[pve-devel] [PATCH access-control 2/2] fix #3768: warn on bad u2f or webauthn settings

[Wolfgang Bumiller]

but don't bail out of the entire auth process, otherwise
not even totp or recovery keys will work anymore in this
case

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/AccessControl.pm | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 51a96a3..1306576 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -895,17 +895,23 @@ sub configure_u2f_and_wa : prototype($) {
 
     my $dc = cfs_read_file('datacenter.cfg');
     if (my $u2f = $dc->{u2f}) {
-	$tfa_cfg->set_u2f_config({
-	    origin => $u2f->{origin} // $get_origin->(),
-	    appid => $u2f->{appid},
-	});
+	eval {
+	    $tfa_cfg->set_u2f_config({
+		origin => $u2f->{origin} // $get_origin->(),
+		appid => $u2f->{appid},
+	    });
+	};
+	warn "u2f unavailable, configuration error: $@\n" if $@;
     }
     if (my $wa = $dc->{webauthn}) {
-	$tfa_cfg->set_webauthn_config({
-	    origin => $wa->{origin} // $get_origin->(),
-	    rp => $wa->{rp},
-	    id => $wa->{id},
-	});
+	eval {
+	    $tfa_cfg->set_webauthn_config({
+		origin => $wa->{origin} // $get_origin->(),
+		rp => $wa->{rp},
+		id => $wa->{id},
+	    });
+	};
+	warn "webauthn unavailable, configuration error: $@\n" if $@;
     }
 }
 
-- 
2.30.2