Merge pull request #414 from himmelblau-idm/stable-0.9.x_backports2

Add a QR code to the greeter, remove python deps, and fix tasks startup
himmelblau-idm · Mar 5, 2025 · 28ac082 · 28ac082
2 parents 8c48655 + 2883413
commit 28ac082
Show file tree

Hide file tree

Showing 20 changed files with 190 additions and 16 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,11 +14,12 @@ members = [
 	"src/broker",
 	"src/sshd-config",
 	"src/sso",
+	"src/qr-greeter",
 ]
 resolver = "2"
 
 [workspace.package]
-version = "0.9.1"
+version = "0.9.2"
 authors = [
     "David Mulder <[email protected]>"
 ]

diff --git a/images/deb/Dockerfile.debian12 b/images/deb/Dockerfile.debian12
@@ -55,4 +55,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-deb
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo deb --deb-revision=debian12 -p himmelblaud && cargo deb --deb-revision=debian12 -p nss_himmelblau && cargo deb --deb-revision=debian12 -p pam_himmelblau && cargo deb --deb-revision=debian12 -p sshd-config && cargo deb --deb-revision=debian12 -p sso
+CMD cargo clean && cargo deb --deb-revision=debian12 -p himmelblaud && cargo deb --deb-revision=debian12 -p nss_himmelblau && cargo deb --deb-revision=debian12 -p pam_himmelblau && cargo deb --deb-revision=debian12 -p sshd-config && cargo deb --deb-revision=debian12 -p sso && cargo deb --deb-revision=debian12 -p qr-greeter
diff --git a/images/deb/Dockerfile.ubuntu22.04 b/images/deb/Dockerfile.ubuntu22.04
@@ -57,4 +57,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-deb
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo deb --deb-revision=ubuntu22.04 -p himmelblaud && cargo deb --deb-revision=ubuntu22.04 -p nss_himmelblau && cargo deb --deb-revision=ubuntu22.04 -p pam_himmelblau && cargo deb --deb-revision=ubuntu22.04 -p sshd-config && cargo deb --deb-revision=ubuntu22.04 -p sso
+CMD cargo clean && cargo deb --deb-revision=ubuntu22.04 -p himmelblaud && cargo deb --deb-revision=ubuntu22.04 -p nss_himmelblau && cargo deb --deb-revision=ubuntu22.04 -p pam_himmelblau && cargo deb --deb-revision=ubuntu22.04 -p sshd-config && cargo deb --deb-revision=ubuntu22.04 -p sso && cargo deb --deb-revision=ubuntu22.04 -p qr-greeter
diff --git a/images/deb/Dockerfile.ubuntu24.04 b/images/deb/Dockerfile.ubuntu24.04
@@ -56,4 +56,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-deb
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo deb --deb-revision=ubuntu24.04 -p himmelblaud && cargo deb --deb-revision=ubuntu24.04 -p nss_himmelblau && cargo deb --deb-revision=ubuntu24.04 -p pam_himmelblau && cargo deb --deb-revision=ubuntu24.04 -p sshd-config && cargo deb --deb-revision=ubuntu24.04 -p sso
+CMD cargo clean && cargo deb --deb-revision=ubuntu24.04 -p himmelblaud && cargo deb --deb-revision=ubuntu24.04 -p nss_himmelblau && cargo deb --deb-revision=ubuntu24.04 -p pam_himmelblau && cargo deb --deb-revision=ubuntu24.04 -p sshd-config && cargo deb --deb-revision=ubuntu24.04 -p sso && cargo deb --deb-revision=ubuntu24.04 -p qr-greeter
diff --git a/images/rpm/Dockerfile.fedora41 b/images/rpm/Dockerfile.fedora41
@@ -46,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/images/rpm/Dockerfile.rawhide b/images/rpm/Dockerfile.rawhide
@@ -46,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/images/rpm/Dockerfile.rocky8 b/images/rpm/Dockerfile.rocky8
@@ -46,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/images/rpm/Dockerfile.rocky9 b/images/rpm/Dockerfile.rocky9
@@ -53,4 +53,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/images/rpm/Dockerfile.sle15sp6 b/images/rpm/Dockerfile.sle15sp6
@@ -38,4 +38,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/images/rpm/Dockerfile.tumbleweed b/images/rpm/Dockerfile.tumbleweed
@@ -46,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso && cargo generate-rpm -p src/qr-greeter
diff --git a/platform/debian/himmelblaud-tasks.service b/platform/debian/himmelblaud-tasks.service
@@ -13,7 +13,7 @@ ExecStart=/usr/sbin/himmelblaud_tasks
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
 # SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
 ProtectSystem=strict
-ReadWritePaths=/home /var/run/himmelblaud /tmp /etc/krb5.conf.d /etc /var/lib/AccountsService/icons
+ReadWritePaths=/home /var/run/himmelblaud /tmp /etc/krb5.conf.d /etc /var/lib
 RestrictAddressFamilies=AF_UNIX
 NoNewPrivileges=true
 PrivateDevices=true

diff --git a/platform/opensuse/himmelblaud-tasks.service b/platform/opensuse/himmelblaud-tasks.service
@@ -13,7 +13,7 @@ ExecStart=/usr/sbin/himmelblaud_tasks
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
 # SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
 ProtectSystem=strict
-ReadWritePaths=/home /var/run/himmelblaud /tmp /etc/krb5.conf.d /etc /var/lib/AccountsService/icons
+ReadWritePaths=/home /var/run/himmelblaud /tmp /etc/krb5.conf.d /etc /var/lib
 RestrictAddressFamilies=AF_UNIX
 NoNewPrivileges=true
 PrivateDevices=true

diff --git a/src/qr-greeter/Cargo.toml b/src/qr-greeter/Cargo.toml
@@ -0,0 +1,35 @@
+[package]
+name = "qr-greeter"
+version.workspace = true
+authors.workspace = true
+description = "GNOME Shell extension that adds a QR code to authentication prompts when a MS DAG URL is detected."
+rust-version.workspace = true
+edition.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[lib]
+path = "src/lib.rs"
+
+[package.metadata.deb]
+name = "himmelblau-qr-greeter"
+depends = ["gnome-shell"]
+assets = [
+  ["src/[email protected]/extension.js", "usr/share/gnome-shell/extensions/[email protected]/extension.js", "644"],
+  ["src/[email protected]/metadata.json", "usr/share/gnome-shell/extensions/[email protected]/metadata.json", "644"],
+  ["src/[email protected]/stylesheet.css", "usr/share/gnome-shell/extensions/[email protected]/stylesheet.css", "644"],
+  ["src/msdag.png", "usr/share/gnome-shell/extensions/[email protected]/msdag.png", "644"],
+]
+
+[package.metadata.generate-rpm]
+name = "himmelblau-qr-greeter"
+assets = [
+  { source = "src/[email protected]/extension.js", dest = "/usr/share/gnome-shell/extensions/[email protected]/extension.js", mode = "644" },
+  { source = "src/[email protected]/metadata.json", dest = "/usr/share/gnome-shell/extensions/[email protected]/metadata.json", mode = "644" },
+  { source = "src/[email protected]/stylesheet.css", dest = "/usr/share/gnome-shell/extensions/[email protected]/stylesheet.css", mode = "644" },
+  { source = "src/msdag.png", dest = "/usr/share/gnome-shell/extensions/[email protected]/msdag.png", mode = "644" },
+]
+
+[package.metadata.generate-rpm.requires]
+gnome-shell = "*"
diff --git a/src/qr-greeter/src/lib.rs b/src/qr-greeter/src/lib.rs
@@ -0,0 +1,17 @@
+/*
+   Unix Azure Entra ID implementation
+   Copyright (C) David Mulder <[email protected]> 2024
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
diff --git a/src/qr-greeter/src/msdag.png b/src/qr-greeter/src/msdag.png
diff --git a/src/qr-greeter/src/[email protected]/extension.js b/src/qr-greeter/src/[email protected]/extension.js
@@ -0,0 +1,85 @@
+import St from 'gi://St';
+import Clutter from 'gi://Clutter';
+import { Extension } from 'resource:///org/gnome/shell/extensions/extension.js';
+import * as AuthPromptModule from 'resource:///org/gnome/shell/gdm/authPrompt.js';
+
+const GdmAuthPrompt = AuthPromptModule.AuthPrompt;
+
+export default class QrGreeterExtension extends Extension {
+    enable() {
+        console.log("Himmelblau QR Greeter: enabled...");
+
+        if (!GdmAuthPrompt) {
+            console.error("Himmelblau QR Greeter: GdmAuthPrompt is unavailable.");
+            return;
+        }
+
+        this._originalSetMessage = GdmAuthPrompt.prototype.setMessage;
+        const origSetMessage = this._originalSetMessage;
+
+        GdmAuthPrompt.prototype.setMessage = function(message, styleClass) {
+            origSetMessage.call(this, message, styleClass);
+
+            if (this._message) {
+                this._message.clutter_text.line_wrap = true;
+                this._message.set_width(350);
+                this._message.set_x_expand(false);
+                this._message.set_x_align(Clutter.ActorAlign.CENTER);
+            }
+
+            if (!this._qrVBox) {
+                const parent = this._message.get_parent();
+                parent.remove_child(this._message);
+
+                const vbox = new St.BoxLayout({
+                    vertical: true,
+                    x_expand: false,
+                    y_expand: false,
+                    x_align: Clutter.ActorAlign.CENTER,
+                    style_class: 'qr-vbox'
+                });
+                this._qrVBox = vbox;
+
+                vbox.add_child(this._message);
+
+                const qrContainer = new St.Widget({
+                    style_class: 'qr-code-container',
+                    x_expand: false,
+                    y_expand: false,
+                    x_align: Clutter.ActorAlign.CENTER
+                });
+                this._qrContainer = qrContainer;
+                vbox.add_child(qrContainer);
+
+                const qrLabel = new St.Label({
+                    text: "Scan with your phone",
+                    style_class: 'qr-instruction-label'
+                });
+                this._qrLabel = qrLabel;
+                vbox.add_child(qrLabel);
+
+                parent.add_child(vbox);
+            }
+
+            const targetUrl = "https://microsoft.com/devicelogin";
+            if (message && message.includes(targetUrl)) {
+                const fileUri = "file:///usr/share/gnome-shell/extensions/[email protected]/msdag.png";
+                this._qrContainer.set_style(`background-image: url('${fileUri}');`);
+                this._qrContainer.show();
+                this._qrLabel.show();
+            } else {
+                if (this._qrContainer) this._qrContainer.hide();
+                if (this._qrLabel) this._qrLabel.hide();
+            }
+        };
+
+        console.log("Himmelblau QR Greeter: GdmAuthPrompt.setMessage patched.");
+    }
+
+    disable() {
+        console.log("Himmelblau QR Greeter: disabled...");
+        if (GdmAuthPrompt && this._originalSetMessage) {
+            GdmAuthPrompt.prototype.setMessage = this._originalSetMessage;
+        }
+    }
+}
diff --git a/src/qr-greeter/src/[email protected]/metadata.json b/src/qr-greeter/src/[email protected]/metadata.json
@@ -0,0 +1,9 @@
+{
+  "uuid": "[email protected]",
+  "name": "Himmelblau QR Greeter",
+  "description": "Adds a QR code to authentication prompts when a URL is detected.",
+  "version": 1,
+  "shell-version": ["45", "46"],
+  "session-modes": ["gdm"],
+  "donations": { "opencollective" : "himmelblau" }
+}
diff --git a/src/qr-greeter/src/[email protected]/stylesheet.css b/src/qr-greeter/src/[email protected]/stylesheet.css
@@ -0,0 +1,27 @@
+.qr-vbox {
+    spacing: 10px;
+}
+
+.qr-code-container {
+    width: 128px;
+    height: 128px;
+    max-width: 128px;
+    max-height: 128px;
+    margin-left: auto;
+    margin-right: auto;
+
+    background-color: #ffffff;
+    background-repeat: no-repeat;
+    background-size: contain;
+    background-position: center;
+
+    border-radius: 6px;
+    box-shadow: 0 0 8px rgba(0,0,0,0.3);
+    overflow: hidden;
+}
+
+.qr-instruction-label {
+    color: #bbb;
+    font-size: 10pt;
+    text-align: center;
+}
diff --git a/src/sso/Cargo.toml b/src/sso/Cargo.toml
@@ -23,7 +23,6 @@ zbus = "5.2.0"
 
 [package.metadata.deb]
 name = "himmelblau-sso"
-depends = ["python3-pydbus"]
 assets = [
   ["target/release/linux-entra-sso", "usr/bin/linux-entra-sso", "755"],
   ["src/firefox/linux_entra_sso.json", "usr/lib/mozilla/native-messaging-hosts/", "644"],
@@ -51,6 +50,3 @@ assets = [
   { source = "../../platform/opensuse/com.microsoft.identity.broker1.service", dest = "/usr/share/dbus-1/services/", mode = "644" },
   { source = "target/release/broker", dest = "/usr/sbin/", mode = "755" },
 ]
-
-[package.metadata.generate-rpm.requires]
-python3-pydbus = "*"