[pve-devel] [PATCH access-control] tfa: realm required TFA should lock out users without TFA

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Apr 24 20:11:30 CEST 2019


On 4/18/19 at 10:24 AM, Wolfgang Bumiller wrote:
> This changed with the previous TFA changes.
> 
> In the long term, the plan is to let the user get into the
> half-logged-in state and open the TFA configuration window
> on the UI to allow them to finish their TFA setup, but for
> now we restore the previous behavior.

looks OK. It would be nice to get this message to the API client,
i.e., the WebUI, as at this point one is already logged in
successfully but did not meet some other criteria; IMO, this is
worth telling him, just as it'd be worth telling him about a few other
errors, like account expired, or the like.

Currently we do not get any info from the API regarding this, and
raising a perm exception is also not helping (just as a quick
test); if we could do this cheaply, nice, else I'd apply this as is to
restore the old behavior in the meantime.

> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
>  PVE/AccessControl.pm | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 06c649d..512fcd2 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -1453,7 +1453,6 @@ sub user_get_tfa {
>  	or die "user '$username' not found\n";
>  
>      my $keys = $user->{keys};
> -    return if !$keys;
>  
>      my $domain_cfg = cfs_read_file('domains.cfg');
>      my $realm_cfg = $domain_cfg->{ids}->{$realm};
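Review bot: with the `return if !$keys;` early exit dropped, `$keys` can now be undef for the rest of `user_get_tfa`, so every later use of it (including the `$keys !~ /^x(?:!.*)?$/` regex further down) depends on the guard the second hunk adds; the hunks are only correct together and the function's leading comment should say that a missing `keys` entry no longer means "no TFA" but is decided by the realm. Side effect worth stating in the commit message: `cfs_read_file('domains.cfg')` is now read on every call, even for users that have no TFA keys at all.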
> @@ -1463,6 +1462,11 @@ sub user_get_tfa {
>      $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
>  	if $realm_tfa;
>  
> +    if (!$keys) {
> +	return if !$realm_tfa;
> +	die "missing required 2nd keys\n";
> +    }
> +
>      # new style config starts with an 'x' and optionally contains a !<type> suffix
>      if ($keys !~ /^x(?:!.*)?$/) {
>  	# old style config, find the type via the realm
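Review bot: the message `die "missing required 2nd keys\n"` is hard to read, and, as the reply above notes, the reason never reaches the API client; suggest something like `die "realm '$realm' requires TFA but user '$username' has no TFA keys configured\n"` plus a way for the caller to distinguish this case from a wrong password, so the UI can later open the TFA setup instead of showing a generic login failure. The placement is right: the check runs after `parse_tfa_config`, so a broken realm TFA config is still reported first, and `return if !$realm_tfa;` keeps the old behavior for realms that do not require TFA.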
> 