From 6063b65b9b2662bea68a3381806efd14525badc5 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 18 Apr 2019 10:24:48 +0200
Subject: [PATCH] tfa: realm required TFA should lock out users without TFA

This changed with the previous TFA changes. In the long term, the plan is to let the user get into the half-logged-in state and open the TFA configuration window on the UI to allow them to finish their TFA setup, but for now we restore the previous behavior.

Signed-off-by: Wolfgang Bumiller
---
 PVE/AccessControl.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 06c649d..512fcd2 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1453,7 +1453,6 @@ sub user_get_tfa {
 or die "user '$username' not found\n";
 my $keys = $user->{keys};
- return if !$keys;
 my $domain_cfg = cfs_read_file('domains.cfg');
 my $realm_cfg = $domain_cfg->{ids}->{$realm};
@@ -1463,6 +1462,11 @@ sub user_get_tfa {
 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
 # new style config starts with an 'x' and optionally contains a ! suffix
 if ($keys !~ /^x(?:!.*)?$/) {
 # old style config, find the type via the realm
-- 
2.39.2
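Review bot: The new `if (!$keys)` branch chooses between "no TFA" and lock-out from the parsed `$realm_tfa`, so it fails open if `PVE::Auth::Plugin::parse_tfa_config` returns a false value for a realm whose TFA setting is present but malformed; that function is not visible here, so this needs confirming. If it can happen, record whether the realm setting was non-empty before the reassignment and `die` when it was set but parsing produced nothing, instead of reaching `return if !$realm_tfa;`. The branch also deserves a comment such as `# realm enforces TFA but the user has no keys: refuse the login instead of skipping the 2nd factor`, since the commit message describes this as interim behaviour. `user_get_tfa` starts and ends outside the hunk.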