Log information about second_factors removal at startup (#41416)

* Log information on second_factors removal at startup * include upgrade instructions as a usermessage * resolve comments
gravitational · Jun 5, 2024 · 72f4a10 · 72f4a10
1 parent 93f8f92
commit 72f4a10
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/lib/auth/init.go b/lib/auth/init.go
@@ -23,6 +23,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"
 	"slices"
@@ -709,6 +710,20 @@ func generateAuthority(ctx context.Context, asrv *Server, caID types.CertAuthID)
 	return ca, nil
 }
 
+var secondFactorUpgradeInstructions = `
+Teleport requires second factor authentication for local users.
+The auth_service configuration should be updated to enable it.
+
+auth_service:
+  authentication:
+    second_factor: on
+    webauthn:
+      rp_id: example.com
+
+For more information:
+- https://goteleport.com/docs/access-controls/guides/webauthn/
+`
+
 func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref types.AuthPreference) error {
 	const iterationLimit = 3
 	for i := 0; i < iterationLimit; i++ {
@@ -724,7 +739,13 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 
 		if !shouldReplace {
 			if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "true" {
-				return trace.Wrap(modules.ValidateResource(storedAuthPref))
+				err := modules.ValidateResource(storedAuthPref)
+				if errors.Is(err, modules.ErrCannotDisableSecondFactor) {
+					return trace.Wrap(err, secondFactorUpgradeInstructions)
+				}
+				if err != nil {
+					return trace.Wrap(err)
+				}
 			}
 			return nil
 		}
@@ -744,6 +765,9 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 		if trace.IsCompareFailed(err) {
 			continue
 		}
+		if errors.Is(err, modules.ErrCannotDisableSecondFactor) {
+			return trace.Wrap(err, secondFactorUpgradeInstructions)
+		}
 
 		return trace.Wrap(err)
 	}

diff --git a/lib/modules/modules.go b/lib/modules/modules.go
@@ -23,6 +23,7 @@ package modules
 import (
 	"context"
 	"crypto"
+	"errors"
 	"fmt"
 	"os"
 	"runtime"
@@ -338,6 +339,8 @@ func GetModules() Modules {
 	return modules
 }
 
+var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authentication")
+
 // ValidateResource performs additional resource checks.
 func ValidateResource(res types.Resource) error {
 	// todo(lxea): DELETE IN 17 [remove env var, leave insecure test mode]
@@ -348,7 +351,7 @@ func ValidateResource(res types.Resource) error {
 		case types.AuthPreference:
 			switch r.GetSecondFactor() {
 			case constants.SecondFactorOff, constants.SecondFactorOptional:
-				return trace.BadParameter("cannot disable two-factor authentication")
+				return trace.Wrap(ErrCannotDisableSecondFactor)
 			}
 		}
 	}

diff --git a/lib/modules/modules_test.go b/lib/modules/modules_test.go
@@ -60,7 +60,7 @@ func TestValidateAuthPreferenceOnCloud(t *testing.T) {
 
 	authPref.SetSecondFactor(constants.SecondFactorOff)
 	_, err = testServer.AuthServer.UpdateAuthPreference(ctx, authPref)
-	require.EqualError(t, err, "cannot disable two-factor authentication")
+	require.EqualError(t, err, modules.ErrCannotDisableSecondFactor.Error())
 }
 
 func TestValidateSessionRecordingConfigOnCloud(t *testing.T) {