Commit 035e6ee4 authored by David Zeuthen's avatar David Zeuthen

make polkit_context_is_[caller|session]_authorized() take a PolKitError

parent e701ee4c
......@@ -58,6 +58,8 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
PolKitError *pk_error;
PolKitResult pk_result;
ret = FALSE;
......@@ -92,12 +94,33 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
goto out;
}
if (!polkit_context_init (context, NULL)) {
fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
pk_error = NULL;
if (!polkit_context_init (context, &pk_error)) {
fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit context: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
if (polkit_error_is_set (pk_error)) {
if (polkit_error_get_error_code (pk_error) ==
POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS) {
polkit_error_free (pk_error);
pk_error = NULL;
} else {
fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
}
if (pk_result != POLKIT_RESULT_YES) {
/* having 'grant' (which is a lot more powerful) is also sufficient.. this is because 'read'
* is required to 'grant' (to check if there's a similar authorization already)
*/
......@@ -105,7 +128,17 @@ check_for_auth (uid_t caller_uid, pid_t caller_pid)
fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
goto out;
}
if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
if (polkit_error_is_set (pk_error)) {
fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
if (pk_result != POLKIT_RESULT_YES) {
goto out;
}
}
......
......@@ -56,13 +56,15 @@ check_pid_for_authorization (pid_t caller_pid, const char *action_id)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
PolKitError *pk_error;
PolKitResult pk_result;
ret = FALSE;
dbus_error_init (&error);
bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
if (bus == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n",
fprintf (stderr, "polkit-explicit-grant-helper: cannot connect to system bus: %s: %s\n",
error.name, error.message);
dbus_error_free (&error);
goto out;
......@@ -70,34 +72,48 @@ check_pid_for_authorization (pid_t caller_pid, const char *action_id)
caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
if (caller == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
fprintf (stderr, "polkit-explicit-grant-helper: cannot get caller from pid: %s: %s\n",
error.name, error.message);
goto out;
}
action = polkit_action_new ();
if (action == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitAction\n");
goto out;
}
if (!polkit_action_set_action_id (action, action_id)) {
fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
fprintf (stderr, "polkit-explicit-grant-helper: cannot set action_id\n");
goto out;
}
context = polkit_context_new ();
if (context == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitContext\n");
goto out;
}
if (!polkit_context_init (context, NULL)) {
fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
pk_error = NULL;
if (!polkit_context_init (context, &pk_error)) {
fprintf (stderr, "polkit-explicit-grant-helper: cannot initialize polkit context: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
if (polkit_error_is_set (pk_error)) {
fprintf (stderr, "polkit-explicit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
if (pk_result != POLKIT_RESULT_YES) {
//fprintf (stderr,
// "polkit-read-auth-helper: uid %d (pid %d) does not have the "
// "polkit-explicit-grant-helper: uid %d (pid %d) does not have the "
// "org.freedesktop.policykit.read-other-authorizations authorization\n",
// caller_uid, caller_pid);
goto out;
......
......@@ -267,7 +267,17 @@ verify_with_polkit (PolKitContext *pol_ctx,
PolKitResult *out_result,
char ***out_admin_users)
{
*out_result = polkit_context_is_caller_authorized (pol_ctx, action, caller, FALSE);
PolKitError *pk_error;
pk_error = NULL;
*out_result = polkit_context_is_caller_authorized (pol_ctx, action, caller, FALSE, &pk_error);
if (polkit_error_is_set (pk_error)) {
fprintf (stderr, "polkit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto error;
}
if (*out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH &&
*out_result != POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION &&
......
......@@ -54,13 +54,15 @@ check_for_revoke_authorization (pid_t caller_pid)
PolKitCaller *caller;
PolKitAction *action;
PolKitContext *context;
PolKitError *pk_error;
PolKitResult pk_result;
ret = FALSE;
dbus_error_init (&error);
bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
if (bus == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n",
fprintf (stderr, "polkit-revoke-helper: cannot connect to system bus: %s: %s\n",
error.name, error.message);
dbus_error_free (&error);
goto out;
......@@ -68,32 +70,46 @@ check_for_revoke_authorization (pid_t caller_pid)
caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
if (caller == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
fprintf (stderr, "polkit-revoke-helper: cannot get caller from pid: %s: %s\n",
error.name, error.message);
goto out;
}
action = polkit_action_new ();
if (action == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitAction\n");
goto out;
}
if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.revoke")) {
fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
fprintf (stderr, "polkit-revoke-helper: cannot set action_id\n");
goto out;
}
context = polkit_context_new ();
if (context == NULL) {
fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitContext\n");
goto out;
}
if (!polkit_context_init (context, NULL)) {
fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit\n");
pk_error = NULL;
if (!polkit_context_init (context, &pk_error)) {
fprintf (stderr, "polkit-revoke-helper: cannot initialize polkit context: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
if (polkit_context_is_caller_authorized (context, action, caller, FALSE) != POLKIT_RESULT_YES) {
pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
if (polkit_error_is_set (pk_error)) {
fprintf (stderr, "polkit-revoke-helper: cannot determine if caller is authorized: %s: %s\n",
polkit_error_get_error_name (pk_error),
polkit_error_get_error_message (pk_error));
polkit_error_free (pk_error);
goto out;
}
if (pk_result != POLKIT_RESULT_YES) {
goto out;
}
......
......@@ -428,6 +428,7 @@ polkit_context_get_policy_cache (PolKitContext *pk_context)
* @session: the session in question
* @is_mechanism: Whether the mechanism carrying out the action is
* asking. This can be used to revoke one-time-only authorizations.
* @error: return location for error
*
* Determine if any caller from a giver session is authorized to do a
* given action.
......@@ -441,7 +442,8 @@ PolKitResult
polkit_context_is_session_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitSession *session,
polkit_bool_t is_mechanism)
polkit_bool_t is_mechanism,
PolKitError **error)
{
/* TODO: properly implement */
return polkit_context_can_session_do_action (pk_context, action, session);
......@@ -454,8 +456,13 @@ polkit_context_is_session_authorized (PolKitContext *pk_context,
* @caller: the caller in question
* @is_mechanism: Whether the mechanism carrying out the action is
* asking. This can be used to revoke one-time-only authorizations.
* @error: return location for error
*
* Determine if a given caller is authorized to do a given action.
* Determine if a given caller is authorized to do a given
* action.
*
* This can fail with the following errors:
* #POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS
*
* Returns: A #PolKitResult specifying if, and how, the caller can
* do a specific action.
......@@ -466,7 +473,8 @@ PolKitResult
polkit_context_is_caller_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitCaller *caller,
polkit_bool_t is_mechnanism)
polkit_bool_t is_mechnanism,
PolKitError **error)
{
/* TODO: properly implement */
return polkit_context_can_caller_do_action (pk_context, action, caller);
......@@ -480,6 +488,9 @@ polkit_context_is_caller_authorized (PolKitContext *pk_context,
*
* Determine if a given session can do a given action.
*
* This can fail with the following errors:
* #POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS
*
* Returns: A #PolKitResult - can only be one of
* #POLKIT_RESULT_YES, #POLKIT_RESULT_NO.
*
......
......@@ -173,12 +173,14 @@ PolKitConfig *polkit_context_get_config (PolKitContext *pk_context, PolKitError
PolKitResult polkit_context_is_caller_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitCaller *caller,
polkit_bool_t is_mechanism);
polkit_bool_t is_mechanism,
PolKitError **error);
PolKitResult polkit_context_is_session_authorized (PolKitContext *pk_context,
PolKitAction *action,
PolKitSession *session,
polkit_bool_t is_mechanism);
polkit_bool_t is_mechanism,
PolKitError **error);
PolKitAuthorizationDB *polkit_context_get_authorization_db (PolKitContext *pk_context);
......
......@@ -416,7 +416,8 @@ is_caller_authorized (PolKitDaemon *daemon,
pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context,
pk_action,
pk_caller_who_wants_to_know,
FALSE);
FALSE,
NULL);
polkit_action_unref (pk_action);
if (pk_result != POLKIT_RESULT_YES) {
error = g_error_new (POLKIT_DAEMON_ERROR,
......@@ -432,7 +433,11 @@ is_caller_authorized (PolKitDaemon *daemon,
pk_action = polkit_action_new ();
polkit_action_set_action_id (pk_action, action_id);
pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context, pk_action, pk_caller, is_mechanism);
pk_result = polkit_context_is_caller_authorized (daemon->priv->pk_context,
pk_action,
pk_caller,
is_mechanism,
NULL);
polkit_action_unref (pk_action);
dbus_g_method_return (context, polkit_result_to_string_representation (pk_result));
......
......@@ -427,7 +427,7 @@ auth_iterator_cb (PolKitAuthorizationDB *authdb,
pk_action = polkit_action_new ();
polkit_action_set_action_id (pk_action, action_id);
pk_result = polkit_context_is_caller_authorized (pk_context, pk_action, pk_caller, FALSE);
pk_result = polkit_context_is_caller_authorized (pk_context, pk_action, pk_caller, FALSE, NULL);
polkit_action_unref (pk_action);
printf (" Authorized: %s\n", pk_result == POLKIT_RESULT_YES ? "Yes" : "No");
......@@ -499,7 +499,8 @@ pfe_iterator_cb (PolKitPolicyCache *policy_cache,
if (polkit_context_is_caller_authorized (pk_context,
action,
pk_caller,
FALSE) == POLKIT_RESULT_YES) {
FALSE,
NULL) == POLKIT_RESULT_YES) {
printf ("%s\n", polkit_policy_file_entry_get_id (pfe));
}
......@@ -519,7 +520,8 @@ pfe_iterator_show_obtainable_cb (PolKitPolicyCache *policy_cache,
switch (polkit_context_is_caller_authorized (pk_context,
action,
pk_caller,
FALSE)) {
FALSE,
NULL)) {
default:
case POLKIT_RESULT_UNKNOWN:
case POLKIT_RESULT_NO:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment