Merge pull request #15442 from poettering/fido2

[thirdparty/systemd.git] / src / home / user-record-util.c

diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c
index 0881d1472c9314f7bd4be0029f01ab4369ea7d77..5d0ac8653387de240f98b727e84efe86eff73f2c 100644 (file)
--- a/src/home/user-record-util.c
+++ b/src/home/user-record-util.c
@@ -887,7 +887,7 @@ int user_record_set_password(UserRecord *h, char **password, bool prepend) {
         return 0;
 }
 
-int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
+int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend) {
         _cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
         _cleanup_(strv_free_erasep) char **e = NULL;
         int r;
@@ -899,17 +899,17 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
                 if (!e)
                         return -ENOMEM;
 
-                r = strv_extend_strv(&e, h->pkcs11_pin, true);
+                r = strv_extend_strv(&e, h->token_pin, true);
                 if (r < 0)
                         return r;
 
                 strv_uniq(e);
 
-                if (strv_equal(h->pkcs11_pin, e))
+                if (strv_equal(h->token_pin, e))
                         return 0;
 
         } else {
-                if (strv_equal(h->pkcs11_pin, pin))
+                if (strv_equal(h->token_pin, pin))
                         return 0;
 
                 e = strv_copy(pin);
@@ -922,7 +922,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
         w = json_variant_ref(json_variant_by_key(h->json, "secret"));
 
         if (strv_isempty(e))
-                r = json_variant_filter(&w, STRV_MAKE("pkcs11Pin"));
+                r = json_variant_filter(&w, STRV_MAKE("tokenPin"));
         else {
                 _cleanup_(json_variant_unrefp) JsonVariant *l = NULL;
 
@@ -932,7 +932,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
 
                 json_variant_sensitive(l);
 
-                r = json_variant_set_field(&w, "pkcs11Pin", l);
+                r = json_variant_set_field(&w, "tokenPin", l);
         }
         if (r < 0)
                 return r;
@@ -943,7 +943,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
         if (r < 0)
                 return r;
 
-        strv_free_and_replace(h->pkcs11_pin, e);
+        strv_free_and_replace(h->token_pin, e);
 
         SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w));
         return 0;
@@ -980,6 +980,34 @@ int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h
         return 0;
 }
 
+int user_record_set_fido2_user_presence_permitted(UserRecord *h, int b) {
+        _cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
+        int r;
+
+        assert(h);
+
+        w = json_variant_ref(json_variant_by_key(h->json, "secret"));
+
+        if (b < 0)
+                r = json_variant_filter(&w, STRV_MAKE("fido2UserPresencePermitted"));
+        else
+                r = json_variant_set_field_boolean(&w, "fido2UserPresencePermitted", b);
+        if (r < 0)
+                return r;
+
+        if (json_variant_is_blank_object(w))
+                r = json_variant_filter(&h->json, STRV_MAKE("secret"));
+        else
+                r = json_variant_set_field(&h->json, "secret", w);
+        if (r < 0)
+                return r;
+
+        h->fido2_user_presence_permitted = b;
+
+        SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w));
+        return 0;
+}
+
 static bool per_machine_entry_empty(JsonVariant *v) {
         const char *k;
         _unused_ JsonVariant *e;
@@ -1062,12 +1090,22 @@ int user_record_merge_secret(UserRecord *h, UserRecord *secret) {
         if (r < 0)
                 return r;
 
-        r = user_record_set_pkcs11_pin(h, secret->pkcs11_pin, true);
+        r = user_record_set_token_pin(h, secret->token_pin, true);
         if (r < 0)
                 return r;
 
         if (secret->pkcs11_protected_authentication_path_permitted >= 0) {
-                r = user_record_set_pkcs11_protected_authentication_path_permitted(h, secret->pkcs11_protected_authentication_path_permitted);
+                r = user_record_set_pkcs11_protected_authentication_path_permitted(
+                                h,
+                                secret->pkcs11_protected_authentication_path_permitted);
+                if (r < 0)
+                        return r;
+        }
+
+        if (secret->fido2_user_presence_permitted >= 0) {
+                r = user_record_set_fido2_user_presence_permitted(
+                                h,
+                                secret->fido2_user_presence_permitted);
                 if (r < 0)
                         return r;
         }