packages/kiran-authentication-service
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:9ca8030f9417f63ceb83b29446f684c880f35727
Branches Tags
packages:main
...
compare: packages:de0451207f0c3fd71dfad6efbdda72d4e12bca40
Branches Tags
packages:main

11 Commits
9ca8030f94 ... de0451207f

Author SHA1 Message Date
openeuler-ci-bot
de0451207f
!44 【轻量级 PR】:update kiran-authentication-service.yaml. 
From: @licihua 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
 2024-01-05 07:18:36 +00:00
Monday
a98c8a136f
update kiran-authentication-service.yaml. 
#https://gitee.com/openeuler/openEuler-Advisor/issues/I8T5SR?from=project-issue

Signed-off-by: Monday <licihua@huawei.com>
 2024-01-04 08:45:58 +00:00
openeuler-ci-bot
b162d13bf2
!41 在kiranUI-2.5中适配qt5.10以下的版本 
From: @niko_yhc 
Reviewed-by: @liubuguiii 
Signed-off-by: @liubuguiii
 2023-09-11 02:18:53 +00:00
niko_yhc
015965560a fix(kiran-authentication-service):fix for versions earlier than qt5.10 in kiranUI-2.5 
- 在kiranUI-2.5中适配qt5.10以下的版本

Closes:#15019
 2023-09-11 09:54:27 +08:00
openeuler-ci-bot
59623d4b72
!38 细分错误原因,根据原因以及模式不同,判断是否记录错误 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
 2023-06-19 09:47:00 +00:00
liuxinhao
268efd4b29 细分错误原因,根据原因以及模式不同,判断是否记录错误 2023-06-15 17:27:10 +08:00
openeuler-ci-bot
b638ead1e0
!35 修改多路认证情况下,如果认证失败,交由failock模块计数 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
 2023-06-03 11:17:03 +00:00
liuxinhao
0da21be046 改多路认证情况下,如果认证失败,交由failock模块计数 2023-06-03 17:13:24 +08:00
openeuler-ci-bot
099a18dc1c
!32 修复部分问题 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
 2023-06-02 09:06:37 +00:00
liuxinhao
2e5f30a061 更新部分问题: 
- 多因子登录禁止跳转登录
- 修复更新默认认证设备的逻辑,更新翻译
- 多因子认证,处理只有密码认证的情况
- 设备适配器不更新不存在的默认设备
 2023-06-02 15:21:23 +08:00
openeuler-ci-bot
18c3372cf7
!29 修复部分第一轮测试出现的问题 
From: @liubuguiii 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02
 2023-05-31 11:54:41 +00:00
9 changed files with 855 additions and 4 deletions
Show Stats Expand all files Collapse all files

43
0006-fix-default-device-Device-adapters-do-not-update-def.patch Normal file
View File

@ -0,0 +1,43 @@
From d5b850a0249c2f2b19341acc5bd3a72eebcfa626 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Fri, 2 Jun 2023 14:46:07 +0800
Subject: [PATCH 6/9] fix(default device): Device adapters do not update
default devices that do not exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 设备适配器不更新不存在的默认设备
---
src/daemon/device/device-adaptor-factory.cpp | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/daemon/device/device-adaptor-factory.cpp b/src/daemon/device/device-adaptor-factory.cpp
index d3ffe19..531e0d9 100644
--- a/src/daemon/device/device-adaptor-factory.cpp
+++ b/src/daemon/device/device-adaptor-factory.cpp
@@ -189,11 +189,16 @@ void DeviceAdaptorFactory::onDefaultDeviceChanged(int authType,
const QString &deviceID)
{
auto deviceAdaptor = this->getDeviceAdaptor(authType);
- if (deviceAdaptor && deviceAdaptor->getDeviceID() != deviceID)
- {
- auto dbusDeviceProxy = this->getDBusDeviceProxy(authType, deviceID);
- deviceAdaptor->updateDBusDeviceProxy(dbusDeviceProxy);
- }
+ // 当前不存在设备设配器的情况,不更新设备适配器代理,需要时会优先考虑默认设备
+ // 设备适配器已使用默认设备代理,不需要更新设备适配器
+ RETURN_IF_FALSE(deviceAdaptor && deviceAdaptor->getDeviceID()!=deviceID);
+
+ // 尝试通过默认设备ID拿到设备代理
+ auto recommendedDeviceProxy = this->getDBusDeviceProxy(authType, deviceID);
+ // 未能拿到设备,或者拿不到默认设备,不更新设备适配器代理
+ RETURN_IF_FALSE( recommendedDeviceProxy && recommendedDeviceProxy->deviceID()==deviceID);
+
+ deviceAdaptor->updateDBusDeviceProxy(recommendedDeviceProxy);
}
void DeviceAdaptorFactory::onAuthDeviceManagerLost(const QString &service)
--
2.33.0

74
0007-fix-multi-factor-Multifactor-authentication-handling.patch Normal file
View File

@ -0,0 +1,74 @@
From f32c0200d2bc9c537b45b37e9b4d246fd330f362 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Fri, 2 Jun 2023 15:03:46 +0800
Subject: [PATCH 7/9] fix(multi-factor): Multifactor authentication, handling
only password authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 多因子认证,处理只有密码认证的情况
---
src/daemon/session.cpp | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index e8c516b..291f9fc 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -132,7 +132,7 @@ void Session::StartAuth()
this->m_verifyInfo.m_inAuth = true;
this->m_verifyInfo.m_dbusMessage = this->message();
this->startPhaseAuth();
-}
+}
void Session::StopAuth()
{
@@ -230,7 +230,7 @@ void Session::onIdentifyStatus(const QString &bid, int result, const QString &me
{
Q_EMIT this->AuthMessage(verifyResultStr, KADMessageType::KAD_MESSAGE_TYPE_INFO);
}
- else if(result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
+ else if (result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
{
Q_EMIT this->AuthMessage(verifyResultStr, KADMessageType::KAD_MESSAGE_TYPE_ERROR);
}
@@ -283,9 +283,14 @@ void Session::startUkeyAuth()
void Session::startPasswdAuth()
{
KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+
this->m_verifyInfo.m_inAuth = true;
- this->m_verifyInfo.m_authenticatedUserName = m_userName;
- this->finishPhaseAuth(true,false);
+ if (this->m_verifyInfo.m_authenticatedUserName.isEmpty())
+ {
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
+ }
+
+ this->finishPhaseAuth(true, false);
}
void Session::startGeneralAuth(const QString &extraInfo)
@@ -305,7 +310,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
{
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
- Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
this->finishPhaseAuth(false, false);
return;
@@ -359,7 +364,7 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
break;
case KADAuthMode::KAD_AUTH_MODE_AND:
{
- if( this->m_authOrderWaiting.size() > 0 )
+ if (this->m_authOrderWaiting.size() > 0)
{
this->m_authOrderWaiting.removeOne(this->m_authType);
}
--
2.33.0

61
0008-fix-default-device-Update-the-logic-of-the-default-a.patch Normal file
View File

@ -0,0 +1,61 @@
From 17523794f035c7e66c232a799830c994da1a8a1b Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Fri, 2 Jun 2023 15:05:34 +0800
Subject: [PATCH 8/9] fix(default device): Update the logic of the default
authentication device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复更新默认认证设备的逻辑,更新翻译
---
src/daemon/device/device-adaptor.cpp | 7 +++++--
translations/kiran-authentication-daemon.zh_CN.ts | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/daemon/device/device-adaptor.cpp b/src/daemon/device/device-adaptor.cpp
index 32c768f..369554d 100644
--- a/src/daemon/device/device-adaptor.cpp
+++ b/src/daemon/device/device-adaptor.cpp
@@ -92,13 +92,14 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
{
RETURN_IF_FALSE(dbusDeviceProxy);
+ DEVICE_DEBUG() << "update auth device";
if (!this->m_dbusDeviceProxy ||
this->m_dbusDeviceProxy->deviceID() != dbusDeviceProxy->deviceID())
{
if (this->m_dbusDeviceProxy)
{
- this->m_dbusDeviceProxy->disconnect();
- this->m_dbusDeviceProxy = nullptr;
+ this->m_dbusDeviceProxy->disconnect(this);
+ this->m_dbusDeviceProxy.clear();
}
this->m_dbusDeviceProxy = dbusDeviceProxy;
@@ -108,6 +109,8 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
+
+ DEVICE_DEBUG() << "update auth device finished";
this->schedule();
}
}
diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
index 8c03e2c..e74195f 100644
--- a/translations/kiran-authentication-daemon.zh_CN.ts
+++ b/translations/kiran-authentication-daemon.zh_CN.ts
@@ -27,7 +27,7 @@
<translation>请输入PIN码。</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="308"/>
+ <location filename="../src/daemon/session.cpp" line="313"/>
<source>can not find %1 device</source>
<translation>未能检测到%1设备</translation>
</message>
--
2.33.0

29
0009-fix-multi-factor-multi-factor-no-jump-login.patch Normal file
View File

@ -0,0 +1,29 @@
From 9046f70a621f92a9eab590e380768b74d897d43e Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Fri, 2 Jun 2023 15:09:15 +0800
Subject: [PATCH 9/9] fix(multi-factor): multi-factor no jump login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 多因子登录禁止跳转登录
---
src/daemon/session.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index 291f9fc..5144da1 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -57,6 +57,8 @@ Session::Session(uint32_t sessionID,
if (m_authMode == KAD_AUTH_MODE_AND)
{
this->m_authOrderWaiting = authTypes;
+ // 多因子认证时,不允许调整用户登录
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
}
KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
--
2.33.0

30
0010-fix-multi-channel-auth-If-the-authentication-fails-t.patch Normal file
View File

@ -0,0 +1,30 @@
From 3af3972404b72f71851995e0d4e89bdb4ce29862 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Sat, 3 Jun 2023 17:08:16 +0800
Subject: [PATCH] fix(multi-channel auth): If the authentication fails, the
faillock module counts the data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修改多路认证情况下如果认证失败交由failock模块计数
---
data/kiran-authentication-service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index e0f2763..8bbbea7 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -6,7 +6,7 @@
# =========================认证配置项目================================ #
# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
-auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
+auth [success=done ignore=2 default=bad] pam_kiran_authentication.so doauth
# 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
#auth [success=2 default=bad] pam_kiran_authentication.so doauth
# ==================================================================== #
--
2.33.0

387
0011-feat-auth-error-Subdivide-the-cause-of-the-error-and.patch Normal file
View File

@ -0,0 +1,387 @@
From 32c665b09765c17d75e31340059b8c3f8183766e Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Mon, 5 Jun 2023 14:57:35 +0800
Subject: [PATCH] feat(auth error): Subdivide the cause of the error and
determine whether to record the error according to the cause and mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 细分错误原因根据原因以及模式不同判断是否记录错误例如多路认证不存在认证设备或认证被取消的情况下将不记录内部错误次数以及外部faillock次数
---
....kylinsec.Kiran.Authentication.Session.xml | 2 +
data/kiran-authentication-service | 2 +-
src/daemon/session.cpp | 146 +++++++++++-------
src/daemon/session.h | 17 +-
src/pam/authentication.cpp | 7 +
src/pam/authentication.h | 1 +
6 files changed, 118 insertions(+), 57 deletions(-)
diff --git a/data/com.kylinsec.Kiran.Authentication.Session.xml b/data/com.kylinsec.Kiran.Authentication.Session.xml
index ac737b8..b261dec 100644
--- a/data/com.kylinsec.Kiran.Authentication.Session.xml
+++ b/data/com.kylinsec.Kiran.Authentication.Session.xml
@@ -80,6 +80,8 @@
<signal name="AuthFailed" />
+ <signal name="AuthUnavail"/>
+
<signal name="AuthTypeChanged">
<arg name="authtype" type="i">
<description>The authentication type being or to be performed. Refer to enum AuthType in file kas-authentication-i.h.</description>
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index 8bbbea7..00acda3 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -6,7 +6,7 @@
# =========================认证配置项目================================ #
# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
-auth [success=done ignore=2 default=bad] pam_kiran_authentication.so doauth
+auth [success=done ignore=2 default=bad authinfo_unavail=die] pam_kiran_authentication.so doauth
# 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
#auth [success=2 default=bad] pam_kiran_authentication.so doauth
# ==================================================================== #
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index 5144da1..b679349 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -30,6 +30,7 @@
#include <QDBusConnectionInterface>
#include <QEventLoop>
#include <QJsonDocument>
+#include <QMetaEnum>
namespace Kiran
{
@@ -49,29 +50,27 @@ Session::Session(uint32_t sessionID,
{
this->m_dbusAdaptor = new SessionAdaptor(this);
this->m_objectPath = QDBusObjectPath(QString("%1/%2").arg(KAD_SESSION_DBUS_OBJECT_PATH).arg(this->m_sessionID));
- this->m_authMode = AuthManager::getInstance()->getAuthMode();
+ this->m_authMode = AuthManager::getInstance()->getAuthMode();
auto authTypes = AuthManager::getInstance()->GetAuthTypeByApp(m_authApplication);
this->m_authType = authTypes.count() > 0 ? authTypes.first() : KAD_AUTH_TYPE_NONE;
-
if (m_authMode == KAD_AUTH_MODE_AND)
{
this->m_authOrderWaiting = authTypes;
- // 多因子认证时,不允许调整用户登录
this->m_verifyInfo.m_authenticatedUserName = m_userName;
}
- KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
- .arg(m_authMode)
- .arg(m_loginUserSwitchable)
- .arg(Utils::authTypeEnum2Str(m_authType))
- .arg(Utils::authOrderEnum2Str(m_authOrderWaiting).join(","));
-
auto systemConnection = QDBusConnection::systemBus();
if (!systemConnection.registerObject(this->m_objectPath.path(), this))
{
KLOG_WARNING() << m_sessionID << "can't register object:" << systemConnection.lastError();
}
+
+ KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
+ .arg(m_authMode)
+ .arg(m_loginUserSwitchable)
+ .arg(Utils::authTypeEnum2Str(m_authType))
+ .arg(Utils::authOrderEnum2Str(m_authOrderWaiting).join(","));
}
Session::~Session()
@@ -206,7 +205,7 @@ void Session::interrupt()
void Session::cancel()
{
KLOG_DEBUG() << m_sessionID << "session (request id:" << this->m_verifyInfo.m_requestID << ") cancel";
- this->finishPhaseAuth(false, false);
+ this->finishPhaseAuth(SESSION_AUTH_CANCEL);
}
void Session::end()
@@ -244,7 +243,7 @@ void Session::onIdentifyStatus(const QString &bid, int result, const QString &me
if (result == IdentifyStatus::IDENTIFY_STATUS_MATCH ||
result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
{
- this->finishPhaseAuth(result == IdentifyStatus::IDENTIFY_STATUS_MATCH, m_authMode == KAD_AUTH_MODE_OR);
+ this->finishPhaseAuth(result == IDENTIFY_STATUS_MATCH ? SESSION_AUTH_MATCH : SESSION_AUTH_NOT_MATCH);
}
}
@@ -285,14 +284,14 @@ void Session::startUkeyAuth()
void Session::startPasswdAuth()
{
KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
-
+
this->m_verifyInfo.m_inAuth = true;
if (this->m_verifyInfo.m_authenticatedUserName.isEmpty())
{
this->m_verifyInfo.m_authenticatedUserName = m_userName;
}
-
- this->finishPhaseAuth(true, false);
+
+ this->finishPhaseAuth(SESSION_AUTH_PASSWD_AUTH_IGNORE);
}
void Session::startGeneralAuth(const QString &extraInfo)
@@ -303,7 +302,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,invalid auth type:" << m_authType;
Q_EMIT this->AuthMessage(tr(QString("Auth type %1 invalid").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
- this->finishPhaseAuth(false, false);
+ this->finishPhaseAuth(SESSION_AUTH_INTERNAL_ERROR);
return;
}
@@ -313,8 +312,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
-
- this->finishPhaseAuth(false, false);
+ this->finishPhaseAuth(SESSION_AUTH_NO_DEVICE);
return;
}
@@ -344,69 +342,94 @@ void Session::startGeneralAuth(const QString &extraInfo)
this->m_verifyInfo.deviceAdaptor->identify(this, doc.toJson(QJsonDocument::Compact));
}
-void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
+void Session::finishPhaseAuth(SessionAuthResult authResult)
{
+ auto authResultEnum = QMetaEnum::fromType<Session::SessionAuthResult>();
+ auto authResultKey = authResultEnum.valueToKey(authResult);
+
KLOG_DEBUG() << m_sessionID
<< "session finish phase auth, auth type:" << this->m_authType
- << "auth result:" << isSuccess
- << "record failure:" << recordFailure;
-
- // 如果阶段认证失败,则直接结束
- if (!isSuccess)
- {
- this->finishAuth(isSuccess, recordFailure);
- return;
- }
+ << "auth result:" << (authResultKey ? authResultKey : "NULL");
- // 阶段认证成功则进入下个阶段
- switch (this->m_authMode)
+ switch (authResult)
{
- case KADAuthMode::KAD_AUTH_MODE_OR:
- this->finishAuth(isSuccess, recordFailure);
- break;
- case KADAuthMode::KAD_AUTH_MODE_AND:
+ case SESSION_AUTH_MATCH:
+ case SESSION_AUTH_PASSWD_AUTH_IGNORE:
{
- if (this->m_authOrderWaiting.size() > 0)
+ if (this->m_authMode == KAD_AUTH_MODE_OR)
{
- this->m_authOrderWaiting.removeOne(this->m_authType);
- }
-
- if (this->m_authOrderWaiting.size() == 0)
- {
- this->finishAuth(isSuccess, recordFailure);
+ // 多路认证,认证一个通过即算通过
+ this->finishAuth(authResult);
}
else
{
- this->m_authType = this->m_authOrderWaiting.first();
- this->startPhaseAuth();
+ // 检测是否所有认证类型都已通过
+ // 存在还未认证,则继续开始认证
+ if (this->m_authOrderWaiting.size() > 0)
+ {
+ this->m_authOrderWaiting.removeOne(this->m_authType);
+ }
+
+ if (this->m_authOrderWaiting.size() == 0)
+ {
+ this->finishAuth(SESSION_AUTH_MATCH);
+ }
+ else
+ {
+ this->m_authType = this->m_authOrderWaiting.first();
+ this->startPhaseAuth();
+ }
}
break;
}
+ case SESSION_AUTH_NOT_MATCH:
+ case SESSION_AUTH_NO_DEVICE:
+ case SESSION_AUTH_CANCEL:
+ case SESSION_AUTH_INTERNAL_ERROR:
+ {
+ // 阶段认证失败,则算失败
+ this->finishAuth(authResult);
+ break;
+ }
default:
+ KLOG_ERROR() << m_sessionID << "invalid session auth result:" << authResult << (authResultKey ? authResultKey : "NULL");
break;
}
}
-void Session::finishAuth(bool isSuccess, bool recordFailure)
+void Session::finishAuth(SessionAuthResult authResult)
{
- KLOG_DEBUG() << m_sessionID << "finish auth"
- << "auth result:" << isSuccess
- << "record failure:" << recordFailure;
+ auto authResultEnum = QMetaEnum::fromType<Session::SessionAuthResult>();
+ auto authResultKey = authResultEnum.valueToKey(authResult);
+ KLOG_DEBUG() << m_sessionID << "finish auth\n"
+ << "auth result:" << (authResultKey ? authResultKey : "NULL");
const QString &authenticatedUserName = this->m_verifyInfo.m_authenticatedUserName;
- if (isSuccess && !authenticatedUserName.isEmpty())
+ bool isSuccess = (authResult == SESSION_AUTH_MATCH) || (authResult == SESSION_AUTH_PASSWD_AUTH_IGNORE);
+ if (isSuccess)
{
- // 认证成功,清空认证通过用户的生物认证错误次数(针对于登录过程中用户跳转)
- auto user = UserManager::getInstance()->findUser(authenticatedUserName);
- if (user)
+ if (authenticatedUserName.isEmpty())
{
- user->setFailures(0);
+ KLOG_ERROR() << "authentication succeeded, but the user name was empty!";
+ }
+ else
+ {
+ auto user = UserManager::getInstance()->findUser(authenticatedUserName);
+ if (user)
+ {
+ user->setFailures(0);
+ }
+ Q_EMIT this->AuthSuccessed(authenticatedUserName);
}
- Q_EMIT this->AuthSuccessed(authenticatedUserName);
}
else
{
- if (recordFailure)
+ // 是否记录内部错误,内部错误达到上限将不能使用生物认证,只能使用密码解锁
+ // 只在多路认证情况下,并且是特征不匹配的情况下记录
+ bool recordInternalFailure = (this->m_authMode == KAD_AUTH_MODE_OR) &&
+ (authResult == SESSION_AUTH_NOT_MATCH);
+
+ if (recordInternalFailure)
{
// 认证失败,未通过一次阶段认证,记录失败用户为发起登录请求的用户
const QString &currentUser = authenticatedUserName.isEmpty() ? m_userName : authenticatedUserName;
@@ -416,8 +439,23 @@ void Session::finishAuth(bool isSuccess, bool recordFailure)
user->setFailures(user->getFailures() + 1);
}
}
- Q_EMIT this->AuthFailed();
+
+ // 是否记录外部failock错误达到上限将会锁定账户
+ // 多因子认证情况下任何错误都将被failock记录
+ // 多路认证情况下只有特征不匹配才被failock记录
+ bool recordFailure = (this->m_authMode == KAD_AUTH_MODE_AND) ||
+ (authResult == SESSION_AUTH_NOT_MATCH);
+
+ if (recordFailure)
+ {
+ Q_EMIT this->AuthFailed();
+ }
+ else
+ {
+ Q_EMIT this->AuthUnavail();
+ }
}
+
m_verifyInfo.m_inAuth = false;
}
diff --git a/src/daemon/session.h b/src/daemon/session.h
index a850237..ed97a16 100644
--- a/src/daemon/session.h
+++ b/src/daemon/session.h
@@ -37,6 +37,18 @@ class Session : public QObject,
Q_PROPERTY(uint ID READ getID)
Q_PROPERTY(QString RSAPublicKey READ getRSAPublicKey)
Q_PROPERTY(QString Username READ getUsername)
+public:
+ enum SessionAuthResult
+ {
+ SESSION_AUTH_MATCH, // 特征匹配
+ SESSION_AUTH_NOT_MATCH, // 特征不匹配
+ SESSION_AUTH_PASSWD_AUTH_IGNORE, // 多因子认证模式,放行密码认证
+ SESSION_AUTH_NO_DEVICE, // 不存在该设备
+ SESSION_AUTH_CANCEL, // 认证会话被取消
+ SESSION_AUTH_INTERNAL_ERROR, // 内部错误
+ SESSION_AUTH_LAST
+ };
+ Q_ENUM(SessionAuthResult)
public:
// 如果只允许对特定用户进行认证,则创建对象时需要指定用户名
Session(uint32_t sessionID,
@@ -68,6 +80,7 @@ Q_SIGNALS: // SIGNALS
void AuthMessage(const QString &text, int type);
void AuthPrompt(const QString &text, int type);
void AuthSuccessed(const QString &username);
+ void AuthUnavail();
private:
struct SessionVerifyInfo
@@ -101,8 +114,8 @@ private:
void startPasswdAuth();
void startGeneralAuth(const QString &extraInfo = QString());
- void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
- void finishAuth(bool isSuccess,bool recordFailures = true);
+ void finishPhaseAuth(SessionAuthResult authResult);
+ void finishAuth(SessionAuthResult authResult);
bool matchUser(int32_t authType, const QString &dataID);
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 06bc010..0e3b6f0 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -271,6 +271,7 @@ bool Authentication::initSession()
connect(this->m_authSessionProxy, &AuthSessionProxy::AuthPrompt, this, &Authentication::onAuthPrompt);
connect(this->m_authSessionProxy, &AuthSessionProxy::AuthMessage, this, &Authentication::onAuthMessage);
connect(this->m_authSessionProxy, &AuthSessionProxy::AuthFailed, this, &Authentication::onAuthFailed);
+ connect(this->m_authSessionProxy, &AuthSessionProxy::AuthUnavail, this, &Authentication::onAuthUnavail);
connect(this->m_authSessionProxy, &AuthSessionProxy::AuthSuccessed, this, &Authentication::onAuthSuccessed);
this->m_pamHandle->syslog(LOG_DEBUG, QString("init session,%1").arg(m_sessionID));
return true;
@@ -335,6 +336,12 @@ void Authentication::onAuthFailed()
this->finishAuth(PAM_AUTH_ERR);
}
+void Authentication::onAuthUnavail()
+{
+ this->m_pamHandle->syslog(LOG_DEBUG, QString("Authentication unavail,session ID:%1").arg(m_sessionID));
+ this->finishAuth(PAM_AUTHINFO_UNAVAIL);
+}
+
void Authentication::onAuthSuccessed(const QString &userName)
{
if (!userName.isEmpty())
diff --git a/src/pam/authentication.h b/src/pam/authentication.h
index f6cc5a5..704dfc1 100644
--- a/src/pam/authentication.h
+++ b/src/pam/authentication.h
@@ -64,6 +64,7 @@ private Q_SLOTS:
void onAuthPrompt(const QString &text, int type);
void onAuthMessage(const QString &text, int type);
void onAuthFailed();
+ void onAuthUnavail();
void onAuthSuccessed(const QString &userName);
void onAuthTypeChanged(int authType);
--
2.33.0

204
0012-fix-kiran-authentication-service-fix-for-versions-ea.patch Normal file
View File

@ -0,0 +1,204 @@
From 3b847f53c73bf1695a9fe81420c7faa480fa3357 Mon Sep 17 00:00:00 2001
From: niko_yhc <yinhongchang@kylinsec.com.cn>
Date: Mon, 11 Sep 2023 08:50:19 +0800
Subject: [PATCH] fix(kiran-authentication-service):fix for versions earlier
than qt5.10 in kiranUI-2.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 在kiranUI-2.5中适配qt5.10以下的版本
Closes:#15019
---
CMakeLists.txt | 6 +++++-
src/daemon/auth-manager.cpp | 5 +++++
src/daemon/auth-manager.h | 4 ++++
src/daemon/device/device-adaptor-factory.cpp | 10 +++++-----
src/daemon/device/device-adaptor.cpp | 12 ++++++------
src/pam/authentication-graphical.cpp | 20 ++++++++++++++++++++
6 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 22e5ac2..a77f4b3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -22,7 +22,11 @@ find_package(Qt5 COMPONENTS Core DBus LinguistTools)
pkg_search_module(KLOG_QT5 REQUIRED klog-qt5)
pkg_search_module(SYSTEMD REQUIRED systemd)
pkg_search_module(KIRAN_CC_DAEMON REQUIRED kiran-cc-daemon)
-pkg_search_module(PAM REQUIRED pam)
+pkg_search_module(PAM QUIET pam)
+if(NOT DEFINED ${PAM_FOUND})
+ set(PAM_INCLUDE_DIRS /usr/include/security)
+ set(PAM_LIBRARIES pam)
+endif()
pkg_search_module(LIBSYSTEMD REQUIRED libsystemd)
configure_file(config.h.in ${PROJECT_BINARY_DIR}/config.h)
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 3d7aaf0..a030897 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -276,7 +276,12 @@ int32_t AuthManager::generateSessionID()
// 最多生成10次超过次数则返回失败
for (int i = 0; i <= 10; ++i)
{
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
auto sessionID = this->m_randomGenerator.bounded(1, MAX_SESSION_ID);
+#else
+ qsrand(QTime(0, 0, 0).secsTo(QTime::currentTime()));
+ auto sessionID = qrand() % MAX_SESSION_ID + 1;
+#endif
auto session = this->m_sessions.value(sessionID, nullptr);
// KLOG_DEBUG() << "session: " << session << ", sessionID: " << sessionID;
RETURN_VAL_IF_TRUE(session == nullptr, sessionID);
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
index e707e0b..b6f2446 100644
--- a/src/daemon/auth-manager.h
+++ b/src/daemon/auth-manager.h
@@ -16,7 +16,9 @@
#include <QDBusContext>
#include <QDBusObjectPath>
#include <QList>
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
#include <QRandomGenerator>
+#endif
#include "kas-authentication-i.h"
class AuthManagerAdaptor;
@@ -118,7 +120,9 @@ private:
// <会话ID会话>
QMap<int32_t, Session *> m_sessions;
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
QRandomGenerator m_randomGenerator;
+#endif
QDBusServiceWatcher *m_serviceWatcher;
};
diff --git a/src/daemon/device/device-adaptor-factory.cpp b/src/daemon/device/device-adaptor-factory.cpp
index 531e0d9..590214c 100644
--- a/src/daemon/device/device-adaptor-factory.cpp
+++ b/src/daemon/device/device-adaptor-factory.cpp
@@ -206,8 +206,8 @@ void DeviceAdaptorFactory::onAuthDeviceManagerLost(const QString &service)
// 设备管理服务消失,认证设备无效,应清理所有无效的设备及其请求
for (auto iter = m_devices.begin(); iter != m_devices.end();)
{
- KLOG_DEBUG() << "auth device manager lost,remove device:" << iter->get()->getDeviceID();
- iter->get()->removeAllRequest();
+ KLOG_DEBUG() << "auth device manager lost,remove device:" << iter.value().data()->getDeviceID();
+ iter.value().data()->removeAllRequest();
iter = m_devices.erase(iter);
}
}
@@ -217,10 +217,10 @@ void DeviceAdaptorFactory::onDeviceDeleted(int deviceType, const QString &device
// 认证设备拔出,认证设备变成无效,清理该设备下请求,从缓存中删除该设备
for (auto iter = m_devices.begin(); iter != m_devices.end(); iter++)
{
- if (iter->get()->getDeviceID() == deviceID)
+ if (iter.value().data()->getDeviceID() == deviceID)
{
- KLOG_DEBUG() << "auth device deleted,remove device:" << iter->get()->getDeviceID();
- iter->get()->removeAllRequest();
+ KLOG_DEBUG() << "auth device deleted,remove device:" << iter.value().data()->getDeviceID();
+ iter.value().data()->removeAllRequest();
m_devices.erase(iter);
break;
}
diff --git a/src/daemon/device/device-adaptor.cpp b/src/daemon/device/device-adaptor.cpp
index 369554d..cef646f 100644
--- a/src/daemon/device/device-adaptor.cpp
+++ b/src/daemon/device/device-adaptor.cpp
@@ -41,7 +41,7 @@ DeviceAdaptor::DeviceAdaptor(QSharedPointer<AuthDeviceProxy> dbusDeviceProxy)
connect(&m_deviceOccupyTimer,&QTimer::timeout,this,&DeviceAdaptor::onDeviceOccupyTimeout);
auto defaultSeat = Login1SeatProxy::getDefault();
- connect(defaultSeat.get(), SIGNAL(activeSessionChanged(const Login1SessionItem &)), this, SLOT(onActiveSessionChanged(const Login1SessionItem &)));
+ connect(defaultSeat.data(), SIGNAL(activeSessionChanged(const Login1SessionItem &)), this, SLOT(onActiveSessionChanged(const Login1SessionItem &)));
this->updateDBusDeviceProxy(dbusDeviceProxy);
}
@@ -76,8 +76,8 @@ void DeviceAdaptor::removeAllRequest()
// 清空/结束所有认证,不再参与调度
for (auto iter = this->m_requests.begin(); iter != this->m_requests.end();)
{
- iter->get()->source->cancel();
- iter->get()->source->end();
+ iter.value().data()->source->cancel();
+ iter.value().data()->source->end();
iter = this->m_requests.erase(iter);
}
}
@@ -107,8 +107,8 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
this->interruptRequest();
- connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
- connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
+ connect(this->m_dbusDeviceProxy.data(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
+ connect(this->m_dbusDeviceProxy.data(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
DEVICE_DEBUG() << "update auth device finished";
this->schedule();
@@ -134,7 +134,7 @@ void DeviceAdaptor::wakeRequest(QSharedPointer<DeviceRequest> request)
{
RETURN_IF_FALSE(request);
// 请求未变化,直接返回
- RETURN_IF_TRUE(this->m_currentRequest && this->m_currentRequest.get() == request.get());
+ RETURN_IF_TRUE(this->m_currentRequest && this->m_currentRequest.data() == request.data());
// 中断当前的请求
this->interruptRequest();
diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
index 2f104ac..4a31b77 100644
--- a/src/pam/authentication-graphical.cpp
+++ b/src/pam/authentication-graphical.cpp
@@ -52,12 +52,22 @@ bool AuthenticationGraphical::requestLoginUserSwitchable()
// 请求失败的情况下使用默认值
if (retval != PAM_SUCCESS)
{
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
auto errorMsg = jsonReqDoc[KAP_PJK_KEY_HEAD][KAP_PJK_KEY_ERROR].toString();
+#else
+ QJsonValue val = jsonReqDoc.object()[KAP_PJK_KEY_HEAD];
+ auto errorMsg = val.toObject()[KAP_PJK_KEY_ERROR].toString();
+#endif
this->m_pamHandle->syslog(LOG_WARNING, QString("Request login user switchable failed: %1").arg(errorMsg));
return false;
}
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
return jsonRspDoc[KAP_PJK_KEY_BODY][KAP_PJK_KEY_LOGIN_USER_SWITCHABLE].toBool();
+#else
+ QJsonValue val = jsonRspDoc.object()[KAP_PJK_KEY_BODY];
+ return val.toObject()[KAP_PJK_KEY_LOGIN_USER_SWITCHABLE].toBool();
+#endif
}
void AuthenticationGraphical::notifySupportAuthType()
@@ -90,11 +100,21 @@ int32_t AuthenticationGraphical::requestAuthType()
// 请求失败的情况下使用默认认证类型
if (retval != PAM_SUCCESS)
{
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
auto errorMsg = jsonReqDoc[KAP_PJK_KEY_HEAD][KAP_PJK_KEY_ERROR].toString();
+#else
+ QJsonValue val = jsonReqDoc.object()[KAP_PJK_KEY_HEAD];
+ auto errorMsg = val.toObject()[KAP_PJK_KEY_ERROR].toString();
+#endif
this->m_pamHandle->syslog(LOG_WARNING, QString("Request auth type failed: %1").arg(errorMsg));
return KADAuthType::KAD_AUTH_TYPE_NONE;
}
+#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
return jsonRspDoc[KAP_PJK_KEY_BODY][KAP_PJK_KEY_AUTH_TYPE].toInt();
+#else
+ QJsonValue val = jsonRspDoc.object()[KAP_PJK_KEY_BODY];
+ return val.toObject()[KAP_PJK_KEY_AUTH_TYPE].toInt();
+#endif
}
void AuthenticationGraphical::notifyAuthType(int authType)
--
2.27.0

25
kiran-authentication-service.spec
View File

@ -1,6 +1,6 @@
Name: kiran-authentication-service Name: kiran-authentication-service
Version: 2.5.1 Version: 2.5.1
Release: 3 Release: 7
Summary: Kiran Desktop kiran authentication service Summary: Kiran Desktop kiran authentication service
License: MulanPSL-2.0 License: MulanPSL-2.0
URL: http://www.kylinsec.com.cn URL: http://www.kylinsec.com.cn
@ -12,6 +12,14 @@ Patch0002: 0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch
Patch0003: 0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch Patch0003: 0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
Patch0004: 0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch Patch0004: 0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch
Patch0005: 0005-fix-auth-order-Adjust-the-authentication-sequence.patch Patch0005: 0005-fix-auth-order-Adjust-the-authentication-sequence.patch
Patch0006: 0006-fix-default-device-Device-adapters-do-not-update-def.patch
Patch0007: 0007-fix-multi-factor-Multifactor-authentication-handling.patch
Patch0008: 0008-fix-default-device-Update-the-logic-of-the-default-a.patch
Patch0009: 0009-fix-multi-factor-multi-factor-no-jump-login.patch
Patch0010: 0010-fix-multi-channel-auth-If-the-authentication-fails-t.patch
Patch0011: 0011-feat-auth-error-Subdivide-the-cause-of-the-error-and.patch
Patch0012: 0012-fix-kiran-authentication-service-fix-for-versions-ea.patch
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-devel BuildRequires: systemd-devel
@ -87,6 +95,21 @@ systemctl enable kiran-authentication-daemon.service
%{_includedir}/kiran-authentication-service/kas-authentication-i.h %{_includedir}/kiran-authentication-service/kas-authentication-i.h
%changelog %changelog
* Mon Sep 11 2023 yinhongchang <yinhongchang@kylinsec.com.cn> - 2.5.1-7
- KYOS-F: fix for versions earlier than qt5.10 in kiranUI-2.5(#15019)
* Thu Jun 15 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-6
- KYOS-B: Subdivide the cause of the error and determine whether to record the error according to the cause and mode(#I7DCKL)
* Sat Jun 03 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-5
- KYOS-B: If the authentication fails, the faillock module counts the data(#I7937W)
* Fri Jun 02 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-4
- KYOS-B: Device adapters do not update default devices that do not exist
- KYOS-B: Multifactor authentication, handling only password authentication
- KYOS-B: Update the logic of the default authentication device
- KYOS-B: multi-factor no jump login
* Wed May 31 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-3 * Wed May 31 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-3
- KYOS-B: fix terminl authentication type check (#I792B4) - KYOS-B: fix terminl authentication type check (#I792B4)
- KYOS-B: Adjust the number of non-password authentication failures recorded in the PAM configuration file(#I7937W) - KYOS-B: Adjust the number of non-password authentication failures recorded in the PAM configuration file(#I7937W)

6
kiran-authentication-service.yaml
View File

@ -1,4 +1,4 @@
version_control: gitee version_control: gitee
src_repo: https://gitee.com/openeuler/kiran-authentication-service.git src_repo: openeuler/kiran-authentication-service
tag_prefix: "v" tag_prefix: "^v"
seperator: "." separator: "."