Do not require user interaction in tsh status when using hardware keys
gzdunek committed Nov 8, 2024
1 parent b071b1a commit 7268b1c
Showing 1 changed file with 13 additions and 2 deletions.
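--- a/tool/tsh/common/tsh.go
+++ b/tool/tsh/common/tsh.go
@@ -4867,7 +4867,18 @@ func onStatus(cf *CLIConf) error {
 return trace.Wrap(err)
 }
 
-if err := printLoginInformation(cf, profile, profiles, cf.getAccessListsToReview(tc)); err != nil {
+// `tsh status` should run without requiring user interaction.
+// To achieve this, we avoid remote calls that might prompt for
+// hardware key touch or require a PIN.
+hardwareKeyInteractionRequired := tc.PrivateKeyPolicy.MFAVerified()
+
+var accessListsToReview []*accesslist.AccessList
+if hardwareKeyInteractionRequired {
+log.Debug("Skipping fetching access lists to review due to Hardware Key PIN/Touch requirement.")
+} else {
+accessListsToReview = cf.getAccessListsToReview(tc)
+}
+if err := printLoginInformation(cf, profile, profiles, accessListsToReview); err != nil {
 return trace.Wrap(err)
 }
 
@@ -4880,7 +4891,7 @@ func onStatus(cf *CLIConf) error {
 return trace.NotFound("Active profile expired.")
 }
 
-if tc.PrivateKeyPolicy.MFAVerified() {
+if hardwareKeyInteractionRequired {
 log.Debug("Skipping cluster alerts due to Hardware Key PIN/Touch requirement.")
 } else {
 if err := common.ShowClusterAlerts(cf.Context, tc, os.Stderr, nil,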
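Review bot: Both skip branches in onStatus report only through `log.Debug`, so under a hardware-key policy the default `tsh status` output cannot be told apart from "no access lists to review" and "no cluster alerts". In the first hunk `accessListsToReview` stays nil and is passed to `printLoginInformation`, which presumably prints nothing for it, so the users on the strictest key policy silently lose their review reminders. Consider one user-visible line on the skip path, for example `fmt.Fprintln(os.Stderr, "Access list reviews and cluster alerts were not checked: hardware key touch/PIN would be required.")` (assuming `fmt` is already imported in this file). A short comment at `hardwareKeyInteractionRequired` saying that it reflects the key policy rather than an actual pending prompt would also help. onStatus begins and ends outside both hunks, so whether another code path surfaces this information is not visible here.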