missed commit

Cloud-Foundations · Jun 17, 2022 · f0e8c72 · f0e8c72
1 parent 30236c9
commit f0e8c72
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/cmd/keymasterd/2fa_okta.go b/cmd/keymasterd/2fa_okta.go
@@ -95,6 +95,17 @@ func (state *RuntimeState) oktaPushStartHandler(w http.ResponseWriter, r *http.R
 		state.writeFailureResponse(w, r, http.StatusInternalServerError, "Apperent Misconfiguration")
 		return
 	}
+	userResponse, err := oktaAuth.GetValidUserResponse(authData.Username)
+	if err != nil {
+		logger.Debugf(2, "oktaPushStartHandler: ")
+	}
+	if len(userResponse.Embedded.Factor) < 1 {
+		logger.Printf("oktaPushStartHandler: user %s does not have valid authenticators", authData.Username)
+		logger.Debugf(2, "oktaPushStartHandler: usedata for broken user%s is :%s", authData.Username, userResponse)
+		state.writeFailureResponse(w, r, http.StatusPreconditionFailed, "No valid MFA authenticators available")
+		return
+	}
+
 	pushResponse, err := oktaAuth.ValidateUserPush(authData.Username)
 	if err != nil {
 		logger.Println(err)

diff --git a/lib/authenticators/okta/impl.go b/lib/authenticators/okta/impl.go
@@ -122,7 +122,7 @@ func (pa *PasswordAuthenticator) passwordAuthenticate(username string,
 	}
 }
 
-func (pa *PasswordAuthenticator) getValidUserResponse(username string) (*OktaApiPrimaryResponseType, error) {
+func (pa *PasswordAuthenticator) GetValidUserResponse(username string) (*OktaApiPrimaryResponseType, error) {
 	pa.mutex.Lock()
 	userData, ok := pa.recentAuth[username]
 	defer pa.mutex.Unlock()
@@ -138,7 +138,7 @@ func (pa *PasswordAuthenticator) getValidUserResponse(username string) (*OktaApi
 }
 
 func (pa *PasswordAuthenticator) validateUserOTP(username string, otpValue int) (bool, error) {
-	userResponse, err := pa.getValidUserResponse(username)
+	userResponse, err := pa.GetValidUserResponse(username)
 	if err != nil {
 		return false, err
 	}
@@ -195,7 +195,7 @@ func (pa *PasswordAuthenticator) validateUserOTP(username string, otpValue int)
 }
 
 func (pa *PasswordAuthenticator) validateUserPush(username string) (PushResponse, error) {
-	userResponse, err := pa.getValidUserResponse(username)
+	userResponse, err := pa.GetValidUserResponse(username)
 	if err != nil {
 		return PushResponseRejected, err
 	}

diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go
@@ -201,7 +201,7 @@ func genericAuthenticateWithToken(
 	defer loginResp.Body.Close()
 	if loginResp.StatusCode != 200 {
 		logger.Printf("got error from login call %s", loginResp.Status)
-		return err
+		return fmt.Errorf("Failed to authenticate with token")
 	}
 
 	loginJSONResponse := proto.LoginResponse{}