Skip to content

Allow MFA devices with / in names to be deleted from UI#11011

Closed
probakowski wants to merge 1 commit into
masterfrom
probakowski/delete-mfa-slashes
Closed

Allow MFA devices with / in names to be deleted from UI#11011
probakowski wants to merge 1 commit into
masterfrom
probakowski/delete-mfa-slashes

Conversation

@probakowski

Copy link
Copy Markdown
Contributor

Currently MFA devices with / in names can't be removed from UI because httprouter can't match correct route as it sees additional path segments despite :devicename being correctly escaped (go doesn't treat encoded reserved characters as different from unescaped, deviating from RFC).
This change fixes that by using catch-all route instead, which captures all characters past /device.

@probakowski probakowski added bug mfa Issues related to Multi Factor Authentication labels Mar 9, 2022
@probakowski probakowski changed the title Allow MFA devices with / in names to be deleted Allow MFA devices with / in names to be deleted from UI Mar 9, 2022
@github-actions github-actions Bot requested review from greedy52 and nklaassen March 9, 2022 21:42

@Tener Tener left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change fixes the problem with /webapi/mfa/token/:token/devices/:devicename endpoint, but does not address other endpoints with exact same problem e.g. /webapi/sites/:site/desktops/:desktopName.

I believe the proper fix should be done at the library level, e.g. by forking httprouter and applying julienschmidt/httprouter#209 which was raised to address this exact issue, or in any other way which ensures syntax :param works with encoded parameter values.

Doing so will also work towards resolving #10576

@nklaassen nklaassen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally agreed with @Tener that we should try to fix this by properly handling escaped characters

Comment thread lib/web/mfa.go
if err := h.GetProxyClient().DeleteMFADeviceSync(r.Context(), &proto.DeleteMFADeviceSyncRequest{
TokenID: p.ByName("token"),
DeviceName: p.ByName("devicename"),
DeviceName: p.ByName("devicename")[1:],

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what does this change do?

Comment thread lib/web/apiserver_test.go
Comment on lines +2267 to +2268
_, err = clt.Delete(ctx, pack.clt.Endpoint("webapi", "mfa", "token", privilegeToken, "devices", enc))
require.NoError(t, err)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While we're here testing this, any cases where there should be an error? Can you try to delete a device that doesn't exist, or you don't have permissions for?

@Tener

Tener commented Mar 11, 2022

Copy link
Copy Markdown
Contributor

I went ahead and tested (#11068) that the comprehensive fix appears to be to:

  • use patched version of httprouter
  • enable .UseRawPath option added by the patched version.

What do you think?

To be clear, I think we want to reference our own fork of httprouter instead of a third-party one, but for POC I think this is good enough.

@r0mant

r0mant commented Mar 23, 2022

Copy link
Copy Markdown
Collaborator

@probakowski @Tener Hey guys, if we're going in a different direction like @Tener mentioned, should this one be closed?

@Tener

Tener commented Mar 24, 2022

Copy link
Copy Markdown
Contributor

@probakowski @Tener Hey guys, if we're going in a different direction like @Tener mentioned, should this one be closed?

Yeah, I think this makes sense. The tests are definitely useful to show the issue is fixed though.

@probakowski

Copy link
Copy Markdown
Contributor Author

Yes, that makes sense, I'll close this one

@zmb3 zmb3 deleted the probakowski/delete-mfa-slashes branch April 26, 2023 21:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug mfa Issues related to Multi Factor Authentication

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants