Commit a386f3c6 authored by David Zeuthen

refactor constraints API so there is one entry per constraint in the auth file

This makes things a lot more future-proof and, perhaps, also easier to
understand.
parent ea7da4ea
......@@ -413,7 +413,7 @@ _to_hex (unsigned int nibble)
* this limit then the return value is the number of characters (not
* including the trailing zero) which would have been written to the
* final string if enough space had been available. Thus, a return
* value of size or more means that the output was truncated.
* value of @buf_size or more means that the output was truncated.
*/
size_t
kit_string_percent_encode (char *buf, size_t buf_size, const char *s)
......@@ -625,7 +625,7 @@ out:
* this limit then the return value is the number of characters (not
* including the trailing zero) which would have been written to the
* final string if enough space had been available. Thus, a return
* value of size or more means that the output was truncated.
* value of @buf_size or more means that the output was truncated.
*
* If an uneven number of strings are given, this function will return
* zero and errno will be set to EINVAL.
......
......@@ -115,16 +115,11 @@ main (int argc, char *argv[])
}
char *authc_str;
PolKitAuthorizationConstraint *authc;
size_t authc_str_len;
/* second is the auth constraint */
/* second is the textual form of the auth constraint */
authc_str = argv[2];
authc = polkit_authorization_constraint_from_string (authc_str);
if (authc == NULL) {
syslog (LOG_NOTICE, "auth constraint is malformed [uid=%d]", getuid ());
fprintf (stderr, "polkit-explicit-grant-helper: auth constraint is malformed. This incident has been logged.\n");
goto out;
}
authc_str_len = strlen (authc_str);
#define TARGET_UID 0
int target;
......@@ -190,19 +185,25 @@ main (int argc, char *argv[])
snprintf (now_buf, sizeof (now_buf), "%Lu", (polkit_uint64_t) now.tv_sec);
snprintf (uid_buf, sizeof (uid_buf), "%d", invoking_uid);
if (kit_string_entry_create (auth_buf, sizeof (auth_buf),
"scope", is_negative ? "grant-negative" : "grant",
"action-id", action_id,
"when", now_buf,
"granted-by", uid_buf,
"constraint", authc_str,
NULL) >= sizeof (auth_buf)) {
size_t len;
if ((len = kit_string_entry_create (auth_buf, sizeof (auth_buf),
"scope", is_negative ? "grant-negative" : "grant",
"action-id", action_id,
"when", now_buf,
"granted-by", uid_buf,
NULL)) >= sizeof (auth_buf)) {
kit_warning ("polkit-explicit-grant-helper: authbuf is too small");
goto out;
}
if (authc_str_len > 0) {
if (sizeof (auth_buf) - len < authc_str_len + 1) {
kit_warning ("polkit-explicit-grant-helper: authbuf is too small");
goto out;
}
strncpy (auth_buf + len, authc_str, authc_str_len + 1);
}
if (_polkit_authorization_db_auth_file_add (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit",
FALSE,
if (_polkit_authorization_db_auth_file_add (FALSE,
target_uid,
auth_buf)) {
ret = 0;
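Review bot: argv[2] now reaches the auth file entry without being parsed or escaped: the `polkit_authorization_constraint_from_string ()` check is gone from the first hunk, and the second hunk appends `authc_str` to `auth_buf` with `strncpy` instead of passing it through `kit_string_entry_create ()`. Unless `_polkit_authorization_db_auth_file_add ()` validates the entry (not visible here), a caller-supplied string containing a separator or newline could put fields or lines into the file that the helper did not intend to write. I would keep a validation step before the append that rejects and logs the request, as the removed code did with `syslog (LOG_NOTICE, "auth constraint is malformed [uid=%d]", getuid ());`, for example by parsing the text and checking every constraint in it with `polkit_authorization_constraint_from_string ()`. Both hunks sit inside main, whose body continues outside them.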
......
......@@ -640,19 +640,20 @@ main (int argc, char *argv[])
fprintf (stderr, "polkit-grant-helper: no uid for caller\n");
goto out;
}
if (!polkit_caller_get_ck_session (caller, &session)) {
fprintf (stderr, "polkit-grant-helper: caller is not in a session\n");
goto out;
}
if (!polkit_session_get_ck_objref (session, &session_objpath)) {
fprintf (stderr, "polkit-grant-helper: caller is not in a session\n");
goto out;
/* This user does not have to be in a session.. for example, one might
* use <allow_any>auth_admin</allow_any>...
*/
session = NULL;
session_objpath = NULL;
if (polkit_caller_get_ck_session (caller, &session) && session != NULL) {
if (!polkit_session_get_ck_objref (session, &session_objpath)) {
session = NULL;
session_objpath = NULL;
}
}
/* Use libpolkit to
*
* - figure out if the caller can really auth to do the action
* - learn what ConsoleKit session the caller belongs to
/* Use libpolkit to figure out if the caller can really auth to do the action
*/
if (!verify_with_polkit (context, caller, action, &result, &admin_users))
goto out;
......@@ -838,6 +839,11 @@ main (int argc, char *argv[])
case POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION:
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION:
if (session == NULL || session_objpath == NULL) {
fprintf (stderr, "polkit-grant-helper: cannot grant to session when not in a session\n");
ret = 2;
goto out;
}
dbres = polkit_authorization_db_add_entry_session (polkit_context_get_authorization_db (context),
action,
caller,
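Review bot: The NULL guard added before `polkit_authorization_db_add_entry_session ()` covers only the two `*_KEEP_SESSION` cases, while `session` and `session_objpath` can now be NULL for the rest of main after the lookup. Any other use of either pointer between the lookup and the switch, or in the other result cases, lies outside the visible hunks and should be checked for NULL tolerance. A failing `polkit_session_get_ck_objref ()` is also now silently treated the same as having no session; a line such as `fprintf (stderr, "polkit-grant-helper: cannot get object path for session\n");` in that branch would keep the failure visible. The new `ret = 2;` would read better with a short comment saying what exit status 2 means to whoever runs the helper.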
......
......@@ -71,20 +71,14 @@
struct _PolKitAuthorizationConstraint
{
int refcount;
PolKitAuthorizationConstraintFlags flags;
PolKitAuthorizationConstraintType type;
};
static PolKitAuthorizationConstraint _null_constraint = {-1, 0};
static PolKitAuthorizationConstraint _local_constraint = {-1,
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL};
POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL};
static PolKitAuthorizationConstraint _active_constraint = {-1,
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE};
static PolKitAuthorizationConstraint _local_active_constraint = {-1,
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL |
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE};
POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE};
PolKitAuthorizationConstraint *
_polkit_authorization_constraint_new (const char *entry_in_auth_file)
......@@ -153,7 +147,7 @@ void
polkit_authorization_constraint_debug (PolKitAuthorizationConstraint *authc)
{
kit_return_if_fail (authc != NULL);
_pk_debug ("PolKitAuthorizationConstraint: refcount=%d", authc->refcount);
_pk_debug ("PolKitAuthorizationConstraint: refcount=%d type=%d", authc->refcount, authc->type);
}
/**
......@@ -180,7 +174,7 @@ polkit_authorization_constraint_validate (PolKitAuthorizationConstraint *authc)
* @session: the session
*
* Determine if the given session satisfies the conditions imposed by
* the given constraint
* the given constraint.
*
* Returns: #TRUE if, and only if, the given session satisfies the
* conditions imposed by the given constraint.
......@@ -203,12 +197,12 @@ polkit_authorization_constraint_check_session (PolKitAuthorizationConstraint *au
polkit_session_get_ck_is_local (session, &is_local);
polkit_session_get_ck_is_active (session, &is_active);
if (authc->flags & POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL) {
if (authc->type == POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL) {
if (!is_local)
goto out;
}
if (authc->flags & POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE) {
if (authc->type == POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE) {
if (!is_active)
goto out;
}
......@@ -247,7 +241,8 @@ polkit_authorization_constraint_check_caller (PolKitAuthorizationConstraint *aut
if (polkit_caller_get_ck_session (caller, &session) && session != NULL) {
ret = polkit_authorization_constraint_check_session (authc, session);
} else {
if (authc->flags == 0) {
if (authc->type != POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL &&
authc->type != POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE) {
ret = TRUE;
}
}
......@@ -256,44 +251,22 @@ polkit_authorization_constraint_check_caller (PolKitAuthorizationConstraint *aut
}
/**
* polkit_authorization_constraint_get_flags:
* polkit_authorization_constraint_type:
* @authc: the object
*
* Describe the constraint; this is only useful when inspecting an
* authorization to present information to the user (e.g. as
* polkit-auth(1) does).
*
* Note that the flags returned may not fully describe the constraint
* and shouldn't be used to perform checking against #PolKitCaller or
* #PolKitSession objects. Use the
* polkit_authorization_constraint_check_caller() and
* polkit_authorization_constraint_check_session() methods for that
* instead.
*
* Returns: flags from #PolKitAuthorizationConstraintFlags
* Returns: type from #PolKitAuthorizationConstraintFlags
*
* Since: 0.7
*/
PolKitAuthorizationConstraintFlags
polkit_authorization_constraint_get_flags (PolKitAuthorizationConstraint *authc)
PolKitAuthorizationConstraintType
polkit_authorization_constraint_type (PolKitAuthorizationConstraint *authc)
{
kit_return_val_if_fail (authc != NULL, FALSE);
return authc->flags;
}
/**
* polkit_authorization_constraint_get_null:
*
* Get a #PolKitAuthorizationConstraint object that represents no constraints.
*
* Returns: the constraint; the caller shall not unref this object
*
* Since: 0.7
*/
PolKitAuthorizationConstraint *
polkit_authorization_constraint_get_null (void)
{
return &_null_constraint;
return authc->type;
}
/**
......@@ -328,23 +301,6 @@ polkit_authorization_constraint_get_require_active (void)
return &_active_constraint;
}
/**
* polkit_authorization_constraint_get_require_local_active:
*
* Get a #PolKitAuthorizationConstraint object that represents the
* constraint that the session or caller must be local and in an
* active session.
*
* Returns: the constraint; the caller shall not unref this object
*
* Since: 0.7
*/
PolKitAuthorizationConstraint *
polkit_authorization_constraint_get_require_local_active (void)
{
return &_local_active_constraint;
}
/**
* polkit_authorization_constraint_to_string:
* @authc: the object
......@@ -367,19 +323,15 @@ polkit_authorization_constraint_to_string (PolKitAuthorizationConstraint *authc,
{
kit_return_val_if_fail (authc != NULL, buf_size);
switch (authc->flags) {
switch (authc->type) {
default:
case 0:
return snprintf (out_buf, buf_size, "none");
case POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL:
case POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL:
return snprintf (out_buf, buf_size, "local");
case POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE:
case POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE:
return snprintf (out_buf, buf_size, "active");
case POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL|POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE:
return snprintf (out_buf, buf_size, "local+active");
}
}
......@@ -401,18 +353,12 @@ polkit_authorization_constraint_from_string (const char *str)
ret = NULL;
if (strcmp (str, "none") == 0) {
ret = polkit_authorization_constraint_get_null ();
goto out;
} else if (strcmp (str, "local") == 0) {
if (strcmp (str, "local") == 0) {
ret = polkit_authorization_constraint_get_require_local ();
goto out;
} else if (strcmp (str, "active") == 0) {
ret = polkit_authorization_constraint_get_require_active ();
goto out;
} else if (strcmp (str, "local+active") == 0) {
ret = polkit_authorization_constraint_get_require_local_active ();
goto out;
}
out:
......@@ -422,54 +368,69 @@ out:
/**
* polkit_authorization_constraint_get_from_caller:
* @caller: caller
* @out_array: return location for constraints
* @array_size: size of the passed array
*
* Given a caller, return the most restrictive constraint
* possible. For example, if the caller is local and active, a
* constraint requiring this will be returned.
* Given a caller, return the set of most restrictive constraints
* possible. For example, if the caller is local and active, a set
* constraints requiring this will be returned.
*
* This function is typically used when the caller obtains an
* authorization through authentication; the goal is to put a
* authorization through authentication; the goal is to put
* constraints on the authorization such that it's only valid when the
* caller is in the context as where she obtained it.
*
* Returns: a #PolKitConstraint object; this function will never return #NULL.
* The caller must unref all the created objects using
* polkit_authorization_constraint_unref().
*
* Returns: This function do not create more than @array_size constraints
* (including the trailing %NULL). If the output was truncated due to
* this limit then the return value is the number of objects (not
* including the trailing %NULL) which would have been written to the
* final array if enough space had been available. Thus, a return
* value of @array_size or more means that the output was truncated.
*/
PolKitAuthorizationConstraint *
polkit_authorization_constraint_get_from_caller (PolKitCaller *caller)
size_t
polkit_authorization_constraint_get_from_caller (PolKitCaller *caller,
PolKitAuthorizationConstraint **out_array,
size_t array_size)
{
unsigned int ret;
polkit_bool_t is_local;
polkit_bool_t is_active;
PolKitSession *session;
PolKitAuthorizationConstraint *ret;
/* caller is not in a session so use the null constraint */
kit_return_val_if_fail (caller != NULL, 0);
kit_return_val_if_fail (out_array != NULL, 0);
ret = 0;
if (!polkit_caller_get_ck_session (caller, &session) || session == NULL) {
ret = polkit_authorization_constraint_get_null ();
goto out;
}
polkit_session_get_ck_is_local (session, &is_local);
polkit_session_get_ck_is_active (session, &is_active);
if (is_local) {
if (is_active) {
ret = polkit_authorization_constraint_get_require_local_active ();
} else {
ret = polkit_authorization_constraint_get_require_local ();
}
} else {
if (is_active) {
ret = polkit_authorization_constraint_get_require_active ();
} else {
ret = polkit_authorization_constraint_get_null ();
}
if (ret < array_size)
out_array[ret] = polkit_authorization_constraint_get_require_local ();
ret++;
}
if (is_active) {
if (ret < array_size)
out_array[ret] = polkit_authorization_constraint_get_require_active ();
ret++;
}
out:
if (ret < array_size)
out_array[ret] = NULL;
return ret;
}
/**
* polkit_authorization_constraint_equal:
* @a: first constraint
......@@ -487,7 +448,8 @@ polkit_authorization_constraint_equal (PolKitAuthorizationConstraint *a, PolKitA
kit_return_val_if_fail (a != NULL, FALSE);
kit_return_val_if_fail (b != NULL, FALSE);
return a->flags == b->flags;
/* When we add more types this needs expansion */
return a->type == b->type;
}
#ifdef POLKIT_BUILD_TESTS
......@@ -506,11 +468,8 @@ _tst1 (PolKitSession *s, PolKitAuthorizationConstraint *ac, polkit_bool_t *out_r
*out_result = polkit_authorization_constraint_check_session (ac, s);
if ((c = polkit_caller_new ()) != NULL) {
if (ac->flags == 0) {
kit_assert (polkit_authorization_constraint_check_caller (ac, c) == TRUE);
} else {
kit_assert (polkit_authorization_constraint_check_caller (ac, c) == FALSE);
}
/* we know that the ac's passed always will be REQUIRE_ACTIVE or REQUIRE_LOCAL */
kit_assert (polkit_authorization_constraint_check_caller (ac, c) == FALSE);
kit_assert (polkit_caller_set_ck_session (c, s));
kit_assert (*out_result == polkit_authorization_constraint_check_caller (ac, c));
......@@ -539,6 +498,7 @@ _tst2 (PolKitAuthorizationConstraint *ac)
}
}
#if 0
static polkit_bool_t
_tst3 (PolKitSession *s, PolKitAuthorizationConstraint *compare_to, polkit_bool_t *ret)
{
......@@ -572,18 +532,18 @@ _tst3 (PolKitSession *s, PolKitAuthorizationConstraint *compare_to, polkit_bool_
out:
return is_oom;
}
#endif
static polkit_bool_t
_run_test (void)
{
PolKitAuthorizationConstraint *ac;
PolKitAuthorizationConstraintFlags flags;
PolKitAuthorizationConstraintType type;
PolKitSession *s_active;
PolKitSession *s_inactive;
PolKitSession *s_active_remote;
PolKitSession *s_inactive_remote;
polkit_bool_t ret;
int n;
if ((s_active = polkit_session_new ()) != NULL) {
if (!polkit_session_set_ck_objref (s_active, "/session1")) {
......@@ -627,22 +587,10 @@ _run_test (void)
}
}
/* null constraint */
kit_assert ((ac = polkit_authorization_constraint_get_null ()) != NULL);
polkit_authorization_constraint_ref (ac);
polkit_authorization_constraint_unref (ac);
flags = polkit_authorization_constraint_get_flags (ac);
kit_assert (flags == 0);
kit_assert (_tst1 (s_active, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_active_remote, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive_remote, ac, &ret) || ret == TRUE);
_tst2 (ac);
/* local constraint */
kit_assert ((ac = polkit_authorization_constraint_get_require_local ()) != NULL);
flags = polkit_authorization_constraint_get_flags (ac);
kit_assert (flags == POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL);
type = polkit_authorization_constraint_type (ac);
kit_assert (type == POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL);
kit_assert (_tst1 (s_active, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_active_remote, ac, &ret) || ret == FALSE);
......@@ -651,25 +599,16 @@ _run_test (void)
/* active constraint */
kit_assert ((ac = polkit_authorization_constraint_get_require_active ()) != NULL);
flags = polkit_authorization_constraint_get_flags (ac);
kit_assert (flags == POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE);
type = polkit_authorization_constraint_type (ac);
kit_assert (type == POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE);
kit_assert (_tst1 (s_active, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive, ac, &ret) || ret == FALSE);
kit_assert (_tst1 (s_active_remote, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive_remote, ac, &ret) || ret == FALSE);
_tst2 (ac);
/* local+active constraint */
kit_assert ((ac = polkit_authorization_constraint_get_require_local_active ()) != NULL);
flags = polkit_authorization_constraint_get_flags (ac);
kit_assert (flags == (POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL|
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE));
kit_assert (_tst1 (s_active, ac, &ret) || ret == TRUE);
kit_assert (_tst1 (s_inactive, ac, &ret) || ret == FALSE);
kit_assert (_tst1 (s_active_remote, ac, &ret) || ret == FALSE);
kit_assert (_tst1 (s_inactive_remote, ac, &ret) || ret == FALSE);
_tst2 (ac);
#if 0
for (n = 0; n < 4; n++) {
PolKitSession *s;
polkit_bool_t expected[4];
......@@ -710,8 +649,9 @@ _run_test (void)
kit_assert (_tst3 (s, polkit_authorization_constraint_get_require_active (), &ret) || ret == expected[2]);
kit_assert (_tst3 (s, polkit_authorization_constraint_get_null (), &ret) || ret == expected[3]);
}
#endif
if ((ac = _polkit_authorization_constraint_new ("local+active")) != NULL) {
if ((ac = _polkit_authorization_constraint_new ("local")) != NULL) {
polkit_authorization_constraint_validate (ac);
polkit_authorization_constraint_debug (ac);
polkit_authorization_constraint_ref (ac);
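Review bot: In `polkit_authorization_constraint_type ()` the guard `kit_return_val_if_fail (authc != NULL, FALSE);` returns a value that is also a valid constraint type: the new enum declares no explicit values, so `POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL` is 0 and, assuming FALSE is 0, a NULL argument reads back as "require local". Returning a value outside the enum, e.g. `kit_return_val_if_fail (authc != NULL, (PolKitAuthorizationConstraintType) -1);`, or giving the enumerators explicit non-zero values, keeps the failure distinguishable. The `Returns:` line of the same doc comment still names `#PolKitAuthorizationConstraintFlags`, which this commit removes. In `polkit_authorization_constraint_get_from_caller ()` the new comment tells the caller to unref every returned object, while the array is filled from the `get_require_local ()` / `get_require_active ()` getters, the latter of which visibly returns the static `&_active_constraint`; the comment should state which ownership rule applies.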
......
......@@ -44,38 +44,32 @@
POLKIT_BEGIN_DECLS
/**
* PolKitAuthorizationConstraintFlags:
* @POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL: the session or
* PolKitAuthorizationConstraintType:
* @POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL: the session or
* caller must be local
* @POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE: the session or
* @POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE: the session or
* caller must be in an active session
* @POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL_ACTIVE: short
* hand for the flags POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL
* and POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE.
*
* This enumeration describes different conditions, not mutually
* exclusive, to help describe an authorization constraint.
* This enumeration describes the type of the authorization
* constraint.
*/
typedef enum {
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL = 1 << 0,
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_ACTIVE = 1 << 1,
POLKIT_AUTHORIZATION_CONSTRAINT_REQUIRE_LOCAL_ACTIVE = (1 << 0) | (1 << 1)
} PolKitAuthorizationConstraintFlags;
POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_LOCAL,
POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_ACTIVE
} PolKitAuthorizationConstraintType;
struct _PolKitAuthorizationConstraint;
typedef struct _PolKitAuthorizationConstraint PolKitAuthorizationConstraint;
PolKitAuthorizationConstraint *polkit_authorization_constraint_get_null (void);
PolKitAuthorizationConstraint *polkit_authorization_constraint_get_require_local (void);
PolKitAuthorizationConstraint *polkit_authorization_constraint_get_require_active (void);
PolKitAuthorizationConstraint *polkit_authorization_constraint_get_require_local_active (void);
PolKitAuthorizationConstraint *polkit_authorization_constraint_ref (PolKitAuthorizationConstraint *authc);
void polkit_authorization_constraint_unref (PolKitAuthorizationConstraint *authc);
void polkit_authorization_constraint_debug (PolKitAuthorizationConstraint *authc);
polkit_bool_t polkit_authorization_constraint_validate (PolKitAuthorizationConstraint *authc);
PolKitAuthorizationConstraintFlags polkit_authorization_constraint_get_flags (PolKitAuthorizationConstraint *authc);
PolKitAuthorizationConstraintType polkit_authorization_constraint_type (PolKitAuthorizationConstraint *authc);
polkit_bool_t polkit_authorization_constraint_check_session (PolKitAuthorizationConstraint *authc,
PolKitSession *session);
......@@ -86,7 +80,7 @@ polkit_bool_t polkit_authorization_constraint_check_caller (PolKitAuthorizationC
size_t polkit_authorization_constraint_to_string (PolKitAuthorizationConstraint *authc, char *out_buf, size_t buf_size);
PolKitAuthorizationConstraint *polkit_authorization_constraint_from_string (const char *str);
PolKitAuthorizationConstraint *polkit_authorization_constraint_get_from_caller (PolKitCaller *caller);
size_t polkit_authorization_constraint_get_from_caller (PolKitCaller *caller, PolKitAuthorizationConstraint **out_array, size_t array_size);
polkit_bool_t polkit_authorization_constraint_equal (PolKitAuthorizationConstraint *a,
PolKitAuthorizationConstraint *b);
......
......@@ -626,6 +626,19 @@ typedef struct {
polkit_bool_t *out_is_negative_authorized;
} CheckDataSession;
static polkit_bool_t
_check_constraint_session (PolKitAuthorization *auth, PolKitAuthorizationConstraint *authc, void *user_data)
{
PolKitSession *session = (PolKitSession *) user_data;
if (!polkit_authorization_constraint_check_session (authc, session))
goto no_match;
return FALSE;
no_match:
return TRUE;
}
static polkit_bool_t
_check_auth_for_session (PolKitAuthorizationDB *authdb, PolKitAuthorization *auth, void *user_data)
{
......@@ -633,15 +646,13 @@ _check_auth_for_session (PolKitAuthorizationDB *authdb, PolKitAuthorization *aut
uid_t pimp_uid;
polkit_bool_t is_negative;
CheckDataSession *cd = (CheckDataSession *) user_data;
PolKitAuthorizationConstraint *constraint;
ret = FALSE;
if (strcmp (polkit_authorization_get_action_id (auth), cd->action_id) != 0)
goto no_match;
constraint = polkit_authorization_get_constraint (auth);
if (!polkit_authorization_constraint_check_session (constraint, cd->session))
if (polkit_authorization_constraints_foreach (auth, _check_constraint_session, cd->session))
goto no_match;
switch (polkit_authorization_get_scope (auth))
......@@ -771,6 +782,19 @@ typedef struct {
PolKitError *error;
} CheckData;
static polkit_bool_t
_check_constraint_caller (PolKitAuthorization *auth, PolKitAuthorizationConstraint *authc, void *user_data)
{