From c2bf77abf80ec15b37a01e0ec868207de6780679 Mon Sep 17 00:00:00 2001
From: Tim Ross
Date: Mon, 2 Dec 2024 15:19:23 -0500
Subject: [PATCH] Revert "Remove 2FA bypass (#47288)"
This reverts commit 1952dd8d24cc0582b897d19ad73327009293736b.
---
 constants.go | 4 ++++
 lib/auth/init.go | 10 ++++++----
 lib/modules/modules.go | 6 +++++-
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/constants.go b/constants.go
index af059bc1ffe54..803a58d44fbbd 100644
--- a/constants.go
+++ b/constants.go
@@ -410,6 +410,10 @@ const (
 // MinimumEtcdVersion is the minimum version of etcd supported by Teleport
 MinimumEtcdVersion = "3.3.0"
+
+ // EnvVarAllowNoSecondFactor is used to allow disabling second factor auth
+ // todo(tross): DELETE WHEN ABLE TO
+ EnvVarAllowNoSecondFactor = "TELEPORT_ALLOW_NO_SECOND_FACTOR"
 )
 const (
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 0b14c88dffb8a..10987111ba6e1 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -26,6 +26,7 @@ import (
 "errors"
 "fmt"
 "log/slog"
+ "os"
 "slices"
 "strings"
 "sync"
@@ -786,14 +787,15 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 }
 if !shouldReplace {
- if err := modules.ValidateResource(storedAuthPref); err != nil {
+ if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "true" {
+ err := modules.ValidateResource(storedAuthPref)
 if errors.Is(err, modules.ErrCannotDisableSecondFactor) {
 return trace.Wrap(err, secondFactorUpgradeInstructions)
 }
-
- return trace.Wrap(err)
+ if err != nil {
+ return trace.Wrap(err)
+ }
 }
-
 return nil
 }
diff --git a/lib/modules/modules.go b/lib/modules/modules.go
index 0812cf4ef06df..abc6b41fef043 100644
--- a/lib/modules/modules.go
+++ b/lib/modules/modules.go
@@ -25,6 +25,7 @@ import (
 "crypto"
 "errors"
 "fmt"
+ "os"
 "runtime"
 "sync"
 "time"
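Review bot: The restored bypass in initializeAuthPreference (lib/auth/init.go, second hunk) compares TELEPORT_ALLOW_NO_SECOND_FACTOR against `"true"`, while the check restored in ValidateResource (lib/modules/modules.go, second hunk) compares it against `"yes"`, so the two call sites disagree on which value enables the bypass: `yes` disables enforcement in both, `true` skips only this call site and the constants.go doc comment names neither value. Pick one literal and use it in both places, e.g. `if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" {` here, and state the accepted value in the EnvVarAllowNoSecondFactor comment. Because this variable silently switches off MFA enforcement for the stored auth preference, the branch that skips validation should leave a trace in the logs; log/slog is already imported in this file and ctx is in scope, so an else branch with `slog.WarnContext(ctx, "second factor enforcement disabled by environment variable", "env", teleport.EnvVarAllowNoSecondFactor)` would make the condition visible to operators. The body of initializeAuthPreference starts and ends outside the hunk.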
@@ -332,7 +333,10 @@ var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authe
 // ValidateResource performs additional resource checks.
 func ValidateResource(res types.Resource) error {
- if GetModules().Features().Cloud || !IsInsecureTestMode() {
+ // todo(tross): DELETE WHEN ABLE TO [remove env var, leave insecure test mode]
+ if GetModules().Features().Cloud ||
+ (os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" && !IsInsecureTestMode()) {
+
 switch r := res.(type) {
 case types.AuthPreference:
 if !r.IsSecondFactorEnforced() {