static void
pk_auth_cb (GObject *object, GAsyncResult *result, gpointer user_data)
{
MMAuthRequestPolkit *self = user_data;
MMAuthRequestPolkitPrivate *priv;
PolkitAuthorizationResult *pk_result;
GError *error = NULL;
g_return_if_fail (self != NULL);
g_return_if_fail (MM_IS_AUTH_REQUEST_POLKIT (self));
priv = MM_AUTH_REQUEST_POLKIT_GET_PRIVATE (self);
if (!g_cancellable_is_cancelled (priv->cancellable)) {
pk_result = polkit_authority_check_authorization_finish (priv->authority,
result,
&error);
if (error) {
mm_auth_request_set_result (MM_AUTH_REQUEST (self), MM_AUTH_RESULT_INTERNAL_FAILURE);
g_warning ("%s: PolicyKit authentication error: (%d) %s",
__func__,
error ? error->code : -1,
error && error->message ? error->message : "(unknown)");
} else if (polkit_authorization_result_get_is_authorized (pk_result))
mm_auth_request_set_result (MM_AUTH_REQUEST (self), MM_AUTH_RESULT_AUTHORIZED);
else if (polkit_authorization_result_get_is_challenge (pk_result))
mm_auth_request_set_result (MM_AUTH_REQUEST (self), MM_AUTH_RESULT_CHALLENGE);
else
mm_auth_request_set_result (MM_AUTH_REQUEST (self), MM_AUTH_RESULT_NOT_AUTHORIZED);
g_signal_emit_by_name (self, "result");
}
g_object_unref (self);
}
static PolkitResult do_check(PolkitSubject *subject, const char *action_id)
{
PolkitAuthority *authority;
PolkitAuthorizationResult *auth_result;
PolkitResult result = PolkitNo;
GError *error = NULL;
GCancellable * cancellable;
cancellable = g_cancellable_new();
/* we ignore the error for now .. */
authority = polkit_authority_get_sync(cancellable, NULL);
guint cancel_timeout = g_timeout_add(POLKIT_TIMEOUT * 1000,
(GSourceFunc) do_cancel,
cancellable);
auth_result = polkit_authority_check_authorization_sync(authority,
subject,
action_id,
NULL,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
cancellable,
&error);
g_object_unref(cancellable);
g_object_unref(authority);
g_source_remove(cancel_timeout);
g_object_unref(subject);
if (error)
{
g_error_free(error);
return PolkitUnknown;
}
if (!auth_result)
return PolkitUnknown;
if (polkit_authorization_result_get_is_challenge(auth_result))
{
/* Can't happen (happens only with
* POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE flag) */
result = PolkitChallenge;
goto out;
}
if (polkit_authorization_result_get_is_authorized(auth_result))
{
result = PolkitYes;
goto out;
}
out:
g_object_unref(auth_result);
return result;
}
static void
pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
{
PolkitCall *call = user_data;
BMAuthChain *chain;
PolkitAuthorizationResult *pk_result;
GError *error = NULL;
guint call_result = BM_AUTH_CALL_RESULT_UNKNOWN;
/* If the call is already disposed do nothing */
if (call->disposed) {
polkit_call_free (call);
return;
}
chain = call->chain;
chain->calls = g_slist_remove (chain->calls, call);
pk_result = polkit_authority_check_authorization_finish (chain->authority,
result,
&error);
if (error) {
if (!chain->error)
chain->error = g_error_copy (error);
bm_log_warn (LOGD_CORE, "error requesting auth for %s: (%d) %s",
call->permission,
error ? error->code : -1,
error && error->message ? error->message : "(unknown)");
} else {
if (polkit_authorization_result_get_is_authorized (pk_result)) {
/* Caller has the permission */
call_result = BM_AUTH_CALL_RESULT_YES;
} else if (polkit_authorization_result_get_is_challenge (pk_result)) {
/* Caller could authenticate to get the permission */
call_result = BM_AUTH_CALL_RESULT_AUTH;
} else
call_result = BM_AUTH_CALL_RESULT_NO;
}
chain->call_func (chain, call->permission, error, call_result, chain->user_data);
bm_auth_chain_check_done (chain);
g_clear_error (&error);
polkit_call_free (call);
if (pk_result)
g_object_unref (pk_result);
}
static void
check_authorization_ready (PolkitAuthority *authority,
GAsyncResult *res,
AuthorizeContext *ctx)
{
PolkitAuthorizationResult *pk_result;
GError *error = NULL;
if (g_cancellable_is_cancelled (ctx->cancellable)) {
g_simple_async_result_set_error (ctx->result,
MM_CORE_ERROR,
MM_CORE_ERROR_CANCELLED,
"PolicyKit authorization attempt cancelled");
authorize_context_complete_and_free (ctx);
return;
}
pk_result = polkit_authority_check_authorization_finish (authority, res, &error);
if (!pk_result) {
g_simple_async_result_set_error (ctx->result,
MM_CORE_ERROR,
MM_CORE_ERROR_FAILED,
"PolicyKit authorization failed: '%s'",
error->message);
g_error_free (error);
} else {
if (polkit_authorization_result_get_is_authorized (pk_result))
/* Good! */
g_simple_async_result_set_op_res_gboolean (ctx->result, TRUE);
else if (polkit_authorization_result_get_is_challenge (pk_result))
g_simple_async_result_set_error (ctx->result,
MM_CORE_ERROR,
MM_CORE_ERROR_UNAUTHORIZED,
"PolicyKit authorization failed: challenge needed for '%s'",
ctx->authorization);
else
g_simple_async_result_set_error (ctx->result,
MM_CORE_ERROR,
MM_CORE_ERROR_UNAUTHORIZED,
"PolicyKit authorization failed: not authorized for '%s'",
ctx->authorization);
g_object_unref (pk_result);
}
authorize_context_complete_and_free (ctx);
}
gboolean
cpufreq_selector_service_can_set (CPUFreqSelectorService *service,
DBusGMethodInvocation *context)
{
PolkitSubject *subject;
PolkitAuthorizationResult *result;
gchar *sender;
gboolean ret;
GError *error = NULL;
reset_killtimer ();
sender = dbus_g_method_get_sender (context);
subject = polkit_system_bus_name_new (sender);
g_free (sender);
result = polkit_authority_check_authorization_sync (service->authority,
subject,
"org.consort.cpufreqselector",
NULL,
0,
NULL,
&error);
g_object_unref (subject);
if (error) {
dbus_g_method_return_error (context, error);
g_error_free (error);
return FALSE;
}
if (polkit_authorization_result_get_is_authorized (result)) {
ret = TRUE;
} else if (polkit_authorization_result_get_is_challenge (result)) {
ret = TRUE;
} else {
ret = FALSE;
}
g_object_unref (result);
dbus_g_method_return (context, ret);
return TRUE;
}
static void
check_can_do (GsdDatetimeMechanism *mechanism,
const char *action,
DBusGMethodInvocation *context)
{
const char *sender;
PolkitSubject *subject;
PolkitAuthorizationResult *result;
GError *error;
/* Check that caller is privileged */
sender = dbus_g_method_get_sender (context);
subject = polkit_system_bus_name_new (sender);
error = NULL;
result = polkit_authority_check_authorization_sync (mechanism->priv->auth,
subject,
action,
NULL,
0,
NULL,
&error);
g_object_unref (subject);
if (error) {
dbus_g_method_return_error (context, error);
g_error_free (error);
return;
}
if (polkit_authorization_result_get_is_authorized (result)) {
dbus_g_method_return (context, 2);
}
else if (polkit_authorization_result_get_is_challenge (result)) {
dbus_g_method_return (context, 1);
}
else {
dbus_g_method_return (context, 0);
}
g_object_unref (result);
}
static void
pk_call_cb (GObject *object, GAsyncResult *result, gpointer user_data)
{
AuthCall *call = user_data;
PolkitAuthorizationResult *pk_result;
GError *error = NULL;
pk_result = polkit_authority_check_authorization_finish ((PolkitAuthority *) object, result, &error);
/* If the call is already canceled do nothing */
if (!call->cancellable) {
g_clear_error (&error);
g_clear_object (&pk_result);
auth_call_free (call);
return;
}
if (error) {
if (!call->chain->error)
call->chain->error = g_error_copy (error);
nm_log_warn (LOGD_CORE, "error requesting auth for %s: (%d) %s",
call->permission, error->code, error->message);
g_clear_error (&error);
} else {
guint call_result = NM_AUTH_CALL_RESULT_UNKNOWN;
if (polkit_authorization_result_get_is_authorized (pk_result)) {
/* Caller has the permission */
call_result = NM_AUTH_CALL_RESULT_YES;
} else if (polkit_authorization_result_get_is_challenge (pk_result)) {
/* Caller could authenticate to get the permission */
call_result = NM_AUTH_CALL_RESULT_AUTH;
} else
call_result = NM_AUTH_CALL_RESULT_NO;
nm_auth_chain_set_data (call->chain, call->permission, GUINT_TO_POINTER (call_result), NULL);
g_object_unref (pk_result);
}
auth_call_complete (call);
}
static void
check_auth_cb (PolkitAuthority *authority,
GAsyncResult *res,
gpointer data)
{
CheckAuthData *cad = data;
PolkitAuthorizationResult *result;
GError *error;
gboolean is_authorized;
is_authorized = FALSE;
error = NULL;
result = polkit_authority_check_authorization_finish (authority, res, &error);
if (error) {
throw_error (cad->context, ERROR_PERMISSION_DENIED, "Not authorized: %s", error->message);
g_error_free (error);
}
else {
if (polkit_authorization_result_get_is_authorized (result)) {
is_authorized = TRUE;
}
else if (polkit_authorization_result_get_is_challenge (result)) {
throw_error (cad->context, ERROR_PERMISSION_DENIED, "Authentication is required");
}
else {
throw_error (cad->context, ERROR_PERMISSION_DENIED, "Not authorized");
}
g_object_unref (result);
}
if (is_authorized) {
(* cad->authorized_cb) (cad->daemon,
cad->user,
cad->context,
cad->data);
}
check_auth_data_free (data);
}
static void
check_authorization_cb (PolkitAuthority *authority,
GAsyncResult *res,
gpointer user_data)
{
GMainLoop *loop = user_data;
PolkitAuthorizationResult *result;
GError *error;
error = NULL;
result = polkit_authority_check_authorization_finish (authority, res, &error);
if (error != NULL)
{
g_print ("Error checking authorization: %s\n", error->message);
g_error_free (error);
}
else
{
const gchar *result_str;
if (polkit_authorization_result_get_is_authorized (result))
{
result_str = "authorized";
}
else if (polkit_authorization_result_get_is_challenge (result))
{
result_str = "challenge";
}
else
{
result_str = "not authorized";
}
g_print ("Authorization result: %s\n", result_str);
}
g_print ("Authorization check has been cancelled and the dialog should now be hidden.\n"
"This process will exit in ten seconds.\n");
g_timeout_add (10000, on_tensec_timeout, loop);
}
static gboolean
on_authorize_method (GDBusInterfaceSkeleton *instance,
GDBusMethodInvocation *invocation,
gpointer user_data)
{
const GDBusMethodInfo *info;
PolkitAuthorizationResult *result;
PolkitCheckAuthorizationFlags flags;
const gchar *action_id;
PolkitDetails *details;
GError *error = NULL;
InvocationClient *client;
gboolean ret = FALSE;
uid_t uid;
info = g_dbus_method_invocation_get_method_info (invocation);
client = invocation_client_lookup (invocation, &uid, &error);
if (error)
{
g_dbus_method_invocation_return_gerror (invocation, error);
g_error_free (error);
return TRUE;
}
/* Only allow root when no polkit authority */
if (inv.authority == NULL)
{
ret = authorize_without_polkit (client, uid, invocation);
goto out;
}
action_id = lookup_method_action_and_details (instance, client, uid, info, &details);
if (action_id == NULL)
action_id = "com.redhat.lvm2.manage-lvm";
flags = lookup_invocation_flags (invocation, info);
result = polkit_authority_check_authorization_sync (inv.authority,
client->subject,
action_id,
details,
flags,
NULL, /* GCancellable* */
&error);
g_clear_object (&details);
if (result == NULL)
{
if (error->domain != POLKIT_ERROR)
{
/* assume polkit authority is not available (e.g. could be the service
* manager returning org.freedesktop.systemd1.Masked)
*/
g_debug ("CheckAuthorization() failed: %s", error->message);
ret = authorize_without_polkit (client, uid, invocation);
goto out;
}
else
{
g_dbus_method_invocation_return_error (invocation,
UDISKS_ERROR,
UDISKS_ERROR_FAILED,
"Error checking authorization: %s (%s, %d)",
error->message,
g_quark_to_string (error->domain),
error->code);
goto out;
}
}
if (!polkit_authorization_result_get_is_authorized (result))
{
if (polkit_authorization_result_get_dismissed (result))
g_dbus_method_invocation_return_error_literal (invocation,
UDISKS_ERROR, UDISKS_ERROR_NOT_AUTHORIZED_DISMISSED,
"The authentication dialog was dismissed");
else
g_dbus_method_invocation_return_error_literal (invocation, UDISKS_ERROR,
polkit_authorization_result_get_is_challenge (result) ?
UDISKS_ERROR_NOT_AUTHORIZED_CAN_OBTAIN : UDISKS_ERROR_NOT_AUTHORIZED,
"Not authorized to perform operation");
goto out;
}
ret = TRUE;
out:
invocation_client_unref (client);
g_clear_error (&error);
g_clear_object (&result);
return ret;
}
static void
check_authorization_callback (PolkitAuthority *authority,
GAsyncResult *res,
gpointer user_data)
{
CheckAuthData *data = user_data;
PolkitAuthorizationResult *result;
GError *error;
gboolean is_authorized;
is_authorized = FALSE;
error = NULL;
result = polkit_authority_check_authorization_finish (authority,
res,
&error);
if (error != NULL) {
g_debug ("error checking action '%s'\n", error->message);
throw_error (data->context,
GCONF_DEFAULTS_ERROR_NOT_PRIVILEGED,
"Not Authorized: %s", error->message);
g_error_free (error);
}
else {
if (polkit_authorization_result_get_is_authorized (result)) {
g_debug ("result for '%s': authorized\n",
data->actions[data->id]);
is_authorized = TRUE;
}
else if (polkit_authorization_result_get_is_challenge (result)) {
g_debug ("result for '%s': challenge\n",
data->actions[data->id]);
throw_error (data->context,
GCONF_DEFAULTS_ERROR_NOT_PRIVILEGED,
"Authorization is required");
}
else {
g_debug ("result for '%s': not authorized\n",
data->actions[data->id]);
throw_error (data->context,
GCONF_DEFAULTS_ERROR_NOT_PRIVILEGED,
"Not Authorized");
}
}
if (is_authorized) {
data->id++;
if (data->actions[data->id] == NULL)
data->auth_obtained_callback (data->mechanism,
data->context,
data->user_data);
else {
check_next_action (data);
return; /* continue operation */
}
}
check_auth_data_free (data);
g_object_unref (result);
stop_operation ();
}
/**
* udisks_daemon_util_check_authorization_sync:
* @daemon: A #UDisksDaemon.
* @object: (allow-none): The #GDBusObject that the call is on or %NULL.
* @action_id: The action id to check for.
* @options: (allow-none): A #GVariant to check for the <quote>auth.no_user_interaction</quote> option or %NULL.
* @message: The message to convey (use N_).
* @invocation: The invocation to check for.
*
* Checks if the caller represented by @invocation is authorized for
* the action identified by @action_id, optionally displaying @message
* if authentication is needed. Additionally, if the caller is not
* authorized, the appropriate error is already returned to the caller
* via @invocation.
*
* The calling thread is blocked for the duration of the authorization
* check which could be a very long time since it may involve
* presenting an authentication dialog and having a human user use
* it. If <quote>auth.no_user_interaction</quote> in @options is %TRUE
* no authentication dialog will be presented and the check is not
* expected to take a long time.
*
* See <xref linkend="udisks-polkit-details"/> for the variables that
* can be used in @message but note that not all variables can be used
* in all checks. For example, any check involving a #UDisksDrive or a
* #UDisksBlock object can safely include the fragment
* <quote>$(drive)</quote> since it will always expand to the name of
* the drive, e.g. <quote>INTEL SSDSA2MH080G1GC (/dev/sda1)</quote> or
* the block device file e.g. <quote>/dev/vg_lucifer/lv_root</quote>
* or <quote>/dev/sda1</quote>. However this won't work for operations
* that isn't on a drive or block device, for example calls on the
* <link linkend="gdbus-interface-org-freedesktop-UDisks2-Manager.top_of_page">Manager</link>
* object.
*
* Returns: %TRUE if caller is authorized, %FALSE if not.
*/
gboolean
udisks_daemon_util_check_authorization_sync (UDisksDaemon *daemon,
UDisksObject *object,
const gchar *action_id,
GVariant *options,
const gchar *message,
GDBusMethodInvocation *invocation)
{
PolkitAuthority *authority = NULL;
PolkitSubject *subject = NULL;
PolkitDetails *details = NULL;
PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE;
PolkitAuthorizationResult *result = NULL;
GError *error = NULL;
gboolean ret = FALSE;
UDisksBlock *block = NULL;
UDisksDrive *drive = NULL;
UDisksPartition *partition = NULL;
UDisksObject *block_object = NULL;
UDisksObject *drive_object = NULL;
gboolean auth_no_user_interaction = FALSE;
const gchar *details_device = NULL;
gchar *details_drive = NULL;
authority = udisks_daemon_get_authority (daemon);
if (authority == NULL)
{
ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation);
goto out;
}
subject = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation));
if (options != NULL)
{
g_variant_lookup (options,
"auth.no_user_interaction",
"b",
&auth_no_user_interaction);
}
if (!auth_no_user_interaction)
flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
details = polkit_details_new ();
polkit_details_insert (details, "polkit.message", message);
polkit_details_insert (details, "polkit.gettext_domain", "udisks2");
/* Find drive associated with the block device, if any */
if (object != NULL)
{
block = udisks_object_get_block (object);
if (block != NULL)
{
block_object = g_object_ref (object);
drive_object = udisks_daemon_find_object (daemon, udisks_block_get_drive (block));
if (drive_object != NULL)
drive = udisks_object_get_drive (drive_object);
}
partition = udisks_object_get_partition (object);
if (drive == NULL)
drive = udisks_object_get_drive (object);
}
if (block != NULL)
details_device = udisks_block_get_preferred_device (block);
/* If we have a drive, use vendor/model in the message (in addition to Block:preferred-device) */
if (drive != NULL)
{
gchar *s;
const gchar *vendor;
const gchar *model;
vendor = udisks_drive_get_vendor (drive);
model = udisks_drive_get_model (drive);
if (vendor == NULL)
vendor = "";
if (model == NULL)
model = "";
if (strlen (vendor) > 0 && strlen (model) > 0)
s = g_strdup_printf ("%s %s", vendor, model);
else if (strlen (vendor) > 0)
s = g_strdup (vendor);
else
s = g_strdup (model);
if (block != NULL)
{
details_drive = g_strdup_printf ("%s (%s)", s, udisks_block_get_preferred_device (block));
}
else
{
details_drive = s;
s = NULL;
}
g_free (s);
_safe_polkit_details_insert (details, "drive.wwn", udisks_drive_get_wwn (drive));
_safe_polkit_details_insert (details, "drive.serial", udisks_drive_get_serial (drive));
_safe_polkit_details_insert (details, "drive.vendor", udisks_drive_get_vendor (drive));
_safe_polkit_details_insert (details, "drive.model", udisks_drive_get_model (drive));
_safe_polkit_details_insert (details, "drive.revision", udisks_drive_get_revision (drive));
if (udisks_drive_get_removable (drive))
{
const gchar *const *media_compat;
GString *media_compat_str;
const gchar *sep = ",";
polkit_details_insert (details, "drive.removable", "true");
_safe_polkit_details_insert (details, "drive.removable.bus", udisks_drive_get_connection_bus (drive));
media_compat_str = g_string_new (NULL);
media_compat = udisks_drive_get_media_compatibility (drive);
if (media_compat)
{
guint i;
for (i = 0; media_compat[i] && strlen(media_compat[i]); i++)
{
if (i)
g_string_append (media_compat_str, sep);
g_string_append (media_compat_str, media_compat[i]);
}
}
_safe_polkit_details_insert (details, "drive.removable.media", media_compat_str->str);
g_string_free (media_compat_str, TRUE);
}
}
if (block != NULL)
{
_safe_polkit_details_insert (details, "id.type", udisks_block_get_id_type (block));
_safe_polkit_details_insert (details, "id.usage", udisks_block_get_id_usage (block));
_safe_polkit_details_insert (details, "id.version", udisks_block_get_id_version (block));
_safe_polkit_details_insert (details, "id.label", udisks_block_get_id_label (block));
_safe_polkit_details_insert (details, "id.uuid", udisks_block_get_id_uuid (block));
}
if (partition != NULL)
{
_safe_polkit_details_insert_int (details, "partition.number", udisks_partition_get_number (partition));
_safe_polkit_details_insert (details, "partition.type", udisks_partition_get_type_ (partition));
_safe_polkit_details_insert_uint64 (details, "partition.flags", udisks_partition_get_flags (partition));
_safe_polkit_details_insert (details, "partition.name", udisks_partition_get_name (partition));
_safe_polkit_details_insert (details, "partition.uuid", udisks_partition_get_uuid (partition));
}
/* Fall back to Block:preferred-device */
if (details_drive == NULL && block != NULL)
details_drive = udisks_block_dup_preferred_device (block);
if (details_device != NULL)
polkit_details_insert (details, "device", details_device);
if (details_drive != NULL)
polkit_details_insert (details, "drive", details_drive);
error = NULL;
result = polkit_authority_check_authorization_sync (authority,
subject,
action_id,
details,
flags,
NULL, /* GCancellable* */
&error);
if (result == NULL)
{
if (error->domain != POLKIT_ERROR)
{
/* assume polkit authority is not available (e.g. could be the service
* manager returning org.freedesktop.systemd1.Masked)
*/
g_error_free (error);
ret = check_authorization_no_polkit (daemon, object, action_id, options, message, invocation);
}
else
{
g_dbus_method_invocation_return_error (invocation,
UDISKS_ERROR,
UDISKS_ERROR_FAILED,
"Error checking authorization: %s (%s, %d)",
error->message,
g_quark_to_string (error->domain),
error->code);
g_error_free (error);
}
goto out;
}
if (!polkit_authorization_result_get_is_authorized (result))
{
if (polkit_authorization_result_get_dismissed (result))
g_dbus_method_invocation_return_error_literal (invocation,
UDISKS_ERROR,
UDISKS_ERROR_NOT_AUTHORIZED_DISMISSED,
"The authentication dialog was dismissed");
else
g_dbus_method_invocation_return_error_literal (invocation,
UDISKS_ERROR,
polkit_authorization_result_get_is_challenge (result) ?
UDISKS_ERROR_NOT_AUTHORIZED_CAN_OBTAIN :
UDISKS_ERROR_NOT_AUTHORIZED,
"Not authorized to perform operation");
goto out;
}
ret = TRUE;
out:
g_free (details_drive);
g_clear_object (&block_object);
g_clear_object (&drive_object);
g_clear_object (&block);
g_clear_object (&partition);
g_clear_object (&drive);
g_clear_object (&subject);
g_clear_object (&details);
g_clear_object (&result);
return ret;
}
