pam/authentication: Start new auth only after cancellation is notified

In case we're still in the process of cancelling the authentication we should not continue with the current action until we're notified that the cancellation is completed. This is needed because otherwise we may end up into this situation: - reselectAuthMode - AuthModeSelected - ... - startAuthentication - isAuthenticatedResultReceived: cancelled Or a bit less extreme, but still getting the cancelled event while we're selecting the authentication mode. And this mis-order causes troubles when passing the data to gdm
ubuntu · Jun 27, 2024 · b3ab93c · b3ab93c
1 parent 3d3a967
commit b3ab93c
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 14 deletions.
diff --git a/pam/internal/adapter/authentication.go b/pam/internal/adapter/authentication.go
@@ -90,11 +90,12 @@ type authenticationModel struct {
 	client     authd.PAMClient
 	clientType PamClientType
 
-	currentModel          authenticationComponent
-	currentSessionID      string
-	currentBrokerID       string
-	currentChallenge      string
-	cancelIsAuthenticated func()
+	currentModel     authenticationComponent
+	currentSessionID string
+	currentBrokerID  string
+	currentChallenge string
+	cancelAuthFunc   func()
+	postCancellation []tea.Cmd
 
 	encryptionKey *rsa.PublicKey
 
@@ -124,9 +125,8 @@ type newPasswordCheckResult struct {
 // newAuthenticationModel initializes a authenticationModel which needs to be Compose then.
 func newAuthenticationModel(client authd.PAMClient, clientType PamClientType) authenticationModel {
 	return authenticationModel{
-		client:                client,
-		clientType:            clientType,
-		cancelIsAuthenticated: func() {},
+		client:     client,
+		clientType: clientType,
 	}
 }
 
@@ -135,12 +135,27 @@ func (m *authenticationModel) Init() tea.Cmd {
 	return nil
 }
 
+func (m *authenticationModel) cancelIsAuthenticated() {
+	if m.cancelAuthFunc == nil {
+		return
+	}
+	m.cancelAuthFunc()
+	m.cancelAuthFunc = nil
+}
+
 // Update handles events and actions.
 func (m *authenticationModel) Update(msg tea.Msg) (authenticationModel, tea.Cmd) {
 	switch msg := msg.(type) {
 	case reselectAuthMode:
+		cmd := sendEvent(AuthModeSelected{})
+		if m.cancelAuthFunc == nil {
+			return *m, cmd
+		}
+
+		// We need to wait until the cancellation actually happens before
+		// starting again the authentication.
+		m.postCancellation = append(m.postCancellation, cmd)
 		m.cancelIsAuthenticated()
-		return *m, sendEvent(AuthModeSelected{})
 
 	case newPasswordCheck:
 		res := newPasswordCheckResult{challenge: msg.challenge}
@@ -153,7 +168,7 @@ func (m *authenticationModel) Update(msg tea.Msg) (authenticationModel, tea.Cmd)
 		log.Debugf(context.TODO(), "%#v", msg)
 		m.cancelIsAuthenticated()
 		ctx, cancel := context.WithCancel(context.Background())
-		m.cancelIsAuthenticated = cancel
+		m.cancelAuthFunc = cancel
 
 		// Store the current challenge, if present, for password verifications.
 		challenge, ok := msg.item.(*authd.IARequest_AuthenticationData_Challenge)
@@ -213,8 +228,8 @@ func (m *authenticationModel) Update(msg tea.Msg) (authenticationModel, tea.Cmd)
 			return *m, sendEvent(GetAuthenticationModesRequested{})
 
 		case brokers.AuthCancelled:
-			// nothing to do
-			return *m, nil
+			defer func() { m.postCancellation = nil }()
+			return *m, tea.Sequence(m.postCancellation...)
 		}
 
 	case errMsgToDisplay:
@@ -271,7 +286,7 @@ func (m *authenticationModel) Compose(brokerID, sessionID string, encryptionKey
 	m.currentBrokerID = brokerID
 	m.currentSessionID = sessionID
 	m.encryptionKey = encryptionKey
-	m.cancelIsAuthenticated = func() {}
+	m.cancelAuthFunc = nil
 
 	m.errorMsg = ""
 
@@ -328,7 +343,7 @@ func (m authenticationModel) View() string {
 // Resets zeroes any internal state on the authenticationModel.
 func (m *authenticationModel) Reset() {
 	m.cancelIsAuthenticated()
-	m.cancelIsAuthenticated = func() {}
+	m.cancelAuthFunc = nil
 	m.currentModel = nil
 	m.currentSessionID = ""
 	m.currentBrokerID = ""

diff --git a/pam/internal/adapter/gdmmodel_test.go b/pam/internal/adapter/gdmmodel_test.go
@@ -914,6 +914,7 @@ func TestGdmModel(t *testing.T) {
 				gdm.EventType_uiLayoutReceived,
 				gdm.EventType_startAuthentication,
 				gdm.EventType_authEvent,
+				gdm.EventType_authEvent,
 			},
 			wantStage: pam_proto.Stage_challenge,
 			wantGdmAuthRes: []*authd.IAResponse{
@@ -1076,6 +1077,92 @@ func TestGdmModel(t *testing.T) {
 			},
 			wantExitStatus: PamSuccess{BrokerID: firstBrokerInfo.Id},
 		},
+		"Authenticated with qrcode regenerated after wait started at auth selection stage from client after client-side broker and auth mode selection": {
+			supportedLayouts: []*authd.UILayout{
+				pam_test.FormUILayout(),
+				pam_test.QrCodeUILayout(),
+			},
+			clientOptions: append(slices.Clone(singleBrokerClientOptions),
+				pam_test.WithUILayout("qrcode", "Hello QR!", pam_test.QrCodeUILayout()),
+				// It's long because we want to cancel this!
+				pam_test.WithIsAuthenticatedWantWait(time.Millisecond*1500),
+			),
+			gdmEvents: []*gdm.EventData{
+				gdm_test.SelectUserEvent("gdm-selected-user-broker-and-auth-mode"),
+			},
+			messages: []tea.Msg{
+				gdmTestWaitForStage{
+					stage: pam_proto.Stage_brokerSelection,
+					events: []*gdm.EventData{
+						gdm_test.SelectBrokerEvent(firstBrokerInfo.Id),
+					},
+				},
+				gdmTestWaitForStage{
+					stage: pam_proto.Stage_challenge,
+					events: []*gdm.EventData{
+						gdm_test.ChangeStageEvent(pam_proto.Stage_authModeSelection),
+					},
+					commands: []tea.Cmd{
+						sendEvent(gdmTestWaitForStage{
+							stage: pam_proto.Stage_authModeSelection,
+							events: []*gdm.EventData{
+								gdm_test.AuthModeSelectedEvent("qrcode"),
+							},
+							commands: []tea.Cmd{
+								sendEvent(gdmTestSendAuthDataWhenReady{&authd.IARequest_AuthenticationData_Wait{
+									Wait: "true",
+								}}),
+								sendEvent(gdmTestWaitForStage{
+									stage: pam_proto.Stage_challenge,
+									events: []*gdm.EventData{
+										gdm_test.ReselectAuthMode(),
+									},
+								}),
+								sendEvent(gdmTestSendAuthDataWhenReady{&authd.IARequest_AuthenticationData_Wait{
+									Wait: "true",
+								}}),
+							},
+						}),
+					},
+				},
+			},
+			wantUsername:       "gdm-selected-user-broker-and-auth-mode",
+			wantSelectedBroker: firstBrokerInfo.Id,
+			wantGdmRequests: []gdm.RequestType{
+				gdm.RequestType_uiLayoutCapabilities,
+				gdm.RequestType_changeStage, // -> broker Selection
+				gdm.RequestType_changeStage, // -> authMode Selection
+				gdm.RequestType_changeStage, // -> challenge
+				gdm.RequestType_changeStage, // -> authMode Selection
+				gdm.RequestType_changeStage, // -> challenge
+			},
+			wantMessages: []tea.Msg{
+				startAuthentication{},
+				startAuthentication{},
+				startAuthentication{},
+			},
+			wantGdmEvents: []gdm.EventType{
+				gdm.EventType_userSelected,
+				gdm.EventType_brokersReceived,
+				gdm.EventType_brokerSelected,
+				gdm.EventType_authModeSelected,
+				gdm.EventType_uiLayoutReceived,
+				gdm.EventType_startAuthentication,
+				gdm.EventType_authModeSelected,
+				gdm.EventType_authEvent,
+				gdm.EventType_uiLayoutReceived,
+				gdm.EventType_startAuthentication,
+				gdm.EventType_authEvent,
+				gdm.EventType_authEvent,
+			},
+			wantStage: pam_proto.Stage_challenge,
+			wantGdmAuthRes: []*authd.IAResponse{
+				{Access: brokers.AuthCancelled},
+				{Access: brokers.AuthCancelled},
+				{Access: brokers.AuthGranted},
+			},
+			wantExitStatus: PamSuccess{BrokerID: firstBrokerInfo.Id},
+		},
 		"Broker selection stage from client after client-side broker and auth mode selection if there is only one auth mode": {
 			gdmEvents: []*gdm.EventData{
 				gdm_test.SelectUserEvent("gdm-selected-user-broker-and-auth-mode"),