ipa-otpd: add passkey_child_debug_level option

Setting passkey_child_debug_level in default.conf sets the debug level of
the passkey_child helper utility.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Sumit Bose 2023-03-29 18:39:34 +02:00 committed by Florence Blanc-Renaud
parent b252988da6
commit 8d12d497f6
2 changed files with 43 additions and 0 deletions


@ -166,6 +166,9 @@ Specifies the mount point that the development server will register. The default
.B oidc_child_debug_level <debuglevel> .B oidc_child_debug_level <debuglevel>
Specifies the debug level of \fBoidc_child\fR, a helper process used by \fBipa-otpd\fR for OIDC/OAuth2 authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher HTTP debug output is added as well. Specifies the debug level of \fBoidc_child\fR, a helper process used by \fBipa-otpd\fR for OIDC/OAuth2 authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher HTTP debug output is added as well.
.TP .TP
.B passkey_child_debug_level <debuglevel>
Specifies the debug level of \fBpasskey_child\fR, a helper process used by \fBipa-otpd\fR for passkey authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher libfido2 debug output is added as well.
.TP
.B prompt_all <boolean> .B prompt_all <boolean>
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False. Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP .TP


@ -62,6 +62,8 @@ struct otpd_queue_item_passkey {
struct passkey_data *data_in; struct passkey_data *data_in;
struct passkey_data *data_out; struct passkey_data *data_out;
krb5_data state; krb5_data state;
char* ipapasskeyDebugLevelStr;
krb5_boolean ipapasskeyDebugFido2;
}; };
static void free_passkey_data(struct passkey_data *p) static void free_passkey_data(struct passkey_data *p)
@ -124,6 +126,7 @@ static struct otpd_queue_item_passkey *get_otpd_queue_item_passkey(void)
} }
#define PASSKEY_PREFIX "passkey " #define PASSKEY_PREFIX "passkey "
#define ENV_PASSKEY_CHILD_DEBUG_LEVEL "passkey_child_debug_level"
/* Parse the passkey configuration */ /* Parse the passkey configuration */
const char *otpd_parse_passkey(LDAP *ldp, LDAPMessage *entry, const char *otpd_parse_passkey(LDAP *ldp, LDAPMessage *entry,
@ -131,6 +134,9 @@ const char *otpd_parse_passkey(LDAP *ldp, LDAPMessage *entry,
{ {
int i; int i;
char **objectclasses = NULL; char **objectclasses = NULL;
long dbg_lvl = 0;
const char *dbg_env = NULL;
char *endptr = NULL;
if (item->passkey == NULL) { if (item->passkey == NULL) {
otpd_log_req(item->req, otpd_log_req(item->req,
@ -165,6 +171,33 @@ const char *otpd_parse_passkey(LDAP *ldp, LDAPMessage *entry,
entry = ldap_next_entry(ldp, entry); entry = ldap_next_entry(ldp, entry);
}; };
item->passkey->ipapasskeyDebugLevelStr = NULL;
item->passkey->ipapasskeyDebugFido2 = FALSE;
dbg_env = getenv(ENV_PASSKEY_CHILD_DEBUG_LEVEL);
if (dbg_env != NULL && *dbg_env != '\0') {
errno = 0;
dbg_lvl = strtoul(dbg_env, &endptr, 10);
if (errno == 0 && *endptr == '\0') {
if (dbg_lvl < 0) {
dbg_lvl = 0;
} else if (dbg_lvl > 10) {
dbg_lvl = 10;
}
if (asprintf(&item->passkey->ipapasskeyDebugLevelStr, "%ld",
dbg_lvl) != -1) {
if (dbg_lvl > 5) {
item->passkey->ipapasskeyDebugFido2 = TRUE;
}
} else {
otpd_log_req(item->req, "Failed to copy debug level");
}
} else {
otpd_log_req(item->req,
"Cannot parse value [%s] from environment variable [%s]",
dbg_env, ENV_PASSKEY_CHILD_DEBUG_LEVEL);
}
}
return NULL; return NULL;
} }
@ -681,6 +714,13 @@ static int do_passkey_response(struct otpd_queue_item *item)
args[args_idx++] = item->passkey->data_in->data.response.authenticator_data; args[args_idx++] = item->passkey->data_in->data.response.authenticator_data;
args[args_idx++] = "--signature"; args[args_idx++] = "--signature";
args[args_idx++] = item->passkey->data_in->data.response.assertion_signature; args[args_idx++] = item->passkey->data_in->data.response.assertion_signature;
if (item->passkey->ipapasskeyDebugLevelStr != NULL) {
args[args_idx++] = "--debug-level";
args[args_idx++] = item->passkey->ipapasskeyDebugLevelStr;
}
if (item->passkey->ipapasskeyDebugFido2) {
args[args_idx++] = "--debug-libfido2";
}
ret = pipe(pipefd_from_child); ret = pipe(pipefd_from_child);
if (ret == -1) { if (ret == -1) {
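Review bot: In the otpd_parse_passkey hunk (`@ -165,6 +171,33`), `dbg_lvl` is declared `long` but assigned from `strtoul`, so the `dbg_lvl < 0` clamp only takes effect through an implementation-defined unsigned-to-signed conversion of inputs such as `-1`; `dbg_lvl = strtol(dbg_env, &endptr, 10);` makes the sign check meaningful and keeps the `errno`/`endptr` validation as written. Because the clamped value is at most two digits, the `asprintf` call and its "Failed to copy debug level" failure branch could be replaced by formatting into a small fixed buffer held in `struct otpd_queue_item_passkey`, which would also remove the need to free `ipapasskeyDebugLevelStr` when the item is released — that release path is outside the hunk and should be checked either way. The do_passkey_response hunk pushes up to three more entries into `args[]`; its declaration is outside the hunk, so confirm its size accounts for `--debug-level`, its value and `--debug-libfido2`. otpd_parse_passkey's body begins before its hunk, and do_passkey_response's continues beyond it.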