[pve-devel] applied: [PATCH access-control] tfa: realm required TFA should lock out users without TFA
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Apr 25 08:39:52 CEST 2019
On 4/24/19 at 8:11 PM, Thomas Lamprecht wrote:
> On 4/18/19 at 10:24 AM, Wolfgang Bumiller wrote:
>> This changed with the previous TFA changes.
>>
>> In the long term, the plan is to let the user get into the
>> half-logged-in state and open the TFA configuration window
>> on the UI to allow them to finish their TFA setup, but for
>> now we restore the previous behavior.
>
> Looks OK. It would be nice to get this message to the API client,
> i.e., the WebUI, as at this point one is already logged in
> successfully but did not meet some other criteria. IMO, this is
> worth telling him, like it'd also be worth telling a few other
> errors, like account expired, or the like.
>
> Currently we do not get any info from the API regarding this, and
> raising a perm exception is also not helping (just as a quick
> test). If we could do this cheaply, nice; else I'd apply this as is to
> restore the old behavior in the meantime.
>
Applied; the above requested can also be done as a follow-up just fine.
Thanks!
>>
>> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
>> ---
>> PVE/AccessControl.pm | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
>> index 06c649d..512fcd2 100644
>> --- a/PVE/AccessControl.pm
>> +++ b/PVE/AccessControl.pm
>> @@ -1453,7 +1453,6 @@ sub user_get_tfa {
>> or die "user '$username' not found\n";
>>
>> my $keys = $user->{keys};
>> - return if !$keys;
>>
>> my $domain_cfg = cfs_read_file('domains.cfg');
>> my $realm_cfg = $domain_cfg->{ids}->{$realm};
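Review bot: with `return if !$keys;` removed near the top of user_get_tfa, users without any keys now fall through to `cfs_read_file('domains.cfg')` and the `$domain_cfg->{ids}->{$realm}` lookup, and nothing at the removal point says why. Add a short comment there stating that the keys check is deferred until the realm's TFA requirement is known, and confirm that the code between this lookup and the new check tolerates an undefined `$realm_cfg`, since key-less users of every realm now reach it.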
>> @@ -1463,6 +1462,11 @@ sub user_get_tfa {
>> $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
>> if $realm_tfa;
>>
>> + if (!$keys) {
>> + return if !$realm_tfa;
>> + die "missing required 2nd keys\n";
>> + }
>> +
>> # new style config starts with an 'x' and optionally contains a !<type> suffix
>> if ($keys !~ /^x(?:!.*)?$/) {
>> # old style config, find the type via the realm
>>
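Review bot: the `die "missing required 2nd keys\n"` in the new `if (!$keys)` block is the only signal for a locked-out user, and it names neither the user nor the realm, unlike the `die "user '$username' not found\n"` earlier in this function. Suggest a message along the lines of "realm '$realm' requires TFA but user '$username' has no keys configured", plus a one-line comment that `return if !$realm_tfa;` keeps the login path for realms without required TFA. As the reply above points out, this message does not reach the API client, so a follow-up may want an error the caller can tell apart from other failures.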
>
>