Creating a polkit authentication agent

Tobias Arrskog topfs2 at xboxmediacenter.com
Mon Sep 30 13:07:41 PDT 2013


On Mon, Sep 30, 2013 at 9:32 PM, Miloslav Trmač <mitr at redhat.com> wrote:

>  On Mon, Sep 30, 2013 at 8:40 PM, Miloslav Trmač <mitr at redhat.com> wrote:
>
>> Hello,
>> > What I'm trying to do is register a polkit authentication agent in a
>> > python script, through the dbus api. I have attached a rather simplistic
>> > first start of this. From what I can read out of the logs it seems to register
>> > alright but nothing is relayed to it for authentication.
>>
>> > First question is that it seems like RegisterAuthenticationAgent takes a few
>> > different subject kinds: unix-process and unix-session. What is the
>> > difference between these and what should I be using?
>>
>> You can register more than one agent; each agent is only called for those
>> subjects they register for.  unix-process is obviously limited to that
>> single process.  So if you want to register for all processes running
>> within the session / within the appliance UI, unix-session is more
>> appropriate.
>>
>
> Does this mean that if xbmc runs within another session, say gnome, and we
> use packagekit for installing our addons, if we'd register a unix-process
> that one will take precedence over the one in gnome?
>
> Yes.  (You can also register a "fallback agent" for a unix-process, but
> you wouldn't want to in this case.)
>

This is amazing, this is exactly what we want to achieve and something I've
asked for before! Awesome!


>
>  Or perhaps that only holds true for a polkit action which isn't
> registered in the session agent?
>
> No, agents register for subjects, not for actions.
>
>> > When registering I submit my object path, which is '/org/xbmc/polkit', but
>> > what is the destination for this object? I'm using 'org.xbmc.polkit' for my
>> > service, but how does polkit know this?
>>
>> An agent can only register itself; polkit uses the identity of the caller
>> of the RegisterAuthenticationAgent operation (technically using the :number
>> unique identifier).  I don't think it's necessary to register a
>> well-known-name.
>>
>
> So polkit is able to deduce the destination from the object path and the
> bus used for the call? I'm not a dbus expert so wasn't aware that this was
> possible?
>
> Yes; this is fundamental to being able to send a reply to a request at all.
>

Oh, that makes so much sense, thanks!


>  So if I understand you correctly I just need to make sure I use the same
> bus for the service as the registration?
>
> That should be basically it.  But I'm not a D-Bus expert either I'm
> afraid, and especially not an expert in the various interface libraries.
>
>> > Could this be why it's not called to
>> > authenticate even if register went through alright?
>>
>> These two lines seem rather suspect:
>> >    'session-id': getSessionID(),
>> >    'session_id': ""
>>
>> Other than that, if there are no error messages returned through the
>> D-Bus API, I can suggest only running polkitd without --no-debug and
>> capturing the output, and attaching a debugger to polkitd.
>>
>
> Yeah I'm very uncertain on those, from the RegisterAuthenticationAgent
> documentation I found this line
> "Note that current versions of PolicyKit will only work if *session_id* is
> set to the empty string. In the future it might work for non-empty strings
> if the caller is sufficiently privileged."
>
> I thought that referred to be on the subject but it strikes me now that I
> might have misunderstood this. If so I'm not sure at all where I should set
> "session_id" :)
>
> (For others looking, it is data/org.freedesktop.PolicyKit1.Authority.xml
> .  I'm afraid this is a bug in the documentation; for now filed as
> https://bugs.freedesktop.org/show_bug.cgi?id=69980 ).
>
>  I tried to start polkitd with --no-debug (if I did it correctly)
>
> Note that, at least on Fedora, --no-debug is default, so it is necessary
> to _remove_ it (and then capture stderr).
>

Sigh, when I read your response now I realized I ran the new polkitd _with_
--no-debug. I retried without --no-debug and got so much more information.
Seems like my BeginAuthentication was wrong, I didn't have the proper
parameters in my python script.

** (polkitd:8053): WARNING **: Error parsing identity unix-group:admin: No
UNIX group with name admin: Success
Error performing authentication:
GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method
"BeginAuthentication" with signature "sssa{ss}sa(sa{sv})" on interface
"org.freedesktop.PolicyKit1.AuthenticationAgent" doesn't exist
 (g-dbus-error-quark 19)

I do have 6 parameters but I suspect I've done something wrong in my python
implementation (I'm more used to doing dbus stuff in c++).


> and checked auth.log, it gave some interesting results (which I'm not
> entirely sure how to interpret)
> (at line3 is when I closed polkitd with a killall -9 polkitd)
>
> topfs at tobias-desktop:/var/log$ tail -f auth.log
> Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered
> Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10
> (system bus name :1.119 [python simple-unix-session-agent.py], object path
> /org/xbmc/polkit, locale sv_SE)
> Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of
> unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate
> to gain authorization for action com.ubuntu.softwareproperties.applychanges
> for system-bus-name::1.126 [/usr/bin/python3
> /usr/bin/software-properties-gtk -n -t 0] (owned by unix-user:topfs)
>
> So from what I can see it seems like it registers alright but it never
> calls my python scripts method (begin authentication et al).
>
> I'm afraid it's time for gdb then; there is no logging inside the code of
> get_authentication_agent_for_subject AFAICS.
>
> I've registered it under locale sv_SE, perhaps that's wrong or not what
> fluxbox (which is my testing session) is using by default?
> Can I register my agent on any locale?
>
> The locale is not involved in choosing which agent to run, only what
> messages to give to it.
>    Mirek
>


I think I know what the error is now, thanks so much for helping me!

Cheers,
Tobias
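
Added example, not part of the original message or of polkit's own code: a small checker that splits the signature from the polkitd error above into its six single complete types and reports where a declared agent signature differs. The argument names follow the BeginAuthentication documentation; the function names and the wrong signatures in the test are constructed for illustration, and the declared string is assumed to be whatever the agent passes as in_signature in dbus-python.

```python
BASIC = set("ybnqiuxtdsogh")      # D-Bus basic type codes
EXPECTED = "sssa{ss}sa(sa{sv})"   # signature quoted in the polkitd error
ARGS = ("action_id", "message", "icon_name", "details", "cookie", "identities")

def _end_of_type(sig, i):
    """Return the index just past the single complete type starting at sig[i]."""
    if i >= len(sig):
        raise ValueError("truncated signature")
    c = sig[i]
    if c in BASIC or c == "v":
        return i + 1
    if c == "a":
        if sig[i + 1:i + 2] == "{":
            # Dict entry: one basic key type, then exactly one value type.
            if sig[i + 2:i + 3] not in BASIC or i + 2 >= len(sig):
                raise ValueError("dict key must be a basic type")
            j = _end_of_type(sig, i + 3)
            if sig[j:j + 1] != "}":
                raise ValueError("unterminated dict entry")
            return j + 1
        return _end_of_type(sig, i + 1)   # array of any other type
    if c == "(":
        j = i + 1
        while j < len(sig) and sig[j] != ")":
            j = _end_of_type(sig, j)
        if j >= len(sig) or j == i + 1:
            raise ValueError("empty or unterminated struct")
        return j + 1
    raise ValueError(f"unexpected {c!r} at offset {i}")

def split_signature(sig):
    """Split a method signature into one type string per argument."""
    out, i = [], 0
    while i < len(sig):
        j = _end_of_type(sig, i)
        out.append(sig[i:j])
        i = j
    return out

def diff_signature(declared, expected=EXPECTED):
    """List the differences between a declared signature and the expected one."""
    want, have = split_signature(expected), split_signature(declared)
    problems = []
    if len(want) != len(have):
        problems.append(f"argument count: expected {len(want)}, declared {len(have)}")
    for n, (w, h) in enumerate(zip(want, have)):
        if w != h:
            name = ARGS[n] if n < len(ARGS) else "?"
            problems.append(f"arg {n} ({name}): expected {w}, declared {h}")
    return problems
```

An empty list from diff_signature means the declared signature matches the one polkitd tried to call; any entry names the argument to fix.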