rework challenge handling to expect exactly one challenge

Signed-off-by: Ashley Davis <[email protected]>

Author: SgtCoDFish

pkg/internal/cyberark/identity/identity.go

@@ -172,7 +172,8 @@ type advanceAuthenticationResponseResult struct {
 	// Other fields omitted as they're not needed
 }
 
-// Client is an client for interacting with the CyberArk Identity API and performing a login
+// Client is an client for interacting with the CyberArk Identity API and performing a login using a username and password.
+// For context on the behaviour of this client, see the Pytho SDK: https://github.com/cyberark/ark-sdk-python/blob/3be12c3f2d3a2d0407025028943e584b6edc5996/ark_sdk_python/auth/identity/ark_identity.py
 type Client struct {
 	client *http.Client
 
@@ -331,41 +332,41 @@ func (c *Client) doStartAuthentication(ctx context.Context, username string) (ad
 		klog.FromContext(ctx).Info("got an unexpected Summary from StartAuthentication response; will attempt to complete a login challenge anyway", "summary", startAuthResponse.Result.Summary)
 	}
 
-	if len(startAuthResponse.Result.Challenges) == 0 {
+	// We can only handle a UP type challenge, and if there are any other challenges, we'll have to fail because we can't handle them.
+	// https://github.com/cyberark/ark-sdk-python/blob/3be12c3f2d3a2d0407025028943e584b6edc5996/ark_sdk_python/auth/identity/ark_identity.py#L405
+	switch len(startAuthResponse.Result.Challenges) {
+	case 0:
 		return response, fmt.Errorf("got no valid challenges in response to start authentication; unable to log in")
-	}
 
-	mechanismID := ""
+	case 1:
+		// do nothing, this is ideal
 
-	for i, challenge := range startAuthResponse.Result.Challenges {
-		logger.V(logs.Debug).Info("found a challenge", "idx", i, "mechanismCount", len(challenge.Mechanisms))
+	default:
+		return response, fmt.Errorf("got %d challenges in response to start authentication, which means MFA may be enabled; unable to log in", len(startAuthResponse.Result.Challenges))
+	}
 
-		if len(challenge.Mechanisms) == 0 {
-			// presumably this shouldn't happen, but handle the case anyway
-			logger.Info("got no mechanisms for challenge from Identity server; skipping this challenge")
-			continue
-		}
+	challenge := startAuthResponse.Result.Challenges[0]
 
-		for j, mechanism := range challenge.Mechanisms {
-			logger.V(logs.Debug).Info("found a mechanism in challenge", "idx", j, "enrolled", mechanism.Enrolled, "name", mechanism.Name)
+	switch len(challenge.Mechanisms) {
+	case 0:
+		// presumably this shouldn't happen, but handle the case anyway
+		return response, fmt.Errorf("got no mechanisms for challenge from Identity server")
 
-			if !mechanism.Enrolled || mechanism.Name != MechanismUsernamePassword {
-				continue
-			}
+	case 1:
+		// do nothing, this is ideal
 
-			// got a username/password mechanism, so use it
-			mechanismID = mechanism.MechanismID
-			break
-		}
+	default:
+		return response, fmt.Errorf("got %d mechanisms in response to start authentication, which means MFA may be enabled; unable to log in", len(challenge.Mechanisms))
 	}
 
-	if mechanismID == "" {
-		klog.FromContext(ctx).Info("ctx", "response", startAuthResponse)
+	mechanism := challenge.Mechanisms[0]
+
+	if !mechanism.Enrolled || mechanism.Name != MechanismUsernamePassword {
 		return response, errNoUPMechanism
 	}
 
 	response.Action = ActionAnswer
-	response.MechanismID = mechanismID
+	response.MechanismID = mechanism.MechanismID
 	response.SessionID = startAuthResponse.Result.SessionID
 	response.TenantID = c.subdomain
 	response.PersistantLogin = true

pkg/internal/cyberark/identity/mock.go

@@ -14,7 +14,8 @@ import (
 
 const (
 	successUser                   = "[email protected]"
-	successUserChallengesSwitched = "[email protected]"
+	successUserMultipleChallenges = "[email protected]"
+	successUserMultipleMechanisms = "[email protected]"
 	noUPMechanism                 = "[email protected]"
 
 	successMechanismID = "aaaaaaa_AAAAAAAAAAAAAAAAAAAAAAAAAAAA-1111111"
@@ -31,8 +32,11 @@ var (
 	//go:embed testdata/start_authentication_success.json
 	startAuthenticationSuccessResponse string
 
-	//go:embed testdata/start_authentication_success_challenges_switched.json
-	startAuthenticationSuccessChallengesSwitchedResponse string
+	//go:embed testdata/start_authentication_success_multiple_challenges.json
+	startAuthenticationSuccessMultipleChallengesResponse string
+
+	//go:embed testdata/start_authentication_success_multiple_mechanisms.json
+	startAuthenticationSuccessMultipleMechanismsResponse string
 
 	//go:embed testdata/start_authentication_success_no_up_mechanism.json
 	startAuthenticationNoUPMechanismResponse string
@@ -136,9 +140,13 @@ func (mis *mockIdentityServer) handleStartAuthentication(w http.ResponseWriter,
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte(startAuthenticationSuccessResponse))
 
-	case successUserChallengesSwitched:
+	case successUserMultipleChallenges:
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(startAuthenticationSuccessMultipleChallengesResponse))
+
+	case successUserMultipleMechanisms:
 		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(startAuthenticationSuccessChallengesSwitchedResponse))
+		_, _ = w.Write([]byte(startAuthenticationSuccessMultipleMechanismsResponse))
 
 	case noUPMechanism:
 		w.WriteHeader(http.StatusOK)

pkg/internal/cyberark/identity/start_authentication_test.go

@@ -18,9 +18,13 @@ func Test_IdentityStartAuthentication(t *testing.T) {
 			username:      successUser,
 			expectedError: nil,
 		},
-		"successful request, challenges switched": {
-			username:      successUserChallengesSwitched,
-			expectedError: nil,
+		"successful request, multiple challenges": {
+			username:      successUserMultipleChallenges,
+			expectedError: fmt.Errorf("got 2 challenges in response to start authentication, which means MFA may be enabled; unable to log in"),
+		},
+		"successful request, multiple mechanisms": {
+			username:      successUserMultipleMechanisms,
+			expectedError: fmt.Errorf("got 2 mechanisms in response to start authentication, which means MFA may be enabled; unable to log in"),
 		},
 		"successful request, no username / password (UP) mechanism available": {
 			username:      noUPMechanism,

pkg/internal/cyberark/identity/testdata/start_authentication_success.json

@@ -25,19 +25,6 @@
             "Enrolled": true
           }
         ]
-      },
-      {
-        "Mechanisms": [
-          {
-            "AnswerType": "StartOob",
-            "Name": "PF",
-            "PartialPhoneNumber": "0775",
-            "PromptMechChosen": "We will now attempt to call your phone (0000). Please follow the instructions to proceed with authentication.",
-            "PromptSelectMech": "Phone Call... XXX-0000",
-            "MechanismId": "bbbbbbb_BBBBBBBBBBBBBBBBBBBBBBBBBBBB-2222222",
-            "Enrolled": true
-          }
-        ]
       }
     ],
     "Summary": "NewPackage",

pkg/internal/cyberark/identity/testdata/start_authentication_success_challenges_switched.json renamed to pkg/internal/cyberark/identity/testdata/start_authentication_success_multiple_challenges.json

@@ -0,0 +1,49 @@
+{
+  "success": true,
+  "Result": {
+    "ClientHints": {
+      "PersistDefault": false,
+      "AllowPersist": true,
+      "AllowForgotPassword": true,
+      "EndpointAuthenticationEnabled": false
+    },
+    "Version": "1.0",
+    "SessionId": "mysessionid101",
+    "EventDescription": null,
+    "RetryWaitingTime": 0,
+    "SecurityImageName": null,
+    "AllowLoginMfaCache": false,
+    "Challenges": [
+      {
+        "Mechanisms": [
+          {
+            "AnswerType": "Text",
+            "Name": "UP",
+            "PromptMechChosen": "Enter Password",
+            "PromptSelectMech": "Password",
+            "MechanismId": "aaaaaaa_AAAAAAAAAAAAAAAAAAAAAAAAAAAA-1111111",
+            "Enrolled": true
+          },
+          {
+            "AnswerType": "StartOob",
+            "Name": "PF",
+            "PartialPhoneNumber": "0775",
+            "PromptMechChosen": "We will now attempt to call your phone (0000). Please follow the instructions to proceed with authentication.",
+            "PromptSelectMech": "Phone Call... XXX-0000",
+            "MechanismId": "bbbbbbb_BBBBBBBBBBBBBBBBBBBBBBBBBBBB-2222222",
+            "Enrolled": true
+          }
+        ]
+      }
+    ],
+    "Summary": "NewPackage",
+    "TenantId": "TENANTID"
+  },
+  "Message": null,
+  "MessageID": null,
+  "Exception": null,
+  "ErrorID": null,
+  "ErrorCode": null,
+  "IsSoftError": false,
+  "InnerExceptions": null
+}