Hello community,

here is the log from the commit of package himmelblau for openSUSE:Factory 
checked in at 2026-06-11 17:27:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/himmelblau (Old)
 and      /work/SRC/openSUSE:Factory/.himmelblau.new.1981 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "himmelblau"

Thu Jun 11 17:27:30 2026 rev:49 rq:1358616 version:3.1.6+git0.102ee045

Changes:
--------
--- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes    2026-05-13 
17:21:56.817782363 +0200
+++ /work/SRC/openSUSE:Factory/.himmelblau.new.1981/himmelblau.changes  
2026-06-11 17:29:15.567106808 +0200
@@ -1,0 +2,20 @@
+Wed Jun 10 20:29:37 UTC 2026 - David Mulder <[email protected]>
+
+- Update to version 3.1.6+git0.102ee045:
+  * Fix cargo-fuzz install in fuzz CI
+  * cargo vet
+  * Update ldap3_proto to 0.6.2
+  * Update `openssl` from 0.10.79 to 0.10.80
+  * Version 3.1.6
+  * Update cargo vet audits for backport
+  * Work around resume lockout on network down
+  * Reset Hello TOTP when passwd changes Hello key
+  * Clear Hello TOTP keys during full cache clear
+  * Add automatic fallback when requested MFA method is unavailable
+  * Fix SSHd configuration load order on Fedora/RHEL systems
+  * himmelblau-init-hsm-pin: don't bind the hsm-pin to PCR7
+  * qr-greeter: support GNOME Shell 50
+  * Update libhimmelblau to latest version
+  * deps(rust): bump the all-cargo-updates group across 1 directory with 2 
updates
+
+-------------------------------------------------------------------

Old:
----
  himmelblau-3.1.5+git0.445569d9.tar.bz2

New:
----
  himmelblau-3.1.6+git0.102ee045.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ himmelblau.spec ++++++
--- /var/tmp/diff_new_pack.cKbjb8/_old  2026-06-11 17:29:19.343265161 +0200
+++ /var/tmp/diff_new_pack.cKbjb8/_new  2026-06-11 17:29:19.343265161 +0200
@@ -30,7 +30,7 @@
 %endif
 
 Name:           himmelblau
-Version:        3.1.5+git0.445569d9
+Version:        3.1.6+git0.102ee045
 Release:        0
 Summary:        Interoperability suite for Microsoft Azure Entra Id
 License:        GPL-3.0-or-later

++++++ _service ++++++
--- /var/tmp/diff_new_pack.cKbjb8/_old  2026-06-11 17:29:19.395267341 +0200
+++ /var/tmp/diff_new_pack.cKbjb8/_new  2026-06-11 17:29:19.399267509 +0200
@@ -2,7 +2,7 @@
        <service name="tar_scm" mode="manual">
                <param 
name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
                <param name="scm">git</param>
-               <param name="revision">3.1.5</param>
+               <param name="revision">stable-3.x</param>
                <param 
name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
                <param name="versionrewrite-pattern">himmelblau-(.*)</param>
                <param name="versionrewrite-replacement">\1</param>
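Review bot: The `revision` parameter on the added line names the branch `stable-3.x` instead of the `3.1.5` tag, so this file alone no longer pins the source to an immutable ref; the exact commit survives only as `changesrevision` in `_servicedata`. With `mode="manual"` the service runs only when a packager triggers it, which bounds the exposure, but anyone regenerating the tarball will fetch whatever the branch head is at that moment rather than the audited revision. Either keep the per-release tag here and bump it with each update, or record in the `.changes` entry that reproduction now requires the `_servicedata` hash.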

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.cKbjb8/_old  2026-06-11 17:29:19.423268515 +0200
+++ /var/tmp/diff_new_pack.cKbjb8/_new  2026-06-11 17:29:19.427268683 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
-              <param 
name="changesrevision">445569d9eae49a6b573365d2740233937d269e39</param></service></servicedata>
+              <param 
name="changesrevision">102ee045d192c2317af90461ea76f188e3728f0a</param></service></servicedata>
 (No newline at EOF)
 

++++++ himmelblau-3.1.5+git0.445569d9.tar.bz2 -> 
himmelblau-3.1.6+git0.102ee045.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-3.1.5+git0.445569d9/Cargo.lock 
new/himmelblau-3.1.6+git0.102ee045/Cargo.lock
--- old/himmelblau-3.1.5+git0.445569d9/Cargo.lock       2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/Cargo.lock       2026-05-28 
23:36:26.000000000 +0200
@@ -4,7 +4,7 @@
 
 [[package]]
 name = "aad-tool"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "anyhow",
  "broker-client",
@@ -611,7 +611,7 @@
 
 [[package]]
 name = "broker"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "dbus",
  "himmelblau_unix_common",
@@ -622,7 +622,7 @@
 
 [[package]]
 name = "broker-client"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "serde_json",
  "zbus",
@@ -2050,7 +2050,7 @@
 
 [[package]]
 name = "himmelblau-fuzz"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "arbitrary",
  "himmelblau_unix_common",
@@ -2062,7 +2062,7 @@
 
 [[package]]
 name = "himmelblau_policies"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2084,7 +2084,7 @@
 
 [[package]]
 name = "himmelblau_unix_common"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2133,7 +2133,7 @@
 
 [[package]]
 name = "himmelblaud"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "async-trait",
  "base64 0.22.1",
@@ -2522,7 +2522,7 @@
 
 [[package]]
 name = "idmap"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "bindgen",
  "cc",
@@ -2827,15 +2827,22 @@
 [[package]]
 name = "ldap3_proto"
 version = "0.6.2"
+dependencies = [
+ "ldap3_proto 0.7.1",
+]
+
+[[package]]
+name = "ldap3_proto"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "b52f9ddd849c72b3f3147d91b1220a47709fdaacfe55aaaf88912c2ee3d5357b"
+checksum = "61954eefd3ff2b74d2d5bfa899c235b4c77536b4d17627607ff55430d05e0c61"
 dependencies = [
- "base64 0.21.7",
+ "base64 0.22.1",
  "bytes",
  "lber",
  "nom",
  "peg",
- "thiserror 1.0.69",
+ "thiserror 2.0.16",
  "tokio-util",
  "tracing",
  "uuid",
@@ -2874,21 +2881,23 @@
 
 [[package]]
 name = "libhimmelblau"
-version = "0.8.19"
+version = "0.8.20"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "4331d6c174da030b21bb2bf7dde3ea49d9cea3a08cd99007a008f65a64059ae8"
+checksum = "c0aced2dc4e76ba0a04043e9b9eb87569fc7e9f9bebe89ce734986cf3ac0df49"
 dependencies = [
  "base64 0.22.1",
  "cbindgen",
  "chrono",
  "compact_jwt",
  "crypto-glue",
+ "der 0.7.10",
  "hostname",
  "kanidm-hsm-crypto",
  "libkrimes",
  "openssl",
  "os-release",
  "paste",
+ "pem-rfc7468",
  "percent-encoding",
  "picky-asn1",
  "picky-asn1-der",
@@ -2907,6 +2916,7 @@
  "tracing-subscriber",
  "urlencoding",
  "uuid",
+ "x509-cert",
  "zeroize",
 ]
 
@@ -2931,7 +2941,7 @@
  "hmac 0.12.1",
  "keyutils",
  "keyutils-raw",
- "ldap3_proto",
+ "ldap3_proto 0.6.2",
  "libc",
  "md5",
  "num_enum",
@@ -3264,7 +3274,7 @@
 
 [[package]]
 name = "nss_himmelblau"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "himmelblau_unix_common",
  "lazy_static",
@@ -3370,7 +3380,7 @@
 
 [[package]]
 name = "o365"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "anyhow",
  "reqwest 0.12.24",
@@ -3456,9 +3466,9 @@
 
 [[package]]
 name = "openssl"
-version = "0.10.79"
+version = "0.10.80"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
+checksum = "a45fa2aa886c42762255da344f0a0d313e254066c46aad76f300c3d3da62d967"
 dependencies = [
  "bitflags 2.9.1",
  "cfg-if",
@@ -3493,9 +3503,9 @@
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.115"
+version = "0.9.116"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
+checksum = "f28a22dc7140cda5f096e5e7724a6962ca81a7f8bfd2979f9b18c11af56318c4"
 dependencies = [
  "cc",
  "libc",
@@ -3657,7 +3667,7 @@
 
 [[package]]
 name = "pam_himmelblau"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "himmelblau_unix_common",
  "libc",
@@ -4106,7 +4116,7 @@
 
 [[package]]
 name = "qr-greeter"
-version = "3.1.5"
+version = "3.1.6"
 
 [[package]]
 name = "qrcodegen"
@@ -4809,7 +4819,7 @@
 
 [[package]]
 name = "selinux"
-version = "3.1.5"
+version = "3.1.6"
 
 [[package]]
 name = "semver"
@@ -5170,7 +5180,7 @@
 
 [[package]]
 name = "sshd-config"
-version = "3.1.5"
+version = "3.1.6"
 
 [[package]]
 name = "sshkey-attest"
@@ -5181,7 +5191,7 @@
 
 [[package]]
 name = "sso"
-version = "3.1.5"
+version = "3.1.6"
 dependencies = [
  "broker-client",
  "clap",
@@ -5193,7 +5203,7 @@
 
 [[package]]
 name = "sso-policies"
-version = "3.1.5"
+version = "3.1.6"
 
 [[package]]
 name = "stable_deref_trait"
@@ -5312,7 +5322,7 @@
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
- "getrandom 0.4.1",
+ "getrandom 0.3.3",
  "once_cell",
  "rustix 1.1.4",
  "windows-sys 0.61.2",
@@ -5587,9 +5597,9 @@
 
 [[package]]
 name = "tonic"
-version = "0.14.5"
+version = "0.14.6"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "fec7c61a0695dc1887c1b53952990f3ad2e3a31453e1f49f10e75424943a93ec"
+checksum = "ac2a5518c70fa84342385732db33fb3f44bc4cc748936eb5833d2df34d6445ef"
 dependencies = [
  "async-trait",
  "axum",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-3.1.5+git0.445569d9/Cargo.toml 
new/himmelblau-3.1.6+git0.102ee045/Cargo.toml
--- old/himmelblau-3.1.5+git0.445569d9/Cargo.toml       2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/Cargo.toml       2026-05-28 
23:36:26.000000000 +0200
@@ -32,9 +32,10 @@
 sshkey-attest = { path = "src/sshkey-attest" }
 kanidm_build_profiles = { path = "src/kanidm_build_profiles" }
 picky-krb = { path = "src/picky-krb" }
+ldap3_proto = { path = "src/overrides/ldap3_proto/0.6.2" }
 
 [workspace.package]
-version = "3.1.5"
+version = "3.1.6"
 authors = [
     "David Mulder <[email protected]>"
 ]
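Review bot: The new workspace member is a path crate that also calls itself `ldap3_proto`, and the lockfile hunk shows it taking the place of the crates.io `ldap3_proto 0.6.2` entry for one consumer while the real registry source and checksum move to a new `0.7.1` entry. Nothing on this line says that the path is a compatibility shim rather than a vendored copy, so a reader auditing sources (the changelog mentions `cargo vet`) has to infer it from the lockfile. A trailing comment would settle it, e.g. `# shim re-exporting ldap3_proto 0.7 under the 0.6 version; see src/overrides/ldap3_proto/0.6.2`.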
@@ -54,7 +55,7 @@
 tracing-subscriber = "^0.3.23"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
-libhimmelblau = { version = "0.8.18", features = ["broker", "changepassword", 
"on_behalf_of", "mfa_method_selection", "optional_mfa", 
"intune_portal_vers_selection", "set_timeout"] }
+libhimmelblau = { version = "0.8.20", features = ["broker", "changepassword", 
"on_behalf_of", "mfa_method_selection", "optional_mfa", 
"intune_portal_vers_selection", "set_timeout"] }
 clap = { version = "^4.6", features = ["derive", "env"] }
 clap_complete = "^4.6.3"
 reqwest = { version = "^0.12.24", features = ["json"] }
@@ -92,7 +93,7 @@
 kanidm_proto = "1.8.1"
 openssl-sys = "^0.9"
 openssl = "^0.10.79"
-rand = "^0.9.4"
+rand = "^0.10.1"
 tss-esapi = "^7.2.0"
 sketching = "1.10.0"
 tracing-forest = "^0.1.6"
@@ -119,7 +120,7 @@
 opentelemetry-semantic-conventions = "0.27.0"
 tracing-opentelemetry = "0.28.0"
 tracing-core = "0.1.34"
-tonic = "0.14.5"
+tonic = "0.14.6"
 compact_jwt = { version = "0.5.3-dev", features = ["msextensions"] }
 kanidm-hsm-crypto = { version = "^0.3.6" }
 whoami = "1.6.1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down
 
new/himmelblau-3.1.6+git0.102ee045/platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down
--- 
old/himmelblau-3.1.5+git0.445569d9/platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down
        1970-01-01 01:00:00.000000000 +0100
+++ 
new/himmelblau-3.1.6+git0.102ee045/platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down
        2026-05-28 23:36:26.000000000 +0200
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Temporary workaround for himmelblau-idm/himmelblau#1206.
+
+IFACE="${1:-}"
+ACTION="${2:-}"
+TAG="himmelblau-nm-dispatcher"
+
+case "$IFACE" in
+    ""|lo|docker*|virbr*|br-*|veth*|vnet*|tun*|tap*|wg*|ppp*)
+        exit 0
+        ;;
+esac
+
+case "$ACTION" in
+    pre-down|down)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+if [ ! -d /run/systemd/system ] || ! command -v systemctl >/dev/null 2>&1; then
+    exit 0
+fi
+
+state="$(systemctl is-active himmelblaud.service 2>/dev/null || true)"
+case "$state" in
+    active|failed)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+logger -t "$TAG" "Network $IFACE going $ACTION - restarting 
himmelblaud.service"
+systemctl restart --no-block himmelblaud.service 2>&1 | logger -t "$TAG"
+
+exit 0
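Review bot: The restart fires for every qualifying interface that goes down, with no check that the host has lost connectivity, so on a machine with two active links dropping one of them restarts the authentication daemon while the other link is still up and interrupts any in-flight PAM or NSS request. If that is the accepted trade-off for the #1206 workaround, the header comment should say so and name the removal condition, e.g. `# Restarts himmelblaud whenever a non-virtual interface drops, even if another link stays up. Remove once himmelblau#1206 is fixed.` As far as I recall from the NetworkManager-dispatcher documentation, `pre-down` is only delivered to scripts placed under `pre-down.d`, so with this file installed into `dispatcher.d` (as the daemon Cargo.toml hunk does) only the `down` branch is reachable; if that is right, the `pre-down` alternative is dead and deserves either a symlink or a comment. The deny-list is a fixed glob set, so any interface driver not listed there will also trigger the restart.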
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/scripts/gen_servicefiles.py 
new/himmelblau-3.1.6+git0.102ee045/scripts/gen_servicefiles.py
--- old/himmelblau-3.1.5+git0.445569d9/scripts/gen_servicefiles.py      
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/scripts/gen_servicefiles.py      
2026-05-28 23:36:26.000000000 +0200
@@ -232,7 +232,7 @@
 {os.linesep.join(dirs_block)}
 
 {type_line}
-{'LoadCredentialEncrypted=hsm-pin:/var/lib/himmelblaud/hsm-pin.enc' if 
supported('LoadCredentialEncrypted') else ''}
+{'LoadCredentialEncrypted=hsm-pin:/var/lib/himmelblaud/hsm-pin-nopcr.enc' if 
supported('LoadCredentialEncrypted') else ''}
 {'Environment=HIMMELBLAU_HSM_PIN_PATH=%d/hsm-pin' if 
supported('LoadCredentialEncrypted') else ''}
 ExecStart=/usr/sbin/himmelblaud
 Restart=on-failure
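Review bot: The daemon unit now loads `hsm-pin-nopcr.enc`, while the init unit in the next hunk only runs when that file is absent, so on an upgraded host the daemon's first start depends on the migration having completed first; confirm that the generated daemon unit orders itself `After=`/`Wants=` the hsm-pin-init unit, which is outside this hunk, otherwise `LoadCredentialEncrypted` fails once with the old file still present. The rename is also opaque on its own: nothing in the template says what `nopcr` means. A comment line emitted into the unit (systemd accepts `#` lines), such as `# nopcr: credential sealed without PCR7 binding; created by himmelblau-init-hsm-pin`, would tie this change to the constants.rs and init-script changes in the same commit.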
@@ -312,7 +312,7 @@
 # Wants= (not Requires=) so we degrade gracefully on TPM-less systems.
 After=local-fs.target systemd-tpm2-setup.service
 Wants=systemd-tpm2-setup.service
-ConditionPathExists=!/var/lib/private/himmelblaud/hsm-pin.enc
+ConditionPathExists=!/var/lib/private/himmelblaud/hsm-pin-nopcr.enc
 
 [Service]
 Type=oneshot
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/common/src/constants.rs 
new/himmelblau-3.1.6+git0.102ee045/src/common/src/constants.rs
--- old/himmelblau-3.1.5+git0.445569d9/src/common/src/constants.rs      
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/common/src/constants.rs      
2026-05-28 23:36:26.000000000 +0200
@@ -45,7 +45,7 @@
 pub const DEFAULT_CACHE_TIMEOUT: u64 = 300;
 pub const DEFAULT_SELINUX: bool = true;
 pub const DEFAULT_HSM_PIN_PATH: &str = "/var/lib/himmelblaud/hsm-pin";
-pub const DEFAULT_HSM_PIN_PATH_ENC: &str = "/var/lib/himmelblaud/hsm-pin.enc";
+pub const DEFAULT_HSM_PIN_PATH_ENC: &str = 
"/var/lib/himmelblaud/hsm-pin-nopcr.enc";
 pub const DEFAULT_HELLO_ENABLED: bool = true;
 pub const DEFAULT_ALLOW_REMOTE_HELLO: bool = false;
 pub const DEFAULT_SFA_FALLBACK_ENABLED: bool = false;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-3.1.5+git0.445569d9/src/common/src/db.rs 
new/himmelblau-3.1.6+git0.102ee045/src/common/src/db.rs
--- old/himmelblau-3.1.5+git0.445569d9/src/common/src/db.rs     2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/common/src/db.rs     2026-05-28 
23:36:26.000000000 +0200
@@ -552,7 +552,9 @@
                 "DELETE FROM hsm_data_t
                  WHERE key LIKE '%/hello'
                     OR key LIKE '%/hello_decoupled'
-                    OR key LIKE '%/hello_prt'",
+                    OR key LIKE '%/hello_prt'
+                    OR key LIKE '%/hello_refresh_token'
+                    OR key LIKE '%/hello_totp'",
                 [],
             )
             .map_err(|e| self.sqlite_error("delete hello keys", &e))?;
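Review bot: `_` is a single-character wildcard in SQL `LIKE`, so the two added patterns (like the existing three) match slightly more than the literal suffix — `'%/hello_totp'` also matches a key ending in `/helloXtotp`. The tag suffixes are presumably fixed strings produced by the provider, so this is unlikely to bite today, but pinning them with `LIKE '%/hello\_totp' ESCAPE '\'` (escaped as needed inside the Rust literal, and likewise for the other four) makes the clear match exactly the five suffixes the new test below enumerates. The same suffix list is now maintained here, in the test, and in the keystore deletes in `idprovider/common.rs`; a shared constant would keep the three from drifting.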
@@ -1088,7 +1090,7 @@
 #[cfg(test)]
 mod tests {
 
-    use super::{Cache, CacheTxn, Db};
+    use super::{Cache, CacheTxn, Db, KeyStoreTxn};
     use crate::idprovider::interface::{GroupToken, Id, UserToken};
     use kanidm_hsm_crypto::{provider::BoxedDynTpm, provider::Tpm, AuthValue};
 
@@ -1108,6 +1110,41 @@
     }
 
     #[tokio::test]
+    async fn test_clear_hello_keys() {
+        sketching::test_init();
+        let db = Db::new("").expect("failed to create.");
+        let mut dbtxn = db.write().await;
+        assert!(dbtxn.migrate().is_ok());
+
+        let hello_keys = [
+            "[email protected]/hello",
+            "[email protected]/hello_decoupled",
+            "[email protected]/hello_prt",
+            "[email protected]/hello_refresh_token",
+            "[email protected]/hello_totp",
+        ];
+        let unrelated_key = "[email protected]/not_hello";
+        let value = "test value".to_string();
+
+        for key in hello_keys {
+            dbtxn.insert_tagged_hsm_key(key, &value).unwrap();
+        }
+        dbtxn.insert_tagged_hsm_key(unrelated_key, &value).unwrap();
+
+        assert!(dbtxn.clear_hello_keys().is_ok());
+
+        for key in hello_keys {
+            let stored: Option<String> = 
dbtxn.get_tagged_hsm_key(key).unwrap();
+            assert!(stored.is_none());
+        }
+
+        let stored: Option<String> = 
dbtxn.get_tagged_hsm_key(unrelated_key).unwrap();
+        assert_eq!(stored, Some(value));
+
+        assert!(dbtxn.commit().is_ok());
+    }
+
+    #[tokio::test]
     async fn test_cache_db_account_basic() {
         sketching::test_init();
         let db = Db::new("").expect("failed to create.");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/common/src/idprovider/common.rs 
new/himmelblau-3.1.6+git0.102ee045/src/common/src/idprovider/common.rs
--- old/himmelblau-3.1.5+git0.445569d9/src/common/src/idprovider/common.rs      
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/common/src/idprovider/common.rs      
2026-05-28 23:36:26.000000000 +0200
@@ -942,6 +942,31 @@
                 error!("Failed to provision hello key: {:?}", e);
                 IdpError::Tpm
             })?;
+
+        let hello_prt_tag = $self.fetch_hello_prt_key_tag($account_id);
+        $keystore
+            .delete_tagged_hsm_key(&hello_prt_tag)
+            .map_err(|e| {
+                error!("Failed to delete hello PRT: {:?}", e);
+                IdpError::Tpm
+            })?;
+
+        let hello_refresh_token_tag = 
$self.fetch_hello_refresh_token_key_tag($account_id);
+        $keystore
+            .delete_tagged_hsm_key(&hello_refresh_token_tag)
+            .map_err(|e| {
+                error!("Failed to delete hello refresh token: {:?}", e);
+                IdpError::Tpm
+            })?;
+
+        let hello_totp_tag = $self.fetch_hello_totp_key_tag($account_id);
+        $keystore
+            .delete_tagged_hsm_key(&hello_totp_tag)
+            .map_err(|e| {
+                error!("Failed to delete hello TOTP: {:?}", e);
+                IdpError::Tpm
+            })?;
+
         Ok(true)
     }};
 }
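Review bot: The three new deletes run after the Hello key has already been provisioned (the call above this hunk, whose error is mapped to `IdpError::Tpm` on the first lines), so a failure to delete a stale tag returns `Err` to the caller while the new key is already in the keystore — the caller sees a failed enrolment, yet the PRT, refresh-token and TOTP material belonging to the previous Hello key remain next to the new one. Deleting the stale tags before provisioning, or treating a delete failure as non-fatal with a `warn!`, avoids that mixed state; the enclosing macro starts outside this hunk, so I cannot see whether a transaction wraps both steps. The three blocks are also the same six lines modulo the tag; one loop over `[hello_prt_tag, hello_refresh_token_tag, hello_totp_tag]` with a single `map_err` would remove the repetition.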
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/common/src/idprovider/himmelblau.rs 
new/himmelblau-3.1.6+git0.102ee045/src/common/src/idprovider/himmelblau.rs
--- old/himmelblau-3.1.5+git0.445569d9/src/common/src/idprovider/himmelblau.rs  
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/common/src/idprovider/himmelblau.rs  
2026-05-28 23:36:26.000000000 +0200
@@ -91,6 +91,12 @@
 // AADSTS50125: PasswordResetRegistrationRequiredInterrupt
 const PASSWORD_RESET_REGISTRATION_REQUIRED: u32 = 50125;
 
+fn is_unavailable_mfa_method_error(msg: &str, requested_method: &str) -> bool {
+    let expected_prefix =
+        format!("Requested MFA method '{requested_method}' not available. 
Available methods: ");
+    msg.starts_with(&expected_prefix)
+}
+
 /// Convert an MsalError to a short, user-friendly message for PAM display.
 /// This intentionally ignores the internal string contents of error variants
 /// to avoid leaking verbose or sensitive information to the user.
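Review bot: `is_unavailable_mfa_method_error` detects the condition by prefix-matching a free-form message, so the fallback added later in this file stops working silently if libhimmelblau rewords its `GeneralFailure` text. A comment naming the source of the string at least makes the coupling visible: `// Mirrors the GeneralFailure text libhimmelblau emits for an unavailable MFA method; keep in sync with that crate.` A dedicated error variant upstream would be the durable fix, with this helper removed once it exists.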
@@ -820,6 +826,56 @@
             bad_pin_counter: BadPinCounter::new(),
         })
     }
+
+    /// Initiate MFA flow with automatic fallback if the requested method is 
unavailable.
+    /// If a specific MFA method is requested but not available, this will 
automatically
+    /// retry with no method specified (allowing Azure to choose the default).
+    async fn initiate_mfa_flow_with_fallback(
+        &self,
+        account_id: &str,
+        password: Option<&str>,
+        auth_options: &[AuthOption],
+        auth_init: Option<himmelblau::auth::AuthInit>,
+        mfa_method: Option<String>,
+    ) -> Result<himmelblau::auth::MFAAuthContinue, MsalError> {
+        let result = self
+            .client
+            .lock()
+            .await
+            .initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                account_id,
+                password,
+                auth_options,
+                auth_init.clone(),
+                mfa_method.as_deref(),
+            )
+            .await;
+
+        match result {
+            Ok(flow) => Ok(flow),
+            Err(MsalError::GeneralFailure(ref msg))
+                if mfa_method
+                    .as_deref()
+                    .map(|method| is_unavailable_mfa_method_error(msg, method))
+                    .unwrap_or(false) =>
+            {
+                // Requested MFA method not available, fall back to default
+                warn!("{} Retrying with default MFA method.", msg);
+                self.client
+                    .lock()
+                    .await
+                    .initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                        account_id,
+                        password,
+                        auth_options,
+                        auth_init,
+                        None, // Retry without specifying MFA method
+                    )
+                    .await
+            }
+            Err(e) => Err(e),
+        }
+    }
 }
 
 enum TokenOrObj {
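Review bot: When the configured `mfa_method` is unavailable, `initiate_mfa_flow_with_fallback` retries with `None` and lets the server choose, and the only trace is a `warn!`; if an administrator set `mfa_method` to require a particular factor, this turns that requirement into a preference with no configuration opt-in. The doc comment on the function should state that the fallback may end up using a method other than the configured one, and a config flag to disable the fallback would let deployments that rely on the configured method keep the previous fail-closed behaviour. The retry also re-acquires the `client` lock and passes the un-cloned `auth_init`, which presumably is why `auth_init.clone()` is used on the first attempt; a one-line comment there would spare the next reader the inference.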
@@ -1721,16 +1777,14 @@
                     }
                     Ok((AuthRequest::Password, AuthCredHandler::None))
                 } else {
+                    let mfa_method = self.config.lock().await.get_mfa_method();
                     let flow = net_down_check!(
-                        self.client
-                            .lock()
-                            .await
-                            
.initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                        self.initiate_mfa_flow_with_fallback(
                                 account_id,
                                 None,
                                 &auth_options,
                                 Some(auth_init),
-                                
self.config.lock().await.get_mfa_method().as_deref()
+                                mfa_method
                             )
                             .await,
                         Err(MsalError::PasswordRequired) => {
@@ -2132,15 +2186,12 @@
                     }
 
                     let flow = match self
-                        .client
-                        .lock()
-                        .await
-                        
.initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                        .initiate_mfa_flow_with_fallback(
                             account_id,
                             None, // No password — we only have the PIN
                             &auth_options,
                             None, // No auth_init — user already exists
-                            mfa_method.as_deref(),
+                            mfa_method
                         )
                         .await
                     {
@@ -3391,16 +3442,14 @@
                 // from check_user_exists() was fetched without ForceMFA, so 
reusing
                 // it would bypass the amr_values=ngcmfa parameter in the
                 // /oauth2/authorize request.
+                let mfa_method = self.config.lock().await.get_mfa_method();
                 let flow = net_down_check!(
-                    self.client
-                        .lock()
-                        .await
-                        
.initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                    self.initiate_mfa_flow_with_fallback(
                             account_id,
                             Some(&cred),
                             auth_options,
                             None,
-                            
self.config.lock().await.get_mfa_method().as_deref()
+                            mfa_method.clone()
                         )
                         .await,
                     Ok(flow) => flow,
@@ -3411,15 +3460,12 @@
                             auth_options.push(AuthOption::ForceMFA);
                         }
                         net_down_check!(
-                            self.client
-                                .lock()
-                                .await
-                                
.initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                            self.initiate_mfa_flow_with_fallback(
                                     account_id,
                                     Some(&cred),
                                     auth_options,
                                     None,
-                                    
self.config.lock().await.get_mfa_method().as_deref()
+                                    mfa_method
                                 )
                                 .await,
                             Ok(flow) => flow,
@@ -3520,16 +3566,14 @@
                 }
 
                 // Call the appropriate method based on whether mfa_method is 
configured
+                let mfa_method = self.config.lock().await.get_mfa_method();
                 let mresp = self
-                    .client
-                    .lock()
-                    .await
-                    .initiate_acquire_token_by_mfa_flow_for_device_enrollment(
+                    .initiate_mfa_flow_with_fallback(
                         account_id,
                         Some(&cred),
                         &opts,
                         None,
-                        self.config.lock().await.get_mfa_method().as_deref(),
+                        mfa_method,
                     )
                     .await;
 
@@ -5094,3 +5138,25 @@
         true
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::is_unavailable_mfa_method_error;
+
+    #[test]
+    fn unavailable_mfa_method_error_requires_exact_requested_method() {
+        assert!(is_unavailable_mfa_method_error(
+            "Requested MFA method 'FidoKey' not available. Available methods: 
PhoneAppOTP",
+            "FidoKey"
+        ));
+
+        assert!(!is_unavailable_mfa_method_error(
+            "Requested MFA method 'PhoneAppOTP' not available. Available 
methods: FidoKey",
+            "FidoKey"
+        ));
+        assert!(!is_unavailable_mfa_method_error(
+            "Stored MFA method 'FidoKey' is not available. Available methods: 
PhoneAppOTP",
+            "FidoKey"
+        ));
+    }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/common/src/resolver.rs 
new/himmelblau-3.1.6+git0.102ee045/src/common/src/resolver.rs
--- old/himmelblau-3.1.5+git0.445569d9/src/common/src/resolver.rs       
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/common/src/resolver.rs       
2026-05-28 23:36:26.000000000 +0200
@@ -774,11 +774,17 @@
             .await;
 
         drop(hsm_lock);
-        dbtxn.commit().map_err(|_| ())?;
 
-        res.map_err(|e| {
-            trace!("change_auth_token error -> {:?}", e);
-        })
+        match res {
+            Ok(res) => {
+                dbtxn.commit().map_err(|_| ())?;
+                Ok(res)
+            }
+            Err(e) => {
+                trace!("change_auth_token error -> {:?}", e);
+                Err(())
+            }
+        }
     }
 
     pub async fn offline_break_glass(&self, ttl: Option<u64>) -> Result<(), 
()> {
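Review bot: The `Ok` arm still maps a commit failure to `()` with no log line, while the `Err` arm traces the provider error, so a commit that fails after a successful credential change is now the only silent path in this function. Suggest `dbtxn.commit().map_err(|e| trace!("change_auth_token commit error -> {:?}", e))?;`, assuming the commit error type implements `Debug` as the provider error does. On the `Err` path `dbtxn` is now dropped without `commit()`; if the transaction rolls back on drop that is the intended effect of the change, but a short comment saying so would help, since the function's start (where `dbtxn` is opened) is outside this hunk.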
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/himmelblau-3.1.5+git0.445569d9/src/daemon/Cargo.toml 
new/himmelblau-3.1.6+git0.102ee045/src/daemon/Cargo.toml
--- old/himmelblau-3.1.5+git0.445569d9/src/daemon/Cargo.toml    2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/daemon/Cargo.toml    2026-05-28 
23:36:26.000000000 +0200
@@ -66,6 +66,7 @@
   ["../../platform/debian/himmelblaud-tasks.service", 
"usr/lib/systemd/system/", "644"],
   ["../../platform/debian/himmelblaud.service", "usr/lib/systemd/system/", 
"644"],
   ["../../platform/debian/himmelblau-hsm-pin-init.service", 
"usr/lib/systemd/system/", "644"],
+  
["../../platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down",
 "usr/lib/NetworkManager/dispatcher.d/", "755"],
   ["scripts/himmelblau-init-hsm-pin", "usr/libexec/", "755"],
   ["target/release/himmelblaud", "usr/sbin/", "755"],
   ["target/release/himmelblaud_tasks", "usr/sbin/", "755"],
@@ -90,6 +91,7 @@
   { source = "../../platform/opensuse/himmelblaud-tasks.service", dest = 
"/usr/lib/systemd/system/", mode = "644" },
   { source = "../../platform/opensuse/himmelblaud.service", dest = 
"/usr/lib/systemd/system/", mode = "644" },
   { source = "../../platform/opensuse/himmelblau-hsm-pin-init.service", dest = 
"/usr/lib/systemd/system/", mode = "644" },
+  { source = 
"../../platform/common/NetworkManager/dispatcher.d/99-himmelblau-restart-on-down",
 dest = "/usr/lib/NetworkManager/dispatcher.d/", mode = "755" },
   { source = "scripts/himmelblau-init-hsm-pin", dest = "/usr/libexec/", mode = 
"755" },
   { source = "target/release/himmelblaud", dest = "/usr/sbin/", mode = "755" },
   { source = "target/release/himmelblaud_tasks", dest = "/usr/sbin/", mode = 
"755" },
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/daemon/scripts/himmelblau-init-hsm-pin 
new/himmelblau-3.1.6+git0.102ee045/src/daemon/scripts/himmelblau-init-hsm-pin
--- 
old/himmelblau-3.1.5+git0.445569d9/src/daemon/scripts/himmelblau-init-hsm-pin   
    2026-05-07 19:57:55.000000000 +0200
+++ 
new/himmelblau-3.1.6+git0.102ee045/src/daemon/scripts/himmelblau-init-hsm-pin   
    2026-05-28 23:36:26.000000000 +0200
@@ -6,7 +6,8 @@
 set -e
 
 LEGACY=/var/lib/private/himmelblaud/hsm-pin
-CRED=/var/lib/private/himmelblaud/hsm-pin.enc
+LEGACY1=/var/lib/private/himmelblaud/hsm-pin.enc
+CRED=/var/lib/private/himmelblaud/hsm-pin-nopcr.enc
 SRK_HANDLE=0x81000001
 
 gen_pin_hex() {
@@ -163,6 +164,9 @@
 if [ -f "$LEGACY" ]; then
     echo "Migrating existing HSM-PIN to encrypted credential"
     HSM_PIN=$(cat "$LEGACY")
+elif [ -f "$LEGACY1" ]; then
+    echo "Migrating existing HSM-PIN to no PCR lock"
+    HSM_PIN=$(systemd-creds decrypt --name=hsm-pin "$LEGACY1")
 else
     echo "Generating new HSM-PIN"
     HSM_PIN=$(gen_pin_hex)
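Review bot: The new `elif` decrypts the previous credential with `systemd-creds decrypt`; under `set -e` a decrypt failure (for instance when the PCR7 policy the old file was sealed with no longer matches) aborts the script before any message, leaving neither credential usable and nothing in the log explaining why. Failing closed here is the right outcome, since generating a fresh PIN would orphan the keys sealed under the old one, but the script should say so: `HSM_PIN=$(systemd-creds decrypt --name=hsm-pin "$LEGACY1") || { echo "ERROR: cannot decrypt $LEGACY1; refusing to generate a new PIN"; exit 1; }`.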
@@ -173,13 +177,13 @@
 #   auto       — systemd picks the best available (may silently omit TPM if 
SRK absent)
 if [ -e /dev/tpmrm0 ] || [ -e /dev/tpm0 ]; then
     if srk_is_provisioned; then
-        KEY_ARG="--with-key=host+tpm2"
+        KEY_ARG="--with-key=host+tpm2 --tpm2-pcrs="
     else
         echo "WARNING: TPM present but SRK provisioning failed. HSM PIN will 
use host key only."
-        KEY_ARG="--with-key=auto"
+        KEY_ARG="--with-key=auto --tpm2-pcrs="
     fi
 else
-    KEY_ARG="--with-key=auto"
+    KEY_ARG="--with-key=auto --tpm2-pcrs="
 fi
 
 # Encrypt the PIN
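Review bot: Appending an empty `--tpm2-pcrs=` to every `KEY_ARG` removes the PCR policy entirely, so the credential becomes decryptable with the TPM plus host key regardless of boot measurements; the changelog records it as "don't bind the hsm-pin to PCR7" but the script itself does not explain the trade-off. A sentence in the comment block above these lines would, e.g. `# PCR binding intentionally disabled: a firmware or Secure Boot change must not lock out the HSM PIN (see 3.1.6 changelog).` Note that `KEY_ARG` is now a two-token value, which only works if it is expanded unquoted where the encrypt command is assembled (outside this hunk); if so, a comment on the assignment or a quoted-array form in bash would prevent a later "fix" that adds quotes and breaks encryption.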
@@ -187,6 +191,7 @@
         --tpm2-device=auto - "$CRED"; then
     echo "HSM PIN credential created successfully"
     rm -f "$LEGACY" 2>/dev/null || true
+    rm -f "$LEGACY1" 2>/dev/null || true
     exit 0
 else
     echo "ERROR: Failed to create HSM PIN credential"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/overrides/ldap3_proto/0.6.2/Cargo.toml 
new/himmelblau-3.1.6+git0.102ee045/src/overrides/ldap3_proto/0.6.2/Cargo.toml
--- 
old/himmelblau-3.1.5+git0.445569d9/src/overrides/ldap3_proto/0.6.2/Cargo.toml   
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/himmelblau-3.1.6+git0.102ee045/src/overrides/ldap3_proto/0.6.2/Cargo.toml   
    2026-05-28 23:36:26.000000000 +0200
@@ -0,0 +1,12 @@
+[package]
+name = "ldap3_proto"
+version = "0.6.2"
+authors.workspace = true
+rust-version.workspace = true
+edition.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[dependencies]
+ldap3_proto = { version = "^0.7" }
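Review bot: This override crate has no comment saying why a local `ldap3_proto` 0.6.2 that only re-exports `ldap3_proto ^0.7` exists, nor which dependency still asks for 0.6.x — presumably it redirects a transitive 0.6 requirement onto the 0.7 line, but that is inferred. A header comment such as `# Shim: exposes crates.io ldap3_proto 0.7.x under the 0.6.2 name so that <consumer crate, placeholder> resolves to the current release` would let a future reader judge whether it is still needed. `^0.7` floats across 0.7.x while the vet import recorded in this commit names 0.7.1 specifically, so it is worth stating in the same comment that Cargo.lock governs the resolved version.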
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/overrides/ldap3_proto/0.6.2/src/lib.rs 
new/himmelblau-3.1.6+git0.102ee045/src/overrides/ldap3_proto/0.6.2/src/lib.rs
--- 
old/himmelblau-3.1.5+git0.445569d9/src/overrides/ldap3_proto/0.6.2/src/lib.rs   
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/himmelblau-3.1.6+git0.102ee045/src/overrides/ldap3_proto/0.6.2/src/lib.rs   
    2026-05-28 23:36:26.000000000 +0200
@@ -0,0 +1 @@
+pub use ldap3_proto::*;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/qr-greeter/src/[email protected]/metadata.json
 
new/himmelblau-3.1.6+git0.102ee045/src/qr-greeter/src/[email protected]/metadata.json
--- 
old/himmelblau-3.1.5+git0.445569d9/src/qr-greeter/src/[email protected]/metadata.json
   2026-05-07 19:57:55.000000000 +0200
+++ 
new/himmelblau-3.1.6+git0.102ee045/src/qr-greeter/src/[email protected]/metadata.json
   2026-05-28 23:36:26.000000000 +0200
@@ -3,7 +3,7 @@
   "name": "Himmelblau QR Greeter",
   "description": "Adds a QR code to authentication prompts when a URL is 
detected.",
   "version": 1,
-  "shell-version": ["45", "46", "47", "48", "49"],
+  "shell-version": ["45", "46", "47", "48", "49", "50"],
   "session-modes": ["gdm", "unlock-dialog"],
   "donations": { "opencollective" : "himmelblau" }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/src/sshd-config/Cargo.toml 
new/himmelblau-3.1.6+git0.102ee045/src/sshd-config/Cargo.toml
--- old/himmelblau-3.1.5+git0.445569d9/src/sshd-config/Cargo.toml       
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/src/sshd-config/Cargo.toml       
2026-05-28 23:36:26.000000000 +0200
@@ -16,14 +16,14 @@
 name = "himmelblau-sshd-config"
 depends = ["openssh-server"]
 assets = [
-  ["../../platform/debian/sshd_config", 
"etc/ssh/sshd_config.d/himmelblau.conf", "644"],
+  ["../../platform/debian/sshd_config", 
"etc/ssh/sshd_config.d/30-himmelblau.conf", "644"],
 ]
 maintainer-scripts = "scripts"
 
 [package.metadata.generate-rpm]
 name = "himmelblau-sshd-config"
 assets = [
-  { source = "../../platform/el/sshd_config", dest = 
"/etc/ssh/sshd_config.d/himmelblau.conf", mode = "644" },
+  { source = "../../platform/el/sshd_config", dest = 
"/etc/ssh/sshd_config.d/30-himmelblau.conf", mode = "644" },
 ]
 post_install_script = "scripts/postinst"
 
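Review bot: Both packaging sections now ship the snippet as `30-himmelblau.conf`, but nothing in this hunk removes the previously installed `/etc/ssh/sshd_config.d/himmelblau.conf` on upgrade; rpm normally drops an asset that is no longer packaged, whereas dpkg keeps an obsolete conffile on disk unless the maintainer scripts (`maintainer-scripts = "scripts"`, contents outside this hunk) remove it. Because sshd uses the first value it sees for each keyword and processes included files in lexical order, a stale copy sorts after the new file and will not override it, but it would still be parsed and can confuse later debugging. If not already handled, a `dpkg-maintscript-helper rm_conffile` entry for the old path in the Debian maintainer scripts would close that gap.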
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/supply-chain/audits.toml 
new/himmelblau-3.1.6+git0.102ee045/supply-chain/audits.toml
--- old/himmelblau-3.1.5+git0.445569d9/supply-chain/audits.toml 2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/supply-chain/audits.toml 2026-05-28 
23:36:26.000000000 +0200
@@ -674,6 +674,11 @@
 criteria = "safe-to-deploy"
 delta = "0.14.3 -> 0.14.5"
 
+[[audits.tonic]]
+who = "David Mulder <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.14.5 -> 0.14.6"
+
 [[audits.tonic-prost]]
 who = "David Mulder <[email protected]>"
 criteria = "safe-to-deploy"
@@ -1279,7 +1284,7 @@
 
 [[trusted.group]]
 criteria = "safe-to-deploy"
-user-id = 1244 # ebfull
+user-id = 1244 # Sean Bowe (ebfull)
 start = "2019-10-08"
 end = "2026-09-11"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/supply-chain/config.toml 
new/himmelblau-3.1.6+git0.102ee045/supply-chain/config.toml
--- old/himmelblau-3.1.5+git0.445569d9/supply-chain/config.toml 2026-05-07 
19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/supply-chain/config.toml 2026-05-28 
23:36:26.000000000 +0200
@@ -34,6 +34,9 @@
 [policy.kanidm_build_profiles]
 audit-as-crates-io = true
 
+[policy."ldap3_proto:0.6.2"]
+audit-as-crates-io = true
+
 [policy.paste]
 audit-as-crates-io = true
 
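Review bot: `audit-as-crates-io = true` for `ldap3_proto:0.6.2` makes cargo vet treat the local shim as the crates.io release of that name and version, but the shim's source (`pub use ldap3_proto::*;`) shares nothing with the published 0.6.2, so any crates.io audit of 0.6.2 says nothing about what is compiled here. The code that actually runs is the 0.7.x crate, which this commit tracks separately through the imports.lock publisher entry, so net coverage appears intact; a comment above the policy recording that reasoning, e.g. `# path shim that only re-exports ldap3_proto 0.7; the real code is vetted as the 0.7.x crate`, keeps the exemption from being copied onto an override that does carry its own code.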
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/himmelblau-3.1.5+git0.445569d9/supply-chain/imports.lock 
new/himmelblau-3.1.6+git0.102ee045/supply-chain/imports.lock
--- old/himmelblau-3.1.5+git0.445569d9/supply-chain/imports.lock        
2026-05-07 19:57:55.000000000 +0200
+++ new/himmelblau-3.1.6+git0.102ee045/supply-chain/imports.lock        
2026-05-28 23:36:26.000000000 +0200
@@ -343,6 +343,7 @@
 when = "2022-05-04"
 user-id = 1244
 user-login = "ebfull"
+user-name = "Sean Bowe"
 
 [[publisher.h2]]
 version = "0.4.10"
@@ -481,6 +482,13 @@
 user-login = "Firstyear"
 user-name = "Firstyear"
 
+[[publisher.ldap3_proto]]
+version = "0.7.1"
+when = "2026-04-30"
+user-id = 31100
+user-login = "Firstyear"
+user-name = "Firstyear"
+
 [[publisher.libc]]
 version = "0.2.186"
 when = "2026-04-23"
@@ -495,8 +503,8 @@
 user-name = "Nick Fitzgerald"
 
 [[publisher.libhimmelblau]]
-version = "0.8.19"
-when = "2026-05-06"
+version = "0.8.20"
+when = "2026-05-28"
 user-id = 247655
 user-login = "dmulder"
 user-name = "David Mulder"
@@ -3146,6 +3154,11 @@
 criteria = "safe-to-deploy"
 delta = "0.10.77 -> 0.10.79"
 
+[[audits.himmelblau.audits.openssl]]
+who = "David Mulder <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.10.79 -> 0.10.80"
+
 [[audits.himmelblau.audits.openssl-sys]]
 who = "David Mulder <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3161,6 +3174,11 @@
 criteria = "safe-to-deploy"
 delta = "0.9.113 -> 0.9.115"
 
+[[audits.himmelblau.audits.openssl-sys]]
+who = "David Mulder <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.9.115 -> 0.9.116"
+
 [[audits.himmelblau.audits.opentelemetry-otlp]]
 who = "David Mulder <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3563,7 +3581,7 @@
 criteria = "safe-to-deploy"
 user-id = 1139 # Manish Goregaokar (Manishearth)
 start = "2019-07-25"
-end = "2026-02-01"
+end = "2027-04-23"
 notes = "All code written or reviewed by Manish"
 aggregated-from = 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml";
 

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.himmelblau.new.1981/vendor.tar.zst differ: char 7, 
line 1
