PolicyKit: Branch 'master'

David Zeuthen david at kemper.freedesktop.org
Tue Jul 28 08:30:09 PDT 2009


 data/org.freedesktop.PolicyKit1.Authority.xml         |    2 
 docs/man/pkcheck.xml                                  |    4 
 docs/polkit/polkit-1-sections.txt                     |    2 
 src/polkit/polkitauthorizationresult.c                |   77 ++++++++++++++++--
 src/polkit/polkitauthorizationresult.h                |   16 ++-
 src/polkitbackend/polkitbackendinteractiveauthority.c |   26 ++++--
 src/programs/pkcheck.c                                |   53 ++++++------
 7 files changed, 130 insertions(+), 50 deletions(-)

New commits:
commit 3176182290683ab10fbe40d5a16c26d25e7a0380
Author: David Zeuthen <davidz at redhat.com>
Date:   Tue Jul 28 11:25:20 2009 -0400

    Add polkit.retains_authorization_after_challenge to authz result
    
    Also make this and other details available via methods on the
    PolkitAuthorizationResult object.
    
    See this and surrounding messages
    
     http://lists.freedesktop.org/archives/polkit-devel/2009-July/000189.html
    
    for more information.

diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml
index 9b49334..7854a96 100644
--- a/data/org.freedesktop.PolicyKit1.Authority.xml
+++ b/data/org.freedesktop.PolicyKit1.Authority.xml
@@ -129,7 +129,7 @@
       </annotation>
 
       <annotation name="org.gtk.EggDBus.Struct.Member"  value="Dict<String,String>:details">
-        <annotation name="org.gtk.EggDBus.DocString" value="Details for the result or empty if not authorized. Known key/value-pairs include <literal>polkit.temporary_authorization_id</literal> (if the authorization is temporary, this is set to the opaque temporary authorization id)."/>
+        <annotation name="org.gtk.EggDBus.DocString" value="Details for the result or empty if not authorized. Known key/value-pairs include <literal>polkit.temporary_authorization_id</literal> (if the authorization is temporary, this is set to the opaque temporary authorization id) and <literal>polkit.retains_authorization_after_challenge</literal> (Set to a non-empty string if the authorization will be retained after authentication (if is_challenge is TRUE))."/>
       </annotation>
     </annotation>
 
diff --git a/docs/man/pkcheck.xml b/docs/man/pkcheck.xml
index c3c5bc0..d8da949 100644
--- a/docs/man/pkcheck.xml
+++ b/docs/man/pkcheck.xml
@@ -108,13 +108,15 @@ KEY3=VALUE3
     <para>
       If the specificied process is not
       authorized, <command>pkcheck</command> exits with a return value
-      of 1 and a diagnostic message is printed on standard error.
+      of 1 and a diagnostic message is printed on standard error. Details
+      are printed on standard output.
     </para>
     <para>
       If the specificied process is not
       authorized because no suitable authentication agent is available or if the
       <option>--allow-user-interaction</option> wasn't passed, <command>pkcheck</command>
       exits with a return value of 2 and a diagnostic message is printed on standard error.
+      Details are printed on standard output.
     </para>
     <para>
       If an error occured while checking for authorization, <command>pkcheck</command> exits
diff --git a/docs/polkit/polkit-1-sections.txt b/docs/polkit/polkit-1-sections.txt
index c06a55a..e3fb70e 100644
--- a/docs/polkit/polkit-1-sections.txt
+++ b/docs/polkit/polkit-1-sections.txt
@@ -62,6 +62,8 @@ PolkitAuthorizationResult
 polkit_authorization_result_new
 polkit_authorization_result_get_is_authorized
 polkit_authorization_result_get_is_challenge
+polkit_authorization_result_get_retains_authorization
+polkit_authorization_result_get_temporary_authorization_id
 polkit_authorization_result_get_details
 <SUBSECTION Standard>
 PolkitAuthorizationResultClass
diff --git a/src/polkit/polkitauthorizationresult.c b/src/polkit/polkitauthorizationresult.c
index 08911ef..40abed1 100644
--- a/src/polkit/polkitauthorizationresult.c
+++ b/src/polkit/polkitauthorizationresult.c
@@ -24,6 +24,7 @@
 #endif
 
 #include "polkitauthorizationresult.h"
+#include "polkitdetails.h"
 #include "polkitprivate.h"
 
 /**
@@ -159,6 +160,9 @@ polkit_authorization_result_new (gboolean                   is_authorized,
  *
  * Gets whether the subject is authorized.
  *
+ * If the authorization is temporary, use polkit_authorization_result_get_temporary_authorization_id()
+ * to get the opaque identifier for the temporary authorization.
+ *
  * Returns: Whether the subject is authorized.
  */
 gboolean
@@ -187,12 +191,6 @@ polkit_authorization_result_get_is_challenge (PolkitAuthorizationResult *result)
  *
  * Gets the details about the result.
  *
- * If the authorization is temporary the opaque identifier for the
- * temporary authorization
- * (cf. polkit_temporary_authorization_get_id()) is set available as
- * the value for the
- * <literal>polkit.temporary_authorization_id</literal> key.
- *
  * Returns: A #PolkitDetails object. This object is owned by @result
  * and should not be freed by the caller.
  */
@@ -211,3 +209,70 @@ polkit_authorization_result_get_details (PolkitAuthorizationResult *result)
  out:
   return result->details;
 }
+
+/**
+ * polkit_authorization_result_get_retains_authorization:
+ * @result: A #PolkitAuthorizationResult.
+ *
+ * Gets whether authorization is retained if obtained via authentication. This can only be the case
+ * if @result indicates that the subject can obtain authorization after challenge (cf.
+ * polkit_authorization_result_get_is_challenge()), e.g. when the subject is not already authorized (cf.
+ * polkit_authorization_result_get_is_authorized()).
+ *
+ * If the subject is already authorized, use polkit_authorization_result_get_temporary_authorization_id()
+ * to check if the authorization is temporary.
+ *
+ * This method simply reads the value of the key/value pair in @details with the
+ * key <literal>polkit.retains_authorization_after_challenge</literal>.
+ *
+ * Returns: %TRUE if the authorization is or will be temporary.
+ */
+gboolean
+polkit_authorization_result_get_retains_authorization (PolkitAuthorizationResult *result)
+{
+  gboolean ret;
+  PolkitDetails *details;
+
+  ret = FALSE;
+  details = polkit_authorization_result_get_details (result);
+  if (details != NULL && polkit_details_lookup (details, "polkit.retains_authorization_after_challenge") != NULL)
+    ret = TRUE;
+
+  return ret;
+}
+
+/**
+ * polkit_authorization_result_get_temporary_authorization_id:
+ * @result: A #PolkitAuthorizationResult.
+ *
+ * Gets the opaque temporary authorization id for @result if @result indicates the
+ * subject is authorized and the authorization is temporary rather than one-shot or
+ * permanent.
+ *
+ * You can use this string together with the result from
+ * polkit_authority_enumerate_temporary_authorizations() to get more details
+ * about the temporary authorization or polkit_authority_revoke_temporary_authorization_by_id()
+ * to revoke the temporary authorization.
+ *
+ * If the subject is not authorized, use polkit_authorization_result_get_retains_authorization()
+ * to check if the authorization will be retained if obtained via authentication.
+ *
+ * This method simply reads the value of the key/value pair in @details with the
+ * key <literal>polkit.temporary_authorization_id</literal>.
+ *
+ * Returns: The opaque temporary authorization id for @result or %NULL if not
+ *    available. Do not free this string, it is owned by @result.
+ */
+const gchar *
+polkit_authorization_result_get_temporary_authorization_id (PolkitAuthorizationResult *result)
+{
+  const gchar *ret;
+  PolkitDetails *details;
+
+  ret = NULL;
+  details = polkit_authorization_result_get_details (result);
+  if (details != NULL)
+    ret = polkit_details_lookup (details, "polkit.temporary_authorization_id");
+
+  return ret;
+}
diff --git a/src/polkit/polkitauthorizationresult.h b/src/polkit/polkitauthorizationresult.h
index 40db4f6..ea479fe 100644
--- a/src/polkit/polkitauthorizationresult.h
+++ b/src/polkit/polkitauthorizationresult.h
@@ -43,13 +43,15 @@ typedef struct _PolkitAuthorizationResult PolkitAuthorizationResult;
 #endif
 typedef struct _PolkitAuthorizationResultClass PolkitAuthorizationResultClass;
 
-GType                      polkit_authorization_result_get_type          (void) G_GNUC_CONST;
-PolkitAuthorizationResult *polkit_authorization_result_new               (gboolean                   is_authorized,
-                                                                          gboolean                   is_challenge,
-                                                                          PolkitDetails             *details);
-gboolean                   polkit_authorization_result_get_is_authorized (PolkitAuthorizationResult *result);
-gboolean                   polkit_authorization_result_get_is_challenge  (PolkitAuthorizationResult *result);
-PolkitDetails             *polkit_authorization_result_get_details       (PolkitAuthorizationResult *result);
+GType              polkit_authorization_result_get_type                       (void) G_GNUC_CONST;
+PolkitAuthorizationResult *polkit_authorization_result_new                    (gboolean                   is_authorized,
+                                                                               gboolean                   is_challenge,
+                                                                               PolkitDetails             *details);
+PolkitDetails     *polkit_authorization_result_get_details                    (PolkitAuthorizationResult *result);
+gboolean           polkit_authorization_result_get_is_authorized              (PolkitAuthorizationResult *result);
+gboolean           polkit_authorization_result_get_is_challenge               (PolkitAuthorizationResult *result);
+gboolean           polkit_authorization_result_get_retains_authorization      (PolkitAuthorizationResult *result);
+const gchar       *polkit_authorization_result_get_temporary_authorization_id (PolkitAuthorizationResult *result);
 
 /* ---------------------------------------------------------------------------------------------------- */
 
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
index af58ed3..c5cf4d2 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -609,6 +609,7 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
   gboolean session_is_active;
   PolkitImplicitAuthorization implicit_authorization;
   const gchar *tmp_authz_id;
+  PolkitDetails *result_details;
 
   interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
   priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority);
@@ -619,6 +620,7 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
   groups_of_user = NULL;
   subject_str = NULL;
   session_for_subject = NULL;
+  result_details = NULL;
 
   session_is_local = FALSE;
   session_is_active = FALSE;
@@ -687,6 +689,8 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
       implicit_authorization = polkit_action_description_get_implicit_any (action_desc);
     }
 
+  result_details = polkit_details_new ();
+
   /* allow subclasses to rewrite implicit_authorization */
   implicit_authorization = polkit_backend_interactive_authority_check_authorization_sync (interactive_authority,
                                                                                           caller,
@@ -704,7 +708,7 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
       g_debug (" is authorized (has implicit authorization local=%d active=%d)",
                session_is_local,
                session_is_active);
-      result = polkit_authorization_result_new (TRUE, FALSE, NULL);
+      result = polkit_authorization_result_new (TRUE, FALSE, result_details);
       goto out;
     }
 
@@ -714,19 +718,22 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
                                                        action_id,
                                                        &tmp_authz_id))
     {
-      PolkitDetails *details;
 
       g_debug (" is authorized (has temporary authorization)");
-      details = polkit_details_new ();
-      polkit_details_insert (details, "polkit.temporary_authorization_id", tmp_authz_id);
-      result = polkit_authorization_result_new (TRUE, FALSE, details);
-      g_object_unref (details);
+      polkit_details_insert (result_details, "polkit.temporary_authorization_id", tmp_authz_id);
+      result = polkit_authorization_result_new (TRUE, FALSE, result_details);
       goto out;
     }
 
   if (implicit_authorization != POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED)
     {
-      result = polkit_authorization_result_new (FALSE, TRUE, NULL);
+      if (implicit_authorization == POLKIT_IMPLICIT_AUTHORIZATION_AUTHENTICATION_REQUIRED_RETAINED ||
+          implicit_authorization == POLKIT_IMPLICIT_AUTHORIZATION_ADMINISTRATOR_AUTHENTICATION_REQUIRED_RETAINED)
+        {
+          polkit_details_insert (result_details, "polkit.retains_authorization_after_challenge", "1");
+        }
+
+      result = polkit_authorization_result_new (FALSE, TRUE, result_details);
 
       /* return implicit_authorization so the caller can use an authentication agent if applicable */
       if (out_implicit_authorization != NULL)
@@ -737,7 +744,7 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
     }
   else
     {
-      result = polkit_authorization_result_new (FALSE, FALSE, NULL);
+      result = polkit_authorization_result_new (FALSE, FALSE, result_details);
       g_debug (" not authorized");
     }
  out:
@@ -755,6 +762,9 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
   if (action_desc != NULL)
     g_object_unref (action_desc);
 
+  if (result_details != NULL)
+    g_object_unref (result_details);
+
   g_debug (" ");
 
   return result;
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index 7850cf5..fbda073 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -82,6 +82,7 @@ main (int argc, char *argv[])
   PolkitSubject *subject;
   PolkitDetails *details;
   PolkitCheckAuthorizationFlags flags;
+  PolkitDetails *result_details;
   GError *error;
 
   subject = NULL;
@@ -230,38 +231,36 @@ main (int argc, char *argv[])
       goto out;
     }
 
-  if (polkit_authorization_result_get_is_authorized (result))
+  result_details = polkit_authorization_result_get_details (result);
+  if (result_details != NULL)
     {
-      PolkitDetails *result_details;
+      gchar **keys;
 
-      result_details = polkit_authorization_result_get_details (result);
-      if (result_details != NULL)
+      keys = polkit_details_get_keys (result_details);
+      for (n = 0; keys != NULL && keys[n] != NULL; n++)
         {
-          gchar **keys;
-
-          keys = polkit_details_get_keys (result_details);
-          for (n = 0; keys != NULL && keys[n] != NULL; n++)
-            {
-              const gchar *key;
-              const gchar *value;
-              gchar *s;
-
-              key = keys[n];
-              value = polkit_details_lookup (result_details, key);
-
-              s = escape_str (key);
-              g_print ("%s", s);
-              g_free (s);
-              g_print ("=");
-              s = escape_str (value);
-              g_print ("%s", s);
-              g_free (s);
-              g_print ("\n");
-            }
-
-          g_strfreev (keys);
+          const gchar *key;
+          const gchar *value;
+          gchar *s;
+
+          key = keys[n];
+          value = polkit_details_lookup (result_details, key);
+
+          s = escape_str (key);
+          g_print ("%s", s);
+          g_free (s);
+          g_print ("=");
+          s = escape_str (value);
+          g_print ("%s", s);
+          g_free (s);
+          g_print ("\n");
         }
 
+      g_strfreev (keys);
+    }
+
+  if (polkit_authorization_result_get_is_authorized (result))
+    {
       ret = 0;
     }
   else if (polkit_authorization_result_get_is_challenge (result))


More information about the hal-commit mailing list