libnm-util: add nm_setting_connection_permissions_has_user()

Utility function to determine whether a given username is in the ACL.

libnm-util/libnm-util.ver

@@ -115,6 +115,7 @@ global:
 	nm_setting_connection_get_read_only;
 	nm_setting_connection_get_num_permissions;
 	nm_setting_connection_get_permission;
+	nm_setting_connection_permissions_has_user;
 	nm_setting_duplicate;
 	nm_setting_enumerate_values;
 	nm_setting_error_get_type;

libnm-util/nm-setting-connection.c

@@ -211,6 +211,80 @@ nm_setting_connection_get_permission (NMSettingConnection *setting, guint32 i)
 	return (const char *) g_slist_nth_data (priv->permissions, i);
 }
 
+#define USER_TAG "user:"
+
+/* Extract the username from the permission string and dump to a buffer */
+static gboolean
+perm_to_user (const char *perm, char *out_user, gsize out_user_size)
+{
+	const char *end;
+	gsize userlen;
+
+	g_return_val_if_fail (perm != NULL, FALSE);
+	g_return_val_if_fail (out_user != NULL, FALSE);
+
+	if (!g_str_has_prefix (perm, USER_TAG))
+		return FALSE;
+	perm += strlen (USER_TAG);
+
+	/* Look for trailing ':' */
+	end = strchr (perm, ':');
+	if (!end)
+		end = perm + strlen (perm);
+
+	userlen = end - perm;
+	if (userlen > (out_user_size + 1))
+		return FALSE;
+	memcpy (out_user, perm, userlen);
+	out_user[userlen] = '\0';
+	return TRUE;
+}
+
+/**
+ * nm_setting_connection_permissions_user_allowed:
+ * @setting: the #NMSettingConnection
+ * @uname: the user name to check permissions for
+ *
+ * Checks whether the given username is allowed to view/access this connection.
+ *
+ * Returns: %TRUE if the requested user is allowed to view this connection,
+ * %FALSE if the given user is not allowed to view this connection
+ */
+gboolean
+nm_setting_connection_permissions_user_allowed (NMSettingConnection *setting,
+                                                const char *uname)
+{
+	NMSettingConnectionPrivate *priv;
+	guint32 num, i;
+
+	g_return_val_if_fail (NM_IS_SETTING_CONNECTION (setting), FALSE);
+	g_return_val_if_fail (uname != NULL, FALSE);
+	g_return_val_if_fail (*uname != '\0', FALSE);
+
+	priv = NM_SETTING_CONNECTION_GET_PRIVATE (setting);
+
+	/* Match the username returned by the session check to a user in the ACL */
+	num = nm_setting_connection_get_num_permissions (setting);
+	if (num == 0)
+		return TRUE;  /* visible to all */
+
+	for (i = 0; i < num; i++) {
+		const char *perm;
+		char buf[75];
+
+		perm = nm_setting_connection_get_permission (setting, i);
+		g_assert (perm);
+		if (perm_to_user (perm, buf, sizeof (buf))) {
+			if (strcmp (buf, uname) == 0) {
+				/* Yay, permitted */
+				return TRUE;
+			}
+		}
+	}
+
+	return FALSE;
+}
+
 /**
  * nm_setting_connection_get_autoconnect:
  * @setting: the #NMSettingConnection

libnm-util/nm-setting-connection.h

@@ -107,6 +107,7 @@ guint64     nm_setting_connection_get_timestamp        (NMSettingConnection *set
 gboolean    nm_setting_connection_get_read_only        (NMSettingConnection *setting);
 guint32     nm_setting_connection_get_num_permissions  (NMSettingConnection *setting);
 const char *nm_setting_connection_get_permission       (NMSettingConnection *setting, guint32 index);
+gboolean    nm_setting_connection_permissions_user_allowed (NMSettingConnection *setting, const char *uname);
 
 /* FIXME: need add/remove calls for permissions */
 

src/settings/nm-sysconfig-connection.c

@@ -151,23 +151,8 @@ uid_in_acl (NMConnection *self,
 	}
 
 	/* Match the username returned by the session check to a user in the ACL */
-	num = nm_setting_connection_get_num_permissions (s_con);
+	if (nm_setting_connection_permissions_user_allowed (s_con, user))
-	if (num == 0)
+		return TRUE;
-		return TRUE;  /* visible to all */
-
-	for (i = 0; i < num; i++) {
-		const char *perm;
-		char buf[75];
-
-		perm = nm_setting_connection_get_permission (s_con, i);
-		g_assert (perm);
-		if (perm_to_user (perm, buf, sizeof (buf))) {
-			if (strcmp (buf, user) == 0) {
-				/* Yay, permitted */
-				return TRUE;
-			}
-		}
-	}
 
 	g_set_error (error,
 	             NM_SETTINGS_ERROR,