From 1ee9278786491c46be6526a5100618ea44e40f0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= Date: Mon, 15 Feb 2021 20:59:57 +0100 Subject: [PATCH] gdm: Don't try to retry authenticating when the service is unavailable In the case a service is not available (as it can be in the fingereprint case when a supported reader is available but has not enrolled prints) we were trying indefinitely to restart it, however this can lead to troubles since commit 7a2e629b as when the service conversation was stopped we had no way to figure out this case and we'd end up to eventually fail the whole authentication. However, in such cases the PAM services are expected to return a PAM_AUTHINFO_UNAVAIL and gdm to handle it, emitting service-unavailable signal. So connect to ::service-unavailable and keep track of the unavailable services so that we can avoid retrying with them. In case such service is not the foreground one, we can just silently ignore the error as we did before commit 7a2e629b, without bothering failing the whole verification. In case we got a valid error message on service-unavailable, we also show it, this is normally not happening unless GDM isn't redirecting here other kind of problems (such as MAXTRIES) which are supposed to stop the authentication stopping any further retry. Closes: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/3734 Part-of: --- js/gdm/util.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/js/gdm/util.js b/js/gdm/util.js index a91badf4f..ddd03c5f0 100644 --- a/js/gdm/util.js +++ b/js/gdm/util.js @@ -175,6 +175,7 @@ var ShellUserVerifier = class { this.reauthenticating = false; this._failCounter = 0; + this._unavailableServices = new Set(); this._credentialManagers = {}; this._credentialManagers[OVirt.SERVICE_NAME] = OVirt.getOVirtCredentialsManager(); @@ -452,6 +453,8 @@ var ShellUserVerifier = class { this._signalIds.push(id); id = this._userVerifier.connect('conversation-stopped', this._onConversationStopped.bind(this)); this._signalIds.push(id); + id = this._userVerifier.connect('service-unavailable', this._onServiceUnavailable.bind(this)); + this._signalIds.push(id); id = this._userVerifier.connect('reset', this._onReset.bind(this)); this._signalIds.push(id); id = this._userVerifier.connect('verification-complete', this._onVerificationComplete.bind(this)); @@ -598,6 +601,7 @@ var ShellUserVerifier = class { _onReset() { // Clear previous attempts to authenticate this._failCounter = 0; + this._unavailableServices.clear(); this._updateDefaultService(); this.emit('reset'); @@ -661,6 +665,16 @@ var ShellUserVerifier = class { this.emit('verification-failed', serviceName, canRetry); } + _onServiceUnavailable(_client, serviceName, errorMessage) { + this._unavailableServices.add(serviceName); + + if (!errorMessage) + return; + + if (this.serviceIsForeground(serviceName) || this.serviceIsFingerprint(serviceName)) + this._queueMessage(serviceName, errorMessage, MessageType.ERROR); + } + _onConversationStopped(client, serviceName) { // If the login failed with the preauthenticated oVirt credentials // then discard the credentials and revert to default authentication @@ -674,6 +688,9 @@ var ShellUserVerifier = class { return; } + if (this._unavailableServices.has(serviceName)) + return; + // if the password service fails, then cancel everything. // But if, e.g., fingerprint fails, still give // password authentication a chance to succeed