passkey: implement preflight option

Makefile.am

@@ -3807,7 +3807,8 @@ test_passkey_LDFLAGS = \
     -Wl,-wrap,fido_assert_sig_len \
     -Wl,-wrap,fido_assert_set_count \
     -Wl,-wrap,fido_assert_set_authdata \
-    -Wl,-wrap,fido_assert_set_sig
+    -Wl,-wrap,fido_assert_set_sig \
+    -Wl,-wrap,fido_dev_get_retry_count
 test_passkey_LDADD = \
     $(CMOCKA_LIBS) \
     $(SSSD_LIBS) \

contrib/sssd.spec.in

@@ -703,6 +703,9 @@ do
         sss-certmap*)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
             ;;
+        sssd-passkey*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_passkey.lang
+            ;;
         *)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
             ;;
@@ -1034,6 +1037,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_udevrulesdir}/90-sssd-token-access.rules
 %endif
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%{_mandir}/man5/sssd-passkey.5*
 %endif
 
 %if %{use_sssd_user}

src/man/Makefile.am

@@ -120,6 +120,10 @@ if BUILD_ID_PROVIDER_IDP
 man_MANS += sssd-idp.5
 endif
 
+if BUILD_PASSKEY
+man_MANS += sssd-passkey.5
+endif
+
 $(builddir)/src/man/sssd_user_name.include:
 	@mkdir -p $(builddir)/src/man
 	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include

src/man/po/po4a.cfg

@@ -29,6 +29,7 @@
 [type:docbook] sssd-systemtap.5.xml $lang:$(builddir)/$lang/sssd-systemtap.5.xml
 [type:docbook] sssd-ldap-attributes.5.xml $lang:$(builddir)/$lang/sssd-ldap-attributes.5.xml
 [type:docbook] sssd_krb5_localauth_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_localauth_plugin.8.xml
+[type:docbook] sssd-passkey.5.xml $lang:$(builddir)/$lang/sssd-passkey.5.xml
 [type:docbook] include/autofs_attributes.xml $lang:$(builddir)/$lang/include/autofs_attributes.xml opt:"-k 0"
 [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
 [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"

src/man/sssd-passkey.5.xml

@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+    <refmeta>
+        <refentrytitle>sssd-passkey</refentrytitle>
+        <manvolnum>5</manvolnum>
+        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+    </refmeta>
+
+    <refnamediv id='name'>
+        <refname>sssd-passkey</refname>
+        <refpurpose>SSSD passkey options</refpurpose>
+    </refnamediv>
+
+    <refsect1 id='description'>
+        <title>DESCRIPTION</title>
+        <para>
+            This manual page describes the specifics for configuration of
+            passkey for
+            <citerefentry>
+                <refentrytitle>sssd</refentrytitle>
+                <manvolnum>8</manvolnum>
+            </citerefentry>.
+            Refer to the <quote>FILE FORMAT</quote> section of the
+            <citerefentry>
+                <refentrytitle>sssd.conf</refentrytitle>
+                <manvolnum>5</manvolnum>
+            </citerefentry> manual page for detailed syntax information.</para>
+    </refsect1>
+
+    <refsect1 id='configuration-options'>
+        <title>CONFIGURATION OPTIONS</title>
+        <para>
+            <variablelist>
+                <varlistentry>
+                    <term>user_verification (boolean)</term>
+                    <listitem>
+                        <para>
+                            Enable or disable the requirement for user
+                            verification (i.e. PIN, fingerprint) on the passkey
+                            device during authentication.
+                        </para>
+                        <para>
+                            Three different actors come into play when deciding
+                            whether to request user verification: LDAP server,
+                            <citerefentry><refentrytitle>sssd.conf
+                            </refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                            option and the passkey device itself.
+                        </para>
+                        <para>
+                            If the IPA provider is used and online, Kerberos
+                            based passkey authentication is available, the
+                            server-side settings are applied for all passkey
+                            usages. For other cases the settings in
+                            <filename>sssd.conf</filename> are used. This
+                            includes passkey authentication with any other
+                            provider; and the IPA provider in case online
+                            authentication is not available and local passkey
+                            is allowed by the option
+                            <emphasis>local_auth_policy = enable:passkey</emphasis>.
+                        </para>
+                        <para>
+                            The interaction of the
+                            <emphasis>user_verification</emphasis> option and
+                            the passkey device option is explained in the
+                            following table:
+                        </para>
+                        <informaltable frame='all'>
+                        <tgroup cols='3'>
+                        <colspec colname='c1' align='center'/>
+                        <colspec colname='c2' align='center'/>
+                        <colspec colname='c3' align='center'/>
+
+                        <thead>
+                        <row><entry>user_verification</entry><entry>Device</entry>
+                            <entry>Result</entry></row>
+                        </thead>
+                        <tbody>
+                        <row>
+                            <entry>True</entry>
+                            <entry>User verification is configured</entry>
+                            <entry>User verification is requested</entry>
+                        </row>
+                        <row>
+                            <entry>True</entry>
+                            <entry>User verification is not configured</entry>
+                            <entry><para>
+                            User verification is requested; however, the
+                            authentication is expected to fail if the device is
+                            not replaced with a device where user verification
+                            is configured during the authentication process.
+                            </para></entry>
+                        </row>
+                        <row>
+                            <entry>False</entry>
+                            <entry>User verification is configured</entry>
+                            <entry><para>
+                            sssd automatically detects it during device query
+                            and user verification is requested
+                            </para></entry>
+                        </row>
+                        <row>
+                            <entry>False</entry>
+                            <entry>User verification is not configured</entry>
+                            <entry>User verification is not requested</entry>
+                        </row>
+                        </tbody></tgroup></informaltable>
+                        <para>
+                            If 'enter' is pressed at the PIN prompt for user
+                            verification without typing any characters, then
+                            SSSD falls back from passkey to password
+                            authentication.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </refsect1>
+
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>

src/man/sssd.conf.5.xml

@@ -682,15 +682,16 @@
                                     <listitem>
                                         <para> Enable or disable the user
                                         verification (i.e. PIN, fingerprint)
-                                        during authentication. If enabled, the
-                                        PIN will always be requested.
+                                        during authentication.
                                         </para>
                                         <para>
-                                        The default is that the key settings
-                                        decide what to do. In the IPA or
-                                        kerberos pre-authentication case,
-                                        this value will be overwritten by the
-                                        server.
+                                        See
+                                        <citerefentry>
+                                            <refentrytitle>sssd-passkey</refentrytitle>
+                                            <manvolnum>5</manvolnum>
+                                        </citerefentry> to
+                                        understand the behaviour of this option
+                                        in the different scenarios.
                                         </para>
                                     </listitem>
                                 </varlistentry>

src/passkey_child/passkey_child.c

@@ -64,13 +64,13 @@ int main(int argc, const char *argv[])
     fido_init(init_flags);
 
     if (data.action == ACTION_REGISTER) {
-        ret = register_key(&data);
+        ret = register_key(&data, TIMEOUT);
         if (ret != EOK) {
             ERROR("Error registering key.\n");
             goto done;
         }
     } else if (data.action == ACTION_AUTHENTICATE) {
-        ret = authenticate(&data);
+        ret = authenticate(&data, TIMEOUT);
         if (ret == EOK) {
             PRINT("Authentication success.\n");
             goto done;
@@ -79,7 +79,7 @@ int main(int argc, const char *argv[])
             goto done;
         }
     } else if (data.action == ACTION_GET_ASSERT) {
-        ret = get_assert_data(&data);
+        ret = get_assert_data(&data, TIMEOUT);
         if (ret != EOK) {
             ERROR("Error getting assertion data.\n");
             goto done;
@@ -93,12 +93,20 @@ int main(int argc, const char *argv[])
             ERROR("Verification error.\n");
             goto done;
         }
+    } else if (data.action == ACTION_PREFLIGHT) {
+        ret = preflight(&data, 1);
+        /* Errors are ignored, as in most cases they are due to the device not
+         * being connected to the system. If an error occurs, the default
+         * values are returned, and that is sufficient for the time being.
+        */
     }
 
 done:
     talloc_free(main_ctx);
 
-    if (ret != EOK) {
+    if (ret == FIDO_ERR_PIN_AUTH_BLOCKED) {
+        return PIN_AUTH_BLOCKED_EXIT_CODE;
+    } else if (ret != EOK) {
         return EXIT_FAILURE;
     } else {
         return EXIT_SUCCESS;

src/passkey_child/passkey_child.h

@@ -34,13 +34,15 @@
 #define USER_ID_SIZE    32
 #define TIMEOUT         15
 #define FREQUENCY       1
+#define MAX_PIN_RETRIES 8
 
 enum action_opt {
     ACTION_NONE,
     ACTION_REGISTER,
     ACTION_AUTHENTICATE,
     ACTION_GET_ASSERT,
-    ACTION_VERIFY_ASSERT
+    ACTION_VERIFY_ASSERT,
+    ACTION_PREFLIGHT
 };
 
 enum credential_type {
@@ -103,12 +105,13 @@ check_arguments(const struct passkey_data *data);
  * @brief Register a key for a user
  *
  * @param[in] data passkey data
+ * @param[in] timeout Timeout to stop looking for a device
  *
  * @return 0 if the key was registered properly,
  *         another value on error.
  */
 errno_t
-register_key(struct passkey_data *data);
+register_key(struct passkey_data *data, int timeout);
 
 /**
  * @brief Translate COSE type from string to int
@@ -139,13 +142,14 @@ prepare_credentials(struct passkey_data *data, fido_dev_t *dev,
 /**
  * @brief List connected passkey devices
  *
+ * @param[in] timeout Timeout to stop looking for a device
  * @param[out] dev_list passkey device list
  * @param[out] dev_number Number of passkey devices
  *
  * @return 0 if the list was retrieved properly, another value on error.
  */
 errno_t
-list_devices(fido_dev_info_t *dev_list, size_t *dev_number);
+list_devices(int timeout, fido_dev_info_t *dev_list, size_t *dev_number);
 
 /**
  * @brief Select passkey device
@@ -322,18 +326,20 @@ public_key_to_base64(TALLOC_CTX *mem_ctx, const struct passkey_data *data,
  * key, request the assert and verify it.
  *
  * @param[in] data passkey data
+ * @param[in] timeout Timeout to stop looking for a device
  *
  * @return 0 if the user was authenticated properly,
  *         error code otherwise.
  */
 errno_t
-authenticate(struct passkey_data *data);
+authenticate(struct passkey_data *data, int timeout);
 
 /*
  * @brief Select authenticator for verification
  *
  *
  * @param[in] data passkey data
+ * @param[in] timeout Timeout to stop looking for a device
  * @param[out] _dev Device information
  * @param[out] _assert Assert
  * @param[out] _index Index for key handle list
@@ -342,7 +348,7 @@ authenticate(struct passkey_data *data);
  *         error code otherwise.
  */
 errno_t
-select_authenticator(struct passkey_data *data, fido_dev_t **_dev,
+select_authenticator(struct passkey_data *data, int timeout, fido_dev_t **_dev,
                      fido_assert_t **_assert, int *_index);
 
 /**
@@ -533,12 +539,13 @@ print_assert_data(const char *key_handle, const char *crypto_challenge,
  * and print this all information.
  *
  * @param[in] data passkey data
+ * @param[in] timeout Timeout to stop looking for a device
  *
  * @return 0 if the assertion was obtained properly,
  *         error code otherwise.
  */
 errno_t
-get_assert_data(struct passkey_data *data);
+get_assert_data(struct passkey_data *data, int timeout);
 
 /**
  * @brief Verify assertion data
@@ -554,4 +561,47 @@ get_assert_data(struct passkey_data *data);
 errno_t
 verify_assert_data(struct passkey_data *data);
 
+/**
+ * @brief Obtain PIN retries in the device
+ *
+ * @param[in] dev Device information
+ * @param[in] data passkey data
+ * @param[in] _pin_retries Number of PIN retries
+ *
+ * @return 0 if the PIN retries were obtained properly,
+ *         error code otherwise.
+ */
+errno_t
+get_device_pin_retries(fido_dev_t *dev, struct passkey_data *data,
+                       int *_pin_retries);
+
+/**
+ * @brief Print preflight information
+ *
+ * Print user-verification and pin retries
+ *
+ * @param[in] data passkey data
+ * @param[in] _pin_retries Number of PIN retries
+ *
+ * @return EOK
+ *
+ */
+errno_t
+print_preflight(const struct passkey_data *data, int pin_retries);
+
+/**
+ * @brief Obtain authentication data prior to processing
+ *
+ * Prepare the assertion request data, select the device to use, get the device
+ * options and compare them with the organization policy, get the PIN retries
+ * and print the preflight data.
+ *
+ * @param[in] data passkey data
+ * @param[in] timeout Timeout in seconds to stop looking for a device
+ *
+ * @return EOK
+ */
+errno_t
+preflight(struct passkey_data *data, int timeout);
+
 #endif /* __PASSKEY_CHILD_H__ */

src/passkey_child/passkey_child_assert.c

@@ -51,7 +51,8 @@ set_assert_client_data_hash(const struct passkey_data *data,
         return ENOMEM;
     }
 
-    if (data->action == ACTION_AUTHENTICATE) {
+    if (data->action == ACTION_AUTHENTICATE
+        || data->action == ACTION_PREFLIGHT) {
         ret = sss_generate_csprng_buffer(cdh, sizeof(cdh));
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,