Ignore pivman.puk_blocked when metadata is available.

Yubico · Jan 11, 2024 · 42cee4e · 42cee4e
1 parent 36dc38f
commit 42cee4e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 17 deletions.
diff --git a/tests/device/cli/piv/test_pin_puk.py b/tests/device/cli/piv/test_pin_puk.py
@@ -68,9 +68,36 @@ def test_change_puk_prompt(self, ykman_cli):
  input=old_new_new(NON_DEFAULT_PUK, DEFAULT_PUK),
  )
 
+ def test_unblock_pin(self, ykman_cli):
+ for _ in range(3):
+ with pytest.raises(SystemExit):
+ ykman_cli(
+ "piv",
+ "access",
+ "change-pin",
+ "-P",
+ NON_DEFAULT_PIN,
+ "-n",
+ DEFAULT_PIN,
+ )
+
+ o = ykman_cli("piv", "info").output
+ assert re.search(r"PIN tries remaining:\s+0(/3)?", o)
+
+ with pytest.raises(SystemExit):
+ ykman_cli(
+ "piv", "access", "change-pin", "-p", DEFAULT_PIN, "-n", NON_DEFAULT_PIN
+ )
+
+ o = ykman_cli(
+ "piv", "access", "unblock-pin", "-p", DEFAULT_PUK, "-n", DEFAULT_PIN
+ ).output
+ assert "PIN unblocked" in o
+ o = ykman_cli("piv", "info").output
+ assert re.search(r"PIN tries remaining:\s+3(/3)?", o)
+
 
 class TestSetRetries:
- @condition.min_version(5, 3)
  def test_set_retries(self, ykman_cli):
  ykman_cli(
  "piv",
@@ -82,8 +109,9 @@ def test_set_retries(self, ykman_cli):
  )
 
  o = ykman_cli("piv", "info").output
- assert re.search(r"PIN tries remaining:\s+5/5", o)
- assert re.search(r"PUK tries remaining:\s+6/6", o)
+ assert re.search(r"PIN tries remaining:\s+5(/5)?", o)
+ if re.search(r"PUK tries remaining", o):
+ assert re.search(r"PUK tries remaining:\s+6/6", o)
 
  @condition.min_version(5, 3)
  def test_set_retries_clears_puk_blocked(self, ykman_cli):

diff --git a/ykman/piv.py b/ykman/piv.py
@@ -510,20 +510,20 @@ def get_piv_info(session: PivSession):
  tries = session.get_pin_attempts()
  tries_str = "15 or more" if tries == 15 else str(tries)
  info["PIN tries remaining"] = tries_str
- if pivman.puk_blocked:
- lines.append("PUK is blocked")
- else:
- try:
-  puk_data = session.get_puk_metadata()
- if puk_data.default_value:
-  lines.append("WARNING: Using default PUK!")
- tries_str = "%d/%d" % (
-  puk_data.attempts_remaining,
-  puk_data.total_attempts,
-  )
-  info["PUK tries remaining"] = tries_str
- except NotSupportedError:
- pass
+ try:
+ puk_data = session.get_puk_metadata()
+  if puk_data.attempts_remaining == 0:
+  lines.append("PUK is blocked")
+ elif puk_data.default_value:
+ lines.append("WARNING: Using default PUK!")
+ tries_str = "%d/%d" % (
+ puk_data.attempts_remaining,
+ puk_data.total_attempts,
+ )
+ info["PUK tries remaining"] = tries_str
+ except NotSupportedError:
+ if pivman.puk_blocked:
+ lines.append("PUK is blocked")
 
  try:
  metadata = session.get_management_key_metadata()