invert yubikey logic

Author: akerl

cmd/profiles_rotate.go

@@ -11,7 +11,6 @@ import (
 func init() {
 	profilesCmd.AddCommand(profilesRotateCmd)
 	profilesRotateCmd.Flags().BoolP("yubikey", "y", false, "Store MFA on yubikey")
-	profilesRotateCmd.Flags().String("serial", "", "Yubikey serial to use")
 }
 
 var profilesRotateCmd = &cobra.Command{
@@ -31,15 +30,10 @@ func profilesRotateRunner(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	serial, err := cmd.Flags().GetString("serial")
-	if err != nil {
-		return err
-	}
-
 	var mfaPrompt creds.MfaPrompt
 	if useYubikey {
 		mfaPrompt = &creds.MultiMfaPrompt{Backends: []creds.MfaPrompt{
-			yubikey.NewPromptWithSerial(serial),
+			yubikey.NewPrompt(),
 			&creds.DefaultMfaPrompt{},
 		}}
 	} else {

cmd/travel.go

@@ -24,7 +24,6 @@ func init() {
 	travelCmd.Flags().String("profile", "", "Choose source profile to use")
 	travelCmd.Flags().StringP("prompt", "p", "", "Choose prompt to use")
 	travelCmd.Flags().BoolP("yubikey", "y", false, "Use Yubikey for MFA")
-	travelCmd.Flags().String("serial", "", "Yubikey serial to use")
 	travelCmd.Flags().String("service", "", "Service path for console URL")
 }
 
@@ -57,11 +56,6 @@ func travelRunner(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	serial, err := cmd.Flags().GetString("serial")
-	if err != nil {
-		return err
-	}
-
 	servicePath, err := flags.GetString("service")
 	if err != nil {
 		return err
@@ -85,7 +79,7 @@ func travelRunner(cmd *cobra.Command, args []string) error {
 	opts := travel.DefaultTraverseOptions()
 	if useYubikey {
 		opts.MfaPrompt = &creds.MultiMfaPrompt{Backends: []creds.MfaPrompt{
-			yubikey.NewPromptWithSerial(serial),
+			yubikey.NewPrompt(),
 			&creds.DefaultMfaPrompt{},
 		}}
 	}

cmd/xargs.go

@@ -26,7 +26,6 @@ func init() {
 	xargsCmd.Flags().String("profile", "", "Choose source profile to use")
 	xargsCmd.Flags().StringP("prompt", "p", "", "Choose prompt to use")
 	xargsCmd.Flags().BoolP("yubikey", "y", false, "Use Yubikey for MFA")
-	xargsCmd.Flags().String("serial", "", "Yubikey serial to use")
 	xargsCmd.Flags().StringP("command", "c", "", "Command to execute")
 	xargsCmd.Flags().Bool("skipconfirm", false, "Skip confirmation prompt")
 }
@@ -60,11 +59,6 @@ func xargsRunner(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	serial, err := cmd.Flags().GetString("serial")
-	if err != nil {
-		return err
-	}
-
 	commandStr, err := flags.GetString("command")
 	if err != nil {
 		return err
@@ -91,7 +85,7 @@ func xargsRunner(cmd *cobra.Command, args []string) error {
 	opts := travel.DefaultTraverseOptions()
 	if useYubikey {
 		opts.MfaPrompt = &creds.MultiMfaPrompt{Backends: []creds.MfaPrompt{
-			yubikey.NewPromptWithSerial(serial),
+			yubikey.NewPrompt(),
 			&creds.DefaultMfaPrompt{},
 		}}
 	}

yubikey/main.go

@@ -22,6 +22,7 @@ const (
 
 type config struct {
 	Mapping map[string]string
+	Serials map[string]string
 }
 
 func mappingFile() (string, error) {
@@ -63,22 +64,13 @@ func homeDir() (string, error) {
 // Prompt defines a yubikey prompt object
 type Prompt struct {
 	mapping map[string]string
-	serial  string
+	serials map[string]string
 }
 
 // NewPrompt populates the yubikey mapping from a dotfile, if it exists
 func NewPrompt() *Prompt {
-	return NewPromptWithSerial("")
-}
-
-// NewPromptWithSerial creates a new prompt with a specific serial
-func NewPromptWithSerial(serial string) *Prompt {
 	logger.InfoMsg("creating new yubikey prompt object")
 	p := Prompt{}
-	if serial != "" {
-		logger.InfoMsgf("setting yubikey serial to %s", serial)
-		p.serial = serial
-	}
 	file, err := mappingFile()
 	if err != nil {
 		logger.InfoMsgf("failed to load mapping file: %s", err)
@@ -103,6 +95,7 @@ func (p *Prompt) AddMappingFromFile(file string) error {
 		return err
 	}
 	p.AddMapping(c.Mapping)
+	p.AddSerials(c.Serials)
 	return nil
 }
 
@@ -112,6 +105,12 @@ func (p *Prompt) AddMapping(mapping map[string]string) {
 	p.mapping = mapping
 }
 
+// AddSerials adds a serial lookup for OTP names
+func (p *Prompt) AddSerials(serials map[string]string) {
+	logger.InfoMsgf("adding serials: %+v", serials)
+	p.serials = serials
+}
+
 // Prompt asks the yubikey for a code
 func (p *Prompt) Prompt(arn string) (string, error) {
 	logger.InfoMsgf("prompting for yubikey mfa for %s", arn)
@@ -128,7 +127,7 @@ func (p *Prompt) Prompt(arn string) (string, error) {
 func (p *Prompt) Store(arn, base32seed string) error {
 	logger.InfoMsgf("storing mfa for %s", arn)
 	name := p.otpName(arn)
-	oath, err := p.getDevice()
+	oath, err := p.getDevice(name)
 	if err != nil {
 		logger.InfoMsgf("failed to access yubikey: %s", err)
 		return err
@@ -174,7 +173,7 @@ func (p *Prompt) otpName(arn string) string {
 
 func (p *Prompt) otpExists(name string) bool {
 	logger.InfoMsgf("checking for existing of %s", name)
-	oath, err := p.getDevice()
+	oath, err := p.getDevice(name)
 	if err != nil {
 		logger.InfoMsgf("failed to access yubikey: %s", err)
 		return false
@@ -200,7 +199,7 @@ func (p *Prompt) otpExists(name string) bool {
 
 func (p *Prompt) otpCode(name string) (string, error) {
 	logger.InfoMsgf("prompting for code for %s", name)
-	oath, err := p.getDevice()
+	oath, err := p.getDevice(name)
 	if err != nil {
 		logger.InfoMsgf("failed to access yubikey: %s", err)
 		return "", err
@@ -213,9 +212,9 @@ func (p *Prompt) otpCode(name string) (string, error) {
 	})
 }
 
-func (p *Prompt) getDevice() (*ykoath.OATH, error) {
+func (p *Prompt) getDevice(name string) (*ykoath.OATH, error) {
 	logger.InfoMsg("creating new yubikey oath device")
-	oath, err := ykoath.NewFromSerial(p.serial)
+	oath, err := ykoath.NewFromSerial(p.serials[name])
 	if err != nil {
 		return nil, err
 	}