* [pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users
@ 2024-03-13 13:18 Markus Frank
2024-07-01 11:27 ` Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Markus Frank @ 2024-03-13 13:18 UTC (permalink / raw)
To: pve-devel
Currently it is possible to set up TFA for an OpenID user (as root user),
but it is never requested during the login process for that user.
This patch prevents this and displays an error message with the instruction
to set up TFA using the OpenId server.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
src/PVE/API2/TFA.pm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 13ffc59..5e7e9eb 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
my ($userid, $realm) =
root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ if ($realm_cfg->{type} eq "openid") {
+ die "Users of the realm '$realm' with type 'openid' cannot use TFA."
+ ." Using the OpenID server to set up TFA is recommended.\n";
+ }
+
my $type = delete $param->{type};
my $value = delete $param->{value};
if ($type eq 'yubico') {
--
2.39.2
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users
2024-03-13 13:18 [pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users Markus Frank
@ 2024-07-01 11:27 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2024-07-01 11:27 UTC (permalink / raw)
To: Proxmox VE development discussion
doesn't apply anymore!
On March 13, 2024 2:18 pm, Markus Frank wrote:
> Currently it is possible to set up TFA for an OpenID user (as root user),
> but it is never requested during the login process for that user.
> This patch prevents this and displays an error message with the instruction
> to set up TFA using the OpenId server.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> src/PVE/API2/TFA.pm | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index 13ffc59..5e7e9eb 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
> my ($userid, $realm) =
> root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
>
> + my $domain_cfg = cfs_read_file('domains.cfg');
> + my $realm_cfg = $domain_cfg->{ids}->{$realm};
> + if ($realm_cfg->{type} eq "openid") {
> + die "Users of the realm '$realm' with type 'openid' cannot use TFA."
> + ." Using the OpenID server to set up TFA is recommended.\n";
> + }
> +
> my $type = delete $param->{type};
> my $value = delete $param->{value};
> if ($type eq 'yubico') {
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-07-01 11:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-13 13:18 [pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users Markus Frank
2024-07-01 11:27 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox