Hello community,

here is the log from the commit of package himmelblau for openSUSE:Factory 
checked in at 2024-12-06 14:25:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/himmelblau (Old)
 and      /work/SRC/openSUSE:Factory/.himmelblau.new.28523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "himmelblau"

Fri Dec  6 14:25:33 2024 rev:21 rq:1228554 version:0.7.9+git.0.93655d2

Changes:
--------
--- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes    2024-12-03 
20:47:05.582749072 +0100
+++ /work/SRC/openSUSE:Factory/.himmelblau.new.28523/himmelblau.changes 
2024-12-06 14:25:45.674918701 +0100
@@ -1,0 +2,10 @@
+Thu Dec 05 14:18:37 UTC 2024 - david.mul...@suse.com
+
+- Update to version 0.7.9+git.0.93655d2:
+  * Version 0.7.9
+  * Update to the latest libhimmelblau
+  * Version 0.7.8
+  * Add a himmelblau.conf man page, and package the man pages
+  * Add DAG flow as a fallback for MFA
+
+-------------------------------------------------------------------

Old:
----
  himmelblau-0.7.7+git.0.b48d0bb.tar.bz2

New:
----
  himmelblau-0.7.9+git.0.93655d2.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ himmelblau.spec ++++++
--- /var/tmp/diff_new_pack.YIPBtK/_old  2024-12-06 14:25:47.422992356 +0100
+++ /var/tmp/diff_new_pack.YIPBtK/_new  2024-12-06 14:25:47.422992356 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           himmelblau
-Version:        0.7.7+git.0.b48d0bb
+Version:        0.7.9+git.0.93655d2
 Release:        0
 Summary:        Interoperability suite for Microsoft Azure Entra Id
 License:        GPL-3.0-or-later
@@ -51,6 +51,7 @@
 Provides:       aad-cli
 Provides:       aad-common
 Suggests:       himmelblau-sso
+Requires:       man
 # This is necessary to prevent users from installing Himmelblau along side
 # Microsoft's Broker, as these will conflict.
 Provides:       microsoft-identity-broker
@@ -164,6 +165,15 @@
 install -D -d -m 0755 %{buildroot}%{_sysconfdir}/firefox/policies
 install -m 0644 
%{_builddir}/%{name}-%{version}/src/sso/src/firefox/policies.json 
%{buildroot}%{_sysconfdir}/firefox/policies/
 
+# Man pages
+install -D -d -m 0755 %{buildroot}%{_mandir}/man1
+install -D -d -m 0755 %{buildroot}%{_mandir}/man5
+install -D -d -m 0755 %{buildroot}%{_mandir}/man8
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man1/aad-tool.1 
%{buildroot}%{_mandir}/man1/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man5/himmelblau.conf.5 
%{buildroot}%{_mandir}/man5/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud.8 
%{buildroot}%{_mandir}/man8/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud_tasks.8 
%{buildroot}%{_mandir}/man8/
+
 %pre
 %service_add_pre himmelblaud.service himmelblaud-tasks.service
 
@@ -189,6 +199,10 @@
 %{_unitdir}/himmelblaud.service
 %{_unitdir}/himmelblaud-tasks.service
 %{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service
+%{_mandir}/man1/aad-tool.1*
+%{_mandir}/man5/himmelblau.conf.5*
+%{_mandir}/man8/himmelblaud.8*
+%{_mandir}/man8/himmelblaud_tasks.8*
 
 %files -n libnss_himmelblau2
 %{_libdir}/libnss_%{name}.so.*

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.YIPBtK/_old  2024-12-06 14:25:47.462994042 +0100
+++ /var/tmp/diff_new_pack.YIPBtK/_new  2024-12-06 14:25:47.466994210 +0100
@@ -3,6 +3,6 @@
                 <param 
name="url">https://github.com/openSUSE/himmelblau.git</param>
               <param 
name="changesrevision">6d2f6450ff3c0c945a884d4b35307e03a035a581</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
-              <param 
name="changesrevision">b48d0bb199b6b05dd545c5c576009ce64f094824</param></service></servicedata>
+              <param 
name="changesrevision">93655d2aa47bf56c532426d8d6e5402ae8ba1b89</param></service></servicedata>
 (No newline at EOF)
 

++++++ himmelblau-0.7.7+git.0.b48d0bb.tar.bz2 -> 
himmelblau-0.7.9+git.0.93655d2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-0.7.7+git.0.b48d0bb/Cargo.toml 
new/himmelblau-0.7.9+git.0.93655d2/Cargo.toml
--- old/himmelblau-0.7.7+git.0.b48d0bb/Cargo.toml       2024-12-02 
16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/Cargo.toml       2024-12-04 
21:30:43.000000000 +0100
@@ -19,7 +19,7 @@
 resolver = "2"
 
 [workspace.package]
-version = "0.7.7"
+version = "0.7.9"
 authors = [
     "David Mulder <dmul...@suse.com>"
 ]
@@ -40,7 +40,7 @@
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.3.9" }
+libhimmelblau = { version = "0.4.2" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/man/man5/himmelblau.conf.5 
new/himmelblau-0.7.9+git.0.93655d2/man/man5/himmelblau.conf.5
--- old/himmelblau-0.7.7+git.0.b48d0bb/man/man5/himmelblau.conf.5       
1970-01-01 01:00:00.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/man/man5/himmelblau.conf.5       
2024-12-04 21:30:43.000000000 +0100
@@ -0,0 +1,360 @@
+.TH HIMMELBLAU.CONF "5" "November 2024" "Himmelblau Configuration" "File 
Formats"
+.SH NAME
+himmelblau.conf \- Configuration file for Himmelblau, enabling Azure Entra ID 
authentication on Linux.
+
+.SH SYNOPSIS
+.B /etc/himmelblau/himmelblau.conf
+
+.SH HOW CONFIGURATION CHANGES ARE APPLIED
+Changes to the configuration file
+.B /etc/himmelblau/himmelblau.conf
+only take effect after restarting the Himmelblau daemons. This includes the
+.B himmelblaud
+daemon, which handles authentication, and the
+.B himmelblaud-tasks
+daemon, which processes related tasks.
+
+.TP
+.B Restarting the Daemons
+To apply changes, restart the Himmelblau services using the following systemd 
commands:
+
+.EXAMPLES
+.RS
+.IP
+sudo systemctl restart himmelblaud
+.IP
+sudo systemctl restart himmelblaud-tasks
+.RE
+
+.SH DESCRIPTION
+The
+.B himmelblau.conf
+file is the primary configuration file for the Himmelblau authentication 
module. It defines global and optional settings required for Azure Entra 
ID-based authentication and device management.
+
+.SH FILE FORMAT
+The file consists of sections headed by a name enclosed in square brackets. 
Each section contains parameters and their values in the format:
+.RS 4
+parameter = value
+.RE
+
+Lines beginning with a '#' are comments and are ignored by the parser.
+
+.SH PARAMETERS
+
+.SS [global]
+This section contains settings that apply globally to all operations of 
Himmelblau.
+
+.TP
+.B domains
+.RE
+A comma-separated list of configured domains. This parameter is
+.B REQUIRED
+for successful authentication. If this option is not specified, no users will 
be permitted to authenticate. The first user to authenticate to each domain 
will become the owner of the device object in the directory.
+
+.EXAMPLES
+domains = example.com,example2.com
+
+.TP
+.B debug
+.RE
+A boolean option that enables debug-level logging. When set to
+.B true,
+debug messages are output to the system journal.
+
+.EXAMPLES
+debug = true
+
+.TP
+.B pam_allow_groups
+.RE
+A comma-separated list of Users and Groups permitted to access the system. 
Groups must be specified using their Object ID (not UPN) due to Azure's 
restrictions on reading group names.
+
+.EXAMPLES
+pam_allow_groups = 
f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12,d98c8e1d-7f8a-4597-babc-9d3b781ef456
+
+.TP
+.B id_attr_map
+.RE
+Specifies whether to map user and group IDs based on the object name or object 
UUID. Mapping by name is recommended for more consistent SSH authentication.
+
+.EXAMPLES
+id_attr_map = <name|uuid>
+
+.TP
+.B odc_provider
+.RE
+Specifies the hostname for sending federationProvider requests.
+
+.EXAMPLES
+odc_provider = odc.officeapps.live.com
+
+.TP
+.B enable_hello
+.RE
+Enables or disables user enrollment in Windows Hello authentication. If 
disabled, users will need to provide MFA for each login.
+
+.EXAMPLES
+enable_hello = false
+
+.TP
+.B hello_pin_min_length
+.RE
+The minimum length of the PIN for Windows Hello authentication. The value must 
be between 6 and 32 characters.
+
+.EXAMPLES
+hello_pin_min_length = 8
+
+.TP
+.B enable_sfa_fallback
+.RE
+Determines whether password-only (single-factor) authentication is permitted 
when MFA is unavailable. Disabled by default.
+
+.EXAMPLES
+enable_sfa_fallback = true
+
+.TP
+.B cn_to_upn_mapping
+.RE
+Allows users to enter the short form of their username (e.g., 'dave') instead 
of the full UPN.
+
+.EXAMPLES
+cn_to_upn_mapping = true
+
+.TP
+.B local_groups
+.RE
+A comma-separated list of local groups that every Entra ID user should be a 
member of. For example, you may wish for all Entra ID users to be a member of 
the sudo group. WARNING: This setting will not REMOVE group member entries when 
groups are removed from this list. You must remove them manually.
+
+.EXAMPLES
+local_groups = sudo,admin
+
+.TP
+.B logon_script
+.RE
+A script that will execute every time a user logs on. Two environment 
variables are set: USERNAME, and ACCESS_TOKEN. The ACCESS_TOKEN environment 
variable is an access token for the MS Graph. The token scope config option 
sets the comma-separated scopes that should be requested for the ACCESS_TOKEN. 
ACCESS_TOKEN will be empty during offline logon. The return code of the script 
determines how authentication proceeds. 0 is success, 1 is a soft failure and 
authentication will proceed, while 2 is a hard failure causing authentication 
to fail.
+
+.EXAMPLES
+logon_script = /etc/himmelblau/logon.sh
+
+.TP
+.B logon_token_scopes
+.RE
+A comma-separated list of the scopes to be requested for the ACCESS_TOKEN 
during logon.
+
+.EXAMPLES
+logon_token_scopes = user.read,mail.read
+
+.TP
+.B enable_experimental_mfa
+.RE
+A boolean option that enables the experimental multi-factor authentication 
(MFA) flow, which permits Hello authentication. This experimental flow may 
encounter failures in certain edge cases. If disabled, the system enforces the 
Device Authorization Grant (DAG) flow for MFA, which is more robust but does 
not support Hello authentication. By default, this option is enabled.
+
+.EXAMPLES
+enable_experimental_mfa = true
+
+.TP
+.B authority_host
+.RE
+Specifies the hostname for Microsoft authentication. The default value is
+.B login.microsoftonline.com.
+
+.EXAMPLES
+authority_host = login.microsoftonline.com
+
+.TP
+.B db_path
+.RE
+The location of the cache database. This file is used to store cached 
authentication data and device state.
+
+.EXAMPLES
+db_path = /var/cache/himmelblau/himmelblau.cache.db
+
+.TP
+.B hsm_pin_path
+.RE
+The location where the HSM (Hardware Security Module) PIN will be stored. This 
PIN is used to protect sensitive cryptographic operations.
+
+.EXAMPLES
+hsm_pin_path = /var/lib/himmelblaud/hsm-pin
+
+.TP
+.B socket_path
+.RE
+The path to the socket file for communication between the pam and nss modules 
and the Himmelblau daemon.
+
+.EXAMPLES
+socket_path = /var/run/himmelblaud/socket
+
+.TP
+.B task_socket_path
+.RE
+The path to the socket file for communication with the task daemon.
+
+.EXAMPLES
+task_socket_path = /var/run/himmelblaud/task_sock
+
+.TP
+.B broker_socket_path
+.RE
+The path to the socket file for communication with the broker DBus service.
+
+.EXAMPLES
+broker_socket_path = /var/run/himmelblaud/broker_sock
+
+.TP
+.B home_prefix
+.RE
+The prefix to use for user home directories.
+
+.EXAMPLES
+home_prefix = /home/
+
+.TP
+.B home_attr
+.RE
+The attribute used to create a home directory for a user. Available options 
include:
+.RS
+.IP
+\- UUID (default)
+.IP
+\- SPN
+.IP
+\- CN
+.RE
+
+.EXAMPLES
+home_attr = UUID
+
+.TP
+.B home_alias
+.RE
+The symlinked alias for the user's home directory. Available options include:
+.RS
+.IP
+\- UUID
+.IP
+\- SPN (default)
+.IP
+\- CN
+.RE
+
+.EXAMPLES
+home_alias = SPN
+
+.TP
+.B shell
+.RE
+The default shell for users. This will be assigned when the user logs in.
+
+.EXAMPLES
+shell = /bin/bash
+
+.TP
+.B idmap_range
+.RE
+Specifies the range of IDs to be used for the user and group mappings.
+
+.EXAMPLES
+idmap_range = 5000000-5999999
+
+.TP
+.B connection_timeout
+.RE
+The timeout for connections to the authentication server. Default is 2 seconds.
+
+.EXAMPLES
+connection_timeout = 5
+
+.TP
+.B cache_timeout
+.RE
+The timeout for caching authentication data. Default is 300 seconds (5 
minutes).
+
+.EXAMPLES
+cache_timeout = 10
+
+.TP
+.B use_etc_skel
+.RE
+If set to
+.B true,
+Himmelblau will use the contents of /etc/skel when creating new user 
directories.
+
+.EXAMPLES
+use_etc_skel = false
+
+.TP
+.B selinux
+.RE
+Whether SELinux security labels should be applied to users' home directories. 
Set to
+.B true
+to enable.
+
+.EXAMPLES
+selinux = true
+
+.SH DOMAIN-SPECIFIC SECTIONS
+Overrides can be defined for individual domains by using a section named after 
the domain in square brackets.
+
+.SS [example.com]
+This section allows customization of specific parameters for the domain
+.B example.com.
+Domain-specific sections override global values for the specified domain.
+
+.TP
+.B odc_provider
+.RE
+Overrides the `odc_provider` value for this domain.
+
+.EXAMPLES
+[example.com]
+odc_provider = custom.odcprovider.example.com
+
+.TP
+.B home_prefix
+.RE
+Overrides the `home_prefix` value for this domain.
+
+.EXAMPLES
+[example.com]
+home_prefix = /home/
+
+.TP
+.B home_attr
+.RE
+Overrides the `home_attr` value for this domain.
+
+.EXAMPLES
+[example.com]
+home_attr = UUID
+
+.TP
+.B home_alias
+.RE
+Overrides the `home_alias` value for this domain.
+
+.EXAMPLES
+[example.com]
+home_alias = SPN
+
+.TP
+.B shell
+.RE
+Overrides the `shell` value for this domain.
+
+.EXAMPLES
+[example.com]
+shell = /bin/bash
+
+.TP
+.B idmap_range
+.RE
+Overrides the `idmap_range` value for this domain.
+
+.EXAMPLES
+[example.com]
+idmap_range = 5000000-5999999
+
+.SH SEE ALSO
+.BR himmelblaud(8),
+.BR himmelblaud-tasks(8)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/man/man8/himmelblaud.8 
new/himmelblau-0.7.9+git.0.93655d2/man/man8/himmelblaud.8
--- old/himmelblau-0.7.7+git.0.b48d0bb/man/man8/himmelblaud.8   2024-12-02 
16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/man/man8/himmelblaud.8   2024-12-04 
21:30:43.000000000 +0100
@@ -48,7 +48,6 @@
 .TP
 .B Enable debug mode:
 # himmelblaud --debug
-.SH "SEE ALSO"
-Documentation for the `himmelblaud` daemon is available in the Texinfo manual. 
Use the following command to access the full manual:
 
-.BR info himmelblaud
+.SH SEE ALSO
+.BR himmelblaud-tasks(8)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/man/man8/himmelblaud_tasks.8 
new/himmelblau-0.7.9+git.0.93655d2/man/man8/himmelblaud_tasks.8
--- old/himmelblau-0.7.7+git.0.b48d0bb/man/man8/himmelblaud_tasks.8     
2024-12-02 16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/man/man8/himmelblaud_tasks.8     
2024-12-04 21:30:43.000000000 +0100
@@ -4,26 +4,24 @@
 .SH SYNOPSIS
 .B himmelblaud_tasks
 .SH DESCRIPTION
-The `himmelblaud_tasks` daemon is responsible for automatically creating home 
directories for users upon successful authentication via Azure Entra ID. This 
service is required to run as the root user, as it needs elevated permissions 
to create directories in system locations.
+The `himmelblaud-tasks` daemon is responsible for managing user accounts and 
authentication tasks in a Linux environment. Upon successful authentication via 
Azure Entra ID, it automatically creates home directories for users, adds them 
to configured local groups, and executes the configured logon script. This 
service requires root privileges to perform actions such as creating 
directories in system locations and managing group memberships.
 
 The daemon operates as a background service and does not accept any 
command-line arguments. It is automatically invoked by the system when required.
 
 .SH USAGE
-The `himmelblaud_tasks` daemon must be run as the root user. If the daemon is 
started without root privileges, it will fail with an error. No user 
interaction is needed beyond ensuring the daemon is active and running 
correctly.
+The `himmelblaud-tasks` daemon must be run as the root user. If the daemon is 
started without root privileges, it will fail with an error. No user 
interaction is needed beyond ensuring the daemon is active and running 
correctly.
 
 .SH EXAMPLES
 .TP
 .B Start the daemon:
-# systemctl start himmelblaud_tasks
+# systemctl start himmelblaud-tasks
 
 .TP
 .B Verify the status of the daemon:
-# systemctl status himmelblaud_tasks
+# systemctl status himmelblaud-tasks
 
 .SH NOTES
-This daemon is integral to Himmelblau for handling user home directory 
creation. It ensures that users can properly log in with a valid directory 
structure in place after authentication.
+This daemon is a key component of Himmelblau, handling several critical tasks 
for user authentication. In addition to creating user home directories, it adds 
users to the configured local groups, and executes the configured logon script. 
These functions ensure that users have the necessary environment and access 
rights in place for a seamless login experience after authentication.
 
-.SH "SEE ALSO"
-Further documentation for `himmelblaud_tasks` is available in the Texinfo 
manual. Use the following command to access the complete manual:
-
-.BR info himmelblaud_tasks
+.SH SEE ALSO
+.BR himmelblaud(8),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/platform/debian/himmelblau.conf.example 
new/himmelblau-0.7.9+git.0.93655d2/platform/debian/himmelblau.conf.example
--- old/himmelblau-0.7.7+git.0.b48d0bb/platform/debian/himmelblau.conf.example  
2024-12-02 16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/platform/debian/himmelblau.conf.example  
2024-12-04 21:30:43.000000000 +0100
@@ -69,6 +69,12 @@
 # logon_script =
 # logon_token_scopes =
 #
+# This option enables the experimental MFA (multi-factor authentication) flow,
+# which permits Hello authentication. Note that this flow may fail in certain
+# edge cases. When disabled, the system will enforce the DAG (Device 
Authorization
+# Grant) flow for MFA, and Hello authentication will be disabled.
+# enable_experimental_mfa = true
+#
 # authority_host = login.microsoftonline.com
 #
 # The location of the cache database
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/src/common/src/config.rs 
new/himmelblau-0.7.9+git.0.93655d2/src/common/src/config.rs
--- old/himmelblau-0.7.7+git.0.b48d0bb/src/common/src/config.rs 2024-12-02 
16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/src/common/src/config.rs 2024-12-04 
21:30:43.000000000 +0100
@@ -476,6 +476,10 @@
             None => vec![],
         }
     }
+
+    pub fn get_enable_experimental_mfa(&self) -> bool {
+        match_bool(self.config.get("global", "enable_experimental_mfa"), true)
+    }
 }
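Review bot: The new getter `get_enable_experimental_mfa` carries no doc comment, and its `true` default is the only place that records which MFA flow a host runs when the key is absent, which is a security-relevant choice. Add above it `/// Whether the experimental MFA flow (the one that permits Hello enrollment) is used. Defaults to true, matching himmelblau.conf.example; when false the Device Authorization Grant flow is enforced and Hello is unavailable.` Note that it reads only the `[global]` section, so a per-domain override is not honoured here; that is consistent with the new man page, which does not list the key among the domain-specific overrides.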
 
 impl fmt::Debug for HimmelblauConfig {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/src/common/src/idprovider/himmelblau.rs 
new/himmelblau-0.7.9+git.0.93655d2/src/common/src/idprovider/himmelblau.rs
--- old/himmelblau-0.7.7+git.0.b48d0bb/src/common/src/idprovider/himmelblau.rs  
2024-12-02 16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/src/common/src/idprovider/himmelblau.rs  
2024-12-04 21:30:43.000000000 +0100
@@ -31,6 +31,7 @@
 use himmelblau::discovery::EnrollAttrs;
 use himmelblau::error::{MsalError, DEVICE_AUTH_FAIL};
 use himmelblau::graph::{DirectoryObject, Graph};
+use himmelblau::MFAAuthContinue;
 use idmap::Idmap;
 use kanidm_hsm_crypto::{LoadableIdentityKey, LoadableMsOapxbcRsaKey, PinValue, 
SealedData, Tpm};
 use reqwest;
@@ -654,7 +655,38 @@
         // Skip Hello authentication if it is disabled by config
         let hello_enabled = self.config.read().await.get_enable_hello();
         if !self.is_domain_joined(keystore).await || hello_key.is_none() || 
!hello_enabled {
-            Ok((AuthRequest::Password, AuthCredHandler::None))
+            if self.config.read().await.get_enable_experimental_mfa() {
+                Ok((AuthRequest::Password, AuthCredHandler::None))
+            } else {
+                let resp = self
+                    .client
+                    .write()
+                    .await
+                    .initiate_device_flow_for_device_enrollment()
+                    .await
+                    .map_err(|e| {
+                        error!("{:?}", e);
+                        IdpError::BadRequest
+                    })?;
+                let mut flow: MFAAuthContinue = resp.into();
+                if !self.is_domain_joined(keystore).await {
+                    flow.resource = 
Some("https://enrollment.manage.microsoft.com".to_string());
+                }
+                let msg = flow.msg.clone();
+                let polling_interval = flow.polling_interval.ok_or_else(|| {
+                    error!("Invalid response from the server");
+                    IdpError::BadRequest
+                })?;
+                Ok((
+                    AuthRequest::MFAPoll {
+                        msg,
+                        // Kanidm pam expects a polling_interval in
+                        // seconds, not milliseconds.
+                        polling_interval: polling_interval / 1000,
+                    },
+                    AuthCredHandler::MFA { flow },
+                ))
+            }
         } else {
             Ok((AuthRequest::Pin, AuthCredHandler::None))
         }
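Review bot: The DAG branch added here hands PAM a device code instead of a password prompt, so whichever Entra account completes the browser step must be tied back to `account_id` before login succeeds; that comparison is not visible in this hunk (the `AuthCredHandler::MFA` continuation is handled elsewhere), so confirm the resulting token's UPN/OID is checked against the requested user before `AuthResult::Success`, otherwise someone could complete the device code as one account and be logged in as another local identity. Separately, `polling_interval / 1000` truncates towards zero, so a sub-second interval (should libhimmelblau ever report one) would make PAM poll the token endpoint in a tight loop; `polling_interval: (polling_interval / 1000).max(1),` keeps it bounded. `self.is_domain_joined(keystore).await` is also evaluated twice (once in the enclosing `if`, once inside the new branch); binding it once avoids the second keystore read. The enclosing function begins before this hunk.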
@@ -832,7 +864,11 @@
                     .client
                     .write()
                     .await
-                    
.initiate_acquire_token_by_mfa_flow_for_device_enrollment(account_id, &cred)
+                    .initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                        account_id,
+                        &cred,
+                        vec![],
+                    )
                     .await;
                 // We need to wait to handle the response until after we've 
released
                 // the write lock on the client, otherwise we will deadlock.
@@ -939,7 +975,12 @@
                     Ok(AuthResult::Success { token: token3 }) => {
                         // Skip Hello enrollment if it is disabled by config
                         let hello_enabled = 
self.config.read().await.get_enable_hello();
-                        if !hello_enabled {
+                        // Skip Hello enrollment if the token doesn't have the 
ngcmfa amr
+                        let amr_ngcmfa = token2.amr_ngcmfa().map_err(|e| {
+                            error!("{:?}", e);
+                            IdpError::NotFound
+                        })?;
+                        if !hello_enabled || !amr_ngcmfa {
                             info!("Skipping Hello enrollment because it is 
disabled");
                             return Ok((
                                 AuthResult::Success { token: token3 },
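Review bot: The existing log line `info!("Skipping Hello enrollment because it is disabled");` now also fires when enrollment is skipped because the token lacks the `ngcmfa` amr, which hides the security-relevant reason from the journal; log both inputs, e.g. `info!("Skipping Hello enrollment: hello_enabled={}, amr_ngcmfa={}", hello_enabled, amr_ngcmfa);`. Also, a failure of `token2.amr_ngcmfa()` is mapped to `IdpError::NotFound` and, via `?`, aborts an authentication that has already produced `token3`; failing closed here is defensible, but `NotFound` misdescribes a claim-parsing problem, so a variant such as `IdpError::BadRequest` (used for similar parse failures earlier in this file) would be less misleading to callers. The enclosing match arm continues outside the hunk.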
@@ -999,7 +1040,12 @@
                     Ok(AuthResult::Success { token: token3 }) => {
                         // Skip Hello enrollment if it is disabled by config
                         let hello_enabled = 
self.config.read().await.get_enable_hello();
-                        if !hello_enabled {
+                        // Skip Hello enrollment if the token doesn't have the 
ngcmfa amr
+                        let amr_ngcmfa = token2.amr_ngcmfa().map_err(|e| {
+                            error!("{:?}", e);
+                            IdpError::NotFound
+                        })?;
+                        if !hello_enabled || !amr_ngcmfa {
                             info!("Skipping Hello enrollment because it is 
disabled");
                             return Ok((
                                 AuthResult::Success { token: token3 },
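Review bot: This hunk duplicates the `amr_ngcmfa` check and error mapping from the previous hunk verbatim, so the two copies are bound to drift (for example if the error variant or log text is corrected in one place only). Extract a small helper that takes the token, returns `Result<bool, IdpError>` for "Hello enrollment permitted", and encapsulates the `hello_enabled` read and the `amr_ngcmfa()` mapping, then call it from both arms. The enclosing match arm continues outside the hunk.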
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-0.7.7+git.0.b48d0bb/src/config/himmelblau.conf.example 
new/himmelblau-0.7.9+git.0.93655d2/src/config/himmelblau.conf.example
--- old/himmelblau-0.7.7+git.0.b48d0bb/src/config/himmelblau.conf.example       
2024-12-02 16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/src/config/himmelblau.conf.example       
2024-12-04 21:30:43.000000000 +0100
@@ -69,6 +69,12 @@
 # logon_script =
 # logon_token_scopes =
 #
+# This option enables the experimental MFA (multi-factor authentication) flow,
+# which permits Hello authentication. Note that this flow may fail in certain
+# edge cases. When disabled, the system will enforce the DAG (Device 
Authorization
+# Grant) flow for MFA, and Hello authentication will be disabled.
+# enable_experimental_mfa = true
+#
 # authority_host = login.microsoftonline.com
 #
 # The location of the cache database
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-0.7.7+git.0.b48d0bb/src/daemon/Cargo.toml 
new/himmelblau-0.7.9+git.0.93655d2/src/daemon/Cargo.toml
--- old/himmelblau-0.7.7+git.0.b48d0bb/src/daemon/Cargo.toml    2024-12-02 
16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/src/daemon/Cargo.toml    2024-12-04 
21:30:43.000000000 +0100
@@ -58,6 +58,10 @@
   ["target/release/himmelblaud_tasks", "usr/sbin/", "755"],
   ["target/release/broker", "usr/sbin/", "755"],
   ["../../README.md", "usr/share/doc/himmelblau/README", "644"],
+  ["../../man/man1/aad-tool.1", "usr/share/man/man1/", "644"],
+  ["../../man/man5/himmelblau.conf.5", "usr/share/man/man5/", "644"],
+  ["../../man/man8/himmelblaud.8", "usr/share/man/man8/", "644"],
+  ["../../man/man8/himmelblaud_tasks.8", "usr/share/man/man8/", "644"],
 ]
 
 [package.metadata.generate-rpm]
@@ -73,6 +77,10 @@
   { source = "target/release/himmelblaud_tasks", dest = "/usr/sbin/", mode = 
"755" },
   { source = "target/release/broker", dest = "/usr/sbin/", mode = "755" },
   { source = "../../README.md", dest = "/usr/share/doc/himmelblau/README", 
mode = "644" },
+  { source = "../../man/man1/aad-tool.1", dest = "/usr/share/man/man1/", mode 
= "644" },
+  { source = "../../man/man5/himmelblau.conf.5", dest = 
"/usr/share/man/man5/", mode = "644" },
+  { source = "../../man/man8/himmelblaud.8", dest = "/usr/share/man/man8/", 
mode = "644" },
+  { source = "../../man/man8/himmelblaud_tasks.8", dest = 
"/usr/share/man/man8/", mode = "644" },
 ]
 
 [package.metadata.generate-rpm.recommends]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-0.7.7+git.0.b48d0bb/src/sso/src/lib.rs 
new/himmelblau-0.7.9+git.0.93655d2/src/sso/src/lib.rs
--- old/himmelblau-0.7.7+git.0.b48d0bb/src/sso/src/lib.rs       2024-12-02 
16:55:02.000000000 +0100
+++ new/himmelblau-0.7.9+git.0.93655d2/src/sso/src/lib.rs       2024-12-04 
21:30:43.000000000 +0100
@@ -0,0 +1 @@
+

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.himmelblau.new.28523/vendor.tar.zst differ: char 7, 
line 1
