Don't re-request a cached PIN for identities with PIN policy "once"

Jack Grigg
2023-01-02 16:13:12 +00:00
parent 9418921dab
commit 00ab2c756e
+4 -4
@@ -592,13 +592,13 @@ impl Connection {
metadata => metadata,
};
}
if let Some(PinPolicy::Never) = self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
return Ok(Ok(()));
match self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
Some(PinPolicy::Never) => return Ok(Ok(())),
Some(PinPolicy::Once) if self.yubikey.verify_pin(&[]).is_ok() => return Ok(Ok(())),
_ => (),
}
// The policy requires a PIN, so request it.
// Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always
// because this plugin is ephemeral, so we always request the PIN.
let enter_pin_msg = fl!(
"plugin-enter-pin",
yubikey_serial = self.yubikey.serial().to_string(),