!44 【轻量级 PR】：update kiran-authentication-service.yaml.

From: @licihua 
Reviewed-by: @tangjie02 
Signed-off-by: @tangjie02

0006-fix-default-device-Device-adapters-do-not-update-def.patch

@@ -0,0 +1,43 @@
+From d5b850a0249c2f2b19341acc5bd3a72eebcfa626 Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Fri, 2 Jun 2023 14:46:07 +0800
+Subject: [PATCH 6/9] fix(default device): Device adapters do not update
+ default devices that do not exist
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 设备适配器不更新不存在的默认设备
+---
+ src/daemon/device/device-adaptor-factory.cpp | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/daemon/device/device-adaptor-factory.cpp b/src/daemon/device/device-adaptor-factory.cpp
+index d3ffe19..531e0d9 100644
+--- a/src/daemon/device/device-adaptor-factory.cpp
++++ b/src/daemon/device/device-adaptor-factory.cpp
+@@ -189,11 +189,16 @@ void DeviceAdaptorFactory::onDefaultDeviceChanged(int authType,
+                                                   const QString &deviceID)
+ {
+     auto deviceAdaptor = this->getDeviceAdaptor(authType);
+-    if (deviceAdaptor && deviceAdaptor->getDeviceID() != deviceID)
+-    {
+-        auto dbusDeviceProxy = this->getDBusDeviceProxy(authType, deviceID);
+-        deviceAdaptor->updateDBusDeviceProxy(dbusDeviceProxy);
+-    }
++    // 当前不存在设备设配器的情况，不更新设备适配器代理，需要时会优先考虑默认设备
++    // 设备适配器已使用默认设备代理，不需要更新设备适配器
++    RETURN_IF_FALSE(deviceAdaptor && deviceAdaptor->getDeviceID()!=deviceID);
++
++    // 尝试通过默认设备ID，拿到设备代理
++    auto recommendedDeviceProxy = this->getDBusDeviceProxy(authType, deviceID);
++    // 未能拿到设备，或者拿不到默认设备，不更新设备适配器代理
++    RETURN_IF_FALSE( recommendedDeviceProxy && recommendedDeviceProxy->deviceID()==deviceID);
++
++    deviceAdaptor->updateDBusDeviceProxy(recommendedDeviceProxy);
+ }
+ 
+ void DeviceAdaptorFactory::onAuthDeviceManagerLost(const QString &service)
+-- 
+2.33.0
+

0007-fix-multi-factor-Multifactor-authentication-handling.patch

@@ -0,0 +1,74 @@
+From f32c0200d2bc9c537b45b37e9b4d246fd330f362 Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Fri, 2 Jun 2023 15:03:46 +0800
+Subject: [PATCH 7/9] fix(multi-factor): Multifactor authentication, handling
+ only password authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+-  多因子认证，处理只有密码认证的情况
+---
+ src/daemon/session.cpp | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
+index e8c516b..291f9fc 100644
+--- a/src/daemon/session.cpp
++++ b/src/daemon/session.cpp
+@@ -132,7 +132,7 @@ void Session::StartAuth()
+     this->m_verifyInfo.m_inAuth = true;
+     this->m_verifyInfo.m_dbusMessage = this->message();
+     this->startPhaseAuth();
+-} 
++}
+ 
+ void Session::StopAuth()
+ {
+@@ -230,7 +230,7 @@ void Session::onIdentifyStatus(const QString &bid, int result, const QString &me
+     {
+         Q_EMIT this->AuthMessage(verifyResultStr, KADMessageType::KAD_MESSAGE_TYPE_INFO);
+     }
+-    else if(result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
++    else if (result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
+     {
+         Q_EMIT this->AuthMessage(verifyResultStr, KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+     }
+@@ -283,9 +283,14 @@ void Session::startUkeyAuth()
+ void Session::startPasswdAuth()
+ {
+     KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
++    
+     this->m_verifyInfo.m_inAuth = true;
+-    this->m_verifyInfo.m_authenticatedUserName = m_userName;
+-    this->finishPhaseAuth(true,false);
++    if (this->m_verifyInfo.m_authenticatedUserName.isEmpty())
++    {
++        this->m_verifyInfo.m_authenticatedUserName = m_userName;
++    }
++    
++    this->finishPhaseAuth(true, false);
+ }
+ 
+ void Session::startGeneralAuth(const QString &extraInfo)
+@@ -305,7 +310,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
+     {
+         auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
+         KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
+-        Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
++        Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ 
+         this->finishPhaseAuth(false, false);
+         return;
+@@ -359,7 +364,7 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
+         break;
+     case KADAuthMode::KAD_AUTH_MODE_AND:
+     {
+-        if( this->m_authOrderWaiting.size() > 0 )
++        if (this->m_authOrderWaiting.size() > 0)
+         {
+             this->m_authOrderWaiting.removeOne(this->m_authType);
+         }
+-- 
+2.33.0
+

0008-fix-default-device-Update-the-logic-of-the-default-a.patch

@@ -0,0 +1,61 @@
+From 17523794f035c7e66c232a799830c994da1a8a1b Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Fri, 2 Jun 2023 15:05:34 +0800
+Subject: [PATCH 8/9] fix(default device): Update the logic of the default
+ authentication device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 修复更新默认认证设备的逻辑，更新翻译
+---
+ src/daemon/device/device-adaptor.cpp              | 7 +++++--
+ translations/kiran-authentication-daemon.zh_CN.ts | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/device/device-adaptor.cpp b/src/daemon/device/device-adaptor.cpp
+index 32c768f..369554d 100644
+--- a/src/daemon/device/device-adaptor.cpp
++++ b/src/daemon/device/device-adaptor.cpp
+@@ -92,13 +92,14 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
+ {
+     RETURN_IF_FALSE(dbusDeviceProxy);
+ 
++    DEVICE_DEBUG() << "update auth device";
+     if (!this->m_dbusDeviceProxy ||
+         this->m_dbusDeviceProxy->deviceID() != dbusDeviceProxy->deviceID())
+     {
+         if (this->m_dbusDeviceProxy)
+         {
+-            this->m_dbusDeviceProxy->disconnect();
+-            this->m_dbusDeviceProxy = nullptr;
++            this->m_dbusDeviceProxy->disconnect(this);
++            this->m_dbusDeviceProxy.clear();
+         }
+ 
+         this->m_dbusDeviceProxy = dbusDeviceProxy;
+@@ -108,6 +109,8 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
+ 
+         connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
+         connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
++
++        DEVICE_DEBUG() << "update auth device finished";
+         this->schedule();
+     }
+ }
+diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
+index 8c03e2c..e74195f 100644
+--- a/translations/kiran-authentication-daemon.zh_CN.ts
++++ b/translations/kiran-authentication-daemon.zh_CN.ts
+@@ -27,7 +27,7 @@
+         <translation>请输入PIN码。</translation>
+     </message>
+     <message>
+-        <location filename="../src/daemon/session.cpp" line="308"/>
++        <location filename="../src/daemon/session.cpp" line="313"/>
+         <source>can not find %1 device</source>
+         <translation>未能检测到%1设备</translation>
+     </message>
+-- 
+2.33.0
+

0009-fix-multi-factor-multi-factor-no-jump-login.patch

@@ -0,0 +1,29 @@
+From 9046f70a621f92a9eab590e380768b74d897d43e Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Fri, 2 Jun 2023 15:09:15 +0800
+Subject: [PATCH 9/9] fix(multi-factor): multi-factor no jump login
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 多因子登录禁止跳转登录
+---
+ src/daemon/session.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
+index 291f9fc..5144da1 100644
+--- a/src/daemon/session.cpp
++++ b/src/daemon/session.cpp
+@@ -57,6 +57,8 @@ Session::Session(uint32_t sessionID,
+     if (m_authMode == KAD_AUTH_MODE_AND)
+     {
+         this->m_authOrderWaiting = authTypes;
++        // 多因子认证时，不允许调整用户登录
++        this->m_verifyInfo.m_authenticatedUserName = m_userName;
+     }
+ 
+     KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
+-- 
+2.33.0
+

0010-fix-multi-channel-auth-If-the-authentication-fails-t.patch

@@ -0,0 +1,30 @@
+From 3af3972404b72f71851995e0d4e89bdb4ce29862 Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Sat, 3 Jun 2023 17:08:16 +0800
+Subject: [PATCH] fix(multi-channel auth): If the authentication fails, the
+ faillock module counts the data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 修改多路认证情况下，如果认证失败，交由failock模块计数
+---
+ data/kiran-authentication-service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
+index e0f2763..8bbbea7 100644
+--- a/data/kiran-authentication-service
++++ b/data/kiran-authentication-service
+@@ -6,7 +6,7 @@
+ 
+ # =========================认证配置项目================================ #
+ # 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
+-auth  [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
++auth  [success=done ignore=2 default=bad] pam_kiran_authentication.so doauth
+ # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
+ #auth  [success=2 default=bad] pam_kiran_authentication.so doauth
+ # ==================================================================== #
+-- 
+2.33.0
+

0011-feat-auth-error-Subdivide-the-cause-of-the-error-and.patch

@@ -0,0 +1,387 @@
+From 32c665b09765c17d75e31340059b8c3f8183766e Mon Sep 17 00:00:00 2001
+From: liuxinhao <liuxinhao@kylinsec.com.cn>
+Date: Mon, 5 Jun 2023 14:57:35 +0800
+Subject: [PATCH] feat(auth error): Subdivide the cause of the error and
+ determine whether to record the error according to the cause and mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 细分错误原因，根据原因以及模式不同，判断是否记录错误，例如多路认证不存在认证设备或认证被取消的情况下将不记录内部错误次数以及外部faillock次数
+---
+ ....kylinsec.Kiran.Authentication.Session.xml |   2 +
+ data/kiran-authentication-service             |   2 +-
+ src/daemon/session.cpp                        | 146 +++++++++++-------
+ src/daemon/session.h                          |  17 +-
+ src/pam/authentication.cpp                    |   7 +
+ src/pam/authentication.h                      |   1 +
+ 6 files changed, 118 insertions(+), 57 deletions(-)
+
+diff --git a/data/com.kylinsec.Kiran.Authentication.Session.xml b/data/com.kylinsec.Kiran.Authentication.Session.xml
+index ac737b8..b261dec 100644
+--- a/data/com.kylinsec.Kiran.Authentication.Session.xml
++++ b/data/com.kylinsec.Kiran.Authentication.Session.xml
+@@ -80,6 +80,8 @@
+ 
+         <signal name="AuthFailed" />
+ 
++        <signal name="AuthUnavail"/>
++
+         <signal name="AuthTypeChanged">
+             <arg name="authtype" type="i">
+                 <description>The authentication type being or to be performed. Refer to enum AuthType in file kas-authentication-i.h.</description>
+diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
+index 8bbbea7..00acda3 100644
+--- a/data/kiran-authentication-service
++++ b/data/kiran-authentication-service
+@@ -6,7 +6,7 @@
+ 
+ # =========================认证配置项目================================ #
+ # 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
+-auth  [success=done ignore=2 default=bad] pam_kiran_authentication.so doauth
++auth  [success=done ignore=2 default=bad authinfo_unavail=die] pam_kiran_authentication.so doauth
+ # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
+ #auth  [success=2 default=bad] pam_kiran_authentication.so doauth
+ # ==================================================================== #
+diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
+index 5144da1..b679349 100644
+--- a/src/daemon/session.cpp
++++ b/src/daemon/session.cpp
+@@ -30,6 +30,7 @@
+ #include <QDBusConnectionInterface>
+ #include <QEventLoop>
+ #include <QJsonDocument>
++#include <QMetaEnum>
+ 
+ namespace Kiran
+ {
+@@ -49,29 +50,27 @@ Session::Session(uint32_t sessionID,
+ {
+     this->m_dbusAdaptor = new SessionAdaptor(this);
+     this->m_objectPath = QDBusObjectPath(QString("%1/%2").arg(KAD_SESSION_DBUS_OBJECT_PATH).arg(this->m_sessionID));
+-    this->m_authMode = AuthManager::getInstance()->getAuthMode();
+ 
++    this->m_authMode = AuthManager::getInstance()->getAuthMode();
+     auto authTypes = AuthManager::getInstance()->GetAuthTypeByApp(m_authApplication);
+     this->m_authType = authTypes.count() > 0 ? authTypes.first() : KAD_AUTH_TYPE_NONE;
+-
+     if (m_authMode == KAD_AUTH_MODE_AND)
+     {
+         this->m_authOrderWaiting = authTypes;
+-        // 多因子认证时，不允许调整用户登录
+         this->m_verifyInfo.m_authenticatedUserName = m_userName;
+     }
+ 
+-    KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
+-                        .arg(m_authMode)
+-                        .arg(m_loginUserSwitchable)
+-                        .arg(Utils::authTypeEnum2Str(m_authType))
+-                        .arg(Utils::authOrderEnum2Str(m_authOrderWaiting).join(","));
+-
+     auto systemConnection = QDBusConnection::systemBus();
+     if (!systemConnection.registerObject(this->m_objectPath.path(), this))
+     {
+         KLOG_WARNING() << m_sessionID << "can't register object:" << systemConnection.lastError();
+     }
++
++    KLOG_DEBUG() << QString("new session authmode(%1),login user switchable(%2),default auth type(%3),auth order(%4)")
++                        .arg(m_authMode)
++                        .arg(m_loginUserSwitchable)
++                        .arg(Utils::authTypeEnum2Str(m_authType))
++                        .arg(Utils::authOrderEnum2Str(m_authOrderWaiting).join(","));
+ }
+ 
+ Session::~Session()
+@@ -206,7 +205,7 @@ void Session::interrupt()
+ void Session::cancel()
+ {
+     KLOG_DEBUG() << m_sessionID << "session (request id:" << this->m_verifyInfo.m_requestID << ") cancel";
+-    this->finishPhaseAuth(false, false);
++    this->finishPhaseAuth(SESSION_AUTH_CANCEL);
+ }
+ 
+ void Session::end()
+@@ -244,7 +243,7 @@ void Session::onIdentifyStatus(const QString &bid, int result, const QString &me
+     if (result == IdentifyStatus::IDENTIFY_STATUS_MATCH ||
+         result == IdentifyStatus::IDENTIFY_STATUS_NOT_MATCH)
+     {
+-        this->finishPhaseAuth(result == IdentifyStatus::IDENTIFY_STATUS_MATCH, m_authMode == KAD_AUTH_MODE_OR);
++        this->finishPhaseAuth(result == IDENTIFY_STATUS_MATCH ? SESSION_AUTH_MATCH : SESSION_AUTH_NOT_MATCH);
+     }
+ }
+ 
+@@ -285,14 +284,14 @@ void Session::startUkeyAuth()
+ void Session::startPasswdAuth()
+ {
+     KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+-    
++
+     this->m_verifyInfo.m_inAuth = true;
+     if (this->m_verifyInfo.m_authenticatedUserName.isEmpty())
+     {
+         this->m_verifyInfo.m_authenticatedUserName = m_userName;
+     }
+-    
+-    this->finishPhaseAuth(true, false);
++
++    this->finishPhaseAuth(SESSION_AUTH_PASSWD_AUTH_IGNORE);
+ }
+ 
+ void Session::startGeneralAuth(const QString &extraInfo)
+@@ -303,7 +302,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
+         auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
+         KLOG_WARNING() << m_sessionID << "start phase auth failed,invalid auth type:" << m_authType;
+         Q_EMIT this->AuthMessage(tr(QString("Auth type %1 invalid").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+-        this->finishPhaseAuth(false, false);
++        this->finishPhaseAuth(SESSION_AUTH_INTERNAL_ERROR);
+         return;
+     }
+ 
+@@ -313,8 +312,7 @@ void Session::startGeneralAuth(const QString &extraInfo)
+         auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
+         KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
+         Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+-
+-        this->finishPhaseAuth(false, false);
++        this->finishPhaseAuth(SESSION_AUTH_NO_DEVICE);
+         return;
+     }
+ 
+@@ -344,69 +342,94 @@ void Session::startGeneralAuth(const QString &extraInfo)
+     this->m_verifyInfo.deviceAdaptor->identify(this, doc.toJson(QJsonDocument::Compact));
+ }
+ 
+-void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
++void Session::finishPhaseAuth(SessionAuthResult authResult)
+ {
++    auto authResultEnum = QMetaEnum::fromType<Session::SessionAuthResult>();
++    auto authResultKey = authResultEnum.valueToKey(authResult);
++
+     KLOG_DEBUG() << m_sessionID
+                  << "session finish phase auth, auth type:" << this->m_authType
+-                 << "auth result:" << isSuccess
+-                 << "record failure:" << recordFailure;
+-
+-    // 如果阶段认证失败，则直接结束
+-    if (!isSuccess)
+-    {
+-        this->finishAuth(isSuccess, recordFailure);
+-        return;
+-    }
++                 << "auth result:" << (authResultKey ? authResultKey : "NULL");
+ 
+-    // 阶段认证成功则进入下个阶段
+-    switch (this->m_authMode)
++    switch (authResult)
+     {
+-    case KADAuthMode::KAD_AUTH_MODE_OR:
+-        this->finishAuth(isSuccess, recordFailure);
+-        break;
+-    case KADAuthMode::KAD_AUTH_MODE_AND:
++    case SESSION_AUTH_MATCH:
++    case SESSION_AUTH_PASSWD_AUTH_IGNORE:
+     {
+-        if (this->m_authOrderWaiting.size() > 0)
++        if (this->m_authMode == KAD_AUTH_MODE_OR)
+         {
+-            this->m_authOrderWaiting.removeOne(this->m_authType);
+-        }
+-
+-        if (this->m_authOrderWaiting.size() == 0)
+-        {
+-            this->finishAuth(isSuccess, recordFailure);
++            // 多路认证，认证一个通过即算通过
++            this->finishAuth(authResult);
+         }
+         else
+         {
+-            this->m_authType = this->m_authOrderWaiting.first();
+-            this->startPhaseAuth();
++            // 检测是否所有认证类型都已通过
++            // 存在还未认证，则继续开始认证
++            if (this->m_authOrderWaiting.size() > 0)
++            {
++                this->m_authOrderWaiting.removeOne(this->m_authType);
++            }
++
++            if (this->m_authOrderWaiting.size() == 0)
++            {
++                this->finishAuth(SESSION_AUTH_MATCH);
++            }
++            else
++            {
++                this->m_authType = this->m_authOrderWaiting.first();
++                this->startPhaseAuth();
++            }
+         }
+         break;
+     }
++    case SESSION_AUTH_NOT_MATCH:
++    case SESSION_AUTH_NO_DEVICE:
++    case SESSION_AUTH_CANCEL:
++    case SESSION_AUTH_INTERNAL_ERROR:
++    {
++        // 阶段认证失败，则算失败
++        this->finishAuth(authResult);
++        break;
++    }
+     default:
++        KLOG_ERROR() << m_sessionID << "invalid session auth result:" << authResult << (authResultKey ? authResultKey : "NULL");
+         break;
+     }
+ }
+ 
+-void Session::finishAuth(bool isSuccess, bool recordFailure)
++void Session::finishAuth(SessionAuthResult authResult)
+ {
+-    KLOG_DEBUG() << m_sessionID << "finish auth"
+-                 << "auth result:" << isSuccess
+-                 << "record failure:" << recordFailure;
++    auto authResultEnum = QMetaEnum::fromType<Session::SessionAuthResult>();
++    auto authResultKey = authResultEnum.valueToKey(authResult);
++    KLOG_DEBUG() << m_sessionID << "finish auth\n"
++                 << "auth result:" << (authResultKey ? authResultKey : "NULL");
+ 
+     const QString &authenticatedUserName = this->m_verifyInfo.m_authenticatedUserName;
+-    if (isSuccess && !authenticatedUserName.isEmpty())
++    bool isSuccess = (authResult == SESSION_AUTH_MATCH) || (authResult == SESSION_AUTH_PASSWD_AUTH_IGNORE);
++    if (isSuccess)
+     {
+-        // 认证成功，清空认证通过用户的生物认证错误次数(针对于登录过程中用户跳转)
+-        auto user = UserManager::getInstance()->findUser(authenticatedUserName);
+-        if (user)
++        if (authenticatedUserName.isEmpty())
+         {
+-            user->setFailures(0);
++            KLOG_ERROR() << "authentication succeeded, but the user name was empty!";
++        }
++        else
++        {
++            auto user = UserManager::getInstance()->findUser(authenticatedUserName);
++            if (user)
++            {
++                user->setFailures(0);
++            }
++            Q_EMIT this->AuthSuccessed(authenticatedUserName);
+         }
+-        Q_EMIT this->AuthSuccessed(authenticatedUserName);
+     }
+     else
+     {
+-        if (recordFailure)
++        // 是否记录内部错误，内部错误达到上限将不能使用生物认证，只能使用密码解锁
++        // 只在多路认证情况下，并且是特征不匹配的情况下记录
++        bool recordInternalFailure = (this->m_authMode == KAD_AUTH_MODE_OR) &&
++                                     (authResult == SESSION_AUTH_NOT_MATCH);
++
++        if (recordInternalFailure)
+         {
+             // 认证失败，未通过一次阶段认证，记录失败用户为发起登录请求的用户
+             const QString &currentUser = authenticatedUserName.isEmpty() ? m_userName : authenticatedUserName;
+@@ -416,8 +439,23 @@ void Session::finishAuth(bool isSuccess, bool recordFailure)
+                 user->setFailures(user->getFailures() + 1);
+             }
+         }
+-        Q_EMIT this->AuthFailed();
++
++        // 是否记录外部failock错误，达到上限，将会锁定账户
++        // 多因子认证情况下，任何错误，都将被failock记录
++        // 多路认证情况下，只有特征不匹配才被failock记录
++        bool recordFailure = (this->m_authMode == KAD_AUTH_MODE_AND) ||
++                             (authResult == SESSION_AUTH_NOT_MATCH);
++
++        if (recordFailure)
++        {
++            Q_EMIT this->AuthFailed();
++        }
++        else
++        {
++            Q_EMIT this->AuthUnavail();
++        }
+     }
++
+     m_verifyInfo.m_inAuth = false;
+ }
+ 
+diff --git a/src/daemon/session.h b/src/daemon/session.h
+index a850237..ed97a16 100644
+--- a/src/daemon/session.h
++++ b/src/daemon/session.h
+@@ -37,6 +37,18 @@ class Session : public QObject,
+     Q_PROPERTY(uint ID READ getID)
+     Q_PROPERTY(QString RSAPublicKey READ getRSAPublicKey)
+     Q_PROPERTY(QString Username READ getUsername)
++public:
++    enum SessionAuthResult
++    {
++        SESSION_AUTH_MATCH,               // 特征匹配
++        SESSION_AUTH_NOT_MATCH,           // 特征不匹配
++        SESSION_AUTH_PASSWD_AUTH_IGNORE,  // 多因子认证模式，放行密码认证
++        SESSION_AUTH_NO_DEVICE,           // 不存在该设备
++        SESSION_AUTH_CANCEL,              // 认证会话被取消
++        SESSION_AUTH_INTERNAL_ERROR,      // 内部错误
++        SESSION_AUTH_LAST
++    };
++    Q_ENUM(SessionAuthResult)
+ public:
+     // 如果只允许对特定用户进行认证，则创建对象时需要指定用户名
+     Session(uint32_t sessionID,
+@@ -68,6 +80,7 @@ Q_SIGNALS:  // SIGNALS
+     void AuthMessage(const QString &text, int type);
+     void AuthPrompt(const QString &text, int type);
+     void AuthSuccessed(const QString &username);
++    void AuthUnavail();
+ 
+ private:
+     struct SessionVerifyInfo
+@@ -101,8 +114,8 @@ private:
+     void startPasswdAuth();
+     void startGeneralAuth(const QString &extraInfo = QString());
+ 
+-    void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
+-    void finishAuth(bool isSuccess,bool recordFailures = true);
++    void finishPhaseAuth(SessionAuthResult authResult);
++    void finishAuth(SessionAuthResult authResult);
+ 
+     bool matchUser(int32_t authType, const QString &dataID);
+ 
+diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
+index 06bc010..0e3b6f0 100644
+--- a/src/pam/authentication.cpp
++++ b/src/pam/authentication.cpp
+@@ -271,6 +271,7 @@ bool Authentication::initSession()
+     connect(this->m_authSessionProxy, &AuthSessionProxy::AuthPrompt, this, &Authentication::onAuthPrompt);
+     connect(this->m_authSessionProxy, &AuthSessionProxy::AuthMessage, this, &Authentication::onAuthMessage);
+     connect(this->m_authSessionProxy, &AuthSessionProxy::AuthFailed, this, &Authentication::onAuthFailed);
++    connect(this->m_authSessionProxy, &AuthSessionProxy::AuthUnavail, this, &Authentication::onAuthUnavail);
+     connect(this->m_authSessionProxy, &AuthSessionProxy::AuthSuccessed, this, &Authentication::onAuthSuccessed);
+     this->m_pamHandle->syslog(LOG_DEBUG, QString("init session,%1").arg(m_sessionID));
+     return true;
+@@ -335,6 +336,12 @@ void Authentication::onAuthFailed()
+     this->finishAuth(PAM_AUTH_ERR);
+ }
+ 
++void Authentication::onAuthUnavail()
++{
++    this->m_pamHandle->syslog(LOG_DEBUG, QString("Authentication unavail,session ID:%1").arg(m_sessionID));
++    this->finishAuth(PAM_AUTHINFO_UNAVAIL);
++}
++
+ void Authentication::onAuthSuccessed(const QString &userName)
+ {
+     if (!userName.isEmpty())
+diff --git a/src/pam/authentication.h b/src/pam/authentication.h
+index f6cc5a5..704dfc1 100644
+--- a/src/pam/authentication.h
++++ b/src/pam/authentication.h
+@@ -64,6 +64,7 @@ private Q_SLOTS:
+     void onAuthPrompt(const QString &text, int type);
+     void onAuthMessage(const QString &text, int type);
+     void onAuthFailed();
++    void onAuthUnavail();
+     void onAuthSuccessed(const QString &userName);
+     void onAuthTypeChanged(int authType);
+ 
+-- 
+2.33.0
+

0012-fix-kiran-authentication-service-fix-for-versions-ea.patch

@@ -0,0 +1,204 @@
+From 3b847f53c73bf1695a9fe81420c7faa480fa3357 Mon Sep 17 00:00:00 2001
+From: niko_yhc <yinhongchang@kylinsec.com.cn>
+Date: Mon, 11 Sep 2023 08:50:19 +0800
+Subject: [PATCH] fix(kiran-authentication-service):fix for versions earlier
+ than qt5.10 in kiranUI-2.5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 在kiranUI-2.5中适配qt5.10以下的版本
+
+Closes:#15019
+---
+ CMakeLists.txt                               |  6 +++++-
+ src/daemon/auth-manager.cpp                  |  5 +++++
+ src/daemon/auth-manager.h                    |  4 ++++
+ src/daemon/device/device-adaptor-factory.cpp | 10 +++++-----
+ src/daemon/device/device-adaptor.cpp         | 12 ++++++------
+ src/pam/authentication-graphical.cpp         | 20 ++++++++++++++++++++
+ 6 files changed, 45 insertions(+), 12 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 22e5ac2..a77f4b3 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -22,7 +22,11 @@ find_package(Qt5 COMPONENTS Core DBus LinguistTools)
+ pkg_search_module(KLOG_QT5 REQUIRED klog-qt5)
+ pkg_search_module(SYSTEMD REQUIRED systemd)
+ pkg_search_module(KIRAN_CC_DAEMON REQUIRED kiran-cc-daemon)
+-pkg_search_module(PAM REQUIRED pam)
++pkg_search_module(PAM QUIET pam)
++if(NOT DEFINED ${PAM_FOUND})
++    set(PAM_INCLUDE_DIRS /usr/include/security)
++    set(PAM_LIBRARIES pam)
++endif()
+ pkg_search_module(LIBSYSTEMD REQUIRED libsystemd)
+ 
+ configure_file(config.h.in ${PROJECT_BINARY_DIR}/config.h)
+diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
+index 3d7aaf0..a030897 100644
+--- a/src/daemon/auth-manager.cpp
++++ b/src/daemon/auth-manager.cpp
+@@ -276,7 +276,12 @@ int32_t AuthManager::generateSessionID()
+     // 最多生成10次，超过次数则返回失败
+     for (int i = 0; i <= 10; ++i)
+     {
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+         auto sessionID = this->m_randomGenerator.bounded(1, MAX_SESSION_ID);
++#else
++        qsrand(QTime(0, 0, 0).secsTo(QTime::currentTime()));
++        auto sessionID = qrand() % MAX_SESSION_ID + 1;
++#endif
+         auto session = this->m_sessions.value(sessionID, nullptr);
+         // KLOG_DEBUG() << "session: " << session << ", sessionID: " << sessionID;
+         RETURN_VAL_IF_TRUE(session == nullptr, sessionID);
+diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
+index e707e0b..b6f2446 100644
+--- a/src/daemon/auth-manager.h
++++ b/src/daemon/auth-manager.h
+@@ -16,7 +16,9 @@
+ #include <QDBusContext>
+ #include <QDBusObjectPath>
+ #include <QList>
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+ #include <QRandomGenerator>
++#endif
+ #include "kas-authentication-i.h"
+ 
+ class AuthManagerAdaptor;
+@@ -118,7 +120,9 @@ private:
+ 
+     // <会话ID，会话>
+     QMap<int32_t, Session *> m_sessions;
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+     QRandomGenerator m_randomGenerator;
++#endif
+     QDBusServiceWatcher *m_serviceWatcher;
+ };
+ 
+diff --git a/src/daemon/device/device-adaptor-factory.cpp b/src/daemon/device/device-adaptor-factory.cpp
+index 531e0d9..590214c 100644
+--- a/src/daemon/device/device-adaptor-factory.cpp
++++ b/src/daemon/device/device-adaptor-factory.cpp
+@@ -206,8 +206,8 @@ void DeviceAdaptorFactory::onAuthDeviceManagerLost(const QString &service)
+     // 设备管理服务消失，认证设备无效，应清理所有无效的设备及其请求
+     for (auto iter = m_devices.begin(); iter != m_devices.end();)
+     {
+-        KLOG_DEBUG() << "auth device manager lost,remove device:" << iter->get()->getDeviceID();
+-        iter->get()->removeAllRequest();
++        KLOG_DEBUG() << "auth device manager lost,remove device:" << iter.value().data()->getDeviceID();
++        iter.value().data()->removeAllRequest();
+         iter = m_devices.erase(iter);
+     }
+ }
+@@ -217,10 +217,10 @@ void DeviceAdaptorFactory::onDeviceDeleted(int deviceType, const QString &device
+     // 认证设备拔出，认证设备变成无效，清理该设备下请求，从缓存中删除该设备
+     for (auto iter = m_devices.begin(); iter != m_devices.end(); iter++)
+     {
+-        if (iter->get()->getDeviceID() == deviceID)
++        if (iter.value().data()->getDeviceID() == deviceID)
+         {
+-            KLOG_DEBUG() << "auth device deleted,remove device:" << iter->get()->getDeviceID();
+-            iter->get()->removeAllRequest();
++            KLOG_DEBUG() << "auth device deleted,remove device:" << iter.value().data()->getDeviceID();
++            iter.value().data()->removeAllRequest();
+             m_devices.erase(iter);
+             break;
+         }
+diff --git a/src/daemon/device/device-adaptor.cpp b/src/daemon/device/device-adaptor.cpp
+index 369554d..cef646f 100644
+--- a/src/daemon/device/device-adaptor.cpp
++++ b/src/daemon/device/device-adaptor.cpp
+@@ -41,7 +41,7 @@ DeviceAdaptor::DeviceAdaptor(QSharedPointer<AuthDeviceProxy> dbusDeviceProxy)
+     connect(&m_deviceOccupyTimer,&QTimer::timeout,this,&DeviceAdaptor::onDeviceOccupyTimeout);
+ 
+     auto defaultSeat = Login1SeatProxy::getDefault();
+-    connect(defaultSeat.get(), SIGNAL(activeSessionChanged(const Login1SessionItem &)), this, SLOT(onActiveSessionChanged(const Login1SessionItem &)));
++    connect(defaultSeat.data(), SIGNAL(activeSessionChanged(const Login1SessionItem &)), this, SLOT(onActiveSessionChanged(const Login1SessionItem &)));
+ 
+     this->updateDBusDeviceProxy(dbusDeviceProxy);
+ }
+@@ -76,8 +76,8 @@ void DeviceAdaptor::removeAllRequest()
+     // 清空/结束所有认证，不再参与调度
+     for (auto iter = this->m_requests.begin(); iter != this->m_requests.end();)
+     {
+-        iter->get()->source->cancel();
+-        iter->get()->source->end();
++        iter.value().data()->source->cancel();
++        iter.value().data()->source->end();
+         iter = this->m_requests.erase(iter);
+     }
+ }
+@@ -107,8 +107,8 @@ void DeviceAdaptor::updateDBusDeviceProxy(QSharedPointer<AuthDeviceProxy> dbusDe
+ 
+         this->interruptRequest();
+ 
+-        connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
+-        connect(this->m_dbusDeviceProxy.get(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
++        connect(this->m_dbusDeviceProxy.data(), &AuthDeviceProxy::EnrollStatus, this, &DeviceAdaptor::onEnrollStatus);
++        connect(this->m_dbusDeviceProxy.data(), &AuthDeviceProxy::IdentifyStatus, this, &DeviceAdaptor::onIdentifyStatus);
+ 
+         DEVICE_DEBUG() << "update auth device finished";
+         this->schedule();
+@@ -134,7 +134,7 @@ void DeviceAdaptor::wakeRequest(QSharedPointer<DeviceRequest> request)
+ {
+     RETURN_IF_FALSE(request);
+     // 请求未变化，直接返回
+-    RETURN_IF_TRUE(this->m_currentRequest && this->m_currentRequest.get() == request.get());
++    RETURN_IF_TRUE(this->m_currentRequest && this->m_currentRequest.data() == request.data());
+     // 中断当前的请求
+     this->interruptRequest();
+ 
+diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
+index 2f104ac..4a31b77 100644
+--- a/src/pam/authentication-graphical.cpp
++++ b/src/pam/authentication-graphical.cpp
+@@ -52,12 +52,22 @@ bool AuthenticationGraphical::requestLoginUserSwitchable()
+     // 请求失败的情况下使用默认值
+     if (retval != PAM_SUCCESS)
+     {
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+         auto errorMsg = jsonReqDoc[KAP_PJK_KEY_HEAD][KAP_PJK_KEY_ERROR].toString();
++#else
++        QJsonValue val = jsonReqDoc.object()[KAP_PJK_KEY_HEAD];
++        auto errorMsg = val.toObject()[KAP_PJK_KEY_ERROR].toString();
++#endif
+         this->m_pamHandle->syslog(LOG_WARNING, QString("Request login user switchable failed: %1").arg(errorMsg));
+         return false;
+     }
+ 
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+     return jsonRspDoc[KAP_PJK_KEY_BODY][KAP_PJK_KEY_LOGIN_USER_SWITCHABLE].toBool();
++#else
++    QJsonValue val = jsonRspDoc.object()[KAP_PJK_KEY_BODY];
++    return val.toObject()[KAP_PJK_KEY_LOGIN_USER_SWITCHABLE].toBool();
++#endif
+ }
+ 
+ void AuthenticationGraphical::notifySupportAuthType()
+@@ -90,11 +100,21 @@ int32_t AuthenticationGraphical::requestAuthType()
+     // 请求失败的情况下使用默认认证类型
+     if (retval != PAM_SUCCESS)
+     {
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+         auto errorMsg = jsonReqDoc[KAP_PJK_KEY_HEAD][KAP_PJK_KEY_ERROR].toString();
++#else
++        QJsonValue val = jsonReqDoc.object()[KAP_PJK_KEY_HEAD];
++        auto errorMsg = val.toObject()[KAP_PJK_KEY_ERROR].toString();
++#endif
+         this->m_pamHandle->syslog(LOG_WARNING, QString("Request auth type failed: %1").arg(errorMsg));
+         return KADAuthType::KAD_AUTH_TYPE_NONE;
+     }
++#if (QT_VERSION >= QT_VERSION_CHECK(5, 10, 0))
+     return jsonRspDoc[KAP_PJK_KEY_BODY][KAP_PJK_KEY_AUTH_TYPE].toInt();
++#else
++    QJsonValue val = jsonRspDoc.object()[KAP_PJK_KEY_BODY];
++    return val.toObject()[KAP_PJK_KEY_AUTH_TYPE].toInt();
++#endif
+ }
+ 
+ void AuthenticationGraphical::notifyAuthType(int authType)
+-- 
+2.27.0
+

kiran-authentication-service.spec

@@ -1,6 +1,6 @@
 Name:          kiran-authentication-service
 Version:       2.5.1
-Release:       3
+Release:       7
 Summary:       Kiran Desktop kiran authentication service
 License:       MulanPSL-2.0
 URL:           http://www.kylinsec.com.cn
@@ -12,6 +12,14 @@ Patch0002:	0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch
 Patch0003:	0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
 Patch0004:	0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch
 Patch0005:	0005-fix-auth-order-Adjust-the-authentication-sequence.patch
+Patch0006:	0006-fix-default-device-Device-adapters-do-not-update-def.patch
+Patch0007:	0007-fix-multi-factor-Multifactor-authentication-handling.patch
+Patch0008:	0008-fix-default-device-Update-the-logic-of-the-default-a.patch
+Patch0009:	0009-fix-multi-factor-multi-factor-no-jump-login.patch
+Patch0010:	0010-fix-multi-channel-auth-If-the-authentication-fails-t.patch
+Patch0011:	0011-feat-auth-error-Subdivide-the-cause-of-the-error-and.patch
+Patch0012:      0012-fix-kiran-authentication-service-fix-for-versions-ea.patch
+
 
 BuildRequires: systemd
 BuildRequires: systemd-devel
@@ -87,6 +95,21 @@ systemctl enable kiran-authentication-daemon.service
 %{_includedir}/kiran-authentication-service/kas-authentication-i.h
 
 %changelog
+* Mon Sep 11 2023 yinhongchang <yinhongchang@kylinsec.com.cn> - 2.5.1-7
+- KYOS-F: fix for versions earlier than qt5.10 in kiranUI-2.5(#15019)
+
+* Thu Jun 15 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-6
+- KYOS-B: Subdivide the cause of the error and determine whether to record the error according to the cause and mode(#I7DCKL)
+
+* Sat Jun 03 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-5
+- KYOS-B:  If the authentication fails, the faillock module counts the data(#I7937W)
+
+* Fri Jun 02 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-4
+- KYOS-B: Device adapters do not update default devices that do not exist
+- KYOS-B: Multifactor authentication, handling only password authentication
+- KYOS-B: Update the logic of the default authentication device
+- KYOS-B: multi-factor no jump login
+
 * Wed May 31 2023 liuxinhao <liuxinhao@kylinsec.com.cn> - 2.5.1-3
 - KYOS-B: fix terminl authentication type check (#I792B4)
 - KYOS-B: Adjust the number of non-password authentication failures recorded in the PAM configuration file(#I7937W)

kiran-authentication-service.yaml

@@ -1,4 +1,4 @@
 version_control: gitee
-src_repo: https://gitee.com/openeuler/kiran-authentication-service.git
-tag_prefix: "v"
-seperator: "."
+src_repo: openeuler/kiran-authentication-service
+tag_prefix: "^v"
+separator: "."