From e5249966935fac47e8ba73bc04d0868df3d7c5da Mon Sep 17 00:00:00 2001
From: shimun
Date: Fri, 25 Sep 2020 00:51:42 +0200
Subject: [PATCH] add

---
 src/lib.rs | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index 139cd2a..6f393b5 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -15,6 +15,7 @@ use pamsm::PamLibExt;
 use pamsm::*;
 use std::collections::{HashMap, HashSet};
 use std::ffi::CStr;
+use std::path::Path;
 use std::str::FromStr;
 
 pub mod cli_args;
@@ -26,7 +27,7 @@ pub mod util;
 struct PamFido2Luks;
 
 impl PamFido2Luks {
- fn open(&self, password: String, args: Vec) -> Fido2LuksResult<()> {
+ fn open(&self, user: String, password: String, args: Vec) -> Fido2LuksResult<()> {
 let args: HashMap = args
 .into_iter()
 .filter_map(|arg| {
@@ -47,10 +48,18 @@ impl PamFido2Luks {
 })
 .unwrap_or_default();
 let pin = args.get("pin");
- let device = args.get("device");
- let name = args.get("name");
+ let device = args
+ .get("device")
+ .map(|device| device.replace("%user%", user.as_str()));
+ let name = args
+ .get("name")
+ .map(|name| name.replace("%user%", user.as_str()));
 if let (Some(device), Some(name)) = (device, name) {
+ if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
+ {
+ return Ok(());
+ }
 let mut device = LuksDevice::load(device)?;
 let mut additional_credentials: HashSet = HashSet::new();
 if device.is_luks2()? {
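Review bot: The early `return Ok(())` added inside the `if let (Some(device), Some(name))` arm reports success when the device path does not exist or `/dev/mapper/<name>` is already present, and `authenticate` in the last hunk maps `Ok(_)` to `PamError::SUCCESS`, so a login whose configured device is absent or already unlocked succeeds without any FIDO2/LUKS step having run; whether that is exploitable depends on the control flag this module gets in the PAM stack, but "nothing to do" should not be indistinguishable from "credential verified" — return a dedicated result the caller can map to PAM's ignore status (if pamsm exposes one) or to `AUTH_ERR`, and if fail-open is intended say so in a comment such as `// device missing or already mapped: nothing to unlock; relies on this module not being the sole `sufficient` entry`. The `%user%` substitution also splices the PAM-supplied user name verbatim into a filesystem path and into `/dev/mapper/{}`, so a name containing `/` or `..` changes which path is tested and loaded; reject such names before substituting, e.g. `if user.contains('/') || user.starts_with('.') { return Err(/* TODO: pick the appropriate Fido2LuksError variant */); }`. As rendered the hunk is one context line short of the `-47,10 +48,18` counts, so the exact layout could not be restored, and `open` continues past the hunk.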
@@ -90,12 +99,16 @@ impl PamFido2Luks {
 
 impl PamServiceModule for PamFido2Luks {
 fn authenticate(pamh: Pam, flag: PamFlag, args: Vec) -> PamError {
+ let user = match pamh.get_cached_user() {
+ Err(_) => return PamError::AUTH_ERR,
+ Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
+ };
 let password = match pamh.get_authtok(None) {
 Err(_) => return PamError::AUTH_ERR,
 Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
 };
- if let Some(password) = password {
- match PamFido2Luks.open(password, args) {
+ if let (Some(user), Some(password)) = (user, password) {
+ match PamFido2Luks.open(user, password, args) {
 Ok(_) => PamError::SUCCESS,
 Err(e) => match e {
 //TODO: output more detailed error
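Review bot: The new `user` block unwraps `s.to_str()`, so a user name that is not valid UTF-8 panics inside the module; this code runs in the PAM host process via the C ABI, where a panic cannot be handled by the caller, so the conversion error should be mapped to `PamError::AUTH_ERR` like the other failure paths. The same `unwrap()` exists on the pre-existing password line, and the two blocks should be made consistent at the same time. `authenticate` continues past the hunk.

```rust
let user = match pamh.get_cached_user() {
    Err(_) => return PamError::AUTH_ERR,
    Ok(p) => match p.map(CStr::to_str) {
        Some(Ok(s)) => Some(s.to_string()),
        // a non-UTF-8 user name is a failed lookup, not a reason to panic in the host process
        Some(Err(_)) => return PamError::AUTH_ERR,
        None => None,
    },
};
// … unchanged: password lookup (same pattern applies) and the open() dispatch …
```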