PolicyKit: Branch 'wip/js-rule-files'

David Zeuthen david at kemper.freedesktop.org
Mon May 21 10:42:55 PDT 2012


 docs/man/polkit.xml                                |   15 +++++++
 src/polkitbackend/init.js                          |    4 ++
 src/polkitbackend/polkitbackendjsauthority.c       |   41 +++++++++++++++++++++
 test/Makefile.am                                   |    3 -
 test/data/etc/polkit-1/rules.d/10-testing.rules    |   18 +++++++++
 test/polkitbackend/test-polkitbackendjsauthority.c |   24 ++++++++++++
 6 files changed, 103 insertions(+), 2 deletions(-)

New commits:
commit 31c0ce425a03c59726b7c1a83aaf8cd8dfab79f7
Author: David Zeuthen <davidz at redhat.com>
Date:   Mon May 21 13:42:43 2012 -0400

    Add netgroup support
    
    Signed-off-by: David Zeuthen <davidz at redhat.com>

diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index 4fbc117..ee658c5 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -652,6 +652,21 @@ System Context         |                        |
         </funcprototype>
       </funcsynopsis>
 
+      <funcsynopsis>
+        <funcprototype>
+          <?dbhtml funcsynopsis-style='ansi'?>
+          <funcdef>boolean <function>isInNetGroup</function></funcdef>
+          <paramdef>string <parameter>netGroupName</parameter></paramdef>
+        </funcprototype>
+      </funcsynopsis>
+
+      <para>
+        The <function>isInGroup()</function> method can be used to
+        check if the subject is in a given group and
+        <function>isInNetGroup()</function> can be used to check if
+        the subject is in a given netgroup.
+      </para>
+
     </refsect2>
 
     <refsect2 id="polkit-rules-details">
diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js
index 0e8bcfb..29f13fc 100644
--- a/src/polkitbackend/init.js
+++ b/src/polkitbackend/init.js
@@ -26,6 +26,10 @@ function Subject() {
         return false;
     };
 
+    this.isInNetGroup = function(netGroup) {
+        return polkit._userIsInNetGroup(this.user, netGroup);
+    };
+
     this.toString = function() {
         var ret = "[Subject";
         for (var i in this) {
diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c
index 8c1d189..7798d45 100644
--- a/src/polkitbackend/polkitbackendjsauthority.c
+++ b/src/polkitbackend/polkitbackendjsauthority.c
@@ -144,11 +144,13 @@ static JSClass js_polkit_class = {
 
 static JSBool js_polkit_log (JSContext *cx, uintN argc, jsval *vp);
 static JSBool js_polkit_spawn (JSContext *cx, uintN argc, jsval *vp);
+static JSBool js_polkit_user_is_in_netgroup (JSContext *cx, uintN argc, jsval *vp);
 
 static JSFunctionSpec js_polkit_functions[] =
 {
   JS_FS("log",            js_polkit_log,            0, 0),
   JS_FS("spawn",          js_polkit_spawn,          0, 0),
+  JS_FS("_userIsInNetGroup", js_polkit_user_is_in_netgroup,          0, 0),
   JS_FS_END
 };
 
@@ -1225,3 +1227,42 @@ js_polkit_spawn (JSContext  *cx,
 }
 
 /* ---------------------------------------------------------------------------------------------------- */
+
+
+static JSBool
+js_polkit_user_is_in_netgroup (JSContext  *cx,
+                               uintN       argc,
+                               jsval      *vp)
+{
+  /* PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (JS_GetContextPrivate (cx)); */
+  JSBool ret = JS_FALSE;
+  JSString *user_str;
+  JSString *netgroup_str;
+  char *user;
+  char *netgroup;
+  JSBool is_in_netgroup = JS_FALSE;
+
+  if (!JS_ConvertArguments (cx, argc, JS_ARGV (cx, vp), "SS", &user_str, &netgroup_str))
+    goto out;
+
+  user = JS_EncodeString (cx, user_str);
+  netgroup = JS_EncodeString (cx, netgroup_str);
+
+  if (innetgr (netgroup,
+               NULL,  /* host */
+               user,
+               NULL)) /* domain */
+    {
+      is_in_netgroup =  JS_TRUE;
+    }
+
+  JS_free (cx, netgroup);
+  JS_free (cx, user);
+
+  ret = JS_TRUE;
+
+  JS_SET_RVAL (cx, vp, BOOLEAN_TO_JSVAL (is_in_netgroup));
+ out:
+  return ret;
+}
+
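Review bot: Both `JS_EncodeString()` results in `js_polkit_user_is_in_netgroup` are handed to `innetgr()` unchecked, and a NULL `user` is not an error there: innetgr() treats a NULL host, user or domain as a wildcard. If the encoding fails (for example on out-of-memory), the membership test could therefore answer true for any user, and this value feeds authorization rules. The function should fail closed and return JS_FALSE when either string is NULL, before innetgr() is reached. The commented-out `authority` line at the top of the body can be dropped too. The whole function lies inside this hunk.

```c
  user = JS_EncodeString (cx, user_str);
  netgroup = JS_EncodeString (cx, netgroup_str);
  if (user == NULL || netgroup == NULL)
    {
      /* fail closed: innetgr() treats a NULL user as "match any user" */
      JS_free (cx, netgroup);
      JS_free (cx, user);
      goto out;
    }
  /* … unchanged: innetgr() call, JS_free of both strings, JS_SET_RVAL … */
```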
diff --git a/test/Makefile.am b/test/Makefile.am
index 8426977..598e426 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -2,7 +2,7 @@
 SUBDIRS = mocklibc . polkit polkitbackend
 AM_CFLAGS = $(GLIB_CFLAGS)
 
-check_LTLIBRARIES = libpolkit-test-helper.la
+noinst_LTLIBRARIES = libpolkit-test-helper.la
 libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
 libpolkit_test_helper_la_LIBADD = $(GLIB_LIBS)
 
@@ -17,7 +17,6 @@ export TESTS_ENVIRONMENT := $(abs_top_builddir)/test/mocklibc/bin/mocklibc
 # Include path to mock config files
 export POLKIT_TEST_DATA := $(abs_top_srcdir)/test/data
 
-
 clean-local :
 	rm -f *~
 
diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
index 4cd184c..0cad62c 100644
--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
@@ -16,6 +16,12 @@ polkit.addAdminRule(function(action, subject, details) {
     }
 });
 
+polkit.addAdminRule(function(action, subject, details) {
+    if (action == "net.company.action3") {
+        return ["unix-netgroup:foo"];
+    }
+});
+
 // Fallback
 polkit.addAdminRule(function(action, subject, details) {
     return ["unix-group:admin", "unix-user:root"];
@@ -53,3 +59,15 @@ polkit.addRule(function(action, subject, details) {
             return "no";
     }
 });
+
+// ---------------------------------------------------------------------
+// netgroup membership
+
+polkit.addRule(function(action, subject, details) {
+    if (action == "net.company.group.only_netgroup_users") {
+        if (subject.isInNetGroup("foo"))
+            return "yes";
+        else
+            return "no";
+    }
+});
diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
index a210f68..f81c7fb 100644
--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
@@ -130,6 +130,12 @@ test_get_admin_identities (void)
         "unix-group:users"
       }
     },
+    {
+      "net.company.action3",
+      {
+        "unix-netgroup:foo"
+      }
+    },
   };
   guint n;
 
@@ -222,6 +228,24 @@ static const RulesTestCase rules_test_cases[] = {
     POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
     NULL
   },
+
+  /* check netgroup membership */
+  {
+    /* john is a member of netgroup 'foo', see test/etc/netgroup */
+    "netgroup_membership_with_member",
+    "net.company.group.only_netgroup_users",
+    "unix-user:john",
+    POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+    NULL
+  },
+  {
+    /* sally is not a member of netgroup 'foo', see test/etc/netgroup */
+    "netgroup_membership_with_non_member",
+    "net.company.group.only_netgroup_users",
+    "unix-user:sally",
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+    NULL
+  },
 };
 
 /* ---------------------------------------------------------------------------------------------------- */
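Review bot: The two new entries in `rules_test_cases` only exercise netgroup `foo` with a member and a non-member, so nothing pins what `isInNetGroup()` returns for a netgroup that does not exist or a subject whose user name is empty. A third case that expects `POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED` for an unknown netgroup would guard the fail-closed behaviour that authorization rules rely on. The comments also point at `test/etc/netgroup`, while `POLKIT_TEST_DATA` in test/Makefile.am is `test/data`, so the path is presumably `test/data/etc/netgroup` and worth confirming. The array itself starts outside this hunk.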

