pam: Add support for exposing if the UI supports qrcode rendering

As we know not all the PAM client supports rendering the qrcode properly
so the broker must be aware of this in order to provide the proper user
guidance.

To make this possible, add a further value to the UI layout that exposes
if a client is able to render the qr code or not, and depending on this
the broker can behave.

Since this is a new feature, we don't want to make the old brokers
depending on it, or we'll break their assumptions, so in case a client
doesn't support this feature, we just assume that rendering is supported
as it was before.

authd.proto

@@ -78,6 +78,7 @@ message UILayout {
   // qr code only.
   optional string content = 6;
   optional string code = 7;
+  optional bool renders_qrcode = 8;
 }
 
 message GAMResponse {

examplebroker/broker.go

@@ -221,7 +221,7 @@ func (b *Broker) GetAuthenticationModes(ctx context.Context, sessionID string, s
 		return nil, err
 	}
 
-	//var candidatesAuthenticationModes []map[string]string
+	log.Debugf(ctx, "Supported UI layouts by %s, %#v", sessionID, supportedUILayouts)
 	allModes := getSupportedModes(sessionInfo, supportedUILayouts)
 
 	// If the user needs mfa, we remove the last used mode from the list of available modes.
@@ -271,6 +271,7 @@ func (b *Broker) GetAuthenticationModes(ctx context.Context, sessionID string, s
 			"label": authMode["selection_label"],
 		})
 	}
+	log.Debugf(ctx, "Supported authentication modes for %s: %#v", sessionID, allModes)
 	sessionInfo.allModes = allModes
 
 	if err := b.updateSession(sessionID, sessionInfo); err != nil {
@@ -380,13 +381,19 @@ func getSupportedModes(sessionInfo sessionInfo, supportedUILayouts []map[string]
 
 		case "qrcode":
 			modeName := "qrcodewithtypo"
+			modeSelectionLabel := "Use a QR code"
 			modeLabel := "Enter the following code after flashing the address: "
 			if layout["code"] != "" {
 				modeName = "qrcodeandcodewithtypo"
 				modeLabel = "Scan the qrcode or enter the code in the login page"
 			}
+			if layout["renders_qrcode"] != "true" {
+				modeName = "codewithtypo"
+				modeSelectionLabel = "Use a Login code"
+				modeLabel = "Enter the code in the login page"
+			}
 			allModes[modeName] = map[string]string{
-				"selection_label": "Use a QR code",
+				"selection_label": modeSelectionLabel,
 				"ui": mapToJSON(map[string]string{
 					"type":   "qrcode",
 					"label":  modeLabel,
@@ -489,7 +496,7 @@ func (b *Broker) SelectAuthenticationMode(ctx context.Context, sessionID, authen
 		// send request to sessionInfo.allModes[authenticationModeName]["phone"]
 	case "fidodevice1":
 		// start transaction with fido device
-	case "qrcodeandcodewithtypo":
+	case "qrcodeandcodewithtypo", "codewithtypo":
 		uiLayoutInfo["content"], uiLayoutInfo["code"] = qrcodeData(&sessionInfo)
 	case "qrcodewithtypo":
 		// generate the url and finish the prompt on the fly.
@@ -648,7 +655,7 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI
 			return AuthCancelled, ""
 		}
 
-	case "qrcodewithtypo", "qrcodeandcodewithtypo":
+	case "qrcodewithtypo", "qrcodeandcodewithtypo", "codewithtypo":
 		if authData["wait"] != "true" {
 			return AuthDenied, fmt.Sprintf(`{"message": "%s should have wait set to true"}`, sessionInfo.currentAuthMode)
 		}

internal/services/pam/pam.go

@@ -324,6 +324,15 @@ func uiLayoutToMap(layout *authd.UILayout) (mapLayout map[string]string, err err
 	if c := layout.GetCode(); c != "" {
 		r["code"] = c
 	}
+
+	if layout.GetType() != "qrcode" {
+		return r, nil
+	}
+	if rc := layout.RendersQrcode; rc == nil || *rc {
+		// If the field is not set, we keep retro-compatibility with what we were
+		// dong before of the addition of the field.
+		r["renders_qrcode"] = "true"
+	}
 	return r, nil
 }
 
@@ -337,6 +346,9 @@ func mapToUILayout(layout map[string]string) (r *authd.UILayout) {
 	content := layout["content"]
 	code := layout["code"]
 
+	// We don't return whether the qrcode rendering is enabled back to the
+	// client on purpose, since it's something it mandates.
+
 	return &authd.UILayout{
 		Type:    typ,
 		Label:   &label,

internal/services/pam/pam_test.go

@@ -42,14 +42,17 @@ var (
 	optionalEntries = "optional:entry_type,other_entry_type"
 	optional        = "optional"
 
+	rendersQrCode = true
+
 	requiredEntry = &authd.UILayout{
-		Type:    "required-entry",
-		Label:   &optional,
-		Button:  &optional,
-		Wait:    &optional,
-		Entry:   &requiredEntries,
-		Content: &optional,
-		Code:    &optional,
+		Type:          "required-entry",
+		Label:         &optional,
+		Button:        &optional,
+		Wait:          &optional,
+		Entry:         &requiredEntries,
+		Content:       &optional,
+		Code:          &optional,
+		RendersQrcode: &rendersQrCode,
 	}
 	optionalEntry = &authd.UILayout{
 		Type:  "optional-entry",

pam/integration-tests/gdm_test.go

@@ -32,12 +32,13 @@ const (
 	exampleBrokerName = "ExampleBroker"
 	ignoredBrokerName = "<ignored-broker>"
 
-	passwordAuthID      = "password"
-	newPasswordAuthID   = "mandatoryreset"
-	fido1AuthID         = "fidodevice1"
-	phoneAck1ID         = "phoneack1"
-	qrcodeID            = "qrcodeandcodewithtypo"
-	qrcodeWithoutCodeID = "qrcodewithtypo"
+	passwordAuthID           = "password"
+	newPasswordAuthID        = "mandatoryreset"
+	fido1AuthID              = "fidodevice1"
+	phoneAck1ID              = "phoneack1"
+	qrcodeID                 = "qrcodeandcodewithtypo"
+	qrcodeWithoutCodeID      = "qrcodewithtypo"
+	qrcodeWithoutRenderingID = "codewithtypo"
 )
 
 var testPasswordUILayout = authd.UILayout{
@@ -80,6 +81,16 @@ var testQrcodeUIWithoutCodeLayout = authd.UILayout{
 	Entry:   ptrValue(""),
 }
 
+var testQrcodeUIWithoutRendering = authd.UILayout{
+	Type:    "qrcode",
+	Label:   ptrValue("Enter the code in the login page"),
+	Content: ptrValue("https://ubuntu.com"),
+	Wait:    ptrValue("true"),
+	Button:  ptrValue("Regenerate code"),
+	Code:    ptrValue("1337"),
+	Entry:   ptrValue(""),
+}
+
 var testFidoDeviceUILayout = authd.UILayout{
 	Type:    "form",
 	Label:   ptrValue("Plug your fido device and press with your thumb"),
@@ -429,6 +440,35 @@ func TestGdmModule(t *testing.T) {
 			},
 			wantUILayouts: []*authd.UILayout{&testQrcodeUIWithoutCodeLayout},
 		},
+		"Authenticates user with qrcode without rendering support": {
+			wantAuthModeIDs: []string{qrcodeWithoutRenderingID},
+			supportedLayouts: []*authd.UILayout{
+				pam_test.QrCodeUILayout(pam_test.WithQrCodeRenders(ptrValue(false))),
+			},
+			eventPollResponses: map[gdm.EventType][]*gdm.EventData{
+				gdm.EventType_startAuthentication: {
+					gdm_test.IsAuthenticatedEvent(&authd.IARequest_AuthenticationData_Wait{
+						Wait: "true",
+					}),
+				},
+			},
+			wantUILayouts: []*authd.UILayout{&testQrcodeUIWithoutRendering},
+		},
+		"Authenticates user with qrcode without explicit rendering support": {
+			// This checks that we're backward compatible
+			wantAuthModeIDs: []string{qrcodeID},
+			supportedLayouts: []*authd.UILayout{
+				pam_test.QrCodeUILayout(pam_test.WithQrCodeRenders(nil)),
+			},
+			eventPollResponses: map[gdm.EventType][]*gdm.EventData{
+				gdm.EventType_startAuthentication: {
+					gdm_test.IsAuthenticatedEvent(&authd.IARequest_AuthenticationData_Wait{
+						Wait: "true",
+					}),
+				},
+			},
+			wantUILayouts: []*authd.UILayout{&testQrcodeUILayout},
+		},
 		"Authenticates user after switching to qrcode": {
 			wantAuthModeIDs: []string{passwordAuthID, qrcodeID},
 			supportedLayouts: []*authd.UILayout{

pam/integration-tests/native_test.go

@@ -19,8 +19,9 @@ func TestNativeAuthenticate(t *testing.T) {
 	const socketPathEnv = "AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK"
 
 	tests := map[string]struct {
-		tape         string
-		tapeSettings []tapeSetting
+		tape          string
+		tapeSettings  []tapeSetting
+		tapeVariables map[string]string
 
 		clientOptions      clientOptions
 		currentUserNotRoot bool
@@ -43,43 +44,49 @@ func TestNativeAuthenticate(t *testing.T) {
 		"Authenticate user with qr code": {
 			tape:          "qr_code",
 			tapeSettings:  []tapeSetting{{vhsHeight, 2300}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{PamUser: "user-integration-qr-code"},
 		},
 		"Authenticate user with qr code in a TTY": {
-			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
+			tape:          "qr_code",
+			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty",
 				Term:    "linux",
 			},
 		},
 		"Authenticate user with qr code in a TTY session": {
-			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
+			tape:          "qr_code",
+			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty-session",
 				Term:    "xterm-256color", SessionType: "tty",
 			},
 		},
 		"Authenticate user with qr code in screen": {
-			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3700}},
+			tape:          "qr_code",
+			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-screen",
 				Term:    "screen",
 			},
 		},
 		"Authenticate user with qr code in polkit": {
-			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3500}},
+			tape:          "qr_code",
+			tapeSettings:  []tapeSetting{{vhsHeight, 3500}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "2"},
 			clientOptions: clientOptions{
 				PamUser:        "user-integration-qr-code-polkit",
 				PamServiceName: "polkit-1",
 			},
 		},
 		"Authenticate user with qr code in ssh": {
-			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 3500}},
+			tape:          "qr_code",
+			tapeSettings:  []tapeSetting{{vhsHeight, 3500}},
+			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "2"},
 			clientOptions: clientOptions{
 				PamUser:        "user-integration-pre-check-ssh-service-qr-code",
 				PamServiceName: "sshd",
@@ -218,6 +225,7 @@ func TestNativeAuthenticate(t *testing.T) {
 			td := newTapeData(tc.tape, tc.tapeSettings...)
 			td.Env[socketPathEnv] = socketPath
 			td.Env[pam_test.RunnerEnvSupportsConversation] = "1"
+			td.Variables = tc.tapeVariables
 			td.AddClientOptions(t, tc.clientOptions)
 			td.RunVhs(t, "native", outDir, cliEnv)
 			got := td.ExpectedOutput(t, outDir)