static gboolean
real_authenticate (MMAuthRequest *self, GError **error)
{
MMAuthRequestPolkitPrivate *priv;
g_return_val_if_fail (self != NULL, FALSE);
g_return_val_if_fail (MM_IS_AUTH_REQUEST_POLKIT (self), FALSE);
/* We ref ourselves across the polkit call, because we can't get
* disposed of while the call is still in-progress, and even if we
* cancel ourselves we'll still get the callback.
*/
g_object_ref (self);
priv = MM_AUTH_REQUEST_POLKIT_GET_PRIVATE (self);
polkit_authority_check_authorization (priv->authority,
priv->subject,
mm_auth_request_get_authorization (MM_AUTH_REQUEST (self)),
NULL,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
priv->cancellable,
pk_auth_cb,
self);
return TRUE;
}
static void
check_next_action (CheckAuthData *data)
{
g_debug ("checking action '%s'\n", data->actions[data->id]);
polkit_authority_check_authorization (data->mechanism->priv->auth,
data->subject,
data->actions[data->id],
NULL,
data->flags,
NULL,
data->check_auth_callback,
data);
}
static gboolean
_add_call_polkit (NMAuthChain *self,
const char *permission,
gboolean allow_interaction)
{
PolkitSubject *subject;
PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE;
AuthCall *call;
g_return_val_if_fail (self != NULL, FALSE);
g_return_val_if_fail (self->owner || self->subject, FALSE);
g_return_val_if_fail (permission != NULL, FALSE);
call = auth_call_new (self, permission);
if (self->authority == NULL) {
/* No polkit, no authorization */
auth_call_schedule_complete_with_error (call, "PolicyKit not running");
return FALSE;
}
if (self->subject) {
subject = g_object_ref (nm_auth_subject_get_polkit_subject (self->subject));
g_assert (subject);
} else {
g_assert (self->owner);
subject = polkit_system_bus_name_new (self->owner);
if (!subject) {
auth_call_schedule_complete_with_error (call, "Failed to create polkit subject");
return FALSE;
}
}
if (allow_interaction)
flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
call->cancellable = g_cancellable_new ();
polkit_authority_check_authorization (self->authority,
subject,
permission,
NULL,
flags,
call->cancellable,
pk_call_cb,
call);
g_object_unref (subject);
return TRUE;
}
static void
authorize (MMAuthProvider *self,
GDBusMethodInvocation *invocation,
const gchar *authorization,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
MMAuthProviderPolkit *polkit = MM_AUTH_PROVIDER_POLKIT (self);
AuthorizeContext *ctx;
/* When creating the object, we actually allowed errors when looking for the
* authority. If that is the case, we'll just forbid any incoming
* authentication request */
if (!polkit->priv->authority) {
g_simple_async_report_error_in_idle (G_OBJECT (self),
callback,
user_data,
MM_CORE_ERROR,
MM_CORE_ERROR_FAILED,
"PolicyKit authorization error: "
"'authority not found'");
return;
}
ctx = g_new (AuthorizeContext, 1);
ctx->self = g_object_ref (self);
ctx->invocation = g_object_ref (invocation);
ctx->authorization = g_strdup (authorization);
ctx->cancellable = cancellable ? g_object_ref (cancellable) : NULL;
ctx->result = g_simple_async_result_new (G_OBJECT (self),
callback,
user_data,
authorize);
ctx->subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (ctx->invocation));
polkit_authority_check_authorization (polkit->priv->authority,
ctx->subject,
authorization,
NULL, /* details */
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
ctx->cancellable,
(GAsyncReadyCallback)check_authorization_ready,
ctx);
}
void
daemon_local_check_auth (Daemon *daemon,
User *user,
const gchar *action_id,
gboolean allow_interaction,
AuthorizedCallback authorized_cb,
GDBusMethodInvocation *context,
gpointer authorized_cb_data,
GDestroyNotify destroy_notify)
{
CheckAuthData *data;
PolkitSubject *subject;
PolkitCheckAuthorizationFlags flags;
data = g_new0 (CheckAuthData, 1);
data->daemon = g_object_ref (daemon);
if (user)
data->user = g_object_ref (user);
data->context = context;
data->authorized_cb = authorized_cb;
data->data = authorized_cb_data;
data->destroy_notify = destroy_notify;
subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (context));
flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE;
if (allow_interaction)
flags |= POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
polkit_authority_check_authorization (daemon->priv->authority,
subject,
action_id,
NULL,
flags,
NULL,
(GAsyncReadyCallback) check_auth_cb,
data);
g_object_unref (subject);
}
gboolean
bm_auth_chain_add_call (BMAuthChain *self,
const char *permission,
gboolean allow_interaction)
{
PolkitCall *call;
PolkitSubject *subject;
PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE;
g_return_val_if_fail (self != NULL, FALSE);
g_return_val_if_fail (self->owner != NULL, FALSE);
g_return_val_if_fail (permission != NULL, FALSE);
subject = polkit_system_bus_name_new (self->owner);
if (!subject)
return FALSE;
call = g_malloc0 (sizeof (PolkitCall));
call->chain = self;
call->permission = g_strdup (permission);
call->cancellable = g_cancellable_new ();
self->calls = g_slist_append (self->calls, call);
if (allow_interaction)
flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
polkit_authority_check_authorization (self->authority,
subject,
permission,
NULL,
flags,
call->cancellable,
pk_call_cb,
call);
g_object_unref (subject);
return TRUE;
}
static void stdin_read_complete(GObject *src, GAsyncResult *res, gpointer data)
{
char *s, *ep;
GError *err = NULL;
gsize len;
s = g_data_input_stream_read_line_finish(G_DATA_INPUT_STREAM(src), res,
&len, &err);
if (!s) {
if (err) {
FATAL_ERROR("Reading from stdin: %s\n", err->message);
g_error_free(err);
return;
}
switch (state) {
case STATE_WAITING_FOR_BUS_N_DEV:
FATAL_ERROR("EOF while waiting for bus and device num\n");
break;
case STATE_WAITING_FOR_POL_KIT:
ERROR("Cancelled while waiting for authorization\n");
break;
case STATE_WAITING_FOR_STDIN_EOF:
cleanup();
break;
}
return;
}
switch (state) {
case STATE_WAITING_FOR_BUS_N_DEV:
busnum = strtol(s, &ep, 10);
if (!isspace(*ep)) {
FATAL_ERROR("Invalid busnum / devnum: %s\n", s);
break;
}
devnum = strtol(ep, &ep, 10);
if (*ep != '\0') {
FATAL_ERROR("Invalid busnum / devnum: %s\n", s);
break;
}
/*
* The set_facl() call is a no-op for root, so no need to ask PolKit
* and then if ok call set_facl(), when called by a root process.
*/
if (getuid() != 0) {
polkit_cancellable = g_cancellable_new();
polkit_authority_check_authorization(
authority, subject, "org.spice-space.lowlevelusbaccess", NULL,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
polkit_cancellable,
(GAsyncReadyCallback)check_authorization_cb, NULL);
state = STATE_WAITING_FOR_POL_KIT;
} else {
fprintf(stdout, "SUCCESS\n");
fflush(stdout);
state = STATE_WAITING_FOR_STDIN_EOF;
}
g_data_input_stream_read_line_async(stdin_stream, G_PRIORITY_DEFAULT,
NULL, stdin_read_complete, NULL);
break;
default:
FATAL_ERROR("Unexpected extra input in state %u: %s\n", state, s);
}
g_free(s);
}
int
main (int argc, char *argv[])
{
pid_t parent_pid;
const gchar *action_id;
GMainLoop *loop;
PolkitSubject *subject;
PolkitAuthority *authority;
GCancellable *cancellable;
g_type_init ();
if (argc != 2)
{
g_printerr ("usage: %s <action_id>\n", argv[0]);
return 1;
}
action_id = argv[1];
loop = g_main_loop_new (NULL, FALSE);
authority = polkit_authority_get_sync (NULL, NULL);
/* Typically mechanisms will use a PolkitSystemBusName since most
* clients communicate with the mechanism via D-Bus. However for
* this simple example we use the process id of the calling process.
*
* Note that if the parent was reaped we have to be careful not to
* check if init(1) is authorized (it always is).
*/
parent_pid = getppid ();
if (parent_pid == 1)
{
g_printerr ("Parent process was reaped by init(1)\n");
return 1;
}
subject = polkit_unix_process_new (parent_pid);
cancellable = g_cancellable_new ();
g_print ("Will cancel authorization check in 10 seconds\n");
/* Set up a 10 second timer to cancel the check */
g_timeout_add (10 * 1000,
(GSourceFunc) do_cancel,
cancellable);
polkit_authority_check_authorization (authority,
subject,
action_id,
NULL, /* PolkitDetails */
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
cancellable,
(GAsyncReadyCallback) check_authorization_cb,
loop);
g_main_loop_run (loop);
g_object_unref (authority);
g_object_unref (subject);
g_object_unref (cancellable);
g_main_loop_unref (loop);
return 0;
}
