From 67705ea59b8f62da14d79169036a54f10b379bca Mon Sep 17 00:00:00 2001 From: liuxinhao Date: Wed, 31 May 2023 16:27:58 +0800 Subject: [PATCH] fix(*): Fixed an issue with the first round of test in Part 2.5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 修复部分第一轮测试出现的问题 --- ...nal-Repair-authentication-type-check.patch | 32 ++ ...ust-the-number-of-non-password-authe.patch | 46 +++ ...rmission-Upgrade-the-permission-of-s.patch | 300 ++++++++++++++++++ ...-Fixed-an-authentication-failure-cau.patch | 227 +++++++++++++ ...r-Adjust-the-authentication-sequence.patch | 31 ++ kiran-authentication-service.spec | 17 +- 6 files changed, 651 insertions(+), 2 deletions(-) create mode 100644 0001-fix-auth-terminal-Repair-authentication-type-check.patch create mode 100644 0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch create mode 100644 0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch create mode 100644 0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch create mode 100644 0005-fix-auth-order-Adjust-the-authentication-sequence.patch diff --git a/0001-fix-auth-terminal-Repair-authentication-type-check.patch b/0001-fix-auth-terminal-Repair-authentication-type-check.patch new file mode 100644 index 0000000..f418299 --- /dev/null +++ b/0001-fix-auth-terminal-Repair-authentication-type-check.patch 
@@ -0,0 +1,32 @@
+From 313ce71e34f4af75f0b0ccbb954ffc89ff86fee6 Mon Sep 17 00:00:00 2001
+From: liuxinhao
+Date: Mon, 29 May 2023 20:32:15 +0800
+Subject: [PATCH 1/5] fix(auth terminal): Repair authentication type check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 修复命令行认证,认证类型检查问题
+
+Closes #I792B4
+---
+ src/pam/authentication-terminal.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
+index c6df098..5db6b1c 100644
+--- a/src/pam/authentication-terminal.cpp
++++ b/src/pam/authentication-terminal.cpp
+@@ -93,7 +93,8 @@ int32_t AuthenticationTerminal::requestAuthType()
+ authType == KADAuthType::KAD_AUTH_TYPE_FINGERPRINT ||
+ authType == KADAuthType::KAD_AUTH_TYPE_FINGERVEIN ||
+ authType == KADAuthType::KAD_AUTH_TYPE_UKEY ||
+- authType == KADAuthType::KAD_AUTH_TYPE_FACE)
++ authType == KADAuthType::KAD_AUTH_TYPE_FACE ||
++ authType == KADAuthType::KAD_AUTH_TYPE_IRIS)
+ {
+ return authType;
+ }
+-- 
+2.33.0
+
diff --git a/0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch b/0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch
new file mode 100644
index 0000000..5bbab2e
--- /dev/null
+++ b/0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch
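Review bot: The accepted-type check in `requestAuthType` is a hand-maintained `||` chain over KADAuthType, so every new type (IRIS here) has to be added by hand and the enum and this list drift apart, which is exactly the defect this patch repairs. Validating the user's choice against the list the daemon already returns for the application (`GetAuthTypeByApp`, which `notifySupportAuthType` calls in patch 0004 on this page) would keep the terminal from accepting a type that was never offered, e.g. `if (supportedTypes.contains(authType)) return authType;` with `supportedTypes` being the QList obtained from that call. Whether that list is already reachable from this function I cannot tell; `requestAuthType` starts and ends outside the hunk.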
@@ -0,0 +1,46 @@
+From e9d570e068bbb5ae1fd91a86b186cecf488ac771 Mon Sep 17 00:00:00 2001
+From: liuxinhao
+Date: Tue, 30 May 2023 09:25:03 +0800
+Subject: [PATCH 2/5] fix(pam conf): Adjust the number of non-password
+ authentication failures recorded in the PAM configuration file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 调整PAM配置文件,多路认证非密码认证失败记录错误次数
+
+Closes #I7937W
+---
+ data/kiran-authentication-service | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
+index e5d0f98..afc7e17 100644
+--- a/data/kiran-authentication-service
++++ b/data/kiran-authentication-service
+@@ -1,11 +1,16 @@
+-# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
+-auth [success=done ignore=ignore default=die] pam_kiran_authentication.so doauth
++# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
++# 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+ 
++# =========================认证配置项目================================ #
++# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
++auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
+ # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
+-#auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
+ #auth [success=2 default=bad] pam_kiran_authentication.so doauth
+-#auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
+-#auth required pam_debug
++# ==================================================================== #
++
++# 认证服务后续认证流程兼容,走系统错误计数failock, pam_debug只是修改认证状态值为成功
++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
++auth required pam_debug
+ 
+ # 认证成功,清理内部记录错误次数
+ account required pam_kiran_authentication.so authsucc
+\ No newline at end of file
+-- 
+2.33.0
+
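Review bot: The `ignore=2` on the `pam_kiran_authentication.so doauth` line, and the `success=2` on the commented multi-factor line under it, are jump counts tied to exactly how many uncommented `auth` lines follow in this file; re-enabling the commented line or inserting another module silently changes where the jump lands, and the line it can then land on is `auth required pam_debug`, whose default result for auth is success. I would record that next to the jump, e.g. `# ignore=2 skips the two auth lines below (pam_faillock authfail, pam_debug); keep the count in step with any edit`. As I read the control flags, `success=done`/`ignore=2`/`default=die` never reach the faillock and pam_debug lines from this file on its own, so they are only reached by a jump from an including stack, and a sentence naming which caller is expected to arrive there would help the next editor. The missing `.so` suffix on `pam_debug` is corrected by patch 0004 on this page, so it is not raised here.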
diff --git a/0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch b/0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
new file mode 100644
index 0000000..19718ae
--- /dev/null
+++ b/0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
@@ -0,0 +1,300 @@ +From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001 +From: liuxinhao +Date: Tue, 30 May 2023 11:11:48 +0800 +Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some + interfaces of the authentication service +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +- 提升部分认证服务接口权限至root,调用前需认证polkit + +Closes #I795QI +--- + data/com.kylinsec.Kiran.Authentication.xml | 7 ++- + src/daemon/auth-manager.cpp | 66 ++++++++++++++-------- + src/daemon/auth-manager.h | 46 ++++++++++----- + src/daemon/user.cpp | 2 +- + src/pam/authentication.cpp | 1 - + 5 files changed, 82 insertions(+), 40 deletions(-) + +diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml +index b575ebd..12b077f 100644 +--- a/data/com.kylinsec.Kiran.Authentication.xml ++++ b/data/com.kylinsec.Kiran.Authentication.xml +@@ -51,7 +51,7 @@ + + + +- ++ + + driver name + +@@ -73,7 +73,7 @@ + + The auth type. Refer to KADAuthType in kas-authentication-i.h + +- ++ + The default device ID. + + +@@ -82,6 +82,9 @@ + + The auth type. Refer to KADAuthType in kas-authentication-i.h + ++ ++ The default device ID. 
++ + + + +diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp +index 0a74682..7ebef89 100644 +--- a/src/daemon/auth-manager.cpp ++++ b/src/daemon/auth-manager.cpp +@@ -21,6 +21,7 @@ + #include "src/daemon/device/device-adaptor-factory.h" + #include "src/daemon/error.h" + #include "src/daemon/proxy/dbus-daemon-proxy.h" ++#include "src/daemon/proxy/polkit-proxy.h" + #include "src/daemon/session.h" + #include "src/daemon/user-manager.h" + #include "src/utils/utils.h" +@@ -34,6 +35,9 @@ + #include + #include + #include ++ ++#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration" ++ + namespace Kiran + { + // 会话ID的最大值 +@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout, + .arg(authApp) + .arg(this->message().service()) + .arg(sessionID); +- ++ + return QDBusObjectPath(session->getObjectPath()); + } + +@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType) + return DeviceAdaptorFactory::getInstance()->getDriversForType(authType); + } + +-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled) +-{ +- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled)) +- { +- DBUS_ERROR_REPLY(QDBusError::InternalError, +- KADErrorCode::ERROR_FAILED); +- } +-} +- + QDBusObjectPath AuthManager::FindUserByID(qulonglong uid) + { + auto pwent = getpwuid(uid); +@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType) + return m_authConfig->getAuthTypeEnable((KADAuthType)authType); + } + +-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled) +-{ +- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled); +-} +- + bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp) + { + return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp); + } + +-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled) +-{ +- 
m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled); +-} +- + /// @brief 通过认证应用枚举获取支持的认证类型或认证顺序 + /// @param authApp 应用程序所属的认证应用类型 + /// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型 +@@ -202,9 +187,9 @@ QList AuthManager::GetAuthTypeByApp(int32_t authApp) + auto sortedAuthTypes = authOrder; + + auto enabledAuthTypeIter = enabledAuthTypes.begin(); +- while(enabledAuthTypeIter != enabledAuthTypes.end()) ++ while (enabledAuthTypeIter != enabledAuthTypes.end()) + { +- if(!sortedAuthTypes.contains(*enabledAuthTypeIter)) ++ if (!sortedAuthTypes.contains(*enabledAuthTypeIter)) + { + sortedAuthTypes << *enabledAuthTypeIter; + } +@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName) + } + } + ++CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool); ++CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool); ++CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool); ++ + void AuthManager::init() + { + auto systemConnection = QDBusConnection::systemBus(); +@@ -276,6 +265,11 @@ void AuthManager::init() + connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString))); + } + ++QString AuthManager::calcAction(const QString &originAction) ++{ ++ return AUTH_USER_ADMIN; ++} ++ + int32_t AuthManager::generateSessionID() + { + // 最多生成10次,超过次数则返回失败 +@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID() + } + return -1; + } ++ ++void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled) ++{ ++ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled)) ++ { ++ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED); ++ } ++ ++ auto replyMessage = message.createReply(); ++ 
QDBusConnection::systemBus().send(replyMessage); ++} ++ ++void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled) ++{ ++ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled); ++ ++ auto replyMessage = message.createReply(); ++ QDBusConnection::systemBus().send(replyMessage); ++} ++ ++void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled) ++{ ++ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled); ++ ++ auto replyMessage = message.createReply(); ++ QDBusConnection::systemBus().send(replyMessage); ++} ++ + } // namespace Kiran +diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h +index 696dc96..e707e0b 100644 +--- a/src/daemon/auth-manager.h ++++ b/src/daemon/auth-manager.h +@@ -48,46 +48,64 @@ public: + int getMaxFailures(); + + public Q_SLOTS: // DBUS METHODS ++ /// normal ++ // 获取认证服务中用户DBUS对象 ++ QDBusObjectPath FindUserByID(qulonglong uid); ++ QDBusObjectPath FindUserByName(const QString &userName); ++ + // 认证会话创建以及销毁 + QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp); + void DestroySession(uint sessionID); + ++ // 根据认证类型获取驱动列表 + QString GetDriversForType(int authType); +- void SetDrivereEanbled(const QString& driverName,bool enabled); + +- // 获取认证服务中用户DBUS对象 +- QDBusObjectPath FindUserByID(qulonglong uid); +- QDBusObjectPath FindUserByName(const QString &userName); +- +- // 获取认证设备 ++ // 根据认证类型获取设备列表 + QString GetDevicesForType(int authType); +- // 获取默认认证设备 +- QString GetDefaultDeviceID(int authType); +- // 设置默认设备ID +- void SetDefaultDeviceID(int authType, const QString &deviceID); + +- // 认证类型总开关 ++ // 获取认证类型是否启用 + bool GetAuthTypeEnabled(int authType); +- void SetAuthTypeEnabled(int authType,bool enabled); + +- // 获取/设置指定认证场景下认证类型的开关 ++ // 获取认证类型认证场景(认证应用)是否启用 + bool GetAuthTypeEnabledForApp(int authType,int authApp); +- void SetAuthTypeEnabledForApp(int 
authType, int authApp, bool enabled); ++ ++ // 默认设备 ++ QString GetDefaultDeviceID(int authType); ++ void SetDefaultDeviceID(int authType, const QString &deviceID); + + // 通过pam服务名查询属于哪个认证场景 ++ // 例如: ++ // lightdm->KAD_AUTH_APPLICATION_LOGIN, ++ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK + int QueryAuthApp(const QString &pamServiceName); ++ + // 通过指定的认证应用获取支持的认证类型,返回值为有序列表 + QList GetAuthTypeByApp(int32_t authApp); + + void onNameLost(const QString &serviceName); + ++ // root ++ // 设备驱动控制 ++ void SetDrivereEnabled(const QString& driverName,bool enabled); ++ ++ // 认证类型总开关 ++ void SetAuthTypeEnabled(int authType,bool enabled); ++ ++ // 获取/设置指定认证场景下认证类型的开关 ++ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled); ++ + signals: + void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal); + + private: + void init(); ++ // 需要管理员权限 ++ QString calcAction(const QString &originAction); + // 生成一个唯一的会话ID + int32_t generateSessionID(); ++ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled); ++ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled); ++ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled); + + private: + static AuthManager *m_instance; +diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp +index 1b77bf0..c9d98bb 100644 +--- a/src/daemon/user.cpp ++++ b/src/daemon/user.cpp +@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii + if (!getIIDs().contains(iid)) + { + USER_WARNING() << "delete identification" << iid << "error,can not find!"; +- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT); ++ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT); + } + + USER_DEBUG() << "delete identification" << iid; +diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp 
+index 192a1b1..6a165fd 100644
+--- a/src/pam/authentication.cpp
++++ b/src/pam/authentication.cpp
+@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
+ {
+ }
+ 
+-// TODO polkit 认证 超时,未结束认证
+ Authentication::~Authentication()
+ {
+ if (this->m_authSessionProxy && this->m_authManagerProxy)
+-- 
+2.33.0
+
diff --git a/0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch b/0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch
new file mode 100644
index 0000000..30231fc
--- /dev/null
+++ b/0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch
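Review bot: In `AuthManager::onSetDriverEnabled` the failure branch sends an error reply with `DBUS_ERROR_REPLY_ASYNC(message, ...)` but does not return, so the method falls through to `message.createReply()` and sends a second, successful reply to the same call; the same patch uses `DBUS_ERROR_REPLY_ASYNC_AND_RET` in user.cpp for exactly this case, so the branch should read `DBUS_ERROR_REPLY_ASYNC_AND_RET(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);`. `calcAction` ignores `originAction` and returns `AUTH_USER_ADMIN` unconditionally, which is fine while the three gated setters share one action but deserves a comment such as `// every privileged method of this object maps to the single user-administration action` so the unused parameter is not mistaken for a bug. The `// TODO polkit 认证 超时,未结束认证` comment is dropped from authentication.cpp without a visible change addressing the timeout; if it is still open, keep the TODO. The D-Bus method is renamed from `SetDrivereEanbled` to `SetDrivereEnabled`, so any external caller bound to the old name breaks, and whether the introspection XML in this patch matches I cannot tell because its hunk content is stripped here.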
@@ -0,0 +1,227 @@
+From 945a85d4d7867d103d1a98093cc5122fadd55845 Mon Sep 17 00:00:00 2001
+From: liuxinhao
+Date: Wed, 31 May 2023 14:19:54 +0800
+Subject: [PATCH 4/5] fix(multi factor): Fixed an authentication failure caused
+ by disabling all authentication modes during multi-factor authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- 修复多因子认证时,关闭所有非密码认证,认证失败的问题,认证服务进行密码认证时放行,密码认证流程由PAM模块以及PAM配置管理
+
+Closes #I79I33
+---
+ data/kiran-authentication-service | 7 +++--
+ src/daemon/auth-manager.cpp | 1 +
+ src/daemon/session.cpp | 29 +++++++++++++------
+ src/daemon/session.h | 1 +
+ src/pam/authentication-graphical.cpp | 1 -
+ src/pam/authentication-terminal.cpp | 1 -
+ src/pam/authentication.cpp | 6 ----
+ .../kiran-authentication-daemon.zh_CN.ts | 11 +++++--
+ 8 files changed, 35 insertions(+), 22 deletions(-)
+
+diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
+index afc7e17..e0f2763 100644
+--- a/data/kiran-authentication-service
++++ b/data/kiran-authentication-service
+@@ -1,5 +1,8 @@
+-# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
++# NOTE:
++# 需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+ # 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
++# sudo 若用户已锁定,仍然会尝试多次
++# sudo visudo ,添加'Defaults passwd_tries=1'行,将sudo尝试次数修改为1
+ 
+ # =========================认证配置项目================================ #
+ # 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
+@@ -10,7 +13,7 @@ auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
+ 
+ # 认证服务后续认证流程兼容,走系统错误计数failock, pam_debug只是修改认证状态值为成功
+ auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
+-auth required pam_debug
++auth required pam_debug.so
+ 
+ # 认证成功,清理内部记录错误次数
+ account required pam_kiran_authentication.so authsucc
+\ No newline at end of file
+diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
+index 7ebef89..3d7aaf0 100644
+--- a/src/daemon/auth-manager.cpp ++++ b/src/daemon/auth-manager.cpp +@@ -196,6 +196,7 @@ QList AuthManager::GetAuthTypeByApp(int32_t authApp) + enabledAuthTypeIter++; + } + ++ sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD; + KLOG_DEBUG() << "get auth types by app:" << authApp << "result:" << sortedAuthTypes; + return sortedAuthTypes; + } +diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp +index f24a697..e8c516b 100644 +--- a/src/daemon/session.cpp ++++ b/src/daemon/session.cpp +@@ -128,17 +128,11 @@ void Session::StartAuth() + DBUS_ERROR_REPLY_AND_RET(QDBusError::AccessDenied, KADErrorCode::ERROR_USER_IDENTIFIYING); + } + +- if (this->m_authType == KAD_AUTH_TYPE_NONE || this->m_authType == KAD_AUTH_TYPE_PASSWORD) +- { +- KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed"; +- DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED); +- } +- + KLOG_DEBUG() << m_sessionID << "start auth"; + this->m_verifyInfo.m_inAuth = true; + this->m_verifyInfo.m_dbusMessage = this->message(); + this->startPhaseAuth(); +-} ++} + + void Session::StopAuth() + { +@@ -258,11 +252,15 @@ void Session::startPhaseAuth() + + // 开始阶段认证前,通知认证类型状态变更 + emit this->m_dbusAdaptor->AuthTypeChanged(this->m_authType); ++ + switch (this->m_authType) + { + case KAD_AUTH_TYPE_UKEY: + startUkeyAuth(); + break; ++ case KAD_AUTH_TYPE_PASSWORD: ++ startPasswdAuth(); ++ break; + default: + startGeneralAuth(); + break; +@@ -282,6 +280,14 @@ void Session::startUkeyAuth() + Q_EMIT this->AuthPrompt(tr("please input ukey code."), KADPromptType::KAD_PROMPT_TYPE_SECRET); + } + ++void Session::startPasswdAuth() ++{ ++ KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!"; ++ this->m_verifyInfo.m_inAuth = true; ++ this->m_verifyInfo.m_authenticatedUserName = m_userName; ++ this->finishPhaseAuth(true,false); ++} ++ + void Session::startGeneralAuth(const QString &extraInfo) + { + auto deviceType = 
Utils::authType2DeviceType(this->m_authType); +@@ -299,7 +305,8 @@ void Session::startGeneralAuth(const QString &extraInfo) + { + auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType); + KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType; +- Q_EMIT this->AuthMessage(tr(QString("can not find %1 device").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR); ++ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR); ++ + this->finishPhaseAuth(false, false); + return; + } +@@ -352,7 +359,11 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure) + break; + case KADAuthMode::KAD_AUTH_MODE_AND: + { +- this->m_authOrderWaiting.removeOne(this->m_authType); ++ if( this->m_authOrderWaiting.size() > 0 ) ++ { ++ this->m_authOrderWaiting.removeOne(this->m_authType); ++ } ++ + if (this->m_authOrderWaiting.size() == 0) + { + this->finishAuth(isSuccess, recordFailure); +diff --git a/src/daemon/session.h b/src/daemon/session.h +index 2998f73..a850237 100644 +--- a/src/daemon/session.h ++++ b/src/daemon/session.h +@@ -98,6 +98,7 @@ private: + private: + void startPhaseAuth(); + void startUkeyAuth(); ++ void startPasswdAuth(); + void startGeneralAuth(const QString &extraInfo = QString()); + + void finishPhaseAuth(bool isSuccess,bool recordFailure = true); +diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp +index 619f3cf..2f104ac 100644 +--- a/src/pam/authentication-graphical.cpp ++++ b/src/pam/authentication-graphical.cpp +@@ -64,7 +64,6 @@ void AuthenticationGraphical::notifySupportAuthType() + { + auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication); + QList authTypeList = authType.value(); +- authTypeList << KAD_AUTH_TYPE_PASSWORD; + + QStringList authTypeStrList; + for (auto authType : authTypeList) +diff --git 
a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp +index 5db6b1c..01d66c6 100644 +--- a/src/pam/authentication-terminal.cpp ++++ b/src/pam/authentication-terminal.cpp +@@ -34,7 +34,6 @@ void AuthenticationTerminal::notifySupportAuthType() + { + auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication); + QList authTypeList = authType.value(); +- authTypeList << KAD_AUTH_TYPE_PASSWORD; + + QList tempAuthTypeList; + for (auto authType : authTypeList) +diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp +index 6a165fd..06bc010 100644 +--- a/src/pam/authentication.cpp ++++ b/src/pam/authentication.cpp +@@ -184,14 +184,8 @@ int Authentication::startAuthPre() + { + auto authTypeReply = m_authManagerProxy->GetAuthTypeByApp(m_authApplication); + QList authTypeList = authTypeReply.value(); +- if (m_authApplication == KAD_AUTH_APPLICATION_NONE || authTypeList.isEmpty()) +- { +- this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported or authentication type is not configured.").arg(this->m_serviceName)); +- return PAM_IGNORE; +- } + + this->notifyAuthMode(); +- + RETURN_VAL_IF_TRUE(!this->initSession(), PAM_SYSTEM_ERR); + + if (this->m_authManagerProxy->authMode() == KADAuthMode::KAD_AUTH_MODE_OR) +diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts +index 4292ee7..8c03e2c 100644 +--- a/translations/kiran-authentication-daemon.zh_CN.ts ++++ b/translations/kiran-authentication-daemon.zh_CN.ts +@@ -12,20 +12,25 @@ + + Kiran::Session + +- ++ + Please wait while the %1 request is processed + %1认证请求正在等待处理 + + +- ++ + Insert the UKey and enter the PIN code + 请插入UKey并输入PIN码 + + +- ++ + please input ukey code. + 请输入PIN码。 + ++ ++ ++ can not find %1 device ++ 未能检测到%1设备 ++ + + + Kiran::User +-- +2.33.0 + 
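Review bot: `Session::startPasswdAuth` reports a successful phase via `finishPhaseAuth(true, false)` and records `m_authenticatedUserName = m_userName` without any credential having been checked, now that `StartAuth` no longer rejects `KAD_AUTH_TYPE_PASSWORD`; the commit message says the PAM module and PAM configuration own the password check, but nothing in this hunk shows the PAM side mapping a PASSWORD-type session result to a fall-through rather than to the `success=done` in the PAM file, so please confirm that path and say so above the call, e.g. `// Not a verified credential: the PAM stack checks the password, this only hands the phase back`. Since the unverified state is also visible to anything that reads `m_authenticatedUserName` afterwards, consider leaving it unset for the password phase. In `Authentication::startAuthPre` the removed block also dropped the `m_authApplication == KAD_AUTH_APPLICATION_NONE` early `PAM_IGNORE`, so an unrecognised PAM service now proceeds to `initSession`; if only the empty-list case was meant to go away, keep `if (m_authApplication == KAD_AUTH_APPLICATION_NONE) return PAM_IGNORE;`. `this->m_verifyInfo.m_inAuth = true;` in `startPasswdAuth` repeats what `StartAuth` already set a few lines earlier in the same hunk.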
diff --git a/0005-fix-auth-order-Adjust-the-authentication-sequence.patch b/0005-fix-auth-order-Adjust-the-authentication-sequence.patch new file mode 100644 index 0000000..146eb9a --- /dev/null +++ b/0005-fix-auth-order-Adjust-the-authentication-sequence.patch @@ -0,0 +1,31 @@ +From 169a18a2d098edf8ba869368d52ea5719509a10d Mon Sep 17 00:00:00 2001 +From: liuxinhao +Date: Wed, 31 May 2023 14:23:51 +0800 +Subject: [PATCH 5/5] fix(auth order): Adjust the authentication sequence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +- 依据需求文档调整认证顺序 + +Closes #I79FVY +--- + data/kad.ini | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/data/kad.ini b/data/kad.ini +index eaaa05a..5c7b281 100644 +--- a/data/kad.ini ++++ b/data/kad.ini +@@ -2,7 +2,7 @@ + #多因子认证,需多个认证方式认证通过,And + #多路认证,多个认证方式选择一个通过即可,Or + AuthMode=Or +-AuthOrder=fingerprint,fingervein,face,iris,ukey ++AuthOrder=iris,face,fingerprint,fingervein,ukey + #内置最大错误次数判断,错误超过该次数后,该用户将无法使用生物认证(认证服务提供的认证方式) + #只针对与多路认证,多因子认证错误次数不由认证服务接管 + MaxFailures=3 +-- +2.33.0 + diff --git a/kiran-authentication-service.spec b/kiran-authentication-service.spec index 54d0759..70270b5 100644 --- a/kiran-authentication-service.spec +++ b/kiran-authentication-service.spec @@ -1,12 +1,18 @@ Name: kiran-authentication-service Version: 2.5.1 -Release: 2 +Release: 3 Summary: Kiran Desktop kiran authentication service License: MulanPSL-2.0 URL: http://www.kylinsec.com.cn Source0: %{name}-%{version}.tar.gz +Patch0001: 0001-fix-auth-terminal-Repair-authentication-type-check.patch +Patch0002: 0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch +Patch0003: 0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch +Patch0004: 0004-fix-multi-factor-Fixed-an-authentication-failure-cau.patch +Patch0005: 0005-fix-auth-order-Adjust-the-authentication-sequence.patch + BuildRequires: systemd BuildRequires: systemd-devel BuildRequires: gcc 
@@ -81,7 +87,14 @@ systemctl enable kiran-authentication-daemon.service %{_includedir}/kiran-authentication-service/kas-authentication-i.h %changelog -* Wed May 24 2023 liuxinhao - 2.5.1-2 +* Wed May 31 2023 liuxinhao - 2.5.1-3 +- KYOS-B: fix terminl authentication type check (#I792B4) +- KYOS-B: Adjust the number of non-password authentication failures recorded in the PAM configuration file(#I7937W) +- KYOS-B: Upgrade the permission of some interfaces of the authentication service(#I795QI) +- KYOS-B: Fixed an authentication failure caused by disabling all authentication modes during multi-factor authentication(#I79I33) +- KYOS-B: Adjust the authentication sequence(#I79FVY) + +* Wed May 24 2023 liuxinhao - 2.5.1-2 - KYOS-F: Remove Require kiran-control-panel * Wed May 24 2023 liuxinhao - 2.5.1-1 -- Gitee