pam/gdm/conversation: Show the Poll response if non-empty

In case the gdm data poll response has content, it's still something we want to show, even though we should sanitize the value when it contains the challenge secret Fixes: 40fa85d
ubuntu · Oct 2, 2024 · 600dff6 · 600dff6
1 parent fa276dd
commit 600dff6
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/pam/internal/gdm/conversation.go b/pam/internal/gdm/conversation.go
@@ -6,13 +6,15 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
 	"sync/atomic"
 
 	"github.com/msteinert/pam/v2"
 	"github.com/ubuntu/authd/internal/log"
 )
 
 var conversations atomic.Int32
+var challengeRegex = regexp.MustCompile(`"challenge"\s*:\s*"(?:[^"\\]|\\.)*"`)
 
 // ConversationInProgress checks if conversations are currently active.
 func ConversationInProgress() bool {
@@ -63,9 +65,16 @@ func SendData(pamMTx pam.ModuleTransaction, d *Data) (*Data, error) {
 	}
 
 	gdmData, err := NewDataFromJSON(jsonValue)
-	// Log unless it's a poll, which are so frequently that it would be
+	// Log unless it's an empty poll, which are so frequently that it would be
 	// too verbose to log them.
-	if d.Type != DataType_poll {
+	if gdmData.Type == DataType_pollResponse && len(gdmData.GetPollResponse()) == 0 {
+		jsonValue = nil
+	}
+	if log.IsLevelEnabled(log.DebugLevel) && jsonValue != nil &&
+		gdmData != nil && gdmData.Type == DataType_pollResponse {
+		jsonValue = challengeRegex.ReplaceAll(jsonValue, []byte(`"challenge":"**************"`))
+	}
+	if jsonValue != nil {
 		log.Debugf(context.TODO(), "Got from GDM: %s", jsonValue)
 	}
 	if err != nil {