From: Wolfgang Bumiller
Date: Tue, 16 May 2023 11:43:53 +0000 (+0200)
Subject: tfa: enable lockout of users via tfa.cfg
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=9036621e2818d8ee9491b3b9f66b1623543d90ea;p=pve-access-control.git
tfa: enable lockout of users via tfa.cfg
This will be accompanied by a change in pve-rs to finally enable this.
Signed-off-by: Wolfgang Bumiller
---
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index eee0869..c1ade4e 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -821,26 +821,20 @@ sub authenticate_2nd_new_do : prototype($$$$) {
 die "2nd factor failed\n";
 }
- # FIXME: Remove this case when enabling the ones below!
- if (!$result->{result}) {
- die "2nd factor failed\n";
- }
-
 if ($result->{'needs-saving'}) {
 cfs_write_file('priv/tfa.cfg', $tfa_cfg);
 }
- # FIXME: Switch to the code below to use the updated `priv/tfa.cfg` format!
- #if ($result->{'totp-limit-reached'}) {
- # # FIXME: send mail to the user (or admin/root if no email configured)
- # die "failed 2nd factor: TOTP limit reached, locked\n";
- #}
- #if ($result->{'tfa-limit-reached'}) {
- # # FIXME: send mail to the user (or admin/root if no email configured)
- # die "failed 1nd factor: TFA limit reached, user locked out\n";
- #}
- #if (!$result->{result}) {
- # die "failed 2nd factor\n";
- #}
+ if ($result->{'totp-limit-reached'}) {
+ # FIXME: send mail to the user (or admin/root if no email configured)
+ die "failed 2nd factor: TOTP limit reached, locked\n";
+ }
+ if ($result->{'tfa-limit-reached'}) {
+ # FIXME: send mail to the user (or admin/root if no email configured)
+ die "failed 1nd factor: TFA limit reached, user locked out\n";
+ }
+ if (!$result->{result}) {
+ die "failed 2nd factor\n";
+ }
 }
 return $tfa_challenge;
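Review bot: The two newly enabled lockout branches (`totp-limit-reached` and `tfa-limit-reached`) only `die`, and the notification is still a `# FIXME`, so nothing visible in this hunk records that an account was just locked. Repeated second-factor failures suggest that someone may already hold the user's password, so the event should at least be written to the authentication log with the user name before each `die`, unless the caller already does this (the body of `authenticate_2nd_new_do` starts and ends outside the hunk). The second message also reads `1nd`, which looks like a typo for `2nd`; I would change it to `die "failed 2nd factor: TFA limit reached, user locked out\n";`. It is also worth confirming whether these distinct strings reach the client unchanged, because they report the exact lockout state to whoever is attempting the login.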