Catch timeout error and return a cleaner error message.
 	if err != nil {
 		if errors.Is(err, context.DeadlineExceeded) {
-			msg.Fatal(fmt.Sprintf("Operation Timeout"))
+			msg.Fatal("Operation Timeout")
 		}
 		msg.Fatal(fmt.Sprintf("Credentials: STS: %s", err))
 	}
diff --git a/internal/app/version_test.go b/internal/app/version_test.go
@@ -38,7 +38,7 @@ func TestVersion(t *testing.T) {
 			a := &App{dest: &output}
 			err := a.Version(test.input)
 			require.NoError(t, err)
-			actual := string(output.Bytes())
+			actual := output.String()
 			assert.Equal(t, test.expected, actual)
 		})
 	}
diff --git a/internal/credentials/cache.go b/internal/credentials/cache.go
@@ -65,13 +65,3 @@ func (c *Credentials) readFromCache() error {
 
 	return nil
 }
-
-// DeleteFromCache deletes the cached response cache database
-func (c *Credentials) deleteFromCache() error {
-	key, err := resolveKey(c.cfg.ProfileName, c.cfg.Checksum)
-	if err != nil {
-		return err
-	}
-
-	return c.repo.Delete(key)
-}
diff --git a/internal/multinput/multinput.go b/internal/multinput/multinput.go
@@ -2,7 +2,6 @@ package multinput
 
 import (
 	"context"
-	"time"
 )
 
 // Identifier for a single resolver.
@@ -17,7 +16,6 @@ type Result struct {
 
 // Multinput models the configuration/state.
 type Multinput struct {
-	timeout   time.Duration
 	results   chan *Result
 	resolvers []InputResolver
 }
@@ -33,8 +31,8 @@ func New(resolvers []InputResolver) Multinput {
 	}
 }
 
-// Provide runs the given resolvers and will keep waitig for first
-// non-empty value until timeout reached.
+// Provide runs the given resolvers and will keep waiting for first
+// non-empty value until timeout (defined by ctx) reached.
 func (m *Multinput) Provide(ctx context.Context) (*Result, error) {
 
 	// loop through all given resolvers, run them as goroutines and
diff --git a/internal/tmpl/write_test.go b/internal/tmpl/write_test.go
@@ -63,7 +63,7 @@ func TestWrite(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			var output bytes.Buffer
 			err := Write(&output, "test", test.template, test.input)
-			actual := string(output.Bytes())
+			actual := output.String()
 			assert.Equal(t, test.err, err)
 			assert.Equal(t, test.expected, actual)
 		})
diff --git a/internal/totp/message.go b/internal/totp/message.go
@@ -26,5 +26,5 @@ func formatInputMessage(enableGui bool, enableYubikey bool) string {
 	if err != nil {
 		msg.Fatal(err.Error())
 	}
-	return string(message.Bytes())
+	return message.String()
 }
diff --git a/internal/totp/totp.go b/internal/totp/totp.go
@@ -60,6 +60,8 @@ func GetCode(ctx context.Context, options Options) (string, error) {
 
 	code := result.Value
 
+	msg.Debug("ℹ️", fmt.Sprintf("MFA: Token received: \"%s\"", result.Value))
+
 	if !isValidToken(code) {
 		return code, errors.New("invalid mfa code") // TODO
 	}
diff --git a/internal/yubikey/setup/setup.go b/internal/yubikey/setup/setup.go
@@ -39,6 +39,9 @@ func Setup(options Options, store PasswordStore) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
+	msg.Debug("🔧", fmt.Sprintf("Yubikey: Device Serial: %s", options.Device))
+	msg.Debug("🔧", fmt.Sprintf("Yubikey: OATH Account: %s", options.Account))
+
 	oathAccounts, err := ykmangoath.New(ctx, options.Device)
 	if err != nil {
 		return fmt.Errorf("ykmangoat init: %w", err)
@@ -135,6 +138,16 @@ func stateMachine(state State, op Operation) State {
 			}
 		}
 		msg.Debug("🔓", "Yubikey: OATH application not password protected")
+
+		err := op.SetPassword("")
+		if err != nil {
+			msg.Warn("⚠️", fmt.Sprintf("Yubikey: Could not configure empty password: %s", err))
+			return State{
+				Name:  ERROR,
+				Error: errors.New("yubikey: could not configure empty password"),
+			}
+		}
+
 		return State{
 			Name: CHECK_DEVICE_HAS_ACCOUNT,
 		}
@@ -258,6 +271,7 @@ func stateMachine(state State, op Operation) State {
 	case CHECK_DEVICE_HAS_ACCOUNT:
 		has, err := op.HasAccount()
 		if err != nil {
+			msg.Debug("ℹ️", fmt.Sprintf("Yubikey: Failed to acquire account: %s", err))
 			return State{
 				Name:  ERROR,
 				Error: errors.New("yubikey: could not read accounts"),
@@ -270,6 +284,7 @@ func stateMachine(state State, op Operation) State {
 				Error: errors.New("yubikey: account not found"),
 			}
 		}
+		msg.Debug("ℹ️", "Yubikey: Account found")
 		return State{
 			Name: DONE,
 		}
diff --git a/internal/yubikey/setup/setup_test.go b/internal/yubikey/setup/setup_test.go
@@ -44,9 +44,12 @@ func TestStateMachine(t *testing.T) {
 			expected: State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
 		},
 		{
-			name:     "device not password protected",
-			input:    State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
-			op:       Operation{IsPasswordProtected: func() bool { return false }},
+			name:  "device not password protected",
+			input: State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
+			op: Operation{
+				IsPasswordProtected: func() bool { return false },
+				SetPassword:         func(string) error { return nil },
+			},
 			expected: State{Name: CHECK_DEVICE_HAS_ACCOUNT},
 		},
 		{

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func (a *App) Assume(flags AssumeFlags) error {`
`58`	`58`	`// Catch timeout error and return a cleaner error message.`
`59`	`59`	`if err != nil {`
`60`	`60`	`if errors.Is(err, context.DeadlineExceeded) {`
`61`		`- msg.Fatal(fmt.Sprintf("Operation Timeout"))`
	`61`	`+ msg.Fatal("Operation Timeout")`
`62`	`62`	`}`
`63`	`63`	`msg.Fatal(fmt.Sprintf("Credentials: STS: %s", err))`
`64`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func TestVersion(t *testing.T) {`
`38`	`38`	`a := &App{dest: &output}`
`39`	`39`	`err := a.Version(test.input)`
`40`	`40`	`require.NoError(t, err)`
`41`		`- actual := string(output.Bytes())`
	`41`	`+ actual := output.String()`
`42`	`42`	`assert.Equal(t, test.expected, actual)`
`43`	`43`	`})`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package multinput`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`- "time"`
`6`	`5`	`)`
`7`	`6`
`8`	`7`	`// Identifier for a single resolver.`
`@@ -17,7 +16,6 @@ type Result struct {`
`17`	`16`
`18`	`17`	`// Multinput models the configuration/state.`
`19`	`18`	`type Multinput struct {`
`20`		`- timeout time.Duration`
`21`	`19`	`results chan *Result`
`22`	`20`	`resolvers []InputResolver`
`23`	`21`	`}`
`@@ -33,8 +31,8 @@ func New(resolvers []InputResolver) Multinput {`
`33`	`31`	`}`
`34`	`32`	`}`
`35`	`33`
`36`		`-// Provide runs the given resolvers and will keep waitig for first`
`37`		`-// non-empty value until timeout reached.`
	`34`	`+// Provide runs the given resolvers and will keep waiting for first`
	`35`	`+// non-empty value until timeout (defined by ctx) reached.`
`38`	`36`	`func (m Multinput) Provide(ctx context.Context) (Result, error) {`
`39`	`37`
`40`	`38`	`// loop through all given resolvers, run them as goroutines and`
Original file line number	Diff line number	Diff line change
`@@ -26,5 +26,5 @@ func formatInputMessage(enableGui bool, enableYubikey bool) string {`
`26`	`26`	`if err != nil {`
`27`	`27`	`msg.Fatal(err.Error())`
`28`	`28`	`}`
`29`		`- return string(message.Bytes())`
	`29`	`+ return message.String()`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,8 @@ func GetCode(ctx context.Context, options Options) (string, error) {`
`60`	`60`
`61`	`61`	`code := result.Value`
`62`	`62`
	`63`	`+ msg.Debug("ℹ️", fmt.Sprintf("MFA: Token received: \"%s\"", result.Value))`
	`64`	`+`
`63`	`65`	`if !isValidToken(code) {`
`64`	`66`	`return code, errors.New("invalid mfa code") // TODO`
`65`	`67`	`}`