Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
path: root/archinstall/lib/disk/fido.py
blob: 96a74991ae30d765d80d209024c0b81430da1310 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
from __future__ import annotations

import getpass
from pathlib import Path
from typing import List, Optional

from .device_model import PartitionModification, Fido2Device
from ..general import SysCommand, SysCommandWorker, clear_vt100_escape_codes
from ..output import error, info
from ..exceptions import SysCallError


class Fido2:
	_loaded: bool = False
	_fido2_devices: List[Fido2Device] = []

	@classmethod
	def get_fido2_devices(cls, reload: bool = False) -> List[Fido2Device]:
		"""
		Uses systemd-cryptenroll to list the FIDO2 devices
		connected that supports FIDO2.
		Some devices might show up in udevadm as FIDO2 compliant
		when they are in fact not.

		The drawback of systemd-cryptenroll is that it uses human readable format.
		That means we get this weird table like structure that is of no use.

		So we'll look for `MANUFACTURER` and `PRODUCT`, we take their index
		and we split each line based on those positions.

		Output example:

		PATH         MANUFACTURER PRODUCT
		/dev/hidraw1 Yubico       YubiKey OTP+FIDO+CCID
		"""

		# to prevent continous reloading which will slow
		# down moving the cursor in the menu
		if not cls._loaded or reload:
			try:
				ret: Optional[str] = SysCommand("systemd-cryptenroll --fido2-device=list").decode('UTF-8')
			except SysCallError:
				error('fido2 support is most likely not installed')
				raise ValueError('HSM devices can not be detected, is libfido2 installed?')

			if not ret:
				return []

			fido_devices: str = clear_vt100_escape_codes(ret)  # type: ignore

			manufacturer_pos = 0
			product_pos = 0
			devices = []

			for line in fido_devices.split('\r\n'):
				if '/dev' not in line:
					manufacturer_pos = line.find('MANUFACTURER')
					product_pos = line.find('PRODUCT')
					continue

				path = line[:manufacturer_pos].rstrip()
				manufacturer = line[manufacturer_pos:product_pos].rstrip()
				product = line[product_pos:]

				devices.append(
					Fido2Device(Path(path), manufacturer, product)
				)

			cls._loaded = True
			cls._fido2_devices = devices

		return cls._fido2_devices

	@classmethod
	def fido2_enroll(
		cls,
		hsm_device: Fido2Device,
		part_mod: PartitionModification,
		password: str
	):
		worker = SysCommandWorker(f"systemd-cryptenroll --fido2-device={hsm_device.path} {part_mod.dev_path}", peek_output=True)
		pw_inputted = False
		pin_inputted = False

		while worker.is_alive():
			if pw_inputted is False:
				if bytes(f"please enter current passphrase for disk {part_mod.dev_path}", 'UTF-8') in worker._trace_log.lower():
					worker.write(bytes(password, 'UTF-8'))
					pw_inputted = True
			elif pin_inputted is False:
				if bytes(f"please enter security token pin", 'UTF-8') in worker._trace_log.lower():
					worker.write(bytes(getpass.getpass(" "), 'UTF-8'))
					pin_inputted = True

				info('You might need to touch the FIDO2 device to unlock it if no prompt comes up after 3 seconds')