/* TODO move this to a lib or somthing that can be used from ui and web
* process together */
static gboolean on_authorize_authenticated_peer(GDBusAuthObserver *observer,
GIOStream *stream, GCredentials *credentials, gpointer data)
{
static GCredentials *own_credentials = NULL;
GError *error = NULL;
if (!own_credentials) {
own_credentials = g_credentials_new();
}
if (credentials && g_credentials_is_same_user(credentials, own_credentials, &error)) {
return TRUE;
}
if (error) {
g_warning("Failed to authorize web extension connection: %s", error->message);
g_error_free(error);
}
return FALSE;
}
static GSocketControlMessage *
g_unix_credentials_message_deserialize (gint level,
gint type,
gsize size,
gpointer data)
{
GSocketControlMessage *message;
message = NULL;
#ifdef __linux__
{
GCredentials *credentials;
struct ucred *ucred;
if (level != SOL_SOCKET || type != SCM_CREDENTIALS)
goto out;
if (size != sizeof (struct ucred))
{
g_warning ("Expected a struct ucred (%" G_GSIZE_FORMAT " bytes) but "
"got %" G_GSIZE_FORMAT " bytes of data",
sizeof (struct ucred),
size);
goto out;
}
ucred = data;
credentials = g_credentials_new ();
g_credentials_set_native (credentials, ucred);
message = g_unix_credentials_message_new_with_credentials (credentials);
g_object_unref (credentials);
out:
;
}
#endif
return message;
}
static GSocketControlMessage *
g_unix_credentials_message_deserialize (gint level,
gint type,
gsize size,
gpointer data)
{
GSocketControlMessage *message;
message = NULL;
#ifdef __linux__
{
GCredentials *credentials;
struct ucred *ucred;
if (level != SOL_SOCKET || type != SCM_CREDENTIALS)
goto out;
if (size != sizeof (struct ucred))
{
g_warning ("Expected a struct ucred (%" G_GSIZE_FORMAT " bytes) but "
"got %" G_GSIZE_FORMAT " bytes of data",
sizeof (struct ucred),
size);
goto out;
}
ucred = data;
if (ucred->uid == (uid_t)-1 &&
ucred->gid == (gid_t)-1)
{
/* This happens if the remote side didn't pass the credentials */
goto out;
}
credentials = g_credentials_new ();
g_credentials_set_native (credentials, G_CREDENTIALS_TYPE_LINUX_UCRED, ucred);
message = g_unix_credentials_message_new_with_credentials (credentials);
g_object_unref (credentials);
out:
;
}
#elif defined(__FreeBSD__)
{
GCredentials *credentials;
struct cmsgcred *cred;
if (level != SOL_SOCKET || type != SCM_CREDS)
{
goto out;
}
if (size < sizeof *cred)
{
g_warning ("Expected a struct cmsgcred (%" G_GSIZE_FORMAT " bytes) but "
"got %" G_GSIZE_FORMAT " bytes of data",
CMSG_LEN (sizeof *cred),
size);
goto out;
}
cred = data;
credentials = g_credentials_new ();
g_credentials_set_native (credentials, G_CREDENTIALS_TYPE_FREEBSD_CMSGCRED, cred);
message = g_unix_credentials_message_new_with_credentials (credentials);
g_object_unref (credentials);
out:
;
}
#endif
return message;
}
gchar *
_g_dbus_auth_run_client (GDBusAuth *auth,
GDBusCapabilityFlags offered_capabilities,
GDBusCapabilityFlags *out_negotiated_capabilities,
GCancellable *cancellable,
GError **error)
{
gchar *s;
GDataInputStream *dis;
GDataOutputStream *dos;
GCredentials *credentials;
gchar *ret_guid;
gchar *line;
gsize line_length;
gchar **supported_auth_mechs;
GPtrArray *attempted_auth_mechs;
GDBusAuthMechanism *mech;
ClientState state;
GDBusCapabilityFlags negotiated_capabilities;
debug_print ("CLIENT: initiating");
ret_guid = NULL;
supported_auth_mechs = NULL;
attempted_auth_mechs = g_ptr_array_new ();
mech = NULL;
negotiated_capabilities = 0;
credentials = NULL;
dis = G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth->priv->stream)));
dos = G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth->priv->stream)));
g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis), FALSE);
g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos), FALSE);
g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
#ifdef G_OS_UNIX
if (G_IS_UNIX_CONNECTION (auth->priv->stream) && g_unix_credentials_message_is_supported ())
{
credentials = g_credentials_new ();
if (!g_unix_connection_send_credentials (G_UNIX_CONNECTION (auth->priv->stream),
cancellable,
error))
goto out;
}
else
{
if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
goto out;
}
#else
if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
goto out;
#endif
if (credentials != NULL)
{
if (G_UNLIKELY (_g_dbus_debug_authentication ()))
{
s = g_credentials_to_string (credentials);
debug_print ("CLIENT: sent credentials `%s'", s);
g_free (s);
}
}
else
{
debug_print ("CLIENT: didn't send any credentials");
}
/* TODO: to reduce roundtrips, try to pick an auth mechanism to start with */
/* Get list of supported authentication mechanisms */
s = "AUTH\r\n";
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
goto out;
state = CLIENT_STATE_WAITING_FOR_REJECT;
while (TRUE)
{
switch (state)
{
case CLIENT_STATE_WAITING_FOR_REJECT:
debug_print ("CLIENT: WaitingForReject");
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
if (line == NULL)
goto out;
debug_print ("CLIENT: WaitingForReject, read '%s'", line);
foobar:
if (!g_str_has_prefix (line, "REJECTED "))
{
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_FAILED,
"In WaitingForReject: Expected `REJECTED am1 am2 ... amN', got `%s'",
line);
g_free (line);
goto out;
}
if (supported_auth_mechs == NULL)
{
supported_auth_mechs = g_strsplit (line + sizeof ("REJECTED ") - 1, " ", 0);
#if 0
for (n = 0; supported_auth_mechs != NULL && supported_auth_mechs[n] != NULL; n++)
g_printerr ("supported_auth_mechs[%d] = `%s'\n", n, supported_auth_mechs[n]);
#endif
}
g_free (line);
mech = client_choose_mech_and_send_initial_response (auth,
credentials,
(const gchar* const *) supported_auth_mechs,
attempted_auth_mechs,
dos,
cancellable,
error);
if (mech == NULL)
goto out;
if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA)
state = CLIENT_STATE_WAITING_FOR_DATA;
else
state = CLIENT_STATE_WAITING_FOR_OK;
break;
case CLIENT_STATE_WAITING_FOR_OK:
debug_print ("CLIENT: WaitingForOK");
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
if (line == NULL)
goto out;
debug_print ("CLIENT: WaitingForOK, read `%s'", line);
if (g_str_has_prefix (line, "OK "))
{
if (!g_dbus_is_guid (line + 3))
{
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_FAILED,
"Invalid OK response `%s'",
line);
g_free (line);
goto out;
}
ret_guid = g_strdup (line + 3);
g_free (line);
if (offered_capabilities & G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING)
{
s = "NEGOTIATE_UNIX_FD\r\n";
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
goto out;
state = CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD;
}
else
{
s = "BEGIN\r\n";
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
goto out;
/* and we're done! */
goto out;
}
}
else if (g_str_has_prefix (line, "REJECTED "))
{
goto foobar;
}
else
{
/* TODO: handle other valid responses */
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_FAILED,
"In WaitingForOk: unexpected response `%s'",
line);
g_free (line);
goto out;
}
break;
case CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD:
debug_print ("CLIENT: WaitingForAgreeUnixFD");
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
if (line == NULL)
goto out;
debug_print ("CLIENT: WaitingForAgreeUnixFD, read=`%s'", line);
if (g_strcmp0 (line, "AGREE_UNIX_FD") == 0)
{
g_free (line);
negotiated_capabilities |= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
s = "BEGIN\r\n";
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
goto out;
/* and we're done! */
goto out;
}
else if (g_str_has_prefix (line, "ERROR") && (line[5] == 0 || g_ascii_isspace (line[5])))
{
//g_strstrip (line + 5); g_debug ("bah, no unix_fd: `%s'", line + 5);
g_free (line);
s = "BEGIN\r\n";
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
goto out;
/* and we're done! */
goto out;
}
else
{
/* TODO: handle other valid responses */
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_FAILED,
"In WaitingForAgreeUnixFd: unexpected response `%s'",
line);
g_free (line);
goto out;
}
break;
case CLIENT_STATE_WAITING_FOR_DATA:
debug_print ("CLIENT: WaitingForData");
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
if (line == NULL)
goto out;
debug_print ("CLIENT: WaitingForData, read=`%s'", line);
if (g_str_has_prefix (line, "DATA "))
{
gchar *encoded;
gchar *decoded_data;
gsize decoded_data_len;
encoded = g_strdup (line + 5);
g_free (line);
g_strstrip (encoded);
decoded_data = hexdecode (encoded, &decoded_data_len, error);
g_free (encoded);
if (decoded_data == NULL)
{
g_prefix_error (error, "DATA response is malformed: ");
/* invalid encoding, disconnect! */
goto out;
}
_g_dbus_auth_mechanism_client_data_receive (mech, decoded_data, decoded_data_len);
g_free (decoded_data);
if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND)
{
gchar *data;
gsize data_len;
gchar *encoded_data;
data = _g_dbus_auth_mechanism_client_data_send (mech, &data_len);
encoded_data = hexencode (data);
s = g_strdup_printf ("DATA %s\r\n", encoded_data);
g_free (encoded_data);
g_free (data);
debug_print ("CLIENT: writing `%s'", s);
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
{
g_free (s);
goto out;
}
g_free (s);
}
state = CLIENT_STATE_WAITING_FOR_OK;
}
else
{
g_set_error (error,
G_IO_ERROR,
G_IO_ERROR_FAILED,
"In WaitingForData: unexpected response `%s'",
line);
g_free (line);
goto out;
}
break;
default:
g_assert_not_reached ();
break;
}
}; /* main authentication client loop */
out:
if (mech != NULL)
g_object_unref (mech);
g_ptr_array_unref (attempted_auth_mechs);
g_strfreev (supported_auth_mechs);
g_object_unref (dis);
g_object_unref (dos);
/* ensure return value is NULL if error is set */
if (error != NULL && *error != NULL)
{
g_free (ret_guid);
ret_guid = NULL;
}
if (ret_guid != NULL)
{
if (out_negotiated_capabilities != NULL)
*out_negotiated_capabilities = negotiated_capabilities;
}
if (credentials != NULL)
g_object_unref (credentials);
debug_print ("CLIENT: Done, authenticated=%d", ret_guid != NULL);
return ret_guid;
}
