pam/gdm: Show a sanitized challenge value when printing auth data in …

…debug mode Instead of hiding the content authentication data completely, show the whole challenge when `pam_gdm_debug` build tag is used, or when in testing mode. Otherwise, just show a sanitized challenge so that we don't miss the fact that the event has happened Fixes: ca47562
ubuntu · Oct 3, 2024 · 3480bf0 · 3480bf0
1 parent cbaf0d4
commit 3480bf0
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 7 deletions.
diff --git a/pam/internal/adapter/gdmmodel.go b/pam/internal/adapter/gdmmodel.go
@@ -98,13 +98,7 @@ func (m *gdmModel) pollGdm() tea.Cmd {
 
 	if log.IsLevelEnabled(log.DebugLevel) {
 		for _, result := range gdmPollResults {
-			// Don't log EventData_IsAuthenticatedRequested because it contains
-			// the user password
-			if result.GetIsAuthenticatedRequested() != nil {
-				log.Debugf(context.TODO(), "GDM poll returned: IsAuthenticatedRequested")
-			} else {
-				log.Debugf(context.TODO(), "GDM poll returned: %s", result.Data)
-			}
+			log.Debugf(context.TODO(), "GDM poll response: %v", result.SafeString())
 		}
 	}
 

diff --git a/pam/internal/gdm/debug.go b/pam/internal/gdm/debug.go
@@ -5,4 +5,5 @@ package gdm
 func init() {
 	checkMembersFunc = checkMembersDebug
 	validateJSONFunc = validateJSONDebug
+	stringifyEventDataFunc = stringifyEventDataDebug
 }
diff --git a/pam/internal/gdm/export_test.go b/pam/internal/gdm/export_test.go
@@ -3,4 +3,5 @@ package gdm
 func init() {
 	checkMembersFunc = checkMembersDebug
 	validateJSONFunc = validateJSONDebug
+	stringifyEventDataFunc = stringifyEventDataDebug
 }
diff --git a/pam/internal/gdm/protocol.go b/pam/internal/gdm/protocol.go
@@ -9,6 +9,7 @@ import (
 	"reflect"
 	"slices"
 
+	"github.com/ubuntu/authd"
 	"google.golang.org/protobuf/encoding/protojson"
 )
 
@@ -167,3 +168,40 @@ func (d *Data) JSON() ([]byte, error) {
 
 	return bytes, err
 }
+
+var stringifyEventDataFunc = stringifyEventDataFiltered
+
+func stringifyEventDataDebug(ed *EventData) string {
+	return ed.String()
+}
+
+func stringifyEventDataFiltered(ed *EventData) string {
+	authReq, ok := ed.GetData().(*EventData_IsAuthenticatedRequested)
+	if !ok {
+		return ed.String()
+	}
+
+	item := authReq.IsAuthenticatedRequested.GetAuthenticationData().Item
+	_, ok = item.(*authd.IARequest_AuthenticationData_Challenge)
+	if !ok {
+		return ed.String()
+	}
+
+	return (&EventData{
+		Type: ed.Type,
+		Data: &EventData_IsAuthenticatedRequested{
+			IsAuthenticatedRequested: &Events_IsAuthenticatedRequested{
+				AuthenticationData: &authd.IARequest_AuthenticationData{
+					Item: &authd.IARequest_AuthenticationData_Challenge{
+						Challenge: "**************",
+					},
+				},
+			},
+		},
+	}).String()
+}
+
+// SafeString creates a string of EventData with confidential content removed.
+func (ed *EventData) SafeString() string {
+	return stringifyEventDataFunc(ed)
+}