From 3aa4de5e6f2b698abf063ddbea5008f5b732aa18 Mon Sep 17 00:00:00 2001

From: Ray Strode <rstrode@redhat.com>

Date: Fri, 9 Feb 2018 16:40:53 -0500

Subject: [PATCH 2/2] smartcard: handle a smartcard getting removed very

 shortly after login

Right now we depend on the smartcard used at login time to be inserted,

at least long enough to read some basic stats about it.  This

assumption, of course doesn't necessarly need to hold true.  A user

could remove the smartcard immediately after login and we would

misreport that the card wasn't used for login at all.

This commit addresses that edge case by creating a login_token

smartcard alias object that's around even if the login token isn't.

Once the login token does show up it gets synchronized with it, so

both object paths refer to the same underlying token.

---

 plugins/smartcard/gsd-smartcard-service.c | 82 +++++++++++++++++++++++

 1 file changed, 82 insertions(+)

diff --git a/plugins/smartcard/gsd-smartcard-service.c b/plugins/smartcard/gsd-smartcard-service.c

index 0710334b..6969ff34 100644

--- a/plugins/smartcard/gsd-smartcard-service.c

+++ b/plugins/smartcard/gsd-smartcard-service.c

@@ -11,60 +11,61 @@

  * WITHOUT ANY WARRANTY; without even the implied warranty of

  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

  * General Public License for more details.

  *

  * You should have received a copy of the GNU General Public License

  * along with this program; if not, see <http://www.gnu.org/licenses/>.

  *

  * Authors: Ray Strode

  */

 #include "config.h"

 #include "gsd-smartcard-service.h"

 #include "org.gnome.SettingsDaemon.Smartcard.h"

 #include "gsd-smartcard-manager.h"

 #include "gsd-smartcard-enum-types.h"

 #include "gsd-smartcard-utils.h"

 #include <glib/gi18n.h>

 #include <glib/gstdio.h>

 #include <gio/gio.h>

 struct _GsdSmartcardServicePrivate

 {

         GDBusConnection            *bus_connection;

         GDBusObjectManagerServer   *object_manager_server;

         GsdSmartcardManager        *smartcard_manager;

         GCancellable               *cancellable;

         GHashTable                 *tokens;

+        gboolean                    login_token_bound;

         guint name_id;

 };

 #define GSD_DBUS_NAME "org.gnome.SettingsDaemon"

 #define GSD_DBUS_PATH "/org/gnome/SettingsDaemon"

 #define GSD_DBUS_BASE_INTERFACE "org.gnome.SettingsDaemon"

 #define GSD_SMARTCARD_DBUS_NAME GSD_DBUS_NAME ".Smartcard"

 #define GSD_SMARTCARD_DBUS_PATH GSD_DBUS_PATH "/Smartcard"

 #define GSD_SMARTCARD_MANAGER_DBUS_PATH GSD_SMARTCARD_DBUS_PATH "/Manager"

 #define GSD_SMARTCARD_MANAGER_DRIVERS_DBUS_PATH GSD_SMARTCARD_MANAGER_DBUS_PATH "/Drivers"

 #define GSD_SMARTCARD_MANAGER_TOKENS_DBUS_PATH  GSD_SMARTCARD_MANAGER_DBUS_PATH "/Tokens"

 enum {

         PROP_0,

         PROP_MANAGER,

         PROP_BUS_CONNECTION

 };

 static void gsd_smartcard_service_set_property (GObject *object,

                                                 guint property_id,

                                                 const GValue *value,

                                                 GParamSpec *param_spec);

 static void gsd_smartcard_service_get_property (GObject *object,

                                                 guint property_id,

                                                 GValue *value,

                                                 GParamSpec *param_spec);

 static void async_initable_interface_init (GAsyncInitableIface *interface);

 static void smartcard_service_manager_interface_init (GsdSmartcardServiceManagerIface *interface);

@@ -83,91 +84,139 @@ set_bus_connection (GsdSmartcardService  *self,

                     GDBusConnection      *connection)

 {

         GsdSmartcardServicePrivate *priv = self->priv;

         if (priv->bus_connection != connection) {

                 g_clear_object (&priv->bus_connection);

                 priv->bus_connection = g_object_ref (connection);

                 g_object_notify (G_OBJECT (self), "bus-connection");

         }

 }

 static void

 register_object_manager (GsdSmartcardService *self)

 {

         GsdSmartcardServiceObjectSkeleton *object;

         self->priv->object_manager_server = g_dbus_object_manager_server_new (GSD_SMARTCARD_DBUS_PATH);

         object = gsd_smartcard_service_object_skeleton_new (GSD_SMARTCARD_MANAGER_DBUS_PATH);

         gsd_smartcard_service_object_skeleton_set_manager (object,

                                                            GSD_SMARTCARD_SERVICE_MANAGER (self));

         g_dbus_object_manager_server_export (self->priv->object_manager_server,

                                              G_DBUS_OBJECT_SKELETON (object));

         g_object_unref (object);

         g_dbus_object_manager_server_set_connection (self->priv->object_manager_server,

                                                      self->priv->bus_connection);

 }

+static const char *

+get_login_token_object_path (GsdSmartcardService *self)

+{

+        return GSD_SMARTCARD_MANAGER_TOKENS_DBUS_PATH "/login_token";

+}

+

+static void

+register_login_token_alias (GsdSmartcardService *self)

+{

+        GsdSmartcardServicePrivate *priv;

+        GDBusObjectSkeleton *object;

+        GDBusInterfaceSkeleton *interface;

+        const char *object_path;

+        const char *token_name;

+

+        token_name = g_getenv ("PKCS11_LOGIN_TOKEN_NAME");

+

+        if (token_name == NULL)

+                return;

+

+        priv = self->priv;

+

+        object_path = get_login_token_object_path (self);

+        object = G_DBUS_OBJECT_SKELETON (gsd_smartcard_service_object_skeleton_new (object_path));

+        interface = G_DBUS_INTERFACE_SKELETON (gsd_smartcard_service_token_skeleton_new ());

+

+        g_dbus_object_skeleton_add_interface (object, interface);

+        g_object_unref (interface);

+

+        g_object_set (G_OBJECT (interface),

+                      "name", token_name,

+                      "used-to-login", TRUE,

+                      "is-inserted", FALSE,

+                      NULL);

+

+        g_dbus_object_manager_server_export (self->priv->object_manager_server,

+                                             object);

+

+        G_LOCK (gsd_smartcard_tokens);

+        g_hash_table_insert (priv->tokens, g_strdup (object_path), interface);

+        G_UNLOCK (gsd_smartcard_tokens);

+}

+

 static void

 on_bus_gotten (GObject      *source_object,

                GAsyncResult *result,

                GTask        *task)

 {

         GsdSmartcardService *self;

         GsdSmartcardServicePrivate *priv;

         GDBusConnection *connection;

         GError *error = NULL;

         connection = g_bus_get_finish (result, &error);

         if (connection == NULL) {

                 g_task_return_error (task, error);

                 goto out;

         }

         g_debug ("taking name %s on session bus", GSD_SMARTCARD_DBUS_NAME);

         self = g_task_get_source_object (task);

         priv = self->priv;

         set_bus_connection (self, connection);

         register_object_manager (self);

         priv->name_id = g_bus_own_name_on_connection (connection,

                                                       GSD_SMARTCARD_DBUS_NAME,

                                                       G_BUS_NAME_OWNER_FLAGS_NONE,

                                                       NULL,

                                                       NULL,

                                                       NULL,

                                                       NULL);

+

+        /* In case the login token is removed at start up, register an

+         * an alias interface that's always around

+         */

+        register_login_token_alias (self);

         g_task_return_boolean (task, TRUE);

 out:

         g_object_unref (task);

         return;

 }

 static gboolean

 gsd_smartcard_service_initable_init_finish (GAsyncInitable  *initable,

                                             GAsyncResult    *result,

                                             GError         **error)

 {

         GTask *task;

         task = G_TASK (result);

         return g_task_propagate_boolean (task, error);

 }

 static void

 gsd_smartcard_service_initable_init_async (GAsyncInitable      *initable,

                                            int                  io_priority,

                                            GCancellable        *cancellable,

                                            GAsyncReadyCallback  callback,

                                            gpointer             user_data)

 {

         GsdSmartcardService *self = GSD_SMARTCARD_SERVICE (initable);

         GTask *task;

         task = g_task_new (G_OBJECT (self), cancellable, callback, user_data);

@@ -191,60 +240,75 @@ get_object_path_for_token (GsdSmartcardService *self,

         char *escaped_library_path;

         SECMODModule *driver;

         CK_SLOT_ID slot_id;

         driver = PK11_GetModule (card_slot);

         slot_id = PK11_GetSlotID (card_slot);

         escaped_library_path = gsd_smartcard_utils_escape_object_path (driver->dllName);

         object_path = g_strdup_printf ("%s/token_from_%s_slot_%lu",

                                        GSD_SMARTCARD_MANAGER_TOKENS_DBUS_PATH,

                                        escaped_library_path,

                                        (gulong) slot_id);

         g_free (escaped_library_path);

         return object_path;

 }

 static gboolean

 gsd_smartcard_service_handle_get_login_token (GsdSmartcardServiceManager *manager,

                                               GDBusMethodInvocation      *invocation)

 {

         GsdSmartcardService *self = GSD_SMARTCARD_SERVICE (manager);

         GsdSmartcardServicePrivate *priv = self->priv;

         PK11SlotInfo *card_slot;

         char *object_path;

         card_slot = gsd_smartcard_manager_get_login_token (priv->smartcard_manager);

         if (card_slot == NULL) {

+                const char *login_token_object_path;

+

+                /* If we know there's a login token but it was removed before the

+                 * smartcard manager could examine it, just return the generic login

+                 * token object path

+                 */

+                login_token_object_path = get_login_token_object_path (self);

+

+                if (g_hash_table_contains (priv->tokens, login_token_object_path)) {

+                        gsd_smartcard_service_manager_complete_get_login_token (manager,

+                                                                                invocation,

+                                                                                login_token_object_path);

+                        return TRUE;

+                }

+

                 g_dbus_method_invocation_return_error (invocation,

                                                        GSD_SMARTCARD_MANAGER_ERROR,

                                                        GSD_SMARTCARD_MANAGER_ERROR_FINDING_SMARTCARD,

                                                        _("User was not logged in with smartcard."));

                 return TRUE;

         }

         object_path = get_object_path_for_token (self, card_slot);

         gsd_smartcard_service_manager_complete_get_login_token (manager,

                                                                 invocation,

                                                                 object_path);

         g_free (object_path);

         return TRUE;

 }

 static gboolean

 gsd_smartcard_service_handle_get_inserted_tokens (GsdSmartcardServiceManager *manager,

                                                   GDBusMethodInvocation      *invocation)

 {

         GsdSmartcardService *self = GSD_SMARTCARD_SERVICE (manager);

         GsdSmartcardServicePrivate *priv = self->priv;

         GList *inserted_tokens, *node;

         GPtrArray *object_paths;

         inserted_tokens = gsd_smartcard_manager_get_inserted_tokens (priv->smartcard_manager,

                                                                      NULL);

         object_paths = g_ptr_array_new ();

@@ -498,60 +562,78 @@ synchronize_token_now (GsdSmartcardService *self,

                 is_login_card = TRUE;

         else

                 is_login_card = FALSE;

         g_debug ("===============================");

         g_debug (" Token '%s'", token_name);

         g_debug (" Inserted: %s", is_present? "yes" : "no");

         g_debug (" Previously used to login: %s", is_login_card? "yes" : "no");

         g_debug ("===============================\n");

         if (!is_present && is_login_card) {

                 gboolean was_present;

                 g_object_get (G_OBJECT (interface),

                               "is-inserted", &was_present,

                               NULL);

                 if (was_present)

                         gsd_smartcard_manager_do_remove_action (priv->smartcard_manager);

         }

         g_object_set (G_OBJECT (interface),

                       "used-to-login", is_login_card,

                       "is-inserted", is_present,

                       NULL);

         g_object_get (G_OBJECT (interface),

                       "used-to-login", &is_login_card,

                       "is-inserted", &is_present,

                       NULL);

+        if (is_login_card && !priv->login_token_bound) {

+                const char *login_token_path;

+                GDBusInterfaceSkeleton *login_token_interface;

+

+                login_token_path = get_login_token_object_path (self);

+                login_token_interface = g_hash_table_lookup (priv->tokens, login_token_path);

+

+                if (login_token_interface != NULL) {

+                        g_object_bind_property (interface, "driver",

+                                                login_token_interface, "driver",

+                                                G_BINDING_SYNC_CREATE);

+                        g_object_bind_property (interface, "is-inserted",

+                                                login_token_interface, "is-inserted",

+                                                G_BINDING_SYNC_CREATE);

+                        priv->login_token_bound = TRUE;

+                }

+        }

+

 out:

         G_UNLOCK (gsd_smartcard_tokens);

 }

 typedef struct

 {

         PK11SlotInfo *card_slot;

         char         *object_path;

         GSource      *main_thread_source;

 } RegisterNewTokenOperation;

 static void

 destroy_register_new_token_operation (RegisterNewTokenOperation *operation)

 {

         g_clear_pointer (&operation->main_thread_source,

                          (GDestroyNotify) g_source_destroy);

         PK11_FreeSlot (operation->card_slot);

         g_free (operation->object_path);

         g_free (operation);

 }

 static gboolean

 on_main_thread_to_register_new_token (GTask *task)

 {

         GsdSmartcardService *self;

         GsdSmartcardServicePrivate *priv;

         GDBusObjectSkeleton *object;

         GDBusInterfaceSkeleton *interface;

         RegisterNewTokenOperation *operation;

         SECMODModule *driver;

-- 

2.17.0