From 00ab2c756e4e6e5bb32b30e2b6284093d0c640b8 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Mon, 2 Jan 2023 16:13:12 +0000
Subject: [PATCH] Don't re-request a cached PIN for identities with PIN policy "once"
---
 src/key.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/key.rs b/src/key.rs
index 32636eb..925dbc9 100644
--- a/src/key.rs
+++ b/src/key.rs
@@ -592,13 +592,13 @@ impl Connection {
 metadata => metadata,
 };
 }
- if let Some(PinPolicy::Never) = self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
- return Ok(Ok(()));
+ match self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
+ Some(PinPolicy::Never) => return Ok(Ok(())),
+ Some(PinPolicy::Once) if self.yubikey.verify_pin(&[]).is_ok() => return Ok(Ok(())),
+ _ => (),
 }
 // The policy requires a PIN, so request it.
- // Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always
- // because this plugin is ephemeral, so we always request the PIN.
 let enter_pin_msg = fl!(
 "plugin-enter-pin",
 yubikey_serial = self.yubikey.serial().to_string(),
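Review bot: The `Some(PinPolicy::Once)` arm calls `self.yubikey.verify_pin(&[])` with no comment, and a reader can easily take it for an authentication attempt with an empty PIN. As far as I can tell an empty VERIFY only asks the token whether the PIN is already verified in the current session and does not consume a retry, but the hunk does not show that, so it should be confirmed against the yubikey crate and recorded above the arm, e.g. `// Empty PIN = status query only; any error falls through to the PIN prompt below.`. The `.is_ok()` guard discards the error, which fails closed here (a blocked PIN or a transport error leads to a prompt rather than a skip), and the comment should say that this is deliberate so a later refactor does not turn it into a skip. The enclosing function starts and ends outside the hunk.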