desktop.notifications.dev-nodes: add yk-piv-pins check type

README.md

@@ -2966,17 +2966,23 @@ Python wrapper around ["age" encryption tool] and sqlite to encrypt any tokens
 with optional comment strings to an sqlite db file, or retrieve/decrypt those.
 
 Stores fixed list of recipient keys in the db on its creation ("init" script
-command), and always uses those afterwards for all secrets stored there, using
-one neat self-contained file.
+command), and always uses those afterwards for all secrets stored there,
+in one neat self-contained file.
 
-My use-case for this is a simple asymmetric-encryption backup for secrets processed
-by [fido2-hmac-desalinate] tool above, where each one can be decrypted separately
-using some other PIV smartcard (with e.g. [age-plugin-yubikey] installed) or an
-offline backup secret key, if necessary.
+My use-case for this is a simple asymmetric-encryption backup for secrets
+processed by [fido2-hmac-desalinate] tool above (using "wrap" command to always
+run script around it), where each one can be decrypted separately using some
+other PIV smartcard capabile of public-key crypto (with e.g. [age-plugin-yubikey]
+installed) or an offline/fallback backup secret key, if necessary.
 
 Robust single-file storage allows easy syncing, enumeration, import/export for
 re-encryption with different keys, etc. `-h/--help` output has all usage info/examples.
 
+Can also be used on its own, as an asymmetric-crypto alternative (or read-only addition)
+to fido2-hmac-secret-based tools, not just as a wrapper/backup for those,
+e.g. to access secrets using any number of piv-yubikeys via shared db file
+with all those set as recipients.
+
 ["age" encryption tool]: https://github.com/FiloSottile/age
 [age-plugin-yubikey]: https://github.com/str4d/age-plugin-yubikey/
 
@@ -3462,14 +3468,15 @@ Trivial script to read \~/.dev-nodes.monitor.list with
     /dev/disk/by-id/wwn-0x... unplug some external hdd
     usb_wifi net-cut wifi temp usb ap
     /dev/fido2 fido2-pins-5 YubiKey has <5 pin-attempts left
+    /dev/yk yk-piv-pins-1234=3 Yubikey PIV serial-1234 has <3 pin-tries
 
 ...and issue persistent deduplicated desktop notifications if device needs to be
 unplugged, network interface removed, and such physical-manipulation reminders,
 to fix common "always forget about this thing" errors that are easily detectable
 and avoidable.
 
-Looks up either specific paths with "plug"/"unplug" and fido2-token checks,
-or network interfaces with "net-cut" or "net-connect".
+Looks up either specific paths with "plug"/"unplug" and other device-state checks
+(e.g. fido2/piv pin counts), or network interfaces with "net-cut" or "net-connect".
 
 Avoids creating duplicate notifications while one is already on-screen via
 `-w/--wait` option of notify-send (to monitor "notification closed" signals)

desktop/notifications/dev-nodes

@@ -26,12 +26,24 @@ check_dev() {
 		unplug|remove) [[ -e "$dev" ]] || return 0 ;;
 		net-cut) ip -br link show "$dev" >/dev/null 2>&1 || return 0 ;;
 		net-connect) ip -br link show "$dev" >/dev/null 2>&1 && return 0 ||: ;;
+
 		fido2-pins-[0-9]*)
 			[[ -e "$dev" ]] || return 0
 			re=$'(^|\n)[\r ]*pin retries: ([0-9]+)[\r ]*(\n|$)'
 			st=$(fido2-token -I "$dev" || echo 'pin retries: 0')
-			[[ "$st" =~ $re ]] && att_left="${BASH_REMATCH[2]}" || att_left=0
+			[[ "$st" =~ $re ]] && att_left=${BASH_REMATCH[2]} || att_left=0
 			[[ "$att_left" -lt "${act#fido2-pins-}" ]] || return 0 ;;
+
+		yk-piv-pins-[0-9]*=[0-9]*)
+			[[ -e "$dev" ]] || return 0
+			[[ "$act" =~ ^yk-piv-pins-([0-9]+)=([0-9]+)$ ]] && {
+					serial=${BASH_REMATCH[1]} att_chk=${BASH_REMATCH[2]}; } \
+				|| { serial=000 att_chk=999; }
+			re=$'(^|\n)[\r ]*PIN tries remaining: +([0-9]+)/'
+			st=$(ykman -d "$serial" piv info || echo 'PIN tries remaining: 0/0')
+			[[ "$st" =~ $re ]] && att_left=${BASH_REMATCH[2]} || att_left=0
+			[[ "$att_left" -lt "$att_chk" ]] || return 0 ;;
+
 		*) echo >&2 "ERROR: Unrecognized action '$dev $act ...'"; err=1; return
 	esac
 	read b2 junk < <(b2sum -l32 <<< "$dev"); u=cron-notify-"$b2"