PAM: Add passkey preflight operation

Makefile.am

@@ -1523,9 +1523,11 @@ sssd_pam_SOURCES = \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/responder/pam/pam_helpers.c \
+    src/krb5_plugin/common/utils.c \
     $(SSSD_RESPONDER_OBJ)
 if BUILD_PASSKEY
-    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c
+    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c \
+                        src/krb5_plugin/passkey/passkey_utils.c
 endif
 sssd_pam_CFLAGS = \
     $(AM_CFLAGS) \
@@ -1535,6 +1537,7 @@ sssd_pam_LDADD = \
     $(LIBADD_DL) \
     $(TDB_LIBS) \
     $(SSSD_LIBS) \
+    $(JANSSON_LIBS) \
     $(SELINUX_LIBS) \
     $(PAM_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
@@ -2570,6 +2573,7 @@ pam_srv_tests_SOURCES = \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
+    src/krb5_plugin/common/utils.c \
     $(NULL)
 pam_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
@@ -2591,6 +2595,7 @@ pam_srv_tests_LDADD = \
     $(PAM_LIBS) \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
+    $(JANSSON_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
     libsss_test_common.la \
     libsss_idmap.la \
@@ -2599,7 +2604,8 @@ pam_srv_tests_LDADD = \
     libsss_sbus.la \
     $(NULL)
 if BUILD_PASSKEY
-     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c
+     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c \
+                              src/krb5_plugin/passkey/passkey_utils.c
 endif # BUILD_PASSKEY
 
 EXTRA_ssh_srv_tests_DEPENDENCIES = \
@@ -3774,6 +3780,7 @@ test_passkey_CFLAGS = \
     $(NULL)
 test_passkey_LDFLAGS = \
     -Wl,-wrap,sleep \
+    -Wl,-wrap,time \
     -Wl,-wrap,tcgetattr \
     -Wl,-wrap,tcsetattr \
     -Wl,-wrap,getline \
@@ -3805,7 +3812,8 @@ test_passkey_LDFLAGS = \
     -Wl,-wrap,fido_assert_sig_len \
     -Wl,-wrap,fido_assert_set_count \
     -Wl,-wrap,fido_assert_set_authdata \
-    -Wl,-wrap,fido_assert_set_sig
+    -Wl,-wrap,fido_assert_set_sig \
+    -Wl,-wrap,fido_dev_get_retry_count
 test_passkey_LDADD = \
     $(CMOCKA_LIBS) \
     $(SSSD_LIBS) \

contrib/sssd.spec.in

@@ -640,6 +640,9 @@ do
         sss-certmap*)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
             ;;
+        sssd-passkey*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_passkey.lang
+            ;;
         *)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
             ;;
@@ -960,6 +963,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
 %{_udevrulesdir}/90-sssd-token-access.rules
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%{_mandir}/man5/sssd-passkey.5*
 
 %pre common
 ! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null 2>&1 || true

src/krb5_plugin/passkey/passkey.h

@@ -22,6 +22,7 @@
 #define _PASSKEY_H_
 
 #include <stdlib.h>
+#include <stdbool.h>
 #include <krb5/preauth_plugin.h>
 
 #ifndef discard_const
@@ -100,6 +101,11 @@ sss_passkey_message_encode_padata(const struct sss_passkey_message *data);
 struct sss_passkey_message *
 sss_passkey_message_decode_padata(krb5_pa_data *padata);
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                bool *_pin_required,
+                                int *_attempts);
+
 krb5_pa_data **
 sss_passkey_message_encode_padata_array(const struct sss_passkey_message *data);
 

src/krb5_plugin/passkey/passkey_utils.c

@@ -24,6 +24,7 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdbool.h>
 #include <string.h>
 #include <jansson.h>
 #include <arpa/inet.h>
@@ -561,6 +562,42 @@
     return message;
 }
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                bool *_pin_required,
+                                int *_attempts)
+{
+    json_t *jroot;
+    json_error_t jret;
+    int ret;
+    bool pin_required;
+    int attempts;
+
+    jroot = json_loads(json_str, 0, &jret);
+    if (jroot == NULL) {
+        return ENOMEM;
+    }
+
+    ret = json_unpack(jroot, "{s:b, s:i}",
+                "pin_required", &pin_required,
+                "attempts", &attempts);
+    if (ret != 0) {
+        ret = EINVAL;
+        goto done;
+    }
+
+    *_pin_required = pin_required;
+    *_attempts = attempts;
+
+    ret = 0;
+done:
+    if (jroot != NULL) {
+        json_decref(jroot);
+    }
+
+    return ret;
+}
+
 char *
 sss_passkey_message_encode(const struct sss_passkey_message *data)
 {

src/man/Makefile.am

@@ -120,6 +120,10 @@ if BUILD_ID_PROVIDER_IDP
 man_MANS += sssd-idp.5
 endif
 
+if BUILD_PASSKEY
+man_MANS += sssd-passkey.5
+endif
+
 $(builddir)/src/man/sssd_user_name.include:
 	@mkdir -p $(builddir)/src/man
 	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include

src/man/include/seealso.xml

@@ -37,6 +37,12 @@
                     <manvolnum>5</manvolnum>
                 </citerefentry>,
             </phrase>
+            <phrase condition="build_passkey">
+                <citerefentry>
+                    <refentrytitle>sssd-passkey</refentrytitle>
+                    <manvolnum>5</manvolnum>
+                </citerefentry>,
+            </phrase>
             <citerefentry>
                 <refentrytitle>sssd-session-recording</refentrytitle>
                 <manvolnum>5</manvolnum>

src/man/po/po4a.cfg

@@ -29,6 +29,7 @@
 [type:docbook] sssd-systemtap.5.xml $lang:$(builddir)/$lang/sssd-systemtap.5.xml
 [type:docbook] sssd-ldap-attributes.5.xml $lang:$(builddir)/$lang/sssd-ldap-attributes.5.xml
 [type:docbook] sssd_krb5_localauth_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_localauth_plugin.8.xml
+[type:docbook] sssd-passkey.5.xml $lang:$(builddir)/$lang/sssd-passkey.5.xml
 [type:docbook] include/autofs_attributes.xml $lang:$(builddir)/$lang/include/autofs_attributes.xml opt:"-k 0"
 [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
 [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"

src/man/sssd-passkey.5.xml

@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+    <refmeta>
+        <refentrytitle>sssd-passkey</refentrytitle>
+        <manvolnum>5</manvolnum>
+        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+    </refmeta>
+
+    <refnamediv id='name'>
+        <refname>sssd-passkey</refname>
+        <refpurpose>SSSD passkey options</refpurpose>
+    </refnamediv>
+
+    <refsect1 id='description'>
+        <title>DESCRIPTION</title>
+        <para>
+            This manual page describes the specifics for configuration of
+            passkey for
+            <citerefentry>
+                <refentrytitle>sssd</refentrytitle>
+                <manvolnum>8</manvolnum>
+            </citerefentry>.
+            Refer to the <quote>FILE FORMAT</quote> section of the
+            <citerefentry>
+                <refentrytitle>sssd.conf</refentrytitle>
+                <manvolnum>5</manvolnum>
+            </citerefentry> manual page for detailed syntax information.</para>
+    </refsect1>
+
+    <refsect1 id='configuration-options'>
+        <title>CONFIGURATION OPTIONS</title>
+        <para>
+            <variablelist>
+                <varlistentry>
+                    <term>user_verification (boolean)</term>
+                    <listitem>
+                        <para>
+                            Enable or disable the requirement for user
+                            verification (i.e. PIN, fingerprint) on the passkey
+                            device during authentication.
+                        </para>
+                        <para>
+                            Three different actors come into play when deciding
+                            whether to request user verification: LDAP server,
+                            <citerefentry><refentrytitle>sssd.conf
+                            </refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                            option and the passkey device itself.
+                        </para>
+                        <para>
+                            If the IPA provider is used and online, Kerberos
+                            based passkey authentication is available, the
+                            server-side settings are applied for all passkey
+                            usages. For other cases the settings in
+                            <filename>sssd.conf</filename> are used. This
+                            includes passkey authentication with any other
+                            provider; and the IPA provider in case online
+                            authentication is not available and local passkey
+                            is allowed by the option
+                            <emphasis>local_auth_policy = enable:passkey</emphasis>.
+                        </para>
+                        <para>
+                            The interaction of the
+                            <emphasis>user_verification</emphasis> option and
+                            the passkey device option is explained in the
+                            following table:
+                        </para>
+                        <informaltable frame='all'>
+                        <tgroup cols='3'>
+                        <colspec colname='c1' align='center'/>
+                        <colspec colname='c2' align='center'/>
+                        <colspec colname='c3' align='center'/>
+
+                        <thead>
+                        <row><entry>user_verification</entry><entry>Device</entry>
+                            <entry>Result</entry></row>
+                        </thead>
+                        <tbody>
+                        <row>
+                            <entry>True</entry>
+                            <entry>User verification is configured</entry>
+                            <entry>User verification is requested</entry>
+                        </row>
+                        <row>
+                            <entry>True</entry>
+                            <entry>User verification is not configured</entry>
+                            <entry><para>
+                            User verification is requested; however, the
+                            authentication is expected to fail if the device is
+                            not replaced with a device where user verification
+                            is configured during the authentication process.
+                            </para></entry>
+                        </row>
+                        <row>
+                            <entry>False</entry>
+                            <entry>User verification is configured</entry>
+                            <entry><para>
+                            sssd automatically detects it during device query
+                            and user verification is requested
+                            </para></entry>
+                        </row>
+                        <row>
+                            <entry>False</entry>
+                            <entry>User verification is not configured</entry>
+                            <entry>User verification is not requested</entry>
+                        </row>
+                        </tbody></tgroup></informaltable>
+                        <para>
+                            If 'enter' is pressed at the PIN prompt for user
+                            verification without typing any characters, then
+                            SSSD falls back from passkey to password
+                            authentication.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </refsect1>
+
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>

src/man/sssd.conf.5.xml

@@ -682,15 +682,16 @@
                                     <listitem>
                                         <para> Enable or disable the user
                                         verification (i.e. PIN, fingerprint)
-                                        during authentication. If enabled, the
-                                        PIN will always be requested.
+                                        during authentication.
                                         </para>
                                         <para>
-                                        The default is that the key settings
-                                        decide what to do. In the IPA or
-                                        kerberos pre-authentication case,
-                                        this value will be overwritten by the
-                                        server.
+                                        See
+                                        <citerefentry>
+                                            <refentrytitle>sssd-passkey</refentrytitle>
+                                            <manvolnum>5</manvolnum>
+                                        </citerefentry> to
+                                        understand the behaviour of this option
+                                        in the different scenarios.
                                         </para>
                                     </listitem>
                                 </varlistentry>

src/passkey_child/passkey_child.c

@@ -64,13 +64,13 @@ int main(int argc, const char *argv[])
     fido_init(init_flags);
 
     if (data.action == ACTION_REGISTER) {
-        ret = register_key(&data);
+        ret = register_key(&data, TIMEOUT);
         if (ret != EOK) {
             ERROR("Error registering key.\n");
             goto done;
         }
     } else if (data.action == ACTION_AUTHENTICATE) {
-        ret = authenticate(&data);
+        ret = authenticate(&data, TIMEOUT);
         if (ret == EOK) {
             PRINT("Authentication success.\n");
             goto done;
@@ -79,7 +79,7 @@ int main(int argc, const char *argv[])
             goto done;
         }
     } else if (data.action == ACTION_GET_ASSERT) {
-        ret = get_assert_data(&data);
+        ret = get_assert_data(&data, TIMEOUT);
         if (ret != EOK) {
             ERROR("Error getting assertion data.\n");
             goto done;
@@ -93,12 +93,20 @@ int main(int argc, const char *argv[])
             ERROR("Verification error.\n");
             goto done;
         }
+    } else if (data.action == ACTION_PREFLIGHT) {
+        ret = preflight(&data, 1);
+        /* Errors are ignored, as in most cases they are due to the device not
+         * being connected to the system. If an error occurs, the default
+         * values are returned, and that is sufficient for the time being.
+        */
     }
 
 done:
     talloc_free(main_ctx);
 
-    if (ret != EOK) {
+    if (ret == FIDO_ERR_PIN_AUTH_BLOCKED) {
+        return PIN_AUTH_BLOCKED_EXIT_CODE;
+    } else if (ret != EOK) {
         return EXIT_FAILURE;
     } else {
         return EXIT_SUCCESS;