Merge pull request #29 from aripalo/fix/yubikey-without-password

Fix: Yubikey without Password
aripalo · May 12, 2022 · 7704e3c · 7704e3c
2 parents 6ba4b7c + 285b782
commit 7704e3c
Show file tree

Hide file tree

Showing 9 changed files with 29 additions and 21 deletions.
diff --git a/internal/app/assume.go b/internal/app/assume.go
@@ -58,7 +58,7 @@ func (a *App) Assume(flags AssumeFlags) error {
 	// Catch timeout error and return a cleaner error message.
 	if err != nil {
 		if errors.Is(err, context.DeadlineExceeded) {
-			msg.Fatal(fmt.Sprintf("Operation Timeout"))
+			msg.Fatal("Operation Timeout")
 		}
 		msg.Fatal(fmt.Sprintf("Credentials: STS: %s", err))
 	}

diff --git a/internal/app/version_test.go b/internal/app/version_test.go
@@ -38,7 +38,7 @@ func TestVersion(t *testing.T) {
 			a := &App{dest: &output}
 			err := a.Version(test.input)
 			require.NoError(t, err)
-			actual := string(output.Bytes())
+			actual := output.String()
 			assert.Equal(t, test.expected, actual)
 		})
 	}

diff --git a/internal/credentials/cache.go b/internal/credentials/cache.go
@@ -65,13 +65,3 @@ func (c *Credentials) readFromCache() error {
 
 	return nil
 }
-
-// DeleteFromCache deletes the cached response cache database
-func (c *Credentials) deleteFromCache() error {
-	key, err := resolveKey(c.cfg.ProfileName, c.cfg.Checksum)
-	if err != nil {
-		return err
-	}
-
-	return c.repo.Delete(key)
-}
diff --git a/internal/multinput/multinput.go b/internal/multinput/multinput.go
@@ -2,7 +2,6 @@ package multinput
 
 import (
 	"context"
-	"time"
 )
 
 // Identifier for a single resolver.
@@ -17,7 +16,6 @@ type Result struct {
 
 // Multinput models the configuration/state.
 type Multinput struct {
-	timeout   time.Duration
 	results   chan *Result
 	resolvers []InputResolver
 }
@@ -33,8 +31,8 @@ func New(resolvers []InputResolver) Multinput {
 	}
 }
 
-// Provide runs the given resolvers and will keep waitig for first
-// non-empty value until timeout reached.
+// Provide runs the given resolvers and will keep waiting for first
+// non-empty value until timeout (defined by ctx) reached.
 func (m *Multinput) Provide(ctx context.Context) (*Result, error) {
 
 	// loop through all given resolvers, run them as goroutines and

diff --git a/internal/tmpl/write_test.go b/internal/tmpl/write_test.go
@@ -63,7 +63,7 @@ func TestWrite(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			var output bytes.Buffer
 			err := Write(&output, "test", test.template, test.input)
-			actual := string(output.Bytes())
+			actual := output.String()
 			assert.Equal(t, test.err, err)
 			assert.Equal(t, test.expected, actual)
 		})

diff --git a/internal/totp/message.go b/internal/totp/message.go
@@ -26,5 +26,5 @@ func formatInputMessage(enableGui bool, enableYubikey bool) string {
 	if err != nil {
 		msg.Fatal(err.Error())
 	}
-	return string(message.Bytes())
+	return message.String()
 }
diff --git a/internal/totp/totp.go b/internal/totp/totp.go
@@ -60,6 +60,8 @@ func GetCode(ctx context.Context, options Options) (string, error) {
 
 	code := result.Value
 
+	msg.Debug("ℹ️", fmt.Sprintf("MFA: Token received: \"%s\"", result.Value))
+
 	if !isValidToken(code) {
 		return code, errors.New("invalid mfa code") // TODO
 	}

diff --git a/internal/yubikey/setup/setup.go b/internal/yubikey/setup/setup.go
@@ -39,6 +39,9 @@ func Setup(options Options, store PasswordStore) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
+	msg.Debug("🔧", fmt.Sprintf("Yubikey: Device Serial: %s", options.Device))
+	msg.Debug("🔧", fmt.Sprintf("Yubikey: OATH Account: %s", options.Account))
+
 	oathAccounts, err := ykmangoath.New(ctx, options.Device)
 	if err != nil {
 		return fmt.Errorf("ykmangoat init: %w", err)
@@ -135,6 +138,16 @@ func stateMachine(state State, op Operation) State {
 			}
 		}
 		msg.Debug("🔓", "Yubikey: OATH application not password protected")
+
+		err := op.SetPassword("")
+		if err != nil {
+			msg.Warn("⚠️", fmt.Sprintf("Yubikey: Could not configure empty password: %s", err))
+			return State{
+				Name:  ERROR,
+				Error: errors.New("yubikey: could not configure empty password"),
+			}
+		}
+
 		return State{
 			Name: CHECK_DEVICE_HAS_ACCOUNT,
 		}
@@ -258,6 +271,7 @@ func stateMachine(state State, op Operation) State {
 	case CHECK_DEVICE_HAS_ACCOUNT:
 		has, err := op.HasAccount()
 		if err != nil {
+			msg.Debug("ℹ️", fmt.Sprintf("Yubikey: Failed to acquire account: %s", err))
 			return State{
 				Name:  ERROR,
 				Error: errors.New("yubikey: could not read accounts"),
@@ -270,6 +284,7 @@ func stateMachine(state State, op Operation) State {
 				Error: errors.New("yubikey: account not found"),
 			}
 		}
+		msg.Debug("ℹ️", "Yubikey: Account found")
 		return State{
 			Name: DONE,
 		}

diff --git a/internal/yubikey/setup/setup_test.go b/internal/yubikey/setup/setup_test.go
@@ -44,9 +44,12 @@ func TestStateMachine(t *testing.T) {
 			expected: State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
 		},
 		{
-			name:     "device not password protected",
-			input:    State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
-			op:       Operation{IsPasswordProtected: func() bool { return false }},
+			name:  "device not password protected",
+			input: State{Name: CHECK_DEVICE_PASSWORD_PROTECTED},
+			op: Operation{
+				IsPasswordProtected: func() bool { return false },
+				SetPassword:         func(string) error { return nil },
+			},
 			expected: State{Name: CHECK_DEVICE_HAS_ACCOUNT},
 		},
 		{