From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 18 Sep 2018 18:15:02 +0200 Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option If the --wait_for_card is used to call p11_child the PAM responder should be prepared to wait longer until p11_child can return successfully. Related to https://pagure.io/SSSD/sssd/issue/3650 Reviewed-by: Jakub Hrozek
--- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 14 ++++++++++++++ src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++ src/util/util.h | 1 + 7 files changed, 34 insertions(+)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 625d156..87904c2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -130,6 +130,7 @@
 #define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
 #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
 #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
 #define CONFDB_PAM_APP_SERVICES "pam_app_services"
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 81a03ad..4d1dba2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -104,6 +104,7 @@ option_strings = {
 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
 'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
 'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
 # [sudo]
 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 78f215e..50a8f1d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -127,6 +127,7 @@ option = pam_cert_db_path
 option = p11_child_timeout
 option = pam_app_services
 option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52494c0..bb686c3 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
 pam_app_services = str, None, false
 pam_p11_allowed_services = str, None, false
+p11_wait_for_card_timeout = int, None, false
 [sudo]
 # sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c1e3895..4df0163 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login + + p11_wait_for_card_timeout (integer) + + + If Smartcard authentication is required how many + extra seconds in addition to p11_child_timeout + should the PAM responder wait until a Smartcard is + inserted. + + + Default: 60 + + +
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 817f3c5..c8df32d 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
 struct pam_data *pd)
 {
 int p11_child_timeout;
+ int wait_for_card_timeout;
 char *cert_verification_opts;
 errno_t ret;
 struct tevent_req *req;
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
 ret, sss_strerror(ret));
 return ret;
 }
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
+ &wait_for_card_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ p11_child_timeout += wait_for_card_timeout;
+ }
 ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY, CONFDB_MONITOR_CERT_VERIFICATION, NULL,
diff --git a/src/util/util.h b/src/util/util.h
index 59e7a96..e3e9100 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
 #define P11_CHILD_LOG_FILE "p11_child"
 #define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
 #define P11_CHILD_TIMEOUT_DEFAULT 10
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
 #endif /* SSSD_LIBEXEC_PATH */
 #endif /* __SSSD_UTIL_H__ */
-- 2.9.5
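Review bot: The added `p11_child_timeout += wait_for_card_timeout;` in check_cert() uses the confdb value unchecked, so a negative `p11_wait_for_card_timeout` in sssd.conf shrinks the p11_child timeout (possibly to zero or below) and a very large one overflows the signed addition, which is undefined behaviour; a range check belongs between the `confdb_get_int()` error path and the addition. The error path that forms the hunk's leading context looks like the read of `p11_child_timeout` itself, so that value is presumably unvalidated too, which the guard below also covers (INT_MAX needs `<limits.h>` if the file does not include it already). The `if` on the first added line additionally requires `pd->priv == 1`, which the man-page text in this patch does not mention; a one-line comment stating why the extra wait is limited to `pd->priv == 1` callers would record the intent, since the meaning of `priv` is not visible in the hunk. The debug message says `wait_for_card_timeout` while the confdb key is `p11_wait_for_card_timeout`; `"Failed to read p11_wait_for_card_timeout from confdb: [%d]: %s\n"` keeps the log line greppable against the option name. check_cert() starts and ends outside the hunk.

```c
    if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
        /* … unchanged: confdb_get_int() call and its error path … */

        /* Reject values that would shrink the timeout or overflow the sum. */
        if (wait_for_card_timeout < 0 || p11_child_timeout < 0
                || wait_for_card_timeout > INT_MAX - p11_child_timeout) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Invalid p11_wait_for_card_timeout value [%d].\n",
                  wait_for_card_timeout);
            return EINVAL;
        }

        p11_child_timeout += wait_for_card_timeout;
    }
```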