Handle FIDO transports_for_reset

Author: dainnilsson

lib/app/views/reset_dialog.dart

@@ -75,6 +75,10 @@ class _ResetDialogState extends ConsumerState<ResetDialog> {
   late Capability? _application;
   late bool _globalReset;
   late bool _longTouch;
+  // If empty, FIDO reset is enabled for the current transport.
+  // Otherwise, the reset is disabled for the current transport and requires
+  // one of the listed transports to be used instead.
+  List<Transport> _fidoDisabledRequiredTransports = [];
   StreamSubscription<InteractionEvent>? _subscription;
   InteractionEvent? _interaction;
   int _currentStep = -1;
@@ -147,6 +151,28 @@ class _ResetDialogState extends ConsumerState<ResetDialog> {
     final showResetProgress =
         _resetting && (!Platform.isAndroid || usbTransport);
 
+    if (widget.data.info.config.enabledCapabilities[widget
+                .data
+                .node
+                .transport]! &
+            Capability.fido2.value !=
+        0) {
+      final ctapInfo =
+          ref.watch(fidoStateProvider(widget.data.node.path)).value?.info ?? {};
+      _longTouch = ctapInfo['long_touch_for_reset'] == true;
+
+      final transportsForReset =
+          ctapInfo['transports_for_reset'] as List? ?? [];
+      if (transportsForReset.isNotEmpty &&
+          !transportsForReset.contains(widget.data.node.transport.name)) {
+        _fidoDisabledRequiredTransports = [
+          for (var t in transportsForReset) Transport.values.byName(t),
+        ];
+      } else {
+        _fidoDisabledRequiredTransports = [];
+      }
+    }
+
     return ResponsiveDialog(
       title: Text(l10n.s_factory_reset),
       key: factoryResetCancel,
@@ -175,83 +201,87 @@ class _ResetDialogState extends ConsumerState<ResetDialog> {
             onPressed:
                 !_resetting
                     ? switch (_application) {
-                      Capability.fido2 => () async {
-                        final ctapInfo =
-                            ref
-                                .read(fidoStateProvider(widget.data.node.path))
-                                .value
-                                ?.info ??
-                            {};
-                        _longTouch = ctapInfo['long_touch_for_reset'] == true;
-                        _subscription = ref
-                            .read(
-                              fidoStateProvider(widget.data.node.path).notifier,
-                            )
-                            .reset()
-                            .listen(
-                              (event) {
-                                setState(() {
-                                  _resetting = true;
-                                  _currentStep++;
-                                  _interaction = event;
-                                });
-                              },
-                              onDone: () async {
-                                setState(() {
-                                  _currentStep = _totalSteps;
-                                });
-                                _subscription = null;
-                                if (isAndroid && !usbTransport) {
-                                  // close the dialog after reset over NFC on Android
-                                  await ref.read(withContextProvider)((
-                                    context,
-                                  ) async {
-                                    Navigator.of(context).pop();
-                                    showMessage(context, l10n.l_fido_app_reset);
-                                  });
-                                }
-                              },
-                              onError: (e) {
-                                if (e is CancellationException) {
-                                  setState(() {
-                                    _resetting = false;
-                                    _currentStep = -1;
-                                    _application = null;
-                                  });
-                                  return;
-                                }
+                      Capability.fido2 =>
+                        _fidoDisabledRequiredTransports.isEmpty
+                            ? () async {
+                              _subscription = ref
+                                  .read(
+                                    fidoStateProvider(
+                                      widget.data.node.path,
+                                    ).notifier,
+                                  )
+                                  .reset()
+                                  .listen(
+                                    (event) {
+                                      setState(() {
+                                        _resetting = true;
+                                        _currentStep++;
+                                        _interaction = event;
+                                      });
+                                    },
+                                    onDone: () async {
+                                      setState(() {
+                                        _currentStep = _totalSteps;
+                                      });
+                                      _subscription = null;
+                                      if (isAndroid && !usbTransport) {
+                                        // close the dialog after reset over NFC on Android
+                                        await ref.read(withContextProvider)((
+                                          context,
+                                        ) async {
+                                          Navigator.of(context).pop();
+                                          showMessage(
+                                            context,
+                                            l10n.l_fido_app_reset,
+                                          );
+                                        });
+                                      }
+                                    },
+                                    onError: (e) {
+                                      if (e is CancellationException) {
+                                        setState(() {
+                                          _resetting = false;
+                                          _currentStep = -1;
+                                          _application = null;
+                                        });
+                                        return;
+                                      }
 
-                                _log.error('Error performing FIDO reset', e);
+                                      _log.error(
+                                        'Error performing FIDO reset',
+                                        e,
+                                      );
 
-                                if (!context.mounted) return;
-                                Navigator.of(context).pop();
-                                final String errorMessage;
-                                // TODO: Make this cleaner than importing desktop specific RpcError.
-                                if (e is RpcError) {
-                                  if (e.status == 'connection-error') {
-                                    errorMessage =
-                                        l10n.l_failed_connecting_to_fido;
-                                  } else if (e.status == 'key-mismatch') {
-                                    errorMessage =
-                                        l10n.l_wrong_inserted_yk_error;
-                                  } else if (e.status ==
-                                      'user-action-timeout') {
-                                    errorMessage =
-                                        l10n.l_user_action_timeout_error;
-                                  } else {
-                                    errorMessage = e.message;
-                                  }
-                                } else {
-                                  errorMessage = e.toString();
-                                }
-                                showMessage(
-                                  context,
-                                  l10n.l_reset_failed(errorMessage),
-                                  duration: const Duration(seconds: 4),
-                                );
-                              },
-                            );
-                      },
+                                      if (!context.mounted) return;
+                                      Navigator.of(context).pop();
+                                      final String errorMessage;
+                                      // TODO: Make this cleaner than importing desktop specific RpcError.
+                                      if (e is RpcError) {
+                                        if (e.status == 'connection-error') {
+                                          errorMessage =
+                                              l10n.l_failed_connecting_to_fido;
+                                        } else if (e.status == 'key-mismatch') {
+                                          errorMessage =
+                                              l10n.l_wrong_inserted_yk_error;
+                                        } else if (e.status ==
+                                            'user-action-timeout') {
+                                          errorMessage =
+                                              l10n.l_user_action_timeout_error;
+                                        } else {
+                                          errorMessage = e.message;
+                                        }
+                                      } else {
+                                        errorMessage = e.toString();
+                                      }
+                                      showMessage(
+                                        context,
+                                        l10n.l_reset_failed(errorMessage),
+                                        duration: const Duration(seconds: 4),
+                                      );
+                                    },
+                                  );
+                            }
+                            : null,
                       Capability.oath => () async {
                         setState(() {
                           _resetting = true;
@@ -423,7 +453,14 @@ class _ResetDialogState extends ConsumerState<ResetDialog> {
                             Capability.oath =>
                               l10n.p_warning_disable_credentials,
                             Capability.piv => l10n.p_warning_piv_reset_desc,
-                            Capability.fido2 => l10n.p_warning_disable_accounts,
+                            Capability.fido2 =>
+                              _fidoDisabledRequiredTransports.isEmpty
+                                  ? l10n.p_warning_disable_accounts
+                                  : l10n.p_transports_required_for_reset(
+                                    _fidoDisabledRequiredTransports
+                                        .map((t) => t.getDisplayName(l10n))
+                                        .join(', '),
+                                  ),
                             _ =>
                               _globalReset
                                   ? l10n.p_warning_global_reset_desc

lib/core/models.dart

@@ -18,12 +18,21 @@ import 'package:collection/collection.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
 import 'package:intl/intl.dart';
 
+import '../generated/l10n/app_localizations.dart';
 import '../management/models.dart';
 
 part 'models.freezed.dart';
 part 'models.g.dart';
 
-enum Transport { usb, nfc }
+enum Transport {
+  usb,
+  nfc;
+
+  String getDisplayName(AppLocalizations l10n) => switch (this) {
+    Transport.usb => l10n.s_usb,
+    Transport.nfc => l10n.s_nfc,
+  };
+}
 
 enum UsbInterface {
   otp(0x01),

lib/l10n/app_cs.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "Vaše OATH přihlašovací údaje, stejně jako veškerá nastavení hesel, budou odstraněny z tohoto YubiKey. Ujistěte se, že jste je odstranili z příslušných webových stránek, abyste se vyhnuli zablokování vašich účtů.",
     "p_warning_deletes_accounts": "Varování! Neodvolatelně smažete z vašeho YubiKey všechny účty U2F a FIDO2 včetně přístupových klíčů.",
     "p_warning_disable_accounts": "Vaše přihlašovací údaje  včetně kódu PIN, budou odstraněny z tohoto YubiKey. Ujistěte se, že jste je odstranili z příslušných webových stránek, abyste se vyhnuli zablokování vašich účtů.",
+    "p_transports_required_for_reset": null,
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "Varování! Všechna data uložená pro PIV budou neodvolatelně smazána z vašeho YubiKey.",
     "p_warning_piv_reset_desc": "To zahrnuje soukromé klíče a certifikáty. Váš PIN, PUK, a klíč správy bude resetován na jejich výchozí tovární hodnoty.",
     "p_warning_global_reset": "Varování! Tímto se neodvolatelně smažou všechna uložená data, včetně přihlašovacích údajů, z vašeho YubiKey.",

lib/l10n/app_de.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "Deine OATH Anmeldedaten und sämtliche Passwörter werden von diesem YubiKey entfernt. Deaktiviere die Anmeldedaten unbedingt zuerst auf den zugehörigen Webseiten, bevor du fortfährst, um nicht aus deinen Konten ausgesperrt zu werden.",
     "p_warning_deletes_accounts": "Achtung! Dies löscht alle U2F und FIDO2 Konten dauerhaft von deinem YubiKey.",
     "p_warning_disable_accounts": "Deine Anmeldedaten und sämtliche PINs werden von diesem YubiKey entfernt. Deaktiviere die Anmeldedaten unbedingt zuerst auf den zugehörigen Webseiten, bevor du fortfährst, um nicht aus deinen Konten ausgesperrt zu werden.",
+    "p_transports_required_for_reset": null,
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "Achtung! Alle gespeicherten PIV Daten werden dauerhaft von deinem YubiKey gelöscht.",
     "p_warning_piv_reset_desc": "Dies schließt private Schlüssel und Zertifikate mit ein. Deine PIN, PUK und der Management-Key werden auf Werkseinstellung zurückgesetzt.",
     "p_warning_global_reset": "Achtung! Dies löscht alle gespeicherten Daten inkl. Anmeldedaten dauerhaft von deinem YubiKey.",

lib/l10n/app_en.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "Your OATH credentials, as well as any password set, will be removed from this YubiKey. Make sure to disable these from their respective web sites to avoid being locked out of your accounts.",
     "p_warning_deletes_accounts": "Warning! This will irrevocably delete all U2F and FIDO2 accounts, including passkeys, from your YubiKey.",
     "p_warning_disable_accounts": "Your credentials, as well as any PIN set, will be removed from this YubiKey. Make sure to disable these from their respective web sites to avoid being locked out of your accounts.",
+    "p_transports_required_for_reset": "FIDO reset is disabled for this transport, use one of the following instead: {transports}",
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "Warning! All data stored for PIV will be irrevocably deleted from your YubiKey.",
     "p_warning_piv_reset_desc": "This includes private keys and certificates. Your PIN, PUK, and management key will be reset to their factory default values.",
     "p_warning_global_reset": "Warning! This will irrevocably delete all saved data, including credentials, from your YubiKey.",

lib/l10n/app_es.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "Tus credenciales OATH, así como cualquier contraseña establecida, serán removidas de esta YubiKey. Asegúrate de desactivarlas desde sus respectivos sitios web para evitar ser bloqueado de tus cuentas.",
     "p_warning_deletes_accounts": "¡Advertencia! Esto borrará irrevocablemente todas las cuentas U2F y FIDO2, incluidas las passkeys, de tu YubiKey.",
     "p_warning_disable_accounts": "Tus credenciales, así como cualquier PIN establecido, se eliminarán de esta YubiKey. Asegúrate de desvincularlos de los respectivos sitios web para evitar quedar bloqueado/a de tus cuentas.",
+    "p_transports_required_for_reset": null,
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "¡Advertencia! Todos los datos almacenados para PIV se eliminarán irrevocablemente de tu YubiKey.",
     "p_warning_piv_reset_desc": "Esto incluye claves privadas y certificados. Su PIN, PUK y clave de administración se restablecerán a sus valores predeterminados de fábrica.",
     "p_warning_global_reset": "¡Advertencia! Esto borrará irrevocablemente todos los datos guardados, incluidas las credenciales, de tu YubiKey.",

lib/l10n/app_fr.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "Vos informations d'identification OATH, ainsi que tout mot de passe défini, seront supprimés de cette clé YubiKey. Veillez à les désactiver à partir de leurs sites web respectifs afin d'éviter que vos comptes ne soient verrouillés.",
     "p_warning_deletes_accounts": "Attention\u00a0! Cela supprimera définitivement tous les comptes U2F et FIDO2, notamment les passkeys, de votre YubiKey.",
     "p_warning_disable_accounts": "Vos informations d'identification, ainsi que tout code PIN défini, seront supprimés de cette YubiKey. Veillez à les désactiver à partir de leurs sites web respectifs pour éviter que vos comptes ne soient verrouillés.",
+    "p_transports_required_for_reset": null,
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "Attention\u00a0! Toutes les données PIV seront définitivement supprimées de votre YubiKey.",
     "p_warning_piv_reset_desc": "Cela inclut les clés privées et les certificats. Vos PIN, PUK et clé de gestion seront réinitialisés à leurs valeurs d'usine.",
     "p_warning_global_reset": "Attention\u00a0! Cela supprimera définitivement toutes les données enregistrées, notamment les identifiants, de votre YubiKey.",

lib/l10n/app_ja.arb

@@ -975,6 +975,14 @@
     "p_warning_disable_credentials": "あなたの OATH 認証情報、および設定されているパスワードは、この YubiKey から削除されます。アカウントにログインできなくならないように、それぞれのウェブサイトから該当する認証情報を無効にしてください。",
     "p_warning_deletes_accounts": "警告！パスキーを含めたすべての U2F および FIDO2 アカウントが YubiKey から削除されます。削除されたデータは回復できません。",
     "p_warning_disable_accounts": "あなたの認証情報および設定された PIN は、この YubiKey から削除されます。アカウントにログインできなくならないように、それぞれのウェブサイトから該当する認証情報を無効にしてください。",
+    "p_transports_required_for_reset": null,
+    "@p_transports_required_for_reset": {
+        "placeholders": {
+            "transports": {
+                "type": "String"
+            }
+        }
+    },
     "p_warning_piv_reset": "警告！PIV に保存されたすべてのデータが YubiKey から削除されます。削除されたデータは回復できません。",
     "p_warning_piv_reset_desc": "秘密鍵と証明書が含まれます。PIN、PUK、および管理キーが工場出荷時のデフォルト値にリセットされます。",
     "p_warning_global_reset": "警告！資格情報を含めた保存されているすべてのデータが YubiKey から削除されます。削除されたデータは回復できません。",