gnome-shell/enforce-smartcard-at-unlock.patch

From 420178f0f4711b3d58c9880008cf847a99fb438b Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 28 Sep 2015 10:57:02 -0400
Subject: [PATCH 1/3] smartcardManager: add way to detect if user logged using
 (any) token

If a user uses a token at login time, we need to make sure they continue
to use the token at unlock time.

As a prerequisite for addressing that problem we need to know up front
if a user logged in with a token at all.

This commit adds the necessary api to detect that case.
---
 js/misc/smartcardManager.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/js/misc/smartcardManager.js b/js/misc/smartcardManager.js
index 32573cd384..6c48c80a19 100644
--- a/js/misc/smartcardManager.js
+++ b/js/misc/smartcardManager.js
@@ -118,4 +118,11 @@ class SmartcardManager extends Signals.EventEmitter {
 
         return true;
     }
+
+    loggedInWithToken() {
+        if (this._loginToken)
+            return true;
+
+        return false;
+    }
 }
-- 
2.44.0


From add283227afed3e32d9dd7c93b211e012d9fd85a Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 28 Sep 2015 19:56:53 -0400
Subject: [PATCH 2/3] gdm: only unlock with smartcard, if smartcard used for
 login

If a smartcard is used for login, we need to make sure the smartcard
gets used for unlock, too.
---
 js/gdm/util.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/js/gdm/util.js b/js/gdm/util.js
index 97df6d687e..cfb430a24e 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -125,7 +125,6 @@ export class ShellUserVerifier extends Signals.EventEmitter {
         this._settings = new Gio.Settings({schema_id: LOGIN_SCREEN_SCHEMA});
         this._settings.connect('changed', () => this._onSettingsChanged());
         this._updateEnabledServices();
-        this._updateDefaultService();
 
         this.addCredentialManager(OVirt.SERVICE_NAME, OVirt.getOVirtCredentialsManager());
         this.addCredentialManager(Vmware.SERVICE_NAME, Vmware.getVmwareCredentialsManager());
@@ -463,6 +462,8 @@ export class ShellUserVerifier extends Signals.EventEmitter {
         this.smartcardDetected = false;
         this._checkForSmartcard();
 
+        this._updateDefaultService();
+
         this._smartcardManager.connectObject(
             'smartcard-inserted', () => this._checkForSmartcard(),
             'smartcard-removed', () => this._checkForSmartcard(), this);
@@ -641,7 +642,9 @@ export class ShellUserVerifier extends Signals.EventEmitter {
     }
 
     _getDetectedDefaultService() {
-        if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
+        if (this._smartcardManager.loggedInWithToken())
+            return SMARTCARD_SERVICE_NAME;
+        else if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))
             return PASSWORD_SERVICE_NAME;
         else if (this._smartcardManager)
             return SMARTCARD_SERVICE_NAME;
-- 
2.44.0


From 2ad44eb49ab436df194d5ad78a73aef02f67a220 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 28 Sep 2015 19:57:36 -0400
Subject: [PATCH 3/3] gdm: update default service when smartcard inserted

Early on at start up we may not know if a smartcard is
available.  Make sure we reupdate the default service
after we get a smartcard insertion event.
---
 js/gdm/util.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/js/gdm/util.js b/js/gdm/util.js
index cfb430a24e..e4777225a0 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -487,6 +487,8 @@ export class ShellUserVerifier extends Signals.EventEmitter {
             else if (this._preemptingService === SMARTCARD_SERVICE_NAME)
                 this._preemptingService = null;
 
+            this._updateDefaultService();
+
             this.emit('smartcard-status-changed');
         }
     }
-- 
2.44.0
Re-apply downstream patches Not all patches have been upstreamed, so re-apply the changes from RHEL 9 that are still relevant. Downstream branding will be different in RHEL 10, so it has been left out for now and will be handled in a separate issue. Resolves: RHEL-32989 2024-04-16 18:51:39 +00:00			`From 420178f0f4711b3d58c9880008cf847a99fb438b Mon Sep 17 00:00:00 2001`
			`From: Ray Strode <rstrode@redhat.com>`
			`Date: Mon, 28 Sep 2015 10:57:02 -0400`
			`Subject: [PATCH 1/3] smartcardManager: add way to detect if user logged using`
			`(any) token`

			`If a user uses a token at login time, we need to make sure they continue`
			`to use the token at unlock time.`

			`As a prerequisite for addressing that problem we need to know up front`
			`if a user logged in with a token at all.`

			`This commit adds the necessary api to detect that case.`
			`---`
			`js/misc/smartcardManager.js \| 7 +++++++`
			`1 file changed, 7 insertions(+)`

			`diff --git a/js/misc/smartcardManager.js b/js/misc/smartcardManager.js`
			`index 32573cd384..6c48c80a19 100644`
			`--- a/js/misc/smartcardManager.js`
			`+++ b/js/misc/smartcardManager.js`
			`@@ -118,4 +118,11 @@ class SmartcardManager extends Signals.EventEmitter {`

			`return true;`
			`}`
			`+`
			`+ loggedInWithToken() {`
			`+ if (this._loginToken)`
			`+ return true;`
			`+`
			`+ return false;`
			`+ }`
			`}`
			`--`
			`2.44.0`


			`From add283227afed3e32d9dd7c93b211e012d9fd85a Mon Sep 17 00:00:00 2001`
			`From: Ray Strode <rstrode@redhat.com>`
			`Date: Mon, 28 Sep 2015 19:56:53 -0400`
			`Subject: [PATCH 2/3] gdm: only unlock with smartcard, if smartcard used for`
			`login`

			`If a smartcard is used for login, we need to make sure the smartcard`
			`gets used for unlock, too.`
			`---`
			`js/gdm/util.js \| 7 +++++--`
			`1 file changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/js/gdm/util.js b/js/gdm/util.js`
			`index 97df6d687e..cfb430a24e 100644`
			`--- a/js/gdm/util.js`
			`+++ b/js/gdm/util.js`
			`@@ -125,7 +125,6 @@ export class ShellUserVerifier extends Signals.EventEmitter {`
			`this._settings = new Gio.Settings({schema_id: LOGIN_SCREEN_SCHEMA});`
			`this._settings.connect('changed', () => this._onSettingsChanged());`
			`this._updateEnabledServices();`
			`- this._updateDefaultService();`

			`this.addCredentialManager(OVirt.SERVICE_NAME, OVirt.getOVirtCredentialsManager());`
			`this.addCredentialManager(Vmware.SERVICE_NAME, Vmware.getVmwareCredentialsManager());`
			`@@ -463,6 +462,8 @@ export class ShellUserVerifier extends Signals.EventEmitter {`
			`this.smartcardDetected = false;`
			`this._checkForSmartcard();`

			`+ this._updateDefaultService();`
			`+`
			`this._smartcardManager.connectObject(`
			`'smartcard-inserted', () => this._checkForSmartcard(),`
			`'smartcard-removed', () => this._checkForSmartcard(), this);`
			`@@ -641,7 +642,9 @@ export class ShellUserVerifier extends Signals.EventEmitter {`
			`}`

			`_getDetectedDefaultService() {`
			`- if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))`
			`+ if (this._smartcardManager.loggedInWithToken())`
			`+ return SMARTCARD_SERVICE_NAME;`
			`+ else if (this._settings.get_boolean(PASSWORD_AUTHENTICATION_KEY))`
			`return PASSWORD_SERVICE_NAME;`
			`else if (this._smartcardManager)`
			`return SMARTCARD_SERVICE_NAME;`
			`--`
			`2.44.0`


			`From 2ad44eb49ab436df194d5ad78a73aef02f67a220 Mon Sep 17 00:00:00 2001`
			`From: Ray Strode <rstrode@redhat.com>`
			`Date: Mon, 28 Sep 2015 19:57:36 -0400`
			`Subject: [PATCH 3/3] gdm: update default service when smartcard inserted`

			`Early on at start up we may not know if a smartcard is`
			`available. Make sure we reupdate the default service`
			`after we get a smartcard insertion event.`
			`---`
			`js/gdm/util.js \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/js/gdm/util.js b/js/gdm/util.js`
			`index cfb430a24e..e4777225a0 100644`
			`--- a/js/gdm/util.js`
			`+++ b/js/gdm/util.js`
			`@@ -487,6 +487,8 @@ export class ShellUserVerifier extends Signals.EventEmitter {`
			`else if (this._preemptingService === SMARTCARD_SERVICE_NAME)`
			`this._preemptingService = null;`

			`+ this._updateDefaultService();`
			`+`
			`this.emit('smartcard-status-changed');`
			`}`
			`}`
			`--`
			`2.44.0`