Resolve comments.

api/mfa/ceremony.go

@@ -38,22 +38,19 @@ type Ceremony struct {
 
 // Run runs the MFA ceremony.
 func (c *Ceremony) Run(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest, promptOpts ...PromptOpt) (*proto.MFAAuthenticateResponse, error) {
-	if c.CreateAuthenticateChallenge == nil {
+	switch {
+	case c.CreateAuthenticateChallenge == nil:
 		return nil, trace.BadParameter("mfa ceremony must have CreateAuthenticateChallenge set in order to begin")
-	}
-
-	if c.SolveAuthenticateChallenge == nil && c.PromptConstructor == nil {
-		return nil, trace.BadParameter("mfa ceremony must have SolveAuthenticateChallenge or PromptConstructor set in order to succeed")
-	}
-
-	if req != nil {
-		if req.ChallengeExtensions == nil {
-			return nil, trace.BadParameter("missing challenge extensions")
-		}
-
-		if req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED {
-			return nil, trace.BadParameter("mfa challenge scope must be specified")
-		}
+	case (c.SolveAuthenticateChallenge == nil && c.PromptConstructor == nil) ||
+		(c.SolveAuthenticateChallenge != nil && c.PromptConstructor != nil):
+		return nil, trace.BadParameter("mfa ceremony must have either SolveAuthenticateChallenge or PromptConstructor set in order to succeed")
+	case req == nil:
+		// req may be nil in cases where the ceremony's CreateAuthenticateChallenge sources
+		// its own req or uses a different rpc, e.g. moderated sessions.
+	case req.ChallengeExtensions == nil:
+		return nil, trace.BadParameter("missing challenge extensions")
+	case req.ChallengeExtensions.Scope == mfav1.ChallengeScope_CHALLENGE_SCOPE_UNSPECIFIED:
+		return nil, trace.BadParameter("mfa challenge scope must be specified")
 	}
 
 	chal, err := c.CreateAuthenticateChallenge(ctx, req)

lib/client/mfa.go

@@ -21,24 +21,25 @@ package client
 import (
 	"context"
 
+	"github.com/gravitational/trace"
+
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/mfa"
 	wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 	libmfa "github.com/gravitational/teleport/lib/client/mfa"
-	"github.com/gravitational/trace"
 )
 
 // NewMFACeremony returns a new MFA ceremony configured for this client.
 func (tc *TeleportClient) NewMFACeremony() *mfa.Ceremony {
 	return &mfa.Ceremony{
-		CreateAuthenticateChallenge: tc.CreateAuthenticateChallenge,
+		CreateAuthenticateChallenge: tc.createAuthenticateChallenge,
 		PromptConstructor:           tc.NewMFAPrompt,
 	}
 }
 
-// CreateAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.
-func (tc *TeleportClient) CreateAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
+// createAuthenticateChallenge creates and returns MFA challenges for a users registered MFA devices.
+func (tc *TeleportClient) createAuthenticateChallenge(ctx context.Context, req *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
 	clusterClient, err := tc.ConnectToCluster(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/client/presence.go

@@ -57,7 +57,6 @@ func WithPresenceClock(clock clockwork.Clock) PresenceOption {
 // RunPresenceTask periodically performs and MFA ceremony to detect that a user is
 // still present and attentive.
 func RunPresenceTask(ctx context.Context, term io.Writer, maintainer PresenceMaintainer, sessionID string, mfaPrompt mfa.Prompt, opts ...PresenceOption) error {
-
 	fmt.Fprintf(term, "\r\nTeleport > MFA presence enabled\r\n")
 
 	o := &presenceOptions{

lib/web/terminal.go

@@ -639,7 +639,6 @@ func mfaPrompt(stream *terminal.WSStream, codec terminal.MFACodec) mfa.Prompt {
 		resp, err := stream.ReadChallengeResponse(codec)
 		return resp, trace.Wrap(err)
 	})
-
 }
 
 type connectWithMFAFn = func(ctx context.Context, ws terminal.WSConn, tc *client.TeleportClient, accessChecker services.AccessChecker, getAgent teleagent.Getter, signer agentless.SignerCreator) (*client.NodeClient, error)