jesus/prvng_core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
prvng_core/nulib/mfa/commands.nu
Jesús Pérez 1fe83246d6
feat: integrate enterprise security system into core libraries 
Adds KMS, secrets management, config encryption, and auth plugins to enable
zero-trust security architecture across the provisioning platform.
2025-10-09 16:36:27 +01:00

379 lines
10 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Multi-Factor Authentication (MFA) CLI commands
#
# Provides comprehensive MFA management through the control-center API
use ../lib_provisioning/config/loader.nu get-config
# Get API base URL from config
def get-api-url [] {
let config = get-config
$config.api.base_url? | default "http://localhost:8080"
}
# Get auth token from environment or config
def get-auth-token [] {
$env.PROVISIONING_AUTH_TOKEN? | default ""
}
# Make authenticated API request
def api-request [
method: string # HTTP method (GET, POST, DELETE)
endpoint: string # API endpoint path
body?: any # Request body (optional)
] {
let base_url = get-api-url
let token = get-auth-token
let url = $"($base_url)/api/v1($endpoint)"
let headers = {
"Authorization": $"Bearer ($token)"
"Content-Type": "application/json"
}
if ($body | is-empty) {
http $method $url --headers $headers
} else {
http $method $url --headers $headers ($body | to json)
}
}
# ============================================================================
# TOTP Commands
# ============================================================================
# Enroll TOTP (Time-based One-Time Password)
#
# Example:
# mfa totp enroll
export def "mfa totp enroll" [] {
print "📱 Enrolling TOTP device..."
let response = api-request "POST" "/mfa/totp/enroll"
print ""
print "✅ TOTP device enrolled successfully!"
print ""
print "📋 Device ID:" $response.device_id
print ""
print "🔑 Manual entry secret (if QR code doesn't work):"
print $" ($response.secret)"
print ""
print "📱 Scan this QR code with your authenticator app:"
print " (Google Authenticator, Authy, Microsoft Authenticator, etc.)"
print ""
# Save QR code to file
let qr_file = $"/tmp/mfa-qr-($response.device_id).html"
$"<!DOCTYPE html>
<html>
<head><title>MFA Setup - QR Code</title></head>
<body style='text-align: center; padding: 50px;'>
<h1>Scan QR Code</h1>
<img src='($response.qr_code)' style='max-width: 400px;' />
<p><code>($response.secret)</code></p>
</body>
</html>" | save -f $qr_file
print $" QR code saved to: ($qr_file)"
print $" Open in browser: open ($qr_file)"
print ""
print "💾 Backup codes (save these securely):"
for code in $response.backup_codes {
print $" ($code)"
}
print ""
print "⚠️ IMPORTANT: Test your TOTP setup with 'mfa totp verify <code>'"
print ""
}
# Verify TOTP code
#
# Example:
# mfa totp verify 123456
export def "mfa totp verify" [
code: string # 6-digit TOTP code
--device-id: string # Specific device ID (optional)
] {
print $"🔐 Verifying TOTP code: ($code)..."
let body = {
code: $code
device_id: $device_id
}
let response = api-request "POST" "/mfa/totp/verify" $body
if $response.verified {
print ""
print "✅ TOTP verification successful!"
if $response.backup_code_used {
print "⚠️ Note: A backup code was used"
}
print ""
} else {
print ""
print "❌ TOTP verification failed"
print " Please check your code and try again"
print ""
exit 1
}
}
# Disable TOTP
#
# Example:
# mfa totp disable
export def "mfa totp disable" [] {
print "⚠️ Disabling TOTP..."
print ""
print "This will remove all TOTP devices from your account."
let confirm = input "Are you sure? (yes/no): "
if $confirm != "yes" {
print "Cancelled."
return
}
api-request "POST" "/mfa/totp/disable"
print ""
print "✅ TOTP disabled successfully"
print ""
}
# Show backup codes status
#
# Example:
# mfa totp backup-codes
export def "mfa totp backup-codes" [] {
print "🔑 Fetching backup codes status..."
let response = api-request "GET" "/mfa/totp/backup-codes"
print ""
print "📋 Backup Codes:"
for code in $response.backup_codes {
print $" ($code)"
}
print ""
}
# Regenerate backup codes
#
# Example:
# mfa totp regenerate
export def "mfa totp regenerate" [] {
print "🔄 Regenerating backup codes..."
print ""
print "⚠️ This will invalidate all existing backup codes."
let confirm = input "Continue? (yes/no): "
if $confirm != "yes" {
print "Cancelled."
return
}
let response = api-request "POST" "/mfa/totp/regenerate"
print ""
print "✅ New backup codes generated:"
print ""
for code in $response.backup_codes {
print $" ($code)"
}
print ""
print "💾 Save these codes securely!"
print ""
}
# ============================================================================
# WebAuthn Commands
# ============================================================================
# Enroll WebAuthn device (security key)
#
# Example:
# mfa webauthn enroll --device-name "YubiKey 5"
export def "mfa webauthn enroll" [
--device-name: string = "Security Key" # Device name
] {
print $"🔐 Enrolling WebAuthn device: ($device_name)"
print ""
print "⚠️ WebAuthn enrollment requires browser interaction."
print " Use the Web UI at: (get-api-url)/mfa/setup"
print ""
print " Or use the API directly with a browser-based client."
print ""
}
# List WebAuthn devices
#
# Example:
# mfa webauthn list
export def "mfa webauthn list" [] {
print "🔑 Fetching WebAuthn devices..."
let devices = api-request "GET" "/mfa/webauthn/devices"
if ($devices | is-empty) {
print ""
print "No WebAuthn devices registered"
print ""
return
}
print ""
print "📱 WebAuthn Devices:"
print ""
for device in $devices {
print $"Device: ($device.device_name)"
print $" ID: ($device.id)"
print $" Created: ($device.created_at)"
print $" Last used: ($device.last_used | default 'Never')"
print $" Status: (if $device.enabled { '✅ Enabled' } else { '❌ Disabled' })"
print $" Transports: ($device.transports | str join ', ')"
print ""
}
}
# Remove WebAuthn device
#
# Example:
# mfa webauthn remove <device-id>
export def "mfa webauthn remove" [
device_id: string # Device ID to remove
] {
print $"🗑️ Removing WebAuthn device: ($device_id)"
print ""
let confirm = input "Are you sure? (yes/no): "
if $confirm != "yes" {
print "Cancelled."
return
}
api-request "DELETE" $"/mfa/webauthn/devices/($device_id)"
print ""
print "✅ Device removed successfully"
print ""
}
# ============================================================================
# General MFA Commands
# ============================================================================
# Show MFA status
#
# Example:
# mfa status
export def "mfa status" [] {
print "🔐 Fetching MFA status..."
let status = api-request "GET" "/mfa/status"
print ""
print "📊 MFA Status:"
print $" Enabled: (if $status.enabled { '✅ Yes' } else { '❌ No' })"
print ""
if not ($status.totp_devices | is-empty) {
print "📱 TOTP Devices:"
for device in $status.totp_devices {
print $" • ID: ($device.id)"
print $" Created: ($device.created_at)"
print $" Last used: ($device.last_used | default 'Never')"
print $" Status: (if $device.enabled { 'Enabled' } else { 'Not verified' })"
}
print ""
}
if not ($status.webauthn_devices | is-empty) {
print "🔑 WebAuthn Devices:"
for device in $status.webauthn_devices {
print $" • ($device.device_name)"
print $" ID: ($device.id)"
print $" Created: ($device.created_at)"
print $" Last used: ($device.last_used | default 'Never')"
}
print ""
}
if $status.has_backup_codes {
print "💾 Backup codes: Available"
print ""
}
if (not $status.enabled) {
print " MFA is not enabled. Set it up with:"
print " • mfa totp enroll - For TOTP (recommended)"
print " • mfa webauthn enroll - For hardware keys"
print ""
}
}
# Disable all MFA methods
#
# Example:
# mfa disable
export def "mfa disable" [] {
print "⚠️ Disabling ALL MFA methods..."
print ""
print "This will remove:"
print " • All TOTP devices"
print " • All WebAuthn devices"
print " • All backup codes"
print ""
let confirm = input "Are you ABSOLUTELY sure? Type 'disable mfa': "
if $confirm != "disable mfa" {
print "Cancelled."
return
}
api-request "POST" "/mfa/disable"
print ""
print "✅ All MFA methods have been disabled"
print ""
}
# List all MFA devices
#
# Example:
# mfa list-devices
export def "mfa list-devices" [] {
mfa status
}
# ============================================================================
# Help Command
# ============================================================================
# Show MFA help
export def "mfa help" [] {
print ""
print "🔐 Multi-Factor Authentication (MFA) Commands"
print ""
print "TOTP (Time-based One-Time Password):"
print " mfa totp enroll - Enroll TOTP device"
print " mfa totp verify <code> - Verify TOTP code"
print " mfa totp disable - Disable TOTP"
print " mfa totp backup-codes - Show backup codes status"
print " mfa totp regenerate - Regenerate backup codes"
print ""
print "WebAuthn (Hardware Security Keys):"
print " mfa webauthn enroll - Enroll security key"
print " mfa webauthn list - List registered devices"
print " mfa webauthn remove <id> - Remove device"
print ""
print "General:"
print " mfa status - Show MFA status"
print " mfa list-devices - List all devices"
print " mfa disable - Disable all MFA"
print " mfa help - Show this help"
print ""
}
Reference in New Issue View Git Blame Copy Permalink