From e2035070bee77eede431c5f6bdd0615dbbbcfde2 Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Wed, 1 Jun 2022 14:41:52 -0700 Subject: [PATCH 1/5] adding new path channel to disconnect on bad response --- lib/client/twofa/pushtoken/pushtoken.go | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go index 2587ffb7..6aa31a28 100644 --- a/lib/client/twofa/pushtoken/pushtoken.go +++ b/lib/client/twofa/pushtoken/pushtoken.go @@ -94,6 +94,7 @@ func doGenericPushCheck(client *http.Client, baseURL string, pushType string, userAgentString string, + codeIsDone chan bool, logger log.DebugLogger, errorReturnDuration time.Duration) error { @@ -118,7 +119,15 @@ func doGenericPushCheck(client *http.Client, logger.Printf("") //To do a CR return nil } - time.Sleep(2 * time.Second) + select { + case codeSuccess := <-codeIsDone: + if codeSuccess { + return nil + } + continue + case <-time.After(2 * time.Second): + logger.Debugf(1, "doGenericPushCheck: timeout on checkGenericPollStatus loop") + } } err = errors.New("Vip Push Checked timeout out") @@ -203,14 +212,19 @@ func doGenericTokenPushAuthenticate( timeout := time.Duration(time.Duration(vipCheckTimeoutSecs) * time.Second) ch := make(chan error, 1) + doneCh := make(chan bool, 1) go func() { err := genericAuthenticateWithToken(client, baseURL, pushType, userAgentString, logger) + if err == nil { + doneCh <- true + } ch <- err }() go func() { err := doGenericPushCheck(client, baseURL, pushType, userAgentString, + doneCh, logger, timeout) ch <- err From 30236c93a9a5f730b64f0b916c420037cbbd0e35 Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Thu, 2 Jun 2022 07:51:38 -0700 Subject: [PATCH 2/5] more debug --- cmd/keymaster/main.go | 1 + cmd/keymasterd/2fa_okta.go | 1 + lib/authenticators/okta/impl.go | 1 + lib/client/twofa/pushtoken/pushtoken.go | 14 ++++++++++++++ 4 files changed, 17 insertions(+) 
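Review bot: The new `codeIsDone chan bool` parameter of doGenericPushCheck is undocumented, and the only value ever sent on it (by doGenericTokenPushAuthenticate, further down in this patch) is `true`, so a reader of the signature cannot tell what a `false` would mean or which goroutine is expected to send. A comment on the parameter line such as `// codeIsDone is signalled by the concurrent token path once it has authenticated; a true value makes this poll loop return nil without waiting for the push to complete.` would record the contract. The function's doc comment and body lie outside this hunk.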
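Review bot: The added `case codeSuccess := <-codeIsDone:` does not distinguish a received value from a closed channel: if `codeIsDone` is ever closed (the natural way for the sender to signal "I am finished, either way"), the receive yields false immediately on every iteration, the `continue` bypasses the 2-second wait, and the loop spins hot against the server until its own deadline expires. Reading with `codeSuccess, ok := <-codeIsDone` and treating `!ok` as terminal (return, or fall through to the poll delay) avoids that. The `time.After` branch's message `"doGenericPushCheck: timeout on checkGenericPollStatus loop"` is also misleading, since it fires on every ordinary poll interval rather than on a timeout; `"doGenericPushCheck: poll interval elapsed, re-checking push status"` describes what actually happened. The enclosing loop starts outside this hunk.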
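Review bot: `doneCh <- true` is sent only when genericAuthenticateWithToken returns nil, so when the token path fails the push-check goroutine never learns about it and keeps polling the server for up to its full deadline, even though the caller may already have received that error from `ch`. Because the channel only ever carries `true`, a `chan struct{}` that the goroutine closes regardless of outcome (paired with an `ok` check in doGenericPushCheck), or a `context.WithCancel` handed to both goroutines, would let the poll loop stop in both cases. Note also that both goroutines send their result on `ch`, which is buffered to 1; if the caller reads `ch` only once (not visible here), the second sender blocks forever, and with this change the push check now returns promptly after the token path succeeds, so the second send no longer waits for the timeout but still never completes. doGenericTokenPushAuthenticate continues outside this hunk.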
diff --git a/cmd/keymaster/main.go b/cmd/keymaster/main.go index 3183ed62..f9fad937 100644 --- a/cmd/keymaster/main.go +++ b/cmd/keymaster/main.go @@ -362,6 +362,7 @@ func setupCerts( } } + logger.Debugf(1, "SetupCerts: authenticaiton Complete") if err := signers.Wait(); err != nil { return err } diff --git a/cmd/keymasterd/2fa_okta.go b/cmd/keymasterd/2fa_okta.go index b3777607..06907f10 100644 --- a/cmd/keymasterd/2fa_okta.go +++ b/cmd/keymasterd/2fa_okta.go @@ -101,6 +101,7 @@ func (state *RuntimeState) oktaPushStartHandler(w http.ResponseWriter, r *http.R state.writeFailureResponse(w, r, http.StatusInternalServerError, "Failure when validating OKTA push") return } + logger.Debugf(2, "oktaPushStartHandler: after validating push response=%+v", pushResponse) switch pushResponse { case okta.PushResponseWaiting: w.WriteHeader(http.StatusOK) diff --git a/lib/authenticators/okta/impl.go b/lib/authenticators/okta/impl.go index e3a3ac1e..6a58bee0 100644 --- a/lib/authenticators/okta/impl.go +++ b/lib/authenticators/okta/impl.go @@ -202,6 +202,7 @@ func (pa *PasswordAuthenticator) validateUserPush(username string) (PushResponse if userResponse == nil { return PushResponseRejected, nil } + pa.logger.Debugf(2, "oktaAuthenticator: validsteUserPush: after getting userResponse=%+v", userResponse) for _, factor := range userResponse.Embedded.Factor { if !(factor.FactorType == "push" && factor.VendorName == "OKTA") { continue diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go index 6aa31a28..a38f5a8d 100644 --- a/lib/client/twofa/pushtoken/pushtoken.go +++ b/lib/client/twofa/pushtoken/pushtoken.go @@ -2,6 +2,7 @@ package pushtoken import ( "bufio" + "crypto/x509" "encoding/json" "errors" "fmt" 
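Review bot: The added `pa.logger.Debugf(2, "...: after getting userResponse=%+v", userResponse)` prints the entire cached Okta primary-authentication response at debug level 2; if `OktaApiPrimaryResponseType` carries the Okta session/state tokens or user profile fields (as the Okta authn response does), those end up in the daemon's debug log, where they are rarely protected like credentials. Prefer logging only what this code inspects, the factor list, e.g. `pa.logger.Debugf(2, "oktaAuthenticator: validateUserPush: %d factors in userResponse", len(userResponse.Embedded.Factor))`. The same full-struct logging is introduced again in the cmd/keymasterd/2fa_okta.go hunk of the third patch in this series (the `usedata for broken user` line). validateUserPush's body continues outside this hunk.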
@@ -20,6 +21,11 @@ import ( const vipCheckTimeoutSecs = 180 +func debugLogCert(messageSuffix string, cert *x509.Certificate, logger log.DebugLogger) { + logger.Debugf(2, "%s.issuer=%+v", messageSuffix, cert.Issuer) + logger.Debugf(2, "%s.subject=%+v", messageSuffix, cert.Subject) +} + func startGenericPush(client *http.Client, baseURL string, pushType string, @@ -42,6 +48,14 @@ func startGenericPush(client *http.Client, return err } defer pushStartResp.Body.Close() + + if pushStartResp.TLS != nil { + debugLogCert("startGenericPush peeerCerts[0]", pushStartResp.TLS.PeerCertificates[0], logger) + if pushStartResp.TLS.VerifiedChains != nil { + debugLogCert("startGenericPush verifiedcerts[0]", pushStartResp.TLS.VerifiedChains[0][0], logger) + } + } + // since we dont care about content we just consume it all. io.Copy(ioutil.Discard, pushStartResp.Body) if pushStartResp.StatusCode != 200 { From f0e8c7279ba733dd5439ee2036b6461b3f2ac39c Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Fri, 17 Jun 2022 08:32:19 -0700 Subject: [PATCH 3/5] missed commit --- cmd/keymasterd/2fa_okta.go | 11 +++++++++++ lib/authenticators/okta/impl.go | 6 +++--- lib/client/twofa/pushtoken/pushtoken.go | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/cmd/keymasterd/2fa_okta.go b/cmd/keymasterd/2fa_okta.go index 06907f10..175dfd48 100644 --- a/cmd/keymasterd/2fa_okta.go +++ b/cmd/keymasterd/2fa_okta.go 
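Review bot: debugLogCert is a new function with no doc comment, its `messageSuffix` parameter is actually used as a prefix in both format strings (`"%s.issuer=%+v", messageSuffix`), and `cert` is dereferenced unconditionally, so a nil argument panics inside a logging helper. Renaming the parameter to `messagePrefix`, adding `if cert == nil { return }` at the top, and a comment such as `// debugLogCert writes the issuer and subject of cert to the debug log (level 2), prefixed with messagePrefix, to help diagnose TLS trust problems.` would make it safe and self-explanatory.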
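Review bot: The new TLS logging block indexes `pushStartResp.TLS.PeerCertificates[0]` and `VerifiedChains[0][0]` after only nil-checking `VerifiedChains`; Go's client-side ConnectionState documents PeerCertificates as never empty and VerifiedChains as nil only when verification is skipped, so this holds for a standard *http.Client today, but `len(pushStartResp.TLS.PeerCertificates) > 0` and `len(pushStartResp.TLS.VerifiedChains) > 0` make the intent explicit and survive reuse with a custom transport. The log label `"startGenericPush peeerCerts[0]"` has a typo that the later typo-fix commit in this series does not touch; `"startGenericPush peerCerts[0]"`. startGenericPush continues outside this hunk.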
@@ -95,6 +95,17 @@ func (state *RuntimeState) oktaPushStartHandler(w http.ResponseWriter, r *http.R state.writeFailureResponse(w, r, http.StatusInternalServerError, "Apperent Misconfiguration") return } + userResponse, err := oktaAuth.GetValidUserResponse(authData.Username) + if err != nil { + logger.Debugf(2, "oktaPushStartHandler: ") + } + if len(userResponse.Embedded.Factor) < 1 { + logger.Printf("oktaPushStartHandler: user %s does not have valid authenticators", authData.Username) + logger.Debugf(2, "oktaPushStartHandler: usedata for broken user%s is :%s", authData.Username, userResponse) + state.writeFailureResponse(w, r, http.StatusPreconditionFailed, "No valid MFA authenticators available") + return + } + pushResponse, err := oktaAuth.ValidateUserPush(authData.Username) if err != nil { logger.Println(err) diff --git a/lib/authenticators/okta/impl.go b/lib/authenticators/okta/impl.go index 6a58bee0..09a8b096 100644 --- a/lib/authenticators/okta/impl.go +++ b/lib/authenticators/okta/impl.go @@ -122,7 +122,7 @@ func (pa *PasswordAuthenticator) passwordAuthenticate(username string, } } -func (pa *PasswordAuthenticator) getValidUserResponse(username string) (*OktaApiPrimaryResponseType, error) { +func (pa *PasswordAuthenticator) GetValidUserResponse(username string) (*OktaApiPrimaryResponseType, error) { pa.mutex.Lock() userData, ok := pa.recentAuth[username] defer pa.mutex.Unlock() @@ -138,7 +138,7 @@ func (pa *PasswordAuthenticator) getValidUserResponse(username string) (*OktaApi } func (pa *PasswordAuthenticator) validateUserOTP(username string, otpValue int) (bool, error) { - userResponse, err := pa.getValidUserResponse(username) + userResponse, err := pa.GetValidUserResponse(username) if err != nil { return false, err } 
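Review bot: When `oktaAuth.GetValidUserResponse` returns an error the new code only logs the empty message `"oktaPushStartHandler: "` and falls through to `userResponse.Embedded.Factor`; if the error path (or the nil-response-with-nil-error case that validateUserPush guards against in the same patch series) yields no response, that is a nil-pointer dereference in an HTTP handler, i.e. a panic per request instead of a controlled failure response. Both the error and nil cases should write a failure response and return, with the error included in the debug line; which status fits depends on what a GetValidUserResponse failure means (no recent password authentication would argue for an authentication failure rather than 500). Separately, `"oktaPushStartHandler: usedata for broken user%s is :%s"` formats the `*OktaApiPrimaryResponseType` with `%s`, which prints `%!s(...)` noise for non-string fields and dumps the whole cached Okta response into the log; `len(userResponse.Embedded.Factor)` is enough for this diagnosis, and the later typo-fix commit keeps the `%s`. oktaPushStartHandler continues outside this hunk.
```go
userResponse, err := oktaAuth.GetValidUserResponse(authData.Username)
if err != nil || userResponse == nil {
	logger.Debugf(2, "oktaPushStartHandler: GetValidUserResponse for user %s failed: %v", authData.Username, err)
	state.writeFailureResponse(w, r, http.StatusInternalServerError, "Failure when validating OKTA push")
	return
}
// … unchanged: factor-count check and StatusPreconditionFailed response …
```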
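Review bot: GetValidUserResponse becomes exported in this hunk but gains no doc comment, which Go requires for exported identifiers and which matters here because the method now hands the cached Okta primary-authentication response, with whatever tokens and profile data it carries, to callers outside the package. A comment such as `// GetValidUserResponse returns the Okta primary-authentication response cached in pa.recentAuth for username (populated by a recent password authentication, judging by the surrounding code), or an error if none is available; callers should treat the result as sensitive and inspect only the fields they need.` would set expectations for the new callers. The method's body continues outside this hunk.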
@@ -195,7 +195,7 @@ func (pa *PasswordAuthenticator) validateUserOTP(username string, otpValue int) } func (pa *PasswordAuthenticator) validateUserPush(username string) (PushResponse, error) { - userResponse, err := pa.getValidUserResponse(username) + userResponse, err := pa.GetValidUserResponse(username) if err != nil { return PushResponseRejected, err } diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go index a38f5a8d..d51f73be 100644 --- a/lib/client/twofa/pushtoken/pushtoken.go +++ b/lib/client/twofa/pushtoken/pushtoken.go @@ -201,7 +201,7 @@ func genericAuthenticateWithToken( defer loginResp.Body.Close() if loginResp.StatusCode != 200 { logger.Printf("got error from login call %s", loginResp.Status) - return err + return fmt.Errorf("Failed to authenticate with token") } loginJSONResponse := proto.LoginResponse{} From 2511e41477aa07e8f7354f9ea7d03f7caacb4dab Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Sun, 23 Jun 2024 09:37:54 -0700 Subject: [PATCH 4/5] fixing typos --- cmd/keymaster/main.go | 2 +- cmd/keymasterd/2fa_okta.go | 2 +- lib/authenticators/okta/impl.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/keymaster/main.go b/cmd/keymaster/main.go index 68e77fcb..8ed8620a 100644 --- a/cmd/keymaster/main.go +++ b/cmd/keymaster/main.go @@ -374,7 +374,7 @@ func setupCerts( } } - logger.Debugf(1, "SetupCerts: authenticaiton Complete") + logger.Debugf(1, "SetupCerts: authentication Complete") if err := signers.Wait(); err != nil { return err } diff --git a/cmd/keymasterd/2fa_okta.go b/cmd/keymasterd/2fa_okta.go index ffb793a5..1101e989 100644 --- a/cmd/keymasterd/2fa_okta.go +++ b/cmd/keymasterd/2fa_okta.go 
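Review bot: `return fmt.Errorf("Failed to authenticate with token")` fixes a real defect (the removed `return err` appears to have returned the nil error from the earlier request, so a non-200 login was reported as success), but it uses `fmt.Errorf` with no format verbs and a capitalised message; Go convention is a lowercase string, and including the status makes the error useful to the caller instead of only to the log: `return fmt.Errorf("authenticating with token: unexpected status %s", loginResp.Status)`. genericAuthenticateWithToken's body continues outside this hunk.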
@@ -101,7 +101,7 @@ func (state *RuntimeState) oktaPushStartHandler(w http.ResponseWriter, r *http.R } if len(userResponse.Embedded.Factor) < 1 { logger.Printf("oktaPushStartHandler: user %s does not have valid authenticators", authData.Username) - logger.Debugf(2, "oktaPushStartHandler: usedata for broken user%s is :%s", authData.Username, userResponse) + logger.Debugf(2, "oktaPushStartHandler: userdata for broken user%s is :%s", authData.Username, userResponse) state.writeFailureResponse(w, r, http.StatusPreconditionFailed, "No valid MFA authenticators available") return } diff --git a/lib/authenticators/okta/impl.go b/lib/authenticators/okta/impl.go index 6da0e366..6dcf1df3 100644 --- a/lib/authenticators/okta/impl.go +++ b/lib/authenticators/okta/impl.go @@ -202,7 +202,7 @@ func (pa *PasswordAuthenticator) validateUserPush(username string) (PushResponse if userResponse == nil { return PushResponseRejected, nil } - pa.logger.Debugf(2, "oktaAuthenticator: validsteUserPush: after getting userResponse=%+v", userResponse) + pa.logger.Debugf(2, "oktaAuthenticator: validateUserPush: after getting userResponse=%+v", userResponse) rvalue := PushResponseRejected for _, factor := range userResponse.Embedded.Factor { if !(factor.FactorType == "push" && factor.VendorName == "OKTA") { From 046af9a2ff35a9bd2f1c3ab6e6671a774a3f4dac Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Mon, 1 Jul 2024 12:55:00 -0700 Subject: [PATCH 5/5] addressed nit --- lib/client/twofa/pushtoken/pushtoken.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go index 5f516c73..ab67e2af 100644 --- a/lib/client/twofa/pushtoken/pushtoken.go +++ b/lib/client/twofa/pushtoken/pushtoken.go 
@@ -108,7 +108,7 @@ func doGenericPushCheck(client *http.Client, baseURL string, pushType string, userAgentString string, - codeIsDone chan bool, + codeIsDone <-chan bool, logger log.DebugLogger, errorReturnDuration time.Duration) error {