[pve-devel] [PATCH apiclient] fix #2227: enable totp codes to be passed in cli

Oguz Bektas o.bektas at proxmox.com
Wed Jul 17 16:50:05 CEST 2019


This patch makes it possible to pass TOTP codes during cluster join when TFA
has been enabled for root at pam (or any other user, actually, but root seems to
cause the most problems).

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---

will start working on a gui patch soon.

 PVE/APIClient/LWP.pm | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
index c0e30ff..33a26e0 100755
--- a/PVE/APIClient/LWP.pm
+++ b/PVE/APIClient/LWP.pm
@@ -92,6 +92,11 @@ sub update_ticket {
     $agent->default_header('Cookie', $cookie);
 }
 
+sub complete_tfa_challenge {
+    my ($self, $tfa_response) = @_;
+    return $self->post('/api2/json/access/tfa', {response => $tfa_response});
+}
+
 sub login {
     my ($self) = @_;
 
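Review bot: complete_tfa_challenge has no comment stating its precondition. Judging by the call site in login(), it only works once the partial `PVE:tfa!` ticket and the CSRF token have been installed through update_ticket and update_csrftoken. I would add above the sub: `# Answer a pending TFA challenge; the partial 'PVE:tfa!' ticket and CSRF token must already be installed. Returns the result of post().` The comment should also say that `$tfa_response` is forwarded as given, so any format check is left to the server.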
@@ -129,15 +134,17 @@ sub login {
     my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 
     my $data = $extract_data->($res);
-
-    # TODO: make it possible to use tfa
-    if ($data->{ticket} =~ m/^PVE:tfa!/) {
-	raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
-    }
-
     $self->update_ticket($data->{ticket});
     $self->update_csrftoken($data->{CSRFPreventionToken});
 
+    # handle totp
+    if ($data->{ticket} =~ m/^PVE:tfa!/) {
+	print "\nEnter TFA code for user $username: ";
+	my $tfa_code = <STDIN>;
+	chomp $tfa_code;
+	$data = $self->complete_tfa_challenge($tfa_code);
+	$self->update_ticket($data->{ticket});
+    }
     return $data;
 }
 
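Review bot: The new TFA branch in login() reads `<STDIN>` without checking the result, so on EOF or with a non-interactive caller `$tfa_code` is undef, `chomp` warns, and an undefined value is passed on as the TFA response. Guard the read, e.g. `defined(my $tfa_code = <STDIN>) or raise("no TFA code supplied for user '$username'\n");`, and consider prompting only when `-t STDIN` is true, since this is client library code that may run without a terminal. `$data` is also overwritten with the result of complete_tfa_challenge, so the `CSRFPreventionToken` from the first response is presumably missing from what login() returns; confirm that callers do not rely on it. login() starts above this hunk.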
-- 
2.20.1



