From 226fa542239ec010883f935915a1f8f927e19e57 Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Thu, 30 Jan 2025 13:56:21 -0700
Subject: [PATCH] Fix TELEPORT_ALLOW_NO_SECOND_FACTOR
Some parts of Teleport required this env var to be set to "true" while other parts required a value of "yes" - this made it impossible to pass all of the checks. Use ParseBool instead to be more generous in what values are allowed.
---
lib/auth/init.go | 3 ++-
lib/modules/modules.go | 5 +++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/auth/init.go b/lib/auth/init.go
index cca0c8a100a36..25ff99dffd4ad 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -28,6 +28,7 @@ import (
 "log/slog"
 "os"
 "slices"
+ "strconv"
 "strings"
 "sync"
 "time"
@@ -791,7 +792,7 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 }
 if !shouldReplace {
- if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "true" {
+ if allowNoSecondFactor, _ := strconv.ParseBool(os.Getenv(teleport.EnvVarAllowNoSecondFactor)); allowNoSecondFactor {
 err := modules.ValidateResource(storedAuthPref)
 if errors.Is(err, modules.ErrCannotDisableSecondFactor) {
 return trace.Wrap(err, secondFactorUpgradeInstructions)
diff --git a/lib/modules/modules.go b/lib/modules/modules.go
index abc6b41fef043..da15b036bd78c 100644
--- a/lib/modules/modules.go
+++ b/lib/modules/modules.go
@@ -27,6 +27,7 @@ import (
 "fmt"
 "os"
 "runtime"
+ "strconv"
 "sync"
 "time"
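Review bot: The new guard in `initializeAuthPreference` (lib/auth/init.go, hunk at -791) reads as inverted relative to the line it replaces: the old code called `modules.ValidateResource(storedAuthPref)` when the variable was not `"true"`, while the new `if ...; allowNoSecondFactor {` calls it only when the variable parses as true. As shown, a default deployment with the variable unset would skip the startup check that rejects a stored auth preference with second factor disabled, and when the variable is set the modules.go hunk makes `ValidateResource` skip that same check outside Cloud, so the check would effectively stop firing. The condition should be negated: `if allowNoSecondFactor, _ := strconv.ParseBool(os.Getenv(teleport.EnvVarAllowNoSecondFactor)); !allowNoSecondFactor {`. A test that initializes with the variable unset and a stored preference that has second factor off, and expects `ErrCannotDisableSecondFactor`, would pin the intended behaviour. The function starts and ends outside the hunk, so this is judged from the visible lines only.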
@@ -334,9 +335,9 @@ var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authe
 // ValidateResource performs additional resource checks.
 func ValidateResource(res types.Resource) error {
 // todo(tross): DELETE WHEN ABLE TO [remove env var, leave insecure test mode]
+ allowNoSecondFactor, _ := strconv.ParseBool(os.Getenv(teleport.EnvVarAllowNoSecondFactor))
 if GetModules().Features().Cloud ||
- (os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" && !IsInsecureTestMode()) {
-
+ (!allowNoSecondFactor && !IsInsecureTestMode()) {
 switch r := res.(type) {
 case types.AuthPreference:
 if !r.IsSecondFactorEnforced() {
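Review bot: `strconv.ParseBool` does not accept `"yes"`, the only value this branch of `ValidateResource` honoured before the change, and because the error is discarded such a value now silently reads as false. That fails toward enforcing second factor, which is the safe direction, but an operator who had set `yes` gets a behaviour change with no signal, and any typo in this security-relevant override is equally invisible. Consider keeping the error, `v := os.Getenv(teleport.EnvVarAllowNoSecondFactor); allowNoSecondFactor, err := strconv.ParseBool(v)`, and logging a warning when `err != nil && v != ""`. The same parse is repeated in lib/auth/init.go; one shared helper next to `IsInsecureTestMode` would keep the two call sites from drifting apart again. `ValidateResource` continues past the end of the hunk.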