From aae5bba42b6f59fb51d543e8a65137987c520bd1 Mon Sep 17 00:00:00 2001
From: joerger
Date: Mon, 7 Oct 2024 11:48:01 -0700
Subject: [PATCH] Validate oidc max age.
---
 api/types/oidc.go | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/api/types/oidc.go b/api/types/oidc.go
index efbe4a6c86b23..601afa499edfd 100644
--- a/api/types/oidc.go
+++ b/api/types/oidc.go
@@ -109,7 +109,7 @@ type OIDCConnector interface {
 // GetClientRedirectSettings returns the client redirect settings.
 GetClientRedirectSettings() *SSOClientRedirectSettings
 // GetMFASettings returns the connector's MFA settings.
- GetMFASettings() OIDCConnectorMFASettings
+ GetMFASettings() *OIDCConnectorMFASettings
 // IsMFAEnabled returns whether the connector has MFA enabled.
 IsMFAEnabled() bool
 // WithMFASettings returns the connector will some settings overwritten set from MFA settings.
@@ -461,6 +461,16 @@ func (o *OIDCConnectorV3) CheckAndSetDefaults() error {
 }
 }
+ if o.Spec.MFASettings != nil {
+ maxAge := o.Spec.MFASettings.MaxAge.Duration()
+ if maxAge < 0 {
+ return trace.BadParameter("max_age cannot be negative")
+ }
+ if maxAge.Round(time.Second) != maxAge {
+ return trace.BadParameter("max_age must be a multiple of seconds")
+ }
+ }
+ return nil
 }
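Review bot: The interface doc comment on the context line above the changed signature still says only that GetMFASettings returns the connector's MFA settings, but with the pointer return the nil case is now part of the contract (the IsMFAEnabled change later in this patch has to guard against it). Suggest `// GetMFASettings returns the connector's MFA settings, or nil when no MFA settings are configured.` so other implementers and callers know to check before dereferencing. If the returned pointer is meant to alias the connector's spec rather than be a copy, it is worth saying so in the same comment.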
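Review bot: The two new error messages say `max_age` without saying which one; the connector also has a top-level max_age (the last hunk writes `o.Spec.MaxAge`) and presumably both appear in the YAML spec, so an operator with both set will not know which value to fix. Suggest `trace.BadParameter("mfa_settings.max_age cannot be negative")` and `trace.BadParameter("mfa_settings.max_age must be a multiple of seconds")`, assuming mfa_settings is the spec key. The whole-seconds test reads more directly as `if maxAge%time.Second != 0 {`, which is equivalent once the negative case has been rejected. A zero max_age passes both checks; if zero is meant as "unset" rather than a real bound, a one-line comment saying so would help, since for an MFA check the freshness bound is the point. CheckAndSetDefaults begins before this hunk, so it is not visible whether the top-level max_age receives the same validation.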
@@ -506,18 +516,14 @@ func (o *OIDCConnectorV3) GetClientRedirectSettings() *SSOClientRedirectSettings
 }
 // GetMFASettings returns the connector's MFA settings.
-func (o *OIDCConnectorV3) GetMFASettings() OIDCConnectorMFASettings {
- if o.Spec.MFASettings == nil {
- return OIDCConnectorMFASettings{
- Enabled: false,
- }
- }
- return *o.Spec.MFASettings
+func (o *OIDCConnectorV3) GetMFASettings() *OIDCConnectorMFASettings {
+ return o.Spec.MFASettings
 }
 // IsMFAEnabled returns whether the connector has MFA enabled.
 func (o *OIDCConnectorV3) IsMFAEnabled() bool {
- return o.GetMFASettings().Enabled
+ mfa := o.GetMFASettings()
+ return mfa != nil && mfa.Enabled
 }
 // WithMFASettings returns the connector will some settings overwritten set from MFA settings.
@@ -530,6 +536,9 @@ func (o *OIDCConnectorV3) WithMFASettings() error {
 o.Spec.ClientSecret = o.Spec.MFASettings.ClientSecret
 o.Spec.ACR = o.Spec.MFASettings.AcrValues
 o.Spec.Prompt = o.Spec.MFASettings.Prompt
+ o.Spec.MaxAge = &MaxAge{
+ Value: o.Spec.MFASettings.MaxAge,
+ }
 return nil
 }
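Review bot: GetMFASettings now hands out the pointer stored in o.Spec.MFASettings instead of a copy, so any caller that mutates the result — clearing ClientSecret before logging, toggling Enabled — silently changes the connector's spec, where the removed value-returning version isolated callers. If aliasing is intended, document it on the method, `// The returned pointer aliases the connector's spec; callers must not modify it.`; otherwise return a copy: `if o.Spec.MFASettings == nil { return nil }`, `s := *o.Spec.MFASettings`, `return &s`. The nil guard added to IsMFAEnabled is correct, but any other existing caller of GetMFASettings that previously read fields directly now dereferences a possibly-nil pointer and needs the same check; those callers are outside this patch.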
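Review bot: `o.Spec.MaxAge` is replaced unconditionally, so a connector whose mfa_settings carries no max_age finishes the MFA flow with a zero-valued MaxAge rather than whatever connector-level max_age was configured; whether zero means "no freshness requirement" or "provider default" is not visible from this hunk, but for an MFA re-authentication that distinction is the security property. If zero is meant as unset, wrap the assignment in `if o.Spec.MFASettings.MaxAge.Duration() != 0 {`, or require max_age in mfa_settings at validation time and say so. The overwrite does mirror how ClientSecret, ACR and Prompt are copied, so if it is deliberate a one-line comment stating that MFA settings always win, even when zero, would settle it. WithMFASettings begins before this hunk.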