Update fix for password auth after background service failure

Related: #1942443
This commit is contained in:
Benjamin Berg 2021-04-28 16:01:29 +02:00
parent b71d55a47c
commit 9a647c460b
4 changed files with 298 additions and 37 deletions

View File

@ -1,34 +0,0 @@
From 0074c6870b284578d25c06b61ab8011cf8bbb8da Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Fri, 23 Apr 2021 19:44:52 +0200
Subject: [PATCH] gdm: Only emit verification failed for foreground service
A failing background service should not count as a verification failure
as the user can still try to continue using the current foreground
service.
As such, only emit the 'verification-failed' signal when the failing
service was the foreground service.
Closes: #3853
---
js/gdm/util.js | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/js/gdm/util.js b/js/gdm/util.js
index 1ee84acde..e7e575dba 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -721,7 +721,8 @@ var ShellUserVerifier = class {
}
}
- this.emit('verification-failed', serviceName, canRetry);
+ if (this.serviceIsForeground(serviceName))
+ this.emit('verification-failed', serviceName, canRetry);
}
_onServiceUnavailable(_client, serviceName, errorMessage) {
--
2.30.2

View File

@ -0,0 +1,67 @@
From 22df9fa5e3c973d5a194f2bbdbcdd4a64511bc93 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Wed, 28 Apr 2021 16:50:03 +0200
Subject: [PATCH] gdm: Work around failing fingerprint auth
On Fedora we have the problem that fingerprint auth fails immediately if
the PAM configuration has not been updated and no prints are enrolled.
So, consider a verification failure within one second to be a service
failure instead.
---
js/gdm/util.js | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/js/gdm/util.js b/js/gdm/util.js
index b02cd4d73..118a05100 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -157,6 +157,7 @@ var ShellUserVerifier = class {
null,
null,
Gio.DBusProxyFlags.DO_NOT_LOAD_PROPERTIES);
+ this._fprintStartTime = -1;
this._smartcardManager = SmartcardManager.getSmartcardManager();
// We check for smartcards right away, since an inserted smartcard
@@ -543,6 +544,10 @@ var ShellUserVerifier = class {
async _startService(serviceName) {
this._hold.acquire();
try {
+ if (serviceName == FINGERPRINT_SERVICE_NAME) {
+ this._fprintStartTime = GLib.get_monotonic_time();
+ }
+
if (this._userName) {
await this._userVerifier.call_begin_verification_for_user(
serviceName, this._userName, this._cancellable);
@@ -624,6 +629,7 @@ var ShellUserVerifier = class {
const cancellable = this._cancellable;
this._fingerprintFailedId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,
FINGERPRINT_ERROR_TIMEOUT_WAIT, () => {
+ log("Generating _verificationFailed!");
this._fingerprintFailedId = 0;
if (!cancellable.is_cancelled())
this._verificationFailed(serviceName, false);
@@ -689,6 +695,18 @@ var ShellUserVerifier = class {
if (serviceName === FINGERPRINT_SERVICE_NAME) {
if (this._fingerprintFailedId)
GLib.source_remove(this._fingerprintFailedId);
+
+ // On Fedora we have the problem that fingerprint auth fails
+ // immediately if the PAM configuration has not been updated and no
+ // prints are enrolled.
+ // So, consider a verification failure within one second to be a service
+ // failure instead.
+ if (this._fprintStartTime > GLib.get_monotonic_time() - GLib.USEC_PER_SEC) {
+ log("Fingerprint service failed almost immediately, considering it unavailable.");
+ log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");
+ this._onServiceUnavailable(this._client, serviceName, null);
+ return;
+ }
}
// For Not Listed / enterprise logins, immediately reset
--
2.31.1

221
1821.patch Normal file
View File

@ -0,0 +1,221 @@
From e7998b4d5547d65d88c56d428a65c9fb3bbeadb0 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Wed, 28 Apr 2021 10:36:46 -0400
Subject: [PATCH 1/5] authPrompt: Don't clear querying service unless querying
service fails
At the moment we treat a failure in any service as a signal to stop
tracking users responses to service questions.
This commit makes sure we don't stop waiting for answers if a background
service fails.
---
js/gdm/authPrompt.js | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js
index d2c9a16594..c182d74318 100644
--- a/js/gdm/authPrompt.js
+++ b/js/gdm/authPrompt.js
@@ -280,8 +280,11 @@ var AuthPrompt = GObject.registerClass({
_onVerificationFailed(userVerifier, serviceName, canRetry) {
const wasQueryingService = this._queryingService === serviceName;
- this._queryingService = null;
- this.clear();
+
+ if (wasQueryingService) {
+ this._queryingService = null;
+ this.clear();
+ }
this.updateSensitivity(canRetry);
this.setActorInDefaultButtonWell(null);
--
GitLab
From ca290737ab3ecb028f03c9189dac6131e2dcf3bc Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Wed, 28 Apr 2021 10:38:58 -0400
Subject: [PATCH 2/5] authPrompt: Don't fail auth prompt until user is out of
retries
At the moment we set the state of the auth prompt to failed any
time the user fails an attempt. But verification is still going
on until the user exhausts all attempts, so that's wrong.
This commit changes it to only set the state to failed when the
user is out of tries.
---
js/gdm/authPrompt.js | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js
index c182d74318..d111cadd1b 100644
--- a/js/gdm/authPrompt.js
+++ b/js/gdm/authPrompt.js
@@ -288,7 +288,9 @@ var AuthPrompt = GObject.registerClass({
this.updateSensitivity(canRetry);
this.setActorInDefaultButtonWell(null);
- this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
+
+ if (!canRetry)
+ this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;
if (wasQueryingService)
Util.wiggle(this._entry);
--
GitLab
From 36ccf63b7a219b7e0eb11158f39c8823a25eb058 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Wed, 28 Apr 2021 10:42:14 -0400
Subject: [PATCH 3/5] gdm: Flip canRetry boolean to doneTrying on verification
failure
This commit just flips a boolean in the verification failed handler
to make things easier to read.
---
js/gdm/util.js | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/js/gdm/util.js b/js/gdm/util.js
index 1ee84acde2..bb120a81c2 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -685,29 +685,19 @@ var ShellUserVerifier = class {
(this._reauthOnly || this._failCounter < this.allowedFailures);
}
- _verificationFailed(serviceName, retry) {
+ _verificationFailed(serviceName, shouldRetry) {
// For Not Listed / enterprise logins, immediately reset
// the dialog
// Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
// After that, we go back to the welcome screen.
- const canRetry = retry && this._canRetry();
-
this._disconnectSignals();
+
this._filterServiceMessages(serviceName, MessageType.ERROR);
- if (canRetry) {
- if (!this.hasPendingMessages) {
- this._retry(serviceName);
- } else {
- const cancellable = this._cancellable;
- let signalId = this.connect('no-more-messages', () => {
- this.disconnect(signalId);
- if (!cancellable.is_cancelled())
- this._retry(serviceName);
- });
- }
- } else {
+ const doneTrying = !shouldRetry || !this._canRetry();
+
+ if (doneTrying) {
// eslint-disable-next-line no-lonely-if
if (!this.hasPendingMessages) {
this._cancelAndReset();
@@ -721,7 +711,18 @@ var ShellUserVerifier = class {
}
}
- this.emit('verification-failed', serviceName, canRetry);
+ this.emit('verification-failed', serviceName, !doneTrying);
+
+ if (!this.hasPendingMessages) {
+ this._retry(serviceName);
+ } else {
+ const cancellable = this._cancellable;
+ let signalId = this.connect('no-more-messages', () => {
+ this.disconnect(signalId);
+ if (!cancellable.is_cancelled())
+ this._retry(serviceName);
+ });
+ }
}
_onServiceUnavailable(_client, serviceName, errorMessage) {
--
GitLab
From de06a365e968691a4c2b39de8d5903a92f3663ec Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Wed, 28 Apr 2021 10:44:56 -0400
Subject: [PATCH 4/5] gdm: Only disconect verification signals when not going
to retry
At the moment a failure in a background service can lead to the
various verification signals getting disconnected, even though
we still need them for a foreground service.
This commit changes the code to only disconnect when we've run
out of tries.
---
js/gdm/util.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/gdm/util.js b/js/gdm/util.js
index bb120a81c2..bdc14b7519 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -691,13 +691,13 @@ var ShellUserVerifier = class {
// Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
// After that, we go back to the welcome screen.
- this._disconnectSignals();
-
this._filterServiceMessages(serviceName, MessageType.ERROR);
const doneTrying = !shouldRetry || !this._canRetry();
if (doneTrying) {
+ this._disconnectSignals();
+
// eslint-disable-next-line no-lonely-if
if (!this.hasPendingMessages) {
this._cancelAndReset();
--
GitLab
From 70f1e4a0d41956a5e91c31bea4d0060c9eb0bf45 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Wed, 28 Apr 2021 18:32:22 +0200
Subject: [PATCH 5/5] gdm: Remove pending fingerprint verification failure
It can happen that we get a problem report and a verification failure at
the same time. For fingerprint, a problem report can result in an
internal verification failure to be queued.
Remove this queued failure again if we got a failure already from GDM
directly.
---
js/gdm/util.js | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/js/gdm/util.js b/js/gdm/util.js
index bdc14b7519..b02cd4d734 100644
--- a/js/gdm/util.js
+++ b/js/gdm/util.js
@@ -686,6 +686,11 @@ var ShellUserVerifier = class {
}
_verificationFailed(serviceName, shouldRetry) {
+ if (serviceName === FINGERPRINT_SERVICE_NAME) {
+ if (this._fingerprintFailedId)
+ GLib.source_remove(this._fingerprintFailedId);
+ }
+
// For Not Listed / enterprise logins, immediately reset
// the dialog
// Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.
--
GitLab

View File

@ -2,7 +2,7 @@
Name: gnome-shell Name: gnome-shell
Version: 40.0 Version: 40.0
Release: 4%{?dist} Release: 5%{?dist}
Summary: Window management and application launching for GNOME Summary: Window management and application launching for GNOME
License: GPLv2+ License: GPLv2+
@ -20,8 +20,11 @@ Patch10001: 0001-loginDialog-Allow-timed-login-with-disabled-user-lis.patch
Patch10002: 0001-workspacesView-Fix-PgUp-PgDown-shortcut.patch Patch10002: 0001-workspacesView-Fix-PgUp-PgDown-shortcut.patch
Patch10003: 0002-workspacesView-Don-t-tie-PgUp-PgDown-to-mapped-state.patch Patch10003: 0002-workspacesView-Don-t-tie-PgUp-PgDown-to-mapped-state.patch
# Some users might have a broken PAM config, so we really need this # Some users might have a broken PAM config, so we really need this.
Patch10004: 0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch # The upstream patchset fixes password auth after a fingerprint failure.
# The second is a downstream patch to stop trying on configuration errors.
Patch10004: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1821.patch
Patch10005: 0001-gdm-Work-around-failing-fingerprint-auth.patch
%define eds_version 3.33.1 %define eds_version 3.33.1
@ -237,6 +240,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de
%{_mandir}/man1/gnome-shell.1* %{_mandir}/man1/gnome-shell.1*
%changelog %changelog
* Wed Apr 28 2021 Benjamin Berg <bberg@redhat.com> - 40.0-5
- Update fix for password auth after background service failure
Related: #1942443
* Fri Apr 23 2021 Benjamin Berg <bberg@redhat.com> - 40.0-4 * Fri Apr 23 2021 Benjamin Berg <bberg@redhat.com> - 40.0-4
- Fix password auth after secondary service failure - Fix password auth after secondary service failure
Related: #1942443 Related: #1942443