
# Multi-Factor Authentication (MFA) CLI commands
#
# Provides comprehensive MFA management through the control-center API
use ../lib_provisioning/config/loader.nu get-config
# Get API base URL from config
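# Resolve the control-center base URL.
#
# Reads `api.base_url` from the loaded config and falls back to the local
# development address when the key is absent. A trailing slash is stripped so
# that the `/api/v1...` suffix appended by `api-request` never produces `//`.
def get-api-url [] {
    let config = get-config
    $config.api.base_url?
    | default "http://localhost:8080"
    | str trim --right --char "/"
}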
# Get auth token from the environment (PROVISIONING_AUTH_TOKEN); empty string when unset
# Return the bearer token used for control-center requests.
#
# The token is taken from `$env.PROVISIONING_AUTH_TOKEN`; when the variable is
# not set an empty string is returned (callers decide how to treat that).
def get-auth-token [] {
    let from_env = $env.PROVISIONING_AUTH_TOKEN?
    if ($from_env | is-empty) { "" } else { $from_env }
}
# Make authenticated API request
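# Make an authenticated request against the control-center API.
#
# Parameters:
#   method   - HTTP verb: GET, POST or DELETE (case-insensitive)
#   endpoint - path below `/api/v1`, e.g. "/mfa/status"
#   body     - optional record sent as JSON (POST only)
#
# Returns the parsed response as produced by nushell's `http` commands.
# Raises when no auth token is configured or the verb is not supported.
def api-request [
    method: string   # HTTP method (GET, POST, DELETE)
    endpoint: string # API endpoint path
    body?: any       # Request body (optional)
] {
    let base_url = get-api-url
    let token = get-auth-token
    # Refuse to send an empty bearer token: the server would reject it anyway,
    # and failing here yields a clearer message than a 401 response body.
    if ($token | is-empty) {
        error make --unspanned {
            msg: "No auth token found: set PROVISIONING_AUTH_TOKEN before running mfa commands"
        }
    }
    # A bearer token over plain HTTP is readable on the wire; warn (on stderr)
    # unless the target is loopback.
    if ($base_url | str starts-with "http://") and not ($base_url =~ '^http://(localhost|127\.0\.0\.1|\[::1\])(:|/|$)') {
        print -e $"⚠️  Sending credentials over plaintext HTTP to ($base_url)"
    }
    let url = $"($base_url)/api/v1($endpoint)"
    let headers = {
        "Authorization": $"Bearer ($token)"
        "Content-Type": "application/json"
    }
    # `http get`/`http post`/`http delete` are distinct commands resolved at
    # parse time, so the verb cannot be spliced in from a variable.
    match ($method | str upcase) {
        "GET" => { http get $url --headers $headers }
        "POST" => {
            # Content-Type is application/json, so send an empty object rather
            # than an empty body when the caller supplied nothing.
            let payload = if ($body | is-empty) { "{}" } else { $body | to json }
            http post $url --headers $headers $payload
        }
        "DELETE" => { http delete $url --headers $headers }
        _ => {
            error make --unspanned { msg: $"Unsupported HTTP method: ($method)" }
        }
    }
}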
# ============================================================================
# TOTP Commands
# ============================================================================
# Enroll TOTP (Time-based One-Time Password)
#
# Example:
# mfa totp enroll
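# Enroll a TOTP device.
#
# Calls POST /mfa/totp/enroll, prints the device id, the manual-entry secret
# and the backup codes, and writes an HTML page containing the QR code so the
# user can scan it. The page holds the raw TOTP seed, so it is written to a
# user-private location rather than the shared /tmp and the user is told to
# delete it once the authenticator has been set up.
#
# Example:
#   mfa totp enroll
export def "mfa totp enroll" [] {
    # Local helper: escape a string for safe embedding in HTML text/attributes.
    # The values come from the API response and end up in a file opened in a
    # browser, so they must not be able to inject markup.
    def html-escape [text: string] {
        $text
        | str replace --all '&' '&amp;'
        | str replace --all '<' '&lt;'
        | str replace --all '>' '&gt;'
        | str replace --all '"' '&quot;'
        | str replace --all "'" '&#39;'
    }
    print "📱 Enrolling TOTP device..."
    let response = api-request "POST" "/mfa/totp/enroll"
    let device_id = ($response.device_id | into string)
    # The id becomes part of a file name; reject anything that could escape
    # the target directory.
    if ($device_id | is-empty) or ($device_id =~ '[/\\]') {
        error make --unspanned { msg: $"Unexpected device id in API response: ($device_id)" }
    }
    print ""
    print "✅ TOTP device enrolled successfully!"
    print ""
    print $"📋 Device ID: ($device_id)"
    print ""
    print "🔑 Manual entry secret (if QR code doesn't work):"
    print $" ($response.secret)"
    print ""
    print "📱 Scan this QR code with your authenticator app:"
    print " (Google Authenticator, Authy, Microsoft Authenticator, etc.)"
    print ""
    # Prefer the per-user runtime directory (0700 by spec); fall back to the
    # home directory. Never the world-readable shared /tmp.
    let qr_dir = ($env.XDG_RUNTIME_DIR? | default $nu.home-path)
    let qr_file = ($qr_dir | path join $"mfa-qr-($device_id).html")
    let qr_src = html-escape ($response.qr_code | into string)
    let secret = html-escape ($response.secret | into string)
    $"<!DOCTYPE html>
<html>
<head><title>MFA Setup - QR Code</title></head>
<body style='text-align: center; padding: 50px;'>
<h1>Scan QR Code</h1>
<img src='($qr_src)' style='max-width: 400px;' />
<p><code>($secret)</code></p>
</body>
</html>" | save -f $qr_file
    # Best effort: restrict the file to the owner where chmod exists.
    try { ^chmod 600 $qr_file }
    print $" QR code saved to: ($qr_file)"
    print $" Open in browser: open ($qr_file)"
    print $" Delete it after scanning: rm ($qr_file)"
    print ""
    print "💾 Backup codes (save these securely):"
    for code in $response.backup_codes {
        print $" ($code)"
    }
    print ""
    print "⚠️ IMPORTANT: Test your TOTP setup with 'mfa totp verify <code>'"
    print ""
}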
# Verify TOTP code
#
# Example:
# mfa totp verify 123456
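# Verify a TOTP code (or a backup code) against POST /mfa/totp/verify.
#
# Parameters:
#   code        - the one-time code; surrounding whitespace is trimmed
#   --device-id - restrict verification to a specific device (optional)
#
# Raises an error when the server reports the code as not verified. The
# original used `exit 1` here, which terminates the interactive shell when
# this module is `use`d; `error make` still yields a non-zero status in
# scripts without killing the session.
#
# Example:
#   mfa totp verify 123456
export def "mfa totp verify" [
    code: string        # TOTP code (or backup code)
    --device-id: string # Specific device ID (optional)
] {
    # Do not echo the code: it is a live credential and terminals are often
    # logged or screen-recorded.
    print "🔐 Verifying TOTP code..."
    let body = {
        code: ($code | str trim)
        device_id: $device_id
    }
    let response = api-request "POST" "/mfa/totp/verify" $body
    if $response.verified {
        print ""
        print "✅ TOTP verification successful!"
        if $response.backup_code_used {
            print "⚠️ Note: A backup code was used"
        }
        print ""
    } else {
        print ""
        print "❌ TOTP verification failed"
        print " Please check your code and try again"
        print ""
        error make --unspanned { msg: "TOTP verification failed" }
    }
}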
# Disable TOTP
#
# Example:
# mfa totp disable
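# Disable TOTP: removes all TOTP devices from the account after an explicit
# "yes" confirmation. Calls POST /mfa/totp/disable.
#
# Example:
#   mfa totp disable
export def "mfa totp disable" [] {
    print "⚠️ Disabling TOTP..."
    print ""
    print "This will remove all TOTP devices from your account."
    let confirm = input "Are you sure? (yes/no): "
    if $confirm != "yes" {
        print "Cancelled."
        return
    }
    # The response is not needed; `ignore` keeps an unconsumed value from
    # being auto-printed between the status lines.
    api-request "POST" "/mfa/totp/disable" | ignore
    print ""
    print "✅ TOTP disabled successfully"
    print ""
}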
# Show backup codes (prints the codes returned by GET /mfa/totp/backup-codes)
#
# Example:
# mfa totp backup-codes
# Print the account's backup codes as returned by GET /mfa/totp/backup-codes.
# Note that this writes recovery credentials to the terminal.
#
# Example:
#   mfa totp backup-codes
export def "mfa totp backup-codes" [] {
    print "🔑 Fetching backup codes status..."
    let codes = (api-request "GET" "/mfa/totp/backup-codes").backup_codes
    print ""
    print "📋 Backup Codes:"
    $codes | each {|c| print $" ($c)" } | ignore
    print ""
}
# Regenerate backup codes
#
# Example:
# mfa totp regenerate
# Regenerate backup codes via POST /mfa/totp/regenerate.
#
# Asks for a literal "yes" first because the call invalidates every existing
# backup code, then prints the new set.
#
# Example:
#   mfa totp regenerate
export def "mfa totp regenerate" [] {
    print "🔄 Regenerating backup codes..."
    print ""
    print "⚠️ This will invalidate all existing backup codes."
    let answer = input "Continue? (yes/no): "
    if $answer != "yes" {
        print "Cancelled."
        return
    }
    let new_codes = (api-request "POST" "/mfa/totp/regenerate").backup_codes
    print ""
    print "✅ New backup codes generated:"
    print ""
    $new_codes | each {|c| print $" ($c)" } | ignore
    print ""
    print "💾 Save these codes securely!"
    print ""
}
# ============================================================================
# WebAuthn Commands
# ============================================================================
# Enroll WebAuthn device (security key)
#
# Example:
# mfa webauthn enroll --device-name "YubiKey 5"
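# Explain how to enroll a WebAuthn device (security key).
#
# WebAuthn registration needs a browser-side authenticator ceremony, so this
# command performs no API call; it only points the user at the Web UI.
#
# Parameters:
#   --device-name - label shown in the message (default "Security Key")
#
# Example:
#   mfa webauthn enroll --device-name "YubiKey 5"
export def "mfa webauthn enroll" [
    --device-name: string = "Security Key" # Device name
] {
    print $"🔐 Enrolling WebAuthn device: ($device_name)"
    print ""
    print "⚠️ WebAuthn enrollment requires browser interaction."
    # Interpolated string: the original used a plain literal here, so the
    # text "(get-api-url)" was printed verbatim instead of the URL.
    print $" Use the Web UI at: (get-api-url)/mfa/setup"
    print ""
    print " Or use the API directly with a browser-based client."
    print ""
}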
# List WebAuthn devices
#
# Example:
# mfa webauthn list
# List registered WebAuthn devices (GET /mfa/webauthn/devices).
#
# Prints one block per device; prints a short notice when none are registered.
#
# Example:
#   mfa webauthn list
export def "mfa webauthn list" [] {
    print "🔑 Fetching WebAuthn devices..."
    let registered = api-request "GET" "/mfa/webauthn/devices"
    if ($registered | is-empty) {
        print ""
        print "No WebAuthn devices registered"
        print ""
        return
    }
    print ""
    print "📱 WebAuthn Devices:"
    print ""
    $registered | each {|d|
        let state = if $d.enabled { '✅ Enabled' } else { '❌ Disabled' }
        let last = $d.last_used | default 'Never'
        print $"Device: ($d.device_name)"
        print $" ID: ($d.id)"
        print $" Created: ($d.created_at)"
        print $" Last used: ($last)"
        print $" Status: ($state)"
        print $" Transports: ($d.transports | str join ', ')"
        print ""
    } | ignore
}
# Remove WebAuthn device
#
# Example:
# mfa webauthn remove <device-id>
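# Remove a WebAuthn device via DELETE /mfa/webauthn/devices/<id>.
#
# Parameters:
#   device_id - id of the device to remove (as shown by `mfa webauthn list`)
#
# The id is spliced into the request path, so it is validated against a
# conservative character set before the call. Raises on an invalid id.
#
# Example:
#   mfa webauthn remove <device-id>
export def "mfa webauthn remove" [
    device_id: string # Device ID to remove
] {
    # Reject ids that could alter the request path (`/`, `..`, `?`, `#`, ...).
    if not ($device_id =~ '^[A-Za-z0-9][A-Za-z0-9_-]*$') {
        error make --unspanned { msg: $"Invalid device id: ($device_id)" }
    }
    print $"🗑️ Removing WebAuthn device: ($device_id)"
    print ""
    let confirm = input "Are you sure? (yes/no): "
    if $confirm != "yes" {
        print "Cancelled."
        return
    }
    # Discard the response so an unconsumed value is not auto-printed.
    api-request "DELETE" $"/mfa/webauthn/devices/($device_id)" | ignore
    print ""
    print "✅ Device removed successfully"
    print ""
}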
# ============================================================================
# General MFA Commands
# ============================================================================
# Show MFA status
#
# Example:
# mfa status
# Show the account's MFA status (GET /mfa/status).
#
# Prints whether MFA is enabled, the TOTP and WebAuthn devices, whether backup
# codes exist, and setup hints when MFA is off.
#
# Example:
#   mfa status
export def "mfa status" [] {
    print "🔐 Fetching MFA status..."
    let st = api-request "GET" "/mfa/status"
    let enabled_label = if $st.enabled { '✅ Yes' } else { '❌ No' }
    print ""
    print "📊 MFA Status:"
    print $" Enabled: ($enabled_label)"
    print ""
    let totp = $st.totp_devices
    if ($totp | is-empty) == false {
        print "📱 TOTP Devices:"
        $totp | each {|d|
            let state = if $d.enabled { 'Enabled' } else { 'Not verified' }
            print $" • ID: ($d.id)"
            print $" Created: ($d.created_at)"
            print $" Last used: ($d.last_used | default 'Never')"
            print $" Status: ($state)"
        } | ignore
        print ""
    }
    let keys = $st.webauthn_devices
    if ($keys | is-empty) == false {
        print "🔑 WebAuthn Devices:"
        $keys | each {|d|
            print $" • ($d.device_name)"
            print $" ID: ($d.id)"
            print $" Created: ($d.created_at)"
            print $" Last used: ($d.last_used | default 'Never')"
        } | ignore
        print ""
    }
    if $st.has_backup_codes {
        print "💾 Backup codes: Available"
        print ""
    }
    if $st.enabled == false {
        print " MFA is not enabled. Set it up with:"
        print " • mfa totp enroll - For TOTP (recommended)"
        print " • mfa webauthn enroll - For hardware keys"
        print ""
    }
}
# Disable all MFA methods
#
# Example:
# mfa disable
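# Disable every MFA method (POST /mfa/disable).
#
# Removes all TOTP devices, WebAuthn devices and backup codes. Requires the
# user to type the exact phrase "disable mfa" to proceed.
#
# Example:
#   mfa disable
export def "mfa disable" [] {
    print "⚠️ Disabling ALL MFA methods..."
    print ""
    print "This will remove:"
    print " • All TOTP devices"
    print " • All WebAuthn devices"
    print " • All backup codes"
    print ""
    let confirm = input "Are you ABSOLUTELY sure? Type 'disable mfa': "
    if $confirm != "disable mfa" {
        print "Cancelled."
        return
    }
    # Discard the response so an unconsumed value is not auto-printed.
    api-request "POST" "/mfa/disable" | ignore
    print ""
    print "✅ All MFA methods have been disabled"
    print ""
}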
# List all MFA devices
#
# Example:
# mfa list-devices
# List all MFA devices.
#
# Alias for `mfa status`, which already renders every TOTP and WebAuthn device.
#
# Example:
#   mfa list-devices
export def "mfa list-devices" [] {
    mfa status
}
# ============================================================================
# Help Command
# ============================================================================
# Show MFA help
# Print the MFA command overview, one line per command.
export def "mfa help" [] {
    let lines = [
        ""
        "🔐 Multi-Factor Authentication (MFA) Commands"
        ""
        "TOTP (Time-based One-Time Password):"
        " mfa totp enroll - Enroll TOTP device"
        " mfa totp verify <code> - Verify TOTP code"
        " mfa totp disable - Disable TOTP"
        " mfa totp backup-codes - Show backup codes status"
        " mfa totp regenerate - Regenerate backup codes"
        ""
        "WebAuthn (Hardware Security Keys):"
        " mfa webauthn enroll - Enroll security key"
        " mfa webauthn list - List registered devices"
        " mfa webauthn remove <id> - Remove device"
        ""
        "General:"
        " mfa status - Show MFA status"
        " mfa list-devices - List all devices"
        " mfa disable - Disable all MFA"
        " mfa help - Show this help"
        ""
    ]
    for line in $lines {
        print $line
    }
}