From b8e6dc9852522230a680fdcd3a0c1132aeb6f622 Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Mon, 30 Oct 2023 09:55:32 -0700 Subject: [PATCH 1/3] Also adding debug messages --- Makefile | 2 +- keymaster.spec | 2 +- lib/client/twofa/twofa.go | 103 +++++++++++++++++++++++--------------- 3 files changed, 66 insertions(+), 41 deletions(-) diff --git a/Makefile b/Makefile index 054b34b6..256550de 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ endif BINARY=keymaster # These are the values we want to pass for Version and BuildTime -VERSION=1.14.0 +VERSION=1.14.1 #BUILD_TIME=`date +%FT%T%z` # Setup the -ldflags option for go build here, interpolate the variable values diff --git a/keymaster.spec b/keymaster.spec index 54374947..a43f6be7 100644 --- a/keymaster.spec +++ b/keymaster.spec @@ -1,5 +1,5 @@ Name: keymaster -Version: 1.14.0 +Version: 1.14.1 Release: 1%{?dist} Summary: Short term access certificate generator and client diff --git a/lib/client/twofa/twofa.go b/lib/client/twofa/twofa.go index e22945e2..21cf1e54 100644 --- a/lib/client/twofa/twofa.go +++ b/lib/client/twofa/twofa.go 
@@ -123,6 +123,67 @@ func doCertRequestInternal(client *http.Client, return ioutil.ReadAll(resp.Body) } +// tryFidoMFA performs a fido authentication step +// If there are no devices connected it will return false, nil +// if there are fido devices connected it will return +// true, nil on successul MFA and false, error on failure to +// perform the Fido authentication +func tryFidoMFA( + baseUrl string, + client *http.Client, + userAgentString string, + logger log.DebugLogger, +) (bool, error) { + // Linux support for the new library is not quite correct + // so for now we keep using the old library (pure u2f) + // for linux cli as default. Windows 10 and MacOS have been + // tested successfully. + // The env variable allows us to swap what library is used by + // default + useWebAuthh := true + if runtime.GOOS == "linux" { + useWebAuthh = false + } + if os.Getenv("KEYMASTER_USEALTU2FLIB") != "" { + useWebAuthh = !useWebAuthh + } + var err error + if useWebAuthh { + devices := u2fhost.Devices() + if devices == nil || len(devices) < 1 { + logger.Debugf(2, "No Fido devices found") + return false, nil + } + err = u2f.WithDevicesDoWebAuthnAuthenticate(devices, + client, baseUrl, userAgentString, logger) + if err != nil { + logger.Printf("Error doing hid webathentication err=%s", err) + return false, err + } + return true, nil + + } else { + devices, err := u2fhid.Devices() + if err != nil { + logger.Printf("could not open hid devices err=%s", err) + return false, err + } + if len(devices) < 1 { + logger.Debugf(2, "No Fido devices found") + return false, nil + } + err = u2f.DoU2FAuthenticate( + client, baseUrl, userAgentString, logger) + if err != nil { + + return false, err + } + return true, nil + + } + return false, nil +} + // This assumes the http client has a non-nul cookie jar func authenticateUser( userName string, 
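Review bot: In tryFidoMFA's pure-u2f branch the error from `u2f.DoU2FAuthenticate` is returned without being logged, while the webauthn branch reports its failure with `logger.Printf`, so a U2F failure leaves no trace in the client log at the point where it happens; the blank line before that `return false, err` is where `logger.Printf("Error doing u2f authentication err=%s", err)` belongs (the same lines are carried into the second patch of this series). The `devices == nil ||` test on the webauthn path is redundant, since `len` of a nil slice is 0, and `devices, err := u2fhid.Devices()` shadows the `var err error` declared just above it. The doc comment has "successul" and the webauthn log message has "webathentication"; the doc comment would also help by stating that `KEYMASTER_USEALTU2FLIB` inverts the per-OS library default, which is currently only explained inline. The `authenticateUser` signature at the end of the hunk continues outside it.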
@@ -227,49 +288,13 @@ func authenticateUser( // upgrade to u2f successful2fa := false - // Linux support for the new library is not quite correct - // so for now we keep using the old library (pure u2f) - // for linux cli as default. Windows 10 and MacOS have been - // tested successfully. - // The env variable allows us to swap what library is used by - // default - useWebAuthh := true - if runtime.GOOS == "linux" { - useWebAuthh = false - } - if os.Getenv("KEYMASTER_USEALTU2FLIB") != "" { - useWebAuthh = !useWebAuthh - } if !skip2fa { if allowU2F { - if useWebAuthh { - err = u2f.WithDevicesDoWebAuthnAuthenticate(u2fhost.Devices(), - client, baseUrl, userAgentString, logger) - if err != nil { - logger.Printf("Error doing hid webathentication err=%s", err) - return err - } - successful2fa = true - - } else { - devices, err := u2fhid.Devices() - if err != nil { - logger.Printf("could not open hid devices err=%s", err) - return err - } - if len(devices) > 0 { - - err = u2f.DoU2FAuthenticate( - client, baseUrl, userAgentString, logger) - if err != nil { - - return err - } - successful2fa = true - } + successful2fa, err = tryFidoMFA(baseUrl, client, userAgentString, logger) + if err != nil { + return err } } - if allowTOTP && !successful2fa { err = totp.DoTOTPAuthenticate( client, baseUrl, userAgentString, logger) From ed5aa887aabd87ecc3bf02145e50a20dfd24448f Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Mon, 30 Oct 2023 10:07:44 -0700 Subject: [PATCH 2/3] aslo pass via golint --- lib/client/twofa/twofa.go | 64 ++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 34 deletions(-) diff --git a/lib/client/twofa/twofa.go b/lib/client/twofa/twofa.go index 21cf1e54..2110ee65 100644 --- a/lib/client/twofa/twofa.go +++ b/lib/client/twofa/twofa.go 
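Review bot: The new `successful2fa, err = tryFidoMFA(baseUrl, client, userAgentString, logger)` call relies on the helper's (false, nil) result to fall through to TOTP, but nothing at the call site says that a missing device and a failed FIDO authentication are handled differently, one falling through and the other aborting the login via `return err`. A one-line comment above the call, `// (false, nil) means no FIDO device was present: fall through to the remaining factors; any other error aborts the login.`, would make the fallback visible where the other factors are chained. authenticateUser begins and ends outside this hunk.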
@@ -68,7 +68,7 @@ func createKeyBodyRequest(method, urlStr, filedata string) (*http.Request, error } func doCertRequest(signer crypto.Signer, client *http.Client, userName string, - baseUrl, + baseURL, certType string, addGroups bool, userAgentString string, logger log.DebugLogger) ([]byte, error) { @@ -97,15 +97,15 @@ func doCertRequest(signer crypto.Signer, client *http.Client, userName string, urlPostfix = "&addGroups=true" logger.Debugln(0, "adding \"addGroups\" to request") } - requestURL := baseUrl + "/certgen/" + userName + "?type=" + certType + urlPostfix + requestURL := baseURL + "/certgen/" + userName + "?type=" + certType + urlPostfix return doCertRequestInternal(client, requestURL, serializedPubkey, userAgentString, logger) } func doCertRequestInternal(client *http.Client, - url, filedata string, + targetURL, filedata string, userAgentString string, logger log.Logger) ([]byte, error) { - req, err := createKeyBodyRequest("POST", url, filedata) + req, err := createKeyBodyRequest("POST", targetURL, filedata) if err != nil { return nil, err } @@ -118,7 +118,7 @@ func doCertRequestInternal(client *http.Client, defer resp.Body.Close() if resp.StatusCode != 200 { - return nil, fmt.Errorf("got error from call %s, url='%s'\n", resp.Status, url) + return nil, fmt.Errorf("got error from call %s, url='%s'", resp.Status, targetURL) } return ioutil.ReadAll(resp.Body) } @@ -129,7 +129,7 @@ func doCertRequestInternal(client *http.Client, // true, nil on successul MFA and false, error on failure to // perform the Fido authentication func tryFidoMFA( - baseUrl string, + baseURL string, client *http.Client, userAgentString string, logger log.DebugLogger, 
@@ -148,21 +148,7 @@ func tryFidoMFA( useWebAuthh = !useWebAuthh } var err error - if useWebAuthh { - devices := u2fhost.Devices() - if devices == nil || len(devices) < 1 { - logger.Debugf(2, "No Fido devices found") - return false, nil - } - err = u2f.WithDevicesDoWebAuthnAuthenticate(devices, - client, baseUrl, userAgentString, logger) - if err != nil { - logger.Printf("Error doing hid webathentication err=%s", err) - return false, err - } - return true, nil - - } else { + if !useWebAuthh { devices, err := u2fhid.Devices() if err != nil { logger.Printf("could not open hid devices err=%s", err) @@ -173,22 +159,32 @@ func tryFidoMFA( return false, nil } err = u2f.DoU2FAuthenticate( - client, baseUrl, userAgentString, logger) + client, baseURL, userAgentString, logger) if err != nil { return false, err } return true, nil - } - return false, nil + devices := u2fhost.Devices() + if devices == nil || len(devices) < 1 { + logger.Debugf(2, "No Fido devices found") + return false, nil + } + err = u2f.WithDevicesDoWebAuthnAuthenticate(devices, + client, baseURL, userAgentString, logger) + if err != nil { + logger.Printf("Error doing hid webathentication err=%s", err) + return false, err + } + return true, nil } // This assumes the http client has a non-nul cookie jar func authenticateUser( userName string, password []byte, - baseUrl string, + baseURL string, skip2fa bool, client *http.Client, userAgentString string, @@ -196,11 +192,11 @@ func authenticateUser( if client == nil { return fmt.Errorf("http client is nil") } - loginUrl := baseUrl + proto.LoginPath + loginURL := baseURL + proto.LoginPath form := url.Values{} form.Add("username", userName) form.Add("password", string(password[:])) - req, err := http.NewRequest("POST", loginUrl, + req, err := http.NewRequest("POST", loginURL, strings.NewReader(form.Encode())) if err != nil { return err 
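Review bot: In the restructured tryFidoMFA (the -148 and -173 hunks) `var err error` is kept before `if !useWebAuthh {`, but that block immediately shadows it with `devices, err := u2fhid.Devices()`, so the outer variable is only used by the webauthn path below; dropping the `var err error` line and writing `err := u2f.WithDevicesDoWebAuthnAuthenticate(devices,` removes the shadowing that lint tools tend to flag without changing behaviour. The function's signature and the computation of `useWebAuthh` lie outside the first hunk.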
@@ -290,14 +286,14 @@ func authenticateUser( if !skip2fa { if allowU2F { - successful2fa, err = tryFidoMFA(baseUrl, client, userAgentString, logger) + successful2fa, err = tryFidoMFA(baseURL, client, userAgentString, logger) if err != nil { return err } } if allowTOTP && !successful2fa { err = totp.DoTOTPAuthenticate( - client, baseUrl, userAgentString, logger) + client, baseURL, userAgentString, logger) if err != nil { return err @@ -306,7 +302,7 @@ func authenticateUser( } if allowVIP && !successful2fa { err = pushtoken.DoVIPAuthenticate( - client, baseUrl, userAgentString, logger) + client, baseURL, userAgentString, logger) if err != nil { return err @@ -316,7 +312,7 @@ func authenticateUser( // TODO: do better logic when both VIP and OKTA are configured if allowOkta2FA && !successful2fa { err = pushtoken.DoOktaAuthenticate( - client, baseUrl, userAgentString, logger) + client, baseURL, userAgentString, logger) if err != nil { return err } @@ -340,9 +336,9 @@ func authenticateToTargetUrls( skip2fa bool, client *http.Client, userAgentString string, - logger log.DebugLogger) (baseUrl string, err error) { + logger log.DebugLogger) (baseURL string, err error) { - for _, baseUrl = range targetUrls { + for _, baseURL = range targetUrls { logger.Printf("attempting to target '%s' for '%s'\n", baseUrl, userName) err = authenticateUser( userName, @@ -355,7 +351,7 @@ func authenticateToTargetUrls( if err != nil { continue } - return baseUrl, nil + return baseURL, nil } return "", fmt.Errorf("Failed to Authenticate to any URL") From 7e1baa90e17259747e154070930db1d38d917b3b Mon Sep 17 00:00:00 2001 From: Camilo Viecco Date: Mon, 30 Oct 2023 10:18:54 -0700 Subject: [PATCH 3/3] missed rename --- lib/client/twofa/twofa.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/client/twofa/twofa.go b/lib/client/twofa/twofa.go index 2110ee65..4cf0d09b 100644 --- a/lib/client/twofa/twofa.go +++ b/lib/client/twofa/twofa.go 
@@ -339,11 +339,11 @@ func authenticateToTargetUrls( logger log.DebugLogger) (baseURL string, err error) { for _, baseURL = range targetUrls { - logger.Printf("attempting to target '%s' for '%s'\n", baseUrl, userName) + logger.Printf("attempting to target '%s' for '%s'\n", baseURL, userName) err = authenticateUser( userName, password, - baseUrl, + baseURL, skip2fa, client, userAgentString,