PolicyKit: Branch 'wip/js-rule-files'
David Zeuthen
david at kemper.freedesktop.org
Mon May 21 10:42:55 PDT 2012
docs/man/polkit.xml | 15 +++++++
src/polkitbackend/init.js | 4 ++
src/polkitbackend/polkitbackendjsauthority.c | 41 +++++++++++++++++++++
test/Makefile.am | 3 -
test/data/etc/polkit-1/rules.d/10-testing.rules | 18 +++++++++
test/polkitbackend/test-polkitbackendjsauthority.c | 24 ++++++++++++
6 files changed, 103 insertions(+), 2 deletions(-)
New commits:
commit 31c0ce425a03c59726b7c1a83aaf8cd8dfab79f7
Author: David Zeuthen <davidz at redhat.com>
Date: Mon May 21 13:42:43 2012 -0400
Add netgroup support
Signed-off-by: David Zeuthen <davidz at redhat.com>
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index 4fbc117..ee658c5 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -652,6 +652,21 @@ System Context | |
</funcprototype>
</funcsynopsis>
+ <funcsynopsis>
+ <funcprototype>
+ <?dbhtml funcsynopsis-style='ansi'?>
+ <funcdef>boolean <function>isInNetGroup</function></funcdef>
+ <paramdef>string <parameter>netGroupName</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <para>
+ The <function>isInGroup()</function> method can be used to
+ check if the subject is in a given group and
+ <function>isInNetGroup()</function> can be used to check if
+ the subject is in a given netgroup.
+ </para>
+
</refsect2>
<refsect2 id="polkit-rules-details">
diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js
index 0e8bcfb..29f13fc 100644
--- a/src/polkitbackend/init.js
+++ b/src/polkitbackend/init.js
@@ -26,6 +26,10 @@ function Subject() {
return false;
};
+ this.isInNetGroup = function(netGroup) {
+ return polkit._userIsInNetGroup(this.user, netGroup);
+ };
+
this.toString = function() {
var ret = "[Subject";
for (var i in this) {
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 8c1d189..7798d45 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -144,11 +144,13 @@ static JSClass js_polkit_class = {
static JSBool js_polkit_log (JSContext *cx, uintN argc, jsval *vp);
static JSBool js_polkit_spawn (JSContext *cx, uintN argc, jsval *vp);
+static JSBool js_polkit_user_is_in_netgroup (JSContext *cx, uintN argc, jsval *vp);
static JSFunctionSpec js_polkit_functions[] =
{
JS_FS("log", js_polkit_log, 0, 0),
JS_FS("spawn", js_polkit_spawn, 0, 0),
+ JS_FS("_userIsInNetGroup", js_polkit_user_is_in_netgroup, 0, 0),
JS_FS_END
};
@@ -1225,3 +1227,42 @@ js_polkit_spawn (JSContext *cx,
}
/* ---------------------------------------------------------------------------------------------------- */
+
+
+static JSBool
+js_polkit_user_is_in_netgroup (JSContext *cx,
+ uintN argc,
+ jsval *vp)
+{
+ /* PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (JS_GetContextPrivate (cx)); */
+ JSBool ret = JS_FALSE;
+ JSString *user_str;
+ JSString *netgroup_str;
+ char *user;
+ char *netgroup;
+ JSBool is_in_netgroup = JS_FALSE;
+
+ if (!JS_ConvertArguments (cx, argc, JS_ARGV (cx, vp), "SS", &user_str, &netgroup_str))
+ goto out;
+
+ user = JS_EncodeString (cx, user_str);
+ netgroup = JS_EncodeString (cx, netgroup_str);
+
+ if (innetgr (netgroup,
+ NULL, /* host */
+ user,
+ NULL)) /* domain */
+ {
+ is_in_netgroup = JS_TRUE;
+ }
+
+ JS_free (cx, netgroup);
+ JS_free (cx, user);
+
+ ret = JS_TRUE;
+
+ JS_SET_RVAL (cx, vp, BOOLEAN_TO_JSVAL (is_in_netgroup));
+ out:
+ return ret;
+}
+
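Review bot: Neither `JS_EncodeString` result is checked before the `innetgr` call, which matters in an authorization helper: innetgr(3) treats a NULL user as a wildcard, so a failed encode of `user` would turn the membership test into "does the netgroup have any entry", and a NULL `netgroup` would be handed straight to libc. Bail out with `ret` still `JS_FALSE` when either pointer is NULL, and free both strings at `out:` so the early exit does not leak the one that did encode. Separately, the two hunks shown account for all 41 lines the diffstat lists for this file, so no `#include <netdb.h>` is added here; confirm the file already includes it so that `innetgr` is not implicitly declared. The commented-out `authority` line at the top of the body can be dropped.

```c
  char *user = NULL;
  char *netgroup = NULL;
  /* … unchanged: is_in_netgroup declaration, JS_ConvertArguments call … */

  user = JS_EncodeString (cx, user_str);
  netgroup = JS_EncodeString (cx, netgroup_str);
  /* innetgr() treats a NULL user as "any user"; never let a failed encode reach it */
  if (user == NULL || netgroup == NULL)
    goto out;

  /* … unchanged: innetgr call, ret = JS_TRUE, JS_SET_RVAL (the two JS_free calls move below) … */
 out:
  if (netgroup != NULL)
    JS_free (cx, netgroup);
  if (user != NULL)
    JS_free (cx, user);
  return ret;
```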
diff --git a/test/Makefile.am b/test/Makefile.am
index 8426977..598e426 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -2,7 +2,7 @@
SUBDIRS = mocklibc . polkit polkitbackend
AM_CFLAGS = $(GLIB_CFLAGS)
-check_LTLIBRARIES = libpolkit-test-helper.la
+noinst_LTLIBRARIES = libpolkit-test-helper.la
libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
libpolkit_test_helper_la_LIBADD = $(GLIB_LIBS)
@@ -17,7 +17,6 @@ export TESTS_ENVIRONMENT := $(abs_top_builddir)/test/mocklibc/bin/mocklibc
# Include path to mock config files
export POLKIT_TEST_DATA := $(abs_top_srcdir)/test/data
-
clean-local :
rm -f *~
diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
index 4cd184c..0cad62c 100644
--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
@@ -16,6 +16,12 @@ polkit.addAdminRule(function(action, subject, details) {
}
});
+polkit.addAdminRule(function(action, subject, details) {
+ if (action == "net.company.action3") {
+ return ["unix-netgroup:foo"];
+ }
+});
+
// Fallback
polkit.addAdminRule(function(action, subject, details) {
return ["unix-group:admin", "unix-user:root"];
@@ -53,3 +59,15 @@ polkit.addRule(function(action, subject, details) {
return "no";
}
});
+
+// ---------------------------------------------------------------------
+// netgroup membership
+
+polkit.addRule(function(action, subject, details) {
+ if (action == "net.company.group.only_netgroup_users") {
+ if (subject.isInNetGroup("foo"))
+ return "yes";
+ else
+ return "no";
+ }
+});
diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
index a210f68..f81c7fb 100644
--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
@@ -130,6 +130,12 @@ test_get_admin_identities (void)
"unix-group:users"
}
},
+ {
+ "net.company.action3",
+ {
+ "unix-netgroup:foo"
+ }
+ },
};
guint n;
@@ -222,6 +228,24 @@ static const RulesTestCase rules_test_cases[] = {
POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
NULL
},
+
+ /* check netgroup membership */
+ {
+ /* john is a member of netgroup 'foo', see test/etc/netgroup */
+ "netgroup_membership_with_member",
+ "net.company.group.only_netgroup_users",
+ "unix-user:john",
+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+ NULL
+ },
+ {
+ /* sally is not a member of netgroup 'foo', see test/etc/netgroup */
+ "netgroup_membership_with_non_member",
+ "net.company.group.only_netgroup_users",
+ "unix-user:sally",
+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+ NULL
+ },
};
/* ---------------------------------------------------------------------------------------------------- */
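Review bot: Both added comments point to `test/etc/netgroup`, but test/Makefile.am sets the test data root to `test/data` and this commit's diffstat adds no netgroup file, so the fixture that makes john a member of 'foo' cannot be found from the path given. The comments should name the real location (presumably something like `test/data/etc/netgroup`, to be confirmed). The two cases also exercise only a netgroup that exists; a case whose rule names a netgroup that is not defined anywhere would pin the deny result for a misspelled name in a rules file.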