PR#12: Update fix for password auth after background service failure - rpms/gnome-shell

rpms / gnome-shell

#12 Update fix for password auth after background service failure

Closed a year ago by benzea. Opened a year ago by benzea.

rpms/ benzea/gnome-shell f34 into f34

Update fix for password auth after background service failure

Benjamin Berg • a year ago

db6b665

0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch

file removed

-34

		`@@ -1,34 +0,0 @@`
		`- From 0074c6870b284578d25c06b61ab8011cf8bbb8da Mon Sep 17 00:00:00 2001`
		`- From: Benjamin Berg <bberg@redhat.com>`
		`- Date: Fri, 23 Apr 2021 19:44:52 +0200`
		`- Subject: [PATCH] gdm: Only emit verification failed for foreground service`
		`-`
		`- A failing background service should not count as a verification failure`
		`- as the user can still try to continue using the current foreground`
		`- service.`
		`-`
		`- As such, only emit the 'verification-failed' signal when the failing`
		`- service was the foreground service.`
		`-`
		`- Closes: #3853`
		`- ---`
		`- js/gdm/util.js \| 3 ++-`
		`- 1 file changed, 2 insertions(+), 1 deletion(-)`
		`-`
		`- diff --git a/js/gdm/util.js b/js/gdm/util.js`
		`- index 1ee84acde..e7e575dba 100644`
		`- --- a/js/gdm/util.js`
		`- +++ b/js/gdm/util.js`
		`- @@ -721,7 +721,8 @@ var ShellUserVerifier = class {`
		`- }`
		`- }`
		`-`
		`- - this.emit('verification-failed', serviceName, canRetry);`
		`- + if (this.serviceIsForeground(serviceName))`
		`- + this.emit('verification-failed', serviceName, canRetry);`
		`- }`
		`-`
		`- _onServiceUnavailable(_client, serviceName, errorMessage) {`
		`- --`
		`- 2.30.2`
		`-`

0001-gdm-Work-around-failing-fingerprint-auth.patch

file added

+67

		`@@ -0,0 +1,67 @@`
		`+ From 22df9fa5e3c973d5a194f2bbdbcdd4a64511bc93 Mon Sep 17 00:00:00 2001`
		`+ From: Benjamin Berg <bberg@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 16:50:03 +0200`
		`+ Subject: [PATCH] gdm: Work around failing fingerprint auth`
		`+`
		`+ On Fedora we have the problem that fingerprint auth fails immediately if`
		`+ the PAM configuration has not been updated and no prints are enrolled.`
		`+`
		`+ So, consider a verification failure within one second to be a service`
		`+ failure instead.`
		`+ ---`
		`+ js/gdm/util.js \| 18 ++++++++++++++++++`
		`+ 1 file changed, 18 insertions(+)`
		`+`
		`+ diff --git a/js/gdm/util.js b/js/gdm/util.js`
		`+ index b02cd4d73..118a05100 100644`
		`+ --- a/js/gdm/util.js`
		`+ +++ b/js/gdm/util.js`
		`+ @@ -157,6 +157,7 @@ var ShellUserVerifier = class {`
		`+ null,`
		`+ null,`
		`+ Gio.DBusProxyFlags.DO_NOT_LOAD_PROPERTIES);`
		`+ + this._fprintStartTime = -1;`
		`+ this._smartcardManager = SmartcardManager.getSmartcardManager();`
		`+`
		`+ // We check for smartcards right away, since an inserted smartcard`
		`+ @@ -543,6 +544,10 @@ var ShellUserVerifier = class {`
		`+ async _startService(serviceName) {`
		`+ this._hold.acquire();`
		`+ try {`
		`+ + if (serviceName == FINGERPRINT_SERVICE_NAME) {`
		`+ + this._fprintStartTime = GLib.get_monotonic_time();`
		`+ + }`
		`+ +`
		`+ if (this._userName) {`
		`+ await this._userVerifier.call_begin_verification_for_user(`
		`+ serviceName, this._userName, this._cancellable);`
		`+ @@ -624,6 +629,7 @@ var ShellUserVerifier = class {`
		`+ const cancellable = this._cancellable;`
		`+ this._fingerprintFailedId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,`
		`+ FINGERPRINT_ERROR_TIMEOUT_WAIT, () => {`
		`+ + log("Generating _verificationFailed!");`
		`+ this._fingerprintFailedId = 0;`
		`+ if (!cancellable.is_cancelled())`
		`+ this._verificationFailed(serviceName, false);`
		`+ @@ -689,6 +695,18 @@ var ShellUserVerifier = class {`
		`+ if (serviceName === FINGERPRINT_SERVICE_NAME) {`
		`+ if (this._fingerprintFailedId)`
		`+ GLib.source_remove(this._fingerprintFailedId);`
		`+ +`
		`+ + // On Fedora we have the problem that fingerprint auth fails`
		`+ + // immediately if the PAM configuration has not been updated and no`
		`+ + // prints are enrolled.`
		`+ + // So, consider a verification failure within one second to be a service`
		`+ + // failure instead.`
		`+ + if (this._fprintStartTime > GLib.get_monotonic_time() - GLib.USEC_PER_SEC) {`
		`+ + log("Fingerprint service failed almost immediately, considering it unavailable.");`
		`+ + log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");`
		`+ + this._onServiceUnavailable(this._client, serviceName, null);`
		`+ + return;`
		`+ + }`
		`+ }`
		`+`
		`+ // For Not Listed / enterprise logins, immediately reset`
		`+ --`
		`+ 2.31.1`
		`+`

1821.patch

file added

+221

		`@@ -0,0 +1,221 @@`
		`+ From e7998b4d5547d65d88c56d428a65c9fb3bbeadb0 Mon Sep 17 00:00:00 2001`
		`+ From: Ray Strode <rstrode@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 10:36:46 -0400`
		`+ Subject: [PATCH 1/5] authPrompt: Don't clear querying service unless querying`
		`+ service fails`
		`+`
		`+ At the moment we treat a failure in any service as a signal to stop`
		`+ tracking users responses to service questions.`
		`+`
		`+ This commit makes sure we don't stop waiting for answers if a background`
		`+ service fails.`
		`+ ---`
		`+ js/gdm/authPrompt.js \| 7 +++++--`
		`+ 1 file changed, 5 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js`
		`+ index d2c9a16594..c182d74318 100644`
		`+ --- a/js/gdm/authPrompt.js`
		`+ +++ b/js/gdm/authPrompt.js`
		`+ @@ -280,8 +280,11 @@ var AuthPrompt = GObject.registerClass({`
		`+`
		`+ _onVerificationFailed(userVerifier, serviceName, canRetry) {`
		`+ const wasQueryingService = this._queryingService === serviceName;`
		`+ - this._queryingService = null;`
		`+ - this.clear();`
		`+ +`
		`+ + if (wasQueryingService) {`
		`+ + this._queryingService = null;`
		`+ + this.clear();`
		`+ + }`
		`+`
		`+ this.updateSensitivity(canRetry);`
		`+ this.setActorInDefaultButtonWell(null);`
		`+ --`
		`+ GitLab`
		`+`
		`+`
		`+ From ca290737ab3ecb028f03c9189dac6131e2dcf3bc Mon Sep 17 00:00:00 2001`
		`+ From: Ray Strode <rstrode@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 10:38:58 -0400`
		`+ Subject: [PATCH 2/5] authPrompt: Don't fail auth prompt until user is out of`
		`+ retries`
		`+`
		`+ At the moment we set the state of the auth prompt to failed any`
		`+ time the user fails an attempt. But verification is still going`
		`+ on until the user exhausts all attempts, so that's wrong.`
		`+`
		`+ This commit changes it to only set the state to failed when the`
		`+ user is out of tries.`
		`+ ---`
		`+ js/gdm/authPrompt.js \| 4 +++-`
		`+ 1 file changed, 3 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/js/gdm/authPrompt.js b/js/gdm/authPrompt.js`
		`+ index c182d74318..d111cadd1b 100644`
		`+ --- a/js/gdm/authPrompt.js`
		`+ +++ b/js/gdm/authPrompt.js`
		`+ @@ -288,7 +288,9 @@ var AuthPrompt = GObject.registerClass({`
		`+`
		`+ this.updateSensitivity(canRetry);`
		`+ this.setActorInDefaultButtonWell(null);`
		`+ - this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;`
		`+ +`
		`+ + if (!canRetry)`
		`+ + this.verificationStatus = AuthPromptStatus.VERIFICATION_FAILED;`
		`+`
		`+ if (wasQueryingService)`
		`+ Util.wiggle(this._entry);`
		`+ --`
		`+ GitLab`
		`+`
		`+`
		`+ From 36ccf63b7a219b7e0eb11158f39c8823a25eb058 Mon Sep 17 00:00:00 2001`
		`+ From: Ray Strode <rstrode@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 10:42:14 -0400`
		`+ Subject: [PATCH 3/5] gdm: Flip canRetry boolean to doneTrying on verification`
		`+ failure`
		`+`
		`+ This commit just flips a boolean in the verification failed handler`
		`+ to make things easier to read.`
		`+ ---`
		`+ js/gdm/util.js \| 33 +++++++++++++++++----------------`
		`+ 1 file changed, 17 insertions(+), 16 deletions(-)`
		`+`
		`+ diff --git a/js/gdm/util.js b/js/gdm/util.js`
		`+ index 1ee84acde2..bb120a81c2 100644`
		`+ --- a/js/gdm/util.js`
		`+ +++ b/js/gdm/util.js`
		`+ @@ -685,29 +685,19 @@ var ShellUserVerifier = class {`
		`+ (this._reauthOnly \|\| this._failCounter < this.allowedFailures);`
		`+ }`
		`+`
		`+ - _verificationFailed(serviceName, retry) {`
		`+ + _verificationFailed(serviceName, shouldRetry) {`
		`+ // For Not Listed / enterprise logins, immediately reset`
		`+ // the dialog`
		`+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.`
		`+ // After that, we go back to the welcome screen.`
		`+`
		`+ - const canRetry = retry && this._canRetry();`
		`+ -`
		`+ this._disconnectSignals();`
		`+ +`
		`+ this._filterServiceMessages(serviceName, MessageType.ERROR);`
		`+`
		`+ - if (canRetry) {`
		`+ - if (!this.hasPendingMessages) {`
		`+ - this._retry(serviceName);`
		`+ - } else {`
		`+ - const cancellable = this._cancellable;`
		`+ - let signalId = this.connect('no-more-messages', () => {`
		`+ - this.disconnect(signalId);`
		`+ - if (!cancellable.is_cancelled())`
		`+ - this._retry(serviceName);`
		`+ - });`
		`+ - }`
		`+ - } else {`
		`+ + const doneTrying = !shouldRetry \|\| !this._canRetry();`
		`+ +`
		`+ + if (doneTrying) {`
		`+ // eslint-disable-next-line no-lonely-if`
		`+ if (!this.hasPendingMessages) {`
		`+ this._cancelAndReset();`
		`+ @@ -721,7 +711,18 @@ var ShellUserVerifier = class {`
		`+ }`
		`+ }`
		`+`
		`+ - this.emit('verification-failed', serviceName, canRetry);`
		`+ + this.emit('verification-failed', serviceName, !doneTrying);`
		`+ +`
		`+ + if (!this.hasPendingMessages) {`
		`+ + this._retry(serviceName);`
		`+ + } else {`
		`+ + const cancellable = this._cancellable;`
		`+ + let signalId = this.connect('no-more-messages', () => {`
		`+ + this.disconnect(signalId);`
		`+ + if (!cancellable.is_cancelled())`
		`+ + this._retry(serviceName);`
		`+ + });`
		`+ + }`
		`+ }`
		`+`
		`+ _onServiceUnavailable(_client, serviceName, errorMessage) {`
		`+ --`
		`+ GitLab`
		`+`
		`+`
		`+ From de06a365e968691a4c2b39de8d5903a92f3663ec Mon Sep 17 00:00:00 2001`
		`+ From: Ray Strode <rstrode@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 10:44:56 -0400`
		`+ Subject: [PATCH 4/5] gdm: Only disconect verification signals when not going`
		`+ to retry`
		`+`
		`+ At the moment a failure in a background service can lead to the`
		`+ various verification signals getting disconnected, even though`
		`+ we still need them for a foreground service.`
		`+`
		`+ This commit changes the code to only disconnect when we've run`
		`+ out of tries.`
		`+ ---`
		`+ js/gdm/util.js \| 4 ++--`
		`+ 1 file changed, 2 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/js/gdm/util.js b/js/gdm/util.js`
		`+ index bb120a81c2..bdc14b7519 100644`
		`+ --- a/js/gdm/util.js`
		`+ +++ b/js/gdm/util.js`
		`+ @@ -691,13 +691,13 @@ var ShellUserVerifier = class {`
		`+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.`
		`+ // After that, we go back to the welcome screen.`
		`+`
		`+ - this._disconnectSignals();`
		`+ -`
		`+ this._filterServiceMessages(serviceName, MessageType.ERROR);`
		`+`
		`+ const doneTrying = !shouldRetry \|\| !this._canRetry();`
		`+`
		`+ if (doneTrying) {`
		`+ + this._disconnectSignals();`
		`+ +`
		`+ // eslint-disable-next-line no-lonely-if`
		`+ if (!this.hasPendingMessages) {`
		`+ this._cancelAndReset();`
		`+ --`
		`+ GitLab`
		`+`
		`+`
		`+ From 70f1e4a0d41956a5e91c31bea4d0060c9eb0bf45 Mon Sep 17 00:00:00 2001`
		`+ From: Benjamin Berg <bberg@redhat.com>`
		`+ Date: Wed, 28 Apr 2021 18:32:22 +0200`
		`+ Subject: [PATCH 5/5] gdm: Remove pending fingerprint verification failure`
		`+`
		`+ It can happen that we get a problem report and a verification failure at`
		`+ the same time. For fingerprint, a problem report can result in an`
		`+ internal verification failure to be queued.`
		`+`
		`+ Remove this queued failure again if we got a failure already from GDM`
		`+ directly.`
		`+ ---`
		`+ js/gdm/util.js \| 5 +++++`
		`+ 1 file changed, 5 insertions(+)`
		`+`
		`+ diff --git a/js/gdm/util.js b/js/gdm/util.js`
		`+ index bdc14b7519..b02cd4d734 100644`
		`+ --- a/js/gdm/util.js`
		`+ +++ b/js/gdm/util.js`
		`+ @@ -686,6 +686,11 @@ var ShellUserVerifier = class {`
		`+ }`
		`+`
		`+ _verificationFailed(serviceName, shouldRetry) {`
		`+ + if (serviceName === FINGERPRINT_SERVICE_NAME) {`
		`+ + if (this._fingerprintFailedId)`
		`+ + GLib.source_remove(this._fingerprintFailedId);`
		`+ + }`
		`+ +`
		`+ // For Not Listed / enterprise logins, immediately reset`
		`+ // the dialog`
		`+ // Otherwise, when in login mode we allow ALLOWED_FAILURES attempts.`
		`+ --`
		`+ GitLab`
		`+`

gnome-shell.spec

file modified

+10 -3

		`@@ -2,7 +2,7 @@`

		`Name: gnome-shell`
		`Version: 40.0`
		`- Release: 4%{?dist}`
		`+ Release: 5%{?dist}`
		`Summary: Window management and application launching for GNOME`

		`License: GPLv2+`
		`@@ -20,8 +20,11 @@`
		`Patch10002: 0001-workspacesView-Fix-PgUp-PgDown-shortcut.patch`
		`Patch10003: 0002-workspacesView-Don-t-tie-PgUp-PgDown-to-mapped-state.patch`

		`- # Some users might have a broken PAM config, so we really need this`
		`- Patch10004: 0001-gdm-Only-emit-verification-failed-for-foreground-ser.patch`
		`+ # Some users might have a broken PAM config, so we really need this.`
		`+ # The upstream patchset fixes password auth after a fingerprint failure.`
		`+ # The second is a downstream patch to stop trying on configuration errors.`
		`+ Patch10004: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1821.patch`
		`+ Patch10005: 0001-gdm-Work-around-failing-fingerprint-auth.patch`


		`%define eds_version 3.33.1`
		`@@ -237,6 +240,10 @@`
		`%{_mandir}/man1/gnome-shell.1*`

		`%changelog`
		`+ * Wed Apr 28 2021 Benjamin Berg <bberg@redhat.com> - 40.0-5`
		`+ - Update fix for password auth after background service failure`
		`+ Related: #1942443`
		`+`
		`* Fri Apr 23 2021 Benjamin Berg <bberg@redhat.com> - 40.0-4`
		`- Fix password auth after secondary service failure`
		`Related: #1942443`