From 5d1ac4cbe7ee31c619e742341d1931cce2d162f3 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 15:21:54 -0300
Subject: [PATCH] fix: Respect the --no-allow-passwordless flag

---
 tool/tsh/common/mfa.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/tool/tsh/common/mfa.go b/tool/tsh/common/mfa.go
index c540cce3b1228..404be014e1c0f 100644
--- a/tool/tsh/common/mfa.go
+++ b/tool/tsh/common/mfa.go
@@ -197,12 +197,14 @@ type mfaAddCommand struct {
 	devName string
 	devType string
 
-	// allowPasswordless is initially true if --allow-passwordless is set, false
-	// if not explicitly requested.
-	// It can only be set by users if wancli.IsFIDO2Available() is true.
+	// allowPasswordless and allowPasswordlessSet hold the state of the
+	// --(no-)allow-passwordless flag.
+	//
+	// allowPasswordless can only be set by users if wancli.IsFIDO2Available() is
+	// true.
 	// Note that Touch ID registrations are always passwordless-capable,
 	// regardless of other settings.
-	allowPasswordless bool
+	allowPasswordless, allowPasswordlessSet bool
 }
 
 func newMFAAddCommand(parent *kingpin.CmdClause) *mfaAddCommand {
@@ -213,7 +215,9 @@ func newMFAAddCommand(parent *kingpin.CmdClause) *mfaAddCommand {
 	c.Flag("type", fmt.Sprintf("Type of the new MFA device (%s)", strings.Join(defaultDeviceTypes, ", "))).
 		EnumVar(&c.devType, defaultDeviceTypes...)
 	if wancli.IsFIDO2Available() {
-		c.Flag("allow-passwordless", "Allow passwordless logins").BoolVar(&c.allowPasswordless)
+		c.Flag("allow-passwordless", "Allow passwordless logins").
+			IsSetByUser(&c.allowPasswordlessSet).
+			BoolVar(&c.allowPasswordless)
 	}
 	return c
 }
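Review bot: The new field comment says the two booleans "hold the state of the flag" but never states what allowPasswordlessSet itself means, which is the thing run() now branches on. Suggest spelling out the three states: `// allowPasswordlessSet is true only when the user passed --allow-passwordless or --no-allow-passwordless explicitly; allowPasswordless then carries the chosen value, and when neither form is given the caller prompts.` It is also worth noting in the same comment that the flag is only registered when wancli.IsFIDO2Available() is true (per newMFAAddCommand below), so both fields stay false otherwise.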
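Review bot: The help text on the `allow-passwordless` flag still describes a plain boolean, yet with `IsSetByUser` wired in the flag now has three effective states: `--allow-passwordless`, `--no-allow-passwordless`, and omitted (which triggers an interactive prompt in run). Since `--no-allow-passwordless` is what makes `tsh mfa add` usable non-interactively, the help string should say so, e.g. `c.Flag("allow-passwordless", "Allow passwordless logins (prompted interactively when neither --allow-passwordless nor --no-allow-passwordless is given)").`. The kingpin-generated `--no-` form is otherwise undocumented here. The body of newMFAAddCommand begins before this hunk.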
@@ -265,9 +269,7 @@ func (c *mfaAddCommand) run(cf *CLIConf) error {
 	switch c.devType {
 	case webauthnDeviceType:
 		// Ask the user?
-		// c.allowPasswordless=false at this point only means that the flag wasn't
-		// explicitly set.
-		if !c.allowPasswordless && wancli.IsFIDO2Available() {
+		if !c.allowPasswordlessSet && wancli.IsFIDO2Available() {
 			answer, err := prompt.PickOne(ctx, os.Stdout, prompt.Stdin(), "Allow passwordless logins", []string{"YES", "NO"})
 			if err != nil {
 				return trace.Wrap(err)
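Review bot: The two comment lines that explained the old condition were removed along with it, leaving only `// Ask the user?` above a condition whose meaning has changed; a replacement comment would keep the intent readable, e.g. `// Prompt only when the user gave neither --allow-passwordless nor --no-allow-passwordless; an explicit --no-allow-passwordless now skips the prompt and leaves allowPasswordless false.` It is also worth a word that when FIDO2 is unavailable the flag is never registered, so allowPasswordlessSet is always false there and the prompt is suppressed solely by the IsFIDO2Available check. How `answer` is consumed, and the rest of run, lie outside this hunk.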