MPA: Add ability to pass cred source to MPA command printed for approver (#600)

sfc-gh-mwalas · web-flow · commit 17086d86d9fa · 2025-10-14T14:21:57.000+02:00
* Add ability to pass cred source to MPA command printed for approver

* revert

* Revert credential source
diff --git a/cmd/sanssh/client/client.go b/cmd/sanssh/client/client.go
@@ -390,6 +390,7 @@ func Run(ctx context.Context, rs RunState) {
 		}
 
 		state.Conn = conn
+		state.CredSource = rs.CredSource
 		state.Out = output[start:end]
 		state.Err = errors[start:end]
 		if len(rs.Targets) == 0 {
diff --git a/services/mpa/mpahooks/mpahooks.go b/services/mpa/mpahooks/mpahooks.go
@@ -279,7 +279,7 @@ func createAndBlockOnProxiedMPA(ctx context.Context, method string, args any, co
 
 	if len(targetsNeedingApproval) > 0 {
 		fmt.Fprintln(os.Stderr, "Waiting for multi-party approval on all targets, ask an approver to run:")
-		fmt.Fprintf(os.Stderr, "  sanssh -proxy %v -targets %v mpa approve %v\n", conn.Proxy().Target(), strings.Join(targetsNeedingApproval, ","), mpaID)
+		fmt.Fprintf(os.Stderr, "  sanssh %v-proxy %v -targets %v mpa approve %v\n", getSourceParam(state.CredSource), conn.Proxy().Target(), strings.Join(targetsNeedingApproval, ","), mpaID)
 		// We call WaitForApproval on all targets, even ones already approved. This is silly but not harmful.
 		waitCh, err := mpaClient.WaitForApprovalOneMany(ctx, &mpa.WaitForApprovalRequest{Id: mpaID})
 		if err != nil {
@@ -294,6 +294,13 @@ func createAndBlockOnProxiedMPA(ctx context.Context, method string, args any, co
 	return mpaID, nil
 }
 
+func getSourceParam(credentialSource string) string {
+	if credentialSource != "" {
+		return fmt.Sprintf("--credential-source %s ", credentialSource)
+	}
+	return ""
+}
+
 // ProxyClientUnaryInterceptor will perform the MPA flow prior to making the desired RPC
 // calls through the proxy.
 func ProxyClientUnaryInterceptor(state *util.ExecuteState) proxy.UnaryInterceptor {
diff --git a/services/util/util.go b/services/util/util.go
@@ -50,6 +50,8 @@ type ExecuteState struct {
 	Out []io.Writer
 	// Error stream to write log lines related to particular target host.
 	Err []io.Writer
+	// CredSource is the credential source to use for authn.
+	CredSource string
 }
 
 // StreamingChunkSize is the chunk size we use when sending replies on a stream.

Original file line number	Diff line number	Diff line change
`@@ -390,6 +390,7 @@ func Run(ctx context.Context, rs RunState) {`
`390`	`390`	`}`
`391`	`391`
`392`	`392`	`state.Conn = conn`
	`393`	`+ state.CredSource = rs.CredSource`
`393`	`394`	`state.Out = output[start:end]`
`394`	`395`	`state.Err = errors[start:end]`
`395`	`396`	`if len(rs.Targets) == 0 {`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ type ExecuteState struct {`
`50`	`50`	`Out []io.Writer`
`51`	`51`	`// Error stream to write log lines related to particular target host.`
`52`	`52`	`Err []io.Writer`
	`53`	`+ // CredSource is the credential source to use for authn.`
	`54`	`+ CredSource string`
`53`	`55`	`}`
`54`	`56`
`55`	`57`	`// StreamingChunkSize is the chunk size we use when sending replies on a stream.`