From d1aaebbb268df2f53f909028d9ae83c1849db103 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Mon, 28 Sep 2015 10:57:02 -0400 Subject: [PATCH 1/3] smartcardManager: add way to detect if user logged using (any) token If a user uses a token at login time, we need to make sure they continue to use the token at unlock time. As a prerequisite for addressing that problem we need to know up front if a user logged in with a token at all. This commit adds the necessary api to detect that case. --- js/misc/smartcardManager.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/js/misc/smartcardManager.js b/js/misc/smartcardManager.js index 674efc9..bfe8a26 100644 --- a/js/misc/smartcardManager.js +++ b/js/misc/smartcardManager.js @@ -86,34 +86,41 @@ const SmartcardManager = new Lang.Class({ if (token.IsInserted) this.emit('smartcard-inserted', token); }, _removeToken: function(token) { let objectPath = token.get_object_path(); if (this._insertedTokens[objectPath] == token) { delete this._insertedTokens[objectPath]; this.emit('smartcard-removed', token); } if (this._loginToken == token) this._loginToken = null; token.disconnectAll(); }, hasInsertedTokens: function() { return Object.keys(this._insertedTokens).length > 0; }, hasInsertedLoginToken: function() { if (!this._loginToken) return false; if (!this._loginToken.IsInserted) return false; return true; + }, + + loggedInWithToken: function() { + if (this._loginToken) + return true; + + return false; } }); Signals.addSignalMethods(SmartcardManager.prototype); -- 2.5.0 From 090c0f85b01e95d953b287f21d8aa33335a014c1 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Mon, 28 Sep 2015 19:56:53 -0400 Subject: [PATCH 2/3] gdm: only unlock with smartcard, if smartcard used for login If a smartcard is used for login, we need to make sure the smartcard gets used for unlock, too. --- js/gdm/util.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/js/gdm/util.js b/js/gdm/util.js index dd04544..776b76d 100644 --- a/js/gdm/util.js +++ b/js/gdm/util.js @@ -104,71 +104,72 @@ function cloneAndFadeOutActor(actor) { Main.uiGroup.add_child(clone); let [x, y] = actor.get_transformed_position(); clone.set_position(x, y); let hold = new Batch.Hold(); Tweener.addTween(clone, { opacity: 0, time: CLONE_FADE_ANIMATION_TIME, transition: 'easeOutQuad', onComplete: function() { clone.destroy(); hold.release(); } }); return hold; } const ShellUserVerifier = new Lang.Class({ Name: 'ShellUserVerifier', _init: function(client, params) { params = Params.parse(params, { reauthenticationOnly: false }); this._reauthOnly = params.reauthenticationOnly; this._client = client; this._settings = new Gio.Settings({ schema_id: LOGIN_SCREEN_SCHEMA }); this._settings.connect('changed', Lang.bind(this, this._updateDefaultService)); - this._updateDefaultService(); this._fprintManager = new Fprint.FprintManager(); this._smartcardManager = SmartcardManager.getSmartcardManager(); // We check for smartcards right away, since an inserted smartcard // at startup should result in immediately initiating authentication. // This is different than fingeprint readers, where we only check them // after a user has been picked. this._checkForSmartcard(); + this._updateDefaultService(); + this._smartcardInsertedId = this._smartcardManager.connect('smartcard-inserted', Lang.bind(this, this._checkForSmartcard)); this._smartcardRemovedId = this._smartcardManager.connect('smartcard-removed', Lang.bind(this, this._checkForSmartcard)); this._messageQueue = []; this._messageQueueTimeoutId = 0; this.hasPendingMessages = false; this.reauthenticating = false; this._failCounter = 0; this._oVirtCredentialsManager = OVirt.getOVirtCredentialsManager(); if (this._oVirtCredentialsManager.hasToken()) this._oVirtUserAuthenticated(this._oVirtCredentialsManager.getToken()); this._oVirtUserAuthenticatedId = this._oVirtCredentialsManager.connect('user-authenticated', Lang.bind(this, this._oVirtUserAuthenticated)); }, begin: function(userName, hold) { this._cancellable = new Gio.Cancellable(); this._hold = hold; this._userName = userName; this.reauthenticating = false; this._checkForFingerprintReader(); if (userName) { @@ -381,61 +382,63 @@ const ShellUserVerifier = new Lang.Class({ this._beginVerification(); this._hold.release(); }, _connectSignals: function() { this._userVerifier.connect('info', Lang.bind(this, this._onInfo)); this._userVerifier.connect('problem', Lang.bind(this, this._onProblem)); this._userVerifier.connect('info-query', Lang.bind(this, this._onInfoQuery)); this._userVerifier.connect('secret-info-query', Lang.bind(this, this._onSecretInfoQuery)); this._userVerifier.connect('conversation-stopped', Lang.bind(this, this._onConversationStopped)); this._userVerifier.connect('reset', Lang.bind(this, this._onReset)); this._userVerifier.connect('verification-complete', Lang.bind(this, this._onVerificationComplete)); }, _getForegroundService: function() { if (this._preemptingService) return this._preemptingService; return this._defaultService; }, serviceIsForeground: function(serviceName) { return serviceName == this._getForegroundService(); }, serviceIsDefault: function(serviceName) { return serviceName == this._defaultService; }, _updateDefaultService: function() { - if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY)) + if (this._smartcardManager.loggedInWithToken()) + this._defaultService = SMARTCARD_SERVICE_NAME; + else if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY)) this._defaultService = PASSWORD_SERVICE_NAME; else if (this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY)) this._defaultService = SMARTCARD_SERVICE_NAME; else if (this._haveFingerprintReader) this._defaultService = FINGERPRINT_SERVICE_NAME; if (!this._defaultService) { log("no authentication service is enabled, using password authentication"); this._defaultService = PASSWORD_SERVICE_NAME; } }, _startService: function(serviceName) { this._hold.acquire(); if (this._userName) { this._userVerifier.call_begin_verification_for_user(serviceName, this._userName, this._cancellable, Lang.bind(this, function(obj, result) { try { obj.call_begin_verification_for_user_finish(result); } catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) { return; } catch(e) { this._reportInitError('Failed to start verification for user', e); return; } this._hold.release(); })); -- 2.5.0 From cc8f8795d9a4bdf4b7893b07bb1a1a5585443ef7 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Mon, 28 Sep 2015 19:57:36 -0400 Subject: [PATCH 3/3] gdm: update default service when smartcard inserted Early on at start up we may not know if a smartcard is available. Make sure we reupdate the default service after we get a smartcard insertion event. --- js/gdm/util.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/js/gdm/util.js b/js/gdm/util.js index 776b76d..8723d59 100644 --- a/js/gdm/util.js +++ b/js/gdm/util.js @@ -304,60 +304,62 @@ const ShellUserVerifier = new Lang.Class({ if (!error && device) { this._haveFingerprintReader = true; this._updateDefaultService(); } })); }, _oVirtUserAuthenticated: function(token) { this._preemptingService = OVIRT_SERVICE_NAME; this.emit('ovirt-user-authenticated'); }, _checkForSmartcard: function() { let smartcardDetected; if (!this._settings.get_boolean(SMARTCARD_AUTHENTICATION_KEY)) smartcardDetected = false; else if (this._reauthOnly) smartcardDetected = this._smartcardManager.hasInsertedLoginToken(); else smartcardDetected = this._smartcardManager.hasInsertedTokens(); if (smartcardDetected != this.smartcardDetected) { this.smartcardDetected = smartcardDetected; if (this.smartcardDetected) this._preemptingService = SMARTCARD_SERVICE_NAME; else if (this._preemptingService == SMARTCARD_SERVICE_NAME) this._preemptingService = null; + this._updateDefaultService(); + this.emit('smartcard-status-changed'); } }, _reportInitError: function(where, error) { logError(error, where); this._hold.release(); this._queueMessage(_("Authentication error"), MessageType.ERROR); this._verificationFailed(false); }, _reauthenticationChannelOpened: function(client, result) { try { this._clearUserVerifier(); this._userVerifier = client.open_reauthentication_channel_finish(result); } catch(e if e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.CANCELLED)) { return; } catch(e if e.matches(Gio.DBusError, Gio.DBusError.ACCESS_DENIED) && !this._reauthOnly) { // Gdm emits org.freedesktop.DBus.Error.AccessDenied when there is // no session to reauthenticate. Fall back to performing verification // from this login session client.get_user_verifier(this._cancellable, Lang.bind(this, this._userVerifierGot)); return; } catch(e) { this._reportInitError('Failed to open reauthentication channel', e); return; } -- 2.5.0