feat(Auth): Unify shared PAM sync across greeter & lockscreen

- Add a neutral `dms auth sync` command and reuse the shared auth flow from: - Settings auth toggle auto-apply - `dms greeter sync` - `dms greeter install` - greeter auth cleanup paths - Rework lockscreen PAM so DMS builds /etc/pam.d/dankshell from the system login stack, but removes fingerprint and U2F from that password path. Keep /etc/pam.d/dankshell-u2f separate. - Preserve custom PAM files in place to avoid adding duplicate greeter auth when the distro already provides it, and keep NixOS on the non-writing path.
2026-04-13 17:22:08 -04:00 · 2026-03-27 12:52:08 -04:00
parent 521a3fa6e8
commit e7ee26ce74
17 changed files with 1968 additions and 514 deletions
--- a/core/cmd/dms/commands_greeter_test.go
+++ b/core/cmd/dms/commands_greeter_test.go
@@ -0,0 +1,87 @@
+package main
+
+import (
+	"errors"
+	"reflect"
+	"testing"
+
+	sharedpam "github.com/AvengeMedia/DankMaterialShell/core/internal/pam"
+)
+
+func TestSyncGreeterConfigsAndAuthDelegatesSharedAuth(t *testing.T) {
+	origGreeterConfigSyncFn := greeterConfigSyncFn
+	origSharedAuthSyncFn := sharedAuthSyncFn
+	t.Cleanup(func() {
+		greeterConfigSyncFn = origGreeterConfigSyncFn
+		sharedAuthSyncFn = origSharedAuthSyncFn
+	})
+
+	var calls []string
+	greeterConfigSyncFn = func(dmsPath, compositor string, logFunc func(string), sudoPassword string) error {
+		if dmsPath != "/tmp/dms" {
+			t.Fatalf("unexpected dmsPath %q", dmsPath)
+		}
+		if compositor != "niri" {
+			t.Fatalf("unexpected compositor %q", compositor)
+		}
+		if sudoPassword != "" {
+			t.Fatalf("expected empty sudoPassword, got %q", sudoPassword)
+		}
+		calls = append(calls, "configs")
+		return nil
+	}
+
+	var gotOptions sharedpam.SyncAuthOptions
+	sharedAuthSyncFn = func(logFunc func(string), sudoPassword string, options sharedpam.SyncAuthOptions) error {
+		if sudoPassword != "" {
+			t.Fatalf("expected empty sudoPassword, got %q", sudoPassword)
+		}
+		gotOptions = options
+		calls = append(calls, "auth")
+		return nil
+	}
+
+	err := syncGreeterConfigsAndAuth("/tmp/dms", "niri", func(string) {}, sharedpam.SyncAuthOptions{
+		ForceGreeterAuth: true,
+	}, func() {
+		calls = append(calls, "before-auth")
+	})
+	if err != nil {
+		t.Fatalf("syncGreeterConfigsAndAuth returned error: %v", err)
+	}
+
+	wantCalls := []string{"configs", "before-auth", "auth"}
+	if !reflect.DeepEqual(calls, wantCalls) {
+		t.Fatalf("call order = %v, want %v", calls, wantCalls)
+	}
+	if !gotOptions.ForceGreeterAuth {
+		t.Fatalf("expected ForceGreeterAuth to be true, got %+v", gotOptions)
+	}
+}
+
+func TestSyncGreeterConfigsAndAuthStopsOnConfigError(t *testing.T) {
+	origGreeterConfigSyncFn := greeterConfigSyncFn
+	origSharedAuthSyncFn := sharedAuthSyncFn
+	t.Cleanup(func() {
+		greeterConfigSyncFn = origGreeterConfigSyncFn
+		sharedAuthSyncFn = origSharedAuthSyncFn
+	})
+
+	greeterConfigSyncFn = func(string, string, func(string), string) error {
+		return errors.New("config sync failed")
+	}
+
+	authCalled := false
+	sharedAuthSyncFn = func(func(string), string, sharedpam.SyncAuthOptions) error {
+		authCalled = true
+		return nil
+	}
+
+	err := syncGreeterConfigsAndAuth("/tmp/dms", "niri", func(string) {}, sharedpam.SyncAuthOptions{}, nil)
+	if err == nil || err.Error() != "config sync failed" {
+		t.Fatalf("expected config sync error, got %v", err)
+	}
+	if authCalled {
+		t.Fatal("expected auth sync not to run after config sync failure")
+	}
+}