
Multiple MFA prompts for chained profile (still)

Open jcogilvie opened this issue 3 years ago • 5 comments

Describe the bug

Re-creating as #182 was closed without resolution.

I have two active sessions, one I'll call master and one I will call chained. master requires MFA. chained inherits MFA from master.

When my MFA token expires, I am prompted twice. Entering my MFA token in either of the prompts works equally well to authenticate, and the other prompt can be canceled (albeit an error is displayed upon canceling; this seems to have no effect).

Leapp Version 0.12.2

To Reproduce

Steps to reproduce the behavior:

  1. Create an AWS session (in my case an IAM User) with MFA called master.
  2. Create a chained role session (IAM Role Chained), using master as root.
  3. Activate both sessions (which should only require MFA once iirc).
  4. Wait for expiry
  5. Notice that you are prompted for MFA reauthentication twice.

Expected behavior

A single prompt for MFA token.

The logical link between master and chained already exists in Leapp configuration, and only the master session is actually declared to need MFA, so Leapp ought to be able to infer that they are asking for the same token, and only ask me/perform the operation once.

Desktop (please complete the following information):

  • OS: OSX
  • OS Version 11.6.7
  • Leapp Version 0.12.2

jcogilvie, Jul 24 '22 20:07

Thanks for reporting, are you experiencing this issue also in the latest version (0.13.1)?

pethron, Jul 26 '22 14:07

I am.

jcogilvie, Jul 29 '22 18:07

Hi @jcogilvie, the actual behavior does not take into account the fact that another MFA prompt modal, related to the same IAM User session, is already spawned and is visible to the user. To solve this, we could add logic that checks whether the IAM User-related MFA modal is currently active or not; if yes, the second session flow should wait until a new IAM User session token is available. Does it make sense to you?

ericvilla, Aug 04 '22 09:08

Yes, it does.

jcogilvie, Sep 01 '22 16:09

We will add a single modal to solve the issue.

andreacavagna01, Nov 03 '22 16:11
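
The fix discussed in this thread (a chained session waiting on the MFA prompt already open for its parent IAM User session instead of opening a second one) can be sketched as follows. This is an added example, not Leapp's code; `MfaPromptCoordinator`, `getSessionToken`, `simulateExpiry` and the other names are hypothetical, and the MFA code and token values are constructed.

```typescript
// Added illustration, not Leapp source code. All names are hypothetical.
type SessionToken = { parentSessionId: string; value: string };
type PromptFn = (parentSessionId: string) => Promise<string>; // MFA code; rejects on cancel
type ExchangeFn = (parentSessionId: string, code: string) => Promise<SessionToken>;

class MfaPromptCoordinator {
  promptsShown = 0;
  // One in-flight request per parent IAM User session id.
  private pending = new Map<string, Promise<SessionToken>>();
  private askCode: PromptFn;
  private exchange: ExchangeFn;

  constructor(askCode: PromptFn, exchange: ExchangeFn) {
    this.askCode = askCode;
    this.exchange = exchange;
  }

  // Called for the parent session and for every session chained from it.
  getSessionToken(parentSessionId: string): Promise<SessionToken> {
    const inFlight = this.pending.get(parentSessionId);
    if (inFlight) return inFlight; // a modal is already open: wait for its result
    const request = this.promptAndExchange(parentSessionId);
    this.pending.set(parentSessionId, request);
    // Clear on success and on cancel, so the next expiry or a retry prompts again.
    const clear = () => { this.pending.delete(parentSessionId); };
    request.then(clear, clear);
    return request;
  }

  private async promptAndExchange(parentSessionId: string): Promise<SessionToken> {
    this.promptsShown++;
    const code = await this.askCode(parentSessionId);
    return this.exchange(parentSessionId, code);
  }
}

// Constructed scenario: "master" and "chained" both notice the expired token.
async function simulateExpiry(cancelFirst: boolean): Promise<{ prompts: number; outcomes: string[] }> {
  let attempt = 0;
  const askCode: PromptFn = async () => {
    if (++attempt === 1 && cancelFirst) throw new Error("cancelled");
    return "123456"; // constructed MFA code
  };
  const exchange: ExchangeFn = async (id, code) => ({ parentSessionId: id, value: "token-for-" + code });
  const coordinator = new MfaPromptCoordinator(askCode, exchange);
  const ask = () => coordinator.getSessionToken("master").then(t => t.value, (e: Error) => "error:" + e.message);
  const outcomes: string[] = await Promise.all([ask(), ask()]); // both sessions, same tick
  outcomes.push(await ask()); // a later refresh, after the first request settled
  return { prompts: coordinator.promptsShown, outcomes };
}
```

Because both callers hold the same promise, cancelling the one prompt rejects both session flows with a single error, and the cleared entry lets the next refresh prompt again.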