Support hardware keys prompts in Connect (#47652)

* Add new protos for hardware key prompts * Implement hardware key prompts on the daemon side * Show prompts in the UI * `PromptHardwareKeyPINAsk` -> `PromptHardwareKeyPIN` * Improve proto docs * `PromptHardwareKeySlotOverwrite` -> `ConfirmHardwareKeySlotOverwrite` * Fix typo * Remove unnecessary `form` * Pass an enum to `AskPIN` instead of the entire message * Remove an invalid restriction of PIN/PUK to numbers only * Improve the copy
gravitational · Oct 23, 2024 · 22b5014 · 22b5014
1 parent 492379c
commit 22b5014
Show file tree

Hide file tree

Showing 23 changed files with 2,498 additions and 114 deletions.
diff --git a/api/utils/keys/cliprompt.go b/api/utils/keys/cliprompt.go
@@ -29,7 +29,11 @@ import (
 
 type cliPrompt struct{}
 
-func (c *cliPrompt) AskPIN(ctx context.Context, message string) (string, error) {
+func (c *cliPrompt) AskPIN(ctx context.Context, requirement PINPromptRequirement) (string, error) {
+	message := "Enter your YubiKey PIV PIN"
+	if requirement == PINOptional {
+		message = "Enter your YubiKey PIV PIN [blank to use default PIN]"
+	}
 	password, err := prompt.Password(ctx, os.Stderr, prompt.Stdin(), message)
 	return password, trace.Wrap(err)
 }

diff --git a/api/utils/keys/yubikey.go b/api/utils/keys/yubikey.go
@@ -374,7 +374,7 @@ func (y *YubiKeyPrivateKey) sign(ctx context.Context, rand io.Reader, digest []b
 				defer touchPromptDelayTimer.Reset(signTouchPromptDelay)
 			}
 		}
-		pass, err := y.prompt.AskPIN(ctx, "Enter your YubiKey PIV PIN")
+		pass, err := y.prompt.AskPIN(ctx, PINRequired)
 		return pass, trace.Wrap(err)
 	}
 
@@ -666,7 +666,7 @@ func (y *YubiKey) SetPIN(oldPin, newPin string) error {
 // If the user provides the default PIN, they will be prompted to set a
 // non-default PIN and PUK before continuing.
 func (y *YubiKey) checkOrSetPIN(ctx context.Context) error {
-	pin, err := y.prompt.AskPIN(ctx, "Enter your YubiKey PIV PIN [blank to use default PIN]")
+	pin, err := y.prompt.AskPIN(ctx, PINOptional)
 	if err != nil {
 		return trace.Wrap(err)
 	}

diff --git a/api/utils/keys/yubikey_common.go b/api/utils/keys/yubikey_common.go
@@ -22,7 +22,8 @@ import (
 // HardwareKeyPrompt provides methods to interact with a YubiKey hardware key.
 type HardwareKeyPrompt interface {
 	// AskPIN prompts the user for a PIN.
-	AskPIN(ctx context.Context, message string) (string, error)
+	// The requirement tells if the PIN is required or optional.
+	AskPIN(ctx context.Context, requirement PINPromptRequirement) (string, error)
 	// Touch prompts the user to touch the hardware key.
 	Touch(ctx context.Context) error
 	// ChangePIN asks for a new PIN.
@@ -35,6 +36,16 @@ type HardwareKeyPrompt interface {
 	ConfirmSlotOverwrite(ctx context.Context, message string) (bool, error)
 }
 
+// PINPromptRequirement specifies whether a PIN is required.
+type PINPromptRequirement int
+
+const (
+	// PINOptional allows the user to proceed without entering a PIN.
+	PINOptional PINPromptRequirement = iota
+	// PINRequired enforces that a PIN must be entered to proceed.
+	PINRequired
+)
+
 // PINAndPUK describes a response returned from HardwareKeyPrompt.ChangePIN.
 type PINAndPUK struct {
 	// New PIN set by the user.