|
|
580c05 |
From d1aaebbb268df2f53f909028d9ae83c1849db103 Mon Sep 17 00:00:00 2001
|
|
|
580c05 |
From: Ray Strode <rstrode@redhat.com>
|
|
|
580c05 |
Date: Mon, 28 Sep 2015 10:57:02 -0400
|
|
|
580c05 |
Subject: [PATCH 1/3] smartcardManager: add way to detect if user logged using
|
|
|
580c05 |
(any) token
|
|
|
580c05 |
|
|
|
580c05 |
If a user uses a token at login time, we need to make sure they continue
|
|
|
580c05 |
to use the token at unlock time.
|
|
|
580c05 |
|
|
|
580c05 |
As a prerequisite for addressing that problem we need to know up front
|
|
|
580c05 |
if a user logged in with a token at all.
|
|
|
580c05 |
|
|
|
580c05 |
This commit adds the necessary api to detect that case.
|
|
|
580c05 |
---
|
|
|
580c05 |
js/misc/smartcardManager.js | 7 +++++++
|
|
|
580c05 |
1 file changed, 7 insertions(+)
|
|
|
580c05 |
|
|
|
580c05 |
diff --git a/js/misc/smartcardManager.js b/js/misc/smartcardManager.js
|
|
|
580c05 |
index 674efc9..bfe8a26 100644
|
|
|
580c05 |
--- a/js/misc/smartcardManager.js
|
|
|
580c05 |
+++ b/js/misc/smartcardManager.js
|
|
|
580c05 |
@@ -86,34 +86,41 @@ const SmartcardManager = new Lang.Class({
|
|
|
580c05 |
if (token.IsInserted)
|
|
|
580c05 |
this.emit('smartcard-inserted', token);
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_removeToken: function(token) {
|
|
|
580c05 |
let objectPath = token.get_object_path();
|
|
|
580c05 |
|
|
|
580c05 |
if (this._insertedTokens[objectPath] == token) {
|
|
|
580c05 |
delete this._insertedTokens[objectPath];
|
|
|
580c05 |
this.emit('smartcard-removed', token);
|
|
|
580c05 |
}
|
|
|
580c05 |
|
|
|
580c05 |
if (this._loginToken == token)
|
|
|
580c05 |
this._loginToken = null;
|
|
|
580c05 |
|
|
|
580c05 |
token.disconnectAll();
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
hasInsertedTokens: function() {
|
|
|
580c05 |
return Object.keys(this._insertedTokens).length > 0;
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
hasInsertedLoginToken: function() {
|
|
|
580c05 |
if (!this._loginToken)
|
|
|
580c05 |
return false;
|
|
|
580c05 |
|
|
|
580c05 |
if (!this._loginToken.IsInserted)
|
|
|
580c05 |
return false;
|
|
|
580c05 |
|
|
|
580c05 |
return true;
|
|
|
580c05 |
+ },
|
|
|
580c05 |
+
|
|
|
580c05 |
+ loggedInWithToken: function() {
|
|
|
580c05 |
+ if (this._loginToken)
|
|
|
580c05 |
+ return true;
|
|
|
580c05 |
+
|
|
|
580c05 |
+ return false;
|
|
|
580c05 |
}
|
|
|
580c05 |
|
|
|
580c05 |
});
|
|
|
580c05 |
Signals.addSignalMethods(SmartcardManager.prototype);
|
|
|
580c05 |
--
|
|
|
580c05 |
2.5.0
|
|
|
580c05 |
|
|
|
580c05 |
|
|
|
580c05 |
From 090c0f85b01e95d953b287f21d8aa33335a014c1 Mon Sep 17 00:00:00 2001
|
|
|
580c05 |
From: Ray Strode <rstrode@redhat.com>
|
|
|
580c05 |
Date: Mon, 28 Sep 2015 19:56:53 -0400
|
|
|
580c05 |
Subject: [PATCH 2/3] gdm: only unlock with smartcard, if smartcard used for
|
|
|
580c05 |
login
|
|
|
580c05 |
|
|
|
580c05 |
If a smartcard is used for login, we need to make sure the smartcard
|
|
|
580c05 |
gets used for unlock, too.
|
|
|
580c05 |
---
|
|
|
580c05 |
js/gdm/util.js | 7 +++++--
|
|
|
580c05 |
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
580c05 |
|
|
|
580c05 |
diff --git a/js/gdm/util.js b/js/gdm/util.js
|
|
|
580c05 |
index dd04544..776b76d 100644
|
|
|
580c05 |
--- a/js/gdm/util.js
|
|
|
580c05 |
+++ b/js/gdm/util.js
|
|
|
580c05 |
@@ -104,71 +104,72 @@ function cloneAndFadeOutActor(actor) {
|
|
|
580c05 |
Main.uiGroup.add_child(clone);
|
|
|
580c05 |
|
|
|
580c05 |
let [x, y] = actor.get_transformed_position();
|
|
|
580c05 |
clone.set_position(x, y);
|
|
|
580c05 |
|
|
|
580c05 |
let hold = new Batch.Hold();
|
|
|
580c05 |
Tweener.addTween(clone,
|
|
|
580c05 |
{ opacity: 0,
|
|
|
580c05 |
time: CLONE_FADE_ANIMATION_TIME,
|
|
|
580c05 |
transition: 'easeOutQuad',
|
|
|
580c05 |
onComplete: function() {
|
|
|
580c05 |
clone.destroy();
|
|
|
580c05 |
hold.release();
|
|
|
580c05 |
}
|
|
|
580c05 |
});
|
|
|
580c05 |
return hold;
|
|
|
580c05 |
}
|
|
|
580c05 |
|
|
|
580c05 |
const ShellUserVerifier = new Lang.Class({
|
|
|
580c05 |
Name: 'ShellUserVerifier',
|
|
|
580c05 |
|
|
|
580c05 |
_init: function(client, params) {
|
|
|
580c05 |
params = Params.parse(params, { reauthenticationOnly: false });
|
|
|
580c05 |
this._reauthOnly = params.reauthenticationOnly;
|
|
|
580c05 |
|
|
|
580c05 |
this._client = client;
|
|
|
580c05 |
|
|
|
580c05 |
this._settings = new Gio.Settings({ schema_id: LOGIN_SCREEN_SCHEMA });
|
|
|
580c05 |
this._settings.connect('changed',
|
|
|
580c05 |
Lang.bind(this, this._updateDefaultService));
|
|
|
580c05 |
- this._updateDefaultService();
|
|
|
580c05 |
|
|
|
580c05 |
this._fprintManager = new Fprint.FprintManager();
|
|
|
580c05 |
this._smartcardManager = SmartcardManager.getSmartcardManager();
|
|
|
580c05 |
|
|
|
580c05 |
// We check for smartcards right away, since an inserted smartcard
|
|
|
580c05 |
// at startup should result in immediately initiating authentication.
|
|
|
580c05 |
// This is different than fingeprint readers, where we only check them
|
|
|
580c05 |
// after a user has been picked.
|
|
|
580c05 |
this._checkForSmartcard();
|
|
|
580c05 |
|
|
|
580c05 |
+ this._updateDefaultService();
|
|
|
580c05 |
+
|
|
|
580c05 |
this._smartcardInsertedId = this._smartcardManager.connect('smartcard-inserted',
|
|
|
580c05 |
Lang.bind(this, this._checkForSmartcard));
|
|
|
580c05 |
this._smartcardRemovedId = this._smartcardManager.connect('smartcard-removed',
|
|
|
580c05 |
Lang.bind(this, this._checkForSmartcard));
|
|
|
580c05 |
|
|
|
580c05 |
this._messageQueue = [];
|
|
|
580c05 |
this._messageQueueTimeoutId = 0;
|
|
|
580c05 |
this.hasPendingMessages = false;
|
|
|
580c05 |
this.reauthenticating = false;
|
|
|
580c05 |
|
|
|
580c05 |
this._failCounter = 0;
|
|
|
580c05 |
|
|
|
580c05 |
this._oVirtCredentialsManager = OVirt.getOVirtCredentialsManager();
|
|
|
580c05 |
|
|
|
580c05 |
if (this._oVirtCredentialsManager.hasToken())
|
|
|
580c05 |
this._oVirtUserAuthenticated(this._oVirtCredentialsManager.getToken());
|
|
|
580c05 |
|
|
|
580c05 |
this._oVirtUserAuthenticatedId = this._oVirtCredentialsManager.connect('user-authenticated',
|
|
|
580c05 |
Lang.bind(this, this._oVirtUserAuthenticated));
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
begin: function(userName, hold) {
|
|
|
580c05 |
this._cancellable = new Gio.Cancellable();
|
|
|
580c05 |
this._hold = hold;
|
|
|
580c05 |
this._userName = userName;
|
|
|
580c05 |
this.reauthenticating = false;
|
|
|
580c05 |
|
|
|
580c05 |
this._checkForFingerprintReader();
|
|
|
580c05 |
|
|
|
580c05 |
if (userName) {
|
|
|
580c05 |
@@ -381,61 +382,63 @@ const ShellUserVerifier = new Lang.Class({
|
|
|
580c05 |
this._beginVerification();
|
|
|
580c05 |
this._hold.release();
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_connectSignals: function() {
|
|
|
580c05 |
this._userVerifier.connect('info', Lang.bind(this, this._onInfo));
|
|
|
580c05 |
this._userVerifier.connect('problem', Lang.bind(this, this._onProblem));
|
|
|
580c05 |
this._userVerifier.connect('info-query', Lang.bind(this, this._onInfoQuery));
|
|
|
580c05 |
this._userVerifier.connect('secret-info-query', Lang.bind(this, this._onSecretInfoQuery));
|
|
|
580c05 |
this._userVerifier.connect('conversation-stopped', Lang.bind(this, this._onConversationStopped));
|
|
|
580c05 |
this._userVerifier.connect('reset', Lang.bind(this, this._onReset));
|
|
|
580c05 |
this._userVerifier.connect('verification-complete', Lang.bind(this, this._onVerificationComplete));
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_getForegroundService: function() {
|
|
|
580c05 |
if (this._preemptingService)
|
|
|
580c05 |
return this._preemptingService;
|
|
|
580c05 |
|
|
|
580c05 |
return this._defaultService;
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
serviceIsForeground: function(serviceName) {
|
|
|
580c05 |
return serviceName == this._getForegroundService();
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
serviceIsDefault: function(serviceName) {
|
|
|
580c05 |
return serviceName == this._defaultService;
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_updateDefaultService: function() {
|
|
|
580c05 |
- if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
|
|
|
580c05 |
+ if (this._smartcardManager.loggedInWithToken())
|
|
|
580c05 |
+ this._defaultService = SMARTCARD_SERVICE_NAME;
|
|
|
580c05 |
+ else if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
|
|
|
580c05 |
this._defaultService = PASSWORD_SERVICE_NAME;
|
|
|
580c05 |
else if (this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY))
|
|
|
580c05 |
this._defaultService = SMARTCARD_SERVICE_NAME;
|
|
|
580c05 |
else if (this._haveFingerprintReader)
|
|
|
580c05 |
this._defaultService = FINGERPRINT_SERVICE_NAME;
|
|
|
580c05 |
|
|
|
580c05 |
if (!this._defaultService) {
|
|
|
580c05 |
log("no authentication service is enabled, using password authentication");
|
|
|
580c05 |
this._defaultService = PASSWORD_SERVICE_NAME;
|
|
|
580c05 |
}
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_startService: function(serviceName) {
|
|
|
580c05 |
this._hold.acquire();
|
|
|
580c05 |
if (this._userName) {
|
|
|
580c05 |
this._userVerifier.call_begin_verification_for_user(serviceName,
|
|
|
580c05 |
this._userName,
|
|
|
580c05 |
this._cancellable,
|
|
|
580c05 |
Lang.bind(this, function(obj, result) {
|
|
|
580c05 |
try {
|
|
|
580c05 |
obj.call_begin_verification_for_user_finish(result);
|
|
|
580c05 |
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
|
580c05 |
return;
|
|
|
580c05 |
} catch(e) {
|
|
|
580c05 |
this._reportInitError('Failed to start verification for user', e);
|
|
|
580c05 |
return;
|
|
|
580c05 |
}
|
|
|
580c05 |
|
|
|
580c05 |
this._hold.release();
|
|
|
580c05 |
}));
|
|
|
580c05 |
--
|
|
|
580c05 |
2.5.0
|
|
|
580c05 |
|
|
|
580c05 |
|
|
|
580c05 |
From cc8f8795d9a4bdf4b7893b07bb1a1a5585443ef7 Mon Sep 17 00:00:00 2001
|
|
|
580c05 |
From: Ray Strode <rstrode@redhat.com>
|
|
|
580c05 |
Date: Mon, 28 Sep 2015 19:57:36 -0400
|
|
|
580c05 |
Subject: [PATCH 3/3] gdm: update default service when smartcard inserted
|
|
|
580c05 |
|
|
|
580c05 |
Early on at start up we may not know if a smartcard is
|
|
|
580c05 |
available. Make sure we reupdate the default service
|
|
|
580c05 |
after we get a smartcard insertion event.
|
|
|
580c05 |
---
|
|
|
580c05 |
js/gdm/util.js | 2 ++
|
|
|
580c05 |
1 file changed, 2 insertions(+)
|
|
|
580c05 |
|
|
|
580c05 |
diff --git a/js/gdm/util.js b/js/gdm/util.js
|
|
|
580c05 |
index 776b76d..8723d59 100644
|
|
|
580c05 |
--- a/js/gdm/util.js
|
|
|
580c05 |
+++ b/js/gdm/util.js
|
|
|
580c05 |
@@ -304,60 +304,62 @@ const ShellUserVerifier = new Lang.Class({
|
|
|
580c05 |
if (!error && device) {
|
|
|
580c05 |
this._haveFingerprintReader = true;
|
|
|
580c05 |
this._updateDefaultService();
|
|
|
580c05 |
}
|
|
|
580c05 |
}));
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_oVirtUserAuthenticated: function(token) {
|
|
|
580c05 |
this._preemptingService = OVIRT_SERVICE_NAME;
|
|
|
580c05 |
this.emit('ovirt-user-authenticated');
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_checkForSmartcard: function() {
|
|
|
580c05 |
let smartcardDetected;
|
|
|
580c05 |
|
|
|
580c05 |
if (!this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY))
|
|
|
580c05 |
smartcardDetected = false;
|
|
|
580c05 |
else if (this._reauthOnly)
|
|
|
580c05 |
smartcardDetected = this._smartcardManager.hasInsertedLoginToken();
|
|
|
580c05 |
else
|
|
|
580c05 |
smartcardDetected = this._smartcardManager.hasInsertedTokens();
|
|
|
580c05 |
|
|
|
580c05 |
if (smartcardDetected != this.smartcardDetected) {
|
|
|
580c05 |
this.smartcardDetected = smartcardDetected;
|
|
|
580c05 |
|
|
|
580c05 |
if (this.smartcardDetected)
|
|
|
580c05 |
this._preemptingService = SMARTCARD_SERVICE_NAME;
|
|
|
580c05 |
else if (this._preemptingService == SMARTCARD_SERVICE_NAME)
|
|
|
580c05 |
this._preemptingService = null;
|
|
|
580c05 |
|
|
|
580c05 |
+ this._updateDefaultService();
|
|
|
580c05 |
+
|
|
|
580c05 |
this.emit('smartcard-status-changed');
|
|
|
580c05 |
}
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_reportInitError: function(where, error) {
|
|
|
580c05 |
logError(error, where);
|
|
|
580c05 |
this._hold.release();
|
|
|
580c05 |
|
|
|
580c05 |
this._queueMessage(_("Authentication error"), MessageType.ERROR);
|
|
|
580c05 |
this._verificationFailed(false);
|
|
|
580c05 |
},
|
|
|
580c05 |
|
|
|
580c05 |
_reauthenticationChannelOpened: function(client, result) {
|
|
|
580c05 |
try {
|
|
|
580c05 |
this._clearUserVerifier();
|
|
|
580c05 |
this._userVerifier = client.open_reauthentication_channel_finish(result);
|
|
|
580c05 |
} catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) {
|
|
|
580c05 |
return;
|
|
|
580c05 |
} catch(e if e.matches(Gio.DBusError, Gio.DBusError.ACCESS_DENIED) &&
|
|
|
580c05 |
!this._reauthOnly) {
|
|
|
580c05 |
// Gdm emits org.freedesktop.DBus.Error.AccessDenied when there is
|
|
|
580c05 |
// no session to reauthenticate. Fall back to performing verification
|
|
|
580c05 |
// from this login session
|
|
|
580c05 |
client.get_user_verifier(this._cancellable, Lang.bind(this, this._userVerifierGot));
|
|
|
580c05 |
return;
|
|
|
580c05 |
} catch(e) {
|
|
|
580c05 |
this._reportInitError('Failed to open reauthentication channel', e);
|
|
|
580c05 |
return;
|
|
|
580c05 |
}
|
|
|
580c05 |
|
|
|
580c05 |
--
|
|
|
580c05 |
2.5.0
|
|
|
580c05 |
|