[pve-devel] [PATCH access-control] tfa: realm required TFA should lock out users without TFA
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Apr 18 10:24:48 CEST 2019
This changed with the previous TFA changes.
In the long term, the plan is to let the user get into the
half-logged-in state and open the TFA configuration window
on the UI to allow them to finish their TFA setup, but for
now we restore the previous behavior.
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
PVE/AccessControl.pm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 06c649d..512fcd2 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1453,7 +1453,6 @@ sub user_get_tfa {
or die "user '$username' not found\n";
my $keys = $user->{keys};
- return if !$keys;
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
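Review bot: dropping "return if !$keys;" at the top of user_get_tfa means $keys can now be undefined for everything that runs before the new check in the next hunk. The two context lines shown here (the cfs_read_file call and the $realm_cfg lookup) do not touch $keys, but the lines between this hunk and the next are not part of the patch, so please confirm none of them uses it. A short comment at this spot saying the empty-keys case is deliberately handled after the realm TFA setting is known would keep someone from re-adding the early return later.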
@@ -1463,6 +1462,11 @@ sub user_get_tfa {
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
if $realm_tfa;
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
# new style config starts with an 'x' and optionally contains a !<type> suffix
if ($keys !~ /^x(?:!.*)?$/) {
# old style config, find the type via the realm
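Review bot: in the new "if (!$keys)" block, the lockout depends on $realm_tfa being true after it has been reassigned from parse_tfa_config. If that call can return a false value for a malformed realm setting, "return if !$realm_tfa;" lets a user without keys through even though the realm asked for TFA, so it is worth confirming that the parser dies on bad input, or testing the raw realm value before parsing. Separately, "missing required 2nd keys" gives an admin little to act on; naming $username and $realm in the message, both in scope in this sub, would make the log entry self-explanatory.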
--
2.11.0