shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-25 10:04:04 +03:00
Code

bus-polkit: move verification to a separate function

Browse Source
This commit is contained in:
David Tardon 2023-02-03 14:05:46 +01:00
parent bc8187f75a
commit d2c50a176d
1 changed files with 58 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
src/shared/bus-polkit.c
View File

@ -246,6 +246,60 @@ fail:
return r; return r;
} }
static int process_polkit_response(
AsyncPolkitQuery *q,
sd_bus_message *call,
const char *action,
const char **details,
Hashmap **registry,
sd_bus_error *ret_error) {
int authorized, challenge, r;
assert(q);
assert(call);
assert(action);
assert(registry);
assert(ret_error);
assert(q->action);
assert(q->reply);
/* If the operation we want to authenticate changed between the first and the second time,
* let's not use this authentication, it might be out of date as the object and context we
* operate on might have changed. */
if (!streq(q->action, action) || !strv_equal(q->details, (char**) details))
return -ESTALE;
if (sd_bus_message_is_method_error(q->reply, NULL)) {
const sd_bus_error *e;
e = sd_bus_message_get_error(q->reply);
/* Treat no PK available as access denied */
if (bus_error_is_unknown_service(e))
return -EACCES;
/* Copy error from polkit reply */
sd_bus_error_copy(ret_error, e);
return -sd_bus_error_get_errno(e);
}
r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
if (r >= 0)
r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
if (r < 0)
return r;
if (authorized)
return 1;
if (challenge)
return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
return -EACCES;
}
#endif #endif
int bus_verify_polkit_async( int bus_verify_polkit_async(
@ -271,48 +325,10 @@ int bus_verify_polkit_async(
#if ENABLE_POLKIT #if ENABLE_POLKIT
AsyncPolkitQuery *q = hashmap_get(*registry, call); AsyncPolkitQuery *q = hashmap_get(*registry, call);
if (q) { /* This is the second invocation of this function, and there's already a response from
int authorized, challenge; * polkit, let's process it */
if (q)
/* This is the second invocation of this function, and there's already a response from return process_polkit_response(q, call, action, details, registry, ret_error);
* polkit, let's process it */
assert(q->reply);
/* If the operation we want to authenticate changed between the first and the second time,
* let's not use this authentication, it might be out of date as the object and context we
* operate on might have changed. */
if (!streq(q->action, action) ||
!strv_equal(q->details, (char**) details))
return -ESTALE;
if (sd_bus_message_is_method_error(q->reply, NULL)) {
const sd_bus_error *e;
e = sd_bus_message_get_error(q->reply);
/* Treat no PK available as access denied */
if (bus_error_is_unknown_service(e))
return -EACCES;
/* Copy error from polkit reply */
sd_bus_error_copy(ret_error, e);
return -sd_bus_error_get_errno(e);
}
r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
if (r >= 0)
r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
if (r < 0)
return r;
if (authorized)
return 1;
if (challenge)
return sd_bus_error_set(ret_error, SD_BUS_ERROR_INTERACTIVE_AUTHORIZATION_REQUIRED, "Interactive authentication required.");
return -EACCES;
}
#endif #endif
r = sd_bus_query_sender_privilege(call, capability); r = sd_bus_query_sender_privilege(call, capability);