diff --git a/examplebroker/broker.go b/examplebroker/broker.go
index 695a30663..e80ba0065 100644
--- a/examplebroker/broker.go
+++ b/examplebroker/broker.go
@@ -655,10 +655,10 @@ func (b *Broker) sleepDuration(in time.Duration) time.Duration {
 }
 
 func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionInfo, authData map[string]string) (access, data string) {
- // Decrypt challenge if present.
- challenge, err := decodeRawChallenge(b.privateKey, authData["challenge"])
+ // Decrypt secret if present.
+ secret, err := decodeRawSecret(b.privateKey, authData["challenge"])
 if err != nil {
- return auth.Retry, fmt.Sprintf(`{"message": "could not decode challenge: %v"}`, err)
+ return auth.Retry, fmt.Sprintf(`{"message": "could not decode secret: %v"}`, err)
 }
 
 exampleUsersMu.Lock()
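Review bot: The renamed variable `secret` on the `decodeRawSecret(b.privateKey, authData["challenge"])` line is still read from the auth-data key `"challenge"`, and nothing in this hunk explains the mismatch. The PAM side of the same change carries a TODO(UDENG-5844) saying the wire field is renamed only once all broker installations support `"secret"`; the same reason applies here, so a one-line comment would stop a later reader from "fixing" the key: `// The auth data field is still named "challenge" on the wire; see TODO(UDENG-5844).` handleIsAuthenticated's body continues past the end of the hunk.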
@@ -670,24 +670,24 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI sleepDuration := b.sleepDuration(4 * time.Second) - // Note that the layouts.Wait authentication can be cancelled and switch to another mode with a challenge. + // Note that the layouts.Wait authentication can be cancelled and switch to another mode with a secret. // Take into account the cancellation. switch sessionInfo.currentAuthMode { case passwordMode.id: - expectedChallenge := user.Password + expectedSecret := user.Password - if challenge != expectedChallenge { - return auth.Retry, fmt.Sprintf(`{"message": "invalid password '%s', should be '%s'"}`, challenge, expectedChallenge) + if secret != expectedSecret { + return auth.Retry, fmt.Sprintf(`{"message": "invalid password '%s', should be '%s'"}`, secret, expectedSecret) } case pinCodeMode.id: - if challenge != "4242" { + if secret != "4242" { return auth.Retry, `{"message": "invalid pincode, should be 4242"}` } case totpWithButtonMode.id, totpMode.id: wantedCode := sessionInfo.allModes[sessionInfo.currentAuthMode].wantedCode - if challenge != wantedCode { + if secret != wantedCode { return auth.Retry, `{"message": "invalid totp code"}` } 
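Review bot: The `fmt.Sprintf` retry message in the `passwordMode.id` branch returns both the submitted `secret` and the `expectedSecret` to the client, and the mandatoryResetMode branch further down rewrites the same template with the expected value. For the example broker that is presumably a deliberate test aid, but the rewritten lines do not say so, and this file is the template people copy when writing a broker. A comment on the `expectedSecret := user.Password` line such as `// Example broker only: echoing the expected password back to the client is a test aid and must not be reproduced in a real broker.` would make the intent explicit. The switch continues beyond the hunk.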
@@ -745,27 +745,27 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI } fallthrough case mandatoryResetMode: - expectedChallenge := "authd2404" + expectedSecret := "authd2404" // Reset the password to default if it had already been changed. // As at PAM level we'd refuse a previous password to be re-used. - if user.Password == expectedChallenge { - expectedChallenge = "goodpass" + if user.Password == expectedSecret { + expectedSecret = "goodpass" } - if challenge != expectedChallenge { - return auth.Retry, fmt.Sprintf(`{"message": "new password does not match criteria: must be '%s'"}`, expectedChallenge) + if secret != expectedSecret { + return auth.Retry, fmt.Sprintf(`{"message": "new password does not match criteria: must be '%s'"}`, expectedSecret) } exampleUsersMu.Lock() - exampleUsers[sessionInfo.username] = userInfoBroker{Password: challenge} + exampleUsers[sessionInfo.username] = userInfoBroker{Password: secret} exampleUsersMu.Unlock() // this case name was dynamically generated case emailMode(sessionInfo.username).id: - // do we have a challenge sent or should we just wait? - if challenge != "" { - // validate challenge given manually by the user - if challenge != "aaaaa" { - return auth.Denied, `{"message": "invalid challenge, should be aaaaa"}` + // do we have a secret sent or should we just wait? + if secret != "" { + // validate secret given manually by the user + if secret != "aaaaa" { + return auth.Denied, `{"message": "invalid secret, should be aaaaa"}` } } else if authData[layouts.Wait] == layouts.True { // we are simulating clicking on the url signal received by the broker 
@@ -783,13 +783,13 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI return auth.Granted, fmt.Sprintf(`{"userinfo": %s}`, userInfoFromName(sessionInfo.username)) } -// decodeRawChallenge extract the base64 challenge and try to decrypt it with the private key. -func decodeRawChallenge(priv *rsa.PrivateKey, rawChallenge string) (string, error) { - if rawChallenge == "" { +// decodeRawSecret extract the base64 secret and try to decrypt it with the private key. +func decodeRawSecret(priv *rsa.PrivateKey, rawSecret string) (string, error) { + if rawSecret == "" { return "", nil } - ciphertext, err := base64.StdEncoding.DecodeString(rawChallenge) + ciphertext, err := base64.StdEncoding.DecodeString(rawSecret) if err != nil { return "", err } diff --git a/pam/internal/adapter/authentication.go b/pam/internal/adapter/authentication.go index bf855d9f3..c327ee908 100644 --- a/pam/internal/adapter/authentication.go +++ b/pam/internal/adapter/authentication.go @@ -34,10 +34,10 @@ var ( errorStyle = lipgloss.NewStyle().Foreground(lipgloss.Color("#ff0000")) ) -// sendIsAuthenticated sends the authentication challenges or wait request to the brokers. +// sendIsAuthenticated sends the authentication secrets or wait request to the brokers. // The event will contain the returned value from the broker. func sendIsAuthenticated(ctx context.Context, client authd.PAMClient, sessionID string, - authData *authd.IARequest_AuthenticationData, challenge *string) tea.Cmd { + authData *authd.IARequest_AuthenticationData, secret *string) tea.Cmd { return func() (msg tea.Msg) { log.Debugf(context.TODO(), "Authentication request for session %q: %#v", sessionID, authData.Item) @@ -61,8 +61,8 @@ func sendIsAuthenticated(ctx context.Context, client authd.PAMClient, sessionID <-time.After(cancellationWait * 3) return isAuthenticatedResultReceived{ - access: auth.Cancelled, - challenge: challenge, + access: auth.Cancelled, + secret: secret, } } return pamError{ 
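Review bot: The doc comment `// decodeRawSecret extract the base64 secret and try to decrypt it with the private key.` keeps the old grammar and leaves out the contract handleIsAuthenticated relies on: an empty `rawSecret` returns `"", nil`, and the emailMode branch then treats an empty secret as "nothing submitted" by testing `secret != ""`. Suggest `// decodeRawSecret base64-decodes rawSecret and decrypts it with priv. An empty rawSecret yields "" with no error, meaning no secret was submitted.` Only the decode step is visible; the function body continues past the hunk.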
@@ -72,15 +72,15 @@ func sendIsAuthenticated(ctx context.Context, client authd.PAMClient, sessionID } return isAuthenticatedResultReceived{ - access: res.Access, - msg: res.Msg, - challenge: challenge, + access: res.Access, + msg: res.Msg, + secret: secret, } } } // isAuthenticatedRequested is the internal events signalling that authentication -// with the given challenge or wait has been requested. +// with the given password or wait has been requested. type isAuthenticatedRequested struct { item authd.IARequestAuthenticationDataItem } @@ -95,9 +95,9 @@ type isAuthenticatedRequestedSend struct { // isAuthenticatedResultReceived is the internal event with the authentication access result // and data that was retrieved. type isAuthenticatedResultReceived struct { - access string - challenge *string - msg string + access string + secret *string + msg string } // isAuthenticatedCancelled is the event to cancel the auth request. @@ -127,7 +127,7 @@ type authenticationModel struct { currentModel authenticationComponent currentSessionID string currentBrokerID string - currentChallenge string + currentSecret string currentLayout string authTracker *authTracker @@ -153,15 +153,15 @@ type errMsgToDisplay struct { // newPasswordCheck is sent to request a new password quality check. type newPasswordCheck struct { - ctx context.Context - challenge string + ctx context.Context + password string } // newPasswordCheckResult returns the password quality check result. type newPasswordCheckResult struct { - ctx context.Context - challenge string - msg string + ctx context.Context + password string + msg string } // newAuthenticationModel initializes a authenticationModel which needs to be Compose then. 
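Review bot: The new `currentSecret string` field in `authenticationModel` is undocumented, and the same value is called `password` in `newPasswordCheck` and `newPasswordCheckResult` a few lines below, so a reader of this hunk cannot tell what it holds. From the isAuthenticatedResultReceived handling later in this file it appears to be the last secret the broker accepted (stored on `auth.Granted`/`auth.Next`) and is then passed as the previous password to the quality check; a field comment would settle that: `// currentSecret is the last secret the broker accepted; it is reused as the previous password when checking a new password's quality.` Since it keeps a plaintext secret for the model's lifetime, that comment is also the place to say whether and when it is cleared, which this chunk does not show.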
@@ -194,10 +194,10 @@ func (m *authenticationModel) Update(msg tea.Msg) (authModel authenticationModel return *m, tea.Sequence(m.cancelIsAuthenticated(), sendEvent(AuthModeSelected{})) case newPasswordCheck: - currentChallenge := m.currentChallenge + currentSecret := m.currentSecret return *m, func() tea.Msg { - res := newPasswordCheckResult{ctx: msg.ctx, challenge: msg.challenge} - if err := checkChallengeQuality(currentChallenge, msg.challenge); err != nil { + res := newPasswordCheckResult{ctx: msg.ctx, password: msg.password} + if err := checkPasswordQuality(currentSecret, msg.password); err != nil { res.msg = err.Error() } return res @@ -213,7 +213,8 @@ func (m *authenticationModel) Update(msg tea.Msg) (authModel authenticationModel return *m, sendEvent(isAuthenticatedRequestedSend{ ctx: msg.ctx, isAuthenticatedRequested: isAuthenticatedRequested{ - item: &authd.IARequest_AuthenticationData_Challenge{Challenge: msg.challenge}, + // TODO(UDENG-5844): Rename this to "secret" once all broker installations support the auth data field "secret". + item: &authd.IARequest_AuthenticationData_Challenge{Challenge: msg.password}, }, }) } @@ -256,9 +257,9 @@ func (m *authenticationModel) Update(msg tea.Msg) (authModel authenticationModel return *m, func() tea.Msg { authTracker.waitAndStart(cancelFunc) - challenge, hasChallenge := msg.item.(*authd.IARequest_AuthenticationData_Challenge) - if hasChallenge && clientType == Gdm && currentLayout == layouts.NewPassword { - return newPasswordCheck{ctx: ctx, challenge: challenge.Challenge} + secret, hasSecret := msg.item.(*authd.IARequest_AuthenticationData_Challenge) + if hasSecret && clientType == Gdm && currentLayout == layouts.NewPassword { + return newPasswordCheck{ctx: ctx, password: secret.Challenge} } return isAuthenticatedRequestedSend{msg, ctx} 
@@ -266,13 +267,13 @@ func (m *authenticationModel) Update(msg tea.Msg) (authModel authenticationModel case isAuthenticatedRequestedSend: log.Debugf(context.TODO(), "%#v", msg) - // no challenge value, pass it as is - plainTextChallenge, err := msg.encryptChallengeIfPresent(m.encryptionKey) + // no password value, pass it as is + plainTextSecret, err := msg.encryptSecretIfPresent(m.encryptionKey) if err != nil { - return *m, sendEvent(pamError{status: pam.ErrSystem, msg: fmt.Sprintf("could not encrypt challenge payload: %v", err)}) + return *m, sendEvent(pamError{status: pam.ErrSystem, msg: fmt.Sprintf("could not encrypt password payload: %v", err)}) } - return *m, sendIsAuthenticated(msg.ctx, m.client, m.currentSessionID, &authd.IARequest_AuthenticationData{Item: msg.item}, plainTextChallenge) + return *m, sendIsAuthenticated(msg.ctx, m.client, m.currentSessionID, &authd.IARequest_AuthenticationData{Item: msg.item}, plainTextSecret) case isAuthenticatedCancelled: log.Debugf(context.TODO(), "%#v", msg) @@ -281,13 +282,13 @@ func (m *authenticationModel) Update(msg tea.Msg) (authModel authenticationModel case isAuthenticatedResultReceived: log.Debugf(context.TODO(), "%#v", msg) - // Resets challenge if the authentication wasn't successful. + // Resets password if the authentication wasn't successful. defer func() { // the returned authModel is a copy of function-level's `m` at this point! m := &authModel - if msg.challenge != nil && + if msg.secret != nil && (msg.access == auth.Granted || msg.access == auth.Next) { - m.currentChallenge = *msg.challenge + m.currentSecret = *msg.secret } if msg.access != auth.Next && msg.access != auth.Retry { 
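Review bot: The comment `// no password value, pass it as is` now sits above `plainTextSecret, err := msg.encryptSecretIfPresent(m.encryptionKey)`, i.e. above the call that performs the encryption, so it describes the helper's early-return case rather than this line, and the same sentence is repeated inside the helper where it actually applies. Replace it here with what the call means for this caller: `// Encrypt the secret for the broker; the returned plaintext is kept so it can be stored as currentSecret on Granted/Next.` That storing is the deferred assignment `m.currentSecret = *msg.secret` in the isAuthenticatedResultReceived case, the last hunk on this line; the Update method extends beyond these hunks.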
@@ -481,22 +482,22 @@ func dataToMsg(data string) (string, error) { return r, nil } -func (authData *isAuthenticatedRequestedSend) encryptChallengeIfPresent(publicKey *rsa.PublicKey) (*string, error) { - // no challenge value, pass it as is - challenge, ok := authData.item.(*authd.IARequest_AuthenticationData_Challenge) +func (authData *isAuthenticatedRequestedSend) encryptSecretIfPresent(publicKey *rsa.PublicKey) (*string, error) { + // no password value, pass it as is + secret, ok := authData.item.(*authd.IARequest_AuthenticationData_Challenge) if !ok { return nil, nil } - ciphertext, err := rsa.EncryptOAEP(sha512.New(), rand.Reader, publicKey, []byte(challenge.Challenge), nil) + ciphertext, err := rsa.EncryptOAEP(sha512.New(), rand.Reader, publicKey, []byte(secret.Challenge), nil) if err != nil { return nil, err } - // encrypt it to base64 and replace the challenge with it + // encrypt it to base64 and replace the password with it base64Encoded := base64.StdEncoding.EncodeToString(ciphertext) authData.item = &authd.IARequest_AuthenticationData_Challenge{Challenge: base64Encoded} - return &challenge.Challenge, nil + return &secret.Challenge, nil } // wait waits for the current authentication to be completed. diff --git a/pam/internal/adapter/brokerselection.go b/pam/internal/adapter/brokerselection.go index b87002c78..67a53cdfa 100644 --- a/pam/internal/adapter/brokerselection.go +++ b/pam/internal/adapter/brokerselection.go @@ -15,7 +15,7 @@ import ( "github.com/ubuntu/authd/pam/internal/proto" ) -// brokerSelectionModel is the model list selection layout to allow authenticating and return a challenge. +// brokerSelectionModel is the model list selection layout to allow authenticating and return a password. type brokerSelectionModel struct { list.Model focused bool diff --git a/pam/internal/adapter/formmodel.go b/pam/internal/adapter/formmodel.go index bef7581ee..60c2b3b41 100644 --- a/pam/internal/adapter/formmodel.go +++ b/pam/internal/adapter/formmodel.go 
@@ -13,7 +13,7 @@ import ( "github.com/ubuntu/authd/log" ) -// formModel is the form layout type to allow authentication and return a challenge. +// formModel is the form layout type to allow authentication and return a password. type formModel struct { label string diff --git a/pam/internal/adapter/gdmmodel.go b/pam/internal/adapter/gdmmodel.go index 2e62f3660..bd7869d11 100644 --- a/pam/internal/adapter/gdmmodel.go +++ b/pam/internal/adapter/gdmmodel.go @@ -157,7 +157,7 @@ func (m *gdmModel) pollGdm() tea.Cmd { log.Infof(context.TODO(), "GDM Stage changed to %s", res.StageChanged.Stage) if m.waitingAuth && res.StageChanged.Stage != proto.Stage_challenge { - // Maybe this can be sent only if we ever hit the challenge phase. + // Maybe this can be sent only if we ever hit the password phase. commands = append(commands, sendEvent(isAuthenticatedCancelled{})) } commands = append(commands, sendEvent(ChangeStage{res.StageChanged.Stage})) diff --git a/pam/internal/adapter/gdmmodel_test.go b/pam/internal/adapter/gdmmodel_test.go index 9f1647095..7f990609c 100644 --- a/pam/internal/adapter/gdmmodel_test.go +++ b/pam/internal/adapter/gdmmodel_test.go @@ -174,7 +174,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -209,7 +209,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, 
@@ -229,7 +229,7 @@ func TestGdmModel(t *testing.T) { "Authenticated with preset PAM user and server-side broker and authMode selection": { clientOptions: append(slices.Clone(singleBrokerClientOptions), pam_test.WithGetPreviousBrokerReturn(firstBrokerInfo.Id, nil), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password")), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password")), pamUser: "pam-preset-user-and-daemon-selected-broker", messages: []tea.Msg{ gdmTestWaitForStage{ @@ -246,7 +246,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -285,7 +285,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -330,7 +330,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -374,7 +374,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, 
@@ -426,7 +426,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -516,11 +516,11 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -550,7 +550,7 @@ func TestGdmModel(t *testing.T) { }, "Authentication is ignored if not requested by model first": { clientOptions: append(slices.Clone(singleBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password")), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password")), gdmEvents: []*gdm.EventData{ gdm_test.IsAuthenticatedEvent(&authd.IARequest_AuthenticationData_Challenge{ Challenge: "gdm-good-password", @@ -594,7 +594,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, 
@@ -627,7 +627,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -645,7 +645,7 @@ func TestGdmModel(t *testing.T) { "Authenticated with preset PAM user and server-side broker and authMode selection and after various retries": { clientOptions: append(slices.Clone(singleBrokerClientOptions), pam_test.WithGetPreviousBrokerReturn(firstBrokerInfo.Id, nil), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), pam_test.WithIsAuthenticatedMaxRetries(1), ), pamUser: "pam-preset-user-and-daemon-selected-broker", @@ -667,7 +667,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -693,7 +693,7 @@ func TestGdmModel(t *testing.T) { }, "Authenticated after client-side user and broker and authMode selection": { clientOptions: append(slices.Clone(multiBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), ), gdmEvents: []*gdm.EventData{ gdm_test.SelectUserEvent("gdm-selected-user-broker-and-auth-mode"), 
@@ -717,7 +717,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -734,7 +734,7 @@ func TestGdmModel(t *testing.T) { }, "Authenticated after client-side user and broker and authMode selection and after various retries": { clientOptions: append(slices.Clone(singleBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), pam_test.WithIsAuthenticatedMaxRetries(1), ), gdmEvents: []*gdm.EventData{ @@ -765,7 +765,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -815,7 +815,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -854,7 +854,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection }, wantMessages: []tea.Msg{ 
@@ -896,7 +896,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection }, wantGdmEvents: []gdm.EventType{ @@ -940,7 +940,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection }, wantMessages: []tea.Msg{ @@ -962,7 +962,7 @@ func TestGdmModel(t *testing.T) { }, "Authenticated after auth selection stage from client after client-side broker and auth mode selection if there is only one auth mode": { clientOptions: append(slices.Clone(singleBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), ), gdmEvents: []*gdm.EventData{ gdm_test.SelectUserEvent("gdm-selected-user-broker-and-auth-mode"), @@ -1000,9 +1000,9 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantMessages: []tea.Msg{ startAuthentication{}, 
@@ -1030,7 +1030,7 @@ func TestGdmModel(t *testing.T) { "Authenticated after auth selection stage from client after client-side broker and auth mode selection with multiple auth modes": { clientOptions: append(slices.Clone(singleBrokerClientOptions), pam_test.WithUILayout("pincode", "Write the pin Code", pam_test.FormUILayout()), - pam_test.WithIsAuthenticatedWantChallenge("1234"), + pam_test.WithIsAuthenticatedWantSecret("1234"), ), gdmEvents: []*gdm.EventData{ gdm_test.SelectUserEvent("gdm-selected-user-broker-and-auth-mode"), @@ -1068,9 +1068,9 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantMessages: []tea.Msg{ startAuthentication{}, @@ -1141,9 +1141,9 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantMessages: []tea.Msg{ startAuthentication{}, 
@@ -1222,9 +1222,9 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantMessages: []tea.Msg{ startAuthentication{}, @@ -1307,9 +1307,9 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantMessages: []tea.Msg{ startAuthentication{}, @@ -1370,7 +1370,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection gdm.RequestType_changeStage, // -> broker Selection }, @@ -1433,7 +1433,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password gdm.RequestType_changeStage, // -> authMode Selection gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> user Selection 
@@ -1765,7 +1765,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -1802,7 +1802,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -1837,7 +1837,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -1855,7 +1855,7 @@ func TestGdmModel(t *testing.T) { }, "Error on authentication client denied because of wrong password - with error message": { clientOptions: append(slices.Clone(singleBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), pam_test.WithIsAuthenticatedMessage("you're not allowed!"), ), pamUser: "pam-preset-user-for-client-selected-brokers-with-wrong-pass", @@ -1880,7 +1880,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, 
@@ -1903,7 +1903,7 @@ func TestGdmModel(t *testing.T) { }, "Error on authentication client denied because of wrong password": { clientOptions: append(slices.Clone(singleBrokerClientOptions), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), ), pamUser: "pam-preset-user-and-client-selected-broker-with-wrong-pass", messages: []tea.Msg{ @@ -1927,7 +1927,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -1948,7 +1948,7 @@ func TestGdmModel(t *testing.T) { "Error on authentication client denied because of wrong password after retry": { clientOptions: append(slices.Clone(singleBrokerClientOptions), pam_test.WithGetPreviousBrokerReturn(firstBrokerInfo.Id, nil), - pam_test.WithIsAuthenticatedWantChallenge("gdm-good-password"), + pam_test.WithIsAuthenticatedWantSecret("gdm-good-password"), pam_test.WithIsAuthenticatedMaxRetries(1), ), pamUser: "pam-preset-user-and-daemon-selected-broker-with-wrong-pass", @@ -1970,7 +1970,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, @@ -2013,7 +2013,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, 
@@ -2058,7 +2058,7 @@ func TestGdmModel(t *testing.T) { gdm.RequestType_uiLayoutCapabilities, gdm.RequestType_changeStage, // -> broker Selection gdm.RequestType_changeStage, // -> authMode Selection - gdm.RequestType_changeStage, // -> challenge + gdm.RequestType_changeStage, // -> password }, wantGdmEvents: []gdm.EventType{ gdm.EventType_userSelected, diff --git a/pam/internal/adapter/nativemodel.go b/pam/internal/adapter/nativemodel.go index 50cf58a39..ba23335d1 100644 --- a/pam/internal/adapter/nativemodel.go +++ b/pam/internal/adapter/nativemodel.go @@ -69,7 +69,7 @@ type nativeBrokerSelection struct{} // nativeAuthSelection is used to require the user input for auth selection. type nativeAuthSelection struct{} -// nativeChallengeRequested is used to require the user input for challenge. +// nativeChallengeRequested is used to require the user input for password. type nativeChallengeRequested struct{} // nativeAsyncOperationCompleted is a message to tell we're done with an async operation. @@ -286,7 +286,7 @@ func (m nativeModel) Update(msg tea.Msg) (nativeModel, tea.Cmd) { } return m, m.newPasswordChallenge(nil) } - return m, m.newPasswordChallenge(&msg.challenge) + return m, m.newPasswordChallenge(&msg.password) case isAuthenticatedResultReceived: access := msg.access @@ -629,7 +629,7 @@ func (m nativeModel) handleFormChallenge(hasWait bool) tea.Cmd { return cmd } - challenge, err := m.promptForChallenge(prompt) + secret, err := m.promptForSecret(prompt) if errors.Is(err, errGoBack) { return sendEvent(nativeGoBack{}) } 
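Review bot: The rename is only partial in the nativemodel.go hunks on this line and the next: the comment on `nativeChallengeRequested` now says "password" while the type keeps its name, `handleFormChallenge` calls the renamed `promptForSecret`, and `newPasswordChallenge` takes `previousPassword` and reads `password, err := m.promptForSecret(prompt)`, so three words name one value across adjacent functions. Either finish the rename in the same change or state the split once, e.g. `// nativeChallengeRequested is used to require the user input for the secret of the selected auth mode.` `promptForSecret` also gained no doc comment with its new name; only its `entries.Chars` case is visible, and the bodies of handleFormChallenge and newPasswordChallenge extend beyond the hunks.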
@@ -644,11 +644,11 @@ func (m nativeModel) handleFormChallenge(hasWait bool) tea.Cmd {
 }
 
 return sendEvent(isAuthenticatedRequested{
- item: &authd.IARequest_AuthenticationData_Challenge{Challenge: challenge},
+ item: &authd.IARequest_AuthenticationData_Challenge{Challenge: secret},
 })
 }
 
-func (m nativeModel) promptForChallenge(prompt string) (string, error) {
+func (m nativeModel) promptForSecret(prompt string) (string, error) {
 switch m.uiLayout.GetEntry() {
 case entries.Chars, "":
 return m.promptForInput(pam.PromptEchoOn, inputPromptStyleMultiLine, prompt)
@@ -827,8 +827,8 @@ func (m nativeModel) handleNewPassword() tea.Cmd {
 return m.newPasswordChallenge(nil)
 }
 
-func (m nativeModel) newPasswordChallenge(previousChallenge *string) tea.Cmd {
- if previousChallenge == nil {
+func (m nativeModel) newPasswordChallenge(previousPassword *string) tea.Cmd {
+ if previousPassword == nil {
 instructions := fmt.Sprintf("Enter '%[1]s' to cancel the request and %[2]s", nativeCancelKey, m.goBackActionLabel())
 title := m.selectedAuthModeLabel("Password Update")
@@ -838,11 +838,11 @@ func (m nativeModel) newPasswordChallenge(previousChallenge *string) tea.Cmd {
 }
 
 prompt := m.uiLayout.GetLabel()
- if previousChallenge != nil {
+ if previousPassword != nil {
 prompt = "Confirm Password"
 }
 
- challenge, err := m.promptForChallenge(prompt)
+ password, err := m.promptForSecret(prompt)
 if errors.Is(err, errGoBack) {
 return sendEvent(nativeGoBack{})
 }
@@ -850,10 +850,10 @@ func (m nativeModel) newPasswordChallenge(previousChallenge *string) tea.Cmd {
 return maybeSendPamError(err)
 }
 
- if previousChallenge == nil {
- return sendEvent(newPasswordCheck{challenge: challenge})
+ if previousPassword == nil {
+ return sendEvent(newPasswordCheck{password: password})
 }
- if challenge != *previousChallenge {
+ if password != *previousPassword {
 err := m.sendError("Password entries don't match")
 if err != nil {
 return maybeSendPamError(err)
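Review bot: `promptForSecret` now promises secrecy in its name, but its first case echoes the input: `case entries.Chars, "":` maps to `pam.PromptEchoOn`, so a layout whose entry kind is left unset gets the secret echoed to the terminal. Whether an empty entry kind should default to echoed input is a layout-contract decision that this hunk does not settle (the remaining cases of the switch are outside it), but the function should say what it does: `// promptForSecret prompts for the selected auth mode's secret; echo is driven by the layout's entry kind, and an unset kind is treated as plain (echoed) chars.` If the echo-on default for `""` is not intentional, moving the empty kind to the echo-off branch is the fail-safe choice for a function handed passwords.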
@@ -861,7 +861,7 @@ func (m nativeModel) newPasswordChallenge(previousChallenge *string) tea.Cmd {
 return m.newPasswordChallenge(nil)
 }
 return sendEvent(isAuthenticatedRequested{
- item: &authd.IARequest_AuthenticationData_Challenge{Challenge: challenge},
+ item: &authd.IARequest_AuthenticationData_Challenge{Challenge: password},
 })
 }
 
diff --git a/pam/internal/adapter/newpasswordmodel.go b/pam/internal/adapter/newpasswordmodel.go
index 763542773..30c41b5bc 100644
--- a/pam/internal/adapter/newpasswordmodel.go
+++ b/pam/internal/adapter/newpasswordmodel.go
@@ -13,7 +13,7 @@ import (
 "github.com/ubuntu/authd/log"
 )
 
-// newPasswordModel is the form layout type to allow authentication and return a challenge.
+// newPasswordModel is the form layout type to allow authentication and return a password.
 type newPasswordModel struct {
 errorMsg string
 label string
@@ -123,7 +123,7 @@ func (m newPasswordModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 // First entry is focused
 if m.focusIndex == 0 {
 // Check password quality
- return m, sendEvent(newPasswordCheck{challenge: m.passwordEntries[0].Value()})
+ return m, sendEvent(newPasswordCheck{password: m.passwordEntries[0].Value()})
 }
 
 // Second entry is focused
diff --git a/pam/internal/adapter/pwquality_c.go b/pam/internal/adapter/pwquality_c.go
index 0767f706b..a18905e24 100644
--- a/pam/internal/adapter/pwquality_c.go
+++ b/pam/internal/adapter/pwquality_c.go
@@ -12,12 +12,12 @@ import (
 "unsafe"
 )
 
-var challengeQualityMu sync.Mutex
+var passwordQualityMu sync.Mutex
 
-// checkChallengeQuality checks the quality of the new password using the pwquality library.
-func checkChallengeQuality(oldChallenge, newChallenge string) error {
- challengeQualityMu.Lock()
- defer challengeQualityMu.Unlock()
+// checkPasswordQuality checks the quality of the new password using the pwquality library.
+func checkPasswordQuality(oldPassword, newPassword string) error {
+ passwordQualityMu.Lock()
+ defer passwordQualityMu.Unlock()
 
 pwq := C.pwquality_default_settings()
 if pwq == nil {
@@ -35,10 +35,10 @@ func checkChallengeQuality(oldChallenge, newChallenge string) error {
 return fmt.Errorf("can't ready pwquality configuration: %s", errMsg)
 }
 
- oldC := C.CString(oldChallenge)
+ oldC := C.CString(oldPassword)
 defer C.free(unsafe.Pointer(oldC))
- newC := C.CString(newChallenge)
+ newC := C.CString(newPassword)
 defer C.free(unsafe.Pointer(newC))
 
 if ret := C.pwquality_check(pwq, newC, oldC, nil, &auxErrPointer); ret < 0 {
diff --git a/pam/internal/adapter/qrcodemodel.go b/pam/internal/adapter/qrcodemodel.go
index 6ec93deaf..281cde2ec 100644
--- a/pam/internal/adapter/qrcodemodel.go
+++ b/pam/internal/adapter/qrcodemodel.go
@@ -17,7 +17,7 @@ import (
 var centeredStyle = lipgloss.NewStyle().Align(lipgloss.Center, lipgloss.Top)
 
-// qrcodeModel is the form layout type to allow authenticating and return a challenge.
+// qrcodeModel is the form layout type to allow authenticating and return a password.
 type qrcodeModel struct {
 label string
 buttonModel *authReselectButtonModel
diff --git a/pam/internal/gdm/conversation.go b/pam/internal/gdm/conversation.go
index 1a6fd9dcf..b239aef87 100644
--- a/pam/internal/gdm/conversation.go
+++ b/pam/internal/gdm/conversation.go
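Review bot: `oldC` and `newC` are plaintext copies of both passwords in C heap memory, and the deferred `C.free` releases them without scrubbing, so the bytes stay readable in the process heap until the allocator reuses them. The Go strings they came from cannot be wiped either, so this is a caveat rather than a blocker, but the C copies are the one place this function controls; zeroing before free, e.g. `defer func() { C.memset(unsafe.Pointer(newC), 0, C.size_t(len(newPassword))); C.free(unsafe.Pointer(newC)) }()` and the same for `oldC`, closes it, assuming `<string.h>` is in the cgo preamble, which is not visible in this hunk. Independently, the context line just above still reads `can't ready pwquality configuration`, presumably meant to be "read". The function continues past the end of the hunk.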
@@ -14,7 +14,10 @@ import (
 )
 
 var conversations atomic.Int32
-var challengeRegex = regexp.MustCompile(`"challenge"\s*:\s*"(?:[^"\\]|\\.)*"`)
+var secretRegex = regexp.MustCompile(`"secret"\s*:\s*"(?:[^"\\]|\\.)*"`)
+
+// TODO(UDENG-5844): Remove this once the auth data field has been renamed to "secret".
+var secretRegexOld = regexp.MustCompile(`"challenge"\s*:\s*"(?:[^"\\]|\\.)*"`)
 
 // ConversationInProgress checks if conversations are currently active.
 func ConversationInProgress() bool {
@@ -72,7 +75,8 @@ func SendData(pamMTx pam.ModuleTransaction, d *Data) (*Data, error) {
 }
 
 if log.IsLevelEnabled(log.DebugLevel) && jsonValue != nil && gdmData != nil && gdmData.Type == DataType_pollResponse {
- jsonValue = challengeRegex.ReplaceAll(jsonValue, []byte(`"challenge":"**************"`))
+ jsonValue = secretRegex.ReplaceAll(jsonValue, []byte(`"secret":"**************"`))
+ jsonValue = secretRegexOld.ReplaceAll(jsonValue, []byte(`"secret":"**************"`))
 }
 if jsonValue != nil {
 log.Debugf(context.TODO(), "Got from GDM: %s", jsonValue)
diff --git a/pam/internal/pam_test/pam-client-dummy.go b/pam/internal/pam_test/pam-client-dummy.go
index e2baf5fe6..25d7c7650 100644
--- a/pam/internal/pam_test/pam-client-dummy.go
+++ b/pam/internal/pam_test/pam-client-dummy.go
@@ -39,13 +39,13 @@ type options struct {
 selectAuthenticationModeRet *authd.UILayout
 selectAuthenticationModeErr error
 
- isAuthenticatedRet *authd.IAResponse
- isAuthenticatedErr error
- isAuthenticatedWantChallenge string
- isAuthenticatedWantSkip bool
- isAuthenticatedWantWait time.Duration
- isAuthenticatedMessage string
- isAuthenticatedMaxRetries int
+ isAuthenticatedRet *authd.IAResponse
+ isAuthenticatedErr error
+ isAuthenticatedWantSecret string
+ isAuthenticatedWantSkip bool
+ isAuthenticatedWantWait time.Duration
+ isAuthenticatedMessage string
+ isAuthenticatedMaxRetries int
 
 endSessionErr error
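Review bot: The second `ReplaceAll` in `SendData` rewrites the legacy `"challenge"` key as `"secret"` in the debug log, so during the UDENG-5844 transition the log no longer shows which field name GDM actually sent, which is exactly the detail someone debugging a version mismatch will want. Mask only the value and keep the key: use the replacement text `"challenge":"**************"` on the `secretRegexOld` line. Alternatively one pattern with an alternation, `"(secret|challenge)"\s*:\s*"(?:[^"\\]|\\.)*"`, replaced with `"$1":"**************"`, handles both in a single pass and is still a one-token deletion when the old name is retired. The masking remains gated on `DataType_pollResponse` as before; that is fine if it is the only message type that carries the field, which this hunk does not show.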
@@ -131,10 +131,10 @@ func WithIsAuthenticatedReturn(ret *authd.IAResponse, err error) func(o *options
 }
 }
 
-// WithIsAuthenticatedWantChallenge is the option to define the IsAuthenticated wanted challenge.
-func WithIsAuthenticatedWantChallenge(challenge string) func(o *options) {
+// WithIsAuthenticatedWantSecret is the option to define the IsAuthenticated wanted secret.
+func WithIsAuthenticatedWantSecret(secret string) func(o *options) {
 return func(o *options) {
- o.isAuthenticatedWantChallenge = challenge
+ o.isAuthenticatedWantSecret = secret
 }
 }
@@ -422,8 +422,8 @@ func (dc *DummyClient) IsAuthenticated(ctx context.Context, in *authd.IARequest,
 switch item := in.AuthenticationData.Item.(type) {
 case *authd.IARequest_AuthenticationData_Challenge:
- if dc.isAuthenticatedWantChallenge == "" {
- return nil, errors.New("no wanted challenge provided")
+ if dc.isAuthenticatedWantSecret == "" {
+ return nil, errors.New("no wanted secret provided")
 }
 return dc.handleChallenge(item.Challenge, msg)
 case *authd.IARequest_AuthenticationData_Wait:
@@ -452,11 +452,11 @@ func (dc *DummyClient) IsAuthenticated(ctx context.Context, in *authd.IARequest,
 }
 }
 
-func (dc *DummyClient) handleChallenge(challenge string, msg string) (*authd.IAResponse, error) {
- if challenge == "" {
- return nil, errors.New("no challenge provided")
+func (dc *DummyClient) handleChallenge(secret string, msg string) (*authd.IAResponse, error) {
+ if secret == "" {
+ return nil, errors.New("no secret provided")
 }
- ciphertext, err := base64.StdEncoding.DecodeString(challenge)
+ ciphertext, err := base64.StdEncoding.DecodeString(secret)
 if err != nil {
 return nil, err
 }
@@ -468,7 +468,7 @@ func (dc *DummyClient) IsAuthenticated(ctx context.Context, in *authd.IAR
 return nil, err
 }
 
- if string(plaintext) == dc.isAuthenticatedWantChallenge {
+ if string(plaintext) == dc.isAuthenticatedWantSecret {
 return &authd.IAResponse{
 Access: auth.Granted,
 Msg: msg,
diff --git a/pam/internal/pam_test/pam-client-dummy_test.go b/pam/internal/pam_test/pam-client-dummy_test.go
index d0eb1fed0..495903723 100644
--- a/pam/internal/pam_test/pam-client-dummy_test.go
+++ b/pam/internal/pam_test/pam-client-dummy_test.go
@@ -687,20 +687,20 @@ func TestIsAuthenticated(t *testing.T) {
 Msg: "Try again",
 },
 },
- "Invalid challenge": {
+ "Invalid secret": {
 client: NewDummyClient(privateKey,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
 AuthenticationData: &authd.IARequest_AuthenticationData{
 Item: &authd.IARequest_AuthenticationData_Challenge{
- Challenge: encryptAndEncodeChallenge(t, &privateKey.PublicKey, "invalid-password"),
+ Challenge: encryptAndEncodeSecret(t, &privateKey.PublicKey, "invalid-password"),
 },
 },
 },
@@ -708,21 +708,21 @@ func TestIsAuthenticated(t *testing.T) {
 Access: auth.Denied,
 },
 },
- "Invalid challenge with message": {
+ "Invalid secret with message": {
 client: NewDummyClient(privateKey,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 WithIsAuthenticatedMessage("You're out!"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
 AuthenticationData: &authd.IARequest_AuthenticationData{
 Item: &authd.IARequest_AuthenticationData_Challenge{
- Challenge: encryptAndEncodeChallenge(t, &privateKey.PublicKey, "invalid-password"),
+ Challenge: encryptAndEncodeSecret(t, &privateKey.PublicKey, "invalid-password"),
 },
 },
 },
@@ -738,7 +738,7 @@ func TestIsAuthenticated(t *testing.T) {
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 WithIsAuthenticatedMaxRetries(1),
 WithIsAuthenticatedMessage("try again!"),
 ),
@@ -746,7 +746,7 @@ func TestIsAuthenticated(t *testing.T) {
 SessionId: "started-session-id",
 AuthenticationData: &authd.IARequest_AuthenticationData{
 Item: &authd.IARequest_AuthenticationData_Challenge{
- Challenge: encryptAndEncodeChallenge(t, &privateKey.PublicKey, "invalid-password"),
+ Challenge: encryptAndEncodeSecret(t, &privateKey.PublicKey, "invalid-password"),
 },
 },
 },
@@ -755,20 +755,20 @@ func TestIsAuthenticated(t *testing.T) {
 Msg: `{"message": "try again!"}`,
 },
 },
- "Valid challenge": {
+ "Valid secret": {
 client: NewDummyClient(privateKey,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
 AuthenticationData: &authd.IARequest_AuthenticationData{
 Item: &authd.IARequest_AuthenticationData_Challenge{
- Challenge: encryptAndEncodeChallenge(t, &privateKey.PublicKey, "super-secret-password"),
+ Challenge: encryptAndEncodeSecret(t, &privateKey.PublicKey, "super-secret-password"),
 },
 },
 },
@@ -776,21 +776,21 @@ func TestIsAuthenticated(t *testing.T) {
 Access: auth.Granted,
 },
 },
- "Valid challenge with message": {
+ "Valid secret with message": {
 client: NewDummyClient(privateKey,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 WithIsAuthenticatedMessage("try again!"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
 AuthenticationData: &authd.IARequest_AuthenticationData{
 Item: &authd.IARequest_AuthenticationData_Challenge{
- Challenge: encryptAndEncodeChallenge(t, &privateKey.PublicKey, "super-secret-password"),
+ Challenge: encryptAndEncodeSecret(t, &privateKey.PublicKey, "super-secret-password"),
 },
 },
 },
@@ -875,7 +875,7 @@ func TestIsAuthenticated(t *testing.T) {
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("super-secret-password"),
+ WithIsAuthenticatedWantSecret("super-secret-password"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
@@ -883,7 +883,7 @@ func TestIsAuthenticated(t *testing.T) {
 },
 wantError: errors.New("no authentication data provided"),
 },
- "Error missing wanted challenge": {
+ "Error missing wanted secret": {
 client: NewDummyClient(nil,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
@@ -897,7 +897,7 @@ func TestIsAuthenticated(t *testing.T) {
 Item: &authd.IARequest_AuthenticationData_Challenge{},
 },
 },
- wantError: errors.New("no wanted challenge provided"),
+ wantError: errors.New("no wanted secret provided"),
 },
 "Error missing wanted wait": {
 client: NewDummyClient(nil,
@@ -931,14 +931,14 @@ func TestIsAuthenticated(t *testing.T) {
 },
 wantError: errors.New("no wanted skip requested"),
 },
- "Error empty challenge": {
+ "Error empty secret": {
 client: NewDummyClient(nil,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("challenge"),
+ WithIsAuthenticatedWantSecret("secret"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
@@ -946,16 +946,16 @@ func TestIsAuthenticated(t *testing.T) {
 Item: &authd.IARequest_AuthenticationData_Challenge{},
 },
 },
- wantError: errors.New("no challenge provided"),
+ wantError: errors.New("no secret provided"),
 },
- "Error decoding challenge": {
+ "Error decoding secret": {
 client: NewDummyClient(nil,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("challenge"),
+ WithIsAuthenticatedWantSecret("secret"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
@@ -967,14 +967,14 @@ func TestIsAuthenticated(t *testing.T) {
 },
 wantError: base64.CorruptInputError(7),
 },
- "Error decrypting challenge per missing private key": {
+ "Error decrypting secret per missing private key": {
 client: NewDummyClient(nil,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("challenge"),
+ WithIsAuthenticatedWantSecret("secret"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
@@ -986,14 +986,14 @@ func TestIsAuthenticated(t *testing.T) {
 },
 wantError: errors.New("no private key defined"),
 },
- "Error decrypting invalid challenge": {
+ "Error decrypting invalid secret": {
 client: NewDummyClient(privateKey,
 WithAvailableBrokers([]*authd.ABResponse_BrokerInfo{{
 Id: "test-broker",
 Name: "A test broker",
 }}, nil),
 WithSelectBrokerReturn(&authd.SBResponse{SessionId: "started-session-id"}, nil),
- WithIsAuthenticatedWantChallenge("challenge"),
+ WithIsAuthenticatedWantSecret("secret"),
 ),
 args: &authd.IARequest{
 SessionId: "started-session-id",
@@ -1022,13 +1022,13 @@ func TestIsAuthenticated(t *testing.T) {
 }
 }
 
-func encryptAndEncodeChallenge(t *testing.T, pubKey *rsa.PublicKey, challenge string) string {
+func encryptAndEncodeSecret(t *testing.T, pubKey *rsa.PublicKey, secret string) string {
 t.Helper()
 
- ciphertext, err := rsa.EncryptOAEP(sha512.New(), rand.Reader, pubKey, []byte(challenge), nil)
+ ciphertext, err := rsa.EncryptOAEP(sha512.New(), rand.Reader, pubKey, []byte(secret), nil)
 require.NoError(t, err)
 
- // encrypt it to base64 and replace the challenge with it
+ // encrypt it to base64 and replace the secret with it
 base64Encoded := base64.StdEncoding.EncodeToString(ciphertext)
 return base64Encoded
 }
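Review bot: The reworded comment in `encryptAndEncodeSecret` still says "encrypt it to base64 and replace the secret with it", but base64 is an encoding step, not encryption, and the helper returns the encoded ciphertext rather than replacing anything; since the commit touches this line anyway, make it describe the two lines below it: `// base64-encode the OAEP ciphertext so it can be carried in the string Challenge field.` The OAEP hash chosen here (`sha512.New()`) has to match the one the dummy client decrypts with; that side is outside this hunk, so worth a glance if the tests are ever seen to fail only on the valid-secret cases.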