authorSumit Bose <sbose@redhat.com>2010-10-27 13:34:54 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-11-15 15:37:30 -0500
commit9468a58f9bd191ef80c114943a288037c635a835 (patch)
tree61d7209ebaea50aadc1b90ad7880a83579d6d254
parent4b498111c49b254e9aa5e2b0d4fcc1ba24a04236 (diff)
Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But only some of them are important, while others are merely informational. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml31
-rw-r--r--src/providers/data_provider.h1
-rw-r--r--src/providers/dp_pam_data_util.c1
-rw-r--r--src/responder/pam/pamsrv_cmd.c101
7 files changed, 126 insertions, 11 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5726ad5dc..eccb98d36 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d27d2f8a6..1f54b4757 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ option_strings = {
'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca85ed709..3bd0cc490 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 60ba169bd..2bba38050 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>pam_verbosity (integer)</term>
+ <listitem>
+ <para>
+ Controls what kind of messages are shown to the user
+ during authentication. The higher the number to more
+ messages are displayed.
+ </para>
+ <para>
+ Currently sssd supports the following values:
+ </para>
+ <para>
+ <emphasis>0</emphasis>: do not show any message
+ </para>
+ <para>
+ <emphasis>1</emphasis>: show only important
+ messages
+ </para>
+ <para>
+ <emphasis>2</emphasis>: show informational messages
+ </para>
+ <para>
+ <emphasis>3</emphasis>: show all messages and debug
+ information
+ </para>
+ <para>
+ Default: 1
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 062c36e34..819a2d770 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
int32_t type;
int32_t len;
uint8_t *data;
+ bool do_not_send_to_client;
struct response_data *next;
};
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index d709447d1..5c06a81ba 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -163,6 +163,7 @@ int pam_add_response(struct pam_data *pd, enum response_type type,
new->len = len;
new->data = talloc_memdup(pd, data, len);
if (new->data == NULL) return ENOMEM;
+ new->do_not_send_to_client = false;
new->next = pd->resp_list;
pd->resp_list = new;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ba6f17f7..25031e198 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,15 @@
#include "responder/pam/pamsrv.h"
#include "db/sysdb.h"
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
static void pam_reply(struct pam_auth_req *preq);
static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) {
@@ -319,6 +328,59 @@ fail:
return ret;
}
+static errno_t filter_responses(struct response_data *resp_list,
+ int pam_verbosity)
+{
+ struct response_data *resp;
+ uint32_t user_info_type;
+ int64_t expire_date;
+
+ resp = resp_list;
+
+ while(resp != NULL) {
+ if (resp->type == SSS_PAM_USER_INFO) {
+ if (resp->len < sizeof(uint32_t)) {
+ DEBUG(1, ("User info entry is too short.\n"));
+ return EINVAL;
+ }
+
+ if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+ resp->do_not_send_to_client = true;
+ resp = resp->next;
+ continue;
+ }
+
+ memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+ resp->do_not_send_to_client = false;
+ switch (user_info_type) {
+ case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+ if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+ DEBUG(1, ("User info offline auth entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_date, resp->data + sizeof(uint32_t),
+ sizeof(int64_t));
+ if ((expire_date == 0 &&
+ pam_verbosity < PAM_VERBOSITY_INFO) ||
+ (expire_date > 0 &&
+ pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+ resp->do_not_send_to_client = true;
+ }
+
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+ }
+ }
+
+ resp = resp->next;
+ }
+
+ return EOK;
+}
+
static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
struct timeval tv, void *pvt)
{
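Review bot: The DEBUG call in the default branch of the switch in filter_responses uses a `%d` conversion with no matching argument, so the format consumes a vararg that was never passed; it should read `DEBUG(7, ("User info type [%u] not filtered.\n", user_info_type));`. The two length checks compare the `int32_t` `resp->len` against `size_t` values, so a negative length is converted to a large unsigned value and passes both the `<` and the `!=` test; a guard of the form `if (resp->len < 0 || (size_t)resp->len < sizeof(uint32_t))` closes that. When a malformed entry is detected the function returns EINVAL with the remaining entries unfiltered and the malformed entry itself still marked for sending, which matters because the caller in the later hunk logs that failure as non-fatal and continues building the reply. Also, for `expire_date == 0` the offline-auth message is suppressed below PAM_VERBOSITY_INFO, whereas the commit message says it is shown at pam_verbosity=1; the code or the description should be aligned.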
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
DEBUG(4, ("pam_reply get called.\n"));
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
- struct pam_ctx);
-
ret = sysdb_cache_auth(preq, sysdb,
preq->domain, pd->user,
pd->authtok, pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
+ ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+ ret = filter_responses(pd->resp_list, pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("filter_responses failed, not fatal.\n"));
+ }
+
if (pd->domain != NULL) {
pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
(uint8_t *) pd->domain);
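Review bot: When confdb_get_int fails, pam_verbosity is forced to 0, which is PAM_VERBOSITY_NO_MESSAGES and silences even the messages the manual classifies as important, although the log line calls the failure non-fatal and the documented default is 1; the fallback should be `pam_verbosity = DEFAULT_PAM_VERBOSITY;`, and the same applies to the `int pam_verbosity = 0;` initializer in the earlier hunk. `pctx->rctx->cdb` is dereferenced here with no NULL check after the talloc_get_type assignment was moved earlier in pam_reply; if that pointer is not guaranteed non-NULL by the caller, a check belongs before this call — the surrounding code is not visible, so this is hedged. The body of pam_reply continues outside this hunk.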
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
resp_size = 0;
resp = pd->resp_list;
while(resp != NULL) {
- resp_c++;
- resp_size += resp->len;
+ if (!resp->do_not_send_to_client) {
+ resp_c++;
+ resp_size += resp->len;
+ }
resp = resp->next;
}
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
resp = pd->resp_list;
while(resp != NULL) {
- memcpy(&body[p], &resp->type, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], &resp->len, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], resp->data, resp->len);
- p += resp->len;
+ if (!resp->do_not_send_to_client) {
+ memcpy(&body[p], &resp->type, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], &resp->len, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], resp->data, resp->len);
+ p += resp->len;
+ }
resp = resp->next;
}