fix: when using -P, ensure we go through JIT MFA

bin/shell/osh.pl

@@ -1228,6 +1228,16 @@ if ($osh_debug) {
     osh_debug(Data::Dumper::Dumper(\@accessList));
 }
 
+# Determine whether any of the access grants authorizing this connection requires JIT MFA.
+# This must be done regardless of the egress authentication method.
+# Note: for the ssh egress key path, this value is refined below by get_details_from_access_array(),
+# which additionally honours --use-key. We keep the "last non-none grant wins" semantics it uses.
+foreach my $access (@accessList) {
+    if ($access->{'mfaRequired'} && $access->{'mfaRequired'} ne 'none') {
+        $JITMFARequired = $access->{'mfaRequired'};
+    }
+}
+
 # build ttyrec command that'll prefix the real command
 my $ttyrec_fnret = OVH::Bastion::build_ttyrec_cmdline_part1of2(
     ip            => $ip,

tests/functional/tests.d/370-mfa.sh

@@ -181,6 +181,64 @@ testsuite_mfa()
         contain 'pamtester: successfully authenticated'
         contain 'Permission denied'
 
+        success a4_gen_self_egress_pass $a0 --osh accountGeneratePassword --account $account4 --do-it
+        json .command accountGeneratePassword .error_code OK
+
+        script a4_connect_g3_server_selfpass_jitmfa "echo 'set timeout $default_timeout; \
+            spawn $a4 root@127.7.7.7 -P; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\\n\"; }; \
+            expect eof; \
+            lassign [wait] pid spawnid value value; \
+            exit \$value' | expect -f -"
+        retvalshouldbe 125
+        contain 'will use SSH with password autologin'
+        contain 'entering MFA phase'
+        contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
+        contain REGEX 'Password:|Password for'
+        contain 'pamtester: '
+        nocontain 'pamtester: successfully authenticated'
+        nocontain 'Permission denied'
+
+        script a4_gen_g3_egress_pass "echo 'set timeout $default_timeout;
+            spawn $a4 --osh groupGeneratePassword --group $group3 --do-it;
+            expect \":\" { sleep 0.2; send \"$a4_password\\n\"; };
+            expect eof;
+            lassign [wait] pid spawnid value value;
+            exit \$value' | expect -f -"
+        retvalshouldbe 0
+        contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
+        contain REGEX 'Password:|Password for'
+        json .command groupGeneratePassword .error_code OK
+
+        script a4_connect_g3_server_grouppass_jitmfa "echo 'set timeout $default_timeout; \
+            spawn $a4 root@127.7.7.7 --password $group3; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
+            expect \"is required (password)\" { sleep 0.1; }; \
+            expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\\n\"; }; \
+            expect eof; \
+            lassign [wait] pid spawnid value value; \
+            exit \$value' | expect -f -"
+        retvalshouldbe 125
+        contain 'will use SSH with password autologin'
+        contain 'entering MFA phase'
+        contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
+        contain REGEX 'Password:|Password for'
+        contain 'pamtester: '
+        nocontain 'pamtester: successfully authenticated'
+        nocontain 'Permission denied'
+
         # test proactive mfa
         script set_help_mfa $r0 "'"'echo \{\"mfa_required\":\ \"password\"\} > '"$opt_remote_etc_bastion"'/plugin.help.conf; chmod 644 '"$opt_remote_etc_bastion"'/plugin.help.conf'"'"
         retvalshouldbe 0