From 8651a042b6b25e2889a9c7e254aaa6edc1c8e548 Mon Sep 17 00:00:00 2001
From: joerger
Date: Mon, 28 Oct 2024 18:32:47 -0700
Subject: [PATCH] Move SSOSessionData to a more fitting package.

---
 lib/{services/sso_mfa.go => auth/mfa/session.go} | 9 ++++++---
 lib/auth/sso_mfa.go | 10 +++++-----
 lib/services/identity.go | 5 +++--
 lib/services/local/users.go | 7 ++++---
 lib/services/local/users_test.go | 3 ++-
 5 files changed, 20 insertions(+), 14 deletions(-)
 rename lib/{services/sso_mfa.go => auth/mfa/session.go} (87%)

diff --git a/lib/services/sso_mfa.go b/lib/auth/mfa/session.go
similarity index 87%
rename from lib/services/sso_mfa.go
rename to lib/auth/mfa/session.go
index b9c4b71962882..776d642bfa278 100644
--- a/lib/services/sso_mfa.go
+++ b/lib/auth/mfa/session.go
@@ -16,11 +16,11 @@
  * along with this program. If not, see .
  */
 
-package services
+package mfa
 
 import mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 
-// SSOMFASessionData SSO MFA Session data.
+// SSOMFASessionData is SSO MFA Session data.
 type SSOMFASessionData struct {
 	// RequestID is the ID of the corresponding SSO Auth request, which is used to
 	// identity this session.
@@ -38,7 +38,10 @@ type SSOMFASessionData struct {
 }
 
 // ChallengeExtensions is a json struct for [mfav1.ChallengeExtensions].
+//
+// The UserVerificationRequirement field from [mfav1.ChallengeExtensions]
+// has been omitted as it's only relevant to WebAuthn/Passwordless.
 type ChallengeExtensions struct {
-	Scope mfav1.ChallengeScope `json:"scope,omitempty"`
+	Scope mfav1.ChallengeScope `json:"scope"`
 	AllowReuse mfav1.ChallengeAllowReuse `json:"allow_reuse,omitempty"`
 }
diff --git a/lib/auth/sso_mfa.go b/lib/auth/sso_mfa.go
index 5508a3c6990df..72cbd0c61e1dd 100644
--- a/lib/auth/sso_mfa.go
+++ b/lib/auth/sso_mfa.go
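Review bot: The tag change from `json:"scope,omitempty"` to `json:"scope"` on ChallengeExtensions.Scope in the second hunk of lib/auth/mfa/session.go alters what is persisted for a session whose scope is unspecified (the zero value is now written instead of omitted), and neither the commit message, which only describes a package move, nor the struct comment says why. Please record the intent in the doc comment, e.g. `// Scope is always serialized, even when unspecified.`, or split the tag change into its own commit so the move stays a pure move. Sessions already stored without the field should still decode, since json.Unmarshal leaves an absent field at its zero value, but that is worth confirming against TestIdentityService_SSOMFASessionDataCRUD in users_test.go. The body of SSOMFASessionData continues outside the hunk.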
@@ -26,9 +26,9 @@ import (
 	"github.com/gravitational/teleport/api/constants"
 	mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/auth/mfa"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/defaults"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -136,12 +136,12 @@ func (a *Server) verifySSOMFASession(ctx context.Context, username, sessionID, t
 // upsertSSOMFASession upserts a new unverified SSO MFA session for the given username,
 // sessionID, connector details, and challenge extensions.
 func (a *Server) upsertSSOMFASession(ctx context.Context, user string, sessionID string, connectorID string, connectorType string, ext *mfav1.ChallengeExtensions) error {
-	err := a.UpsertSSOMFASessionData(ctx, &services.SSOMFASessionData{
+	err := a.UpsertSSOMFASessionData(ctx, &mfa.SSOMFASessionData{
 		Username: user,
 		RequestID: sessionID,
 		ConnectorID: connectorID,
 		ConnectorType: connectorType,
-		ChallengeExtensions: &services.ChallengeExtensions{
+		ChallengeExtensions: &mfa.ChallengeExtensions{
 			Scope: ext.Scope,
 			AllowReuse: ext.AllowReuse,
 		},
@@ -150,7 +150,7 @@ func (a *Server) upsertSSOMFASession(ctx context.Context, user string, sessionID
 }
 
 // UpsertSSOMFASessionWithToken upserts the given SSO MFA session with a random mfa token.
-func (a *Server) UpsertSSOMFASessionWithToken(ctx context.Context, sd *services.SSOMFASessionData) (token string, err error) {
+func (a *Server) UpsertSSOMFASessionWithToken(ctx context.Context, sd *mfa.SSOMFASessionData) (token string, err error) {
 	sd.Token, err = utils.CryptoRandomHex(defaults.TokenLenBytes)
 	if err != nil {
 		return "", trace.Wrap(err)
@@ -164,7 +164,7 @@ func (a *Server) UpsertSSOMFASessionWithToken(ctx context.Context, sd *services.
 }
 
 // GetSSOMFASession returns the SSO MFA session for the given username and sessionID.
-func (a *Server) GetSSOMFASession(ctx context.Context, sessionID string) (*services.SSOMFASessionData, error) {
+func (a *Server) GetSSOMFASession(ctx context.Context, sessionID string) (*mfa.SSOMFASessionData, error) {
 	sd, err := a.GetSSOMFASessionData(ctx, sessionID)
 	if err != nil {
 		return nil, trace.Wrap(err)
diff --git a/lib/services/identity.go b/lib/services/identity.go
index 938c331a7d882..92b8f62c0e8cd 100644
--- a/lib/services/identity.go
+++ b/lib/services/identity.go
@@ -34,6 +34,7 @@ import (
 	userspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/users/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/auth/mfa"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 	"github.com/gravitational/teleport/lib/defaults"
 )
@@ -249,10 +250,10 @@ type Identity interface {
 	// UpsertSSOMFASessionData creates or updates SSO MFA session data in
 	// storage, for the purpose of later verifying an MFA authentication attempt.
 	// SSO MFA session data is expected to expire according to backend settings.
-	UpsertSSOMFASessionData(ctx context.Context, sd *SSOMFASessionData) error
+	UpsertSSOMFASessionData(ctx context.Context, sd *mfa.SSOMFASessionData) error
 
 	// GetSSOMFASessionData retrieves SSO MFA session data by ID.
-	GetSSOMFASessionData(ctx context.Context, sessionID string) (*SSOMFASessionData, error)
+	GetSSOMFASessionData(ctx context.Context, sessionID string) (*mfa.SSOMFASessionData, error)
 
 	// DeleteSSOMFASessionData deletes SSO MFA session data by ID.
 	DeleteSSOMFASessionData(ctx context.Context, sessionID string) error
diff --git a/lib/services/local/users.go b/lib/services/local/users.go
index 0efa92d691593..f18df2e6b3c0c 100644
--- a/lib/services/local/users.go
+++ b/lib/services/local/users.go
@@ -48,6 +48,7 @@ import (
 	"github.com/gravitational/teleport/api/internalutils/stream"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/auth/mfa"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/defaults"
@@ -1884,7 +1885,7 @@ func (s *IdentityService) GetSSODiagnosticInfo(ctx context.Context, authKind str
 	return &req, nil
 }
 
-func (s *IdentityService) UpsertSSOMFASessionData(ctx context.Context, sd *services.SSOMFASessionData) error {
+func (s *IdentityService) UpsertSSOMFASessionData(ctx context.Context, sd *mfa.SSOMFASessionData) error {
 	switch {
 	case sd == nil:
 		return trace.BadParameter("missing parameter sd")
@@ -1910,7 +1911,7 @@ func (s *IdentityService) UpsertSSOMFASessionData(ctx context.Context, sd *servi
 	return trace.Wrap(err)
 }
 
-func (s *IdentityService) GetSSOMFASessionData(ctx context.Context, sessionID string) (*services.SSOMFASessionData, error) {
+func (s *IdentityService) GetSSOMFASessionData(ctx context.Context, sessionID string) (*mfa.SSOMFASessionData, error) {
 	if sessionID == "" {
 		return nil, trace.BadParameter("missing parameter sessionID")
 	}
@@ -1919,7 +1920,7 @@ func (s *IdentityService) GetSSOMFASessionData(ctx context.Context, sessionID st
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	sd := &services.SSOMFASessionData{}
+	sd := &mfa.SSOMFASessionData{}
 	return sd, trace.Wrap(json.Unmarshal(item.Value, sd))
 }
 
diff --git a/lib/services/local/users_test.go b/lib/services/local/users_test.go
index e0f97d17d5110..eef4372cc6274 100644
--- a/lib/services/local/users_test.go
+++ b/lib/services/local/users_test.go
@@ -45,6 +45,7 @@ import (
 	userspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/users/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/auth/mfa"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/memory"
@@ -1748,7 +1749,7 @@ func TestIdentityService_SSOMFASessionDataCRUD(t *testing.T) {
 	identity := newIdentityService(t, clockwork.NewFakeClock())
 
 	// Verify create.
-	sd := &services.SSOMFASessionData{
+	sd := &mfa.SSOMFASessionData{
 		RequestID: "request",
 		Username: "alice",
 		ConnectorID: "saml",