auth-manager: let NMAuthChain always call to NMAuthManager for dummy requests

NMAuthChain's nm_auth_chain_add_call() used to add special handling for the NMAuthSubject. This handling really belongs to NMAuthManager for two reasons: - NMAuthManager already goes through the effort of scheduling an idle handler to handle the case where no GDBusProxy is present. It can just as well handle the special cases where polkit-auth is disabled or when we have internal requests. - by NMAuthChain doing special handling, it makes it more complicated to call nm_auth_manager_check_authorization() directly. Previously, the NMAuthChain had additional logic, which means you either were forced to create an NMAuthChain, or you had to reimplement special handling like nm_auth_chain_add_call().
2018-04-09 16:04:46 +02:00
parent 41abf9f8e8
commit 798b2a7527
2 changed files with 49 additions and 42 deletions
--- a/src/nm-auth-manager.c
+++ b/src/nm-auth-manager.c
@@ -123,6 +123,11 @@ typedef enum {
 	POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0),
 } PolkitCheckAuthorizationFlags;
 typedef enum {
 	IDLE_REASON_AUTHORIZED,
 	IDLE_REASON_NO_DBUS,
 } IdleReason;
 struct _NMAuthManagerCallId {
 	CList calls_lst;
 	NMAuthManager *self;
@@ -132,6 +137,7 @@ struct _NMAuthManagerCallId {
 	gpointer user_data;
 	guint64 call_numid;
 	guint idle_id;
 	IdleReason idle_reason:8;
 };
 #define cancellation_id_to_str_a(call_numid) \
@@ -289,16 +295,28 @@ _call_check_authorize (NMAuthManagerCallId *call_id)
 }
 static gboolean
-_call_fail_on_idle (gpointer user_data)
+_call_on_idle (gpointer user_data)
 {
 	NMAuthManagerCallId *call_id = user_data;
 	gs_free_error GError *error = NULL;
 	gboolean is_authorized = FALSE;
 	gboolean is_challenge = FALSE;
 	const char *error_msg = NULL;
 	call_id->idle_id = 0;
-	g_set_error_literal (&error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
+	if (call_id->idle_reason == IDLE_REASON_AUTHORIZED) {
-	                     "failure creating GDBusProxy for authorization request");
+		is_authorized = TRUE;
-	_LOG2T (call_id, "completed: failed due to no D-Bus proxy");
+		_LOG2T (call_id, "completed: authorized=%d, challenge=%d (simulated)",
-	_call_id_invoke_callback (call_id, FALSE, FALSE, error);
+		        is_authorized, is_challenge);
 	} else {
 		nm_assert (call_id->idle_reason == IDLE_REASON_NO_DBUS);
 		error_msg = "failure creating GDBusProxy for authorization request";
 		_LOG2T (call_id, "completed: failed due to no D-Bus proxy");
 	}
 	if (error_msg)
 		g_set_error_literal (&error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN, error_msg);
 	_call_id_invoke_callback (call_id, is_authorized, is_challenge, error);
 	return G_SOURCE_REMOVE;
 }
@@ -332,13 +350,14 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
 	NMAuthManagerCallId *call_id;
 	g_return_val_if_fail (NM_IS_AUTH_MANAGER (self), NULL);
-	g_return_val_if_fail (NM_IS_AUTH_SUBJECT (subject), NULL);
+	g_return_val_if_fail (NM_IN_SET (nm_auth_subject_get_subject_type (subject),
-	g_return_val_if_fail (nm_auth_subject_is_unix_process (subject), NULL);
+	                                 NM_AUTH_SUBJECT_TYPE_INTERNAL,
 	                                 NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS),
 	                      NULL);
 	g_return_val_if_fail (action_id, NULL);
 	priv = NM_AUTH_MANAGER_GET_PRIVATE (self);
 	g_return_val_if_fail (priv->polkit_enabled, NULL);
 	g_return_val_if_fail (!priv->disposing, NULL);
 	g_return_val_if_fail (!priv->shutting_down, NULL);
@@ -353,10 +372,23 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
 	call_id->call_numid = ++priv->call_numid_counter;
 	c_list_link_tail (&priv->calls_lst_head, &call_id->calls_lst);
-	if (   !priv->proxy
+	if (!priv->polkit_enabled) {
-	    && !priv->new_proxy_cancellable) {
+		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding due to polkit authorization disabled)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
 		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
 		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
 	} else if (nm_auth_subject_is_internal (subject)) {
 		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding for internal request)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
 		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
 		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
 	} else if (nm_auth_subject_get_unix_process_uid (subject) == 0) {
 		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding for root)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
 		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
 		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
 	} else if (   !priv->proxy
 	           && !priv->new_proxy_cancellable) {
 		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (failing due to invalid DBUS proxy)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
-		call_id->idle_id = g_idle_add (_call_fail_on_idle, call_id);
+		call_id->idle_reason = IDLE_REASON_NO_DBUS;
 		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
 	} else {
 		subject_value = nm_auth_subject_unix_process_to_polkit_gvariant (subject);
 		nm_assert (g_variant_is_floating (subject_value));
--- a/src/nm-auth-utils.c
+++ b/src/nm-auth-utils.c
@@ -54,7 +54,6 @@ typedef struct {
 	NMAuthChain *chain;
 	NMAuthManagerCallId *call_id;
 	char *permission;
 	guint call_idle_id;
 } AuthCall;
 /*****************************************************************************/
@@ -74,8 +73,6 @@ auth_call_free (AuthCall *call)
 {
 	if (call->call_id)
 		nm_auth_manager_check_authorization_cancel (call->call_id);
 	nm_clear_g_source (&call->call_idle_id);
 	c_list_unlink_stale (&call->auth_call_lst);
 	g_free (call->permission);
 	g_slice_free (AuthCall, call);
@@ -241,18 +238,6 @@ auth_call_complete (AuthCall *call)
 	}
 }
 static gboolean
 auth_call_complete_idle_cb (gpointer user_data)
 {
 	AuthCall *call = user_data;
 	_ASSERT_call (call);
 	call->call_idle_id = 0;
 	auth_call_complete (call);
 	return G_SOURCE_REMOVE;
 }
 static void
 pk_call_cb (NMAuthManager *auth_manager,
            NMAuthManagerCallId *call_id,
@@ -311,22 +296,12 @@ nm_auth_chain_add_call (NMAuthChain *self,
 	call->chain = self;
 	call->permission = g_strdup (permission);
 	c_list_link_tail (&self->auth_call_lst_head, &call->auth_call_lst);
-
+	call->call_id = nm_auth_manager_check_authorization (auth_manager,
-	if (   nm_auth_subject_is_internal (self->subject)
+	                                                     self->subject,
-	    || nm_auth_subject_get_unix_process_uid (self->subject) == 0
+	                                                     permission,
-	    || !nm_auth_manager_get_polkit_enabled (auth_manager)) {
+	                                                     allow_interaction,
-		/* Root user or non-polkit always gets the permission */
+	                                                     pk_call_cb,
-		nm_auth_chain_set_data (self, permission, GUINT_TO_POINTER (NM_AUTH_CALL_RESULT_YES), NULL);
+	                                                     call);
 		call->call_idle_id = g_idle_add (auth_call_complete_idle_cb, call);
 	} else {
 		/* Non-root always gets authenticated when using polkit */
 		call->call_id = nm_auth_manager_check_authorization (auth_manager,
 		                                                     self->subject,
 		                                                     permission,
 		                                                     allow_interaction,
 		                                                     pk_call_cb,
 		                                                     call);
 	}
 }
 /*****************************************************************************/