#12 Update fix for password auth after background service failure
Closed a year ago by benzea. Opened a year ago by benzea.
rpms/ benzea/gnome-shell f34  into  f34

@@ -1,34 +0,0 @@ 

- From 0074c6870b284578d25c06b61ab8011cf8bbb8da Mon Sep 17 00:00:00 2001

- From: Benjamin Berg <bberg@redhat.com>

- Date: Fri, 23 Apr 2021 19:44:52 +0200

- Subject: [PATCH] gdm: Only emit verification failed for foreground service

- 

- A failing background service should not count as a verification failure

- as the user can still try to continue using the current foreground

- service.

- 

- As such, only emit the 'verification-failed' signal when the failing

- service was the foreground service.

- 

- Closes: #3853

- ---

-  js/gdm/util.js | 3 ++-

-  1 file changed, 2 insertions(+), 1 deletion(-)

- 

- diff --git a/js/gdm/util.js b/js/gdm/util.js

- index 1ee84acde..e7e575dba 100644

- --- a/js/gdm/util.js

- +++ b/js/gdm/util.js

- @@ -721,7 +721,8 @@ var ShellUserVerifier = class {

-              }

-          }

-  

- -        this.emit('verification-failed', serviceName, canRetry);

- +        if (this.serviceIsForeground(serviceName))

- +            this.emit('verification-failed', serviceName, canRetry);

-      }

-  

-      _onServiceUnavailable(_client, serviceName, errorMessage) {

- -- 

- 2.30.2

- 

@@ -0,0 +1,67 @@ 

+ From 22df9fa5e3c973d5a194f2bbdbcdd4a64511bc93 Mon Sep 17 00:00:00 2001

+ From: Benjamin Berg <bberg@redhat.com>

+ Date: Wed, 28 Apr 2021 16:50:03 +0200

+ Subject: [PATCH] gdm: Work around failing fingerprint auth

+ 

+ On Fedora we have the problem that fingerprint auth fails immediately if

+ the PAM configuration has not been updated and no prints are enrolled.

+ 

+ So, consider a verification failure within one second to be a service

+ failure instead.

+ ---

+  js/gdm/util.js | 18 ++++++++++++++++++

+  1 file changed, 18 insertions(+)

+ 

+ diff --git a/js/gdm/util.js b/js/gdm/util.js

+ index b02cd4d73..118a05100 100644

+ --- a/js/gdm/util.js

+ +++ b/js/gdm/util.js

+ @@ -157,6 +157,7 @@ var ShellUserVerifier = class {

+              null,

+              null,

+              Gio.DBusProxyFlags.DO_NOT_LOAD_PROPERTIES);

+ +        this._fprintStartTime = -1;

+          this._smartcardManager = SmartcardManager.getSmartcardManager();

+  

+          // We check for smartcards right away, since an inserted smartcard

+ @@ -543,6 +544,10 @@ var ShellUserVerifier = class {

+      async _startService(serviceName) {

+          this._hold.acquire();

+          try {

+ +            if (serviceName == FINGERPRINT_SERVICE_NAME) {

+ +                this._fprintStartTime = GLib.get_monotonic_time();

+ +            }

+ +

+              if (this._userName) {

+                  await this._userVerifier.call_begin_verification_for_user(

+                      serviceName, this._userName, this._cancellable);

+ @@ -624,6 +629,7 @@ var ShellUserVerifier = class {

+                  const cancellable = this._cancellable;

+                  this._fingerprintFailedId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,

+                      FINGERPRINT_ERROR_TIMEOUT_WAIT, () => {

+ +                        log("Generating _verificationFailed!");

+                          this._fingerprintFailedId = 0;

+                          if (!cancellable.is_cancelled())

+                              this._verificationFailed(serviceName, false);

+ @@ -689,6 +695,18 @@ var ShellUserVerifier = class {

+          if (serviceName === FINGERPRINT_SERVICE_NAME) {

+              if (this._fingerprintFailedId)

+                  GLib.source_remove(this._fingerprintFailedId);

+ +

+ +            // On Fedora we have the problem that fingerprint auth fails

+ +            // immediately if the PAM configuration has not been updated and no

+ +            // prints are enrolled.

+ +            // So, consider a verification failure within one second to be a service

+ +            // failure instead.

+ +            if (this._fprintStartTime > GLib.get_monotonic_time() - GLib.USEC_PER_SEC) {

+ +                log("Fingerprint service failed almost immediately, considering it unavailable.");

+ +                log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");

+ +                this._onServiceUnavailable(this._client, serviceName, null);

+ +                return;

+ +            }

+          }

+  

+          // For Not Listed / enterprise logins, immediately reset

+ -- 

+ 2.31.1

+ 
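Review bot: The one-second check added to `_verificationFailed` returns before the retry and failure handling further down, so every fingerprint failure that arrives within a second of `_startService` is handed to `_onServiceUnavailable` instead of being treated as a failed attempt. `_fprintStartTime` is refreshed on each `_startService` call for the fingerprint service, which presumably includes retries, so the reclassification is not limited to the misconfigured-PAM case. Where the failure counter is incremented is outside these hunks, so it should be confirmed that a fast genuine rejection is still counted. At minimum the trade-off belongs in the comment, e.g. `// NOTE: a genuine rejection within 1 s of service start is also treated as unavailable and skips the failure handling below.` Separately, `log("Generating _verificationFailed!");` reads like leftover debugging, and `serviceName == FINGERPRINT_SERVICE_NAME` should use `===` like the existing comparison in `_verificationFailed`.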

file added
+221
@@ -0,0 +1,221 @@ 

+ From e7998b4d5547d65d88c56d428a65c9fb3bbeadb0 Mon Sep 17 00:00:00 2001

+ From: Ray Strode <rstrode@redhat.com>

+ Date: Wed, 28 Apr 2021 10:36:46 -0400

+ Subject: [PATCH 1/5] authPrompt: Don't clear querying service unless querying

+  service fails

+ 

+ At the moment we treat a failure in any service as a signal to stop

+ tracking users responses to service questions.

+ 

+ This commit makes sure we don't stop waiting for answers if a background

+ service fails.

+ ---

+  js/gdm/authPrompt.js | 7 +++++--

+  1 file changed, 5 insertions(+), 2 deletions(-)

+ 

+ diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js

+ index d2c9a16594..c182d74318 100644

+ --- a/js/gdm/authPrompt.js

+ +++ b/js/gdm/authPrompt.js

+ @@ -280,8 +280,11 @@ var AuthPrompt = GObject.registerClass({

+  

+      _onVerificationFailed(userVerifier, serviceName, canRetry) {

+          const wasQueryingService = this._queryingService === serviceName;

+ -        this._queryingService = null;

+ -        this.clear();

+ +

+ +        if (wasQueryingService) {

+ +            this._queryingService = null;

+ +            this.clear();

+ +        }

+  

+          this.updateSensitivity(canRetry);

+          this.setActorInDefaultButtonWell(null);

+ -- 

+ GitLab

+ 

+ 

+ From ca290737ab3ecb028f03c9189dac6131e2dcf3bc Mon Sep 17 00:00:00 2001

+ From: Ray Strode <rstrode@redhat.com>

+ Date: Wed, 28 Apr 2021 10:38:58 -0400

+ Subject: [PATCH 2/5] authPrompt: Don't fail auth prompt until user is out of

+  retries

+ 

+ At the moment we set the state of the auth prompt to failed any

+ time the user fails an attempt. But verification is still going

+ on until the user exhausts all attempts, so that's wrong.

+ 

+ This commit changes it to only set the state to failed when the

+ user is out of tries.

+ ---

+  js/gdm/authPrompt.js | 4 +++-

+  1 file changed, 3 insertions(+), 1 deletion(-)

+ 

+ diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js

+ index c182d74318..d111cadd1b 100644

+ --- a/js/gdm/authPrompt.js

+ +++ b/js/gdm/authPrompt.js

+ @@ -288,7 +288,9 @@ var AuthPrompt = GObject.registerClass({

+  

+          this.updateSensitivity(canRetry);

+          this.setActorInDefaultButtonWell(null);

+ -        this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;

+ +

+ +        if (!canRetry)

+ +            this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;

+  

+          if (wasQueryingService)

+              Util.wiggle(this._entry);

+ -- 

+ GitLab

+ 

+ 

+ From 36ccf63b7a219b7e0eb11158f39c8823a25eb058 Mon Sep 17 00:00:00 2001

+ From: Ray Strode <rstrode@redhat.com>

+ Date: Wed, 28 Apr 2021 10:42:14 -0400

+ Subject: [PATCH 3/5] gdm: Flip canRetry boolean to doneTrying on verification

+  failure

+ 

+ This commit just flips a boolean in the verification failed handler

+ to make things easier to read.

+ ---

+  js/gdm/util.js | 33 +++++++++++++++++----------------

+  1 file changed, 17 insertions(+), 16 deletions(-)

+ 

+ diff --git a/js/gdm/util.js b/js/gdm/util.js

+ index 1ee84acde2..bb120a81c2 100644

+ --- a/js/gdm/util.js

+ +++ b/js/gdm/util.js

+ @@ -685,29 +685,19 @@ var ShellUserVerifier = class {

+              (this._reauthOnly || this._failCounter < this.allowedFailures);

+      }

+  

+ -    _verificationFailed(serviceName, retry) {

+ +    _verificationFailed(serviceName, shouldRetry) {

+          // For Not Listed / enterprise logins, immediately reset

+          // the dialog

+          // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.

+          // After that, we go back to the welcome screen.

+  

+ -        const canRetry = retry && this._canRetry();

+ -

+          this._disconnectSignals();

+ +

+          this._filterServiceMessages(serviceName, MessageType.ERROR);

+  

+ -        if (canRetry) {

+ -            if (!this.hasPendingMessages) {

+ -                this._retry(serviceName);

+ -            } else {

+ -                const cancellable = this._cancellable;

+ -                let signalId = this.connect('no-more-messages', () => {

+ -                    this.disconnect(signalId);

+ -                    if (!cancellable.is_cancelled())

+ -                        this._retry(serviceName);

+ -                });

+ -            }

+ -        } else {

+ +        const doneTrying = !shouldRetry || !this._canRetry();

+ +

+ +        if (doneTrying) {

+              // eslint-disable-next-line no-lonely-if

+              if (!this.hasPendingMessages) {

+                  this._cancelAndReset();

+ @@ -721,7 +711,18 @@ var ShellUserVerifier = class {

+              }

+          }

+  

+ -        this.emit('verification-failed', serviceName, canRetry);

+ +        this.emit('verification-failed', serviceName, !doneTrying);

+ +

+ +        if (!this.hasPendingMessages) {

+ +            this._retry(serviceName);

+ +        } else {

+ +            const cancellable = this._cancellable;

+ +            let signalId = this.connect('no-more-messages', () => {

+ +                this.disconnect(signalId);

+ +                if (!cancellable.is_cancelled())

+ +                    this._retry(serviceName);

+ +            });

+ +        }

+      }

+  

+      _onServiceUnavailable(_client, serviceName, errorMessage) {

+ -- 

+ GitLab

+ 

+ 

+ From de06a365e968691a4c2b39de8d5903a92f3663ec Mon Sep 17 00:00:00 2001

+ From: Ray Strode <rstrode@redhat.com>

+ Date: Wed, 28 Apr 2021 10:44:56 -0400

+ Subject: [PATCH 4/5] gdm: Only disconect verification signals when not going

+  to retry

+ 

+ At the moment a failure in a background service can lead to the

+ various verification signals getting disconnected, even though

+ we still need them for a foreground service.

+ 

+ This commit changes the code to only disconnect when we've run

+ out of tries.

+ ---

+  js/gdm/util.js | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+ 

+ diff --git a/js/gdm/util.js b/js/gdm/util.js

+ index bb120a81c2..bdc14b7519 100644

+ --- a/js/gdm/util.js

+ +++ b/js/gdm/util.js

+ @@ -691,13 +691,13 @@ var ShellUserVerifier = class {

+          // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.

+          // After that, we go back to the welcome screen.

+  

+ -        this._disconnectSignals();

+ -

+          this._filterServiceMessages(serviceName, MessageType.ERROR);

+  

+          const doneTrying = !shouldRetry || !this._canRetry();

+  

+          if (doneTrying) {

+ +            this._disconnectSignals();

+ +

+              // eslint-disable-next-line no-lonely-if

+              if (!this.hasPendingMessages) {

+                  this._cancelAndReset();

+ -- 

+ GitLab

+ 

+ 

+ From 70f1e4a0d41956a5e91c31bea4d0060c9eb0bf45 Mon Sep 17 00:00:00 2001

+ From: Benjamin Berg <bberg@redhat.com>

+ Date: Wed, 28 Apr 2021 18:32:22 +0200

+ Subject: [PATCH 5/5] gdm: Remove pending fingerprint verification failure

+ 

+ It can happen that we get a problem report and a verification failure at

+ the same time. For fingerprint, a problem report can result in an

+ internal verification failure to be queued.

+ 

+ Remove this queued failure again if we got a failure already from GDM

+ directly.

+ ---

+  js/gdm/util.js | 5 +++++

+  1 file changed, 5 insertions(+)

+ 

+ diff --git a/js/gdm/util.js b/js/gdm/util.js

+ index bdc14b7519..b02cd4d734 100644

+ --- a/js/gdm/util.js

+ +++ b/js/gdm/util.js

+ @@ -686,6 +686,11 @@ var ShellUserVerifier = class {

+      }

+  

+      _verificationFailed(serviceName, shouldRetry) {

+ +        if (serviceName === FINGERPRINT_SERVICE_NAME) {

+ +            if (this._fingerprintFailedId)

+ +                GLib.source_remove(this._fingerprintFailedId);

+ +        }

+ +

+          // For Not Listed / enterprise logins, immediately reset

+          // the dialog

+          // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.

+ -- 

+ GitLab

+ 
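Review bot: In patch 3/5 the `_retry(serviceName)` block that used to sit under `if (canRetry)` now follows the `emit` with no guard visible in the hunk, so it appears to run even when `doneTrying` is true, that is, after `_cancelAndReset()` and once the allowed failures are used up. The commit message describes the change as only flipping a boolean, so this is either unintended or needs its own explanation. If it is unintended, wrap the block in `if (!doneTrying) { … }`. The lines between the two hunks are not shown, so check this against the full function. Patch 5/5 also removes the timeout source without clearing its id; adding `this._fingerprintFailedId = 0;` after `GLib.source_remove(this._fingerprintFailedId);` would stop a later failure from removing a stale source id.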

file modified
+10 -3
@@ -2,7 +2,7 @@ 

  

  Name:           gnome-shell

  Version:        40.0

- Release:        4%{?dist}

+ Release:        5%{?dist}

  Summary:        Window management and application launching for GNOME

  

  License:        GPLv2+
@@ -20,8 +20,11 @@ 

  Patch10002: 0001-workspacesView-Fix-PgUp-PgDown-shortcut.patch

  Patch10003: 0002-workspacesView-Don-t-tie-PgUp-PgDown-to-mapped-state.patch

  

- # Some users might have a broken PAM config, so we really need this

- Patch10004: 0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch

+ # Some users might have a broken PAM config, so we really need this.

+ # The upstream patchset fixes password auth after a fingerprint failure.

+ # The second is a downstream patch to stop trying on configuration errors.

+ Patch10004: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1821.patch

+ Patch10005: 0001-gdm-Work-around-failing-fingerprint-auth.patch

  

  

  %define eds_version 3.33.1
@@ -237,6 +240,10 @@ 

  %{_mandir}/man1/gnome-shell.1*

  

  %changelog

+ * Wed Apr 28 2021 Benjamin Berg <bberg@redhat.com> - 40.0-5

+ - Update fix for password auth after background service failure

+   Related: #1942443

+ 

  * Fri Apr 23 2021 Benjamin Berg <bberg@redhat.com> - 40.0-4

  - Fix password auth after secondary service failure

    Related: #1942443
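Review bot: `Patch10004` now names a merge-request URL, which is not a fixed reference. The content served at `merge_requests/1821.patch` changes whenever the merge request is updated, so the URL no longer identifies the 221-line file added in this pull request. Record the snapshot next to the tag, for example `# Snapshot of upstream MR 1821 at 70f1e4a0d419 (5 patches)`, so that a later download that differs is noticed and reviewed rather than silently replacing an authentication patch. The comment above could also say which tag is "the second" patch, since `Patch10005` is the downstream one.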

Pull-Request has been closed by benzea

a year ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci