1128 - Print the entropy to stderr regardless of quiet mode

pkg/provider/aad/aad.go

@@ -9,6 +9,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"os"
 	"strings"
 	"time"
 
@@ -465,7 +466,10 @@ func (ac *Client) processMfa(mfas []userProof, convergedResponse *ConvergedRespo
 			if mfaResp.Entropy == 0 {
 				log.Println("Phone approval required.")
 			} else {
+				prevWriter := log.Writer()
+				log.SetOutput(os.Stderr)
 				log.Printf("Phone approval required. Entropy is: %d", mfaResp.Entropy)
+				log.SetOutput(prevWriter)
 			}
 		}
 

pkg/provider/aad/aad_test.go

@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"io"
 	"math"
 	mrand "math/rand"
 	"net/http"
@@ -62,6 +63,8 @@ type FixtureData struct {
 	UserName                              string // [email protected]
 	UserNameUrlEncoded                    string // exampleuser%40exampledomain.com
 	SErrorCode                            string // 50058
+	AuthMethodId                          string // OneWaySMS
+	Entropy                               string // 0
 }
 
 var fixtureData *FixtureData
@@ -89,6 +92,8 @@ func genFixtureData() *FixtureData {
 			ProofUpToken:                          genBase64Fixture(400),
 			UserName:                              "[email protected]",
 			UserNameUrlEncoded:                    "exampleuser%40exampledomain.com",
+			AuthMethodId:                          "OneWaySMS",
+			Entropy:                               "0",
 		}
 	})
 	return fixtureData
@@ -360,6 +365,69 @@ func Test_Authenticate(t *testing.T) {
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "502031")
 	})
+	t.Run("Default login with KMSI and MFA with entropy", func(t *testing.T) {
+		entropy := genIntFixture(2)
+		ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch r.URL.Path {
+			case "/index", "/applications/redirecttofederatedapplication.aspx":
+				writeFixtureBytes(t, w, r, "ConvergedSignIn.html", FixtureData{
+					UrlPost:              "/defaultLogin",
+					UrlGetCredentialType: "/getCredentialType",
+				})
+			case "/getCredentialType":
+				writeFixtureBytes(t, w, r, "GetCredentialType_default.json", FixtureData{})
+			case "/defaultLogin":
+				writeFixtureBytes(t, w, r, "KmsiInterrupt.html", FixtureData{
+					UrlPost: "/hForm",
+				})
+			case "/hForm":
+				writeFixtureBytes(t, w, r, "HiddenForm.html", FixtureData{
+					UrlHiddenForm: "/sRequest",
+				})
+			case "/sRequest":
+				writeFixtureBytes(t, w, r, "SAMLRequest.html", FixtureData{
+					UrlSamlRequest: "/sResponse?SAMLRequest=ExampleValue",
+				})
+			case "/sResponse":
+				writeFixtureBytes(t, w, r, "ConvergedTFA.html", FixtureData{
+					UrlPost:      "/processAuth",
+					UrlBeginAuth: "/beginAuth",
+					UrlEndAuth:   "/endAuth",
+				})
+			case "/beginAuth":
+				writeFixtureBytes(t, w, r, "BeginAuth.json", FixtureData{
+					AuthMethodId: "PhoneAppNotification",
+					Entropy:      entropy,
+				})
+			case "/endAuth":
+				writeFixtureBytes(t, w, r, "EndAuth.json", FixtureData{
+					AuthMethodId: "PhoneAppNotification",
+					Entropy:      entropy,
+				})
+			case "/processAuth":
+				writeFixtureBytes(t, w, r, "SAMLResponse.html", FixtureData{})
+			default:
+				http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			}
+		}))
+		defer ts.Close()
+
+		ac, loginDetails := setupTestClient(t, ts)
+
+		orig := os.Stderr
+		r, w, _ := os.Pipe()
+		os.Stderr = w
+
+		got, err := ac.Authenticate(loginDetails)
+
+		os.Stderr = orig
+		w.Close()
+		out, _ := io.ReadAll(r)
+
+		require.Contains(t, string(out), "Phone approval required. Entropy is: "+entropy)
+		require.Nil(t, err)
+		require.NotEmpty(t, got)
+	})
 	t.Run("ADFS login with KMSI and MFA", func(t *testing.T) {
 		ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			switch r.URL.Path {
@@ -492,6 +560,12 @@ func responseFixtures(host string, variableFixture FixtureData) *FixtureData {
 	} else {
 		fixtureData.UrlSamlRequest = ""
 	}
+	if variableFixture.AuthMethodId != "" {
+		fixtureData.AuthMethodId = variableFixture.AuthMethodId
+	}
+	if variableFixture.Entropy != "" {
+		fixtureData.Entropy = variableFixture.Entropy
+	}
 	return fixtureData
 }
 

pkg/provider/aad/testdata/BeginAuth.json

@@ -1 +1 @@
-{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"OneWaySMS","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":0}
+{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"{{.AuthMethodId}}","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":{{.Entropy}}}

pkg/provider/aad/testdata/EndAuth.json

@@ -1 +1 @@
-{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"OneWaySMS","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":0}
+{"Success":true,"ResultValue":"Success","Message":null,"AuthMethodId":"{{.AuthMethodId}}","ErrCode":0,"Retry":false,"FlowToken":"{{.SFT}}","Ctx":"{{.Ctx}}","SessionId":"{{.SessionId}}","CorrelationId":"{{.ClientRequestId}}","Timestamp":"2020-01-01T00:00:00Z","Entropy":{{.Entropy}}}